Classifications

• • G—PHYSICS
  • G06—COMPUTING OR CALCULATING; COUNTING
  • G06F—ELECTRIC DIGITAL DATA PROCESSING
  • G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
  • G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
  • G06F21/55—Detecting local intrusion or implementing counter-measures
  • G06F21/554—Detecting local intrusion or implementing counter-measures involving event detection and direct action

Definitions

• the present invention relates to an evidence screen saving program, an evidence screen saving method, and an evidence screen saving device for saving an evidence screen of an unauthorized operation performed on a computer.
• a fraud is detected by the above method
• processing such as interrupting the operation being performed, reporting to the administrator, and warning to the operator are executed.
• processing such as interrupting the operation being performed, reporting to the administrator, and warning to the operator are executed.
• a method is disclosed in which, when monitoring unauthorized operation in a network, communication is cut off, and a notification report is sent to an administrator and a warning report is sent to an operator (see Patent Document 1).
• a method of issuing a warning message to a monitor when monitoring operations on a computer is disclosed (see Patent Document 2).
• Patent Document 1 Japanese Unexamined Patent Application Publication No. 2002-232232, paragraph number 0005
• Patent Document 2 JP-A-2002-258972, paragraph number 0034
• Such evidences must be identified by recording logs in the event that a fraudulent event occurs.
• the accessed file has been changed or the file has been deleted, there is a problem that the operation status at the time when the unauthorized operation was performed cannot be reproduced. In the event that fraud occurs, it is preferable to save credible evidence as soon as possible.
• the present invention has been made in response to such a problem, and it is possible to quickly save an evidence screen at the time of occurrence of an unauthorized operation performed on a computer. It is intended to provide a screen storage program, a evidence screen storage method, and a evidence screen storage device.
• a first invention for solving the above-mentioned problem is a proof screen storage program for storing a proof screen of an unauthorized operation performed on a computer, wherein the computer accepts the proof screen by the computer. Determining whether the operation performed is an unauthorized operation; obtaining the display data displayed on the screen of the computer by the operation if the operation is determined to be an unauthorized operation; And storing the evidence data with the information specifying the operation in the evidence data storage unit in the evidence data storage unit.
• the computer is caused to execute a step of recording at least one log of a keystroke, a network, an application, or an operation system applied to the computer. You can also.
• the evidence of the unauthorized operation can be saved quickly.
• the operation history of the computer may be recorded as a log at all times.However, by recording the log after it is determined that the operation is unauthorized, the evidence that the operation has been performed together with the data displayed on the screen is effective. Can be saved
• any judging method may be used for judging an unauthorized operation, such as judging based on a pre-registered rule base or judging based on a user profile obtained by analyzing a user's operation tendency.
• the file format of the display data to be saved is not limited to a specific format as long as it can reproduce the screen display.
• the information for specifying the operation uses the user ID of the user who performed the operation, the time when the operation was performed, and the like.
• a second invention for solving the above-mentioned problem is a proof screen storage program for storing a proof screen of an unauthorized operation performed on a computer, wherein the computer accepts the proof screen by the computer. Determining whether the operation performed is an unauthorized operation; obtaining the display data displayed on the screen of the computer by the operation if the operation is determined to be an unauthorized operation; And transmitting, to the management server via a network, evidence data with information specifying the operation. And causing the computer to execute a step of transmitting at least one log of a keystroke, a network, an application, or an operation system applied to the computer to the management server when the operation is determined to be an unauthorized operation. It may be characterized.
• the acquired display data is transmitted to the management server, and the management server monitors the unauthorized operation centrally, thereby saving the evidence of the unauthorized operation.
• the administrator can take quick and quick responses.
• the requirements for the ability to record logs to increase the evidentiality, the method of determining unauthorized operation, the file format of the display data, and the information for specifying the operation are the same as in the first invention.
• the step of obtaining the display data the data written by the operation in the virtualized display area is obtained as display data. It can also be a feature.
• the force required to identify the display data displayed on the screen by an unauthorized operation as evidence is that the display data displayed on the screen is written in a virtual display area such as a device context. It can be specified from the issued data.
• the step of obtaining the display data in the step of obtaining the display data, the data written by the operation in a buffer for displaying a screen of the computer is written. It can also be obtained as display data.
• the first invention and the second invention can also be grasped as an evidence screen saving method that can be performed by executing the above-described evidence screen saving program. Further, it can be configured as an evidence screen storage device using the above evidence screen storage program.
• the evidence screen saving method is an evidence screen saving method for saving an evidence screen of an unauthorized operation performed on a computer, wherein the computer A step of determining whether the received operation is an unauthorized operation; and a step of the computer acquiring display data displayed on a screen of the computer by the operation when the operation is determined to be an unauthorized operation. And storing the evidence data in which the information specifying the operation is added to the display data in the evidence data storage unit.
• An evidence screen saving method is an evidence screen saving method for saving an evidence screen of an unauthorized operation performed on a computer, wherein the computer accepts the evidence screen.
• An evidence screen storage device corresponding to the first invention is an evidence screen storage device for saving an evidence screen of an unauthorized operation performed on a computer, wherein the operation received by the computer is an unauthorized operation.
• Operation means for judging whether the operation is illegal, and when the operation is judged to be an illegal operation by the illegal operation judgment means, display data displayed on the screen of the computer is acquired by the operation.
• Evidence data storage means comprising: display data acquisition means; and evidence data storage means for storing evidence data obtained by adding information for specifying the operation to the display data acquired by the display data acquisition means.
• the information processing apparatus further comprises a log recording means for recording at least one log of a keystroke, a network, an application, or an operation system of the computer. You can also.
• An evidence screen storage device is an evidence screen storage device for saving an evidence screen of an unauthorized operation performed on a computer, wherein the operation received by the computer is an unauthorized operation.
• Operation means for judging whether the operation is illegal, and when the operation is judged to be an illegal operation by the illegal operation judgment means, display data displayed on the screen of the computer is acquired by the operation.
• Display data acquisition means, and evidence data transmission means for transmitting, via a network, evidence data in which display data acquired by the display data acquisition means with information specifying the operation is transmitted to a management server.
• This is the evidence screen storage device.
• the unauthorized operation determining means determines that the operation is an unauthorized operation, at least one log of a keystroke, a network, an application, or an operation system concerning the computer is transmitted to the management server. It can be characterized by having no transmission means.
• the evidence screen storage device corresponding to the first invention and the second invention is characterized in that the display data storage device
• the data acquisition means may acquire data written by the operation in the virtualized display area as display data.
• the display data obtaining means obtains, as display data, data written by the operation in a buffer for displaying a screen of the computer.
• FIG. 1 is a diagram showing an overall configuration of an example in which the evidence screen storage device according to the present invention is used for monitoring a terminal connected to a network.
• FIG. 2 is a diagram showing a monitoring position on a network in an example in which the evidence screen storage device according to the present invention is used for monitoring a terminal connected to the network.
• FIG. 3 is a diagram showing an outline of a function of an example in which the evidence screen storage device according to the present invention is used for monitoring a terminal connected to a network.
• FIG. 4 is a block diagram showing a configuration of a fraud monitoring system using the evidence screen storage program according to the present invention.
• FIG. 5 is a diagram showing an outline of the processing by the evidence screen saving program which is useful in the present invention.
• FIG. 6 is a diagram showing an example of a table for storing the evidence data acquired by the evidence screen saving program according to the present invention.
• FIG. 7 is a flowchart showing a processing procedure of an evidence screen storage program that is useful in the present invention.
• the evidence screen storage device saves an evidence screen of an unauthorized operation performed on a computer, but may be used in a stand-alone computer. To monitor computers connected to the network May be. In the former case, the data related to the evidence screen is stored in the combi- ter used by the user.
• FIG. 1 shows an example used for monitoring a computer connected to the latter network.
• a plurality of user terminals are connected by an in-house network such as a LAN, and the in-house network is connected to the Internet.
• the fraud monitoring server monitors data flowing on the network and monitors activities such as sending and receiving unauthorized information to and from the Internet.
• the evidence screen storage device working on the present invention monitors illegal operations in two parts.
• One is to monitor the operation performed on the user terminal, and if it is determined that the operation is unauthorized, capture the operation screen at the time of the unauthorized operation and store it in the user terminal or the unauthorized monitoring server.
• the other is that when the fraud monitoring server monitors data flowing through the network and detects data that corresponds to an unauthorized operation, it identifies the user terminal that sends and receives the data and displays the operation displayed on the user terminal based on the data. Capture the screen and store it on the user terminal or the fraud monitoring server.
• the position where the fraud monitoring server monitors the data on the network is, in addition to the monitoring of the data executed in the user terminal, the segment unit of the network. It can be placed in various locations, such as monitoring data transmitted and received by a mail server, monitoring data at a mail server, and monitoring data at a gateway.
• FIG. 3 shows an example of the respective functions of the user terminal and the fraud monitoring server in the case where the evidence screen storage device according to the present invention is used for monitoring a computer connected to a network.
• the evidence screen storage program according to the present invention is executed, and when an unauthorized operation is detected, a warning message is displayed on a display and a warning sound is generated.
• the screen displayed by the unauthorized operation is captured, and the display data of the screen together with the information such as the time of occurrence is transmitted to the fraud monitoring server as evidence data with the identification information of the terminal.
• the fraud monitoring server information such as terminal identification information and occurrence time is classified as a key. Evidence data is stored. In addition to the evidence data, it is also possible to obtain and store from the user terminal various types of operations after the fraud has occurred.
• the fraud monitoring server may also display a warning message on the display and generate a warning sound to promptly notify the administrator of the occurrence of an illegal operation.
• the user terminal 10 includes a CPU 11, a RAM 12, a ROM 13, a HDD 14, and a video board 15.
• the HDD 14 stores a fraud monitoring program 141 for monitoring for fraudulent operations including a evidence screen saving program that is useful for the present invention, and stores fraud rules for storing rules for judging fraudulent operations.
• Unit 142 is provided with an evidence data storage unit 143 that stores data related to an evidence screen when an unauthorized operation is performed.
• the video board 15 includes a VRAM 16 which is a buffer for writing screen content to be displayed on the display 17. It should be noted that the HDD 14 storing the fraud monitoring program 141 may use another storage medium such as a flash memory capable of storing a program!
• the display data of the screen to be captured is specified by acquiring the data written in the virtualized display area such as the device context in the arithmetic processing in the CPU 11 and the RAM 12. can do.
• the data written by the operation in the VRAM 16 which is a buffer for displaying on the display 17 can be acquired and specified.
• Display data of the captured screen includes data for identifying the operation, such as the time when the ID operation of the user who performed the operation was received. This is added to and stored in the evidence data storage unit 143.
• Figure 6 shows an example of a table that stores the evidence data obtained in this way.Records provided for each operation to be processed are displayed on the display together with the date and time of receipt of the operation and the user ID. The file name of the displayed data is recorded.
• the format of the powerful file stored in the evidence data storage unit 143 may be any format.
• logs of operations performed on the computer such as keystrokes, networks, applications, or operation systems, in addition to the direct operations of performing the fraudulent operations, are recorded. You can also record it.
• Such a log can be used to prove the operation history of the user and prove that unauthorized operation has been performed in conjunction with the evidence screen.
• the log is recorded after the occurrence of the fraud.
• the fraud rule storage unit 142 provided in the user terminal 10 may be provided as the fraud rule storage unit 21 in the fraud monitoring server 20 that monitors the network including the user terminal 10.
• a common rule is applied to a plurality of terminals belonging to the same network, where it is preferable to use the fraud rule storage unit 142 provided in the user terminal 10.
• the acquired evidence data may be stored in the evidence data storage unit 143 in the user terminal 10, but in order to reduce the risk of deleting the evidence data, the acquired evidence data is under the control of the administrator. It is preferable to use the evidence data storage unit 22 provided in the fraud monitoring server 20.
• FIG. 5 shows an outline of the processing by the evidence screen storage program that is useful in the present invention.
• the components described below are not physically separated, but are stored in the HDD 14 as a part of the fraud monitoring program 141 that executes each component as shown in FIG.
• the arithmetic processing may be executed by the CPU 11 while the RAM 12 functions as a work area.
• the fraud determining unit determines the operation. It is determined whether or not the racing is an illegal operation. Such a determination can be made in comparison with a rule stored in a fraudulent rule storage unit created based on a general fraudulent pattern pattern, but is not limited to a rule-based determination and can be performed by a user. Pattern power Compared with the created user profile or the like, an illegal operation may be determined from unique behavioral power.
• the display data acquisition unit acquires display data to be displayed on the display of the user terminal by the operation.
• the display data to be acquired is specified from the data written to VRAM or device context.
• the display data is saved as an image file and stored in the evidence data storage unit with information identifying the operation, such as the date and time of receipt of the operation and the user ID. Further, such evidence data may be transmitted to a management server or the like via a network and stored. Further, in order to stop the unauthorized operation, the stop processing execution unit may execute processing such as displaying a warning message, generating a warning sound, stopping the operation, and disconnecting the network.
• the display of the warning message and the generation of the warning sound may be performed on the user terminal side or may be performed on the management server side.
• various settings such as specific time, random, startup, etc. are performed and a dummy warning message or warning sound is emitted and monitoring is performed. It is possible to increase the deterrence effect on the user by clarifying that the information is being checked. In this case, it is possible to actually perform even the capture of the screen.
• the user checks whether the computer operated by the user is capable of generating a warning sound or a warning message (S04). Is set to occur In this case, a warning sound or a warning message is generated (S05). Subsequently, display data to be displayed by the operation of performing the fraud determination is obtained from the device context (S06). The display data is attached with information for identifying unauthorized operations such as a date (S07), and is stored as evidence in a database or the like (S08). Further, the setting of whether or not to transmit the display data to the management server is confirmed (S09), and if the transmission is set, it is also transmitted to the management server (S10).
• FIG. 1 A proof screen storage device according to the present invention is used for monitoring terminals connected to a network.
• V is a diagram illustrating an entire configuration of an example.
• FIG. 2 is a diagram showing a monitoring position on a network in an example in which the evidence screen storage device according to the present invention is used for monitoring a terminal connected to the network.
• the evidence screen storage device is used for monitoring terminals connected to a network.
• FIG. 5 is a diagram showing an outline of functions of an example.
• FIG. 4 is a block diagram showing a configuration of a fraud monitoring system using a proof screen storage program that is useful in the present invention.
• FIG. 5 is a diagram showing an outline of a process performed by the evidence screen storage program according to the present invention.
• FIG. 6 is a diagram showing an example of a table for storing evidence data obtained by an evidence screen saving program according to the present invention.
• FIG. 7 is a flowchart showing a processing procedure of an evidence screen storage program that is useful in the present invention.

Landscapes

• Engineering & Computer Science (AREA)
• Computer Security & Cryptography (AREA)
• Software Systems (AREA)
• Theoretical Computer Science (AREA)
• Computer Hardware Design (AREA)
• Physics & Mathematics (AREA)
• General Engineering & Computer Science (AREA)
• General Physics & Mathematics (AREA)
• Debugging And Monitoring (AREA)

Applications Claiming Priority (2)

Publications (1)

Family

ID=34616166

Family Applications (1)

Country Status (2)

Cited By (1)

Families Citing this family (10)

Citations (6)

• 2003
  • 2003-11-18 JP JP2003387671A patent/JP2005149267A/ja active Pending
• 2004
  • 2004-10-13 WO PCT/JP2004/015081 patent/WO2005050421A1/ja not_active Ceased

Patent Citations (6)

Also Published As

Similar Documents

Legal Events