KR20120056719A - Apparatus and method for total management of computating risk monitoring personal information - Google Patents


Publication number
KR20120056719A
Authority
KR
South Korea
Prior art keywords
access
personal information
time
pattern
attempts
Prior art date
Application number
KR1020100118390A
Other languages
Korean (ko)
Inventor
이재구
Original Assignee
(주) 키스피
Application filed by (주) 키스피 filed Critical (주) 키스피
Priority to KR1020100118390A priority Critical patent/KR20120056719A/en
Publication of KR20120056719A publication Critical patent/KR20120056719A/en

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/30 Monitoring
    • G06F11/34 Recording or statistical evaluation of computer activity, e.g. of down time, of input/output operation; Recording or statistical evaluation of user activity, e.g. usability assessment
    • G06F11/3438 Recording or statistical evaluation of computer activity, e.g. of down time, of input/output operation; Recording or statistical evaluation of user activity, e.g. usability assessment; monitoring of user actions
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/552 Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6245 Protecting personal data, e.g. for financial or medical purposes

Abstract

The present invention relates to an apparatus and method that analyze the patterns of access to a system holding personal information, including queries and downloads of that information, detect abnormal signs when a predetermined limit is exceeded, prevent leakage of personal information, and manage it comprehensively.
In enterprises, authorized or unauthorized attackers are increasingly accessing systems that hold personal information, querying or downloading that information in bulk with malicious intent, and using the collected information for criminal activities such as fraud. In particular, social and legal sanctions for personal information leaks are increasing, which holds back companies' informatization business.
The present invention aims to revitalize companies' informatization business by monitoring such abnormal bulk searches and downloads of personal information in real time and notifying the administrator, so that mass leakage incidents are detected and handled early and the damage is minimized.

Description

Apparatus and method for comprehensive management of personal information through risk assessment of personal information {APPARATUS AND METHOD FOR TOTAL MANAGEMENT OF COMPUTATING RISK MONITORING PERSONAL INFORMATION}

Personal information, comprehensive management, information leakage, real time detection, personal information life cycle

Risk calculation

The present invention relates to protecting personal information by analyzing the patterns with which a system holding personal information is accessed and queried, detecting abnormal signs when a predetermined limit is exceeded, and preventing leakage of the personal information. With the development of IT, the corporate work environment has shifted to e-business, and companies that provide products and services to customers collect, accumulate and use their customers' personal information in the form of applications and databases.

However, as hacking techniques such as phishing and malware have developed as an adverse effect of informatization, companies face the threat of large-scale personal information leakage if their internal controls are inadequate or they are vulnerable to hacking.

Leaked personal information can be misused for privacy infringement or crime, which can damage the company's value through legal disputes and financial loss. This can hinder the company's informatization business. It is therefore necessary to monitor the risk of personal information leakage and minimize the damage in advance.

Typical information security systems include firewalls, intrusion detection systems, IPS, and document security systems. However, such products are limited in detecting and responding to personal information leakage by authorized insiders. In addition, recently introduced network traffic monitoring systems analyze the general content types transmitted from the company's internal network to the external Internet and block them when they match a pattern, but they too are limited in intensively monitoring signs of personal information leakage at the DBMS and application level regardless of network location.

The present invention detects and blocks abnormal access based on user patterns, in order to prevent the personal information leakage that the above means address only to a limited extent.

To solve the problems described above, the invention relies on the fact that access to personal information held by an enterprise has a unique pattern for each access subject in terms of access location, type of information accessed, access frequency, access method and so on. That is, a specific access subject uses a specific access method at a specific time, such as a direct query to the database storing personal information or a query through an application program. The type of personal information accessed, such as social security number, mobile phone number, address, authentication information, personal history, financial information or physical information, is also determined by the nature of the work the user performs. If the normal access history including these attributes is stored in a database for a certain period of time, a normal pattern can be derived from it.

Once such normal access patterns have been created and stored in a database, each access to personal information can be compared with the stored pattern to determine whether it is a normal access attempt.

An access that falls outside the normal access pattern can be recognized as a sign of personal information leakage, and a real-time warning to the personal information manager can prevent the leakage.

As described above, the present invention is characterized by systematizing a method that captures normal personal information access patterns, detects access behavior that violates them, and warns in real time, so that personal information leakage attempts are detected and acted on early and leakage is prevented and managed.

As described above, the present invention makes it easy to check visually whether the personal information an enterprise must protect is being accessed abnormally, and contributes to minimizing damage by detecting signs of leakage early and responding to them promptly in real time.

FIG. 1 is a view showing the basic configuration of a real-time automatic monitoring device for the risk of personal information leakage according to an embodiment of the present invention.
FIG. 2 is a flowchart of a program according to an embodiment of the present invention that analyzes personal information access patterns and compares them with the normal access pattern to determine and warn of signs of a personal information leakage crisis.

1) Collection of access attributes in attempting access to legitimate personal information

Attempts to access personal information held by a company have a unique pattern of access attributes, including access location, type of access information, access frequency, and access method, for each access subject.

A specific access subject uses a specific access method at a specific time, such as a direct query to the database where personal information is stored or a query through an application program. The type of personal information accessed, such as social security number, mobile phone number, address, authentication information, personal history, financial information or physical information, is also determined by the nature of the work the user performs.

To build a database of these access attributes, access attempts over a certain period of time are collected and classified by access attribute.

For example, access locations can be specified as the Internet, internal networks, specific network addresses, and so on. The access frequency can be specified by the number of accesses per day or the number of records searched per access. The access method can be specified by the tool used for the access. The information accessed may be specified as authentication information, personal information, personal history information, medical information, physical information, and the like. The access time band may be specified in consideration of service characteristics such as business days, holidays, and business hours.

Specific techniques for collecting the access attributes of accesses to personal information include developing a function that analyzes memory dumps (e.g. Oracle's SGA) directly from the DBMS, and developing a program that records the attributes when queries are made from applications.

2) Derivation of Normal Patterns by Access Attributes

Normal access attempts with these attributes are collected and stored in a database for a certain period of time, and a probabilistic analysis can be derived from them.

Based on the collected access attempts, such as access location, access time band, access frequency, and access method for each subject, a pattern for judging normal access is determined by a method appropriate to each access attribute.

For the access location, if analysis of the collected access attempts shows that a specific user always accesses from the internal network and only for work, the internal network is set to True (1) and all other locations to False (0).

For the access time band, a pattern can be generated by setting the times of business access, by day of the week and business hours, to True (1) and all other times to False (0).

For the access frequency, the number of accesses (per hour) is counted and the mean (m) and standard deviation (α) of the collected values are calculated. The range of the normal pattern can then be set to m + α, m + 2α or m + 3α according to the desired confidence level, following probability theory.

Such patterns can be analyzed for each access subject (user) and stored in a database to detect abnormal access attempts in the future.

3) Capture leakage signs through pattern matching when accessing real personal information

When personal information is accessed, the number of personal information queries, the access location, the access time, and the access method are captured for each access subject and checked for consistency with the relevant pattern. The degree of pattern match can be obtained by the following equation.

Pattern match (0 to 1) = access location (0 to 1) x access time band (0 to 1) x access method (0 to 1) x access frequency (0 to 1)

In addition to the above, further individual access attributes can be included in the pattern match to increase its accuracy.

4) Set thresholds and warnings for signs of personal information leakage

The threshold for pattern matching is calculated according to the sensitivity of the personal information. For example, when medical or financial information, which has a great influence on an individual's privacy, is accessed, a higher degree of pattern match is required. To this end, a sensitivity from 0 to 1 may be assigned to each type of personal information, and an alarm threshold may be derived by multiplying it by (1 - pattern match).

Alarm threshold = sensitivity of accessed information (0 to 1) x (1 - pattern match)

If the result of the above analysis and comparison exceeds the personal information leakage alarm threshold, it is judged to be a sign of crisis, and the personal information manager can be alerted by e-mail or SMS so that the leakage can be monitored and prevented.
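The scoring described in sections 2) to 4), as an added example that is not code from the patent: it derives one user's normal pattern from history, multiplies the per-attribute factors into a pattern match, and weights the mismatch by sensitivity. The log layout, the sensitivity weights, the 0.5 alert cutoff and the graded frequency factor are assumptions; the page only states that each factor lies between 0 and 1.

```python
from datetime import datetime
from statistics import mean, pstdev

# Constructed hourly summaries: (user, hour, location, method, accesses in that hour)
HISTORY = [
    ("kim", "2010-11-22 09:00", "internal", "app", 40),
    ("kim", "2010-11-23 14:00", "internal", "app", 50),
    ("kim", "2010-11-24 10:00", "internal", "app", 60),
    ("kim", "2010-11-25 11:00", "internal", "app", 50),
    ("kim", "2010-11-26 16:00", "internal", "app", 50),
]
# Assumed sensitivity weights (0 to 1) per type of personal information
SENSITIVITY = {"medical": 1.0, "financial": 0.9, "address": 0.3}
ALERT_CUTOFF = 0.5  # assumed; the page gives no numeric cutoff


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")


def build_profile(history, user, k=2):
    """Normal pattern for one access subject (section 2); k selects m + k*alpha."""
    rows = [r for r in history if r[0] == user]
    if not rows:
        raise ValueError(f"no baseline history for {user!r}")
    times = [_parse(r[1]) for r in rows]
    counts = [r[4] for r in rows]
    return {
        "locations": {r[2] for r in rows},
        "methods": {r[3] for r in rows},
        "days": {t.weekday() for t in times},
        "hours": (min(t.hour for t in times), max(t.hour for t in times)),
        "freq_limit": mean(counts) + k * pstdev(counts),
    }


def pattern_match(profile, event):
    """Product of the four per-attribute factors, each in 0..1 (section 3)."""
    _, ts, location, method, count = event
    t = _parse(ts)
    lo, hi = profile["hours"]
    loc = 1.0 if location in profile["locations"] else 0.0
    band = 1.0 if t.weekday() in profile["days"] and lo <= t.hour <= hi else 0.0
    meth = 1.0 if method in profile["methods"] else 0.0
    # Assumption: inside the normal range scores 1, beyond it decays with volume
    limit = profile["freq_limit"]
    freq = 1.0 if count <= limit else limit / count
    return loc * band * meth * freq


def alarm_value(profile, event, info_type):
    """sensitivity x (1 - pattern match), the page's alarm formula (section 4)."""
    return SENSITIVITY[info_type] * (1.0 - pattern_match(profile, event))


def is_leak_sign(profile, event, info_type, cutoff=ALERT_CUTOFF):
    """True when the alarm value exceeds the assumed cutoff."""
    return alarm_value(profile, event, info_type) > cutoff
```

Because the alarm value is capped by the sensitivity weight, an information type weighted at or below the cutoff can never raise an alert under this formula, however far the access deviates from the pattern.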

Meanwhile, in the detailed description of the present invention, specific embodiments have been described, but various modifications are possible without departing from the scope of the present invention. Therefore, the scope of the present invention should not be limited to the described embodiments, but should be determined not only by the scope of the following claims, but also by the equivalents of the claims.


Claims (2)

1. A method for comprehensive management of personal information through personal information risk calculation, wherein:
information on access attempts over a certain period of time is collected, classified and stored in a database by access attribute, such as access location, access frequency, access method, and access target information;
a pattern for the access location is created, including whether the specific user in the collected access attempts accesses only internally or both internally and externally;
a pattern for the access time band is created by setting the times of business access, by day of the week and business hours, to True (1) and the access times in other time bands to False (0);
a range of normal patterns for the access frequency is generated by calculating the mean and standard deviation of the number of accesses per hour and setting the range of the normal pattern to m + α, m + 2α or m + 3α, etc. according to the desired confidence level; and
the method is characterized by determining whether an access is normal, by a method appropriate to each access attribute, using the collected access attempts such as access location, access time band, access frequency, and access method by population.

2. A device for comprehensive management of personal information through personal information risk calculation, wherein:
information on access attempts over a certain period of time is collected, classified and stored in a database by access attribute, such as access location, access frequency, access method, and access target information;
a pattern for the access location is created, including whether the specific user in the collected access attempts accesses only internally or both internally and externally;
a pattern for the access time band is created by setting the times of business access, by day of the week and business hours, to True (1) and the access times in other time bands to False (0);
a range of normal patterns for the access frequency is generated by calculating the mean and standard deviation of the number of accesses per hour and setting the range of the normal pattern to m + α, m + 2α or m + 3α, etc. according to the desired confidence level; and
the device is characterized by determining whether an access is normal, by a method appropriate to each access attribute, using the collected access attempts such as access location, access time band, access frequency, and access method by population.

KR1020100118390A 2010-11-25 2010-11-25 Apparatus and method for total management of computating risk monitoring personal information KR20120056719A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
KR1020100118390A KR20120056719A (en) 2010-11-25 2010-11-25 Apparatus and method for total management of computating risk monitoring personal information

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
KR1020100118390A KR20120056719A (en) 2010-11-25 2010-11-25 Apparatus and method for total management of computating risk monitoring personal information

Publications (1)

Publication Number Publication Date
KR20120056719A (en) 2012-06-04

Family

ID=46608794

Family Applications (1)

Application Number Title Priority Date Filing Date
KR1020100118390A KR20120056719A (en) 2010-11-25 2010-11-25 Apparatus and method for total management of computating risk monitoring personal information

Country Status (1)

Country Link
KR (1) KR20120056719A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2015119341A1 (en) * 2014-02-07 2015-08-13 Eglobal Systems Co., Ltd. System and method for monitoring encrypted data and preventing massive decryption thereof
KR101663288B1 (en) * 2015-09-04 2016-10-07 (주)이지서티 System and Method for Monitoring Personal Information

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2015119341A1 (en) * 2014-02-07 2015-08-13 Eglobal Systems Co., Ltd. System and method for monitoring encrypted data and preventing massive decryption thereof
US10181044B2 (en) 2014-02-07 2019-01-15 Eglobal Systems Co., Ltd. System and method for monitoring encrypted data and preventing massive decryption thereof
KR101663288B1 (en) * 2015-09-04 2016-10-07 (주)이지서티 System and Method for Monitoring Personal Information

Legal Events

Date Code Title Description
A201 Request for examination
E902 Notification of reason for refusal
E601 Decision to refuse application
E601 Decision to refuse application