KR102669475B1 - Data management device, data management method and a computer-readable storage medium for storing data management program - Google Patents

Abstract

One embodiment of the present invention includes receiving a first markdown cell; Receiving a first code cell for the first markdown cell; and executing a first analysis task based on the first code cell.

Description

A computer-readable storage medium storing a data management device, a data management method, and a data management program {DATA MANAGEMENT DEVICE, DATA MANAGEMENT METHOD AND A COMPUTER-READABLE STORAGE MEDIUM FOR STORING DATA MANAGEMENT PROGRAM}

The present invention relates to a data management device, a data management method, and a computer-readable storage medium storing a data management program.

Log data comes from various sources. For example, log data is recorded to monitor the behavior of a system or application, it is used to monitor the security status of the system and track user activity, and log data is used to track and debug errors that occur in the application. It is used.

In addition, log data is used for business analysis to aid decision-making. For example, it can be used to analyze customer behavior, analyze marketing effectiveness, and quality control.

For this reason, large amounts of log data are generated, and efficiently processing and analyzing this data becomes an important task.

Therefore, in order to solve the problems of existing technologies, the present invention seeks to provide a data management device that provides a user interface for processing data, a data management method, and a computer-readable storage medium that stores a data management program.

One embodiment of the present invention includes receiving a first markdown cell; Receiving a first code cell for the first markdown cell; and executing a first analysis task based on the first code cell.

The data management method is characterized in that the first Markdown cell includes description data for an execution script, and the first code cell includes first Lua script information for analysis.

The data management method includes interpreting the first Lua script information within an analysis engine; and returning a result for the first code cell.

The data management method includes registering a second analysis task in an analysis task scheduler; And the second analysis task is characterized in that it further includes a step of being periodically executed based on preset conditions.

One embodiment of the present invention includes a database storing data; And a processor that processes the data, wherein the processor receives a first markdown cell, receives a first code cell for the first markdown cell, and executes a first code cell based on the first code cell. Provides a data management device that executes analysis tasks.

The data management device is characterized in that the first markdown cell includes description data for an execution script, and the first code cell includes first Lua script information for analysis.

The processor is characterized in that it interprets the first Lua script information within an analysis engine and returns a result for the first code cell.

The processor registers a second analysis task in an analysis task scheduler, and the second analysis task is periodically executed based on preset conditions.

One embodiment of the present invention includes the steps of receiving a first markdown cell, receiving a first code cell for the first markdown cell, and executing a first analysis task based on the first code cell. Provides a computer-readable storage medium that stores a data management program.

According to one embodiment of the present invention, the needs for data security and monitoring of companies can be met by providing innovative technology for data management in ERP systems.

Additionally, according to an embodiment of the present invention, there is an advantage in that all connection records to the server are created as logs, thereby ensuring the stability of log records.

In addition, according to an embodiment of the present invention, even when using the Diffie-Hellman algorithm, there is an advantage that the integrity and confidentiality of data can be guaranteed by decrypting the SSL encryption, recording logs, and transmitting to the business system in a secure manner. .

In addition, according to an embodiment of the present invention, there is an advantage in that the accuracy of personal information extraction can be increased through a multidimensional extraction method using personal information metadata and an exception handling list.

Additionally, according to an embodiment of the present invention, there is an advantage that user behavior can be mapped to all log data containing personal information.

Additionally, according to an embodiment of the present invention, there is an advantage that a large amount of personal information data can be decrypted and re-encrypted in real time.

Additionally, according to an embodiment of the present invention, there is an advantage that the safety of original data can be maintained by providing altered data to the user.

Additionally, according to an embodiment of the present invention, there is an advantage that updating, patching, and rollback of at least one agent can be easily performed.

In addition, according to an embodiment of the present invention, it is possible to provide users who have difficulty entering regular expressions with the convenience of completing the entire regular expression by partially assisting them in entering regular expressions.

Additionally, according to an embodiment of the present invention, a convenience function of scanning a pre-registered parser can be provided to increase the reusability of the registered parser.

Additionally, according to an embodiment of the present invention, there is an advantage in that a large amount of data can be searched simultaneously and the results can be confirmed in real time.

Additionally, according to an embodiment of the present invention, there is an advantage that a user can perform analysis and manipulation of various data using a script for data that is not provided through the basic UI.

1 is a diagram illustrating hardware for explaining the data management device of the present invention.
Figure 2 is a diagram disclosing an embodiment of the data management device of the present invention.
Figure 3 is a diagram disclosing an embodiment of the data management platform of the present invention.
Figure 4 is a flow chart explaining an embodiment of the data management method of the present invention.
Figure 5 is a diagram disclosing an embodiment of the data management method of the present invention.
Figure 6 is a diagram illustrating an embodiment of the packet collection method of the present invention.
Figure 7 is a diagram illustrating another embodiment of the packet collection method of the present invention.
Figure 8 is a diagram illustrating an example of RFC protocol-based packet analysis data collected according to the packet collection method of the present invention.
Figure 9 is a diagram illustrating an embodiment of a GUI protocol-based packet analysis device collected according to the packet collection method of the present invention.
Figure 10 is a diagram illustrating an example of a method for analyzing packets based on a GUI protocol collected according to the packet collection method of the present invention.
Figure 11 is a diagram illustrating an example of GUI protocol-based packet analysis data collected according to the packet collection method of the present invention.
Figure 12 is a diagram illustrating an embodiment of a method for analyzing packets based on HTTP/HTTPS collected according to the packet collection method of the present invention.
Figure 13 is a diagram illustrating an example of HTTP/HTTPS-based packet analysis data collected according to the packet collection method of the present invention.
Figure 14 is a diagram illustrating an example of extracting personal information from data included in an analyzed packet of the present invention.
Figure 15 is a diagram illustrating an embodiment of the present invention visualizing data included in an analyzed packet.
Figure 16 is a diagram illustrating an embodiment of retrieving data included in an analyzed packet of the present invention.
Figure 17 is a diagram illustrating an embodiment of monitoring data collected according to the data management method of the present invention.
Figure 18 is a diagram explaining an embodiment in which the data management platform of the present invention distributes collected packets.
Figure 19 is a diagram explaining an embodiment in which the data management platform of the present invention analyzes packets based on the RFC protocol.
Figure 20 is a diagram explaining an embodiment in which the data management platform of the present invention analyzes packets.
Figure 21 is a diagram illustrating an embodiment in which the data management platform of the present invention stores and monitors audit logs.
Figure 22 is a diagram illustrating an embodiment of distributing collected packets by the data management method of the present invention.
Figure 23 is a diagram illustrating an embodiment in which the data management platform of the present invention analyzes HTTPS-based packets.
Figure 24 is a diagram explaining an embodiment of the data management method of the present invention analyzing HTTPS-based packets.
Figure 25 is a diagram explaining an embodiment of the data management method of the present invention.
Figure 26 is a diagram explaining an embodiment of extracting and storing personal information in the data management platform of the present invention.
Figure 27 is a diagram illustrating an example of a regular expression pattern used in the data management platform of the present invention.
Figure 28 is a diagram illustrating an example of a masking pattern used in the data management platform of the present invention.
Figure 29 is a diagram illustrating an example of personal information metadata 1036 defined in the data management platform of the present invention.
Figure 30 is a diagram illustrating an embodiment of extracting personal information by classifying architecture types in the data management platform of the present invention.
Figure 31 is a diagram explaining an embodiment of creating a personal information extraction rule in the data management platform of the present invention.
Figure 32 is a diagram illustrating an embodiment of creating a personal information exception processing list in the data management platform of the present invention.
Figure 33 is a diagram explaining an embodiment of creating an exception filter of the data management platform of the present invention.
Figure 34 is a diagram explaining an embodiment of searching and outputting personal information extracted from the data management platform of the present invention.
Figure 35 is a diagram explaining an embodiment of how the data management method of the present invention manages personal information.
Figure 36 is a diagram illustrating another embodiment of the data management method of the present invention extracting and storing personal information.
Figure 37 is a diagram explaining an embodiment of managing personal information in the data management method of the present invention.
Figure 38 is a diagram explaining an embodiment of collecting and mapping user behavior in the data management platform of the present invention.
Figure 39 is a diagram explaining an embodiment of generating user behavior metadata in the data management platform of the present invention.
Figure 40 is a diagram illustrating an embodiment of mapping user behavior metadata and log data in the data management platform of the present invention.
Figure 41 is a diagram explaining an embodiment in which the data management method of the present invention generates user behavior metadata.
Figure 42 is a diagram illustrating an embodiment of the data management method of the present invention mapping user behavior metadata and log data.
Figure 43 is a diagram explaining an embodiment in which the data management method of the present invention generates user behavior metadata.
Figure 44 is a diagram explaining an embodiment of encrypting personal information in the data management platform of the present invention.
Figure 45 is a diagram explaining an embodiment of encrypting personal information in the data management platform of the present invention.
Figure 46 is a diagram explaining the mapping information table and task table of the present invention.
Figure 47 is a diagram explaining an embodiment of generating a new encryption key in the data management platform of the present invention.
Figure 48 is a diagram explaining an embodiment of adding new work data in the data management platform of the present invention.
Figure 49 is a diagram explaining an actual use example of personal information encryption of the present invention.
Figure 50 is a diagram explaining an embodiment of the data management method of the present invention encrypting personal information.
Figure 51 is a diagram explaining an embodiment in which the data management method of the present invention generates a new encryption key.
Figure 52 is a diagram explaining an embodiment in which the data management method of the present invention adds new work data.
Figure 53 is a diagram explaining an embodiment of the data management method of the present invention encrypting personal information.
Figure 54 is a diagram explaining an embodiment of modulating data in the data management platform of the present invention.
Figure 55 is a diagram illustrating an embodiment in which the data management method of the present invention generates token values and mapping information corresponding to data.
Figure 56 is a diagram explaining the mapping information table and task table of the present invention.
Figure 57 is a diagram explaining an embodiment in which the data management method of the present invention modifies data.
Figure 58 is a diagram explaining the mapping information table and task table in which the modulated data of the present invention is stored.
Figure 59 is a diagram illustrating an embodiment of searching for altered data in the data management method of the present invention.
Figure 60 is a diagram explaining an embodiment of modulating data in the data management platform of the present invention.
Figure 61 is a diagram explaining an embodiment of modulating data in the data management platform of the present invention.
Figure 62 is a diagram explaining an embodiment in which the data management method of the present invention modifies data.
Figure 63 is a diagram explaining an embodiment of managing agents in the data management platform of the present invention.
Figure 64 is a diagram explaining a method of managing an agent in the data management method of the present invention.
Figure 65 is a diagram explaining a method of communicating with an agent in the data management method of the present invention.
Figure 66 is a diagram explaining the agent operation method in the data management method of the present invention.
Figure 67 is a diagram explaining the agent operation method in the data management method of the present invention.
Figure 68 is a diagram explaining an embodiment in which the data management platform of the present invention normalizes log data.
Figure 69 is a diagram explaining an embodiment of how the data management method of the present invention generates a parser.
Figure 70 is a diagram illustrating an example of a parser creation screen of the present invention.
Figure 71 is a diagram illustrating an example of a parser test screen of the present invention.
Figure 72 is a diagram illustrating an embodiment of how the data management method of the present invention generates a conversion rule.
Figure 73 is a diagram illustrating an example of a conversion rule creation screen of the present invention.
Figure 74 is a diagram illustrating an embodiment of the parser field batch registration screen of the present invention.
Figure 75 is a diagram illustrating an embodiment of how the data management method of the present invention creates a collection path rule.
Figure 76 is a diagram illustrating an example of a collection path rule creation screen of the present invention.
Figure 77 is a diagram illustrating an embodiment of the data management method of the present invention searching an event log.
Figure 78 is a diagram illustrating an example of an event log search screen of the present invention.
Figure 79 is a diagram explaining an embodiment of the data management method of the present invention.
Figure 80 is a diagram explaining an embodiment of searching logs in the data management platform of the present invention.
Figure 81 is a diagram explaining an embodiment of searching a log in the data management platform of the present invention.
Figure 82 is a diagram illustrating an embodiment in which the data management method of the present invention searches logs.
Figure 83 is a diagram explaining an embodiment of searching a log in the data management method of the present invention.
Figure 84 is a diagram explaining an embodiment of searching a log in the data management method of the present invention.
Figure 85 is a diagram explaining an embodiment of the external merge sort algorithm of the present invention.
Figure 86 is a diagram explaining the search result file of the present invention.
Figure 87 is a diagram illustrating an embodiment in which the data management method of the present invention searches logs.
Figure 88 is a diagram explaining an embodiment of analyzing data in the data management platform of the present invention.
Figure 89 is a diagram explaining an embodiment in which the data management method of the present invention analyzes data.
Figure 90 is a diagram explaining an embodiment of the data management method of the present invention setting a schedule for analysis work.
Figure 91 is a diagram illustrating an embodiment in which the data management method of the present invention performs an analysis task.
Figure 92 is a diagram explaining an embodiment of modulating data in the data management platform of the present invention.
Figure 93 is a diagram illustrating the user interface of the analysis task editor provided by the data management platform of the present invention.
Figure 94 is a diagram illustrating the user interface of the analysis task editor provided by the data management platform of the present invention.
Figure 95 is a diagram illustrating the user interface of the analysis task editor provided by the data management platform of the present invention.
Figure 96 is a diagram explaining the user interface provided by the monitoring module of the data management platform of the present invention.
Figure 97 is a diagram illustrating the user interface of the analysis task editor provided by the data management platform of the present invention.
Figure 98 is a diagram explaining an embodiment of the data management method of the present invention analyzing data.

Hereinafter, various embodiments will be described in detail with reference to the drawings. The embodiments described below may be modified and implemented in various different forms. In order to more clearly explain the characteristics of the embodiments, detailed descriptions of matters widely known to those skilled in the art to which the following embodiments belong will be omitted.

Meanwhile, in this specification, when a configuration is said to be “connected” to another configuration, this includes not only the case of being “directly connected,” but also the case of being “connected with another configuration in between.” In addition, when a configuration “includes” another configuration, this means that other configurations may be further included rather than excluding other configurations, unless specifically stated to the contrary.

Additionally, terms including ordinal numbers such as “first” or “second” used in this specification may be used to describe various components, but the components should not be limited by the terms. The above terms are used only for the purpose of distinguishing one component from another.

In addition, since the function units included in each module are a logical structure for explaining the functions performed by the module, it goes without saying that the module can perform the functions performed by each function unit. That is, each module does not need to include all functional units included within the module, but may include at least one functional unit to perform the function.

Hereinafter, examples will be described in detail with reference to the attached drawings. In an embodiment, the framework, module, application program interface, etc. may be implemented as a device combined with a physical device or may be implemented as software. At this time, if the embodiment is implemented as software, it may be stored in a storage medium, installed on a computer, etc., and executed by a processor.

1 is a diagram illustrating hardware for explaining the data management device of the present invention.

This drawing explains an embodiment of data transmission and reception between hardware components related to a data management platform, which will be described later.

The present invention can be provided to users through a platform. To this end, the user/client 1000 can access the network device 1001 through a web browser or the like and use data and applications stored in a separate storage/database 1003 under the control of the computing server 1004.

More specifically, the user/client 1000 requests a service (e.g., tasks such as searching, modifying, deleting data, etc.) through a client terminal, and is computed through the computing server 1004 and network device 1001. ), the received data can be displayed on the screen. In one embodiment, user/client 1000 may include anyone accessing the data management platform of the present invention. That is, in this figure, the user/client 1000 can access the data management platform using the network device 1001, and is not limited by the network device 1001.

The network device 1001 serves to mediate data transmission between the user/client 1000 and the computing server 1004. Here, the network device 1001 may include a router, TAP, switch, etc. Routers transmit data using IP addresses, and switches transmit data using MAC addresses. Here, network equipment 1001, such as a router, can transmit packets to the data management platform 10000 by mirroring only a specific port using SPAN (Switched Port Analyzer) mode. This will be explained in detail below.

TAP (Test Access Point) can be used to collect data on the network. More specifically, TAP is one of the network devices 1001 and corresponds to a device that is added to the back-bone line of the network and specializes only in mirroring. That is, packets can be delivered to the data management platform 10000 of the present invention through Network Test Access Point (TAP). Accordingly, packets can be copied and delivered to the data management platform without affecting the flow of data packets transmitted and received on the network.

The storage/database 1003 can store and manage data. Storage mainly uses hard disks or SSDs to store data, and databases manage structured data and can perform tasks such as search and modification.

Computing server 1004 is responsible for data processing. The task requested from the client (1000) is processed and the processing result is returned to the client (10000). For this purpose, calculation tasks can be performed using hardware such as a central processing unit (CPU) and RAM. Additionally, the computing server 1004 can control the input and output of various data and store the data processed by the data management platform 10000 in the storage/database 1003. At this time, the functions performed by the data management platform 10000 of the present invention may be performed by the processor of the computing server 1004. Additionally, computing server 1004 may include a system manager that monitors and controls the status of hardware components or modules within the data management platform.

Hereinafter, the hardware components of this drawing may be used to implement the present invention, and of course, a data processing method between the hardware components is included.

Figure 2 is a diagram disclosing an embodiment of the data management device of the present invention.

The embodiment of this drawing illustrates a data management device and includes a physical device and logical components to explain the data management device.

In one embodiment, the present invention may be provided to users through a SaaS (Software as a Service) platform. SaaS platform refers to software provided as a service to users through a network using cloud computing technology. To this end, the storage/database 1003, computing server 1004, and container platform 1005 support users/clients 1000 to use the data management platform 10000 and data management software package 20000 on the cloud. You can.

The present invention provides a user/client (1000), a storage/database (1003), an application server (1002), a computing server (1004), a container platform (1005), a data management platform (10000), and a data management software package for data processing. (20000) can be used.

At this time, the storage/database 1003 and the computing server 1004 may be hardware, and the application server 1002, container platform 1005, data management platform 10000, and data management software package 20000 may correspond to software. You can. For the hardware, refer to the above-described content, and an embodiment of the data management device will be described with reference to this drawing as follows.

User/client 1000 may access data management software 20000 for data processing.

The container platform 1005 is composed of an operating system (OS), a container, a docker, etc., and can provide a virtual environment for data processing.

The data management platform 10000 may control at least one engine or module included in the data management software package 20000. To this end, the data management platform 10000 can manage data using technologies such as an internal database (here, the database refers to an internal database within the data management software package 20000), storage, and distributed file system. there is. Additionally, the data management platform 10000 may include a system manager or management console for managing at least one engine or module included in the data management software package 20000.

The data management software package 20000 includes at least one of a collection module 20001, an analysis module 20002, a key management module 20003, a personal information management module 20004, a monitoring module 20005, and an AI engine 20006. It can be included. However, the modules and engines included in the data management software package 20000 are not essential components and correspond to elements for explaining the present invention. Therefore, of course, modules with different names for performing data embodiments may be included.

Collection module 20001 may collect data from various sources and transmit the data to a processing pipeline. The collection module 20001 may collect data (eg, packets) from various sources such as logs, events, sensors, and web servers. In particular, the collection module 20001 can centrally manage the agent when using the agent for log collection.

The analysis module 20002 can be used to analyze data and derive valuable insights. The analysis module 20002 may extract data by analyzing the collected packets. At this time, if the included data is personal information, functions related to personal information protection can be provided through the personal information management module 20004. Additionally, the included data can be mapped with previously collected behavior information (for example, including inquiry, deletion, addition, change, output, etc.).

The key management module 20003 can generate, store, and manage keys for data encryption and decryption. The key management module 20003 may manage keys using technologies such as tokens, symmetric keys, public keys, and digital certificates. If the data includes personal information, the key management module 20003 can generate, store, and manage keys for encrypting and decrypting personal information. Additionally, the key management module 20003 can use technologies such as tokens, symmetric keys, public keys, and digital certificates to secure data even if the data does not contain personal information.

The personal information management module 20004 may provide functions related to personal information protection. If the data includes personal information, the personal information management module (20004) can control the collection, extraction, encryption, storage, processing, search, and deletion of personal information.

The monitoring module 20005 may perform search and detection of data. Monitoring module 20005 may monitor data processing and the data processing environment and identify problems. Additionally, the monitoring module 20005 can monitor logs, performance indicators, events, etc. and generate alerts.

AI Engine (20006) can perform data processing and data analysis tasks using artificial intelligence technology (including machine learning). In particular, if the collected and stored log contains text, the AI Engine (20006) can classify the behavior of the collected text based on artificial intelligence.

Figure 3 is a diagram disclosing an embodiment of the data management platform of the present invention.

The embodiment of this figure illustrates a data management platform 10000 and includes physical devices and logical components. In particular, the data management platform 10000 in this figure can support a wider range than the data management platform described above. For example, the data management platform 10000 includes at least one of the modules implemented in the data management software package 20000 described above, and may include an application programming interface (API) running on a physical device. . For the physical device, please refer to the above-mentioned information.

The data management platform 10000 may use the resources of the computing server 1004 and the storage/database 1003 to perform the functions of modules included in the data management platform 10000. At this time, the system manager may control at least one of the modules or engines within the data management platform 10000, and the system manager may be located within the computing server 1004 or separately and control the data management platform 10000.

The data management platform 10000 includes at least one of a collection module 20001, an analysis module 20002, a key management module 20003, a personal information management module 20004, a monitoring module 20005, and an AI engine 20006. can do. The description of each module is as described above.

The data management platform (10000) transmits and receives data with the user/client (1000), and collects a collection module (20001), an analysis module (20002), a key management module (20003), and a personal information management module (20004) for the transmitted and received data. , at least one function performed by the monitoring module 20005 and the AI engine 20006 can be applied. At this time, the data management platform 10000 may independently use individual modules included in the data management platform 10000 at the request of the user/client 1000. For example, the user/client 1000 may selectively use only the functions of the key management module 20003 or the personal information management module 20004 within the data management platform 10000.

In addition, although not shown in the drawing, the data management platform 10000 may use an internal database different from the external storage/database 1003 to perform the functions of modules included therein.

Figure 4 is a flow chart explaining an embodiment of the data management method of the present invention.

The data management method disclosed by the present invention can collect packets in step S1000.

In one embodiment, a method of collecting packets may use an agent-type cloud-based packet collection method or a packet mirror-type packet collection method. A detailed explanation will be provided later.

In one embodiment, packets may be collected from a Network Interface Card (NIC). Here, the NIC is used for network connection and can be connected to the network in a wired or wireless manner. The NIC is responsible for sending and receiving packets to enable data transfer between the computer and the network, and may include a network card, LAN card, Ethernet card, etc.

Additionally, the data management method disclosed by the present invention can apply a filter to the collected packets.

More specifically, the data management method of the present invention can reassemble and filter the collected packets and distribute them to the analysis process. More specifically, packet recombination refers to combining each collected network packet into an analyzable packet, and filter application refers to a setting that determines whether to analyze the packet using preset filtering rules. . Accordingly, if the packet is a target for analysis, it can be distributed to an appropriate analysis process.

In step S2000, the packet may be analyzed. In one embodiment, packets may be analyzed according to the type of protocol on which the packet is based. More specifically, packets can be analyzed depending on whether they are based on RFC (Remote Function Call) protocol, GUI/SNC protocol, or HTTP/HTTPS. At this time, the data management method can set the number of processes by considering the number of cores and transaction amount of available computing servers. A detailed explanation will be provided later.

In step S3000, data can be monitored. In one embodiment, data included in the analyzed packet may be monitored. In addition, it is possible to monitor stored data in real time to detect abnormal behavior events and decide whether to issue a warning for the detected event.

To this end, in one embodiment, the data management method may extract data from the analyzed packet and store the extracted data. Data management methods can store extracted data in different ways depending on the information contained in the data. For example, if personal information is stored in the data, you can extract the personal information, encrypt the personal information, and then store the extracted data. Additionally, the data management method facilitates searching for important fields by extracting only important data from packets, and as a result, the performance of the data management method can be improved.

Figure 5 is a diagram disclosing an embodiment of the data management method of the present invention.

In step S1010, packets may be collected. In one embodiment, a method of collecting packets may use an agent-type cloud-based packet collection method or a packet mirror-type packet collection method. A detailed explanation will be provided later.

In step S1020, a filter may be applied to the collected packets. More specifically, the data management method of the present invention can reassemble and filter the collected packets and distribute them to the analysis process.

In step S1030, the packet to which the filter is applied can be analyzed.

Here, the packet can be analyzed differently depending on the type of protocol on which it is based. More specifically, in step S1031, packets based on RFC (Remote Function Call) protocol are analyzed, in step S1032, packets based on GUI protocol are analyzed, and in step S1033, packets based on HTTP/HTTPS are analyzed. packets can be analyzed.

In step S1031, RFC protocol-based packet analysis refers to the process of analyzing packets using the RFC protocol in a network. RFC is a protocol and mechanism for performing function calls between different systems or computers in a distributed environment. RFC operates based on a client and server model, allowing clients to call functions on a server on a remote system and execute them remotely. do. In other words, because the RFC protocol is a communication protocol for remote function calls, packets using the RFC protocol contain information about these remote function calls.

In step S1032, the GUI protocol-based packet analysis collects the GUI protocol-based packets communicated between the client and the application server, and analyzes the client IP or port, server IP or port, packet data (byte stream), etc. included in the packet. This is a method of extracting.

In step S1033, HTTP/HTTPS-based packet analysis is a method of extracting data included in packets by mirroring or SSL processing packets transmitted and received between a web browser and a server.

Detailed analysis methods for each will be described later.

In step S1040, personal information can be extracted from the analyzed packet using personal information metadata. In one embodiment, in order to check whether the analyzed packet contains personal information, the personal information may be extracted using stored personal information metadata. This will be described later.

In step S1050, the log can be saved. At this time, meaningful information included in the analyzed packet may be stored as a log. In one embodiment, the data management method may determine whether to store the analyzed information in an audit log. Additionally, if personal information is included, the personal information may be patterned and stored in the database. Lastly, the data management method operates in a multithreading manner to increase log storage speed, and can perform memory queuing and file queuing in case the database is temporarily inaccessible. there is.

In step S1060, abnormal behavior can be detected using the stored log. At this time, if abnormal behavior is detected, a new log recording information about the abnormal behavior detection can be created and the log can be saved again through step S1050. Additionally, the data management method can recreate the screen of the collected data when an audit log is requested from the user. More specifically, the GUI protocol is a protocol used to display and interact with graphical user interfaces. By analyzing these protocols, you can visually understand the user's workflow, input, output, etc., identify the operating state of the system, and solve problems. It can help in diagnosing. This will be explained in detail in the drawings below.

Figure 6 is a diagram illustrating an embodiment of the packet collection method of the present invention.

This diagram explains an agent-based cloud-based packet collection method. More specifically, one embodiment includes at least one client (1000a, 1000b, 1000c), a network (1001), a cloud AP (1010), and a data management platform (10000, 20000).

At least one client (1000a, 1000b, 1000c) is a device that generates packets to be collected and may include, for example, a server, a laptop, a smartphone, etc.

The network 1001 is a packet collection target network, and clients 1000a, 1000b, and 1000c may be connected to the network 1001.

The cloud AP 1010 may include at least one AP (1011, 1012, 1013, and 1014). Here, at least one AP (1011, 1012, 1013, 1014) is connected to a packet collection agent, and the packet collection agent can collect and process all packets generated by the AP (1011, 1012, 1013, 1014). .

More specifically, the packet collection agent can filter, extract, compress, and encrypt the collected packets into a recognizable form. The packet collection agent may be connected to the AP (1011, 1012, 1013, 1014), process the collected packets, and transmit them to the data management platform (10000, 20000).

The data management platform (10000, 20000) can receive collected packets, analyze and store the packets, and analyze the data through an analysis module.

In this way, the cloud-supported (agent method)-based packet collection method provides high scalability and flexibility and can be applied in various network environments. In addition, since data is processed in a cloud environment, hardware and software upgrades and maintenance are easy, and stable services can be provided.

The agent-based cloud-based packet collection method as shown in this figure can be applied when using the cloud.

Figure 7 is a diagram illustrating another embodiment of the packet collection method of the present invention.

This figure explains the packet mirror method of collecting packets. More specifically, an embodiment includes at least one client (1000a, 1000b, 1000c), a network (1001), a dedicated line/VPN (1001a), a CSP (1015), and a data management platform (10000, 20000). Includes. Descriptions that overlap with the above-described content will be omitted.

The network 1001 is connected to a dedicated line/VPN 1001a, and the dedicated line/VPN 1001a can be connected to each of the data management platforms 10000 and 20000 and a cloud service provider (CSP) 1015. Here, CSP refers to a cloud service provider such as, for example, AWS (Amason Web Service), GCP (Google Cloud Platform), and Azure.

Through the packet mirror method, the data management platforms (10000, 20000) replicate network traffic to receive packets from the dedicated line/VPN (1001a), and the same packets can be delivered to the CSP (1015).

Through this method, the data management platform (10000, 20000) can capture and analyze all collected packets.

The packet mirror method of packet collection as shown in this figure can be applied when using a CSP, its own cloud, or a private cloud (for example, SAP PCE) provided by an application server.

The present invention can analyze the collected packets as described above. Specifically, the collected packets may correspond to one of RFC protocol-based, GUI protocol-based, and HTTP/HTTPS-based. Accordingly, an embodiment of the present invention can analyze and store collected packets in different ways. This will be explained in detail.

Figure 8 is a diagram illustrating an example of RFC protocol-based packet analysis data collected according to the packet collection method of the present invention.

The data management platform can extract various data shown in this figure through protocol-based packets. In this drawing, packet analysis data based on the RFC protocol is used as an example, but the packet based on the RFC protocol does not include all of the information below. In particular, the information included in (6) and (8) described later corresponds to packet analysis data based on the GUI protocol.

More specifically, the data management platform can use RFC structure information to analyze packets and extract data. At this time, if there is no RFC structure information, the data management platform can request RFC information by creating an RFC information request file. A detailed explanation will be provided later.

(1) Time (including request time and start time of session information)

(2) Protocol information (including RFC protocol, GUI protocol, HTTP/HTTPS, etc.)

(3) Server IP or Port

(4) Client IP or Port (including the region where the client connects)

(5) Account (including user ID, employee number, organization name, etc.)

(6) Transaction name (including transaction code (T-code). Here, the transaction code is a kind of short code that specifies the transaction and is a logical business process.)

(7) RFC function name

(8) Event information (events include login (success/failure), personal information input, specific T-Code access, SAP ALL access, common account access, user error, file download, program dump, user password change, This includes whether or not metadata is modified, whether or not duplicate access is checked, and whether or not a specific GL account is checked (in the case of the GUI protocol, whether or not cumulative account information is checked).

(9) Number of personal information

In one embodiment, the data management platform can determine the task that the packet is intended to perform through the transaction name and event information.

Figure 9 is a diagram illustrating an example of a GUI protocol-based packet analysis device collected according to the packet collection method of the present invention.

In this drawing, an embodiment of analyzing packets when packets collected according to the packet collection method of the present invention are based on a GUI protocol will be described. One embodiment may include a user/client 1000 (hereinafter referred to as client), a network device 1001, a storage/database 1003, a computing server 1004, and an application server 1002. Descriptions that overlap with the above-described configuration will be omitted.

In one embodiment, packet analysis based on a GUI protocol can be performed using the above-described components. To achieve this, it is necessary to capture and analyze GUI protocol-based traffic occurring in the client 1000. To achieve this, the following tasks are required:

The client 1000 can use the network device 1001 to execute an application corresponding to the application server 1002 and log in to the application system. The client 1000 can perform necessary tasks through the application. The client 1000 may display information about input data or output data received through the application server 1002 on the screen.

Network equipment 1001 may capture network traffic between the client 1000 and the application server 1002. In particular, network equipment 1001 may include a TAP. This allows, for example, if the application server 1002 is an SAP operating server, to log GUI protocol-based packets that communicate with the SAP server from SAP application users, SAP EP servers, and legacy systems. Additionally, network equipment 1001 may include a switch. Through this, internal audit of the SAP server can be performed through a port mirror on the switch that transmits and receives the network to the SAP operation server, and personal information used in the SAP server can be monitored.

Traffic based on the GUI protocol may occur in the application server 1002.

The data management platform 10000 or data management software 20000 may capture traffic occurring in the application server 1002 and analyze the captured traffic. At this time, traffic occurring in the application server 1002 can be collected and analyzed through the collection module 20001 and analysis module 20002 in the data management platform 10000 or the data management software 20000. Accordingly, the structure and contents of the GUI protocol can be understood and analyzed. At this time, the application server 1002 can use the resources of the computing server 1004.

The storage/database 1003 may store analysis results or information necessary for the application server 1002.

Figure 10 is a diagram illustrating an example of a method for analyzing packets based on a GUI protocol collected according to the packet collection method of the present invention.

In step S2010, packets transmitted and received between the application displayed on the client screen and the application server may be collected. More specifically, it is possible to analyze packets based on the GUI protocol communicated between the client and the application server and collect information required for input/output data and monitoring. Here, the input data may include a user command that the client inputs using the client's terminal.

When the client inputs a user command as input data through the client terminal, the input data is transmitted to the application server through the network. In one embodiment, when input data is transmitted to an application server, the input data may be monitored.

More specifically, the data management platform can receive input data and analyze it. At this time, if the input packet includes a preset user command (for example, a specific event occurs), the data management platform may determine that access restrictions are necessary. Accordingly, the data management platform can control the client's access to the application server 1002 through a user command (here, the user command may be expressed in a language different from the user command included in the input packet). At this time, the input data may be data transmitted and received with the SAP application server through the SAP DIAG protocol.

Additionally, the client terminal can output data output from the application server. In other words, the application server may search the contents of the transmitted input data and transmit output data containing the contents of the search results to the client terminal so that the information is displayed on the screen of the client terminal. At this time, the application server outputs output data, and the output data may include at least one of server information, transaction code (T-code), program name, and status message.

As with input data, a data management platform can receive and analyze output data. At this time, the output data may include at least one of server information, transaction code (T-code), program name, and status message. As with input data, the data management platform may determine that access restrictions are necessary based on the analyzed output data. Accordingly, the data management platform can control access.

Additionally, output data may be data transmitted and received between the SAP application server and the client terminal through the SAP DIAG protocol.

In step S2020, it may be determined whether to analyze the collected packets. To this end, the present invention can perform filtering to improve performance by determining whether to analyze the collected information. Here, if you decide not to analyze the collected information, the analysis ends without proceeding.

In step S2030, the packet can be analyzed. In one embodiment, packet decoding and protocols may be analyzed to control the security of information contained within the packet. In one embodiment, input data or output data can be analyzed in detail by client IP or port, server IP or port, packet data (byte stream), etc.

In step S2040, data included in the analyzed packet may be configured as session information and stored. Session information can be created and stored using GUI protocol-based packet analysis information and input/output data. In one embodiment, the stored session information may be displayed on the client screen in a language that is easy for the user to understand.

In other words, by analyzing network connection information and input/output packets, input/output data, which is meaningful information, can be easily output, and the client can check a screen that is substantially similar to the GUI screen of the application server.

In this way, the client can be easily re-implemented in a form substantially similar to the GUI screen, so application server information, transaction code (T-code), program name, status messages, output data, etc. can be easily analyzed while being monitored through the screen. can do.

Figure 11 is a diagram illustrating an example of GUI protocol-based packet analysis data collected according to the packet collection method of the present invention.

In one embodiment, data on at least one of time, protocol information, server/client IP or port, account, transaction name, event information, and number of personal information can be extracted from a packet based on the GUI protocol. The contents of each definition are as described above.

In one embodiment, the results of packet analysis based on the GUI protocol may be provided to the client in the form of a “screen reproduction” as shown in this figure.

More specifically, the data management platform of the present invention can output data contained in the analyzed packet to the client in a way that is easy for the user to understand.

For example, if the first user connects to the application server and enters “1175”, the data management platform displays the screen entered by the first user by connecting to the application server through “Request Screen”. An example that reproduces is shown.

In addition, when the first user connects to the application server and inputs “1175” and outputs the data received from the application server, the data management platform displays the output screen received from the application server by the first user through “Response Screen”. It can be reproduced.

Through this, the second user (e.g., the administrator of the first user) uses the data management platform to create a “Request Screen” and a screen containing the data input by the first user and a screen containing output data, respectively. You can check it through “Response Screen”.

Figure 12 is a diagram illustrating an embodiment of a method for analyzing packets based on HTTP/HTTPS collected according to the packet collection method of the present invention.

HTTP (Hypertext Transfer Protocol) is one of the protocols for sending and receiving data on the Internet. Since HTTP basically communicates using plain text, anyone who can collect HTTP packets can check the contents contained in the packet. there is. In other words, since HTTP-based packets are vulnerable to security, in order to compensate for these security vulnerabilities, packets are sometimes transmitted and received based on HTTPS (HTTP Secure).

HTTPS is a secure version of HTTP and can communicate using SSL (Secure Sockets Layer) or TLS (Transport Layer Security) protocols. Because the SSL protocol encrypts and transmits data, even if a random target collects the packet, the packet cannot be analyzed unless the SSL encryption is deactivated.

Therefore, the present invention can perform SSL processing to analyze HTTPS-based packets. Here, SSL processing may include the process of encrypting and decrypting data in HTTPS communication. SSL processing can perform encryption key exchange, authentication, data encryption, and decryption between the client and server.

In more detail, the method of analyzing HTTP/HTTPS-based packets among the packet collection methods of the present invention will be described as follows.

When a user runs a web browser 1030, the web browser 1030 can send a request to a web server through HTTP/HTTPS, receive a response from the web server, and output data to the user.

A proxy server may perform a relay function between a client and a web server (eg, SAP server). When the web browser 1030 connects to a web server, requests and responses can be exchanged through a proxy server. Through this, you can perform functions such as hiding the user's IP address or improving network performance through caching.

SSL processing can verify SSL certificates in HTTPS connections and perform key exchange and encryption/decryption.

The data management platform can perform HTTP/HTTPS packet extraction and analysis. For this purpose, the collection module and analysis module included in the data management platform can be used. If the collected packets are HTTP-based packets, analysis can be performed immediately, and if the collected packets are HTTPS-based packets, analysis can be performed after SSL processing. HTTPS packets decrypted through SSL processing can be extracted and analyzed by a web browser or proxy server.

The data management platform can store packets generated through HTTP packets or SSL processing in a queue (1032), and extract and analyze packets from the queue (1032). Here, the size of the queue 1032 may be determined according to the bandwidth and processing power of SSL processing. Additionally, queue 1032 may include a memory queue and a file queue.

Accordingly, the present invention can analyze HTTP/HTTPS-based packets, and the method of performing SSL processing to analyze HTTPS-based packets will be described in detail below.

Figure 13 is a diagram illustrating an example of HTTP/HTTPS-based packet analysis data collected according to the packet collection method of the present invention.

In one embodiment, data on at least one of time, protocol information, server/client IP or port, account, transaction name, event information, and number of personal information can be extracted from packets based on HTTP/HTTPS. The contents of each definition are as described above.

In one embodiment, the results of HTTP/HTTPS-based packet analysis may be provided to the client in the form of “data” as shown in this figure.

The data management platform can extract data in HTML or function form by analyzing HTTP/HTTPS-based packets. At this time, the data management platform can output the web page as is in HTML format, and can output the function as is in the case of function format.

Figure 14 is a diagram illustrating an example of extracting personal information from data included in an analyzed packet of the present invention.

In one embodiment, the data management platform 10000 may extract personal information from an audit log 1033 including log data and an index using personal information metadata.

More specifically, the audit log 1033 is a set of logs that record events occurring on a network and may include log data and an index. Here, the audit log 1033 may be a set of log data for which index processing has been completed.

The data management platform 10000 may use personal information metadata to extract personal information from the audit log. Here, personal information metadata defines what form the personal information is stored in, what field it is stored in, and the regular expression patterns and masking patterns used for each type of personal information. For example, you can configure metadata for types of personal information such as name, address, and phone number. Accordingly, the analysis module can identify and extract personal information from log data based on personal information metadata.

In one embodiment, the extracted personal information may be encrypted according to a preset method for each type of personal information and stored again in the audit log 1033 or the internal database of the data management platform 10000. More details will be provided later.

In one embodiment, the data management platform 10000 can search log data for a specific period using the extracted personal information, and an administrator or user can search or check the retrieved log data when necessary. This will be described later.

Figure 15 is a diagram illustrating an embodiment of the present invention visualizing data included in an analyzed packet.

Data included in the packet analyzed through the above-described embodiment is as follows.

(1) Session information: Start time, Duration Time, Log ID, Session ID, Context ID

(2) Connection information: Server IP, Server Port, Server Mac, Client IP, Client Port, Client Mac

(3) SAP information: SID, protocol, SAP instance, client

(4) Program information: OK Code, T-code, Title App, Title Main

(5) CUA (Central User Administration) information: CUA Name, CUA Status

(6) User information: user ID, user UID, user name

(7) Event information: event category, event code, event name, event description, event value, notification level

(8) Custom information: events, warnings, event type, number of events, number of warnings, architecture, presence of personal information, number of personal information types, number of personal information

In one embodiment, the data management platform may extract the above data from the analyzed packets. At this time, if the data extracted from the packet includes personal information, the data management platform can perform encryption on the personal information and store it. In particular, the data management platform can output personal information on a separate screen.

Through this, all information required by law and certification (account information, access date and time, access location information, processed subject information, and performed tasks) can be collected. More specifically, the account information is provided through the user ID, employee number, and organization name of the user information, the connection date and time are provided through the start time of the session information, and the connection location information is provided through the client IP or port of the connection information. Information can be determined through user-defined information (existence of personal information, number of personal information items, resident registration number, alien registration number, passport information, card information, etc.), and work performed can be determined through program information and user-defined information.

Figure 16 is a diagram illustrating an embodiment of retrieving data included in an analyzed packet of the present invention.

In one embodiment, the data management platform may search the above-described data and provide search results to the user.

To this end, as shown in (a) of this drawing, the data management platform can provide a search interface so that users can easily search. The data management platform can search data based on fields in the analyzed data. For example, data fields may include protocol, system, account, employee number, server IP, server port, client IP, client port, instance name, transaction name, program name, etc. At this time, the data management platform may search data based on at least one of the fields input from the user and output the search results.

In another embodiment, the data management platform may provide a query search function, as shown in (b) of this drawing. For example, if a user enters protocol_type=GUI as the first query and server_ip=175.117.145.125 as the second query, the data management platform can retrieve data based on the first query and the second query. there is.

In one embodiment, the search results may be output in the form of “screen reproduction” or “data” as described above.

Figure 17 is a diagram illustrating an embodiment of monitoring data collected according to the data management method of the present invention.

As described above, the data management platform 10000 can collect and analyze packets from at least one client 1000a, 1000b, and 1000c through the network 1001 and the TAP 1001b.

Collected packets can be classified and stored based on predefined events. In one embodiment, data management platform 10000 may monitor data collected from analyzed packets.

More specifically, the data management platform 10000 may detect abnormal behavior in data collected through the monitoring module 20005 and provide an alarm to users of the clients 1000a, 1000b, and 1000c. For example, the data management platform 10000 can report abnormal behavior regarding collected data to the user through a dashboard, email, SMS, etc.

In one embodiment, the data management platform 10000 may control the connection of the clients 1000a, 1000b, and 1000c when abnormal behavior is detected. For example, if an event performed by the user by accessing the clients (1000a, 1000b, 1000c) is determined to be an abnormal behavior, the monitoring module (20005) provides an alarm to the user through the dashboard, etc. and simultaneously monitors the clients (1000a, 1000c). 1000b, 1000c) connections can be blocked.

In particular, the data management platform 10000 monitors clients (1000a, 1000b, 1000c) accessing the database 1003 containing archive files and generating events to provide an alarm or control access. there is. Here, the database 1003 corresponds to storage stored externally or internally to the data management platform 10000. Additionally, please refer to the above-mentioned information for information about the event.

Additionally, the data management platform 1000 may control access of the clients 1000a, 1000b, and 1000c when the behavior corresponds to a preset event even if it is not an abnormal behavior.

In addition, the data management platform 1000 can detect if the data input from the clients 1000a, 1000b, and 1000c is personal information and send a screen containing the input data to the security officer, for example, by email. .

Figure 18 is a diagram explaining an embodiment in which the data management platform of the present invention distributes collected packets.

In one embodiment, the data management platform may collect packets through collection module 20001.

More specifically, collection module 20001 may collect packets from the network (e.g., via the NIC described above). Here, packet collection can be performed by software running on the physical device or virtual machine described above. Here, the packet may include a packet consisting of a protocol header and payload data.

In one embodiment of the present invention, the data management platform may collect packets for all actions performed by the user by accessing the application server. For example, application users can access SAP servers using various protocols, including SAP GUI protocol, RFC protocol, and HTTP. In addition, application users can also access SAP servers using the SAP SNC protocol, HTTPS, etc. Each case will be explained in detail.

The analysis module 20002 may distribute packets collected through the collection module 20001 based on a protocol. More specifically, the analysis module 20002 reassembles the fragmented packets and analyzes the packets based on TCP information, protocol, port, IP address, etc. into the first analysis module 20002a and the second analysis module 20002b. ), … It can be distributed etc. Here, the first analysis module 20002a and the second analysis module 20002b are examples, and based on the protocol, the data management platform can create a module for analyzing packets.

The first analysis module 20002a and the second analysis module 20002b may analyze the packet and store data included in the packet in the database 20007.

The database 20007 stores log data of analyzed packets and may provide search and inquiry functions when necessary.

Below, packet analysis methods for each different protocol will be described in detail.

Figure 19 is a diagram illustrating an embodiment in which the data management platform of the present invention analyzes packets based on the RFC protocol.

In one embodiment, the data management platform 10000 may transmit and receive RFC information and packet analysis and structure information with the application server 1002 through the collection module 20001 and the analysis module 20002. Hereinafter, the data management platform 10000 may provide an API to support the functions performed by the collection module 20001 or the analysis module 20002.

The collection module 20001 may include an RFC packet collection unit 2001. Here, the RFC packet collection unit 2001 may extract RFC packets from the collected packets and transmit them to the analysis module 20002.

The analysis module 20002 may include an RFC information request unit 2002 and an RFC packet analysis unit 2003. That is, the analysis module 20002 can analyze the RFC packet received from the collection module 20001. More specifically, if there is RFC structure information in the data management platform 10000, the RFC packet can be analyzed using the RFC structure information. On the other hand, if there is no RFC structure information in the data management platform 10000, the RFC information request unit 2002 may generate an RFC information request file. When the RFC information request unit 2002 detects an RFC information request file, it may request RFC structure information from the application server 1002. Accordingly, the data management platform 10000 may request RFC information from the application server 1002 and receive RFC structure information. The RFC packet analysis unit 2003 can analyze the RFC packet using the RFC structure information received from the application server 1002.

Figure 20 is a diagram explaining an embodiment in which the data management platform of the present invention analyzes packets.

In one embodiment, the data management platform 10000 analyzes the packets through the analysis module 20002 when the packets collected through the collection module 20001 are HTTP/HTTPS-based packets or GUI/SNC protocol-based packets. can do. At this time, the data management platform 10000 may maintain a database 20007 that manages certificates used to analyze packets.

More specifically, the analysis module 20002 may include an HTTP packet analysis unit 2004, an HTTPS packet analysis unit 2005, a GUI packet analysis unit 2006, and an SNC packet analysis unit 2007.

Here, the HTTP packet analysis unit (2004) analyzes HTTP packets, the HTTPS packet analysis unit (2005) analyzes HTTPS packets, the GUI packet analysis unit (2006) analyzes GUI protocol-based packets, and the SNC packet analysis. Bu (2007) SNC protocol-based packet analysis can be performed.

The analysis module 20002 can analyze packets based on HTTP packets and GUI protocols with relatively low security levels according to the above-described embodiment.

On the other hand, HTTPS packets and SNC packets with relatively high security levels can be analyzed by decrypting the encrypted communication using the SSL certificate stored in the database (20007).

Accordingly, the data management platform 10000 can extract data from encrypted HTTPS-based packets in the same way as HTTP-based packets. Likewise, the data management platform 10000 can extract data from encrypted SNC protocol-based packets in the same way as GUI protocol-based packets.

Methods for analyzing HTTPS packets will be described later. At this time, the certificates used for HTTPS packets and SNC packets may correspond to the same or different certificates.

Figure 21 is a diagram illustrating an embodiment in which the data management platform of the present invention stores and monitors audit logs.

In one embodiment, the data management platform 10000 may generate an audit log 1033 by converting and processing the original data extracted according to the above-described embodiment according to defined field rules. Here, the generated audit log 1033 may be stored in the database 20007.

Additionally, the data management platform 10000 can extract personal information from processed data using personal information metadata. Accordingly, the data management platform 10000 may store the audit log 1033 and personal information in the database 20007, respectively. To this end, the analysis module 20002 may further include an audit log storage unit 2008.

Additionally, the analysis module 20003 may further include a correlation analysis rule generator 2009. The data management platform 10000 may generate correlation analysis rules through the analysis module 20002. Here, the correlation rule may represent a rule for determining abnormal behavior. For example, the data management platform 10000 may determine normal behavior when 1-2 pieces of data are input per second, and may judge it as abnormal behavior when more than 10 pieces of data are input per second. Here, the expression “correlation” may indicate correlation between logs. At this time, the data management platform 10000 may generate another event (log) according to the correlation rule. The log at this time can be defined as an incident. That is, a subject who wants to be monitored through the data management platform 10000 creates a correlation rule, and the data management platform 10000 analyzes logs based on the correlation rule and generates another login incident.

Additionally, correlation analysis rules may correspond to rules predefined by other platforms. Accordingly, the data management platform 10000 may generate an abnormal behavior event by analyzing the audit log 1033 using the generated correlation analysis rule. At this time, information about the generated correlation analysis rules and information about abnormal behavior events may be stored in the database 20007.

The monitoring module 20005 of the data management platform 10000 may further include an abnormal behavior monitoring unit 2010. The abnormal behavior monitoring unit 2010 may search or monitor the stored audit log 1033, personal information, etc. based on the generated abnormal behavior event.

Accordingly, the data management platform 10000 can extract personal information from the collected, analyzed, and stored data, and use the extracted personal information to statisticalize user behavior. Thereafter, if a violation occurs among the collected user actions, the data management platform 10000 may block the user or provide a warning to the administrator.

Figure 22 is a diagram illustrating an embodiment of distributing collected packets by the data management method of the present invention.

At step S10010, the data management method may collect packets and apply filters. At this time, the data management method can collect packets through network equipment such as NIC. Thereafter, the data management method can reassemble the collected packets and combine each network packet into a packet that can be analyzed.

In one embodiment, the data management method may determine whether to analyze the packet based on filtering rules. Here, filtering rules may be determined by the data management platform. More specifically, the data management method can collect packets through network equipment such as the NIC or router described above. At this time, since there may be performance issues if all collected packets are analyzed, the packets to be analyzed can be filtered using filtering rules. For example, packets based on HTTP or SAP GUI protocols may need to be analyzed, but packets collected using other protocols may not need to be analyzed. At this time, the data management method can filter the collected packets to analyze only desired protocol-based packets for each port or IP. At this time, the user can directly set filtering rules using a data management method.

In step S10020, the data management method may distinguish protocols based on TCP session information. As described above, the data management method can classify and analyze collected packets based on protocols.

The data management method may analyze packets in different ways based on the protocols identified in step S10020. The analysis methods for each are as described above.

In step S10030, the data management method may analyze the RFC protocol based packet.

In step S10040, the data management method may analyze packets based on the GUI/SNC protocol.

In step S10050, the data management method may analyze HTTP/HTTPS based packets.

In steps S10030 to S10050, the data management method may parse the packet and then perform processing rules for analysis. At this time, the data management method can extract various data (account data, SID, screen input data, screen output data, etc.) by analyzing the binary data of the packet. In addition, the processing rules process whether to store the data contained in the analyzed packet in the audit log 1033, whether to process or log the data contained within the analyzed packet, and whether to generate events and warnings. Settings can be displayed. In addition, the data management method can further perform filter rules for filtering out unnecessary logs and loading rules for loading data to process processing rules.

In step S10060, the data management method may generate an audit log 1033 based on the analyzed packet. At this time, the data management method operates in a multi-threading manner to increase log storage speed, and memory queuing and file queuing can be performed in case the database is temporarily inaccessible.

In step S10070, the data management method may extract personal information using personal information metadata for the generated audit log 1033.

In step S10080, the data management method may store the audit log 1033. At this time, the data management method can store the audit log 1033 and personal information, respectively.

In step S10090, the data management method may monitor abnormal behavior.

Figure 23 is a diagram explaining an embodiment in which the data management platform of the present invention analyzes HTTPS-based packets.

User actions in web browsers protected by HTTPS (SSL) cannot be logged using existing network traffic mirror technology. In particular, logs cannot be recorded when using the Diffie-Hellman algorithm for key exchange during an HTTPS connection. Here, the Diffie-Hellman algorithm is one of the algorithms used in the symmetric key encryption method and corresponds to a method for safely performing the key exchange protocol.

However, in order to monitor abnormal behavior and overuse of personal information within a company, there is a need to record and monitor logs of user behavior in web browsers.

According to one embodiment of the present invention, even when the Diffie-Hellman algorithm is used for key exchange, abnormal behavior and excessive abuse of personal information within a company can be monitored by recording a log of user behavior in a web browser.

To this end, the data management platform 10000 allows monitoring user behavior even when using the Diffie-Hellman algorithm.

More specifically, the analysis module 20002 of the data management platform 10000 includes a proxy server configuration unit 2011, an SSL setting unit 2012, an HTTP request/response data analysis unit 2013, and a message data generation unit 2014. ) may further be included.

Here, the proxy server configuration unit 2011 may configure the proxy server 1031 between the web browser 1030 and the web server 1034. Here, the proxy server 1031 is a server that mediates network communication between the client and the server. When using the proxy server 1031, the client does not communicate directly with the web server 1034 but indirectly through the proxy server 1031. Can communicate.

The SSL setting unit 2012 can set SSL in the proxy server 1031. More specifically, the SSL setting unit 2012 configures the proxy server 1031 and configures an SSL environment between the web browser 1030 and the proxy server 1031 using client SSL settings to provide HTTPS requests/responses. Processing can be performed. In one embodiment, the SSL configuration unit 2012 may use an SSL certificate to configure SSL. Here, the SSL certificate may correspond to a certificate different from the certificate for analyzing the packet described above. In other words, the SSL certificate at this time corresponds to supporting SSL settings.

The proxy server 1031 that receives the HTTPS request data can temporarily suspend the SSL connection, process the HTTP request/response data through the HTTP request/response analysis unit 2013, and perform the SSL connection again. .

Accordingly, the message data generator 2014 can generate message data 1035 by combining HTTP request/response data, and store the generated message data 1035 in the queue 1032. Here, the queue 1032 may include a memory queue and a file queue.

Thereafter, the data management platform 10000 may transmit the message data 1035 stored in the queue 1032 to the outside.

Finally, the data management platform 10000 can configure an SSL environment between the proxy server 1031 and the web server 1034 using server SSL settings to process HTTPS requests/responses and deliver HTTPS response data. there is.

This allows logs of user behavior in web browsers to be recorded even when using the Diffie-Hellman algorithm.

Figure 24 is a diagram explaining an embodiment of the data management method of the present invention analyzing HTTPS-based packets.

In step S20010, the data management method configures a proxy server and sets client SSL to collect HTTPS-based packets, and in step S20020, configures a proxy server and sets server SSL. In other words, the data management method configures a proxy server, configures an SSL environment between the proxy server and the web server using server SSL settings, processes HTTPS requests/responses, and delivers HTTPS response data.

If the proxy server is configured and SSL is set, in step S20030, the data management method may collect HTTPS packets. Unlike the above, in the data management method of this figure, the case of collecting HTTPS packets is explained as an example.

In the case of an HTTPS connection, the Diffie-Hellman algorithm is used for key exchange. When packets are encrypted using the Diffie-Hellman algorithm, logs of user behavior cannot be recorded using the existing network traffic mirror technology, so the present invention suggests the following method.

In step S20040, the data management method may perform processing on HTTPS requests/responses. In other words, the data management method is to configure a proxy server and configure an SSL environment between the web browser and the proxy server using client SSL settings to process HTTPS requests/responses. Afterwards, the proxy server that receives the HTTPS request data can suspend the SSL connection, process the HTTP request/response data, and then perform the SSL connection again.

In step S20050, the data management method may generate message data 1035 by combining HTTP request/response data. At this time, the data management method can filter out unnecessary data. More specifically, the data management method may generate message data 1035 by combining HTTP request/response data, and unnecessary data (e.g., image data) may not be transmitted when logging. .

In step S20060, the data management method may load the generated message data 1035 into at least one of a memory queue or a file queue. More specifically, the data management method may use a memory queue and a file queue as queues for storing message data 1035. At this time, if only the file queue is used to store the message data 1035, there is a risk that performance will be lowered, and if only the memory queue is used, data loss may occur, so a combination of the two queues can be used.

In step S20070, the data management method may transfer and store the message data 1035 loaded in the queue to the storage. Here, the repository corresponds to a database contained within the data management platform described above.

Figure 25 is a diagram explaining an embodiment of the data management method of the present invention.

In step S30010, the data management method may collect packets through the network. For details on how the data management method of the present invention collects packets through a network, refer to the embodiments of FIGS. 5 to 7, 18, and 19.

In step S30020, the data management method may distinguish protocols based on information included in the collected packets. Refer to the embodiments of FIGS. 5 and 18 for how the data management method of the present invention distinguishes protocols based on information included in collected packets.

In step S30030, the data management method may analyze the packet based on the protocol. Refer to the embodiments of FIGS. 5, 8 to 13, and 18 to 20 for the method of analyzing packets based on the protocol in the data management method of the present invention.

In step S30040, the data management method may generate a log based on information included in the analyzed packet. Refer to the embodiments of FIGS. 18 and 21 for how the data management method of the present invention generates a log based on information included in the analyzed packet.

Through this, it is possible to satisfy the requirements for the personal information processing system based on laws or regulations. For example, according to the present invention, the condition that access records to the personal information processing system must be semantically stored according to “Article 8 of the Standards for Ensuring the Safety of Personal Information” can be satisfied.

A method using regular expressions is mainly used to extract personal information. However, there is a risk of incorrect extraction when using regular expressions.

In order to compensate for this, the present invention can increase the accuracy of personal information extraction through a multidimensional extraction method using personal information metadata and exception handling lists as well as a regular expression method to extract personal information.

Figure 26 is a diagram explaining an embodiment of extracting and storing personal information in the data management platform of the present invention.

The personal information management module 20004 included in the data management platform 10000 of the present invention can define personal information types to extract personal information from the audit log 1033. Here, the audit log 1033 may include log data for which index processing has been completed. Additionally, the type of personal information may include types of personal information such as, for example, resident registration number, credit card number, account number, etc.

More specifically, the personal information type analysis unit 2019 of the personal information management module 20004 determines the personal information type and The extraction method can be analyzed. The analysis results can be stored in personal information metadata 1036. At this time, the personal information management module 20004 stores the fields included in the personal information metadata 1036 based on the type of architecture (here, the architecture includes an application development environment and a screen user interface (UI)). can be defined. Here, the architecture type corresponds to information that distinguishes the parser that analyzes the variables and values of log data. In one embodiment, the personal information management module 20004 can classify the architecture type of field information in log data based on protocol type and URL, and generate field information of the index accordingly. Additionally, personal information metadata 1036 may include architecture type (screen type), screen information (level 1, level 2), and personal information extraction rules.

To this end, the personal information pattern storage unit 2020 of the personal information management module 20004 can store patterns used for each type of personal information. The personal information management module (20004) can define personal information types and store regular expression patterns and masking patterns used for each personal information type. Here, the reason why the personal information management module 20004 defines personal information types and stores regular expression patterns used for each personal information type is to generate information included in the personal information metadata 1036.

In conclusion, the data management platform 10000 can create personal information metadata 1036 by defining personal information types and storing regular expression patterns used for each personal information type. A personal information extraction rule can be created using the personal information exception processing list 1037 described later, and personal information can be extracted using the personal information extraction rule.

In addition, the personal information exception processing list generator 2021 of the personal information management module 20004 can create a personal information exception processing list 1037, and the personal information extraction rule generator 2022 extracts the personal information to be extracted. You can create rules. At this time, the personal information management module 20004 can check personal information items virtually extracted from the audit log 1033 using the personal information metadata 1036 to create a personal information exception processing list 1037. , Exception handling rules included in the exception handling list 1037 can be defined based on extracted values or analyzed variables.

In another embodiment, the personal information hash value collection unit 2023 of the personal information management module 20004 may collect hash values for each personal information type and create a value filter for each personal information type. there is. Here, the value filter corresponds to a filter created using the Bloom-Filter data structure for the hash value of the personal information value. The present invention has the advantage of being able to quickly check whether a comparison value is included in a large data set through a value filter.

More specifically, the personal information management module 20004 can collect hash values for personal information values for various types and store them for each personal information type. The personal information value filter generation unit 2024 of the personal information management module 20004 may generate a value filter file for each personal information type based on the collected personal information data.

Afterwards, the personal information extraction unit 2025 of the personal information management module 20004 can extract personal information, the personal information encryption unit 2026 encrypts the extracted personal information, and the personal information storage unit 2027 Encrypted personal information can be stored. More specifically, the personal information management module 20004 analyzes the log data included in the audit log 1033 by architecture type to extract variables and values, and extracts personal information (extraction) rules included in the extracted values. Personal information can be extracted using information metadata 1036.

In one embodiment, the personal information management module 20004 may verify whether the hash value of the extracted personal information value is included in the value filter. At this time, if the hash value is included in the value filter, the personal information management module 20004 may store the extracted personal information in the index of the audit log 1033. On the other hand, if the hash value is not included in the value filter, the personal information management module 20004 may determine that it was extracted incorrectly and remove the extracted personal information.

Afterwards, when searching for encrypted personal information, the personal information management module 20004 may decrypt the encrypted personal information and then output the personal information processed by the masking rule.

Hereinafter, the functions performed by the personal information management module 20004 may be referred to as those performed by the data management platform 10000.

Through this, the accuracy of personal information extraction can be increased. Hereinafter, the present invention will be described in detail through the drawings described later.

Figure 27 is a diagram illustrating an example of a regular expression pattern used in the data management platform of the present invention.

In the above-described embodiment, the data management platform may store patterns used for each type of personal information. In particular, the data management platform can store regular expression patterns and masking patterns to be used for each type of personal information.

This diagram shows regular expression patterns for each type of personal information used in the data management platform. For example, if the personal information is a social security number, the regular expression pattern is “(\d{6}[ ,-]-?[1-4]\d{6})|(\d{6}[ ,-]? [1-4])”. Also, for another example, if the personal information is a driver's license number, the regular expression pattern may correspond to “(\d{2}-\d{2}-\d{6}-\d{2})” . In this way, the data management platform provides information on each type of personal information (resident registration number, driver's license number, phone number, email address, address, date of birth, passport number, account number, credit card number, health insurance number, alien registration number, etc.). You can define regular expression patterns. Additionally, regular expression patterns for each type of personal information can be preset and stored in the data management platform. At this time, the types of personal information included in this drawing are only examples, and of course, other personal information may be included.

Figure 28 is a diagram illustrating an example of a masking pattern used in the data management platform of the present invention.

In the above-described embodiment, the data management platform may store patterns used for each type of personal information. In particular, the data management platform can store regular expression patterns and masking patterns to be used for each type of personal information.

This diagram shows masking patterns for each type of personal information used in the data management platform. Masking processing rules may include partial masking, full masking, range masking, random masking, and consistent masking.

For example, if the personal information is a resident registration number, there are standards for masking processing, and the masking pattern can correspond to “11111-2******”. In other words, in this case, some masking pattern for the resident registration number was applied.

At this time, the masking processing standard may differ depending on the preset value. In this drawing, Java is used as the standard, but of course, other masking processing rules can be applied.

The data management platform can mask personal information by type according to masking processing rules. For example, the data management platform can mask the last 6 digits of a resident registration number, and only the last 3 digits of a driver's license number can be masked.

Personal information that has been masked according to the above-described embodiment may be output in a masked state when a personal information inquiry request is made later. Accordingly, personal information can be secured when using a data management platform.

Figure 29 is a diagram illustrating an example of personal information metadata 1036 defined in the data management platform of the present invention.

In one embodiment, the data management platform may use personal information metadata 1036 to extract personal information included in the audit log. To this end, the data management platform may generate and store personal information metadata 1036.

The data management platform can define the type and method of personal information to be extracted for each architecture type and store it in personal information metadata 1036. Here, the architecture type may indicate whether it is GUI data, json data, or WEBGUI. In other words, the data management platform can define the type and method of personal information to be extracted for each GUI data, store it in the personal information metadata 1036, and define the type and method of personal information to be extracted for each json data.

More specifically, personal information metadata 1036 may include architecture type, screen information (level 1), screen information (level 2), and personal information extraction rules.

Here, the architecture type corresponds to the screen type as described above. It contains information about what screen is actually displayed. In one embodiment, personal information extraction rules may be determined based on architecture type. Additionally, the personal information metadata 1036 may include level 1 screen information and level 2 screen information corresponding to the architecture type.

Personal information extraction rules may include extraction methods and values. Examples of extraction methods include value extraction method, variable extraction method, value content extraction method, professional regular expression extraction method, and complex personal information extraction method. The extraction method will be explained below.

The value extraction method is a method of extracting personal information based on the value of the extracted personal information. At this time, the data management platform of the present invention can use a personal information type list for the value of the value extraction method.

The variable extraction method is a method of extracting personal information based on variables included in the architecture type. At this time, the data management platform of the present invention can use a personal information type list and a variable name list together for the values of the variable extraction method. Here, the variable name list corresponds to the variable name list according to personal information type. For example, in screen A (type A), “Resident” may be included in the variable name list, and in screen B (type B), “SSN” may be included in the variable name list.

The professional regular expression extraction method extracts personal information based on the full text, which cannot be parsed in the absence of variables. At this time, the data management platform of the present invention can use a personal information type list and a pattern list together for the values of the professional regular expression extraction method. Here, the pattern list may include not only regular expressions for values, but also patterns added before or after the regular expression. For example, the data management platform can include cases where the resident registration number is a regular expression and “:” in front of the resident registration number in the pattern list.

The complex personal information extraction method is a method of extracting personal information based on two or more pieces of personal information rather than extracting personal information based on one piece of personal information. In one embodiment, the data management platform can determine personal information only when both “name” and “resident registration number” exist for each architecture type. On the other hand, the data management platform may determine that it is not personal information if there is only one of “name” or “resident registration number” for each architecture type.

In this way, the data management platform of the present invention can extract personal information based on the information included in the personal information metadata 1036.

Figure 30 is a diagram illustrating an embodiment of extracting personal information by classifying architecture types in the data management platform of the present invention.

In one embodiment, the architecture type analysis unit 2029 of the data management platform 10000 classifies the architecture type from the audit log 1033 and then extracts the personal information meta defined for each architecture type through the personal information extraction unit 2025. Personal information can be extracted using data 1036.

More specifically, the data management platform 10000 may define fields included in the personal information metadata 1036 based on the architecture type. Here, the architecture type corresponds to information that distinguishes the parser that analyzes the variables and values of log data. In other words, the parsing method for analyzing variables and values varies depending on the architecture type. Therefore, the data management platform 10000 must define fields included in the personal information metadata 1036 based on the architecture type.

In one embodiment, the architecture type analysis unit 2029 of the data management platform 10000 may distinguish the architecture type based on the protocol type and URL with respect to field information in the log data included in the audit log 1033. Accordingly, the field information of the index can be created.

Accordingly, the personal information extraction unit 2025 of the data management platform 10000 extracts personal information using at least one of the personal information metadata 1036 defined for each architecture type and the above-described exception handling list 1037. You can.

Afterwards, the data management platform can encrypt the extracted personal information and store the encrypted personal information.

Figure 31 is a diagram explaining an embodiment of creating a personal information extraction rule in the data management platform of the present invention.

In one embodiment, the data management platform may generate personal information extraction rules. To this end, this drawing explains a user interface for creating personal information extraction rules. To create a personal information extraction rule, the user interface may include at least one of basic information, value regular expression extraction information, and variable-based extraction information.

More specifically, basic information represents the target to which personal information extraction rules will be applied. Here, the basic information may include at least one of log type, level 1 (screen, transaction), and level 2 (program, service). Accordingly, the user may input at least one of a log type (eg, SAP GUI log), level 1, or level 2 as the target to which the personal information extraction rule is to be applied.

Additionally, the value regular expression extraction information may include personal information to be extracted for each personal information extraction method. More specifically, total personal information exists, and the data management platform can select which personal information to extract from the user. Accordingly, the data management platform can determine personal information by extracting values from the log for each personal information extraction method and comparing them with regular expression patterns. For this purpose, the data management platform can use regular expression pattern files stored for each personal information type, which is the embodiment described above.

Additionally, the data management platform can create personal information extraction rules using the values of variables analyzed by log type. For this purpose, the data management platform can receive variable-based extraction information from the user.

Figure 32 is a diagram illustrating an embodiment of generating a personal information exception processing list in the data management platform of the present invention.

In one embodiment, the data management platform may create a personal information exception handling list 1037. More specifically, the data management platform can confirm personal information items virtually extracted from the audit log 1033 using personal information metadata 1036. In other words, the data management platform can virtually extract personal information using the items included in the personal information metadata 1036 (e.g., key/value, screen name/field name, etc. described above). Here, the virtually extracted personal information items correspond to candidate data output based on the items of personal information metadata 1036 created according to an embodiment of the present invention from the original log data.

The data management platform can create an exception handling list 1037 based on extracted values or analyzed variables. More specifically, the data management platform may create an exception handling list 1037 based on the items included in the personal information metadata 1036.

At this time, the data management platform may create an exception handling list 1037 for at least one of the architecture type, screen information, and personal information extraction rule included in the personal information metadata 1036. For example, when the data management platform creates an exception handling list, “In the first architecture (UI) type, the corresponding key is not extracted because it is not personal information” or “In the second architecture (UI) type, the corresponding key is not extracted.” You can register as follows: “Because it is not personal information, it will not be extracted.”

For example, the data management platform can extract “account number” as virtual personal information from the audit log 1033. Here, “account number” corresponds to candidate data. Additionally, the screen name/field name of the personal information metadata 1036 may include product A/serial number. Here, it is assumed that the serial number of product A does not constitute personal information. At this time, if the serial number for product A is the same as the “account number” that is personal information, the data management platform determines that the extracted “account number” is not personal information and can register it in the exception handling list (1037).

That is, the data management platform can confirm virtually extracted personal information by referring to the personal information metadata 1036 defined according to the above-described embodiment. Since the personal information at this time is candidate data rather than accurate personal information, an exception handling list 1037 can be created based on the items included in the personal information metadata 1036 for the candidate data.

In one embodiment, when extracting personal information from the audit log 1033, the data management platform may extract personal information by excluding items included in the exception handling list 1037.

Accordingly, there is an advantage in lowering the probability of extracting incorrect personal information.

Figure 33 is a diagram explaining an embodiment of creating an exception filter of the data management platform of the present invention.

In one embodiment, the data management platform may create an exception handling list using the method described above. This drawing explains the exception filter user interface for creating an exception handling list. The exception filter user interface may include at least one personal information item.

In one embodiment, the data management platform may receive exception filter information for personal information items from the user. Here, the exception filter information may include at least one of architecture type (UI type), level 1 (screen, transaction), value, level 2 (program, service), and variable.

As an example in this figure, the data management platform receives exception filter information from the user: “Architecture type = SAP GUI” “Level 1 = SE16” “Level 2 = SAPMF02D-7230” “Variable = RDTMS_VAL2” “Value = 8201301037329” can receive.

Accordingly, the data management platform can create an exception handling list using exception filter information input from the user.

Figure 34 is a diagram explaining an embodiment of searching and outputting personal information extracted from the data management platform of the present invention.

The personal information decryption unit 2028 of the personal information management module 20004 included in the data management platform 10000 of the present invention can decrypt encrypted personal information. More specifically, when a user requests personal information search through the monitoring module 20005 of the data management platform 10000, the data management platform 10000 can decrypt the encrypted personal information. At this time, the data management platform 10000 can decrypt personal information using data included in the audit log 1033.

In one embodiment, the personal information management module 20004 may decrypt encrypted personal information using an encryption key included in the database 20007. Thereafter, the masking processing unit 2029 of the personal information management module 20004 may mask the decrypted personal information and provide it to the monitoring module 20005. Here, the method for masking personal information is as described above. Accordingly, the monitoring module 20005 can output personal information masked by the personal information management module 20004 and provide it to the user.

Through this, when there is a search request for extracted personal information, the data management platform can decrypt the personal information based on the encryption key, mask it, and provide it to the user. Accordingly, it can contribute to protecting personal information.

Figure 35 is a diagram explaining an embodiment of how the data management method of the present invention manages personal information.

In step S40010, the data management method may analyze the type of personal information. To this end, data management methods can analyze the types of personal information used in audit logs.

In step S40020, the data management method may define personal information types and store patterns used for each personal information type. The data management method can store regular expression patterns and masking patterns used for each type of personal information. Accordingly, the data management method can generate personal information metadata 1036 including key/value or screen name/field name. The specific method of generating personal information metadata 1036 is as described above.

In step S40030, the data management method may generate a personal information exception processing list 1037. The data management method uses personal information metadata (1036) to identify personal information items virtually extracted from the audit log, and includes exception handling in the exception handling list (1037) based on the extracted values or analyzed variables. Rules can be defined. Accordingly, the data management method can create a personal information exception processing list 1037.

In step S40040, the data management method may generate a personal information extraction rule based on the personal information metadata 1036 and the exception handling list 1037.

In step S40050, the data management method may extract personal information based on a personal information extraction rule.

In step S40060, the data management method may encrypt and store the extracted personal information. In one embodiment, the data management method may generate an encryption key to encrypt the extracted personal information.

In step S40070, the data management method may decrypt the encrypted personal information when requesting personal information search. At this time, the data management method can decrypt the encrypted personal information using the encryption key generated when requesting personal information search.

In step S40080, the data management method may mask the decrypted personal information. The method for masking personal information is the same as described above.

In step S40090, the data management method may output masked personal information. Through this, since the decrypted personal information is masked and output, users who request a search for personal information can search and use the personal information in the database without infringing on personal information.

Additionally, there is a risk that personal information extracted using the regular expression pattern method may be extracted incorrectly. Accordingly, in the present invention, in addition to the above-described embodiments, personal information actually existing in the log can be bloom-filtered to reduce the risk of personal information being extracted incorrectly. In other words, the accuracy of personal information extraction can be improved by applying a Bloom-filter to the extracted personal information and extracting it only when it is judged to be personal information. This will be explained in detail below.

Figure 36 is a diagram illustrating another embodiment in which the data management method of the present invention extracts and stores personal information.

In step S50010, the data management method may collect a hash value for personal information. More specifically, the data management method can collect hash values for various types of personal information values from a system/platform that manages personal information, such as a personal information encryption solution. Here, the system/platform that manages personal information may exist on an external server. In one embodiment, the data management method may store collected hash values for each type of personal information.

In step S50020, the data management method may create a value filter for each personal information type. Here, the value filter corresponds to a filter created using a bloom filter data structure for the hash value of the personal information value.

In step S50030, the data management method may extract personal information. In one embodiment, log data in the audit log is analyzed by architecture type to extract variables and values, and personal information can be extracted by applying personal information extraction rules to the extracted values. This is the same as described above.

In step S50040, the data management method may verify the personal information value. That is, in addition to the above-described content, a value filter can be used to verify the extracted personal information value.

In step S50050, if the hash value for personal information is included in the value filter, in step S50060, the data management method may store the extracted personal information in the index. More specifically, if the hash value for the extracted personal information is included in a value filter created using the Bloom-Filter data structure, the data management method can determine that the extracted personal information is real personal information. . Accordingly, the data management method can store an index called real personal information for personal information extracted from the audit log.

In step S50070, if the hash value for the personal information is not included in the value filter, the data management method may remove the extracted personal information in step S50080. More specifically, if the hash value for the extracted personal information is not included in the value filter created using the Bloom-Filter data structure, the data management method may determine the extracted personal information to be fake personal information. there is. Accordingly, the data management method may determine that the extracted personal information was extracted incorrectly and remove the extracted personal information. Here, removing extracted personal information may mean losing its value as personal information rather than removing the data itself.

Accordingly, in the present invention, it is possible to quickly compare personal information managed in large quantities and values extracted from personal information using the Bloom-filter data structure. Additionally, errors regarding types of personal information whose values are difficult to verify can be eliminated.

Figure 37 is a diagram explaining an embodiment of managing personal information in the data management method of the present invention.

In step S60010, the data management method may analyze the data. For information on how the data management method of the present invention analyzes data, refer to the embodiments of FIGS. 2 to 5, 8 to 26, 29, 30, and 35.

In step S60020, the data management method may extract personal information from the analyzed data.

Refer to the embodiments of FIGS. 5, 14, 26, 35, and 36 for the method of extracting personal information by the data management method of the present invention.

The user's work activities performed on the application are expressed differently depending on the developer's tastes and development standards. In other words, the present invention aims to facilitate the classification of user actions such as “view, delete, add, change, and print” for data based on the user's work actions.

Therefore, the present invention collects the text of the application's menu and icon, automatically classifies it based on artificial intelligence, and allows detailed classification of user behavior as required by law.

Additionally, the audit log is a log that records information such as events occurring in the system and user activities, and can be used for security and audit tracking. Here, the audit log may include log data and an index corresponding to the log data.

Log data is generally distinguished by information such as time, event/action, user/subject, target/object, and result. Each log data forms one record, and multiple records can be recorded continuously. You can.

Additionally, it is common for audit log data to be indexed and managed in a database, etc. At this time, in order to efficiently search and analyze log data, an index for each log record can also be managed. Here, the index usually includes information such as fields used for search and keys to improve search speed.

For example, to retrieve records of a user deleting a specific file in an audit log with fields such as time, event/action, user/subject, target/object, etc., an index can be created by combining the time field and the target field. You can. Using the index created in this way has the advantage of significantly reducing search time.

In addition, mapping user behavior to an index has the advantage of being able to classify log data based on user behavior, making it easier for security analysis and monitoring.

The data management platform of the present invention indexes log data included in the audit log based on user behavior classified based on artificial intelligence, allowing users to search log data based on user behavior. Hereinafter, the present invention will be described in detail.

Figure 38 is a diagram explaining an embodiment of collecting and mapping user behavior in the data management platform of the present invention.

The data management platform (10000) of the present invention collects user behavior using a collection module (20001), an analysis module (20002), a monitoring module (20005), and an AI engine (20006), maps it to log data, and indexes it. Afterwards, upon request for log data inquiry, log data indexed by user behavior can be provided.

More specifically, the collection module 20001 can be used to collect keys and text corresponding to user actions. At this time, the collection module 20001 can collect user behavior by connecting to the application development environment. In the application development environment, keys and text for menus and icons for selecting user actions are stored. Accordingly, the collection module 20001 included in the data management platform 10000 of the present invention can collect keys and texts corresponding to such user actions.

AI Engine (20006) can classify user actions based on artificial intelligence (AI) from the collected text. For example, user actions may include user work actions such as viewing, deleting, adding, changing, and printing. For this purpose, AI Engine (20006) can use methods such as machine learning, deep learning, Natural Language Processing (NLP), and Rule-Based Approach.

The analysis module 20002 may generate user action metadata 1038 by dividing data on classified user actions into keys and user actions. At this time, user behavior metadata 1038 may be stored in the internal database 20007 of the data management platform 10000.

The analysis module 20002 may map the stored user behavior metadata 1038 and log data included in the audit log 1033. At this time, in order to map log data and user behavior metadata 1038, the analysis module 20002 uses fields that can be used as keys for each application development environment type when indexing log data and keys in the user behavior metadata 1038. Information can be mapped and stored in the user behavior field of the index.

Here, key information represents identification information indicating user behavior. In one embodiment, the data management platform 10000 may not store user behavior as text, but may store it as an abbreviated ID (Identification) to identify user behavior. For example, the data management platform 10000 stores “R” as key information when the user action is “search”, stores “D” as key information when the user action is “delete”, and stores “D” as key information when the user action is “search”. If the user action is “Modify,” “U” can be stored as key information, and if the user action is “Print,” “P” can be stored as key information.

Users can view logs through the monitoring module (20005). In one embodiment, when providing log data included in the audit log 1033 in the database 20007, the monitoring module 20005 may provide information to the user by referring to the user behavior field of the index.

Hereinafter, the functions performed in each module within the data management platform 10000 will be described as being performed by the data management platform 10000.

Figure 39 is a diagram explaining an embodiment of generating user behavior metadata in the data management platform of the present invention.

In one embodiment, the data management platform 10000 can collect keys and text corresponding to user behavior through the above-described AI engine, and classify the collected text into user behavior based on artificial intelligence. Accordingly, the data management platform 10000 may generate user behavior metadata 1038 for keys and text corresponding to the collected user behavior.

More specifically, the data management platform 10000 may map keys and user behavior keys for each type of application development environment to generate user behavior metadata 1038. That is, the user behavior metadata 1038 may have a key for each application development environment type, a user behavior key, and a user behavior as fields.

Here, the application development environment type may include the above-described architecture type and screen user interface type. In other words, the application development environment type represents information fields that can be used for user work actions within the application development environment. For example, it may include menu icons, ok icons, cancel icons, etc. that exist on the screen. Additionally, the user action key represents an ID for identifying the above-described user action. Accordingly, the data management platform 10000 can map keys and user behavior keys for each application development environment type within the user behavior metadata 1038.

For example, if the key for each application development environment type is “del key in the first application,” through the AI engine and analysis module described above, the data management platform 10000 maps the user behavior key “D” to user behavior metadata. (1038) can be generated. At this time, the data management platform 10000 may store together in the user action metadata 1038 that the user action of “del key in the first application”, which is a key for each application development environment type, and “D”, which is the user action key, is “delete”. .

Figure 40 is a diagram explaining an embodiment of mapping user behavior metadata and log data in the data management platform of the present invention.

In one embodiment, the data management platform 10000 may map stored user behavior metadata 1038 and log data included in the audit log 1033.

More specifically, the data management platform 10000 may index log data to map log data and user behavior metadata 1038. Specifically, the data management platform 10000 can map key fields for each application development environment type and user behavior key fields in the user behavior metadata 1038 through the above-described embodiment. Additionally, in one embodiment, data management platform 10000 may store user behavior in user behavior metadata 1038 in a user behavior field of the index.

Accordingly, when the first log data stored in the audit log 1033 represents a log in which the user presses the del key on the first application screen, the data management platform 10000 receives a request to query the first log data. , the mapped user action “delete” can be provided directly.

Mapping user behavior to an index in this way has the advantage of being able to classify log data based on user behavior, making it easier for security analysis and monitoring.

Figure 41 is a diagram illustrating an embodiment in which the data management method of the present invention generates user behavior metadata.

In step S60030, the data management method may collect keys and text for menus, buttons, or icons representing user behavior in an application development environment. More specifically, the application development environment can store keys and text for menus that select user actions. Accordingly, the data management method can collect keys and text for menus that select user actions by connecting to the application development environment. For example, the data management method may connect to a first application development environment to collect the key and text “” for a first icon representing the user action “delete” in the first application development environment.

At this time, because the text collected through artificial intelligence is classified, even if the exact same word is not used, if the meaning is the same, it can be classified as the same user action. For example, depending on the application development environment, the text corresponding to the button representing user action may be different. For example, in the first application development environment, the text corresponding to the button indicating deletion may be “delete”, but in the second application development environment, the text corresponding to the button indicating deletion may be “remove”. In this case, according to the data management method of the present invention, even if different texts are used in different application development environments, if the meaning is the same, it can be classified as the same user action.

Refer to the embodiment of FIG. 38 for how the data management method of the present invention collects keys and text representing user behavior.

In step S60040, the data management method may classify the collected text through an AI engine. Referring to the above example, the data management method can classify the text “delete” as the user action “delete” through an AI engine.

In step S60050, the data management method may store classified data as user behavior metadata. As described above, the data management method may map the key and text “” for the first icon to the user action “delete” in the first application development environment and store it in user action metadata.

Figure 42 is a diagram illustrating an embodiment of the data management method of the present invention mapping user behavior metadata and log data.

In step S60060, the data management method may cache memory for mapping log data and user behavior metadata. Here, the user behavior metadata is characterized as being created and stored in the same manner as described above. In one embodiment, the data management method may cache information to be mapped in memory in order to quickly map log data and user behavior metadata. In other words, the data management method allows for quick access by reading the information to be mapped among log data and user behavior metadata into memory in advance rather than searching it in the database.

In step S60070, the data management method may index log data and user behavior metadata after mapping them. More specifically, when indexing log data, the data management method can map key fields and user behavior key fields for each type of application development environment and store them in the user behavior field of the index. In one example, when the data management method indexes log data, it may store the user behavior of the user behavior metadata in the user behavior field of the index.

In step S60080, when a log inquiry is requested, the data management method may provide information by referring to the user behavior field of the index.

Through this, user behavior can be mapped to all log data containing personal information.

Figure 43 is a diagram explaining an embodiment in which the data management method of the present invention generates user behavior metadata.

In step S70010, the data management method may collect data. For information on how the data management method of the present invention collects data, refer to the embodiments of FIGS. 2 to 7 and FIG. 38.

In step S70020, the data management method may classify the collected data. For information on how the data management method of the present invention classifies data, refer to the embodiments of FIGS. 38, 39, and 41.

In step S70030, the data management method may generate user behavior metadata by mapping at least one piece of information included in the data. Refer to the embodiments of FIGS. 39 and 41 for how the data management method of the present invention generates user behavior metadata.

Personal information encryption keys must be changed periodically to comply with legal standards. At this time, if the key value for encryption is changed, the existing key must be decrypted and re-encrypted with the new key. In other words, when changing the key, it takes a lot of time to decrypt and re-encrypt tens of millions of pieces of data. Therefore, most companies often do not perform encryption key changes even though they must comply with legal standards.

The present invention proposes a method of separately storing the token (replacement value) for the encryption value and the key ID for the encryption value. Through this, it is possible to encrypt in real time with a newly generated key value, and provide decryption and re-encryption functions with the new key value without affecting the operating server.

Additionally, in addition to the above-mentioned points, there is a need to process encrypted data according to the requirements of the application server. At this time, when the database encryption method is used, when the data is loaded, it is decrypted and transmitted as the original text, so the original text can be leaked through various methods. Therefore, encrypted data must be processed within server memory and decrypted only when necessary.

The data management platform of the present invention has the advantage that even if the encryption key is changed, the original text is not leaked because decryption and re-encryption of the data occurs internally.

Hereinafter, the present invention will be described in detail.

Figure 44 is a diagram explaining an embodiment of encrypting personal information in the data management platform of the present invention.

In one embodiment of the present invention, the data management platform 10000 generates an encryption key and key ID through the key management module 20003, encrypts personal information using the generated encryption key, and stores the encrypted personal information. A corresponding token value can be created.

To this end, the key management module 20003 of the data management platform 10000 includes an encryption key and key ID generation unit 2015, a personal information encryption unit 2016, a token value generation unit 2017, and a mapping information storage unit 2018. ) may include. Here, the key management module 20003 may use Java and RFC and may be responsible for encryption and decryption of personal information.

Here, the encryption key and key ID generator 2015 can generate and manage the encryption key and key ID for encrypting personal information. In one embodiment, the encryption key and key ID generator 2015 may generate a new encryption key and key ID based on user control. At this time, the encryption key can be changed by issuing a new key ID.

For example, the user can select the batch encryption key change function provided by the data management platform (10000), and the encryption key and key ID generation unit (2015) can accordingly generate the encryption key and key ID with new values. there is. Additionally, in another embodiment, the encryption key and key ID generator 2015 may update the encryption key and key ID based on a preset cycle even without user control.

The personal information encryption unit (2016) can encrypt personal information using an encryption key. The personal information encryption unit 2016 can encrypt personal information using the most recent encryption key stored in the data management platform 10000.

The token value generator 2017 may generate a token value (replacement value) corresponding to the encrypted personal information.

The information storage unit 2018 may store the generated token value, the encrypted copy corresponding to the encrypted personal information, and the key ID in the mapping information table 1039. Additionally, the information storage unit 2018 may separately store the token value in the task table 1040.

In other words, even if the encryption key is changed through the encryption key and key ID generator 2015, the value stored in the task table 1040 does not change, so the encryption key can be changed without stopping system operation.

Figure 45 is a diagram explaining an embodiment of encrypting personal information in the data management platform of the present invention.

In one embodiment, the data management platform may collect personal information. The data management platform can extract personal information from data analyzed from collected packets or from data received directly. Additionally, the data management platform may receive personal information itself (e.g., social security number “730101-1088123”).

In one embodiment, the data management platform may encrypt personal information using the encryption key and key ID generated through the encryption key and key ID generator described above.

Taking this drawing as an example, the data management platform can encrypt personal information using the generated first encryption key and key ID “KEY001”. Here, the encryption key can be generated in binary form. For example, the first encryption key may correspond to “01001000 01001010 00110001 00110001 00110011 00111000 00110000 00110001 01011010 00111101 00111101”. Using the above example, personal information, resident registration number “730101-1088123”, can be encrypted using the generated encryption key.

In one embodiment, encryption may be performed by encrypting the entire personal information or encrypting part of the personal information. In particular, the present invention is characterized by encrypting some of personal information. At this time, the key ID is mapped to an encryption algorithm. In one embodiment, available encryption algorithms may use SEED, ARIA128, ARIS192, ARIA256, AES128, AES192, DES, and TDES as a two-way algorithm, and SHA-256 may be used as a one-way algorithm. At this time, an encryption algorithm may be determined based on the key ID.

After personal information is encrypted, the data management platform can generate a token value corresponding to the encrypted personal information. In the example of this figure, the token value corresponds to “abcxxf”. At this time, the token value can maintain the number and format of the encrypted personal information. For example, when the last 6 digits of the personal information, resident registration number “730101-1088123”, are partially encrypted, the token value that replaces it may correspond to “abcxxf”, which has the same number of digits and format.

In one embodiment, the data management platform may store the generated token value, the encrypted copy corresponding to the encrypted personal information, and the key ID in a mapping information table, and store the token value in a business table. The mapping information table and task table will be described later.

Figure 46 is a diagram explaining the mapping information table and task table of the present invention.

This figure is a diagram illustrating the mapping information table 1039 and the task table 1040. In this drawing, the mapping information table 1039 and the task table 1040 only show fields related to the present invention, and of course, other fields may be included.

In one embodiment, the mapping information table 1039 may include a token value, a passphrase, and a key ID. The token value, encrypted copy, and key ID are composed of respective fields, and the mapping information table 1039 can include mapping values for each field. Taking the above-described embodiment as an example, personal information can be encrypted using the key ID “KEY001”, the encrypted copy corresponding to the encrypted personal information is “HJ113801Z==”, and the corresponding token value is “ abcxxf”, the mapping information table 1039 can store the token value, encrypted copy, and key ID by mapping them to the same row.

In one embodiment, task table 1040 may include token values. Here, since the business table 1040 cannot directly store the encrypted copy or key ID because the length of the field is fixed, the data management platform separately stores the encrypted copy and key ID mapped to the token in the mapping information table 1039. You can save it.

At this time, in order for an authorized user to check personal information, the encrypted copy included in the mapping information table 1039 can be used. Taking the above example, when an authorized user requests the data management platform to decrypt personal information, the data management platform uses the token value “abcxxf” included in the task table 1040 to create the mapping information table 1039. You can extract the password “” from and decrypt personal information using the password. In particular, the present invention is characterized in that the storage where the mapping information table 1039 and the task table 1040 are stored and the storage where the encryption key and key ID are stored are separated. In addition, the data management platform of the present invention may be separately equipped with a system in which the mapping information table 1039 and the task table 1040 are stored and a system in which the encryption key and key ID are stored. Through this, legal security requirements can be satisfied.

According to the above-described embodiment, the data management platform may store the token value in the task table 1040. Here, the data management platform can keep the token value unchanged even if the key ID or personal information encryption value changes.

Through this, the encryption key and key ID can be changed while the token value remains unchanged.

Figure 47 is a diagram explaining an embodiment of generating a new encryption key in the data management platform of the present invention.

In one embodiment, the encryption key and key ID generator 2015 may generate a new encryption key and key ID. For example, the encryption key and key ID generator 2015 may generate a second encryption key and key ID “KEY002”. Here, the second encryption key may be expressed in binary, similar to the above-described embodiment.

Accordingly, the data management platform can update the encrypted copy and key ID included in the existing mapping information table 1039 with the new encrypted copy and key ID.

More specifically, the data management platform can determine the encryption algorithm based on the newly generated key ID and change the personal information encryption value using the new encryption key. To this end, the data management platform can decrypt personal information using the existing encryption key and key ID, and then re-encrypt the personal information using the newly generated encryption key and key ID.

Accordingly, the token value included in the mapping information table 1039 is maintained, but the personal information encryption value and key ID are changed to newly generated values. At this time, the token value included in the task table 1040 does not change.

Figure 48 is a diagram explaining an embodiment of adding new work data in the data management platform of the present invention.

This drawing explains an embodiment in which new personal information is added to the data management platform. When the data management platform collects or receives new business data (for example, personal information), it can encrypt the new personal information using the most recent encryption key and key ID.

For example, if the account number “114-910224-12345” is received as new personal information, the data management platform can encrypt the personal information using the second encryption key and key ID “KEY002”, which is the most recent encryption key. . Afterwards, the data management platform can generate a token value corresponding to the personal information. For example, the token value corresponds to “hijklm”.

The data management platform may store the token value, encrypted copy, and key ID in the mapping information table 1039, and store the token value in the task table 1040.

The mapping information table 1039, which reflects the most recent encryption key and key ID before new personal information is added, stores the token value “abcxxf”, ciphertext “29AB3801Z==”, and key ID “KEY002” in the first row. . When new personal information is added, the mapping information table 1039 may further include token value “hijklm” ciphertext “AQ348701Z==” and key ID “KEY002” in the second row.

Likewise, before new personal information is added, the business table 1040 stores “abcxxf” in the first row, and when new personal information is added, “hijklm” can be stored in the second row.

In other words, the data management platform of the present invention can update the information included in the mapping information table 1039 based on the most recent encryption key and key ID, and can proceed with decryption and re-encryption of personal information by changing only the key ID. Therefore, tens of millions of pieces of data can be changed in real time.

Figure 49 is a diagram explaining an actual use example of personal information encryption of the present invention.

In one embodiment, the user may access the operating system 1041 of the application server and enter personal information. Accordingly, the data management platform 10000 can encrypt and decrypt personal information. At this time, the data management platform 10000 can encrypt personal information by generating the above-described encryption key and key ID. Additionally, the data management platform 10000 can change the key in real time based on the user's command, making it impossible to decrypt personal information with the existing key. Accordingly, the data management platform 10000 can decrypt and re-encrypt personal information using the most recent encryption key and key ID.

In one embodiment, the data management platform 10000 may generate a token value corresponding to the encrypted personal information. Thereafter, the data management platform 10000 may store the generated token value, password, and key ID in the mapping information table 1039, and store the token value in the task table 1040. Additionally, the mapping information table 1039 and the task table 1040 may be stored in an internal or external database of the data management platform 10000. At this time, the database stored in the mapping information table 1039 and the task table 1040 and the database storing the encryption key and key ID must be provided separately.

Accordingly, when an unauthorized user accesses the system 1041 and inquires personal information, the data management platform 10000 may return only the token value corresponding to the encrypted personal information.

Figure 50 is a diagram explaining an embodiment of the data management method of the present invention encrypting personal information.

At step S80010, the data management method may generate an encryption key and a key ID. At this time, the key ID is mapped to an encryption algorithm.

In step S80020, the data management method may encrypt personal information using the generated encryption key. In one embodiment, the data management method may encrypt personal information using the most recent encryption key.

In step S80030, the data management method may generate a token value (replacement value) corresponding to the encrypted personal information. In one embodiment, the token value may maintain the number and format of the encrypted personal information.

In step S80040, the data management method may store mapping information including a token value, encrypted copy, and key ID in a mapping information table.

In step S80050, the data management method may store the token value in a business table.

Figure 51 is a diagram illustrating an embodiment in which the data management method of the present invention generates a new encryption key.

In step S80060, the data management method may generate a new encryption key and a new key ID. In one embodiment, the data management method may automatically generate a new encryption key and a new key ID according to user settings or periodically.

In step S80070, the data management method may decrypt personal information encrypted using an existing encryption key.

In step S80080, the data management method may re-encrypt the personal information using a new encryption key.

In step S80090, the data management method may store mapping information including a token value, a new encrypted copy, and a new key ID in a mapping information table. At this time, there is no effect on the token value stored in the business table.

Figure 52 is a diagram illustrating an embodiment of the data management method of the present invention adding new work data.

In one embodiment, when receiving new business data, the data management method may determine whether information that requires encryption exists among information included in the new business data. More specifically, the data management method may encrypt the personal information and store it in a database when new work data is received and the new work data includes personal information. Hereinafter, an example will be given where the information included in newly received work data that requires encryption is personal information. However, of course, it can be applied to other information that requires encryption even if it is not personal information.

At step S90010, the data management method may receive new personal information. In one embodiment, the data management method may receive personal information from data analyzed from collected packets or from data received directly.

In step S90020, the data management method may encrypt personal information by applying the most recent encryption key and key ID to new personal information.

In step S90030, the data management method may generate a token value corresponding to personal information.

In step S90040, the data management method may store mapping information including a token value, encrypted copy, and key ID in a mapping information table.

In step S90050, the data management method may store the token value in a business table.

Figure 53 is a diagram explaining an embodiment of the data management method of the present invention encrypting personal information.

In step S90060, the data management method may collect first data. For information on how the data management method of the present invention collects first data, refer to the embodiments of FIGS. 2 to 7.

In step S90070, the data management method may analyze the first data. Refer to the embodiments of FIGS. 2 to 5 and 8 to 13 for how the data management method of the present invention analyzes the first data.

In step S90080, the data management method may extract first personal information from first data. For the method of extracting first personal information from first data by the data management method of the present invention, refer to the embodiments of FIGS. 2 to 5, 14, and 44.

In step S90090, the data management method may encrypt the first personal information. For the method of encrypting the first personal information in the data management method of the present invention, refer to the embodiments of FIGS. 44 to 48.

If the data contains personal information, it is necessary to encrypt the personal information and store it separately in accordance with legal conditions. That is, as described above, the data management platform of the present invention can store personal information as a token value. However, there are cases where personal information is used for testing at the request of the system operator.

In the present invention, the token value stored in the system is maintained, and only the encrypted data is altered so that it can be used in the test system. In other words, the present invention can provide data different from the encrypted data by providing altered data when encrypted personal information is searched in a test environment.

This has the advantage of being able to fulfill its intended purpose and prevent data leakage through internal/external developers.

Figure 54 is a diagram explaining an embodiment of modulating data in the data management platform of the present invention.

The data management platform 10000 of the present invention can modulate data through the key management module 20003. To this end, the key management module 20003 of the data management platform 10000 includes a token value/mapping information generation unit 2017, a mapping information storage unit 2018, a data modulation unit 2030, and a data inquiry unit 2031. Includes.

The token value/mapping information generator 2017 may generate a token value and mapping information corresponding to data to be modulated. Here, the token value supports the alteration of data and can be used in place of the original data.

The mapping information storage unit 2018 may store the generated token value in the task table 1040, and store the token value, the encrypted copy corresponding to the original data, and other information in the mapping information table 1039. Through this, it is possible to connect the falsified data and the original data and provide reliability for the falsified information.

Additionally, the mapping information storage unit 2018 allows information stored in the task table 1040 and the mapping information table 1039 to be searched based on external requests. Through this, access to and verification of falsified data can be facilitated.

The data modulator 2030 may modulate original data into altered data according to the modulation policy. In other words, the data modulation unit 2030 does not change the token value stored in the business table 1040, but modifies the password stored in the mapping information table 1039 with the altered password to achieve the effect of modifying business data. You can. Additionally, in one embodiment, the data modulation unit 2030 may manage the cycle and approval of policies for data modulation. More specifically, the policy for modification may include which original data will be modified using which key. Additionally, the modulation period can be set by the user. Additionally, the data management platform 10000 may request the user whether to apply the modulation after performing data modulation regarding whether to approve the modulation. Through this, it is possible to control data tampering operations and establish verification procedures for tampering operations.

The data search unit 2031 can search data using the token value stored in the task table 1040 and the mapping information stored in the mapping information table 1039. At this time, the data inquiry unit 2031 can maintain the safety of the original data by providing altered data to the user who requested the inquiry.

Figure 55 is a diagram illustrating an embodiment in which the data management method of the present invention generates token values and mapping information corresponding to data.

In step S11010, the data management method may receive data. Here, the received data may correspond to data subject to modulation. In one embodiment, it may respond to data that a user has requested to be altered.

In step S11020, the data management method may generate token values and mapping information corresponding to the received data. Here, the mapping information may include the encrypted text and other information about the encrypted text. At this time, other information may include information about the actual encrypted data of the original data, hash information, key ID, etc.

In step S11030, the data management method may store the generated token value and mapping information in a mapping information table. In one embodiment, the data management method may map token values and mapping information corresponding to data to be altered and store them in a mapping information table. Additionally, the data management method can store token values in a business table.

Figure 56 is a diagram explaining the mapping information table and task table of the present invention.

In one embodiment, the mapping information table 1039 may include a token value, encrypted copy, and other information corresponding to the data to be altered. For example, if the data to be altered is personal information and a resident registration number, and the original data is “730101-1111111”, the encrypted original data may correspond to “730101-1abcxxf”. In one embodiment, the data management platform may generate “abcxxf” as a token value for the original data “730101-1111111”, which is the target data.

Accordingly, the data management platform stores the password “HJ113801Z==” corresponding to the original data “730101-1111111”, the token value “abcxxf”, and other information about the original data “730101-1111111” in the mapping information table 1039. It can be mapped and saved. Here, other information may include encryption key information and original hash information for the original data “730101-1111111”. For example, other information may include the key ID for the original data “730101-1111111”. This is the same as described above.

In one embodiment, task table 1040 may include token values. Referring to the above example, if the data to be altered is personal information and a resident registration number, “730101-1abcxxf”, which is the original data in an encrypted state, may be stored in the work table 1040.

At this time, the token value stored in the business table 1040 does not change even if the data is encrypted or altered, so the integrity of the data can be guaranteed.

Figure 57 is a diagram explaining an embodiment in which the data management method of the present invention modifies data.

In step S11040, the data management method may modulate original data according to a modulation policy. Here, the modulation policy may include information about which data will be modulated with which key. More specifically, the definition of data modification refers to changing original data into other data. In the data management method of the present invention, the process of encrypting encrypted data into another data while maintaining the format, format, or length of the data can be viewed as a data modification process. To this end, the data management method can use a modulation key to modulate encrypted data into other data. Here, the modulation key may be the same as or different from the encryption key in the above-described embodiment. More specifically, the modulation key and the encryption key may be physically the same key, but may be used for different purposes.

In step S11050, the data management method may store the modulated data in a mapping information table. In one embodiment, the data management method may replace encrypted original data stored in a mapping information table with altered data.

Figure 58 is a diagram explaining the mapping information table and task table in which the modulated data of the present invention is stored.

In one embodiment, the mapping information table 1039 may include a token value corresponding to the data to be altered, an original data value, and other information. According to the above-described embodiment, when data modulation is performed, the mapping information table 1039 may include a token value corresponding to the data to be modulated, a modulated data value, and other information. That is, when data modification is performed, the data management platform can change the original data included in the mapping information table 1039 into the modified data.

Taking the above example, when the original data is an encrypted resident registration number, the mapping information table 1039 stores the first encrypted text “HJ113801Z==” corresponding to the original data “730101-1111111”. At this time, when data modification occurs through the data management platform, the original data is modified to “730101-1222222”, and the mapping information table 1039 contains the second password “AB123051X=” corresponding to the modified data “730101-1222222”. =” can be stored. At this time, the data management platform does not change the token value stored in the task table 1040.

Figure 59 is a diagram illustrating an embodiment of searching for altered data in the data management method of the present invention.

In step S11060, the data management method may receive a data inquiry request. For example, a first user may request data.

In step S11070, the data management method can query the altered data using mapping information and token values. More specifically, the data management method may retrieve a token value from a business table and provide modulated data corresponding to the token value from a mapping information table. Accordingly, the user requesting data can confirm the altered data.

Taking the above example, when a user requests data for the token value “abcxxf”, the data management method provides the first user with a modulated data value “730101-1222222” corresponding to the token value “abcxxf”. can do. At this time, the data management method may use the above-described second encryption copy to provide the modulated data value.

In other words, users may be provided with altered data rather than encrypted original data.

Figure 60 is a diagram explaining an embodiment of modulating data in the data management platform of the present invention.

The data management platform described above can be used in operational ERP (Enterprise Resource Planning) systems and test ERP systems. Here, the ERP system integrates and manages various departments and business areas within a company and corresponds to a software system that efficiently plans, coordinates, and manages resources centrally. In other words, the ERP system is composed of various modules, and each module can provide functions and data for specific tasks. At this time, the module used in the ERP system corresponds to the module of the data management platform (10000) of the present invention.

In one embodiment, a user 3001 of the operational ERP system may input encrypted data 3002 containing a token value into the operational ERP system and receive decrypted data 3003 through the data management platform 10000. You can. Accordingly, the user 3001 of the operational ERP system can decrypt and confirm personal information that requires encryption.

Thereafter, the developer 3004 of the test ERP system may input the encrypted data 3002 including the token value into the test ERP system. At this time, the data management platform can copy and then modify the data existing in the operational ERP system and transmit the modified data to the test ERP system. Additionally, data tampering can be performed in an operational ERP system or a test ERP system. For information on how to perform data falsification in an operational ERP system or a test ERP system, refer to the above-described embodiment. In one embodiment, the data modulation point may be determined according to a preset period. That is, the data management platform 10000 does not perform data modification in real time according to the request of the developer 3004.

Accordingly, the developer 3004 can receive the modulated data 3005. Through this, users (developer 3004 in this drawing) who need to transfer data from the operational ERP system to the development environment and use it for testing can comply with the regulations of the Financial Supervisory Service. (Reference: Article 9, Paragraph 10 of the Enforcement Decree of the Electronic Financial Supervision Regulations “Virtual data must be used preferentially when testing related to service development or improvement.”)

Figure 61 is a diagram explaining an embodiment of modulating data in the data management platform of the present invention.

Users of the operational ERP system can transfer operational data to the test ERP system (system copy). In other words, migration can be performed. Migration refers to the process of transferring or converting from one system to another. In particular, data migration involves transferring data created and stored in an existing system to a new system. Data migration must ensure normal operation in the new system while maintaining data consistency and integrity.

The data management platform (10000) of the present invention can help users of an operational ERP system transfer operational data to a test ERP system while altering the data to comply with laws or regulations.

More specifically, users of an operational ERP system can migrate encrypted data 3002 containing personal information to a test ERP system. Here, the encrypted data 3002 may include a token value. Taking this drawing as an example, if the personal information is a resident registration number, the encrypted data 3002 corresponds to “720403-1kjWkaq” including the token value. Here, the token value may correspond to “kjWkaq”.

In one embodiment, the test ERP system may request data tampering from the data management platform 10000. Accordingly, the data management platform 10000 can receive data from the application operation encryption server 1020a using the first encryption copy 3002a stored in the mapping information table and decrypt the encrypted data. When the encrypted data 3002 is decrypted, using the above example, the decrypted personal information corresponds to “720403-1234567”.

Thereafter, the data management platform 10000 may modulate the decrypted data 3003 using the key management module 20003 and transmit the altered data 3005 to the test ERP system. Taking the above example, the decrypted and altered personal information corresponds to “720403-1765432”. In other words, data altered through the data management platform 10000 maintains the same format as existing personal information before alteration, but may include different content.

Thereafter, the data management platform 10000 may transmit the second encrypted copy 3002b corresponding to the altered data 3005 to the application quality encryption server 1020b. The application quality encryption server 1020b transmits the second password 3002b to the test ERP system, allowing the developer of the test ERP system to use the altered personal information “720403-1765432” for testing.

Since anyone can access the test ERP system, even if the data is decrypted, the original data should not be used, and this can be prevented through the data management platform (10000) of the present invention.

Figure 62 is a diagram explaining an embodiment in which the data management method of the present invention modifies data.

In step S11081, the data management method of the present invention may receive a request for modulation of data. At this time, the data management method may receive a request for modification of data based on a request from a user of the system. For this, please refer to the embodiments of FIGS. 1 to 3 and FIG. 17.

In step S11082, the data management method of the present invention can decrypt data. At this time, the data management method can use the first encrypted copy included in the mapping information table to decrypt the data. For information on how the data management method of the present invention decrypts data, refer to the embodiments of FIGS. 54 to 61.

In step S11083, the data management method of the present invention can modulate the decrypted data. For a method of modulating decrypted data by the data management method of the present invention, refer to the embodiments of FIGS. 54 to 61.

In step S11084, the data management method of the present invention may store the token value corresponding to the altered data and the second encrypted copy corresponding to the altered data in the mapping information table. For information on how the data management method of the present invention stores token values and encrypted copies in a mapping information table, refer to the embodiments of FIGS. 44 to 53.

According to the present invention, there is an advantage in that a data modulation function can be provided in a test environment. In other words, if the development system contains actual operational data, serious problems such as external leakage may occur, so forgery/falsification and storage management are necessary. Modifying data through token processing as in the present invention has the advantage of increasing work efficiency because all values can be modulated by only modulating thousands of data excluding duplicates, rather than tens or hundreds of millions of data.

In addition, for all companies that require backup for business purposes, it has the advantage of being able to modify even old backed-up data.

Additionally, it has the advantage of being able to provide reliability for falsified data through token values and mapping information.

When using agents to collect logs, tasks such as changing settings for multiple agents, configuration management, and status monitoring require a lot of manual work and increase complexity. This may reduce work efficiency. The present invention seeks to solve this problem through central management of agents for data collection. Through this, work efficiency can be increased by automating and centralizing tasks such as patching, operation management, and settings management for agents.

Figure 63 is a diagram explaining an embodiment of managing agents in the data management platform of the present invention.

The collection module 20001 of the data management platform 10000 of the present invention can manage at least one agent 20008a, 20008b, ... through the agent management unit 2032. Here, the agent is a computer system or The agent of the present invention may correspond to a software module or program installed and executed to perform a specific task on a network and may be installed on a host server to perform a set function (for example, a data collection function).

To this end, the collection module 20001 of the data management platform 10000 may include an agent management unit 2032.

The agent management unit 2032 can manage the configuration of the agent. Here, the shape for the agent may represent the version of the agent. The agent management unit 2032 monitors shape information about the agent installed in the collection target and can execute a command to update the shape to a new version. Here, the collection object corresponds to the host server from which logs are to be collected in the data management platform 10000 of the present invention. Additionally, the agent management unit 2032 may monitor the collection status of at least one agent 20008a, 20008b,...

In one embodiment, the agent management unit 2032 may generate commands necessary for execution for each of at least one agent 20008a, 20008b, ... and distribute them to the corresponding agent. For example, the agent management unit 2032 may generate commands necessary for execution for each agent 20008a, 20008b, ... and distribute them to the corresponding agent. For example, the agent management unit 2032 may generate commands required for execution for each agent 20008a, 20008b, etc. A log data collection command for the agent 20008a may be created and the log data collection command may be distributed to the first agent 20008a.

In one embodiment, the agent management unit 2032 may manage a list of servers on which at least one agent 20008a, 20008b, ... is installed.

At this time, the agent may include at least one module to perform a data collection function. In one embodiment, the first agent 20008a may include a watchdog module 2033 and a worker module 2034. Here, the worker module actually performs the function of collecting data and may be referred to as an agent module.

Here, the watchdog module 2033 is one of the modules used in the first agent 20008a, and may perform a function of detecting an unexpected operation or abnormal state of the agent. In one embodiment, the watchdog module 2033 may be responsible for communication with the data management platform 10000 and may be responsible for controlling the worker module 2034.

The worker module 2034 is a module that performs the core functions of the first agent 20008a and mainly operates in the background and may be responsible for processing specific tasks and returning results.

In particular, in the present invention, the worker module 2034 can execute the command received from the watchdog module 2033 and return the execution result to the data management platform 10000.

Accordingly, the data management platform 10000 may store data collected from at least one agent 20008a and 20008b in the database 20007.

In particular, in this drawing, only two agents are used as an example, but the same can be applied even when there are dozens to hundreds of agents. In other words, policies can be distributed to update tens to hundreds of agents simultaneously, thereby maximizing work efficiency.

Figure 64 is a diagram explaining a method of managing an agent in the data management method of the present invention.

The following steps describe an example of how the data management method of the present invention is performed to manage the agent installed on the host server. In particular, it goes without saying that the following methods may not be performed simultaneously, but may be performed individually.

In step S12010, the data management method of the present invention can manage the shape of the agent. In one embodiment, the data management method can manage the configuration for the agent according to the administrator's request. For example, the manager may request shape updates for multiple agents through the agent management unit. Through this, agent updates, patches, and rollbacks can be easily performed.

In step S12020, the data management method of the present invention can generate commands necessary for execution for each agent and distribute them to the corresponding agents. In one embodiment, the data management method may generate commands required to perform updates for each agent based on the manager's request for a shape update and distribute them to the corresponding agents. For example, when an administrator uploads a patch file to the agent management unit and requests an agent update, the agent management unit can generate commands necessary to perform the update for each agent. Afterwards, the agent's watchdog module can receive the command and restart the worker module. The agent's operation will be described in detail below.

In step S12030, the data management method of the present invention can monitor the status of the agent. More specifically, the data management method can monitor the agent's operating status, connection status, etc. in real time and respond when problems occur.

Figure 65 is a diagram explaining a communication method with an agent in the data management method of the present invention.

In step S12040, the data management method of the present invention can transmit a command to the agent's watchdog module. More specifically, the data management method can generate commands necessary for operation for each agent and transmit them to the agent. Accordingly, the agent's watchdog module can receive commands from the outside.

In step S12050, the data management method of the present invention can store data collected from the agent's worker module. The agent's worker module can collect data from the server where the agent is installed. At this time, data collected through the worker module can be directly transmitted to the collection module of the data management platform. In one embodiment, data collected through the worker module may be encrypted for each agent and transmitted to the collection module of the data management platform. At this time, data collected based on a different encryption method for each agent may be delivered. For example, data transmitted from the agent to the data management platform may be encrypted and transmitted using SSL/TLS (Secure Sockets Layer/Transport Layer Security) encryption protocols, VPN encryption protocols, and symmetric key or asymmetric key encryption algorithms. Through this, data collected from individual agents can be safely encrypted and delivered to the data management platform.

Afterwards, the collection module of the data management platform can store the data collected from the agent. In one embodiment, the collection module of the data management platform may store data collected from agents in a database.

Through this, the data management method of the present invention can perform efficient communication with agents, data collection and storage.

Figure 66 is a diagram explaining the operation method of the agent in the data management method of the present invention.

In step S12060, the agent may communicate with the agent management unit of the collection module of the data management platform. The agent can receive commands required for execution from the agent management unit.

In step S12070, the agent may transmit the command received from the agent management unit to the worker module.

In step S12080, a command may be executed in the agent's worker module. The worker module is a module that performs the core functions of the agent and can execute commands and return results.

In step S12090, the agent can collect data corresponding to the performance results through the worker module. In one embodiment, when instructed to perform a function of collecting data from a host server on which an agent is installed, the worker module may collect data from the host server. Afterwards, the agent can encrypt the collected data and transmit it to the data management platform.

Figure 67 is a diagram explaining the operation method of the agent in the data management method of the present invention.

In step S13010, the data management method of the present invention can monitor shape information of at least one agent collecting data. The data management method of the present invention can collect data using the embodiments of FIGS. 1 to 7 or the embodiments of FIGS. 63 to 66. In step S13010, an agent can be installed on the host server to use the data collection method of FIGS. 63 to 66. At this time, unlike the embodiment of Figures 1 to 7, which collects data from packets transmitted and received on the network, since the agent is installed on the host server, all log data generated on the host server can be collected.

In step S13020, the data management method of the present invention can generate a command necessary for update based on a request for update of shape information. For this, please refer to the embodiment of Figure 64.

In step S13030, the data management method of the present invention may distribute the generated command to at least one agent. For this, please refer to the embodiment of Figure 64.

Some users may find it difficult to input regular expressions to extract necessary information from log data. The present invention seeks to solve this problem through normalization of log data. Through this, user convenience can be increased by easily creating a parser that includes regular expressions to extract a portion of meaningful data from log data.

Figure 68 is a diagram explaining an embodiment in which the data management platform of the present invention normalizes log data.

The data management platform (10000) of the present invention can normalize log data through a collection module (20001), an analysis module (20002), and a monitoring module (20005), and according to the event log search request of the user/client (1000) You can search log data.

Specifically, the collection module 20001 may include a log collection unit 2040. The log collection unit 2040 may acquire at least one log data transmitted from outside.

The analysis module 20002 may include a parser generator 2043, a conversion rule generator 2044, and a collection rule generator 2045. The parser generator 2043 can extract matching blocks for each regular expression pattern that is used more than a certain frequency in the selected text. Here, the regular expression pattern may include regular expression patterns that are frequently used more than a certain frequency, such as dates, times, and strings. Additionally, a matching block can represent text information that matches a regular expression pattern.

The parser generator 2043 may generate a parser including a regular expression for extracting text from log data based on a matching block selected by user input among a plurality of extracted matching blocks. In one embodiment, the parser may include field names based on user input.

In one embodiment, the parser generator 2043 may verify the regular expression by testing the regular expression in log data. That is, the parser generator 2043 can test whether the field value corresponding to each field is properly extracted from log data using regular expressions.

The conversion rule generator 2044 may generate a conversion rule including a parser based on a regular expression and an event type corresponding to the parser. The conversion rule generator 2044 may scan for a parser based on a regular expression that matches log data based on user input among previously generated parsers. The conversion rule generator 2044 may apply a parser based on user input among available parsers for the corresponding log data to a conversion rule and store it. In other words, the conversion rule may represent a rule on how to process and store the extracted fields when saving log data.

Therefore, according to the present invention, the convenience of completing the entire regular expression can be provided to users who have difficulty entering regular expressions by partially assisting them in entering regular expressions. Additionally, according to the present invention, it is possible to provide the convenience of scanning a previously created parser to increase the reusability of the registered parser.

The collection rule generator 2045 may select a transformation rule to be used for log data of the log collection device and create a collection path rule.

The monitoring module 20005 may include a search request processing unit 2041, a user input processing unit 2042, and an event log search unit 2046.

The search request processing unit 2041 may receive an event search request for an event type from the user/client 1000. Thereafter, the search request processing unit 2041 may transmit a search result extracted from at least one pre-stored log data to the user/client 1000. In this case, the transmitted search results may be displayed on the screen of the user/client 1000.

The user input processing unit 2042 may obtain information based on user input from the user/client 1000. That is, the user input processing unit 2042 can obtain information selected by user input through the user/client 1000.

In one embodiment, information based on user input is stored in log data for generating and testing regular expressions, text included in the log data, a matching block selected from a plurality of matching blocks representing text information, a field for text, and a parser. It may include at least one of the event type, registration information of the log collection device, and collection path rules.

The event log search unit 2046 may output search results extracted from at least one pre-stored log data based on at least one of a parser, a collection path rule, and a transformation rule in response to receiving an event search request for an event type. there is.

Figure 69 is a diagram explaining an embodiment of how the data management method of the present invention generates a parser.

In step S18010, the data management method may acquire log data. In one embodiment, the data management method may obtain log data input by the user through the user/client 1000.

In step S18020, the data management method may obtain text included in log data based on user input. In other words, the data management method can obtain text selected by the user to convert it into a regular expression from the original log data. In one embodiment, a regular expression may be referred to as a 'regular expression' or a term with an equivalent technical meaning.

In step S18030, the data management method may generate a matching block representing text information about the text. For example, text information may represent a variety of text information, such as one number, one or more numbers excluding spaces, one letter, one or more letters excluding spaces, and all characters between double quotation marks.

In step S18040, the data management method may generate a regular expression for extracting text from log data based on the matching block. In one embodiment, a regular expression is generated for each text included in log data, and an entire regular expression including each regular expression can be generated.

In step S18050, the data management method may obtain a field for text based on user input. In other words, the data management method can obtain field name information for setting the field name for the corresponding text.

At step S18060, the data management method may generate a parser including regular expressions and fields.

Figure 70 is a diagram explaining an example of a parser creation screen of the present invention.

In one embodiment, the parser creation screen may be displayed by the user/client 1000. The parser creation screen may include log data 1042, text 1043, matching block 1044, regular expression 1045, and field 1046.

Log data 1042 is input by the user, and text 1043 included in the log data 1042 can be selected and input. For example, text may consist of a string, which may represent the number 16.

When the input log data 1042 and text 1043 are delivered to the data management platform 10000, a number of matching blocks corresponding to the text 1043 generated by the data management platform 10000 are sent to the user/client 1000. ) can be displayed on the parser creation screen.

In this case, each of the multiple matching blocks may be distinguished by color, and each matching block may represent different text information. Afterwards, when one matching block 1044 representing text information of the text 1043 is selected among the plurality of matching blocks by user input, a regular expression 1045 corresponding to the selected matching block 1044 will be automatically generated. You can. For example, the regular expression 1045 can be expressed as (?<REPLACEGROUPNAME>/d+).

Additionally, the field 1046 corresponding to the text 1043 is entered by the user, and a parser including the entire regular expression and field can be created.

Figure 71 is a diagram illustrating an example of a parser test screen of the present invention.

In one embodiment, the parser test screen may be displayed by the user/client 1000. Testing can be done against the parser, including full regular expressions and fields. In this case, when the log data 1042 is input by the user and the test proceeds, field values corresponding to each field can be extracted from the log data.

For example, the field name of the field may include Facility, Severity, Action, Time, RuleID, Proto, Src, SrcPort, Dst, DstPort, and Direction, but is not limited to this and may be configured in various ways. Additionally, it can be confirmed that the field value of 124.243.76.7 was extracted for the Dst field, and through this test, the parser containing the corresponding regular expression can be verified.

Figure 72 is a diagram illustrating an embodiment of how the data management method of the present invention generates a conversion rule.

In step S19010, the data management method may acquire log data. In one embodiment, the data management method may obtain log data input by the user through the user/client 1000.

In step S19020, the data management method may determine a parser corresponding to the log data. That is, the parser corresponding to the log data can be determined through scanning the log data input by the user, and the parser name, version, and parser type for the parser can be determined. In this case, as described above, if the parser is based on a regular expression, the parser type may represent a regular expression.

At step S19030, the data management method may determine an event type for the parser based on user input. For example, event types may include, but are not limited to, personal information search logs and firewall logs, and may consist of various types.

In step S19040, the data management method may determine at least one field corresponding to the parser and event type. In one embodiment, the data management method may perform batch registration of the fields of each parser of the transformation rule. For example, during batch registration, the field, field name, field type (number or string), and data type can be determined.

In step S19050, the data management method may generate a conversion rule including a parser, an event type, and at least one field. That is, according to the present invention, the data management method can determine whether to store what to save and what not to save among the actually extracted field values through conversion rules. In other words, the data management method extracts field values from log data using a parser containing regular expressions, and determines which of the extracted field values and how to store them through conversion rules.

Figure 73 is a diagram explaining an embodiment of the conversion rule creation screen of the present invention.

In one embodiment, the conversion rule creation screen may be displayed by the user/client 1000. In this case, when log data 1042 is input by the user and scanning proceeds, a parser 1047 corresponding to the log data may be determined.

The event type 1048 for the parser 1047 may then be selected based on input by the user. For example, event type 1048 may be determined to be a firewall log.

In one embodiment, the configuration of the parser 1047 and event type 1048 determined for the corresponding log data 1042 may be included in the conversion code, and the conversion rule may include at least one conversion code.

For example, the transformation rule may include a first transformation code consisting of a parser and firewalllogin event type with the parser name FIREWALL_ADMITTED_PARSER and a second transformation code consisting of a parser and firewalllogin event type with the parser name FIREWALL_DENIED_PARSER.

Figure 74 is a diagram illustrating an embodiment of the parser field batch registration screen of the present invention.

In one embodiment, the parser field batch registration screen may be displayed by the user/client 1000. In this case, batch registration can be performed for each field 1046, and the matching method, field 1046, field name, field type, and data type can be set. For example, for a field whose matching method is new registration, the field 1046, field name, field type, and data type may be determined by user input. For example, a field type can contain number or string, and a data type can contain INT, which represents a number, or STRING, which represents a string.

In one embodiment, additional fields in addition to the fields corresponding to the host, source, time, device IP, and device name may be registered in batches. In one embodiment, when a conversion rule includes a plurality of conversion codes, for example, a first conversion code and a second conversion code, batch registration of fields for the first conversion code and batch registration of fields for the second conversion code Each of these can be done.

Figure 75 is a diagram illustrating an embodiment of how the data management method of the present invention creates a collection path rule.

In step S11110, the data management method may register a log collection device for collecting log data. In one embodiment, when registering a log collection device, the device name, device IP, device type, OS (operating system), and collection type for the log collection device can be set through the user/client 1000 by user input. there is.

In step S11120, the data management method may create a collection path rule by selecting a conversion rule to be used for log data of the log collection device based on user input. In one embodiment, the collection path rule may include at least one of a collection path, collection type, and equipment name.

In one embodiment, collection types may include agent method and system log method. Here, the agent method includes installing an agent program on the system and equipment to transmit necessary log data, and the system log method includes collecting logs from various complementary devices and network devices such as switches, routers, and firewalls. You can.

In step S11130, the data management method may apply a transformation rule to the collection path rule.

Figure 76 is a diagram illustrating an example of a collection path rule creation screen of the present invention.

In one embodiment, a collection path rule creation screen may be displayed by the user/client 1000. In this case, the equipment name 1049 and collection type 1050 based on user input may be displayed. The device name 1049 includes the device name of the log collection device and may change as the device linked to collect log data is set. The collection type 1050 can be set to either agent method or system log method. For example, SYSLOG, which is a system log method, may be displayed.

In one embodiment, the collection path rule creation screen may display information about the collection path, reflection start, last modification time, and whether reflection is necessary, in addition to the equipment name 1049 and collection type 1050. For example, a collection path may include collection type and device IP. In addition, whether reflection is necessary may indicate whether reflection in the collection path rule is necessary due to a change in the conversion rule included in the corresponding collection path rule.

When a conversion rule is applied to the collection path rule created in this way, the log collection device and the corresponding collection type may be linked to the conversion rule.

Figure 77 is a diagram illustrating an embodiment of the data management method of the present invention searching an event log.

In step S12110, the data management method may receive an event log search request for an event type from the user/client 1000. In one embodiment, an event log search request may be received for an event type selected by the user among multiple event types.

In step S12120, the data management method may output a search result extracted from at least one log data previously stored based on a collection path rule, a transformation rule, and a parser in response to an event log search request. In one embodiment, the at least one log data may correspond to an event type and may include log data collected over a certain period of time and stored in advance.

That is, according to the present invention, by parsing and distinguishing the information (i.e., field values) loaded in the log data using regular expressions, the user can more easily check the information contained in the divided log data when analyzing the log data. You can.

In step S12130, the data management method may transmit the search results to the user/client 1000. In this case, the search results may include field values parsed from log data, and according to the event log search request by the user, the field values parsed by the parser are displayed in the form of a dashboard on the screen of the user/client (1000). can be displayed.

Figure 78 is a diagram illustrating an example of an event log search screen of the present invention.

In one embodiment, an event log search screen may be displayed by the user/client 1000. In this case, an event type 1048 for searching the corresponding log data may be set. For example, a firewall log may be set as the event type 1048.

Afterwards, a period during which the search will be conducted can be set, and search results can be output from log data previously stored for that period. Search results can be displayed by organizing field values corresponding to each field (1049), for example, time, facility, severity, allow/block, time, firewall policy ID, protocol, source IP, source port, target. IP, target port and direction can be displayed. In this way, since the field values for each field 1049 are distinguished for each log data, the user can more easily analyze the log data.

For example, in the case of allow/block fields, ADMITTED or DENIED may be output as the field value depending on the log data. Additionally, as another example, in the case of the firewall policy ID field, 19 or 1 may be output as the field value depending on the log data.

Figure 79 is a diagram explaining an embodiment of the data management method of the present invention.

In step S13110, the data management method may acquire log data. Refer to the embodiments of FIGS. 2, 5, 68, and 69 for how the data management method of the present invention acquires multiple log data.

In step S13120, the data management method may generate a parser including a regular expression for extracting text from log data, based on a matching block representing text information about text included in the log data. Refer to the embodiments of FIGS. 2, 5, and 68 to 71 for how the data management method of the present invention acquires multiple log data.

In step S13130, the data management method may generate a transformation rule including a parser based on a regular expression and an event type corresponding to the parser. For details on how the data management method of the present invention acquires multiple log data, refer to the embodiments of FIGS. 2, 5, 68, and 72 to 74.

In step S13140, the data management method may output a search result extracted from at least one pre-stored log data based on a parser and transformation rule in response to receiving an event search request for an event type. Refer to the embodiments of FIGS. 2, 5, 16, 68, and 75 to 78 for how the data management method of the present invention acquires a large number of log data.

For large-capacity log searches, technology is needed to view sorted and filtered results in real time without loading the entire search results into memory. Additionally, you should be able to check some results in real time while searching.

The data management platform of the present invention efficiently processes large amounts of data and allows only necessary results to be viewed in real time.

Figure 80 is a diagram explaining an embodiment of searching a log in the data management platform of the present invention.

The monitoring module 20005 of the data management platform 10000 of the present invention may further include a coordinator control unit 2047 to support log search.

Here, the coordinator control unit 2047 can control the coordinator 2048 of the server 1002 based on the log search request of the user 1000.

Here, the coordinator 2048 (coordinator) can manage a list of available instances (2049a, 2049b, 2049c) among multiple instances (2049a, 2049b, 2049c) in the distributed system and distribute search requests.

Additionally, instances 2049a, 2049b, and 2049c are independent units running in a computing environment and can operate by being allocated resources such as processor, memory, and disk through hardware or virtualization technology. Instances 2049a, 2049b, and 2049c can run through specific operating systems and applications, and can generally be implemented in the form of servers, virtual machines, containers, etc.

The present invention will be described in detail below.

Figure 81 is a diagram explaining an embodiment of searching a log in the data management platform of the present invention.

The coordinator 2048 can manage the list of available instances and distribute users' search requests. A user can search log data for a specific period of time through the monitoring module of the data management platform of the present invention. Afterwards, the user can check the log data retrieved through instances 2049a, 2049b, and 2049c as needed.

At least one instance (2049a, 2049b, 2049c) may be divided into a search head and a search peer. In one embodiment, the instance that first receives the search request becomes the search head (e.g., 2049a) and can collect a list of available instances from the coordinator 2048.

The instance 2049a that becomes the search head may include a search request unit 2050, a search result file creation unit 2051, and a search result return unit 2052.

Here, the search request unit 2050 may issue a search ID based on the search request received from the user and request a search from each instance 2049b that has become a search peer, including the search ID and search query information.

The search result file generator 2051 may store the search results received from the search peer 2049b. More specifically, the search result file generator 2051 stores the log data received from the search peer 2049b in a search result data file, and stores the location information of the stored log data and the length information of the stored log data in the offset file. You can save it.

In one embodiment, the search result file generator 2051 may sort the search results by performing an external merge sort algorithm based on the value of the sort field. Here, the external merge sort algorithm will be described later.

The search result return unit 2052 can use the search ID, offset file, and limit information among the results received from the search peer 2049b to return the search results in real time to the requesting user. Here, limit information indicates the number of log data to be output per page. That is, the search result return unit 2052 can extract log data by referring to the location information of the log data and the length information of the log data in the offset file, and return the specified number to the monitoring module based on the limit information.

Additionally, the instance 2049b that becomes a search peer may include a search unit 2053.

Here, the search unit can classify the search target (Segment/Shard) based on the search query information received from the search head 2049a and search log data using the search target. At this time, Segment and Shard, which are search targets, are concepts used to organize the structure and storage method of data in a database system. Segment represents a logical data unit, and Shard represents physical data distribution. In other words, Segment divides the data into logical units, and Shard allows data to be distributed and stored.

This has the advantage of supporting efficient log search by processing large amounts of data and checking results in real time.

Figure 82 is a diagram illustrating an embodiment in which the data management method of the present invention searches logs.

In step S14110, the data management method of the present invention may receive a search request from the user.

Upon receiving a search request from the user, in step S14120, the data management method of the present invention may issue a search ID. In one embodiment, the search ID may correspond to a unique ID. This is because the user can repeatedly view results through one search ID.

In step S14130, the data management method of the present invention may receive a search result request from the user. More specifically, the data management method can request unique search results because it has a search ID. In particular, because search results may change in real time, the data management method may request search results corresponding to the first search request, second search request, through nth search request (where n is a natural number).

That is, when a search request is received from the user in step S14110, steps for performing a search, which will be described later, may be performed sequentially. In another embodiment, step S141440 may be performed according to step S14130 while the search is performed periodically before receiving a search request from the user.

In step S14140, the data management method of the present invention can provide search results to the user.

Figure 83 is a diagram explaining an embodiment of searching a log in the data management method of the present invention.

In step S15110, the data management method of the present invention can collect a list of available instances from the coordinator. In one embodiment, a search head among instances may receive a list of instances from a coordinator.

In step S15120, the search head may request a log search including a search ID and search query information from each instance.

In step S15130, the search head may receive search results from the search peer.

In step S15140, the search head stores the search results in a data file, and stores location information where the data is stored and length information of the data in an offset file. Since search results are continuously accumulated in the data file, search results can be distinguished by including data length information in the offset file.

In step S15150, the search head may perform an external merge sort algorithm. More details will be provided later.

In step S15160, the search head may return search results based on a search result request from a console (e.g., a monitoring module of the data management platform of the present invention).

More specifically, the search head refers to the position information of the first data in the data file corresponding to the offset item (e.g., the first data) in the offset file and the length information of the first data to retrieve the first data in the data file. You can extract data and return search results.

In one embodiment, when the search head returns search results, it may return a list containing a plurality of data. As described above, the user may request a log search multiple times based on time, such as a first search request, a second search request, or an nth search request. The search head returns the results for the first data to the a-th data according to the first search request and the results for the b-th data to the c-th data according to the second search request (where a to c are natural numbers) as a list. can do.

Figure 84 is a diagram explaining an embodiment of searching a log in the data management method of the present invention.

In step S15170, the search peer may receive a search request from the search head. Here, the search request may include a search ID and search query information.

In step S15180, the search peer may analyze the search query information based on the request, classify the search target, and perform the search using the index. Here, the search target can be divided into Segment or Shard.

In step S15190, the search peer may transmit the search results to the search head. At this time, the search peer can search log data using the search target (Segment/Shard) and transmit the search results to the search head. At this time, the search peer can search log data using the index included in the search target.

Figure 85 is a diagram explaining an embodiment of the external merge sort algorithm of the present invention.

The External Merge Sort algorithm is an algorithm used to sort large amounts of data, and operates particularly efficiently when sorting data that exceeds memory capacity. The external merge sort algorithm can sort data mainly by utilizing auxiliary memory such as disk or external storage device.

In step S16110, an index file that stores offset information of data can be created based on the value of the sort field. Here, the value of the sort field may indicate items included in the data. For example, items included within the data may include user name, email address, time, etc. Accordingly, the external merge sort algorithm can sort data based on the items included in the data. In addition, the offset information may include the reference value of the sort field, the position in the data file (e.g., the position of the first log in the data file), and the length information (e.g., the length information of the first log in the data file). You can. Additionally, the index file is characterized by having the data already sorted in an offset list in units of a specific number (for example, 1000).

In step S16120, if the number of data included in the sort result file for the merge sort is greater than or equal to the first number, the sort result file for the merge sort can be combined and generated.

More specifically, when creating an index file, if the number of files included in the index file is greater than or equal to the first number, a new index file can be created. For example, if the number of files included in the first sort result file is more than the nth number, a second sort result file can be generated.

In step S16130, when the search is terminated or the number of files included in the merge sort file is greater than or equal to the nth number, the newly created second sort result file can be merged to generate a new third sort result file. .

In other words, using the external merge sort algorithm has the advantage of optimizing overall performance because the sorting operation is performed while repeating the process of splitting and merging data.

Figure 86 is a diagram explaining the search result file of the present invention.

In one embodiment, the search result file may include a data file 3006 and an offset file 3007.

Here, the data file 3006 may include search results received from a search peer.

The offset file 3007 may include location information and data length information of data stored in the data file 3006. For example, the offset file 3007 may include location information of the first log data stored in the data file 3006 and length information of the first log data.

Through this, when there is a request from the user to return search results, the data management platform of the present invention based on the location information in the data file 3006 of the first log data within the offset file 3007 and the length information of the first log data. Thus, the first log data can be extracted from the data file 3006.

At this time, if the search result return request includes a request for return of the nth log data, the data management platform of the present invention provides location information within the data file of the nth log data in the offset file 3007 and the nth log data. Based on the length information of each log data, the nth log data can be extracted from the data file 3006 and a search result can be returned.

Figure 87 is a diagram illustrating an embodiment in which the data management method of the present invention searches logs.

In step S16140, the data management method of the present invention may receive a data search request. For how the data management method of the present invention receives a data search request from a user or client, refer to the embodiments of FIGS. 1 to 4, 16, and 17. That is, the data management method can receive a data search request from a user through a monitoring module and search distributed data through a coordinator installed on the host server and at least one instance.

In step S16150, the data management method of the present invention can search data based on a data search request. For information on how the data management method of the present invention searches data, refer to the embodiments of FIGS. 16, 17, and 80 to 84.

In step S16160, the data management method of the present invention can provide searched results. In one embodiment, the data management method may store search results including first data in a data file, and store location information where the first data is stored and length information of the first data in an offset file. For this, please refer to the embodiment of Figure 86.

Additionally, in one embodiment, the data management method may sort search results using an External Merge Sort Algorithm. For information on how the data management method of the present invention searches data, refer to the embodiments of FIGS. 16, 17, and 85.

A system that analyzes log data requires a user interface (UI) for users to process the stored data. At this time, from the perspective of users who want various analyses, the UI provided by the developer has limitations. In other words, a user interface is needed to perform more complex data analysis or searches, or to manipulate data and derive meaningful results by entering query commands in script form. To this end, the present invention seeks to provide a function to manipulate data without a program for UI development by using a script within the UI.

Figure 88 is a diagram explaining an embodiment of analyzing data in the data management platform of the present invention.

The present invention allows users to perform various data analysis and data manipulation using scripts through the analysis task editor 2056.

To this end, the analysis module 20002 of the data management platform 10000 of the present invention may include an analysis task execution unit 2054 and an analysis task management unit 2055.

Here, the analysis task execution unit 2054 may include an analysis engine that executes information input to the analysis task editor 2056. In one embodiment, the analysis task executing unit 2054 may execute an analysis task based on a command for executing the first analysis task input by the user through the analysis task editor 2056. Specifically, when a user executes a code cell within the analysis task editor 2056, the Lua script is transmitted to the analysis engine within the analysis task execution unit 2054, and the analysis engine interprets and executes the Lua script and returns the results. can do. To this end, the analysis task execution unit 2054 may utilize log data and statistical data of the database 20007.

The analysis task editor 2056 is an editor executable through an application, software, or web browser and may include at least one cell. Here, the cells include a Markdown cell for adding descriptive data about the execution script and a code cell for adding Lua script information for analysis.

The analysis task management unit 2055 can register the written Lua script. More specifically, the user can add a Lua script through the analysis task editor 2056 and register the added Lua script in the analysis task management unit 2055. The registered Lua script may be periodically executed by the analysis task scheduler included in the analysis task management unit 2055.

Thereafter, the monitoring module 20005 may output the results of periodically executing the analysis task managed through the analysis task management unit 2055.

Through this, users can analyze desired data without using the user interface provided by the developer.

Figure 89 is a diagram explaining an embodiment in which the data management method of the present invention analyzes data.

In step S17110, the data management method of the present invention may execute an analysis task editor. More specifically, the user can run the analysis task editor provided through the data management platform. Here, the analysis task editor can be executed through an application, software, or web browser.

In step S17120, the data management method of the present invention may receive cells input from the analysis task editor. More specifically, the user can input text into a Markdown cell included in the executed analysis task editor, and the data management method can receive the text included in the Markdown cell.

In step S17130, the data management method of the present invention can execute an analysis task through an analysis engine. More specifically, the user can enter text into the markdown cell of the analysis task editor, check the code output in the code cell included in the analysis task editor, and then execute the analysis task. Here, the code cell can provide functions to support various data within the Lua script and functions to create charts or data models using data as functions. Accordingly, the data management method of the present invention can execute an analysis task on cells input by the user by executing an analysis engine.

In one embodiment, the data management method may execute an analysis engine based on a command to execute a pre-registered first analysis task. At this time, the first user who registered the first analysis task and the second user who executes the first analysis task may be the same or different.

Figure 90 is a diagram illustrating an embodiment of the data management method of the present invention setting a schedule for analysis work.

In step S17140, the data management method of the present invention can register the Lua script written through the analysis task management unit. More specifically, the user can register a Lua script corresponding to the first analysis task through the markdown cell and code cell included in the analysis task editor.

In step S17150, the data management method of the present invention can set a schedule for the registered analysis task. If explained with reference to the above-described embodiment, the user may also input information for periodically executing the first analysis task. For example, the user may specify an execution cycle (e.g., 1 minute), an initial time (e.g., 5 minutes), and a delayed processing time (e.g., 1 minute) to periodically run the first analysis task. You can set it.

In step S17160, the data management method of the present invention can execute an analysis task through an analysis engine. More specifically, when the user sets the execution cycle, initial time, and delayed processing time for the first analysis task, the data management method may execute the analysis task based on the schedule for the first analysis task.

Thereafter, the data management method may provide the results of the first analysis task so that the user can periodically monitor them. For example, the data management method may provide the results of the first analysis task through a dashboard of a web browser or an email entered in advance by the user.

Figure 91 is a diagram illustrating an example in which the data management method of the present invention performs an analysis task.

At step S17170, the user can execute the code cell within the analysis task editor.

Accordingly, in step S17180, the data management method of the present invention can transmit the Lua script included in the code cell to the analysis engine.

In step S17190, the data management method of the present invention can interpret and execute the Lua script within the analysis engine and return the result.

Figure 92 is a diagram explaining an embodiment of modulating data in the data management platform of the present invention.

This diagram is a diagram explaining the functions available within the analysis task editor.

As described above, the analysis task editor includes a markdown cell and a code cell, and the code cell may include a Lua script for analysis. At this time, the code cell can provide functions to support various data within the Lua script and functions to create charts or data models using the data as functions.

At this time, the available functions are as follows.

- search: Function to search or input log data

- analytic: Function for viewing or entering statistical data

- jdbc: Function to access the database and perform queries

- weka: Function for saving or loading machine learning data models

- visualize: Function that creates a chart

Through this, when executing a code cell within the analysis task editor, the Lua script is transmitted to the analysis module, the Lua script can be interpreted and executed within the analysis module, and the execution result can be returned to the analysis task editor. In other words, you can print and check the execution results directly within the analysis task editor.

Figure 93 is a diagram illustrating the user interface of the analysis task editor provided by the data management platform of the present invention.

The analysis task editor 2056 of the present invention may include a Markdown cell (2057) and a code cell (Code cell, 2058). The analysis task editor 2056 may correspond to a unit storing multiple scripts and text blocks.

Here, the markdown cell 2057 corresponds to a description block, and the code cell 2058 corresponds to a script block.

In one embodiment, the user may input text into at least one of the markdown cell 2057 and the code cell 2058. For example, the user can write a description of the code cell 2058 in the markdown cell 2057. Additionally, the user can input the code he or she wants to actually execute into the code cell 2058. Accordingly, the analysis task editor 2056 can execute the code included in the code cell 2058.

In one embodiment, when the user presses the “+ button 2059” provided by the analysis task editor 2056, the analysis task editor 2056 adds a markdown cell add button and a code cell add button 2060a, 2060b. It can be output as . In one embodiment, the analysis task editor 2056 can output the + button 2059 both above and below the markdown cell 2057, so that the user can select the markdown cell 2057 or code cell to add. (2058) can be determined.

Accordingly, the user can add a plurality of markdown cells 2057 and similarly request a plurality of code cells 2058 from the analysis task editor 2056.

Figure 94 is a diagram illustrating the user interface of the analysis task editor provided by the data management platform of the present invention.

In one embodiment, as the user requests execution of the output code cell 2058, the analysis task editor may execute the analysis task included in the code cell 2058 through an analysis task execution unit.

For example, the user enters “Search session statistics data and visualize it as a line chart” in the first markdown cell (2057), and enters the Lua script corresponding to this description block in the first code cell (2058). You can enter it.

Thereafter, as the user requests execution of the output first code cell 2058, the analysis task editor may visualize the first line chart 2061 as shown in the drawing.

For another example, the user can enter “Query the resource utilization table in an external database and visualize it as a line chart” in the second Markdown cell and enter the Lua script corresponding to this description block in the second code cell. there is.

Thereafter, as the user requests execution of the output second code cell, the analysis task editor may visualize the second line chart as shown in the drawing.

Figure 95 is a diagram illustrating the user interface of the analysis task editor provided by the data management platform of the present invention.

Thereafter, referring to (a) of FIG. 95, the user can save the first analysis task including the first markdown cell, the first code cell, the second markdown cell, and the second code cell. At this time, the user can set the name of the first analysis task for differentiation.

Additionally, referring to (b) of FIG. 95, the stored first analysis task may be loaded by the same user or a different user. As the user executes the analysis task editor for the loaded first analysis task, the first analysis task may be executed. To this end, the data management platform of the present invention may provide at least one pre-stored analysis task list 2062.

Figure 96 is a diagram explaining the user interface provided by the monitoring module of the data management platform of the present invention.

In one embodiment, the data management platform of the present invention may provide monitoring of analysis tasks to users through a monitoring module. To this end, the data management platform may provide an analysis task scheduler 2063. For example, in order to use the analysis task scheduler 2063, the user can select the task creation button to display a pop-up window for registering an analysis task. Through this, users can manage the schedule of already registered analysis tasks. For example, the user may set the execution cycle (e.g., 1 minute), initial time (e.g., 5 minutes), and delay processing time (e.g., 1 minute) of the first analysis task through the analysis task scheduler 2063. minutes) can be set. Afterwards, when the user executes the analysis task, the first analysis task may be executed according to the set cycle.

Figure 97 is a diagram illustrating the user interface of the analysis task editor provided by the data management platform of the present invention.

In one embodiment, the monitoring module of the data management platform may output monitoring results of the analysis task according to the schedule of the analysis task.

For example, the first analysis task 2064 may be executed according to the task cycle, execution cycle, initial period, and delay processing period set based on the above-described embodiment, and the monitoring module may monitor the first analysis task 2064. The execution results can be printed.

Through this, users can perform analysis and manipulation of various data using scripts for data that is not provided through the basic UI. In other words, the present invention integrates the monitoring and analysis processes of data sources to enable more complex analysis tasks to be performed.

Figure 98 is a diagram explaining an embodiment of the data management method of the present invention analyzing data.

In step S18110, the data management method of the present invention can receive the input of the first markdown cell. Here, a markdown cell is a cell for adding descriptive data for an execution script, and can be provided to the user through the analysis task editor of the data management platform. For a description of this, please refer to the embodiments described above in FIGS. 88, 89, 93, and 94.

In step S18120, the data management method of the present invention can receive an input of the first code cell corresponding to the first markdown cell. Here, the first code cell is a cell for adding Lua script information for analysis, and can be provided to the user through the analysis task editor of the data management platform. For a description of this, refer to the embodiments described above in FIGS. 88, 92, 93, and 94.

In step S18130, the data management method of the present invention may execute a first analysis task based on the first code cell. For a description of this, refer to the embodiments described above in FIGS. 88, 89, 91, and 94.

In one embodiment, the data management method of the present invention utilizes the log data and statistical data of the database included in the function included in the first code cell and the data management platform to generate charts and models corresponding to the first code cell. You can. At this time, log data or statistical data included in the database may correspond to data collected and analyzed through the embodiments of FIGS. 1 to 25.

10000: Data Management Platform

Claims (9)

Receiving a first markdown cell as input;
Receiving a first code cell for the first markdown cell; and
executing a first analysis operation based on the first code cell,
The data used in the first analysis task corresponds to one matching block representing text information about the text selected by user input among a plurality of matching blocks representing different text information about the text included in the data. Extracted based on a parser containing generated regular expressions,
The one matching block represents text information matching the regular expression pattern of the regular expression,
The first markdown cell contains description data for the executable script,
A data management method, characterized in that the first code cell includes first Lua script information for analysis.
delete According to claim 1,
interpreting the first Lua script information within an analysis engine; and
Data management method further comprising returning a result for the first code cell.
According to claim 1,
registering a second analysis task in the analysis task scheduler; and
The data management method further includes performing the second analysis task periodically based on preset conditions. a database that stores data; and
Including a processor that processes the data,
The processor,
Receive the first Markdown cell as input,
Receive the first code cell for the first markdown cell,
Execute a first analysis operation based on the first code cell,
The data used in the first analysis task corresponds to one matching block representing text information about the text selected by user input among a plurality of matching blocks representing different text information about the text included in the data. Extracted based on a parser containing regular expressions,
The one matching block represents text information matching the regular expression pattern of the regular expression,
The first markdown cell contains description data for the executable script,
A data management device, characterized in that the first code cell includes first Lua script information for analysis.
delete According to claim 5,
The processor,
Interpret the first Lua script information within the analysis engine,
A data management device, characterized in that it returns a result for the first code cell.
According to claim 5,
The processor,
Register the second analysis task in the analysis task scheduler,
A data management device, characterized in that the second analysis task is periodically executed based on preset conditions. Receive the first Markdown cell as input,
Receive the first code cell for the first markdown cell,
executing a first analysis operation based on the first code cell,
The data used in the first analysis task corresponds to one matching block representing text information about the text selected by user input among a plurality of matching blocks representing different text information about the text included in the data. Extracted based on a parser containing regular expressions,
The one matching block represents text information matching the regular expression pattern of the regular expression,
The first markdown cell includes description data for the executable script,
A computer-readable storage medium storing a data management program, wherein the first code cell includes first Lua script information for analysis.

Images