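WO2010067703A1 - Data dependency analysis device, information processing device, data dependency analysis method, and program - Google Patents
Data dependency analysis device, information processing device, data dependency analysis method, and program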
- Publication number
- WO2010067703A1 (PCT/JP2009/069837)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- data
- inter
- resource
- process communication
- security level
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/105—Multiple levels of security
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F11/00—Error detection; Error correction; Monitoring
- G06F11/30—Monitoring
- G06F11/34—Recording or statistical evaluation of computer activity, e.g. of down time, of input/output operation ; Recording or statistical evaluation of user activity, e.g. usability assessment
- G06F11/3466—Performance evaluation by tracing or monitoring
- G06F11/3476—Data logging
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/2113—Multi-level security, e.g. mandatory access control
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
Definitions
- the present invention relates to a technique for monitoring or managing a data flow.
- Information leakage can occur if data flow monitoring is insufficient.
- with a USB (Universal Serial Bus) memory, information can be easily exchanged, but information leakage may occur when the USB memory is lost.
- Non-Patent Document 1 monitors information leakage based on the similarity of the data exchanged. Specifically, in a system using a DLP (Data Loss Prevention) tool, the features of highly confidential information are described in a policy in advance, and data having those features is prevented from being written to a USB memory or attached to an e-mail, both of which are untrusted destinations, so that information leakage is prevented.
- Non-Patent Document 2 proposes a method of hooking a system call and tracking not only file input / output and network I / O (Input / Output) but also inter-process communication using a memory map.
- the access management system described in Patent Document 1 collects file input / output and network input / output events that occur on a PC (Personal Computer) as a log.
- operations such as file input / output, file name change, writing to a USB memory, and network communication by a process are recorded in association with time, process name / user name.
- the access management system can track the original name of the file written to the USB memory, where the file was copied from, etc., and monitor or prevent information leakage.
- Patent Document 2 discloses a method for preventing unauthorized inter-process communication in which a computer loads a filter program that monitors a user's operations on application software and detects data transfer between applications. Using this method, the computer can determine the dependency between transferred data only for inter-process communication that transfers data between applications. However, in this method, a filter program has to be created for each application software.
- the dependency between data refers to the relationship between data when all or part of certain data is a copy of all or part of other data.
- Patent Document 3 discloses a method of monitoring a user operation on an application, detecting a state of application software, and analyzing both in combination.
- the computer can relatively accurately track not only the inter-process communication but also the flow of information inside the process, and can determine an accurate data dependency.
- the computer needs to obtain a file describing a state detection rule for each application software.
- In the method described in Non-Patent Document 1, Non-Patent Document 2, or Patent Document 1, an excessive dependency is easily acquired.
- excessive dependency refers to a case where it is determined that there is a dependency even though data copying has not occurred.
- IPC (Inter Process Communication)
- In the method described in Non-Patent Document 1, Non-Patent Document 2, or Patent Document 3, a dependency relationship is generated regardless of the contents of the IPC, so it is determined that there is a dependency relationship even in such a case. As a result, many excessive dependencies are acquired, and there is a problem that data cannot be traced accurately.
- Patent Documents 2 and 3 need to create a filter program or a state detection rule for each application software. For this reason, these techniques require time and effort to track data, and it is difficult to track the flow of data. In addition, there is data that cannot be detected by a filter program or the like, and there is a problem that it is difficult to trace the flow of data.
- An object of the present invention is to provide a technique that makes it possible to easily and accurately track the flow of data.
- the data dependency analysis device of the present invention includes: an inter-process communication detection means for detecting, based on the processing contents of inter-process communication, inter-process communication that transfers data copied between resources;
- an access detection means for sequentially detecting access events to data in the resource by a process; a recording means for recording, for each access event detected by the access detection means, the data to be accessed in that access event; and an analysis means for searching, among the access target data recorded by the recording means, for the data corresponding to the copy source and copy destination of the data passed in the inter-process communication detected by the inter-process communication detection means, and for giving a dependency relationship between the searched data.
- in the data dependency analysis method of the present invention, the inter-process communication detection means detects, based on the processing contents of inter-process communication, inter-process communication that transfers data copied between resources; the access detection means sequentially detects access events to the data in the resource by a process; the recording means records, for each access event detected by the access detection means, the access target data of that access event; and the analysis means searches, among the access target data recorded by the recording means, for the data corresponding to the copy source and copy destination of the data passed in the inter-process communication detected by the inter-process communication detection means, and gives a dependency relationship between the searched data.
- the program according to the present invention causes a computer to execute: an inter-process communication detection procedure for detecting, based on the processing contents of inter-process communication, inter-process communication that transfers data copied between resources;
- an access detection procedure for sequentially detecting access events; a recording procedure for recording, for each access event detected in the access detection procedure, the access target data of that access event; and
- an analysis procedure for searching, among the access target data recorded in the recording procedure, for the data corresponding to the copy source and copy destination of the data passed in the inter-process communication detected in the inter-process communication detection procedure, and for giving a dependency relationship between the searched data.
- the data dependency analysis device detects inter-process communication that transfers data copied between resources based on the processing contents, so a copy of data can be detected without complicated work such as individually creating a filter program and a state detection rule for each application, and the data flow can be easily traced.
- since a dependency relation is given between the data corresponding to the copy destination and the copy source of the data transferred in the detected inter-process communication, the data flow can be accurately traced.
- FIG. 1 is a block diagram showing the configuration of the computer 1 of this embodiment.
- the computer 1 is a device for analyzing dependency relationships between data and tracking the flow of data.
- the computer 1 includes a monitoring unit 15, a storage unit 17, and an analysis unit 19.
- the monitoring unit 15 includes an IPC monitoring unit 151, an IPC analysis unit 153, an IO monitoring unit 155, and a log creation unit 157.
- the monitoring unit 15 is incorporated in a part of an operating system (OS). More specifically, the monitoring unit 15 can be realized by a technique for extending an OS kernel such as a device driver or a system call hook.
- the monitoring unit 15 may be implemented so as to operate in the user mode like an API hook instead of the kernel mode.
- the IPC monitoring unit 151 monitors (detects) inter-process communication (hereinafter referred to as “IPC”).
- the interprocess communication is, for example, a named pipe, an LPC (Local Procedure Call), or a shared memory.
- the IPC monitoring unit 151 monitors the IPC by mediating the system calls that open a named pipe, LPC, shared memory, and the like, that transmit data to them, and that receive data from them.
- the IPC monitoring unit 151 notifies the IPC analysis unit 153 of the detected IPC protocol type and the processing content.
- the IPC analysis unit 153 determines whether or not the detected IPC is for transferring data copied between resources.
- the IPC analysis unit 153 acquires the type of communication protocol used in the IPC and the processing content of the IPC in that protocol. This is because there are IPCs in which data is not copied depending on the type of protocol and the processing content, and excessive dependency relationships are acquired when data dependency relationships are obtained for all IPCs.
- the IPC analysis unit 153 analyzes the data flowing in the IPC channel by using a determination rule based on the type of protocol and the processing content, thereby determining whether data is copied between resources. This determination rule is written by an expert, who determines, for the IPCs commonly used between processes, whether an explicit information flow exists between the communication source and the communication destination.
- the resource represents a device capable of inputting / outputting information by a user operation in the computer 1 and includes, for example, a file on a hard disk or a removable medium, and a network connection.
- the network connection includes, for example, transmission of data by FTP (File Transfer Protocol), HTTP (Hyper Text Transfer Protocol), and SMTP (Send Mail Transfer Protocol).
- the IPC analysis unit 153 determines the dependency based on the type of command transmitted within the protocol, the argument of the command, etc. (processing content).
- when the IPC protocol is RPC (Remote Procedure Call), the IPC analysis unit 153 determines the dependency relationship based on the procedure name and its arguments (processing contents).
- when the IPC protocol is a COM (Component Object Model) method call, the IPC analysis unit 153 determines the dependency based on the interface name, the method name, its arguments, and the like (processing content).
- when acquiring the processing contents, the IPC analysis unit 153 temporarily stores the content each time an IPC-related system call is invoked. This is because one IPC having a certain function may be realized by a series of multiple system calls. Then, when one IPC having a certain function is completed, the IPC analysis unit 153 reconstructs and acquires the processing content (communication content) of the IPC from the temporary storage.
- communication using a named pipe is a client-server type communication
- an IPC having a certain function may be realized by a plurality of communication using a named pipe.
- the IPC analysis unit 153 temporarily stores the contents of a series of named pipe communications.
- LPC is one of the mechanisms of IPC implemented in Windows (registered trademark), and is a client-server type communication like a named pipe. Also in this case, the IPC analysis unit 153 temporarily stores the contents of a series of named pipe communications. In particular, in LPC, there is a limit on the size of data to be transmitted. When transmitting large data, data is transmitted using a shared memory. In such a case, when reconfiguring the IPC communication content, the IPC analysis unit 153 reconfigures the LPC communication content and the content of the shared memory together.
- the IO monitoring unit 155 monitors access to resources by processes. For example, the IO monitoring unit 155 detects access by mediating a system call that opens a file or a network socket, or mediating communication from an OS kernel to a file system driver or a network driver.
- the log creation unit 157 creates a log in which the access event to the resource detected by the IO monitoring unit 155 and the IPC event detected by the IPC analysis unit 153 are recorded. Details of the recorded contents of the log will be described later.
- the storage unit 17 stores the log 171 created by the log creation unit 157.
- the storage unit 17 is a storage medium such as a hard disk.
- a known log falsification prevention technique may be used to prevent the user from falsifying the log 171.
- the analysis unit 19 analyzes the dependency relationship between the data accessed in each access event from the recorded contents of the log 171. In other words, for the data targeted by each access event (the access target), the analysis unit 19 determines which other access event's target data it depends on.
- the analysis unit 19 targets any file (data) among the access event targets.
- the analysis unit searches for all events whose target is the file to be investigated and whose type is “write”. An event that satisfies this condition is called event Z.
- the analysis unit 19 determines that there is no file depending on the investigation target file.
- the analysis unit 19 searches for all “read” events (hereinafter referred to as “event W”) that occurred at a time before the event Z and have the same process name as the event Z.
- the analysis unit 19 determines whether there is an IPC event that targets the process name of the event Z among events that occurred at a time before the event Z.
- An event that satisfies this condition is referred to as an event W.
- the analysis unit 19 searches for all “read” events (W) that occurred at a time before the event W and have the same process name as the event W. The analysis unit 19 determines that it depends on the target of the searched W event.
- the analysis unit 19 investigates the dependency relationship for all the files (data) described in the log, and outputs the analysis result 191 describing the dependency relationship between the data.
- FIG. 2 is a table summarizing the contents of the log 171. Referring to the figure, the “type”, “process name”, and “target” of the event are recorded in the log 171 in chronological order.
- Type is the type of event detected by the IO monitoring unit 155 or the IPC analysis unit 153.
- the event detected by the IO monitoring unit 155 is an access event to the resource, and is a read from the resource (such as “read”) or a write to the resource (such as “write”).
- the event detected by the IO monitoring unit 155 is an IPC event (“ipc”) that delivers copied data.
- Process name is an identifier uniquely assigned to the process processed in the event.
- when the detected event is an IPC event, the name of the communication source process is recorded.
- Target is data to be accessed in the case of an access event, and is a process of a communication destination in the case of an IPC event.
- FIG. 3 is a table summarizing the contents of the analysis result 191.
- the analysis result 191 describes the data to be investigated (“survey target file”) and the data of the dependency source (“dependence source”) in association with each other.
- FIG. 4 is a flowchart showing the operation of the computer 1. This operation starts when a predetermined application is executed.
- IPC monitoring unit 151 acquires the type of protocol in the detected IPC (step S5).
- the IPC monitoring unit 151 executes a communication content acquisition process (step S7), and the IPC analysis unit 153 detects an IPC that transfers data copied between resources based on the protocol type and the IPC processing content (step S9).
- the IO monitoring unit 155 detects an access event to the resource (step S11).
- the log creation unit 157 creates a log 171 that records the access event to the resource and the IPC event to which the data is copied, and stores it in the storage unit 17 (step S13).
- the analysis unit 19 reads the log 171 and executes an analysis process (step S15). After step S15, the computer 1 ends the operation.
- FIG. 5 is a flowchart showing communication content acquisition processing.
- the IPC monitoring unit 151 temporarily stores a series of IPC processing contents (step S71).
- the IPC monitoring unit 151 determines whether one IPC having a certain function is completed (step S73).
- if the IPC is not completed (step S73: NO), the IPC monitoring unit 151 returns to step S71. If the IPC is completed (step S73: YES), the IPC monitoring unit 151 reconfigures the IPC processing content (communication content) from the temporary storage and notifies the IPC analysis unit 153 (step S75). After step S75, the IPC monitoring unit 151 ends the communication content acquisition process.
- FIG. 6 is an example of a computer program that realizes the content of step S9 for detecting an IPC in which data is copied between resources.
- the computer program in the figure is written in the C++ language.
- when the communication protocol is a COM method call, the interface name of the method is “IDataObject”, and the method name is “GetData”, it is determined that data is copied between resources, that is, that a dependency relationship occurs (“true”) (step S91).
- This method call is called when dragging and dropping by OLE (Object Linking and Embedding) occurs between processes, and has a function of copying information held by the drag source process to the drag destination. Therefore, this method call causes data dependency.
- the protocol of the communication content is a method call of COM
- the interface name of the method is “IDataObject”
- the method name is “QueryGetData”
- This method call is invoked when the mouse cursor enters the drop-destination window during OLE drag-and-drop, and it has no function to send information held by the drag-source process to the drag destination. Therefore, this method call does not cause data dependency.
- FIG. 7 is a flowchart showing the analysis process.
- the analysis unit 19 sets one of the access event targets as the file X to be investigated (step S151).
- the analysis unit 19 determines whether or not the event Z whose type is “write” and the target is the file X is recorded in the log (step S153).
- the analysis unit 19 searches for “read” events W that occurred before the event Z and are associated with the same process name as the event Z. The analysis unit 19 adds the searched events W to the set Y (step S155).
- the set Y is a set of events that target data having a dependency relationship with X.
- the analysis unit 19 determines whether an IPC event W that is an event before the event Z and is associated with the same process name as the event Z is recorded (step S157).
- if the event W is recorded (step S157: YES), the analysis unit 19 sets the event W as the event Z (step S159), and returns to step S153.
- if the event W is not recorded (step S157: NO), the analysis unit 19 determines that X depends on the targets of the events included in Y, and describes these data in the analysis result 191 with a dependency relationship added (step S161).
- if the event Z is not recorded (step S153: NO), it is determined that there is no file on which the file X depends (step S163).
- the analysis unit 19 determines whether all the files have been investigated (step S165). If all the files have not been investigated (step S165: NO), the analysis unit 19 returns to step S151. If all the files have been investigated (step S165: YES), the analysis unit 19 ends the analysis process.
- FIG. 8A to FIG. 10 are diagrams showing a series of file operations by the user.
- the computer 1 stores the files “aaa.txt”, “bbb.doc”, and “ccc.doc”, and the processes “wordpad” and “winword” have been started.
- the user performed an operation of reading the file “aaa.txt” in the process “wordpad”.
- the user opens another “winword” execution screen, and performs an operation of reading the file “ccc.doc” in “winword”.
- the user stored the read files (“aaa.txt”, “ccc.doc”) as “ddd.doc” in the resource.
- the computer 1 records access events and IPC events in the log 171 as shown in FIG. 2 (step S13). Specifically, as shown in FIGS. 8A, 8B, and 9A, when files are read from resources in the “wordpad” and “winword” processes, those access events are recorded.
- as shown in FIG. 9B, while the file is being dragged, IPC is intermittently performed between the drag source process and the process currently under the mouse cursor. Since no information flows, IPC events during this period are not recorded in the log.
- as shown in FIG. 9B, when a file is dropped, data is copied between resources, so an IPC event is recorded.
- the “ddd.doc” file is analyzed as having been copied from the “aaa.txt”, “bbb.doc”, and “ccc.doc” files via the “wordpad” and “winword” processes. That is, the “ddd.doc” file depends on the “aaa.txt”, “bbb.doc”, and “ccc.doc” files.
- the computer 1 detects inter-process communication that transfers data copied between resources based on the processing content.
- a copy of data can be detected without performing a complicated operation such as creating a filter program and a state detection rule individually for each application, and the data flow can be easily traced.
- since a dependency relation is given between the data corresponding to the copy destination and the copy source of the data transferred in the detected inter-process communication, the data flow can be accurately traced.
- the data dependency analysis device detects inter-process communication that transfers copied data based on the type of protocol used in the inter-process communication and its processing content. This makes it possible to exclude inter-process communication using a protocol that does not deliver copied data, and as a result, data can be traced more accurately.
- the analysis unit 19 associates the read event and the write event via the detected inter-process communication event, determines the copy dependency using the read data as the copy source, and the write data as the copy destination. Even if the data is copied via the network, the copied data can be accurately traced.
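The first embodiment's pipeline, as an added Python example that is not code from the patent: the step S9 determination rule decides which IPC events reach the log, and the FIG. 7 analysis walks the log backward from each write. The tuple layout, the `notepad` process and `zzz.txt`, and the choice to treat unlisted calls as copying are assumptions of this example; unlike the flowchart, it follows every matching IPC event rather than a single one.

```python
from collections import namedtuple

# One row of the log 171. Rows are kept in chronological order, so the list
# index serves as the event time.
Event = namedtuple("Event", "type process target")

# Determination rule of step S9 for the COM calls the page walks through:
# (protocol, interface, method) -> does the call copy data between resources?
COPY_RULES = {
    ("COM", "IDataObject", "GetData"): True,        # OLE drop: data is copied
    ("COM", "IDataObject", "QueryGetData"): False,  # cursor entered a window
}


def ipc_copies_data(protocol, interface, method, rules=COPY_RULES):
    """Return True when the IPC passes copied data.

    Calls missing from the rule table are treated as copying; that default
    is an assumption of this example.
    """
    return rules.get((protocol, interface, method), True)


def build_log(observations, filter_ipc=True):
    """Turn raw observations into log rows (step S13).

    With filter_ipc=True, IPC that does not copy data is dropped, as the
    page describes. filter_ipc=False logs every IPC, which is the behaviour
    the page criticises as producing excessive dependencies.
    """
    log = []
    for obs in observations:
        kind, process, target = obs[:3]
        if kind == "ipc" and filter_ipc and not ipc_copies_data(*obs[3]):
            continue
        log.append(Event(kind, process, target))
    return log


def dependency_sources(log, file_x):
    """Backward trace of FIG. 7: the set of data that file_x depends on."""
    sources = set()
    seen = set()
    # Every write to X is an event Z; remember its time and writing process.
    work = [(t, ev.process) for t, ev in enumerate(log)
            if ev.type == "write" and ev.target == file_x]
    while work:
        t, proc = work.pop()
        if (t, proc) in seen:
            continue
        seen.add((t, proc))
        for earlier in range(t):
            ev = log[earlier]
            if ev.type == "read" and ev.process == proc:
                sources.add(ev.target)              # event W: add to set Y
            elif ev.type == "ipc" and ev.target == proc:
                work.append((earlier, ev.process))  # continue from the sender
    return sources


# Constructed observations modelled on the page's drag-and-drop scenario.
# notepad and zzz.txt are hypothetical: a drag that passed over the winword
# window without being dropped.
SAMPLE_OBSERVATIONS = [
    ("read", "wordpad", "aaa.txt"),
    ("read", "winword", "bbb.doc"),
    ("read", "notepad", "zzz.txt"),
    ("read", "winword", "ccc.doc"),
    ("ipc", "notepad", "winword", ("COM", "IDataObject", "QueryGetData")),
    ("ipc", "wordpad", "winword", ("COM", "IDataObject", "QueryGetData")),
    ("ipc", "wordpad", "winword", ("COM", "IDataObject", "GetData")),
    ("write", "winword", "ddd.doc"),
]

if __name__ == "__main__":
    for filtered in (True, False):
        log = build_log(SAMPLE_OBSERVATIONS, filter_ipc=filtered)
        print("filtered" if filtered else "unfiltered",
              sorted(dependency_sources(log, "ddd.doc")))
```

With the rule applied, `ddd.doc` traces back to the three files named on the page; logging every IPC also pulls in `zzz.txt`, an excessive dependency of the kind the page attributes to content-blind tracking.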
- FIG. 11 is a table summarizing the contents of the log 171 created by the log creation unit 157 of the present embodiment.
- the target data size is further recorded in association with each event.
- the data size to be transferred is recorded.
- “2” is recorded in the “data size” column when the data size is larger than the predetermined value, and “1” is recorded otherwise.
- FIG. 12 shows the configuration of the analysis result 191 of this embodiment.
- the analysis result 191 further describes “dependency” for each dependency source file.
- the degree of dependence is the degree of dependence between targeted data, and the computer 1 evaluates that the degree of dependence is larger as the data size of each piece of data having the dependence is larger.
- FIG. 13 is a flowchart showing the operation of the computer 1 of this embodiment. Referring to the figure, the operation of the computer 1 of the present embodiment is the same as that of the first embodiment, except that step S9a is executed instead of step S9.
- in step S9a, the IPC analysis unit 153 acquires an IPC in which data is copied between resources and the data size of the copied data.
- FIG. 14 is an example of a computer program that realizes the processing content of step S9a of the present embodiment.
- the IPC analysis unit 153 calculates the size of the dragged and dropped data from the IPC communication content, and returns “2” if the data size is larger than a predetermined value (step S91a). If the data size is equal to or smaller than the predetermined value, the IPC analysis unit 153 returns “1” (step S93a). If the processing content does not cause a data copy, the IPC analysis unit 153 returns “0” (step S95a).
- the IPC analysis unit 153 returns “2” conservatively (step S97a).
- the log creation unit 157 records the IPC event in the log 171 when the IPC analysis unit 153 returns “1” or “2”.
- FIG. 15 is a flowchart showing the analysis processing of this embodiment.
- the analysis process of the present embodiment is the same as the analysis process of the first embodiment except that the analysis unit 19 executes step S156 after step S155 and executes step S159a instead of step S159.
- in step S156, the analysis unit 19 multiplies the “data size” corresponding to the event Z by the “data size” corresponding to the event W, and sets the multiplied value as the “dependency” of the W.
- in step S159a, when the event W is set as the event Z, the analysis unit 19 calculates the dependency of the event Z.
- since the computer 1 evaluates the degree of dependence as higher the larger the target data size is, the computer 1 can grasp the strength of the dependency between data. The computer 1 can further improve the efficiency of data tracking by preferentially tracking data having a strong dependency.
- FIG. 16 is a block diagram showing the configuration of the computer 1b of this embodiment.
- the computer 1b is different from the computer 1 of the first embodiment in that the monitoring unit 15 further includes a dynamic information flow analysis unit 156.
- the dynamic information flow analysis unit 156 uses the definition information 1561, which defines the system calls that cause a process to read a resource and the system calls that cause a process to write a resource, to inspect the data transfer inside the process before the write.
- the dynamic information flow analysis unit 156 inspects data transfer within the process by the method described in Non-Patent Document 3 (Feng Qin, Cheng Wang, Zhenmin Li, Ho-seop Kim, Yuanyuan Zhou, and Youfeng Wu, “LIFT: A Low-Overhead Practical Information Flow Tracking System for Detecting Security Attacks”, IEEE International Symposium on Microarchitecture (MICRO'06), 2006) or Non-Patent Document 4 (Prateek Saxena, R. Sekar and Varun Puranik, “Efficient Fine-Grained Binary Instrumentation with Applications to Taint-Tracking”, ACM / IEEE ... Optimization, 2008).
- the dynamic information flow analysis unit 156 associates with memory a tag indicating what information is currently stored there, and embeds into the process code that propagates the tag in step with the memory operations of the process. By executing the process with this code, it determines whether data in one memory location depends on data in another. Using this technique, when a system call reads a certain resource A into a memory buffer, the dynamic information flow analysis unit 156 adds a tag corresponding to the resource A to the memory buffer.
- the dynamic information flow analysis unit 156 propagates the tag according to the processing of the data in the buffer. When the content of the memory buffer is finally written into another resource B by a system call, and a tag corresponding to resource A is attached to the memory buffer, it outputs information indicating that resource B depends on resource A.
- the dynamic information flow analysis unit 156 propagates the tag between the input to the IPC and the output from the IPC.
- in a write event to a resource and in an IPC event, the log creation unit 157 identifies, from the tag notified by the dynamic information flow analysis unit 156, which resource or process (dependence source) the data output to the resource or process that is the output destination (target) of the event is derived from. In each event, the log creation unit 157 records not only the event type and target but also the resource of the dependency source in the log 171.
- when examining a file on which the file X to be investigated depends, the analysis unit 19 searches for an event Z whose type is write and whose target is X. If there is no corresponding event, the analysis unit 19 determines that there is no file dependent on X. If there is a corresponding event, the analysis unit 19 determines that the dependency source file recorded in association with it is the dependency source of X.
- FIG. 17 is a table summarizing the contents of the definition information 1561 of this embodiment.
- the definition information 1561 defines a system call (for example, read) that causes reading of a resource and a system call (for example, write) that causes writing of the resource.
- the definition content includes the name of the system call and the meaning content of each argument (whether it is a data transfer source or a data transfer destination).
- FIG. 18 is a table summarizing the contents of the log 171 of this embodiment. Referring to the figure, in each event, the log 171 records not only the event type and target but also the data of the dependence source.
- FIG. 19 is a flowchart showing the operation of the computer 1b of this embodiment.
- the operation of the computer 1b in the present embodiment is the same as the operation of the computer 1 of the first embodiment except that the computer 1b further executes step S12 after step S11 and executes steps S13c and S15c instead of steps S13 and S15.
- the dynamic information flow analysis unit 156 checks the data transfer inside the process, and outputs information for specifying the IPC or the resource that depends on the target of the process (step S12).
- the log creation unit 157 records the target and the resource of the dependence source in association with the event type (step S13c).
- FIG. 20 is a flowchart showing the analysis process (step S15c) of the present embodiment.
- the analysis process of this embodiment is the same as the analysis process of the first embodiment except that step S154 is executed instead of steps S155 to S159.
- step S153 If the type is “write”, the target is the file X, and the event Z is recorded in the log 171 (step S153: YES), the analysis unit 19 adds the file from which the event Z depends to Y. (Step S154). After step S154, the analysis unit 19 executes step S161.
- the computer 1b corresponds to the written access target data based on the definition information defining the argument of the data transfer source for the system call that causes the data to be written.
- the access target data set in the argument of the transfer source is further recorded as the copy source, it becomes easier to trace the data flow.
- FIG. 3 For example, in FIG. 3 according to the first embodiment, three files (aaa.txt, bbb.doc, ccc.doc) are acquired as dependency sources for the investigation target file (ccc.doc). In FIG. 18 in the embodiment, for the same target (ccc.doc), only two files (aaa.txt, ccc.doc) are acquired as dependency sources.
- the computer 1 detects data transfer between processes, but does not detect data transfer within the process (such as data transfer between a memory and a memory buffer). Because. For this reason, the computer 1 according to the first embodiment obtains a dependency source that is not dependent on the file to be investigated (ccc.doc) (bbb.doc), and obtains an excessive dependency relationship compared to the present embodiment. It was.
- the computer 1b can specify the drag-and-drop source document by the dynamic information flow analysis unit 156, and further suppress the generation of excessive dependency. Even when the number of resources having dependencies increases, the computer 1b can accurately track the data.
- FIG. 21 is a block diagram showing the configuration of the computer 1c of this embodiment.
- The computer 1c differs from the computer 1 of the first embodiment in that the monitoring unit 15 further includes a security level determination unit 150.
- The security level determination unit 150 determines the security level (degree of confidentiality) of the resource to be read.
- The security level determination unit 150 determines that a file stored in a specific directory has a higher security level than a file that is not. Further, the security level determination unit 150 determines the security level according to the contents of the read file, as described in JP-A-2006-209649.
- The log creation unit 157 further records the security level in association with each event.
- When searching for the read-source files of the file under investigation, the analysis unit 19 treats only files having a security level lower than that of the file under investigation as dependency sources.
- FIG. 22 is a table summarizing the contents of the log 171 of the present embodiment. As shown in the figure, the log 171 further records the security level of each target in association with each event.
- The security level has, for example, two levels: “0” (no need for confidentiality) and “1” (needs confidentiality).
- FIG. 23 is a flowchart showing the operation of the computer 1c of this embodiment.
- The operation of the computer 1c is the same as the operation of the computer 1 of the first embodiment, except that step S5 is executed after the security level determination unit 150 acquires the security level of the source resource (step S3).
- FIG. 24 is a flowchart showing the analysis process of this embodiment.
- The analysis process of the present embodiment is the same as the analysis process of the first embodiment, except that the analysis unit 19 executes steps S154 and S155c instead of step S155.
- If there is an event Z (step S153: YES), the analysis unit 19 searches for a “read” event W that precedes the event Z and is associated with the same process name as the event Z (step S154). If the security level corresponding to the event W is lower than the security level corresponding to the event Z, the analysis unit 19 adds the retrieved event W to the set Y (step S155c).
- The security level determination unit 150 acquires the security level of the source resource, and the analysis unit 19 determines only the dependency relationships between files having a security level equal to or higher than a predetermined value.
- Because the acquisition of dependency relationships between files having a relatively low security level is omitted, the computer 1c can further improve the efficiency of data tracking.
- FIG. 25 is a flowchart showing the operation of the computer 1c of this embodiment. Referring to the figure, the operation of the computer 1c is the same as the operation of the computer 1 of the first embodiment, except that the log creation unit 157 executes step S13d instead of step S13.
- The log creation unit 157 discards the records of events whose security level is lower than the predetermined value and records only the access events whose security level is higher than the predetermined value (step S13d).
- The computer 1c can thereby limit the size of the log 171.
- FIG. 26 is a block diagram showing the configuration of the computer 1e of this embodiment. Referring to the figure, the computer 1e differs from the computer 1c of the fourth embodiment in that it further includes an IO mediation unit 11.
- The security level determination unit 150 further acquires the security level of the resource to which data is written.
- In determining the security level of the write-destination resource, the security level determination unit 150 assumes that a specific storage device such as a USB (Universal Serial Bus) memory has a lower security level than other storage devices. In addition, the security level determination unit 150 determines that a specific directory has a higher or lower security level than other directories. The security level determination unit 150 determines that HTTPS (Hypertext Transfer Protocol over Secure Socket Layer) transmission to a specific server has a higher security level than transmission to an unspecified server.
- HTTPS: Hypertext Transfer Protocol over Secure Socket Layer
- When mediating an IO that writes to a resource, the IO mediation unit 11 prohibits the write, by making the system call fail, if the write destination has a security level lower than the security level of the read source (the dependency source of the write destination).
- FIG. 27 is a flowchart showing the operation of the computer 1e of this embodiment. Referring to the figure, the operation of the computer 1e is the same as the operation of the computer 1 of the first embodiment, except that step S5 is executed after the IO mediation process (step S1).
- FIG. 28 is a flowchart showing the operation of the IO mediation process of this embodiment.
- The security level determination unit 150 determines whether a read process has been executed (step S101). If the read process has been executed (step S101: YES), the security level determination unit 150 acquires the security level of the read source (step S103).
- It is then determined whether a write process that writes the read data has been executed (step S105). If the write process has been executed (step S105: YES), the security level determination unit 150 acquires the security level of the write destination (step S107).
- The IO mediation unit 11 determines whether the security level of the write-destination resource is higher than that of the read-source resource (step S109).
- If the security level of the write-destination resource is higher than that of the read source (step S109: YES), the IO mediation unit 11 prohibits writing of the data to the resource (step S111). After step S111, the computer 1e ends the IO mediation process.
- This configuration only prevents confidential information from leaking to the outside, but a configuration may also be adopted in which a security level is defined for users as well, so that only users who are permitted to read confidential information can read it.
- The security level of the user is assigned to the processes started by the user, and the IO mediation unit 11 may be configured to prohibit reading of resources having a security level higher than the security level of the process. In this way, an attempt to read a resource having a security level higher than the security level of the user fails, so disclosure of confidential information to the user can be prevented.
- The IO mediation unit 11 permits writing to a resource if the security level of the write-destination resource is higher than the security level of the read-source resource. This prevents highly confidential data (high security level) from being written to resources with low confidentiality (low security level).
- Tools that prohibit only the writing of highly confidential files to a USB memory have been put into practical use (Non-Patent Document 1), but they do not work correctly if a file has been altered, by encryption or the like, so that its confidentiality can no longer be determined.
- Because the computer 1e of the present embodiment tracks the exchange of data between processes, it can correctly prohibit writing based on the security level the data had before it was altered so that its confidentiality cannot be determined.
- This embodiment is characterized in that it controls process access to files and networks but does not control IPC. As a result, leakage of confidential data can be prevented while minimizing the possibility of destabilizing the operation of existing applications.
- FIG. 29 is a block diagram illustrating the configuration of the computer 1f according to the present embodiment.
- The computer 1f differs from the computer 1f of the first embodiment in that it further includes an encryption unit 12, a decryption unit 13, and a key management unit 14.
- When data is written to a resource, the encryption unit 12 encrypts the target data with a key corresponding to the security level if the security level of the destination resource is equal to or higher than a predetermined value.
- The decryption unit 13 determines whether the data read from the resource is encrypted. For example, a specific header is added to an encrypted file or network packet, and the decryption unit 13 determines the presence or absence of encryption by examining the header of the read data. If the data is encrypted, the decryption unit 13 obtains the key from the key management unit 14 and decrypts the data.
- The key management unit 14 manages the keys for encrypting and decrypting files.
- The computer 1f executes the IO mediation process (step S1) before step S5, as in the sixth embodiment.
- FIG. 30 is a flowchart showing the IO mediation process of the present embodiment.
- The decryption unit 13 determines whether a read process has been executed (step S101). If the read process has been executed (step S101: YES), the decryption unit 13 executes the decryption process (step S102).
- It is then determined whether a write process has been executed (step S105). If the write process has been executed (step S105: YES), the encryption unit 12 executes the encryption process (step S106). If the write process has not been executed (step S105: NO), or after step S106, the computer 1f ends the IO mediation process.
- FIG. 31 is a flowchart showing the decryption process.
- The decryption unit 13 determines whether the data read by the read process is encrypted (step S121).
- If the data is encrypted (step S121: YES), the decryption unit 13 acquires the key from the key management unit 14 and decrypts the data with the key (step S123). Then, the decryption unit 13 sets the security level of the data to 1 (step S125).
- If the data is not encrypted (step S121: NO), the decryption unit 13 sets the security level of the data to 0 (step S127). After step S125 or S127, the decryption unit 13 ends the decryption process.
- FIG. 32 is a flowchart showing the encryption process.
- The encryption unit 12 acquires the security level set for the target data of the write process (step S161).
- The encryption unit 12 determines whether the acquired security level is 1 (step S163).
- If the security level is 1 (step S163: YES), the encryption unit 12 acquires the key from the key management unit 14 and encrypts the target data (step S165). If the security level is not 1 (step S163: NO), or after step S165, the encryption unit 12 ends the encryption process.
- A public key cryptosystem may be used so that the secret key is used only by the decryption unit 13.
- The security level is set to two levels (“0” and “1”), but three or more levels may be set.
- The computer 1f may record information corresponding to the security level in the header and change the key according to the security level.
- This configuration only prevents confidential information from leaking out in plain text.
- A configuration may also be adopted in which a security level is defined for users as well, so that only users who are permitted to read confidential information can read it. For example, the security level of the user is assigned to the processes started by the user, and the decryption unit 13 does not distribute a key corresponding to a security level higher than the security level of the process. In this way, even if a resource having a security level higher than the security level of the user is read, it cannot be decrypted, so confidential information can be prevented from being disclosed to the user.
- Because the computer 1f encrypts confidential information before writing it out, even if the confidential information leaks to the outside through a USB memory or an e-mail, the data remains confidential as long as the key is not leaked.
- ERM: Enterprise Rights Management
- DRM: Digital Rights Management
- IRM: Information Rights Management
- In each embodiment the computer 1 is configured to perform both log recording and dependency analysis, but, as illustrated in the figure, a configuration may also be adopted in which separate apparatuses (1, 2) are used and a separate apparatus performs the dependency analysis.
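The ccc.doc comparison between the first and third embodiments can be reproduced over a small log, as an added Python example that is not code from the patent. The log entries, process names and the files budget.xls and ddd.doc are constructed, the `sources` field is an assumed encoding of the dependency sources recorded from the tag, and `trace` goes beyond the single lookup in the text by following dependency sources transitively.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    seq: int             # position in the log (events are recorded in order)
    kind: str            # "read", "write" or "ipc"
    process: str         # acting process (for "ipc": the sending process)
    target: str          # resource name (for "ipc": the receiving process)
    sources: tuple = ()  # assumed field: dependency sources taken from the tag


# Constructed sample log; it is not the content of FIG. 3 or FIG. 18.
LOG = [
    Event(1, "read", "excel", "budget.xls"),
    Event(2, "write", "excel", "aaa.txt", sources=("budget.xls",)),
    Event(3, "read", "notepad", "aaa.txt"),
    Event(4, "read", "word", "bbb.doc"),      # opened, nothing copied from it
    Event(5, "read", "word", "ccc.doc"),
    Event(6, "ipc", "notepad", "word", sources=("aaa.txt",)),
    Event(7, "write", "word", "ccc.doc", sources=("aaa.txt", "ccc.doc")),
    Event(8, "read", "word", "ddd.doc"),      # after the write: not a source
]


def coarse_sources(log, x):
    """Process-level analysis: for each write to x, take every resource read
    before that write by the writing process or by a process that sent it
    data over IPC. Transfers inside a process are invisible here."""
    deps = set()
    for z in log:
        if z.kind != "write" or z.target != x:
            continue
        earlier = [e for e in log if e.seq < z.seq]
        procs = {z.process} | {
            e.process for e in earlier
            if e.kind == "ipc" and e.target == z.process
        }
        deps |= {e.target for e in earlier
                 if e.kind == "read" and e.process in procs}
    return deps


def tagged_sources(log, x):
    """Tag-based analysis: use only the dependency sources that were
    recorded with each write event whose target is x."""
    deps = set()
    for z in log:
        if z.kind == "write" and z.target == x:
            deps |= set(z.sources)
    return deps


def trace(log, x, direct):
    """Follow dependency sources transitively, using `direct` for one hop.
    The found-set stops the loop on self-dependencies such as ccc.doc."""
    found, todo = set(), [x]
    while todo:
        for dep in direct(log, todo.pop()):
            if dep not in found:
                found.add(dep)
                todo.append(dep)
    return found


if __name__ == "__main__":
    print("coarse :", sorted(coarse_sources(LOG, "ccc.doc")))
    print("tagged :", sorted(tagged_sources(LOG, "ccc.doc")))
    print("excess :", sorted(coarse_sources(LOG, "ccc.doc")
                             - tagged_sources(LOG, "ccc.doc")))
    print("lineage:", sorted(trace(LOG, "ccc.doc", tagged_sources)))
```

The excess set is exactly the file that the writing process had open but never copied from, which is the over-reported dependency the third embodiment removes.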
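The IO mediation of the sixth embodiment, as an added Python example that is not code from the patent: it applies the rule stated for the IO mediation unit 11 (a write fails when the destination's security level is lower than that of the read source) and carries the level across IPC without blocking the IPC itself. The paths, server URL and process names are hypothetical, and tracking one level per process is an assumption of this example.

```python
from dataclasses import dataclass, field

# Hypothetical locations used to assign the two levels described in the text
# (1 = needs confidentiality, 0 = does not).
SECRET_DIR = "/srv/confidential/"                # directory designated as confidential
USB_MOUNT = "/media/usb/"                        # USB memory: lower level
TRUSTED_SERVER = "https://files.example.test/"   # the "specific server"


def security_level(resource: str) -> int:
    """Security level of a read source or write destination."""
    if resource.startswith(SECRET_DIR) or resource.startswith(TRUSTED_SERVER):
        return 1
    return 0   # USB memory, other directories, unspecified servers


@dataclass
class IOMediator:
    # process name -> highest security level of data the process has taken in
    held: dict = field(default_factory=dict)
    # (process, destination, source level, destination level, decision)
    audit: list = field(default_factory=list)

    def on_read(self, process: str, resource: str) -> int:
        """Read observed: remember the level of the read source."""
        level = security_level(resource)
        self.held[process] = max(self.held.get(process, 0), level)
        return level

    def on_ipc(self, sender: str, receiver: str) -> None:
        """IPC is not controlled; the level simply follows the data."""
        self.held[receiver] = max(self.held.get(receiver, 0),
                                  self.held.get(sender, 0))

    def on_write(self, process: str, resource: str) -> bool:
        """Write observed: refuse it when the destination level is lower than
        the level of the data's read source. False stands for the failing
        system call."""
        src = self.held.get(process, 0)
        dst = security_level(resource)
        allowed = dst >= src
        self.audit.append((process, resource, src, dst,
                           "allow" if allowed else "deny"))
        return allowed


def demo() -> dict:
    """Constructed scenario: a confidential file is handed to an archiver
    over IPC, re-encoded, and written to several destinations."""
    m = IOMediator()
    m.on_read("viewer", SECRET_DIR + "plan.doc")
    m.on_read("notes", "/home/alice/memo.txt")
    m.on_ipc("viewer", "archiver")   # e.g. clipboard or pipe hand-off
    return {
        "archiver -> usb": m.on_write("archiver", USB_MOUNT + "plan.zip.enc"),
        "archiver -> secret dir": m.on_write("archiver", SECRET_DIR + "plan.zip"),
        "archiver -> trusted https": m.on_write("archiver", TRUSTED_SERVER + "upload"),
        "archiver -> other https": m.on_write("archiver", "https://paste.example.invalid/"),
        "notes -> usb": m.on_write("notes", USB_MOUNT + "memo.txt"),
    }


if __name__ == "__main__":
    for action, allowed in demo().items():
        print(f"{action:28s} {'allow' if allowed else 'deny'}")
```

The archiver never read the confidential file itself and its output no longer looks like the original, yet the write to the USB memory is refused because the decision uses the level recorded at the read source.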
Description
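A second embodiment of the present invention will be described. The computer 1 of this embodiment differs from the computer 1 of the first embodiment in that it further determines the degree of the dependency relationship.
A third embodiment of the present invention will be described. FIG. 16 is a block diagram showing the configuration of the computer 1b of this embodiment. Referring to the figure, the computer 1b differs from the computer 1 of the first embodiment in that the monitoring unit 15 further includes a dynamic information flow analysis unit 156.
A fourth embodiment of the present invention will be described. FIG. 21 is a block diagram showing the configuration of the computer 1c of this embodiment. Referring to the figure, the computer 1c differs from the computer 1 of the first embodiment in that the monitoring unit 15 further includes a security level determination unit 150.
A fifth embodiment of the present invention will be described. The configuration of the computer 1c of this embodiment is the same as that of the computer 1c of the fourth embodiment, except that the log creation unit 157 does not record access events whose security level is equal to or lower than a predetermined value.
A sixth embodiment of the present invention will be described. FIG. 26 is a block diagram showing the configuration of the computer 1e of this embodiment. Referring to the figure, the computer 1e differs from the computer 1c of the fourth embodiment in that it further includes an IO mediation unit 11.
A seventh embodiment of the present invention will be described. FIG. 29 is a block diagram showing the configuration of the computer 1f of this embodiment. Referring to the figure, the computer 1f differs from the computer 1f of the first embodiment in that it further includes an encryption unit 12, a decryption unit 13, and a key management unit 14.
2 Analysis device
12 Encryption unit
13 Decryption unit
14 Key management unit
15 Monitoring unit
17 Storage unit
19 Analysis unit
150 Security level determination unit
151 IPC monitoring unit
153 IPC analysis unit
155 IO monitoring unit
156 Dynamic information flow analysis unit
157 Log creation unit
171 Log
193 Analysis result
1561 Definition information
S5-S15, S71-S75, S91-S95, S151-S165, S9a, S91a-S97a, S159a, S13c, S15c, S155c, S13d, S101-S111, S121-S127, S161-S165 Steps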
Claims (10)
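- A data dependence analyzer comprising:
inter-process communication detection means for detecting, based on the processing content of inter-process communication, inter-process communication that passes data copied between resources;
access detection means for sequentially detecting access events by processes to data in the resources;
recording means for recording, for each access event detected by the access detection means, the access target data of that access event; and
analysis means for searching the access target data recorded by the recording means for the data corresponding to the copy source and the copy destination of the data passed in the inter-process communication detected by the inter-process communication detection means, and assigning a dependency relationship between the retrieved data.
- The data dependence analyzer according to claim 1, wherein the inter-process communication detection means detects the inter-process communication that passes data copied between resources based on the type of protocol used in the inter-process communication and the processing content of the inter-process communication.
- The data dependence analyzer according to claim 1 or 2, wherein the recording means further records the size of the access target data in association with the access event, and
the analysis means further determines the degree of the dependency relationship based on the sizes associated with the copy-source data and the copy-destination data.
- The data dependence analyzer according to any one of claims 1 to 3, wherein the analysis means searches for data written to a resource by the destination process of the inter-process communication detected by the inter-process communication detection means and treats it as the copy-destination data, and searches for data read from a resource by the source process of the inter-process communication before the copy-destination data was written and treats it as the copy-source data.
- The data dependence analyzer according to any one of claims 1 to 3, further comprising definition information that defines a write system call invoked by a process that writes data to a resource and the argument of the write system call in which the transfer-source data is set, wherein
the recording means further stores, based on the definition information, when the write system call is invoked by a process, the transfer-source data set in the argument in association with the access target data, and
the analysis means searches for data written to a resource by the destination process of the inter-process communication detected by the inter-process communication detection means and treats it as the copy-destination data, and treats the transfer-source data associated with the copy-destination data as the copy-source data.
- The data dependence analyzer according to any one of claims 1 to 5, wherein a security level indicating the degree of confidentiality is set for the resources,
the analyzer further comprising security level acquisition means for acquiring, when data is read from a resource, the security level set for that resource, wherein
the recording means further records the security level acquired by the security level acquisition means in association with the access target data, and
the analysis means searches, among the access target data associated with a security level higher than a predetermined value, for the data corresponding to the copy source and the copy destination of the data passed in the inter-process communication detected by the inter-process communication detection means.
- The data dependence analyzer according to claim 6, wherein the security level acquisition means further acquires, when data is written to a resource, the security level set for that resource,
the analyzer further comprising writing means for writing, when data read from a read-source resource is written to a write-destination resource, the data if the security level acquired by the security level acquisition means for the write-destination resource is lower than the security level acquired by the security level acquisition means for the read-source resource.
- The data dependence analyzer according to claim 6, further comprising:
encryption means for acquiring, when data is written to a resource, the security level set for that resource and, if the security level is equal to or higher than a predetermined value, encrypting the data and writing it to the resource; and
decryption means for acquiring, when the data written by the encryption means is read from the resource, the security level set for that resource and decrypting the data based on the security level.
- A data dependence analysis method, wherein inter-process communication detection means detects, based on the processing content of inter-process communication, inter-process communication that passes data copied between resources,
access detection means sequentially detects access events by processes to data in the resources,
recording means records, for each access event detected by the access detection means, the access target data of that access event, and
analysis means searches the access target data recorded by the recording means for the data corresponding to the copy source and the copy destination of the data passed in the inter-process communication detected by the inter-process communication detection means, and assigns a dependency relationship between the retrieved data.
- A program for causing a computer to execute:
an inter-process communication detection procedure of detecting, based on the processing content of inter-process communication, inter-process communication that passes data copied between resources;
an access detection procedure of sequentially detecting access events by processes to data in the resources;
a recording procedure of recording, for each access event detected in the access detection procedure, the access target data of that access event; and
an analysis procedure of searching the access target data recorded in the recording procedure for the data corresponding to the copy source and the copy destination of the data passed in the inter-process communication detected by the inter-process communication detection means, and assigning a dependency relationship between the retrieved data.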
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US13/132,233 US9027123B2 (en) | 2008-12-08 | 2009-11-25 | Data dependence analyzer, information processor, data dependence analysis method and program |
JP2010542072A JP5387584B2 (ja) | 2008-12-08 | 2009-11-25 | Data dependence analyzer, information processor, data dependence analysis method and program |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
JP2008-312242 | 2008-12-08 | ||
JP2008312242 | 2008-12-08 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2010067703A1 (ja) | 2010-06-17 |
Family
ID=42242693
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/JP2009/069837 WO2010067703A1 (ja) | Data dependence analyzer, information processor, data dependence analysis method and program | 2008-12-08 | 2009-11-25 |
Country Status (3)
Country | Link |
---|---|
US (1) | US9027123B2 (ja) |
JP (1) | JP5387584B2 (ja) |
WO (1) | WO2010067703A1 (ja) |
-
2009
- 2009-11-25 US US13/132,233 patent/US9027123B2/en active Active
- 2009-11-25 WO PCT/JP2009/069837 patent/WO2010067703A1/ja active Application Filing
- 2009-11-25 JP JP2010542072A patent/JP5387584B2/ja active Active
Also Published As
Publication number | Publication date |
---|---|
JPWO2010067703A1 (ja) | 2012-05-17 |
US9027123B2 (en) | 2015-05-05 |
JP5387584B2 (ja) | 2014-01-15 |
US20110239309A1 (en) | 2011-09-29 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 09831808 Country of ref document: EP Kind code of ref document: A1 |
|
WWE | Wipo information: entry into national phase |
Ref document number: 13132233 Country of ref document: US |
|
ENP | Entry into the national phase |
Ref document number: 2010542072 Country of ref document: JP Kind code of ref document: A |
|
NENP | Non-entry into the national phase |
Ref country code: DE |
|
122 | Ep: pct application non-entry in european phase |
Ref document number: 09831808 Country of ref document: EP Kind code of ref document: A1 |