TWI444920B - System and method for information risk management - Google Patents

System and method for information risk management

Info

Publication number: TWI444920B
Authority: TW (Taiwan)
Prior art keywords: risk, information, access, information access, managing
Application number: TW98140757A
Other languages: Chinese (zh)
Other versions: TW201102958A (en)
Inventor: Yeejang Lin
Priority claimed from US 12/497,981 (US8631081B2)
Publication of TW201102958A
Application granted
Publication of TWI444920B

Landscapes

  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
  • Storage Device Security (AREA)

Description

System and Method for Information Risk Management

The present invention relates to information security, and more particularly to a system and method for managing the risks associated with information access.

In today's knowledge economy, information is power: holding the right information is a competitive advantage. Every enterprise therefore takes great care to protect the information related to its own operations. Traditionally, confidential information has been restricted so that only a small number of authorized personnel can access it. This way of controlling access is simple and easy to implement, but it is not flexible enough when requirements change.

If a user is considered high-risk, his access to the system should be restricted; conversely, if a user is considered safe, his access to the system can be less restricted. In practice, however, the permissions granted to a user generally do not change. Once they are granted, the risk of the accesses he performs is never evaluated again, and systems usually have no mechanism for such real-time auditing. A highly privileged but malicious user can therefore abuse his privileges, and this is noticed only after harm or a major loss has occurred.

There is therefore a need for a system that assesses and monitors the risks associated with the various accesses, and the present invention was created to meet that need.

In one embodiment, the invention provides a method for computing the total risk of an information access in a computing system. The method comprises the following steps. First, a multi-dimensional risk model is established, in which each dimension represents one type of risk. Next, an information access is received from an information access monitoring unit. Then, for each dimension, the risk of that access in the dimension is computed according to a policy defined in advance for the dimension (the per-dimension risks play the role of coordinates). Finally, a total risk is computed from the per-dimension risks (the risks define a point in the multi-dimensional space, and the total risk is like the "distance" between that point and the origin).

In another embodiment, the invention provides a method for managing the risk of an information access in a system. The method comprises the following steps. First, a plurality of risks relating to the information access are computed according to policies obtained from a policy storage unit. The information access is then stored in a storage unit. Next, a controller computes a total risk from those risks, and an event is created that associates the total risk with the information access. A plurality of events are then selected by a plurality of filtering criteria and presented in a report or on a display device, and the filtering criteria are saved as a template.

In still another embodiment, the invention provides an apparatus for managing the risk of an information access in a system. The apparatus comprises an information access monitoring unit that receives information accesses, a policy storage unit that stores policies, and a controller that applies the policies to the information accesses to compute their risk and generates reports from templates. The controller can also create templates from filtering criteria.

In yet another embodiment, the invention provides a method of presenting predefined reports related to information access risk. The method comprises the following steps. First, a plurality of information accesses are received from an information access monitoring unit. Each information access is then associated with a risk, which is computed according to a plurality of policies obtained from a policy storage unit. Next, a report selection is received from a user interface unit, and the filtering criteria associated with the selected report are adjusted. The information accesses are then retrieved according to the selected report, and finally those information accesses are presented together with the selected report.

An advantage of the system and method provided by the invention is the ability to identify abnormal information access behavior. The above and other objects and advantages of the invention are described in detail below with reference to the accompanying drawings, the detailed description of the embodiments and the claims. It should be understood, however, that the drawings are intended purely to illustrate the spirit of the invention and should not be taken as defining its scope. For the definition of the scope of the invention, refer to the appended claims.

In this specification, the term "application" covers executable and non-executable software files, raw data, aggregated data, patches and other code segments. The term "exemplary" indicates that the embodiment or element described is merely one example and does not indicate a preference. The terms "baseline", "baseline information", "baseline database" and "historical behavior information" are used synonymously.

In essence, the invention provides a system and method for managing the risks associated with information access. The proposed system embodies a risk management model. According to this model, the system collects intelligence about information accesses and analyzes it against a set of risk policies and various risk levels. The results of the analysis are then presented to the system administrator, and can be presented differently depending on the selection criteria.

Figure 1 is a schematic diagram of the model 100 of the information risk management mechanism 102 implemented by the invention. The information risk management mechanism 102 comprises the following functional blocks: risk analysis 104, customized reports 106 and a plurality of risk policies 108. Risk analysis 104 refers to the analysis of information accesses within the system. Intelligence about information accesses can be collected according to different risk policies 108, different risk aspects 110, and different times and conditions 112. The application of the risk policies 108 is triggered by events and alerts 118 that occur within the system. After the risk has been analyzed, the results are presented to the system administrator, who can choose how they are presented from templates 114, 116 established in advance. A system implementing the information risk management mechanism 102 can record a risk analysis performed by the system administrator as a new template that can be reused in the future.

Figure 2 is a schematic diagram of the risk policy model 200 implemented by the invention. Risk policies 220 are usually defined by the system administrator and are applied to each information access 201. Based on the risk policies 220, the system then triggers events and alerts carrying different risk levels. Risks are classified as access risk 202, behavior risk 204, content risk 206 and performance risk 208. Each risk is defined by a user-defined risk policy. For example, some content is confidential, such as a credit card database, and the content risk 206 associated with that content should carry a higher risk level. A risk policy may also include searches for keywords expressed as regular expressions, in order to find certain confidential data in files or file transfers.

Access risk 202 concerns risks governed by user-defined policies. For example, the system administrator can set a risk level for certain files, or for certain user behaviors, related to information access. An information access can be defined by five elements: who requests the access (the subject of the access), how it is accessed (the method), what information is accessed (the object), where the access is issued from (its origin) and when it takes place (its time). The details are described in the inventor's ROC invention patent application "System and method for detecting abnormal information access behavior" (filed 10 June 2009, ROC year 98; application no. 098119308). When an information access matches a risk policy it is assigned a risk level together with an action: recording the audited event, or triggering an alert.

Behavior risk 204 concerns risks governed by profiles of the elements above: the user profile, object profile, method profile, location profile and time profile. When a user's behavior deviates from his user profile, the level of his behavior risk should be raised. Likewise, when a data object is accessed at the usual time by a user who has not regularly accessed that object, or is accessed by a method that is not the usual one, its risk level should also be raised. Behavior risk 204 uses the concepts of elements, members and groups disclosed in the patent application cited above. Behavior risk 204 is associated with a behavior profile, and the behavior profile is in turn associated with each member of each member group. The behavior profile itself is defined by the associations between elements. These associations are implemented with bitmaps and counters; each counter further has at least one threshold, and a risk level that applies when the threshold is exceeded. When a counter reaches its threshold, an alert is issued and the system administrator can then take action.

Performance risk 208 concerns response time and is likewise governed by profiles. The response time of each information access comprises the server's processing time and the network transmission time, and each response time is given a limit. Each transaction may also be given a transaction time and a limit, and each connection a connection time and a limit. Under the performance risk policy, a given information access may be expected to take X microseconds; when the access time exceeds X microseconds, or exceeds some limit set in the profile associated with that information, the risk level should be raised.

As set out above, the invention provides four kinds of risk (access, behavior, content and performance risk), each with its own risk level. Because of these different risk types, the invention further provides a way of presenting the total risk of an information access. Figure 3 is a schematic diagram of the spatial model in which the invention presents the overall risk. In this model 300, each kind of risk is represented by a coordinate axis: access risk by the coordinate x on the X axis (relative to the origin O), behavior risk by the coordinate y on the Y axis, performance risk by the coordinate w on the W axis, and content risk by the coordinate z on the Z axis. The overall risk R_T can then be expressed as a "distance" D obtained by a calculation that combines the individual risks, for example

R_T = sqrt(x^2 + y^2 + z^2 + w^2),

where sqrt is the square-root function, or the weighted form

R_T = sqrt((a^2 x^2 + b^2 y^2 + c^2 z^2 + d^2 w^2) / (a^2 + b^2 + c^2 + d^2)),

where a, b, c and d are the weights given to access, behavior, content and performance risk respectively.
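The following Python is an added illustration of the four-dimensional model described above (the per-dimension policies of Figure 2, the counter-with-threshold behavior risk, the response-time limit, and both distance formulas); it is not code from the patent. The field names, the policy layout, the numeric risk levels, the card-number-like regular expression and the two sample accesses are all assumptions constructed for the example.

```python
import math
import re
from dataclasses import dataclass, field

# Added illustration; not code from the patent.  Field names, policy layout,
# risk levels, the card-number pattern and the sample accesses are assumptions.

@dataclass(frozen=True)
class Access:
    """One information access described by who / what / how / where / when."""
    who: str                # subject issuing the access
    what: str               # object accessed (database, file, ...)
    how: str                # method, e.g. the SQL verb
    where: str              # origin of the request
    when: int               # hour of day, 0-23
    payload: str = ""       # content observed in the access
    response_ms: float = 0  # server processing time + network time

@dataclass
class Policy:
    """User-defined policies for the four risk dimensions (assumed layout)."""
    access_rules: dict = field(default_factory=dict)      # (element, value) -> level
    content_patterns: dict = field(default_factory=dict)  # regex -> level
    baseline: dict = field(default_factory=dict)          # who -> historical profile
    behaviour_threshold: int = 1     # deviation counter limit
    behaviour_level: int = 6         # level assigned once the limit is reached
    response_limit_ms: float = 500.0
    performance_level: int = 5

def access_risk(a, p):
    """Highest level of any access rule the five elements match (0 if none)."""
    return max((lvl for (elem, val), lvl in p.access_rules.items()
                if getattr(a, elem) == val), default=0)

def content_risk(a, p):
    """Regular-expression search for confidential content in the payload."""
    return max((lvl for pat, lvl in p.content_patterns.items()
                if re.search(pat, a.payload)), default=0)

def behaviour_risk(a, p, counters):
    """Count elements deviating from the subject's baseline profile and keep a
    per-subject counter; the level applies once the counter reaches its threshold."""
    prof = p.baseline.get(a.who)
    if prof is None:                      # no history at all: fully deviant
        return p.behaviour_level
    deviations = sum(1 for elem in ("what", "how", "where")
                     if getattr(a, elem) not in prof[elem])
    lo, hi = prof["when"]
    if not lo <= a.when <= hi:
        deviations += 1
    counters[a.who] = counters.get(a.who, 0) + deviations
    return p.behaviour_level if counters[a.who] >= p.behaviour_threshold else 0

def performance_risk(a, p):
    """Response time above the configured limit raises the performance risk."""
    return p.performance_level if a.response_ms > p.response_limit_ms else 0

def dimension_risks(a, p, counters):
    """Coordinates (x, y, z, w) = (access, behaviour, content, performance)."""
    return (access_risk(a, p), behaviour_risk(a, p, counters),
            content_risk(a, p), performance_risk(a, p))

def total_risk(coords, weights=None):
    """Distance from the origin of the 4-D risk space.  With weights (a, b, c, d)
    this is sqrt((a^2 x^2 + b^2 y^2 + c^2 z^2 + d^2 w^2) / (a^2 + b^2 + c^2 + d^2))."""
    if weights is None:
        return math.sqrt(sum(c * c for c in coords))
    num = sum((wt * c) ** 2 for wt, c in zip(weights, coords))
    den = sum(wt * wt for wt in weights)
    return math.sqrt(num / den)

def score_accesses(accesses, policy, weights=None):
    """Evaluate accesses in order; behaviour counters carry over between them."""
    counters = {}
    results = []
    for a in accesses:
        coords = dimension_risks(a, policy, counters)
        results.append((coords, total_risk(coords, weights)))
    return results

# Constructed policy and sample accesses (assumptions, not from the patent).
POLICY = Policy(
    access_rules={("what", "hr_db"): 4, ("how", "DELETE"): 7},
    content_patterns={r"\b(?:\d{4}[- ]?){3}\d{4}\b": 8},   # card-number-like
    baseline={"alice": {"what": {"sales_db"}, "how": {"SELECT"},
                        "where": {"10.0.0.5"}, "when": (8, 18)}},
    behaviour_threshold=2,
)

SAMPLE_ACCESSES = [
    Access("alice", "sales_db", "SELECT", "10.0.0.5", 10,
           "SELECT region, total FROM sales", 120),
    Access("alice", "hr_db", "SELECT", "203.0.113.9", 2,
           "SELECT name, card FROM payroll -- 4111 1111 1111 1111", 900),
]

if __name__ == "__main__":
    for (coords, rt), a in zip(score_accesses(SAMPLE_ACCESSES, POLICY), SAMPLE_ACCESSES):
        print(a.who, a.what, coords, round(rt, 3))
```

The first access stays at the origin (0, 0, 0, 0). The second lands at (4, 6, 8, 5): it touches the HR database, deviates from alice's baseline in three of the four profiled elements (which pushes her counter past its threshold), carries a card-number-like string, and exceeds the response-time limit. Its unweighted distance is sqrt(141); giving content risk a weight of 2 changes the ranking relative to other accesses without changing which dimensions fired.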

As stated above, the invention gives a clear overview of a system from the perspective of risk, and further defines templates so that risk analyses defined in the past can be repeated. Note that every information access is recorded and then assigned a risk according to predefined policies. An information access carrying a certain risk constitutes an event, and an event with urgency constitutes an alert. All events and alerts are collected and pre-processed for later analysis. Figure 4 is a schematic diagram of the invention's model for analyzing risk. First, step 402 presents the collected information in time order, that is, the events are arranged in the sequence in which they occurred. Step 404 then uses a filter to select the elements associated with those events. For example, one filter picks out the elements most strongly associated with the events (say the top N elements); suppose the element found in this way is a database (which belongs to the "what" element). Step 406 then further filters out, from these events, the most frequently accessed files (members of the "what" element) and presents the result in a graphical user interface (GUI). If the system administrator wishes to explore the events further, he can view the events and alerts with other filters in step 408. Finally, in step 410, the system administrator can view the raw data of the information accesses behind these events and alerts. In this way the invention gives the system administrator an overview of the risk situation of information access in the system and then lets him explore the details of selected high-risk events and alerts.

Figure 5 is a schematic diagram of a system architecture 500 according to one embodiment of the invention. As noted above, every information access is recorded and assigned a risk. These information accesses can be filtered by specific time and filter conditions 502. The time and filter conditions 502 can also be used to process risk-related information 504 and alerts 514. Risk-related information 504 is the result of applying the policies, and after filtering it yields information 506 about elements (each item of risk-related information 504 can be decomposed into element information). The associations between the members contained in the element-related information 506 can be further analyzed and processed in the intelligence center 508. If the system administrator requires it, the intelligence center 508 can present the actual event information 510 recorded by the system, or the raw data 512 of the information accesses.

The time and filter conditions 502 can further be used to select and process access information, real-time alerts 514, the information provided by the event radar 516, risk-related information 504, element-related information 506 and the top N events 518. The time and filter conditions 502 can also be used by the intelligence center 508 to process archived events and alerts 510 and raw data 512. A real-time alert 514 can be regarded as an urgent event that is handed directly to the intelligence center 508 for immediate handling. A real-time alert 514 may be triggered by a high-risk information access or by a user-defined condition. It usually involves an immediate notification or action, for example immediate delivery to the system administrator by e-mail, text message or voice message, and real-time alerts 514 can further be given a high, medium or low priority. The event radar 516 is a subsystem that detects all events and presents them to the system administrator. Because the number of events may be very large, events can be grouped by category before being presented, and the top N events 518 can be presented after suitable filtering. Resources 520 are the "who", "what" and "how" elements and their members; more specifically, resources 520 comprise the individual users, the databases and the individual commands. Resources 520 can be used by the intelligence center 508 to process and interpret events and alerts.

In operation, a system according to the invention monitors information accesses on line. It collects and analyzes intelligence about the information accesses made to each database and presents it to the system administrator. What is monitored need not be limited to the accesses themselves; it can extend to the content being accessed. The number of accesses, the number of records accessed and the frequency of those accesses can all be collected and analyzed. Figure 6 shows an operational flow 600 according to one embodiment of the invention. As shown, step 602 first receives and monitors an information access, and step 604 then evaluates it and stores it in the archive. In this way every information access is audited and judged. Each information access is assigned a risk level, according to user-defined policies, based on the subject performing the access, the object accessed, the method of access, the time of access and the location from which it was issued. An information access may be assigned several risks, from which a total risk is then computed. All information accesses are recorded and archived. If an information access is classified as high risk in step 606, step 608 raises an alert; otherwise step 610 pre-processes the access as an ordinary event for later filtering, analysis and correlation by the system administrator.

Alerts and ordinary events are both presented to the system administrator, who decides in step 612 whether to investigate further. If he chooses to investigate, he can decide in step 613 whether to use a predefined template for the analysis. If he uses a template, he selects a suitable one from the existing templates in step 624, and in step 626 the system produces an analysis report from the selected template and presents it to him. If no suitable template exists, he may also pick an existing template and modify its filter conditions. If no template is used, step 614 analyzes the risk associated with the event or alert at the level of the elements. For example, if the event or alert shows an abnormal risk on the personnel database, the analysis in step 614 can find which users are accessing the personnel database or causing the raised risk. If the event or alert shows an abnormal access frequency on a particular database (the number of accesses exceeding a predetermined upper limit), the analysis in step 614 can find which users are accessing that database and the nature of their accesses. Or, if the event or alert shows an excessive number of failed information accesses issued from a particular port, the analysis in step 614 can identify that port and the nature of the failed accesses. The system can then retrieve the events related to these high-risk accesses in step 616, retrieve the information related to these accesses in step 618, and present the result to the system administrator in step 620. After such a customized analysis and presentation, the system administrator can in step 622 record the conditions he used and store them in a new template, which can be selected in step 624 in the future to repeat the same analysis on other events or alerts.
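The following Python is an added illustration, not code from the patent, of the analysis flow of Figure 4 (steps 402 to 410) and the event handling and template steps of Figure 6 (606 to 610 and 612 to 626): events that already carry a total risk are classified as alerts or ordinary events, a template records a time window, a minimum risk, filter conditions and the element to rank, the administrator drills down from the ranked members to the raw access records, and adjusted conditions are saved as a new template. The event fields, the alert threshold, the template layout and the sample events are constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass, asdict

# Added illustration; not code from the patent.  Event fields, the alert
# threshold, template layout and the sample events are assumptions.

@dataclass(frozen=True)
class Event:
    """An information access that has already been assigned a total risk."""
    ts: int            # time of the access (seconds, constructed)
    who: str
    what: str
    how: str
    where: str
    total_risk: float
    raw: str           # raw record behind the event

HIGH_RISK = 10.0       # assumed threshold for step 606

def classify(ev):
    """Step 606: a high-risk access becomes an alert (608); otherwise it is
    kept as an ordinary event for later analysis (610)."""
    return "alert" if ev.total_risk >= HIGH_RISK else "event"

@dataclass
class Template:
    """Recorded filter conditions that can be re-applied to other events."""
    name: str
    start: int          # time window [start, end)
    end: int
    min_risk: float     # keep events at or above this total risk
    criteria: dict      # element -> required member, e.g. {"what": "hr_db"}
    top_element: str    # element to rank, e.g. "what" or "who"
    top_n: int

def apply_template(events, t):
    """Steps 402-406: order events by time, filter them, rank the top-N members
    of the chosen element among the surviving events."""
    timeline = sorted(events, key=lambda e: e.ts)
    selected = [e for e in timeline
                if t.start <= e.ts < t.end and e.total_risk >= t.min_risk
                and all(getattr(e, k) == v for k, v in t.criteria.items())]
    ranked = Counter(getattr(e, t.top_element) for e in selected).most_common(t.top_n)
    return {"template": t.name, "events": selected, "top": ranked}

def drill_down(events, element, member):
    """Steps 408-410: narrow to one member and expose the raw access records."""
    return [e.raw for e in events if getattr(e, element) == member]

def derive_template(t, new_name, **changes):
    """Step 622: save modified filter conditions as a new, reusable template
    without altering the original one."""
    return Template(**{**asdict(t), **changes, "name": new_name})

# Constructed sample events (assumptions, not from the patent).
EVENTS = [
    Event(100, "alice", "sales_db", "SELECT", "10.0.0.5", 0.0, "alice SELECT sales_db"),
    Event(200, "bob", "hr_db", "SELECT", "10.0.0.7", 11.9, "bob SELECT hr_db"),
    Event(300, "bob", "hr_db", "UPDATE", "10.0.0.7", 12.4, "bob UPDATE hr_db"),
    Event(400, "carol", "hr_db", "SELECT", "203.0.113.9", 9.5, "carol SELECT hr_db"),
    Event(500, "alice", "sales_db", "SELECT", "10.0.0.5", 0.0, "alice SELECT sales_db"),
    Event(600, "bob", "payroll_files", "SELECT", "10.0.0.7", 13.0, "bob SELECT payroll_files"),
]

# A predefined template: which objects attract the most risky accesses?
HIGH_RISK_OBJECTS = Template("high-risk objects", 0, 1000, 9.0, {}, "what", 2)

if __name__ == "__main__":
    print([classify(e) for e in EVENTS])
    report = apply_template(EVENTS, HIGH_RISK_OBJECTS)
    print(report["top"])
    # The administrator narrows the same conditions to one object and asks who.
    who_on_hr = derive_template(HIGH_RISK_OBJECTS, "hr_db users",
                                criteria={"what": "hr_db"}, top_element="who")
    follow_up = apply_template(EVENTS, who_on_hr)
    print(follow_up["top"], drill_down(follow_up["events"], "who", "carol"))
```

The first template ranks objects among accesses with total risk 9.0 or more; the derived template keeps the same window and risk floor, pins "what" to the database found in the first pass, and ranks subjects instead, which is the top-N-then-members progression of steps 404 to 406 followed by the raw-data view of step 410.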

The creation of templates is an important feature of the invention. A template records all the filter conditions the user applied, so an analysis with the same filter conditions can be repeated quickly in the future. The filter conditions recorded in a template can be modified: for example, while viewing a report produced from a template, the user can change its filter conditions, and the result of the change can be used to create a new template.

The method proposed by the invention may be executed by a program stored on a computer-readable medium. The program causes a server, or a similar computing device with a computer platform, to perform the steps of the method. The computer-readable medium may be the memory of that server or the memory of a connected database. Alternatively, it may be secondary storage media loaded into a connected computer, such as a magnetic disk, magnetic tape, optical disc, hard disk, flash memory or other known storage media. Figure 7 is a schematic diagram of a system that supports the proposed method.

The system 700 comprises an information access monitoring unit 702, a policy storage unit 704, a user interface unit 708, a controller 710 and a storage unit 706. The information access monitoring unit 702 monitors the traffic of information accesses to one or more databases located in one or more systems; the information accesses in that traffic are copied and delivered to the information access monitoring unit 702. These information accesses are then stored in the storage unit 706 and processed by the controller 710 according to the policies held in the policy storage unit 704. The storage unit 706 also holds the templates used to generate reports. From these policies the controller 710 derives the various risks and, by combining them, computes a total risk. A person of ordinary skill will appreciate that the policy storage unit 704 and the storage unit 706 may be integrated, or that different policies may be held in different policy storage units 704. The processed information accesses are then presented to the system administrator through the user interface unit 708. Through the user interface unit 708 the user can also select the report he wishes to view, which is generated from the template on which it is based, and can modify that report's filter conditions. The controller 710 performs all the functions of the intelligence center 508 described above. The system administrator can instruct the system 700 to perform an analysis through a display unit (not shown) connected to the user interface unit 708.

Figures 4, 5 and 6 neither require nor imply any particular order of actions; the actions may be performed sequentially or in parallel. The method may be implemented in the computing device of a network appliance (such as a router or a network server) as a series of machine-readable instructions. These instructions may be stored on a variety of primary, secondary or tertiary media that carry signals or store data. Such media include at least media accessible to, or built into, the components of the network device, such as random access memory (RAM). They may further include the following machine-readable digital or analog data storage media: DASD (direct access storage devices, such as conventional hard disks or disk arrays), magnetic tape, electronic read-only memory (such as ROM, EPROM and EEPROM), flash memory cards, optical storage (such as CD-ROM, WORM, DVD and digital optical tape) and computer punched cards. When these instructions are executed by a computer, the computer performs the steps shown in Figures 4, 5 and 6.

The detailed description of the preferred embodiments above is intended to make the features and spirit of the invention clearer, not to limit the scope of the invention to the preferred embodiments disclosed. On the contrary, the intention is to cover various modifications and equivalent arrangements within the scope of the claims of the invention.

100 ... risk management model
102 ... information risk management mechanism
104 ... risk analysis
106 ... customized report
108 ... risk policies
110 ... risk items
112 ... time and conditions
114 ... template
116 ... template
118 ... events and alerts
200 ... risk policy model
201 ... information access
202 ... access risk
204 ... behaviour risk
206 ... content risk
208 ... performance risk
300 ... overall risk model
400 ... risk analysis model
402~410 ... steps
500 ... system architecture
502 ... time and filter conditions
504 ... risk-related information
506 ... element-related information
508 ... intelligence center
510 ... archived events and alerts
512 ... raw data
514 ... real-time alerts
516 ... event radar
518 ... top N events
520 ... resources
600 ... operation flow
600~626 ... steps
700 ... system
702 ... information access monitoring unit
704 ... policy storage unit
706 ... storage unit
708 ... user interface unit
710 ... controller
D ... distance
O ... origin
R_T ... overall risk
X, Y, Z, W ... coordinate axes
x, y, z, w ... coordinate values

Figure 1 is a schematic diagram of the model of the information risk management mechanism implemented by the present invention.

Figure 2 is a schematic diagram of the model of the risk policies implemented by the present invention.

Figure 3 is a schematic diagram of the model by which the present invention expresses the overall risk.

Figure 4 is a schematic diagram of the model by which the present invention analyzes risk.

Figure 5 is a schematic diagram of a system architecture according to an embodiment of the present invention.

Figure 6 is a flow chart of the operation according to an embodiment of the present invention.

Figure 7 is a schematic diagram of a system supporting the method proposed by the present invention.

Claims (9)

1. A method for managing risk related to information access, comprising at least the following steps: for each information access, computing a plurality of risks related to that information access according to policies obtained from a policy storage unit; storing the information access in a storage unit; for each information access, computing, in a controller, an overall risk of the information access according to those risks; linking the information access with the overall risk to establish a plurality of events; selecting a plurality of events using a plurality of filter conditions; presenting the selected events in a report through a display device; and establishing a template recording the filter conditions.

2. The method for managing risk related to information access of claim 1, further comprising the step of receiving a plurality of information accesses from an information access monitoring unit.

3. The method for managing risk related to information access of claim 1, further comprising the step of generating an alert if the overall risk of an information access exceeds an upper limit.

4. The method for managing risk related to information access of claim 3, further comprising the step of transmitting the alert to a system administrator.

5. The method for managing risk related to information access of claim 4, wherein the alert is transmitted by e-mail.

6. The method for managing risk related to information access of claim 4, wherein the alert is transmitted by short message.

7. The method for managing risk related to information access of claim 1, wherein the events are presented in chronological order.

8. The method for managing risk related to information access of claim 1, wherein the plurality of risks comprises the following types of risk: access risk, content risk, behaviour risk, and performance risk.

9. The method for managing risk related to information access of claim 1, further comprising the step of receiving the filter conditions from a user interface.
Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
US12/497,981 US8631081B2 (en) 2008-11-12 2009-07-06 System and method for information risk management

Publications (2)

Publication Number Publication Date
TW201102958A TW201102958A (en) 2011-01-16
TWI444920B true TWI444920B (en) 2014-07-11

Family

ID=44838281

Family Applications (1)

Application Number Title Priority Date Filing Date
TW98140757A TWI444920B (en) 2009-07-06 2009-11-30 System and method for information risk management

Country Status (1)

Country Link
TW (1) TWI444920B (en)

Also Published As

Publication number Publication date
TW201102958A (en) 2011-01-16
