WO2005050421A1 - Evidential image preservation program, evidential image preservation method, and evidential image preservation device - Google Patents

Evidential image preservation program, evidential image preservation method, and evidential image preservation device Download PDF

Info

Publication number
WO2005050421A1
WO2005050421A1 PCT/JP2004/015081 JP2004015081W WO2005050421A1 WO 2005050421 A1 WO2005050421 A1 WO 2005050421A1 JP 2004015081 W JP2004015081 W JP 2004015081W WO 2005050421 A1 WO2005050421 A1 WO 2005050421A1
Authority
WO
WIPO (PCT)
Prior art keywords
evidence
computer
screen
display data
unauthorized
Prior art date
Application number
PCT/JP2004/015081
Other languages
French (fr)
Japanese (ja)
Inventor
Osamu Aoki
Hiroaki Kawano
Original Assignee
Intelligent Wave Inc.
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Intelligent Wave Inc. filed Critical Intelligent Wave Inc.
Publication of WO2005050421A1 publication Critical patent/WO2005050421A1/en

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/554Detecting local intrusion or implementing counter-measures involving event detection and direct action

Definitions

  • the present invention relates to an evidence screen saving program, an evidence screen saving method, and an evidence screen saving device for saving an evidence screen of an unauthorized operation performed on a computer.
  • a fraud is detected by the above method
  • processing such as interrupting the operation being performed, reporting to the administrator, and warning to the operator are executed.
  • processing such as interrupting the operation being performed, reporting to the administrator, and warning to the operator are executed.
  • a method is disclosed in which, when monitoring unauthorized operation in a network, communication is cut off, and a notification report is sent to an administrator and a warning report is sent to an operator (see Patent Document 1).
  • a method of issuing a warning message to a monitor when monitoring operations on a computer is disclosed (see Patent Document 2).
  • Patent Document 1 Japanese Unexamined Patent Application Publication No. 2002-232232, paragraph number 0005
  • Patent Document 2 JP-A-2002-258972, paragraph number 0034
  • Such evidences must be identified by recording logs in the event that a fraudulent event occurs.
  • the accessed file has been changed or the file has been deleted, there is a problem that the operation status at the time when the unauthorized operation was performed cannot be reproduced. In the event that fraud occurs, it is preferable to save credible evidence as soon as possible.
  • the present invention has been made in response to such a problem, and it is possible to quickly save an evidence screen at the time of occurrence of an unauthorized operation performed on a computer. It is intended to provide a screen storage program, a evidence screen storage method, and a evidence screen storage device.
  • a first invention for solving the above-mentioned problem is a proof screen storage program for storing a proof screen of an unauthorized operation performed on a computer, wherein the computer accepts the proof screen by the computer. Determining whether the operation performed is an unauthorized operation; obtaining the display data displayed on the screen of the computer by the operation if the operation is determined to be an unauthorized operation; And storing the evidence data with the information specifying the operation in the evidence data storage unit in the evidence data storage unit.
  • the computer is caused to execute a step of recording at least one log of a keystroke, a network, an application, or an operation system applied to the computer. You can also.
  • the evidence of the unauthorized operation can be saved quickly.
  • the operation history of the computer may be recorded as a log at all times.However, by recording the log after it is determined that the operation is unauthorized, the evidence that the operation has been performed together with the data displayed on the screen is effective. Can be saved
  • any judging method may be used for judging an unauthorized operation, such as judging based on a pre-registered rule base or judging based on a user profile obtained by analyzing a user's operation tendency.
  • the file format of the display data to be saved is not limited to a specific format as long as it can reproduce the screen display.
  • the information for specifying the operation uses the user ID of the user who performed the operation, the time when the operation was performed, and the like.
  • a second invention for solving the above-mentioned problem is a proof screen storage program for storing a proof screen of an unauthorized operation performed on a computer, wherein the computer accepts the proof screen by the computer. Determining whether the operation performed is an unauthorized operation; obtaining the display data displayed on the screen of the computer by the operation if the operation is determined to be an unauthorized operation; And transmitting, to the management server via a network, evidence data with information specifying the operation. And causing the computer to execute a step of transmitting at least one log of a keystroke, a network, an application, or an operation system applied to the computer to the management server when the operation is determined to be an unauthorized operation. It may be characterized.
  • the acquired display data is transmitted to the management server, and the management server monitors the unauthorized operation centrally, thereby saving the evidence of the unauthorized operation.
  • the administrator can take quick and quick responses.
  • the requirements for the ability to record logs to increase the evidentiality, the method of determining unauthorized operation, the file format of the display data, and the information for specifying the operation are the same as in the first invention.
  • the step of obtaining the display data the data written by the operation in the virtualized display area is obtained as display data. It can also be a feature.
  • the force required to identify the display data displayed on the screen by an unauthorized operation as evidence is that the display data displayed on the screen is written in a virtual display area such as a device context. It can be specified from the issued data.
  • the step of obtaining the display data in the step of obtaining the display data, the data written by the operation in a buffer for displaying a screen of the computer is written. It can also be obtained as display data.
  • the first invention and the second invention can also be grasped as an evidence screen saving method that can be performed by executing the above-described evidence screen saving program. Further, it can be configured as an evidence screen storage device using the above evidence screen storage program.
  • the evidence screen saving method is an evidence screen saving method for saving an evidence screen of an unauthorized operation performed on a computer, wherein the computer A step of determining whether the received operation is an unauthorized operation; and a step of the computer acquiring display data displayed on a screen of the computer by the operation when the operation is determined to be an unauthorized operation. And storing the evidence data in which the information specifying the operation is added to the display data in the evidence data storage unit.
  • An evidence screen saving method is an evidence screen saving method for saving an evidence screen of an unauthorized operation performed on a computer, wherein the computer accepts the evidence screen.
  • An evidence screen storage device corresponding to the first invention is an evidence screen storage device for saving an evidence screen of an unauthorized operation performed on a computer, wherein the operation received by the computer is an unauthorized operation.
  • Operation means for judging whether the operation is illegal, and when the operation is judged to be an illegal operation by the illegal operation judgment means, display data displayed on the screen of the computer is acquired by the operation.
  • Evidence data storage means comprising: display data acquisition means; and evidence data storage means for storing evidence data obtained by adding information for specifying the operation to the display data acquired by the display data acquisition means.
  • the information processing apparatus further comprises a log recording means for recording at least one log of a keystroke, a network, an application, or an operation system of the computer. You can also.
  • An evidence screen storage device is an evidence screen storage device for saving an evidence screen of an unauthorized operation performed on a computer, wherein the operation received by the computer is an unauthorized operation.
  • Operation means for judging whether the operation is illegal, and when the operation is judged to be an illegal operation by the illegal operation judgment means, display data displayed on the screen of the computer is acquired by the operation.
  • Display data acquisition means, and evidence data transmission means for transmitting, via a network, evidence data in which display data acquired by the display data acquisition means with information specifying the operation is transmitted to a management server.
  • This is the evidence screen storage device.
  • the unauthorized operation determining means determines that the operation is an unauthorized operation, at least one log of a keystroke, a network, an application, or an operation system concerning the computer is transmitted to the management server. It can be characterized by having no transmission means.
  • the evidence screen storage device corresponding to the first invention and the second invention is characterized in that the display data storage device
  • the data acquisition means may acquire data written by the operation in the virtualized display area as display data.
  • the display data obtaining means obtains, as display data, data written by the operation in a buffer for displaying a screen of the computer.
  • FIG. 1 is a diagram showing an overall configuration of an example in which the evidence screen storage device according to the present invention is used for monitoring a terminal connected to a network.
  • FIG. 2 is a diagram showing a monitoring position on a network in an example in which the evidence screen storage device according to the present invention is used for monitoring a terminal connected to the network.
  • FIG. 3 is a diagram showing an outline of a function of an example in which the evidence screen storage device according to the present invention is used for monitoring a terminal connected to a network.
  • FIG. 4 is a block diagram showing a configuration of a fraud monitoring system using the evidence screen storage program according to the present invention.
  • FIG. 5 is a diagram showing an outline of the processing by the evidence screen saving program which is useful in the present invention.
  • FIG. 6 is a diagram showing an example of a table for storing the evidence data acquired by the evidence screen saving program according to the present invention.
  • FIG. 7 is a flowchart showing a processing procedure of an evidence screen storage program that is useful in the present invention.
  • the evidence screen storage device saves an evidence screen of an unauthorized operation performed on a computer, but may be used in a stand-alone computer. To monitor computers connected to the network May be. In the former case, the data related to the evidence screen is stored in the combi- ter used by the user.
  • FIG. 1 shows an example used for monitoring a computer connected to the latter network.
  • a plurality of user terminals are connected by an in-house network such as a LAN, and the in-house network is connected to the Internet.
  • the fraud monitoring server monitors data flowing on the network and monitors activities such as sending and receiving unauthorized information to and from the Internet.
  • the evidence screen storage device working on the present invention monitors illegal operations in two parts.
  • One is to monitor the operation performed on the user terminal, and if it is determined that the operation is unauthorized, capture the operation screen at the time of the unauthorized operation and store it in the user terminal or the unauthorized monitoring server.
  • the other is that when the fraud monitoring server monitors data flowing through the network and detects data that corresponds to an unauthorized operation, it identifies the user terminal that sends and receives the data and displays the operation displayed on the user terminal based on the data. Capture the screen and store it on the user terminal or the fraud monitoring server.
  • the position where the fraud monitoring server monitors the data on the network is, in addition to the monitoring of the data executed in the user terminal, the segment unit of the network. It can be placed in various locations, such as monitoring data transmitted and received by a mail server, monitoring data at a mail server, and monitoring data at a gateway.
  • FIG. 3 shows an example of the respective functions of the user terminal and the fraud monitoring server in the case where the evidence screen storage device according to the present invention is used for monitoring a computer connected to a network.
  • the evidence screen storage program according to the present invention is executed, and when an unauthorized operation is detected, a warning message is displayed on a display and a warning sound is generated.
  • the screen displayed by the unauthorized operation is captured, and the display data of the screen together with the information such as the time of occurrence is transmitted to the fraud monitoring server as evidence data with the identification information of the terminal.
  • the fraud monitoring server information such as terminal identification information and occurrence time is classified as a key. Evidence data is stored. In addition to the evidence data, it is also possible to obtain and store from the user terminal various types of operations after the fraud has occurred.
  • the fraud monitoring server may also display a warning message on the display and generate a warning sound to promptly notify the administrator of the occurrence of an illegal operation.
  • the user terminal 10 includes a CPU 11, a RAM 12, a ROM 13, a HDD 14, and a video board 15.
  • the HDD 14 stores a fraud monitoring program 141 for monitoring for fraudulent operations including a evidence screen saving program that is useful for the present invention, and stores fraud rules for storing rules for judging fraudulent operations.
  • Unit 142 is provided with an evidence data storage unit 143 that stores data related to an evidence screen when an unauthorized operation is performed.
  • the video board 15 includes a VRAM 16 which is a buffer for writing screen content to be displayed on the display 17. It should be noted that the HDD 14 storing the fraud monitoring program 141 may use another storage medium such as a flash memory capable of storing a program!
  • the display data of the screen to be captured is specified by acquiring the data written in the virtualized display area such as the device context in the arithmetic processing in the CPU 11 and the RAM 12. can do.
  • the data written by the operation in the VRAM 16 which is a buffer for displaying on the display 17 can be acquired and specified.
  • Display data of the captured screen includes data for identifying the operation, such as the time when the ID operation of the user who performed the operation was received. This is added to and stored in the evidence data storage unit 143.
  • Figure 6 shows an example of a table that stores the evidence data obtained in this way.Records provided for each operation to be processed are displayed on the display together with the date and time of receipt of the operation and the user ID. The file name of the displayed data is recorded.
  • the format of the powerful file stored in the evidence data storage unit 143 may be any format.
  • logs of operations performed on the computer such as keystrokes, networks, applications, or operation systems, in addition to the direct operations of performing the fraudulent operations, are recorded. You can also record it.
  • Such a log can be used to prove the operation history of the user and prove that unauthorized operation has been performed in conjunction with the evidence screen.
  • the log is recorded after the occurrence of the fraud.
  • the fraud rule storage unit 142 provided in the user terminal 10 may be provided as the fraud rule storage unit 21 in the fraud monitoring server 20 that monitors the network including the user terminal 10.
  • a common rule is applied to a plurality of terminals belonging to the same network, where it is preferable to use the fraud rule storage unit 142 provided in the user terminal 10.
  • the acquired evidence data may be stored in the evidence data storage unit 143 in the user terminal 10, but in order to reduce the risk of deleting the evidence data, the acquired evidence data is under the control of the administrator. It is preferable to use the evidence data storage unit 22 provided in the fraud monitoring server 20.
  • FIG. 5 shows an outline of the processing by the evidence screen storage program that is useful in the present invention.
  • the components described below are not physically separated, but are stored in the HDD 14 as a part of the fraud monitoring program 141 that executes each component as shown in FIG.
  • the arithmetic processing may be executed by the CPU 11 while the RAM 12 functions as a work area.
  • the fraud determining unit determines the operation. It is determined whether or not the racing is an illegal operation. Such a determination can be made in comparison with a rule stored in a fraudulent rule storage unit created based on a general fraudulent pattern pattern, but is not limited to a rule-based determination and can be performed by a user. Pattern power Compared with the created user profile or the like, an illegal operation may be determined from unique behavioral power.
  • the display data acquisition unit acquires display data to be displayed on the display of the user terminal by the operation.
  • the display data to be acquired is specified from the data written to VRAM or device context.
  • the display data is saved as an image file and stored in the evidence data storage unit with information identifying the operation, such as the date and time of receipt of the operation and the user ID. Further, such evidence data may be transmitted to a management server or the like via a network and stored. Further, in order to stop the unauthorized operation, the stop processing execution unit may execute processing such as displaying a warning message, generating a warning sound, stopping the operation, and disconnecting the network.
  • the display of the warning message and the generation of the warning sound may be performed on the user terminal side or may be performed on the management server side.
  • various settings such as specific time, random, startup, etc. are performed and a dummy warning message or warning sound is emitted and monitoring is performed. It is possible to increase the deterrence effect on the user by clarifying that the information is being checked. In this case, it is possible to actually perform even the capture of the screen.
  • the user checks whether the computer operated by the user is capable of generating a warning sound or a warning message (S04). Is set to occur In this case, a warning sound or a warning message is generated (S05). Subsequently, display data to be displayed by the operation of performing the fraud determination is obtained from the device context (S06). The display data is attached with information for identifying unauthorized operations such as a date (S07), and is stored as evidence in a database or the like (S08). Further, the setting of whether or not to transmit the display data to the management server is confirmed (S09), and if the transmission is set, it is also transmitted to the management server (S10).
  • FIG. 1 A proof screen storage device according to the present invention is used for monitoring terminals connected to a network.
  • V is a diagram illustrating an entire configuration of an example.
  • FIG. 2 is a diagram showing a monitoring position on a network in an example in which the evidence screen storage device according to the present invention is used for monitoring a terminal connected to the network.
  • the evidence screen storage device is used for monitoring terminals connected to a network.
  • FIG. 5 is a diagram showing an outline of functions of an example.
  • FIG. 4 is a block diagram showing a configuration of a fraud monitoring system using a proof screen storage program that is useful in the present invention.
  • FIG. 5 is a diagram showing an outline of a process performed by the evidence screen storage program according to the present invention.
  • FIG. 6 is a diagram showing an example of a table for storing evidence data obtained by an evidence screen saving program according to the present invention.
  • FIG. 7 is a flowchart showing a processing procedure of an evidence screen storage program that is useful in the present invention.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Debugging And Monitoring (AREA)

Abstract

[PROBLEMS] To provide an evidential image preservation program capable of rapidly preserving an evidential image when an unauthorized operation is caused to a computer. [MEANS FOR SOLVING PROBLEMS] When a computer receives an operation, the computer references a rule or the like to judge whether the operation is an unauthorized operation. If the operation is judged to be unauthorized, display data displayed on the screen by the operation is acquired from a VRAM or a device context and stored as an evidential material having a date and the like in an evidential data storage unit. The evidential data and an unauthorized report may be transmitted via the network to the administrator. For an unauthorized operation, the operation is interrupted and the network connection is cut off.

Description

明 細 書  Specification
証拠画面保存プログラム、証拠画面保存方法及び証拠画面保存装置 技術分野  Evidence screen storage program, evidence screen storage method and evidence screen storage device
[0001] 本発明は、コンピュータに対して行われた不正操作の証拠画面を保存するための 証拠画面保存プログラム、証拠画面保存方法及び証拠画面保存装置に関するもの である。  The present invention relates to an evidence screen saving program, an evidence screen saving method, and an evidence screen saving device for saving an evidence screen of an unauthorized operation performed on a computer.
背景技術  Background art
[0002] 特に企業等がコンピュータで重要情報を取り扱う場合、コンピュータをインターネット 等のネットワークに接続して使用する場合であれば、外部からの不正なデータの侵入 を防止するとともに、コンピュータの不正操作による内部からのデータ流出や漏洩を 防止することが必要になる。また、コンピュータをネットワークに接続せずにスタンドア ローンで用いる場合も、コンピュータ内のデータの不正なコピーやデータを消去、破 壊する操作など、不正操作を防止することが必要になる。  [0002] In particular, when a company or the like handles important information on a computer and uses the computer by connecting it to a network such as the Internet, it is possible to prevent intrusion of unauthorized data from the outside and prevent unauthorized access to the computer. It is necessary to prevent data leakage and leakage from inside. Also, when a computer is used stand-alone without being connected to a network, it is necessary to prevent unauthorized operations such as illegal copying of data in the computer, erasing or destroying data.
[0003] このような不正操作を防止するために、一つにはコンピュータやネットワークの操作 履歴をログとして記録し、トラブルが生じた場合にはログを参照して不正の発生源を 特定することが一般的に行われている。また、不正操作を速やかに検出してトラブル の発生を未然に防止するために、不正操作のパターンをルールとして登録し、コンビ ユータの実行するオペレーションを力かるルールと対比して不正操作を判定する方 法も用いられるようになって ヽる。  [0003] In order to prevent such unauthorized operations, one is to record the operation history of the computer or network as a log, and in the event of trouble, refer to the log to identify the source of the unauthorized operation. Is commonly done. In addition, in order to detect unauthorized operations promptly and prevent problems from occurring, register unauthorized operation patterns as rules and judge illegal operations by comparing the operations performed by the computer with rules that enforce the operations. Methods have also been used.
[0004] 上記の方法により不正が検出された場合、不正を停止させるための方法として、実 行中のオペレーションの中断、管理者への報告や操作者への警告などの処理が実 行される。例えば、ネットワークにおける不正操作を監視する場合であれば、通信を 切断するとともに、管理者に通知レポートを、操作者に警告レポートを送信する方法 が開示されている (特許文献 1参照)。また、コンピュータに対する操作を監視する場 合であれば、モニタに警告メッセージを出す方法が開示されている(特許文献 2参照 [0004] When a fraud is detected by the above method, as a method for stopping the fraud, processing such as interrupting the operation being performed, reporting to the administrator, and warning to the operator are executed. . For example, a method is disclosed in which, when monitoring unauthorized operation in a network, communication is cut off, and a notification report is sent to an administrator and a warning report is sent to an operator (see Patent Document 1). Also, a method of issuing a warning message to a monitor when monitoring operations on a computer is disclosed (see Patent Document 2).
) o ) o
特許文献 1:特開 2002 - 232451号公報 段落番号 0005 特許文献 2 :特開 2002-258972号公報 段落番号 0034 Patent Document 1: Japanese Unexamined Patent Application Publication No. 2002-232232, paragraph number 0005 Patent Document 2: JP-A-2002-258972, paragraph number 0034
発明の開示  Disclosure of the invention
発明が解決しょうとする課題  Problems to be solved by the invention
[0005] 前記特許文献記載の方法のように、不正操作そのものを停止させることは重要であ る力 例えば不正操作を行った者に対して法的措置をとる場合においては、不正操 作の証拠を保存することが重要である。また、法的措置にまでは至らなくても、社内に ぉ 、て業務時間中に社員が娯楽用の Webサイトを閲覧して 、ることに注意を与える 場合など、閲覧を行った記録が保存されて 、ることが好ま 、。  [0005] As in the method described in the patent document, it is important to stop the unauthorized operation itself. For example, when legal action is taken against a person who has performed the unauthorized operation, evidence of the unauthorized operation is required. It is important to save. In addition, even if legal action is not taken, records of browsing are kept in-house, such as when employees are cautioned to visit a recreation website during business hours. Being preferred to be.
[0006] このような証拠資料は、ログを記録することによつても可能である力 不正が発生し た場合には該当するログの特定を行わなければならない。また、アクセスしたファイル が変更されていたり、ファイルが削除されてしまったりした場合には、不正が行われて V、た時点での操作状況を再現することができな 、と 、う問題を有しており、不正が発 生した時点にぉ 、て即座に確実な証拠を保存することが好ま 、。  [0006] Such evidences must be identified by recording logs in the event that a fraudulent event occurs. In addition, if the accessed file has been changed or the file has been deleted, there is a problem that the operation status at the time when the unauthorized operation was performed cannot be reproduced. In the event that fraud occurs, it is preferable to save credible evidence as soon as possible.
[0007] 本発明は、このような課題に対応してなされたものであり、コンピュータに対して行 われた不正操作の発生時点にぉ ヽて、速やかに証拠画面を保存することが可能な 証拠画面保存プログラム、証拠画面保存方法及び証拠画面保存装置を提供するこ とを目的とするものである。  [0007] The present invention has been made in response to such a problem, and it is possible to quickly save an evidence screen at the time of occurrence of an unauthorized operation performed on a computer. It is intended to provide a screen storage program, a evidence screen storage method, and a evidence screen storage device.
課題を解決するための手段  Means for solving the problem
[0008] 上記の課題を解決する第 1の発明は、コンピュータに対して行われた不正操作の証 拠画面を保存するための証拠画面保存プログラムであって、前記コンピュータに、前 記コンピュータが受け付けたオペレーションが不正操作であるかを判定するステップ と、前記オペレーションが不正操作であると判定されると、前記オペレーションにより 前記コンピュータの画面に表示される表示データを取得するステップと、前記表示デ ータに前記オペレーションを特定する情報を付した証拠データを証拠データ格納部 に格納するステップと、を実行させるための証拠画面保存プログラムである。前記コン ピュータに、前記オペレーションが不正操作であると判定されると、前記コンピュータ に力かるキーストローク、ネットワーク、アプリケーション又はオペレーションシステムの 少なくとも一つのログを記録するステップを実行させることを特徴とすることもできる。 [0009] 第 1の発明においては、不正操作と判定されたオペレーションによりコンピュータの 画面に表示される表示データを保存することにより、不正操作が行われた証拠を速 やかに保存することができる。コンピュータの操作履歴は常時ログとして記録してもよ いが、不正操作であると判定された後のログを記録することにより、画面の表示デー タと併せて不正操作が行われた証拠を効果的に保存することができる。 [0008] A first invention for solving the above-mentioned problem is a proof screen storage program for storing a proof screen of an unauthorized operation performed on a computer, wherein the computer accepts the proof screen by the computer. Determining whether the operation performed is an unauthorized operation; obtaining the display data displayed on the screen of the computer by the operation if the operation is determined to be an unauthorized operation; And storing the evidence data with the information specifying the operation in the evidence data storage unit in the evidence data storage unit. When the operation is determined to be an unauthorized operation, the computer is caused to execute a step of recording at least one log of a keystroke, a network, an application, or an operation system applied to the computer. You can also. [0009] In the first invention, by storing the display data displayed on the computer screen by the operation determined to be the unauthorized operation, the evidence of the unauthorized operation can be saved quickly. . The operation history of the computer may be recorded as a log at all times.However, by recording the log after it is determined that the operation is unauthorized, the evidence that the operation has been performed together with the data displayed on the screen is effective. Can be saved
[0010] 尚、本発明において不正操作の判定には、予め登録されたルールベースによる判 定の他、ユーザの操作傾向を分析したユーザプロファイルによる判定などどのような 判定方法を用いてもよい。また、保存する表示データのファイル形式は、画面表示を 再現できるものであればよぐ特定の形式に限定されるものではない。オペレーション を特定するための情報には、オペレーションを行ったユーザのユーザ ID、オペレー シヨンが行われた時刻等が用いられる。  [0010] Incidentally, in the present invention, any judging method may be used for judging an unauthorized operation, such as judging based on a pre-registered rule base or judging based on a user profile obtained by analyzing a user's operation tendency. The file format of the display data to be saved is not limited to a specific format as long as it can reproduce the screen display. The information for specifying the operation uses the user ID of the user who performed the operation, the time when the operation was performed, and the like.
[0011] 上記の課題を解決する第 2の発明は、コンピュータに対して行われた不正操作の証 拠画面を保存するための証拠画面保存プログラムであって、前記コンピュータに、前 記コンピュータが受け付けたオペレーションが不正操作であるかを判定するステップ と、前記オペレーションが不正操作であると判定されると、前記オペレーションにより 前記コンピュータの画面に表示される表示データを取得するステップと、前記表示デ ータに前記オペレーションを特定する情報を付した証拠データを、ネットワークを通じ て管理サーバに送信するステップと、を実行させるための証拠画面保存プログラムで ある。前記コンピュータに、前記オペレーションが不正操作であると判定されると、前 記コンピュータに力かるキーストローク、ネットワーク、アプリケーション又はオペレー シヨンシステムの少なくとも一つのログを前記管理サーバに送信するステップを実行さ せることを特徴としてもよい。 [0011] A second invention for solving the above-mentioned problem is a proof screen storage program for storing a proof screen of an unauthorized operation performed on a computer, wherein the computer accepts the proof screen by the computer. Determining whether the operation performed is an unauthorized operation; obtaining the display data displayed on the screen of the computer by the operation if the operation is determined to be an unauthorized operation; And transmitting, to the management server via a network, evidence data with information specifying the operation. And causing the computer to execute a step of transmitting at least one log of a keystroke, a network, an application, or an operation system applied to the computer to the management server when the operation is determined to be an unauthorized operation. It may be characterized.
[0012] 第 2の発明においては、第 1の発明と同様に取得した表示データを管理サーバに 送信して、管理サーバで不正操作を集中監視することにより、不正操作が行われた 証拠を保存するとともに、管理者による速やカゝな対応を行うことができる。ログを記録 して証拠性を高めることができることや、不正操作の判定方法、表示データのフアイ ル形式、オペレーションを特定する情報に関する要件については、第 1の発明と同様 である。 [0013] また、第 1の発明及び第 2の発明は、前記表示データを取得するステップにおいて は、仮想化されたディスプレイ領域に前記オペレーションによって書き出されたデー タを表示データとして取得することを特徴とすることもできる。 [0012] In the second invention, as in the first invention, the acquired display data is transmitted to the management server, and the management server monitors the unauthorized operation centrally, thereby saving the evidence of the unauthorized operation. In addition, the administrator can take quick and quick responses. The requirements for the ability to record logs to increase the evidentiality, the method of determining unauthorized operation, the file format of the display data, and the information for specifying the operation are the same as in the first invention. [0013] Further, in the first invention and the second invention, in the step of obtaining the display data, the data written by the operation in the virtualized display area is obtained as display data. It can also be a feature.
[0014] 本発明においては、証拠として不正操作によって画面に表示される表示データを 特定することが必要になる力 画面に表示される表示データは、デバイスコンテキスト 等の仮想化されたディスプレイ領域に書き出されたデータより特定することができる。  [0014] In the present invention, the force required to identify the display data displayed on the screen by an unauthorized operation as evidence is that the display data displayed on the screen is written in a virtual display area such as a device context. It can be specified from the issued data.
[0015] さらに、第 1の発明及び第 2の発明は、前記表示データを取得するステップにおい ては、前記コンピュータの画面表示の行うためのバッファに前記オペレーションによつ て書き出されたデータを表示データとして取得することを特徴とすることもできる。  [0015] Further, in the first invention and the second invention, in the step of obtaining the display data, the data written by the operation in a buffer for displaying a screen of the computer is written. It can also be obtained as display data.
[0016] 不正操作によって画面に表示される表示データを特定するためには、コンピュータ の画面表示用のビデオボードに設けられた VRAM等の画面表示を行うためのバッフ ァに書き出されたデータを取得することとしてもょ 、。  [0016] In order to identify display data displayed on the screen due to unauthorized operation, data written to a buffer for displaying a screen, such as VRAM, provided on a video board for displaying a screen of a computer is used. You can get it.
[0017] 第 1の発明及び第 2の発明は、上記の証拠画面保存プログラムの実行により行うこ とができる証拠画面保存方法として把握することもできる。また、上記の証拠画面保 存プログラムを用いた証拠画面保存装置として構成することもできる。  [0017] The first invention and the second invention can also be grasped as an evidence screen saving method that can be performed by executing the above-described evidence screen saving program. Further, it can be configured as an evidence screen storage device using the above evidence screen storage program.
[0018] つまり、第 1の発明に対応する証拠画面保存方法は、コンピュータに対して行われ た不正操作の証拠画面を保存するための証拠画面保存方法であって、前記コンビュ 一タカ 前記コンピュータが受け付けたオペレーションが不正操作であるかを判定す るステップと、前記コンピュータが、前記オペレーションが不正操作であると判定され ると、前記オペレーションにより前記コンピュータの画面に表示される表示データを取 得するステップと、前記コンピュータが、前記表示データに前記オペレーションを特 定する情報を付した証拠データを証拠データ格納部に格納するステップと、を有する ことを特徴とする証拠画面保存方法である。  That is, the evidence screen saving method according to the first invention is an evidence screen saving method for saving an evidence screen of an unauthorized operation performed on a computer, wherein the computer A step of determining whether the received operation is an unauthorized operation; and a step of the computer acquiring display data displayed on a screen of the computer by the operation when the operation is determined to be an unauthorized operation. And storing the evidence data in which the information specifying the operation is added to the display data in the evidence data storage unit.
[0019] 第 2の発明に対応する証拠画面保存方法は、コンピュータに対して行われた不正 操作の証拠画面を保存するための証拠画面保存方法であって、前記コンピュータが 、前記コンピュータが受け付けたオペレーションが不正操作であるかを判定するステ ップと、前記コンピュータが、前記オペレーションが不正操作であると判定されると、 前記オペレーションにより前記コンピュータの画面に表示される表示データを取得す るステップと、前記コンピュータが、前記表示データに前記オペレーションを特定する 情報を付した証拠データを、ネットワークを通じて管理サーバに送信するステップと、 前記管理サーバが、前記証拠データを証拠データ格納部に格納するステップと、を 有することを特徴とする証拠画面保存方法である。 An evidence screen saving method according to a second invention is an evidence screen saving method for saving an evidence screen of an unauthorized operation performed on a computer, wherein the computer accepts the evidence screen. A step of determining whether the operation is an unauthorized operation; and, if the operation is determined to be an unauthorized operation, the computer acquires display data displayed on a screen of the computer by the operation. Transmitting the evidence data with the information specifying the operation to the display data to a management server via a network; and the management server stores the evidence data in an evidence data storage unit. And storing the evidence screen.
[0020] 第 1の発明に対応する証拠画面保存装置は、コンピュータに対して行われた不正 操作の証拠画面を保存するための証拠画面保存装置であって、前記コンピュータが 受け付けたオペレーションが不正操作であるかを判定する不正操作判定手段と、前 記不正操作判定手段にぉ ヽてオペレーションが不正操作であると判定されると、前 記オペレーションにより前記コンピュータの画面に表示される表示データを取得する 表示データ取得手段と、前記表示データ取得手段の取得した表示データに前記ォ ペレーシヨンを特定する情報が付された証拠データを格納する証拠データ格納手段 と、を備えることを特徴とする証拠画面保存装置である。前記不正操作判定手段にお いてオペレーションが不正操作であると判定されると、前記コンピュータにかかるキー ストローク、ネットワーク、アプリケーション又はオペレーションシステムの少なくとも一 つのログを記録するログ記録手段を備えることを特徴とすることもできる。  [0020] An evidence screen storage device corresponding to the first invention is an evidence screen storage device for saving an evidence screen of an unauthorized operation performed on a computer, wherein the operation received by the computer is an unauthorized operation. Operation means for judging whether the operation is illegal, and when the operation is judged to be an illegal operation by the illegal operation judgment means, display data displayed on the screen of the computer is acquired by the operation. Evidence data storage means, comprising: display data acquisition means; and evidence data storage means for storing evidence data obtained by adding information for specifying the operation to the display data acquired by the display data acquisition means. Device. When the unauthorized operation determining means determines that the operation is an unauthorized operation, the information processing apparatus further comprises a log recording means for recording at least one log of a keystroke, a network, an application, or an operation system of the computer. You can also.
[0021] 第 2の発明に対応する証拠画面保存装置は、コンピュータに対して行われた不正 操作の証拠画面を保存するための証拠画面保存装置であって、前記コンピュータが 受け付けたオペレーションが不正操作であるかを判定する不正操作判定手段と、前 記不正操作判定手段にぉ ヽてオペレーションが不正操作であると判定されると、前 記オペレーションにより前記コンピュータの画面に表示される表示データを取得する 表示データ取得手段と、前記表示データ取得手段の取得した表示データに前記ォ ペレーシヨンを特定する情報を付した証拠データを、ネットワークを通じて管理サーバ に送信する証拠データ送信手段と、を備えることを特徴とする証拠画面保存装置で ある。前記不正操作判定手段にお!ヽてオペレーションが不正操作であると判定され ると、前記コンピュータにかかるキーストローク、ネットワーク、アプリケーション又はォ ペレーシヨンシステムの少なくとも一つのログを前記管理サーバに送信するログ送信 手段を備免ることを特徴とすることちできる。  [0021] An evidence screen storage device according to the second invention is an evidence screen storage device for saving an evidence screen of an unauthorized operation performed on a computer, wherein the operation received by the computer is an unauthorized operation. Operation means for judging whether the operation is illegal, and when the operation is judged to be an illegal operation by the illegal operation judgment means, display data displayed on the screen of the computer is acquired by the operation. Display data acquisition means, and evidence data transmission means for transmitting, via a network, evidence data in which display data acquired by the display data acquisition means with information specifying the operation is transmitted to a management server. This is the evidence screen storage device. When the unauthorized operation determining means determines that the operation is an unauthorized operation, at least one log of a keystroke, a network, an application, or an operation system concerning the computer is transmitted to the management server. It can be characterized by having no transmission means.
[0022] また、第 1の発明及び第 2の発明に対応する証拠画面保存装置は、前記表示デー タ取得手段は、仮想化されたディスプレイ領域に前記オペレーションによって書き出 されたデータを表示データとして取得することを特徴とすることもできる。さらに、前記 表示データ取得手段は、前記コンピュータの画面表示を行うためのバッファに前記ォ ペレーシヨンによって書き出されたデータを表示データとして取得することを特徴とす ることちでさる。 [0022] Further, the evidence screen storage device corresponding to the first invention and the second invention is characterized in that the display data storage device The data acquisition means may acquire data written by the operation in the virtualized display area as display data. Further, the display data obtaining means obtains, as display data, data written by the operation in a buffer for displaying a screen of the computer.
発明の効果  The invention's effect
[0023] 本発明により、コンピュータに対して行われた不正操作の発生時点において、速や かに証拠資料として画面に表示されたデータを保存することができるので、法的措置 が必要な場合等においても不正操作の事実を容易に証明することが可能になる。そ の結果、コンピュータの利用者に対しても抑止効果が働き、不正操作の発生を予防 する効果も期待することができる。  [0023] According to the present invention, at the time of occurrence of an unauthorized operation performed on a computer, data displayed on a screen can be promptly saved as evidence, so that legal action is required. It is also possible to easily prove the fact of unauthorized operation. As a result, a deterrent effect works for computer users, and an effect of preventing the occurrence of unauthorized operations can be expected.
発明を実施するための最良の形態  BEST MODE FOR CARRYING OUT THE INVENTION
[0024] 本発明を実施するための最良の形態について、図面を用いて以下に詳細に説明 する。尚、以下の説明は本発明の実施形態の一例であって、本発明はかかる実施形 態に限定されるものではない。  The best mode for carrying out the present invention will be described below in detail with reference to the drawings. The following description is an example of an embodiment of the present invention, and the present invention is not limited to such an embodiment.
[0025] 図 1は、本発明にかかる証拠画面保存装置をネットワークに接続された端末の監視 に用いる例の全体構成を示す図である。図 2は、本発明にかかる証拠画面保存装置 をネットワークに接続された端末の監視に用いる例におけるネットワーク上の監視位 置を示す図である。図 3は、本発明にかかる証拠画面保存装置をネットワークに接続 された端末の監視に用いる例の機能の概要を示す図である。図 4は、本発明にかか る証拠画面保存プログラムを用いた不正監視システムの構成を示すブロック図である 。図 5は、本発明に力かる証拠画面保存プログラムによる処理の概要を示す図である 。図 6は、本発明にカゝかる証拠画面保存プログラムにより取得された証拠データを格 納するテーブルの一例を示す図である。図 7は、本発明に力かる証拠画面保存プロ グラムの処理手順を示すフローチャートである。  FIG. 1 is a diagram showing an overall configuration of an example in which the evidence screen storage device according to the present invention is used for monitoring a terminal connected to a network. FIG. 2 is a diagram showing a monitoring position on a network in an example in which the evidence screen storage device according to the present invention is used for monitoring a terminal connected to the network. FIG. 3 is a diagram showing an outline of a function of an example in which the evidence screen storage device according to the present invention is used for monitoring a terminal connected to a network. FIG. 4 is a block diagram showing a configuration of a fraud monitoring system using the evidence screen storage program according to the present invention. FIG. 5 is a diagram showing an outline of the processing by the evidence screen saving program which is useful in the present invention. FIG. 6 is a diagram showing an example of a table for storing the evidence data acquired by the evidence screen saving program according to the present invention. FIG. 7 is a flowchart showing a processing procedure of an evidence screen storage program that is useful in the present invention.
[0026] 本発明に力かる証拠画面保存装置はコンピュータに対して行った不正操作の証拠 画面を保存するものであるが、スタンドアローンで使用されて 、るコンピュータに用い るものであってもよいし、ネットワークに接続されたコンピュータの監視に用いることと してもよい。前者の場合は、証拠画面に関するデータはユーザが使用するコンビユー タに保存されるが、後者の場合は、ネットワーク全体の不正を監視する不正監視サー バにまとめて保存することとしてもよい。 [0026] The evidence screen storage device according to the present invention saves an evidence screen of an unauthorized operation performed on a computer, but may be used in a stand-alone computer. To monitor computers connected to the network May be. In the former case, the data related to the evidence screen is stored in the combi- ter used by the user.
[0027] 図 1は、後者のネットワークに接続されたコンピュータの監視に用いる例を示したも のである。図 1において、複数のユーザ端末は LAN等の社内ネットワークで接続され 、社内ネットワークはインターネットと接続されている。不正監視サーバはネットワーク 上を流れるデータを監視して、インターネットとの間での不正な情報の送受信などの 行為を監視している。  FIG. 1 shows an example used for monitoring a computer connected to the latter network. In FIG. 1, a plurality of user terminals are connected by an in-house network such as a LAN, and the in-house network is connected to the Internet. The fraud monitoring server monitors data flowing on the network and monitors activities such as sending and receiving unauthorized information to and from the Internet.
[0028] 図 1の例においては、本発明に力かる証拠画面保存装置は、 2つの部分において 不正操作を監視して ヽる。一つはユーザ端末上で実行されるオペレーションを監視 し、不正操作であると判定されると、不正操作時点の操作画面をキヤプチヤーして、 当該ユーザ端末又は不正監視サーバに格納する。もう一つは、不正監視サーバが ネットワークを流れるデータを監視し、不正操作に該当するデータを検出すると、当 該データを送受信するユーザ端末を特定して、当該データによりユーザ端末に表示 される操作画面をキヤプチヤーして、当該ユーザ端末又は不正監視サーバに格納す る。  In the example of FIG. 1, the evidence screen storage device working on the present invention monitors illegal operations in two parts. One is to monitor the operation performed on the user terminal, and if it is determined that the operation is unauthorized, capture the operation screen at the time of the unauthorized operation and store it in the user terminal or the unauthorized monitoring server. The other is that when the fraud monitoring server monitors data flowing through the network and detects data that corresponds to an unauthorized operation, it identifies the user terminal that sends and receives the data and displays the operation displayed on the user terminal based on the data. Capture the screen and store it on the user terminal or the fraud monitoring server.
[0029] 尚、不正監視サーバがネットワーク上でデータを監視する位置については、図 2の 例に示したように、ユーザ端末内において実行されるデータの監視の他に、ネットヮ ークのセグメント単位で送受信されるデータの監視、メールサーバにおけるデータの 監視、ゲートウェイにおけるデータの監視など、様々な位置に配置することができる。  As shown in the example of FIG. 2, the position where the fraud monitoring server monitors the data on the network is, in addition to the monitoring of the data executed in the user terminal, the segment unit of the network. It can be placed in various locations, such as monitoring data transmitted and received by a mail server, monitoring data at a mail server, and monitoring data at a gateway.
[0030] 図 3は、本発明に力かる証拠画面保存装置をネットワークに接続されたコンピュータ の監視に用いる場合について、ユーザ端末と不正監視サーバのそれぞれの機能の 一例を示したものである。ユーザ端末では本発明に力かる証拠画面保存プログラム が実行され、不正操作を検出すると、ディスプレイに警告メッセージを表示するととも に、警告音を発生させる。併せて、不正操作により表示された画面をキヤプチヤーし て、発生時刻等の情報とともに画面の表示データを、端末の識別情報を付した証拠 データとして不正監視サーバに送信する。  FIG. 3 shows an example of the respective functions of the user terminal and the fraud monitoring server in the case where the evidence screen storage device according to the present invention is used for monitoring a computer connected to a network. At the user terminal, the evidence screen storage program according to the present invention is executed, and when an unauthorized operation is detected, a warning message is displayed on a display and a warning sound is generated. At the same time, the screen displayed by the unauthorized operation is captured, and the display data of the screen together with the information such as the time of occurrence is transmitted to the fraud monitoring server as evidence data with the identification information of the terminal.
[0031] 不正監視サーバでは、端末の識別情報や発生時刻等の情報をキーに分類された 証拠データが格納される。証拠データの他に、不正発生後の操作についての各種口 グをユーザ端末から取得して格納することとしてもよい。不正監視サーバにおいても ディスプレイに警告メッセージを表示するとともに、警告音を発生させて、管理者に不 正操作の発生を速やかに通知することとしてもょ ヽ。 [0031] In the fraud monitoring server, information such as terminal identification information and occurrence time is classified as a key. Evidence data is stored. In addition to the evidence data, it is also possible to obtain and store from the user terminal various types of operations after the fraud has occurred. The fraud monitoring server may also display a warning message on the display and generate a warning sound to promptly notify the administrator of the occurrence of an illegal operation.
[0032] 図 4を用いて、本発明に力かる証拠画面保存プログラムを用いた不正監視システム の構成について説明する。ユーザ端末 10には、 CPU11、 RAM 12, ROM13、 HD D14及びビデオボード 15を備えられている。 HDD14には、本発明に力かる証拠画 面保存プログラムを含めた不正操作を監視するための不正監視プログラム 141が格 納されて 、て、不正操作を判定するためのルールを格納する不正ルール格納部 14 2、不正操作が行われた場合の証拠画面に関するデータを格納する証拠データ格 納部 143が備えられている。ビデオボード 15には、ディスプレイ 17に表示するための 画面内容を書き込むバッファである VRAM16が備えられている。尚、不正監視プロ グラム 141を格納する HDD14については、フラッシュメモリなどプログラムを格納す ることができるその他の記憶媒体を用いるものであってもよ!/、。  With reference to FIG. 4, the configuration of the fraud monitoring system using the evidence screen saving program that works on the present invention will be described. The user terminal 10 includes a CPU 11, a RAM 12, a ROM 13, a HDD 14, and a video board 15. The HDD 14 stores a fraud monitoring program 141 for monitoring for fraudulent operations including a evidence screen saving program that is useful for the present invention, and stores fraud rules for storing rules for judging fraudulent operations. Unit 142 is provided with an evidence data storage unit 143 that stores data related to an evidence screen when an unauthorized operation is performed. The video board 15 includes a VRAM 16 which is a buffer for writing screen content to be displayed on the display 17. It should be noted that the HDD 14 storing the fraud monitoring program 141 may use another storage medium such as a flash memory capable of storing a program!
[0033] HDD14に格納された不正監視プログラム 141による監視を実行するためには、 R OM13に記憶された入力制御や出力制御などのハードウェア制御のための基本的 な各種プログラムを起動し、 RAM12を不正監視プログラム 141のワークエリアとして 機能させながら、 CPU11が演算処理を行う。不正操作の判定は、ユーザ端末 10が 受け付けたオペレーションを不正ルール格納部 142に格納されたルールと対比する 演算処理により行われ、不正操作であると判定されると当該オペレーションによりディ スプレイ 17に表示される画面のキヤプチヤーを行う。  [0033] In order to perform monitoring by the fraud monitoring program 141 stored in the HDD 14, basic various programs for hardware control such as input control and output control stored in the ROM 13 are started, and the RAM 12 The CPU 11 performs arithmetic processing while making the function as a work area of the fraud monitoring program 141. Judgment of unauthorized operation is performed by arithmetic processing that compares the operation accepted by the user terminal 10 with the rule stored in the illegal rule storage unit 142, and when it is determined that the operation is unauthorized, the operation is displayed on the display 17 Perform the screen capture.
[0034] ここでキヤプチヤーすべき画面の表示データは、 CPU11及び RAM12における演 算処理にお!ヽて、デバイスコンテキスト等の仮想化されたディスプレイ領域に書き出 されたデータを取得することにより、特定することができる。又は、ディスプレイ 17に表 示を行うためのバッファである VRAM16に当該オペレーションによって書き出された データを取得して、特定することもできる。  Here, the display data of the screen to be captured is specified by acquiring the data written in the virtualized display area such as the device context in the arithmetic processing in the CPU 11 and the RAM 12. can do. Alternatively, the data written by the operation in the VRAM 16 which is a buffer for displaying on the display 17 can be acquired and specified.
[0035] キヤプチヤーされた画面の表示データは、オペレーションを行ったユーザの IDゃォ ペレーシヨンを受け付けた時刻など、当該オペレーションを識別するためのデータを 付与して、証拠データ格納部 143に格納される。図 6は、このように取得された証拠 データを格納するテーブルの一例を示すものである力 対象となるオペレーション毎 に設けられたレコードに、オペレーションの受付日時やユーザ IDとともに、ディスプレ ィに表示された表示データのファイル名が記録されて 、る。力かる画面ファイル自体 も、証拠データ格納部 143に格納される力 ファイルの形式はどのような形式であつ てもよい。 [0035] Display data of the captured screen includes data for identifying the operation, such as the time when the ID operation of the user who performed the operation was received. This is added to and stored in the evidence data storage unit 143. Figure 6 shows an example of a table that stores the evidence data obtained in this way.Records provided for each operation to be processed are displayed on the display together with the date and time of receipt of the operation and the user ID. The file name of the displayed data is recorded. As for the powerful screen file itself, the format of the powerful file stored in the evidence data storage unit 143 may be any format.
[0036] また、不正が発生した後は、不正操作を行った直接のオペレーション以外にも、当 該コンピュータに対して行われた操作、例えばキーストローク、ネットワーク、アプリケ ーシヨン又はオペレーションシステムなどのログを記録することとしてもよ 、。かかる口 グは、当該ユーザの操作履歴を証明し、証拠画面と併せて不正操作が行われたこと を立証することに用いることができるため、不正の発生の如何に関わらず常時ログを とることとしてもよいが、ログを記録するハードウェアのリソースを考慮すると、不正の 発生後からログを記録するよう構成することが好ま 、。  [0036] Further, after the occurrence of fraud, logs of operations performed on the computer, such as keystrokes, networks, applications, or operation systems, in addition to the direct operations of performing the fraudulent operations, are recorded. You can also record it. Such a log can be used to prove the operation history of the user and prove that unauthorized operation has been performed in conjunction with the evidence screen. However, considering the resources of the hardware that records the log, it is preferable that the log is recorded after the occurrence of the fraud.
[0037] 尚、ユーザ端末 10に設けられる不正ルール格納部 142は、ユーザ端末 10を含む ネットワークを監視する不正監視サーバ 20に不正ルール格納部 21として設けられて いてもよい。一般に、不正を判定するルールをユーザ単位で設定する場合には、ュ 一ザ端末 10に設けられる不正ルール格納部 142を用いることが好ましぐ同一のネッ トワークに属する複数の端末に共通ルールを適用するときは、不正監視サーバ 20に 設けられる不正ルール格納部 21を用いることが好まし 、。  Note that the fraud rule storage unit 142 provided in the user terminal 10 may be provided as the fraud rule storage unit 21 in the fraud monitoring server 20 that monitors the network including the user terminal 10. Generally, when a rule for judging fraud is set for each user, a common rule is applied to a plurality of terminals belonging to the same network, where it is preferable to use the fraud rule storage unit 142 provided in the user terminal 10. When applying, it is preferable to use the fraud rule storage unit 21 provided in the fraud monitoring server 20.
[0038] また、取得した証拠データはユーザ端末 10内の証拠データ格納部 143に格納して もよいが、証拠データを削除されるリスクを軽減するためには、管理者の管理下にあ る不正監視サーバ 20に設けられる証拠データ格納部 22を用いることが好ましい。  [0038] The acquired evidence data may be stored in the evidence data storage unit 143 in the user terminal 10, but in order to reduce the risk of deleting the evidence data, the acquired evidence data is under the control of the administrator. It is preferable to use the evidence data storage unit 22 provided in the fraud monitoring server 20.
[0039] 図 5は、本発明に力かる証拠画面保存プログラムによる処理の概要を示して 、る。  FIG. 5 shows an outline of the processing by the evidence screen storage program that is useful in the present invention.
尚、以下に説明する各部は物理的に分離されているものではなぐ図 4で示したよう に各々を実行する不正監視プログラム 141の一部のプログラムとして HDD14に格納 されており、順次読み出されて RAM12をワークエリアとして機能させながら、 CPU1 1により演算処理が実行されるものであってもよ 、。  Note that the components described below are not physically separated, but are stored in the HDD 14 as a part of the fraud monitoring program 141 that executes each component as shown in FIG. The arithmetic processing may be executed by the CPU 11 while the RAM 12 functions as a work area.
[0040] まず、ユーザ端末がオペレーションを受け付けると、不正判定部において当該オペ レーシヨンが不正操作であるか否かの判定を行う。かかる判定は、一般的な不正のパ ターンカゝら作成された不正ルール格納部に格納されたルールと対比して行うことがで きるが、ルールベースによる判定に限定されるものではなぐユーザの操作パターン 力 作成されたユーザプロファイル等と対比して、特異な行動カゝ否カゝから不正操作を 判定することとしてもよい。 [0040] First, when the user terminal accepts the operation, the fraud determining unit determines the operation. It is determined whether or not the racing is an illegal operation. Such a determination can be made in comparison with a rule stored in a fraudulent rule storage unit created based on a general fraudulent pattern pattern, but is not limited to a rule-based determination and can be performed by a user. Pattern power Compared with the created user profile or the like, an illegal operation may be determined from unique behavioral power.
[0041] 当該オペレーションが不正操作であると判定されると、表示データ取得部において 当該オペレーションによりユーザ端末のディスプレイに表示される表示データを取得 する。取得する表示データは、 VRAM又はデバイスコンテキストに書き出されたデー タから特定する。表示データは画像ファイルとして保存され、オペレーションの受付日 時やユーザ IDなど当該オペレーションを特定するための情報を付して、証拠データ 格納部に格納される。また、かかる証拠データは、ネットワークを通じて管理用のサー バ等に送信して保存することとしてもよい。さらに、不正操作を中止させるために、停 止処理実行部において警告メッセージの表示、警告音の発生、オペレーションの中 止処理、ネットワークの切断などの処理を実行することとしてもょ 、。  When it is determined that the operation is an unauthorized operation, the display data acquisition unit acquires display data to be displayed on the display of the user terminal by the operation. The display data to be acquired is specified from the data written to VRAM or device context. The display data is saved as an image file and stored in the evidence data storage unit with information identifying the operation, such as the date and time of receipt of the operation and the user ID. Further, such evidence data may be transmitted to a management server or the like via a network and stored. Further, in order to stop the unauthorized operation, the stop processing execution unit may execute processing such as displaying a warning message, generating a warning sound, stopping the operation, and disconnecting the network.
[0042] 警告メッセージの表示や警告音の発生は、ユーザ端末側にお 、て行ってもょ 、し、 管理用のサーバ側にぉ ヽて行うこととしてもょ ヽ。ユーザ端末側で行う場合にっ 、て は、不正を検出しない場合においても、特定の時間、ランダム、起動時など様々な設 定を行ってダミーの警告メッセージや警告音を発して監視が行われていることを明ら かにすることにより、ユーザに対する抑止効果を高めることもできる。この場合は、実 際に画面のキヤプチヤーまで行うこととしてもよ 、。  The display of the warning message and the generation of the warning sound may be performed on the user terminal side or may be performed on the management server side. In the case of performing on the user terminal side, even if no fraud is detected, various settings such as specific time, random, startup, etc. are performed and a dummy warning message or warning sound is emitted and monitoring is performed. It is possible to increase the deterrence effect on the user by clarifying that the information is being checked. In this case, it is possible to actually perform even the capture of the screen.
[0043] 図 7のフローチャートを用いて、本発明に力かる証拠画面保存プログラムの処理手 順について説明する。まず、不正操作である力否かを判定するための、コンピュータ が受け付けたデータを取得する(S01)。次に、不正ルールデータベースに格納され たルールを参照し (S02)、取得したデータと対比して不正ルールに該当する力否か を判定する(S03)。不正ルールに該当しなければ、不正操作の判定処理は終了す る。  With reference to the flowchart of FIG. 7, a description will be given of a processing procedure of an evidence screen storage program that is useful for the present invention. First, data received by the computer for determining whether or not the power is an unauthorized operation is acquired (S01). Next, by referring to the rules stored in the fraud rule database (S02), it is determined whether or not the power falls under the fraud rules by comparing the obtained data (S03). If it does not correspond to the illegal rule, the illegal operation determination processing ends.
[0044] 不正ルールに該当する場合には、ユーザが操作するコンピュータに警告音又は警 告メッセージを発生させる力否かの設定を確認する(S04)。発生の設定がされてい る場合には、警告音又は警告メッセージを発生させる(S05)。続いて、デバイスコン テキストから不正判定を行った操作により表示される表示データを取得する(S06)。 表示データは、日付等の不正操作を特定するための情報が付されて (S07)、証拠 資料としてデータベース等に格納される(S08)。さらに、表示データを管理サーバに 送信するか否かの設定を確認し (S09)、送信の設定がされている場合には管理サ ーバにも送信される(S 10)。 [0044] If the user falls under the fraudulent rule, the user checks whether the computer operated by the user is capable of generating a warning sound or a warning message (S04). Is set to occur In this case, a warning sound or a warning message is generated (S05). Subsequently, display data to be displayed by the operation of performing the fraud determination is obtained from the device context (S06). The display data is attached with information for identifying unauthorized operations such as a date (S07), and is stored as evidence in a database or the like (S08). Further, the setting of whether or not to transmit the display data to the management server is confirmed (S09), and if the transmission is set, it is also transmitted to the management server (S10).
図面の簡単な説明  Brief Description of Drawings
[0045] [図 1]本発明にかかる証拠画面保存装置をネットワークに接続された端末の監視に用 [FIG. 1] A proof screen storage device according to the present invention is used for monitoring terminals connected to a network.
V、る例の全体構成を示す図である。 V is a diagram illustrating an entire configuration of an example.
[図 2]本発明にかかる証拠画面保存装置をネットワークに接続された端末の監視に用 いる例におけるネットワーク上の監視位置を示す図である。  FIG. 2 is a diagram showing a monitoring position on a network in an example in which the evidence screen storage device according to the present invention is used for monitoring a terminal connected to the network.
[図 3]本発明にかかる証拠画面保存装置をネットワークに接続された端末の監視に用 [Fig. 3] The evidence screen storage device according to the present invention is used for monitoring terminals connected to a network.
V、る例の機能の概要を示す図である。 FIG. 5 is a diagram showing an outline of functions of an example.
[図 4]本発明に力かる証拠画面保存プログラムを用いた不正監視システムの構成を 示すブロック図である。  FIG. 4 is a block diagram showing a configuration of a fraud monitoring system using a proof screen storage program that is useful in the present invention.
[図 5]本発明にかかる証拠画面保存プログラムによる処理の概要を示す図である。  FIG. 5 is a diagram showing an outline of a process performed by the evidence screen storage program according to the present invention.
[図 6]本発明に力かる証拠画面保存プログラムにより取得された証拠データを格納す るテーブルの一例を示す図である。  FIG. 6 is a diagram showing an example of a table for storing evidence data obtained by an evidence screen saving program according to the present invention.
[図 7]本発明に力かる証拠画面保存プログラムの処理手順を示すフローチャートであ る。  FIG. 7 is a flowchart showing a processing procedure of an evidence screen storage program that is useful in the present invention.
符号の説明  Explanation of symbols
[0046] 10 ユーザ端末 [0046] 10 user terminals
11 CPU  11 CPU
12 RAM  12 RAM
13 ROM  13 ROM
14 HDD  14 HDD
141 不正監視プログラム  141 Fraud Monitoring Program
142 不正ルール格納部 証拠データ格納部 ビデ才ボード VRAM 142 Fraud Rule Storage Evidence data storage Bidet board VRAM
ディスプレイ 不正監視サーバ 不正ルール格納部 証拠データ格納部 Display Fraud monitoring server Fraud rule storage Evidence data storage

Claims

請求の範囲 The scope of the claims
[1] コンピュータに対して行われた不正操作の証拠画面を保存するための証拠画面保 存プログラムであって、前記コンピュータに、  [1] An evidence screen saving program for saving an evidence screen of an unauthorized operation performed on a computer, the program comprising:
前記コンピュータが受け付けたオペレーションが不正操作であるかを判定するステツ プと、  Determining whether the operation received by the computer is an unauthorized operation;
前記オペレーションが不正操作であると判定されると、前記オペレーションにより前記 コンピュータの画面に表示される表示データを取得するステップと、  Acquiring the display data displayed on the computer screen by the operation when the operation is determined to be an unauthorized operation;
前記表示データに前記オペレーションを特定する情報を付した証拠データを証拠デ ータ格納部に格納するステップと、  Storing, in the evidence data storage unit, evidence data obtained by adding information identifying the operation to the display data;
を実行させるための証拠画面保存プログラム。  Screen save program to run
[2] 前記コンピュータに、前記オペレーションが不正操作であると判定されると、前記コ ンピュータにかかるキーストローク、ネットワーク、アプリケーション又はオペレーション システムの少なくとも一つのログを記録するステップを実行させること  [2] causing the computer to execute a step of recording at least one log of keystrokes, a network, an application, or an operation system applied to the computer when the operation is determined to be an unauthorized operation.
を特徴とする請求項 1記載の証拠画面保存プログラム。  The evidence screen storage program according to claim 1, wherein:
[3] コンピュータに対して行われた不正操作の証拠画面を保存するための証拠画面保 存プログラムであって、前記コンピュータに、  [3] An evidence screen saving program for saving an evidence screen of an unauthorized operation performed on a computer, wherein the computer has:
前記コンピュータが受け付けたオペレーションが不正操作であるかを判定するステツ プと、  Determining whether the operation received by the computer is an unauthorized operation;
前記オペレーションが不正操作であると判定されると、前記オペレーションにより前記 コンピュータの画面に表示される表示データを取得するステップと、  Acquiring the display data displayed on the computer screen by the operation when the operation is determined to be an unauthorized operation;
前記表示データに前記オペレーションを特定する情報を付した証拠データを、ネット ワークを通じて管理サーバに送信するステップと、  Transmitting, via a network, evidence data obtained by adding information specifying the operation to the display data,
を実行させるための証拠画面保存プログラム。  Screen save program to run
[4] 前記コンピュータに、前記オペレーションが不正操作であると判定されると、前記コ ンピュータにかかるキーストローク、ネットワーク、アプリケーション又はオペレーション システムの少なくとも一つのログを前記管理サーバに送信するステップを実行させる こと [4] causing the computer to execute a step of transmitting, to the management server, at least one log of keystrokes, a network, an application, or an operation system relating to the computer when the operation is determined to be an unauthorized operation. thing
を特徴とする請求項 3記載の証拠画面保存プログラム The evidence screen storage program according to claim 3, characterized in that:
[5] 前記表示データを取得するステップにおいては、仮想化されたディスプレイ領域に 前記オペレーションによって書き出されたデータを表示データとして取得すること を特徴とする請求項 1又は 3記載の証拠画面保存プログラム。 [5] The evidence screen storage program according to claim 1 or 3, wherein in the step of acquiring the display data, the data written by the operation in the virtualized display area is acquired as display data. .
[6] 前記表示データを取得するステップにおいては、前記コンピュータの画面表示を行 うためのバッファに前記オペレーションによって書き出されたデータを表示データとし て取得すること [6] In the step of acquiring the display data, acquiring the data written by the operation in a buffer for displaying a screen of the computer as the display data.
を特徴とする請求項 1又は 3記載の証拠画面保存プログラム。  The evidence screen storage program according to claim 1 or 3, characterized in that:
[7] コンピュータに対して行われた不正操作の証拠画面を保存するための証拠画面保 存方法であって、 [7] An evidence screen saving method for saving an evidence screen of an unauthorized operation performed on a computer,
前記コンピュータ力 前記コンピュータが受け付けたオペレーションが不正操作であ るかを判定するステップと、  Determining whether the operation received by the computer is an unauthorized operation;
前記コンピュータが、前記オペレーションが不正操作であると判定されると、前記オペ レーシヨンにより前記コンピュータの画面に表示される表示データを取得するステップ と、  The computer acquiring display data displayed on the computer screen by the operation when the operation is determined to be an unauthorized operation;
前記コンピュータが、前記表示データに前記オペレーションを特定する情報を付した 証拠データを証拠データ格納部に格納するステップと、  A step in which the computer stores, in the evidence data storage unit, evidence data in which information for specifying the operation is added to the display data;
を有することを特徴とする証拠画面保存方法。  A method of saving an evidence screen, comprising:
[8] コンピュータに対して行われた不正操作の証拠画面を保存するための証拠画面保 存方法であって、 [8] An evidence screen saving method for saving an evidence screen of an unauthorized operation performed on a computer,
前記コンピュータ力 前記コンピュータが受け付けたオペレーションが不正操作であ るかを判定するステップと、  Determining whether the operation received by the computer is an unauthorized operation;
前記コンピュータが、前記オペレーションが不正操作であると判定されると、前記オペ レーシヨンにより前記コンピュータの画面に表示される表示データを取得するステップ と、  The computer acquiring display data displayed on the computer screen by the operation when the operation is determined to be an unauthorized operation;
前記コンピュータが、前記表示データに前記オペレーションを特定する情報を付した 証拠データを、ネットワークを通じて管理サーバに送信するステップと、  The computer transmitting, via a network, evidence data obtained by adding information identifying the operation to the display data, to a management server;
前記管理サーバが、前記証拠データを証拠データ格納部に格納するステップと、 を有することを特徴とする証拠画面保存方法。 A step of storing the evidence data in the evidence data storage unit by the management server.
[9] コンピュータに対して行われた不正操作の証拠画面を保存するための証拠画面保 存装置であって、 [9] An evidence screen storage device for saving an evidence screen of an unauthorized operation performed on a computer,
前記コンピュータが受け付けたオペレーションが不正操作であるかを判定する不正 操作判定手段と、  Unauthorized operation determining means for determining whether the operation received by the computer is an unauthorized operation;
前記不正操作判定手段においてオペレーションが不正操作であると判定されると、 前記オペレーションにより前記コンピュータの画面に表示される表示データを取得す る表示データ取得手段と、  A display data acquisition unit configured to acquire display data displayed on the screen of the computer by the operation when the operation is determined to be an unauthorized operation by the unauthorized operation determination unit;
前記表示データ取得手段の取得した表示データに前記オペレーションを特定する情 報が付された証拠データを格納する証拠データ格納手段と、  Evidence data storage means for storing evidence data in which information for specifying the operation is added to the display data acquired by the display data acquisition means;
を備えることを特徴とする証拠画面保存装置。  An evidence screen storage device, comprising:
[10] 前記不正操作判定手段にお!、てオペレーションが不正操作であると判定されると、 前記コンピュータに力かるキーストローク、ネットワーク、アプリケーション又はオペレ ーシヨンシステムの少なくとも一つのログを記録するログ記録手段を備えること を特徴とする請求項 9記載の証拠画面保存装置。 [10] When the unauthorized operation determining means determines that the operation is an unauthorized operation, a log recording at least one log of a keystroke, a network, an application, or an operation system applied to the computer. The evidence screen storage device according to claim 9, further comprising a recording unit.
[11] コンピュータに対して行われた不正操作の証拠画面を保存するための証拠画面保 存装置であって、 [11] An evidence screen storage device for saving an evidence screen of an unauthorized operation performed on a computer,
前記コンピュータが受け付けたオペレーションが不正操作であるかを判定する不正 操作判定手段と、  Unauthorized operation determining means for determining whether the operation received by the computer is an unauthorized operation;
前記不正操作判定手段においてオペレーションが不正操作であると判定されると、 前記オペレーションにより前記コンピュータの画面に表示される表示データを取得す る表示データ取得手段と、  A display data acquisition unit configured to acquire display data displayed on the screen of the computer by the operation when the operation is determined to be an unauthorized operation by the unauthorized operation determination unit;
前記表示データ取得手段の取得した表示データに前記オペレーションを特定する情 報を付した証拠データを、ネットワークを通じて管理サーバに送信する証拠データ送 信手段と、  Evidence data transmitting means for transmitting, via a network, evidence data obtained by adding information for specifying the operation to the display data obtained by the display data obtaining means,
を備えることを特徴とする証拠画面保存装置。  An evidence screen storage device, comprising:
[12] 前記不正操作判定手段にお!、てオペレーションが不正操作であると判定されると、 前記コンピュータに力かるキーストローク、ネットワーク、アプリケーション又はオペレ ーシヨンシステムの少なくとも一つのログを前記管理サーバに送信するログ送信手段 を備免ること [12] If the unauthorized operation determining means determines that the operation is an unauthorized operation, at least one log of a keystroke, a network, an application, or an operation system applied to the computer is stored in the management server. Log sending means to send to To reserve
を特徴とする請求項 11記載の証拠画面保存装置。  12. The evidence screen storage device according to claim 11, wherein:
[13] 前記表示データ取得手段は、仮想化されたディスプレイ領域に前記オペレーション によって書き出されたデータを表示データとして取得すること [13] The display data obtaining means obtains, as display data, data written by the operation in a virtual display area.
を特徴とする請求項 9又は 11記載の証拠画面保存装置。  The evidence screen storage device according to claim 9 or 11, wherein:
[14] 前記表示データ取得手段は、前記コンピュータの画面表示を行うためのバッファに 前記オペレーションによって書き出されたデータを表示データとして取得すること を特徴とする請求項 9又は 11記載の証拠画面保存装置。 [14] The evidence screen storage according to claim 9 or 11, wherein the display data obtaining unit obtains, as display data, data written by the operation in a buffer for displaying a screen of the computer. apparatus.
PCT/JP2004/015081 2003-11-18 2004-10-13 Evidential image preservation program, evidential image preservation method, and evidential image preservation device WO2005050421A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
JP2003387671A JP2005149267A (en) 2003-11-18 2003-11-18 Evidence screen storage program, evidence screen storage method, and evidence screen storage system
JP2003-387671 2003-11-18

Publications (1)

Publication Number Publication Date
WO2005050421A1 true WO2005050421A1 (en) 2005-06-02

Family

ID=34616166

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2004/015081 WO2005050421A1 (en) 2003-11-18 2004-10-13 Evidential image preservation program, evidential image preservation method, and evidential image preservation device

Country Status (2)

Country Link
JP (1) JP2005149267A (en)
WO (1) WO2005050421A1 (en)

Families Citing this family (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP5041516B2 (en) * 2007-01-22 2012-10-03 力 松田 USB memory for computer screen monitoring
JP4216881B2 (en) * 2007-02-02 2009-01-28 Sky株式会社 Terminal monitoring device and program for terminal monitoring device
JP3954642B1 (en) * 2007-02-26 2007-08-08 Sky株式会社 Screen storage system
JP4264113B2 (en) * 2007-04-23 2009-05-13 Sky株式会社 Terminal monitoring apparatus and terminal monitoring program
JP4066033B1 (en) * 2007-08-22 2008-03-26 Sky株式会社 Client terminal monitoring system
JP5334739B2 (en) * 2009-08-10 2013-11-06 株式会社日立ソリューションズ Log monitoring program, log monitoring system
JP2011048547A (en) * 2009-08-26 2011-03-10 Toshiba Corp Abnormal-behavior detecting device, monitoring system, and abnormal-behavior detecting method
JP6003969B2 (en) * 2013-11-28 2016-10-05 キヤノンマーケティングジャパン株式会社 Information processing apparatus, information processing system, control method, program
JP6852379B2 (en) * 2016-12-14 2021-03-31 富士通株式会社 Operation log output program, operation log output method, and information processing device
JP7519283B2 (en) 2020-12-08 2024-07-19 株式会社日立ソリューションズ・クリエイト Tamper detection system

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JPH10222274A (en) * 1997-02-03 1998-08-21 Sefuto Kenkyusho:Kk Input information recording device
JP2000112890A (en) * 1998-09-30 2000-04-21 Mitsubishi Electric Corp Prevention of wrong operation and tracking device
JP2002026935A (en) * 2000-07-11 2002-01-25 Lac Co Ltd Frame monitoring device and storage medium
JP2002149602A (en) * 2000-11-13 2002-05-24 Ntt Software Corp Network connector for protection from unauthorized access
JP2002232451A (en) * 2001-02-02 2002-08-16 Layer Seven Co Ltd Communication management method, communication monitoring system, and computer system
JP2003066826A (en) * 2001-08-22 2003-03-05 Nippon Telegr & Teleph Corp <Ntt> Method, system, device, and program for monitoring illegal act, and storage medium stored with the illegal act monitoring program

Patent Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JPH10222274A (en) * 1997-02-03 1998-08-21 Sefuto Kenkyusho:Kk Input information recording device
JP2000112890A (en) * 1998-09-30 2000-04-21 Mitsubishi Electric Corp Prevention of wrong operation and tracking device
JP2002026935A (en) * 2000-07-11 2002-01-25 Lac Co Ltd Frame monitoring device and storage medium
JP2002149602A (en) * 2000-11-13 2002-05-24 Ntt Software Corp Network connector for protection from unauthorized access
JP2002232451A (en) * 2001-02-02 2002-08-16 Layer Seven Co Ltd Communication management method, communication monitoring system, and computer system
JP2003066826A (en) * 2001-08-22 2003-03-05 Nippon Telegr & Teleph Corp <Ntt> Method, system, device, and program for monitoring illegal act, and storage medium stored with the illegal act monitoring program

Also Published As

Publication number Publication date
JP2005149267A (en) 2005-06-09

Similar Documents

Publication Publication Date Title
TWI678616B (en) File detection method, device and system
CN108121914B (en) Document divulgence protection tracking system
US8051204B2 (en) Information asset management system, log analysis server, log analysis program, and portable medium
US7673324B2 (en) Method and system for tracking an operating performed on an information asset with metadata associated therewith
KR100836439B1 (en) Storage medium comprising invalidity monitoring program, invalidity monitoring method, and invalidity monitoring system
US20070283166A1 (en) System and method for state transition intrusion detection
US20080201464A1 (en) Prevention of fraud in computer network
KR101011456B1 (en) Method for accounting information leakage, computer-readable medium for storing a program for executing the method, and system for preforming the same
CN107409134B (en) Forensic analysis method
KR20010078840A (en) Security System detecting the leak of information using computer storage device
WO2005050421A1 (en) Evidential image preservation program, evidential image preservation method, and evidential image preservation device
JPWO2005048119A1 (en) Unauthorized operation determination system, unauthorized operation determination method, and unauthorized operation determination program
GB2592132A (en) Enterprise network threat detection
JP6851212B2 (en) Access monitoring system
JP4256107B2 (en) Method and program for dealing with unauthorized intrusion to data server
JP2007004415A (en) Pharming fraud prevention system
JP2004164226A (en) Information processor and program
JP6636605B1 (en) History monitoring method, monitoring processing device, and monitoring processing program
JP2001265217A (en) Device and method for monitoring alteration of digital contents, and recorded medium therefor
JP2006295232A (en) Security monitoring apparatus, and security monitoring method and program
JP2010055566A (en) Client/server system and inspection method for the client/server system
JP4857199B2 (en) Information asset management system, log analysis device, and log analysis program
US20220083646A1 (en) Context Based Authorized External Device Copy Detection
JP6517416B1 (en) Analyzer, terminal device, analysis system, analysis method and program
CN111259383A (en) Safety management center system

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BW BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE EG ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NA NI NO NZ OM PG PH PL PT RO RU SC SD SE SG SK SL SY TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): GM KE LS MW MZ NA SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IT LU MC NL PL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
NENP Non-entry into the national phase

Ref country code: DE

WWW Wipo information: withdrawn in national office

Country of ref document: DE

122 Ep: pct application non-entry in european phase
NENP Non-entry into the national phase

Ref country code: JP