WO2014057668A1 - Information processing apparatus and control method therefor, information processing system, and information processing method - Google Patents

Information processing apparatus and control method therefor, information processing system, and information processing method

Info

Publication number
WO2014057668A1
Authority
WO
WIPO (PCT)
Prior art keywords
program
information processing
registered
list
whitelist
Prior art date
Application number
PCT/JP2013/006022
Other languages
English (en)
Japanese (ja)
Inventor
和希 高野
智 米川
あずさ 関口
智規 佐藤
Original Assignee
キヤノン電子株式会社
Priority date
Filing date
Publication date
Priority claimed from JP2013041248A (JP6165469B2)
Priority claimed from JP2013211424A (JP6253333B2)
Priority claimed from JP2013211423A (JP6254414B2)
Application filed by キヤノン電子株式会社
Publication of WO2014057668A1
Priority to US14/664,410 (US9767280B2)

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/51 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems at application loading time, e.g. accepting, rejecting, starting or inhibiting executable software based on integrity or source reliability
    • G06F 21/55 Detecting local intrusion or implementing counter-measures
    • G06F 21/56 Computer malware detection or handling, e.g. anti-virus arrangements

Definitions

  • the present invention relates to an information processing apparatus, an information processing system, and an information processing method that control whether or not a program is activated and that control network access.
  • the updater usually generates a plurality of different executable files. Therefore, even if the update data is registered in the white list, the executable file generated by the update data is not registered in the white list. As a result, even if the executable file generated by the update data is installed on the computer and the update is completed, these executable files can not be activated, and the program after the update may not operate normally.
  • whitelist type network access control, which permits network access by known programs and restricts network access by other programs.
  • the program to be permitted is registered in the whitelist.
  • the permitted program registered in the whitelist is updated, and the updated program needs to be reregistered in the whitelist.
  • the newly generated program also needs to be registered in the white list.
  • a system administrator or the like extracts the executable file generated by the updater and registers the executable file in the whitelist or registers the program to be updated or the program generated by the updater in the whitelist each time the update is performed.
  • even when the update data can be trusted, the administrator must register the program to be updated and the programs it generates in the whitelist, extract the executable files, update the whitelist, and so on; a burdensome task is therefore required.
  • the information processing apparatus comprises: detection means for detecting activation of a program and generation or change of a program, or for searching for a program; identification means for identifying a program; and registration means for registering a program in a list.
  • the identifying unit determines whether the program satisfies a predetermined criterion based on the program information of the program whose activation has been detected by the detecting unit, or of the detected program; and the registration unit registers in the list a program determined to meet the predetermined criterion.
  • the information processing system includes the information processing apparatus and a server apparatus that transmits information related to a list of programs to the information processing apparatus via a network.
  • the information processing method includes the steps of: detecting activation of a program and generation or change of a program, or searching for a program; identifying a program; and registering the program in a list. In the identifying step, whether or not the program satisfies a predetermined standard is determined based on the program information of the program whose activation was detected in the detection step or of the detected program, and in the registration step the program determined to satisfy the predetermined standard is registered in the list.
  • FIG. 4 is a block diagram showing the configuration of the whitelist control system of the first embodiment.
  • FIG. 2 is a block diagram showing the configuration of a whitelist control system according to the first embodiment in which there is no server.
  • a flowchart explaining the whitelist update process that is triggered by program start.
  • FIG. 7 is a diagram showing an example of a white list of the second embodiment.
  • 10 is a flowchart illustrating whitelist control processing of the second embodiment.
  • 12 is a flowchart for explaining white list control processing of the second embodiment when the installer is started.
  • 6 is a flowchart illustrating network access control.
  • 6 is a flowchart illustrating processing of creating an installer of a control program from a management console.
  • the block diagram of FIG. 1 shows the configuration of the whitelist control system.
  • the whitelist control system includes an information processing apparatus and a server apparatus that manages the information processing apparatus.
  • a client computer (hereinafter referred to as "client") 10 is an information processing apparatus in the whitelist control system.
  • the client 10 is, for example, a personal computer (PC) installed in a company, a school, an administration, a home or the like, or a computer device such as a tablet terminal or a smartphone used or owned by an individual.
  • a server computer (hereinafter referred to as “server”) 20 is a server device that manages an information processing device in the whitelist control system.
  • the server 20 acquires the information of the whitelist 120 from the plurality of clients 10 and converts it into a database, or periodically transmits the whitelist data to the client 10 to update the whitelist 120.
  • the network 300 is a computer network such as the Internet or an intranet.
  • the client 10 connects to the server 20, a web server (not shown), a file transfer protocol (FTP) server, and the like via the network 300.
  • although one client 10 and one server 20 are shown in FIG. 1 for simplicity, in actuality a plurality of clients and a plurality of servers can exist in the whitelist control system.
  • the computing device 10C is a microprocessor (CPU).
  • the arithmetic device 10C starts an operating system (OS) stored in the storage device 10B according to a boot program such as the BIOS (basic input/output system) stored in a read-only memory (ROM) of the memory 10E, and then starts the various resident programs (for example, the control program 113) according to the OS.
  • the arithmetic unit 10C uses a random access memory (RAM) of the memory 10E as a work area.
  • the OS is, for example, Windows (registered trademark), Mac OS (registered trademark), Linux (registered trademark), iOS (trademark), Android (trademark) or the like.
  • the storage device 10B is a hard disk drive (HDD), a solid state drive (SSD) or the like, and stores various programs 100 and data 101 operating on the client 10 in addition to the OS.
  • the various programs 100 stored in the storage device 10B include an identification program 110, a registration program 111, a detection program 112, a control program 113, a file search tool 114, and the like.
  • the program 100 may include a plurality of programs for each of various functions such as the identification program 110 or may be one program having various functions.
  • the various data 101 stored in the storage device 10B includes a white list 120, a promotion reference rule 130, a black list 140, and the like.
  • the I / O device 10A is an input / output interface (I / F) for connecting to a pointing device (such as a mouse) or a keyboard, or a display incorporating a touch panel.
  • the keyboard may be a software keyboard.
  • the I / O device 10A may be a voice input unit including a microphone or the like that recognizes the input operator's voice by the voice recognition function and transmits the recognized voice to the computing device 10C.
  • the I / O device 10A also functions as a user interface (UI) for displaying information.
  • the network I / F 10D is an interface with the network 300, and is a communication circuit for communicating with another computer.
  • the arithmetic device 10C receives information such as partial data of the white list 120 from the server 20 via the network I / F 10D, and transmits various information to the server 20.
  • the computing device 20C is a microprocessor (CPU).
  • Arithmetic device 20C boots up the OS stored in storage device 20B according to a boot program such as BIOS stored in the ROM of memory 20E. Furthermore, the arithmetic device 20C loads the management console 210 from the storage device 20B into the RAM of the memory 20E. Then, information (for example, information of the white list 120 and the like) is acquired from the plurality of clients 10 and made into a database, and conversely, the information is transmitted to the client 10 to update the white list 120 and the like.
  • the storage device 20B is an HDD, an SSD, or the like, and stores various programs 200 and data 201 including a management console 210 operating on the server 20 in addition to the OS.
  • the various data 201 stored in the storage device 10B includes the whitelist master 220, the promotion reference rule 230, the blacklist master 240, the whitelist candidate 250, and the like.
  • the I / O device 20A is an interface (I / F) for connecting to a pointing device (mouse or the like), a keyboard, and a monitor, and the monitor functions as a UI for displaying information.
  • the network I / F 20D is an interface with the network 300, and is a communication circuit for communicating with another computer such as the client 10.
  • the computing device 20C receives information on the whitelist 120 and the blacklist 140 from the plurality of clients 10 via the network I / F 20D, and manages the whitelist master 220 and the blacklist master 250 based on the received information.
  • the server 20 is not an essential component.
  • the block diagram of FIG. 2 shows the structure of the whitelist control system in which the server 20 does not exist. In the configuration of FIG. 2, communication between the client 10 and the server 20 is unnecessary, so the network 300 and the network I / F 10D are also optional.
  • the whitelist control system may be configured to use a thin client (for example, a terminal service or the like).
  • a thin client is a system that allows a client to remotely connect to a server and execute application programs on the server using a virtual desktop environment created on the server.
  • the identification program 110 is executed by the arithmetic device 10C and acquires information such as the program name, hash value, version information, file size, file path, and digital signature (hereinafter referred to as "program information") from a program that has been activated. It has an identification function that identifies the program based on the acquired program information. In addition, the identification program 110 checks the acquired program information against the promotion criterion rule 130 described later to determine whether the program satisfies the promotion criterion.
  • the white list 120 is a list of information on programs that may be executed.
  • the program information acquired by the identification program 110 is used as the information constituting the white list 120.
  • the white list 120 holds, for each program, four types of information (a program name, a hash value, version information, and a file size) together with a promotion authority flag described later. Note that FIG. 3 is an example, and the types and number of pieces of information held in the white list 120 are not limited to those in FIG. 3.
  • the whitelist master 220 is a list of a plurality of whitelists 120.
  • FIG. 4 shows an example of the whitelist master 220 existing in the server 20.
  • the whitelist master 220 holds information associated with the whitelist 120 of a plurality of clients in association with the name and code of the client.
  • the example of FIG. 4 shows an example in which process names, hash values, registration dates, and final activation dates of a plurality of programs are held as the white list 003 corresponding to the client PC 003. Note that FIG. 4 is an example, and the types and the number of information held as the white list master 220 are not limited to those in FIG.
  • the detection program 112 is executed by the arithmetic device 10C, and has a monitoring function that monitors the activation of the program and the generation of another program by the activated program, and a detection function that detects them.
  • the registration program 111 is executed by the arithmetic device 10C and has a registration function that registers, in the whitelist 120, a program whose activation or generation is detected by the detection program 112, based on the program information acquired by the identification program 110.
  • the control program 113 is executed by the arithmetic device 10C and has an activation control function that permits or prohibits (blocks) the start of a program to be started on the client 10.
  • the promotion criteria rule 130 is a rule for determining whether a program or file is issued by a trusted issuer.
  • the promotion criterion rule 130 is a rule defined by an administrator or a user based on program information.
  • the rule includes, for example, a determination of whether a digital signature attached to a program or file is valid, a verification of whether the digital certificate is valid, and a determination of whether the signer's name on the file is a name stored in advance.
  • the type and number of rules applied as the promotion criterion rule 130 are not limited to the above specific example. For example, it is possible to apply a combination of rules such as "the digital signature or digital certificate is valid, and the file name includes the characters "Setup" or "Update"". In this case, when "malware that generates malware by exploiting a vulnerability of the image viewer (Viewer.exe)" operates, even if the digital signature of the image viewer is valid, the file name does not include the above character string, so the promotion criterion is not satisfied. As a result, it is possible to prevent an attack that exploits the vulnerability of the image viewer.
  • the blacklist 140 is a list of programs whose activation and execution are prohibited.
  • the data structure of the blacklist 140 is substantially the same as the whitelist 120 shown in FIG.
  • the blacklist 140 is not essential and may not exist on the client 10, and when the blacklist 140 is not used, the blacklist master 240 of the server 20 is not essential.
  • the detection program 112 detects the activation of a program on the client 10 using a global hook (API (application programming interface) hook, filter driver) or the like, and calls the identification program 110 when it detects the activation of the program.
  • the identification program 110 acquires program information of a program to be activated, and verifies whether the program satisfies the promotion criteria rule 130 or not.
  • the control program 113 permits the activation of the program and calls the registration program 111.
  • the registration program 111 receives program information of the program from the identification program 110, and registers the program in the white list 120.
  • the control program 113 does not cause the registration program 111 to register the program. That is, the prohibition of activation and execution of the program is maintained.
  • the registration program 111 gives “promotion authority” to the program registered in the whitelist 120.
  • the presence or absence of the promotion authority is set, for example, in the promotion authority flag of the white list 120.
  • a table corresponding to the white list 120 may be stored in the storage device 10B, and the presence or absence of the promotion authority may be registered in each record of the table.
  • the promotion authority is the authority defined as follows.
  • the detection program 112 monitors the behavior of the parent program using a global hook or the like.
  • the detection program 112 causes the identification program 110 to acquire program information of the child program.
  • the identification program 110 passes the acquired program information to the registration program 111.
  • the registration program 111 creates data of records to be added to the whitelist 120 based on the received program information, and adds the created data to the whitelist 120.
  • the detection program 112 detects generation of a child program.
  • the detection program 112 analyzes the generated file, and determines whether it is necessary to register information on the generated file in the white list. Then, when it is determined that the registration is not necessary, the subsequent processing is terminated without acquiring the program information by the identification program 110.
  • registration is unnecessary when, for example, analysis of the binary header of the generated file shows that it is not in PE (Portable Executable) format and is therefore not an executable file.
  • the detection program 112 monitors the activation of the child program by the parent program.
  • the detection program 112 calls the registration program 111 when detecting the activation of the child program by the parent program.
  • the called registration program 111 sets "presence" in the promotion authority flag of the child program.
  • the control program 113 permits the activation of the child program.
  • a program generated by a program having a behavior for generating a child program such as a software security patch, can be automatically added to the white list 120. In other words, it is possible to reduce the task of updating the whitelist, which registers the generated child program in the whitelist 120.
  • the process relating to the promotion authority is not limited to the case where the child program is generated from the parent program, and can be performed even in the case of a change (for example, renaming) to the parent program or a change to the child program.
  • “determine whether a valid digital signature is added to the program” is applied as the promotion criteria rule 130. In this way, it can be determined that the program is issued by a reliable publisher and is not a malicious program such as malware, without the operator's involvement. Note that whether or not a valid digital signature is added can be determined, for example, by a method using the Windows (registered trademark) application programming interface (API).
  • the control program 113 performs general whitelist control. That is, when the identification program 110 determines that the program does not satisfy the promotion criteria rule 130, the identification program 110 determines whether the program is registered in the whitelist 120. When it is determined that the program is registered in the whitelist 120, the control program 113 determines whether or not it has the promotion right, and permits the activation of the program. If it is determined that the program is not registered in the whitelist 120, activation of the program is blocked using a global hook or the like.
  • the identification program 110 determines whether the program to be activated is registered in the blacklist 140 or not. It is also possible to adopt a method of blocking the activation of the program when it is registered in the blacklist 140, and permitting the activation of the program when it is not registered in the blacklist 140.
  • a state in which a program or the like is registered in the white list 120 or the black list 140 may be expressed as “exists in the list” and an unregistered state as “not in the list”.
  • the detection program 112 monitors the activation of the program (S201), and when detecting the activation of the program, advances the process to step S202.
  • the identification program 110 acquires program information of the program (S202), and determines whether the program is present in the blacklist 140 (S203). If it is determined that the program is present in the blacklist 140, the control program 113 prevents the activation of the program (S204), and returns the process to step S201.
  • the identification program 110 determines whether the program satisfies the promotion criteria rule 130 (S205). If the program does not satisfy the promotion criteria rule 130, the identification program 110 determines whether the program is present in the whitelist 120 (S206).
  • the identification program 110 determines whether the program has the promotion right (S206B). If it is determined that it has the promotion authority, the control program 113 permits the activation of the program (S210).
  • the control program 113 permits the activation of the program (S207), and returns the process to step S201. If it is determined that the program is not present in the whitelist 120, the control program 113 prevents the activation of the program (S204), and returns the process to step S201.
  • the control program 113 passes the program information of the program to the registration program 111.
  • the registration program 111 registers the program (parent program) in the white list 120 (S208), and sets "presence” in the promotion authority flag (S209). Subsequently, the control program 113 permits the activation of the parent program (S210).
  • the detection program 112 monitors the generation of a child program by the parent program to which the promotion authority is given (S211).
  • the detection program 112 advances the process to step S212 when the parent program generates a child program, and returns the process to step S201 when the parent program does not generate a child program.
  • the detection program 112 may monitor not only the generation of the child program but also a change (for example, renaming) to the child program or the parent program.
  • a change in the parent program is detected, the same process as the child program is performed on the program (parent program).
  • the identification program 110 acquires program information of the child program (S212), and passes the acquired program information to the registration program 111. Thereby, the registration program 111 registers the child program in the white list 120 (S213).
  • the detection program 112 monitors whether or not the parent program to which the promotion authority has been granted starts the child program (S214). If the parent program activates the child program, the detection program 112 proceeds to step S215. If the parent program does not activate the child program, the detection program 112 returns the process to step S201.
  • the identification program 110 determines whether the child program exists in the blacklist 140 (S215). If it is determined that the child program is present in the blacklist 140, the control program 113 prevents the start of the child program (S216). Then, the registration program 111 deletes the registration of the child program from the whitelist 120 (S217), and returns the process to step S201.
  • when it is determined that the child program is not present in the blacklist 140, the process returns to step S209. Therefore, "presence" is set in the promotion authority flag of the child program (S209), activation of the child program is permitted (S210), and generation of a grandchild program by the child program to which the promotion authority has been given is monitored (S211). Then, when the child program generates a grandchild program, the grandchild program is registered in the whitelist 120, and when the child program holding the promotion authority starts the grandchild program, the process of giving the promotion authority to the grandchild program (S209 to S215) is repeated recursively.
  • when the blacklist 140 is not used, the identification program 110 skips the determination of step S215. In that case, "presence" is set in the promotion authority flag of the child program activated by the parent program, or of the grandchild program activated by the child program (S209), and activation of that program is permitted (S210).
  • the detection program 112 determines whether the program to be activated is an installer program (for example, msiexec.exe in Windows (registered trademark)) by comparing it with a list stored in advance in the storage device 10B. If it is determined that an installer program (hereinafter referred to as “installer”) is activated, the processing after step S202 is switched, because the operation of the installer differs from that of other programs.
  • when the operator instructs execution of an installer package file (msi file, msp file, msu file, etc.), the installer is launched and extracts the files stored in the installer package file (hereinafter referred to as "package"). Therefore, the determination based on the promotion criterion rule 130 needs to be performed not on the installer but on the package, and the processing shown in FIGS. 5A and 5B cannot be applied directly.
  • the identification program 110 acquires file information of the package (S221) and determines whether the package exists in the blacklist 140 (S222). If it is determined that the package is present in the blacklist 140, the control program 113 blocks the activation of the installer (S223), and the process returns to step S201. When the blacklist 140 is not used, the identification program 110 skips the determination of step S222.
  • the identification program 110 determines whether the package satisfies the promotion criterion rule 130 (S224). If the package does not satisfy the promotion criteria rule 130, the identification program 110 determines whether the package is present in the whitelist 120 (S225). If it is determined that the package is present in the whitelist 120, the control program 113 sets the promotion authority flag of the installer to "present” (S209), and permits the installer to be activated (S210). If it is determined that the package does not exist in the whitelist 120, the installer is prevented from starting up (S223), and the process returns to step S201.
  • the process in the case where the package satisfies the promotion criteria rule 130 is the same as steps S209 to S217 shown in FIGS. 5A and 5B: the promotion authority flag of the installer is set to "Yes" (S209) and activation of the installer is permitted (S210). Then, the program extracted from the package by the installer is treated the same as a child program generated by a parent program (in this case, the installer). That is, the program extracted from the package is registered in the whitelist 120 as a descendant program, and when the descendant program activates a program of the next generation, the process of giving the promotion authority to the activated program (S209 to S215) is repeated recursively.
  • if, in step S211, an installer package rather than a program is generated by the parent program, the process of FIG. 6 can be applied to the package file.
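To make the flowcharts concrete, here is an added example (not code from the patent or its assignee) that models the client-side flow of FIGS. 5A/5B (S201 to S217) and the installer branch of FIG. 6 (S221 to S225) in Python. ProgramInfo, WhitelistController, the signer names, and the signed_by field that stands in for signature verification are assumptions; the header check mirrors the PE-format test described for generated files.

```python
# Added illustration of the whitelist control flow with promotion authority.
# Not the patent's own code: class and field names are assumptions, signature
# verification is simulated by the 'signed_by' field, and hashes are constructed.
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set


@dataclass(frozen=True)
class ProgramInfo:
    """Program information as acquired by the identification program 110 (constructed)."""
    name: str
    hash: str                        # stands in for the file hash
    header: bytes = b"MZ"            # first bytes of the file; PE files start with 'MZ'
    signed_by: Optional[str] = None  # signer name when the digital signature verified (simulated)


# Signer names "stored in advance" for the promotion criteria rule 130 (constructed).
TRUSTED_SIGNERS = {"Example Vendor Inc."}
BLOCKED, PERMITTED = "blocked", "permitted"


def promotion_rule(p: ProgramInfo) -> bool:
    """Promotion criteria rule 130, using the combined rule given in the text: a valid
    signature from a known signer AND a file name containing 'Setup' or 'Update'."""
    return p.signed_by in TRUSTED_SIGNERS and ("Setup" in p.name or "Update" in p.name)


def is_executable(p: ProgramInfo) -> bool:
    """Binary-header check: files that are not in PE format need no registration."""
    return p.header.startswith(b"MZ")


class WhitelistController:
    """Client-side state: whitelist 120 with its promotion authority flag, blacklist 140,
    and which promoted parent generated each registered child."""

    def __init__(self, blacklist: Iterable[str] = ()) -> None:
        self.whitelist: Dict[str, bool] = {}   # hash -> promotion authority flag
        self.blacklist: Set[str] = set(blacklist)
        self.parent_of: Dict[str, str] = {}    # child hash -> hash of generating parent

    def has_promotion_authority(self, p: ProgramInfo) -> bool:
        return self.whitelist.get(p.hash, False)

    def on_start(self, p: ProgramInfo) -> str:
        """S201-S210: a program is started by the user or OS (not by a promoted parent)."""
        if p.hash in self.blacklist:            # S203 -> S204
            return BLOCKED
        if promotion_rule(p):                   # S205: issued by a trusted publisher
            self.whitelist[p.hash] = True       # S208 register, S209 grant promotion authority
            return PERMITTED                    # S210
        if p.hash in self.whitelist:            # S206: general whitelist control
            return PERMITTED                    # S207
        return BLOCKED                          # S204: unknown program

    def on_generate(self, parent: ProgramInfo, child: ProgramInfo) -> bool:
        """S211-S213: a parent holding promotion authority writes a new file."""
        if not self.has_promotion_authority(parent):
            return False                        # nothing is inherited from an unpromoted parent
        if not is_executable(child):
            return False                        # data file: registration unnecessary
        self.whitelist[child.hash] = False      # S213: registered, authority not yet granted
        self.parent_of[child.hash] = parent.hash
        return True

    def on_child_start(self, parent: ProgramInfo, child: ProgramInfo) -> str:
        """S214-S217: the promoted parent starts the child it generated."""
        inherits = (self.has_promotion_authority(parent)
                    and self.parent_of.get(child.hash) == parent.hash)
        if not inherits:
            return self.on_start(child)         # not the inheritance case: ordinary flow
        if child.hash in self.blacklist:        # S215 -> S216: block ...
            self.whitelist.pop(child.hash, None)   # S217: ... and undo the registration
            return BLOCKED
        self.whitelist[child.hash] = True       # S209: child inherits promotion authority
        return PERMITTED                        # S210; grandchildren now go through on_generate

    def on_installer_start(self, installer: ProgramInfo, package: ProgramInfo) -> str:
        """FIG. 6, S221-S225: the rule is evaluated on the package, not on the installer."""
        if package.hash in self.blacklist:      # S222 -> S223
            return BLOCKED
        if promotion_rule(package) or package.hash in self.whitelist:   # S224 / S225
            self.whitelist[installer.hash] = True   # S209: installer gets promotion authority
            return PERMITTED                    # S210; extracted files then follow on_generate
        return BLOCKED                          # S223
```

A child registered at S213 but later found in the blacklist is both blocked and removed from the whitelist, which is the S216/S217 edge case the text describes.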
  • the update operation of Windows includes the above-described operation.
  • by the method of pattern 1, it is possible to perform the update of Windows (registered trademark) without blocking it.
  • in step S214 shown in FIG. 5B, it is determined whether "a descendant program is activated by a program generated from the parent program, or by the same parent program, and inherits the promotion authority from the parent program".
  • FIGS. 5A and 5B also consider a case where a program that does not have the promotion authority starts a child program generated from a program that has the promotion authority. In this case, two types of program groups, a "generation program group" and an "activation program group", are defined in advance. It is then possible to grant the promotion authority to programs that are generated from programs belonging to the generation program group and started by programs belonging to the activation program group.
  • Some commercially available software performs the above operation at the time of installation. By implementing the method of pattern 3, it becomes possible to do without blocking the installation of such software.
  • the registration program 111 transmits the program information (hereinafter, "unregistered information") of the unregistered program passed from the identification program 110 to the server 20 (S302). Then, the process returns to step S301.
  • the unregistered information may be transmitted to the server 20 in a predetermined cycle without transmitting the unregistered information immediately after the detection of the unregistered program.
  • the registration program 111 temporarily stores unregistered information, for example in a predetermined area of the storage device 10B or the memory 10E. Then, in a predetermined cycle (for example, every five minutes or every hour), it determines whether unregistered information is stored, and when it is, transmits the information to the server 20.
  • When the management console 210 of the server 20 receives the unregistered information from the client 10 (S311), it determines whether information matching the received unregistered information exists in the whitelist candidate 250 (S312). If matching information exists in the whitelist candidate 250, the process returns to step S311.
  • If no matching information exists, the management console 210 adds the received unregistered information to the whitelist candidate 250 (S313). Then, the unregistered information added to the whitelist candidate 250 is presented to the operator of the server 20 by, for example, an electronic mail or an alert window (S314).
  • the operator refers to the presented information to determine whether to register an unregistered program in the white list, and inputs an instruction according to the determination result to the management console 210.
  • the management console 210 determines whether the instruction of the operator indicates registration of the program (S315). If the instruction of the operator indicates registration, the program is registered in the whitelist master 220 (S316), and "registered” is recorded in the record of the program of the whitelist candidate 250 (S317). If the instruction of the operator indicates non-registration, “non-registration” is recorded in the record of the program of the whitelist candidate 250 without registering the program in the whitelist master 220 (S318). Then, the process returns to step S311.
  • the management console 210 transmits the data of the whitelist master 220 to the client 10 periodically (for example, every hour or every day). Thereby, the whitelist 120 of the client 10 is updated.
  • the file search tool 114 is activated by the instruction of the operator (or the server 20) of the client 10, and the file search is executed based on the instructed search condition (S401).
  • the identification program 110 receives the search result (S402).
  • the identification program 110 having received the search result acquires program information of the detected program (S403). Then, an unregistered program which does not satisfy the promotion criterion rule 130 and which does not exist in the whitelist 120 is extracted from the detected program (S404). When the unregistered program is extracted (S405), the registration program 111 transmits the program information of the unregistered program to the server 20 (S406).
  • the process of the management console 210 is the same as the process (S311 to S318 in FIG. 7) in the case of using the program activation as a trigger, and the detailed description will be omitted.
  • the determination using the promotion criteria rule 130 also reduces the task of determining whether the updater is reliable.
  • In response to an instruction from the operator of the server 20, the management console 210 is activated and creates an installer of the control program 113 (S901). After creating the installer, the management console 210 determines whether the information of the installer is present in the whitelist master 220 (S902). If the information of the installer already exists, the installer creation process ends.
  • If the information of the installer does not exist, the management console 210 registers the information of the installer in the whitelist master 220 (S903). Then, the data of the whitelist master 220 is transmitted to the client 10 periodically (for example, every other hour or every other day) (S904). Thereby, the whitelist 120 of the client 10 is updated, and the launch of the installer on the client is permitted.
  • the processing after step S902 can be configured to register a designated program (file) in the whitelist master 220 by giving a specific start option when starting the management console 210.
  • the specific start option is, for example, "-register c:\sample\sample.exe".
  • the whitelist control can be performed for a predetermined operation such as network access.
  • the whitelist 120 includes the connection destination IP address, the connection destination port number, and the like.
  • In the second embodiment, the same reference numerals are used for structures similar to those of the first embodiment.
  • the configuration of the whitelist control system in the second embodiment is the same as the configuration shown in FIG. 1 or FIG. 2, and the detailed description will be omitted, and parts different from the first embodiment will be described.
  • the identification program 110 of the second embodiment acquires program information as in the first embodiment.
  • the program information acquired by the identification program 110 of the second embodiment includes the name of the PC in which the program is stored.
  • the identification program 110 of the second embodiment has an identification function of identifying the program based on the acquired program information, and a function of determining, by referring to the acquired program information and the promotion criterion rule 130, whether the program satisfies the promotion criterion.
  • the white list 120 of the second embodiment is a list of information on programs that permit network access.
  • the program information acquired by the identification program 110 is used as the information constituting the white list 120.
  • FIG. 9 shows an example of the white list 120 according to the second embodiment.
  • the white list 120 holds, for each program, seven types of information: program name (executable file name), hash value, version information, file size, connection destination IP address, connection destination port number, and promotion permission flag described later. Note that FIG. 9 is an example, and the types and the number of pieces of information stored as the white list 120 are not limited to those shown in FIG.
  • FIG. 10 shows an example of the whitelist master 220 of the second embodiment present in the server 20.
  • the whitelist master 220 holds information associated with the whitelist 120 of a plurality of clients in association with the name and code of the client.
  • the example of FIG. 10 shows an example in which process names, hash values, connection destination IP addresses, connection destination port numbers, registration date and time, and final start date and time of a plurality of programs are held as the white list 003 corresponding to the PC 003. Note that FIG. 10 is an example, and the types and the number of information held as the whitelist master 220 are not limited to those shown in FIG.
  • the detection program 112 and the registration program 111 of the second embodiment have the same functions as those of the first embodiment.
  • the control program 113 of the second embodiment has a control function of permitting or prohibiting the network access of the program started on the client 10 based on the white list 120.
  • the control program 113 of the second embodiment also has a control function of controlling network access using the IP address or port number of the connection destination to which the program is to access as a determination reference.
  • the promotion criterion rule 130 is the same as that of the first embodiment.
  • the blacklist 140 of the second embodiment is a list of programs for which network access is prohibited.
  • the data structure of the blacklist 140 is substantially the same as the whitelist 120 shown in FIG.
  • the blacklist 140 is not essential and may not exist on the client 10, and when the blacklist 140 is not used, the blacklist master 240 of the server 20 is not essential.
  • the detection program 112 detects the activation of the program on the client 10 using a global hook or the like, and calls the identification program 110 when it detects the activation of the program.
  • the identification program 110 acquires program information of a program to be activated, and verifies whether the program satisfies the promotion criteria rule 130 or not.
  • If the program satisfies the promotion criteria rule 130, the control program 113 determines that the program is an updater, and calls the registration program 111.
  • the registration program 111 receives program information of the program from the identification program 110, and registers the program in the white list 120. This registration enables network access of the program.
  • If the program does not satisfy the promotion criteria rule 130, the control program 113 does not cause the registration program 111 to register the program. That is, the prohibition of network access of the program is maintained. While the prohibition of network access is maintained, execution of the started program may be either blocked or permitted.
  • the registration program 111 registers, in the white list 120, a record (for example, the third line in FIG. 9) of a setting in which the IP address or port number of the connection destination is not limited. Therefore, a program determined to be updater can operate normally without being restricted by network access.
  • the registration program 111 gives “promotion authority” to the program registered in the white list 120, but this processing is the same as that of the first embodiment.
  • When a program to which the promotion authority has been given generates and starts a child program, the control program 113 permits the network access of the child program.
  • The control program 113 otherwise performs general whitelist control. That is, when the identification program 110 determines that the program does not satisfy the promotion criteria rule 130, it determines whether the program is registered in the whitelist 120. If the program is registered in the whitelist 120, the control program 113 determines whether or not the program has the promotion right, and permits the network access of the program. If the program is not registered in the whitelist 120, the network access of the program is prohibited by a global hook or packet filtering.
  • the identification program 110 determines whether the program to be activated is registered in the blacklist 140 or not. Then, it is also possible to adopt a method of prohibiting the network access of the program when it is registered in the blacklist 140, and permitting the network access of the program when it is not registered in the blacklist 140.
  • the detection program 112 monitors the activation of the program (S601), and when detecting the activation of the program, advances the process to step S602.
  • the identification program 110 acquires program information of the program (S602), and determines whether the program is present in the blacklist 140 (S603). If it is determined that the program is present in the blacklist 140, the control program 113 prohibits network access of the program (S604), and returns the process to step S601. When the blacklist 140 does not exist, the identification program 110 skips the determination of step S603.
  • the identification program 110 determines whether the program satisfies the promotion criteria rule 130 (S605). If the program does not satisfy the promotion criteria rule 130, the identification program 110 determines whether the program is present in the whitelist 120 (S606).
  • If the program is present in the whitelist 120, the identification program 110 determines whether the program has the promotion right (S606B). If it is determined that the program has the promotion right, the control program 113 permits the network access of the program (S610).
  • If the program does not have the promotion right, the control program 113 permits the network access of the program (S607), and returns the process to step S601. If it is determined that the program is not present in the whitelist 120, the control program 113 prohibits the network access of the program (S604), and returns the process to step S601.
  • If the program satisfies the promotion criteria rule 130, the control program 113 passes the program information of the program to the registration program 111.
  • the registration program 111 registers the program (parent program) in the whitelist 120 (S608), and sets "promoted" in the promotion authority flag (S609). Subsequently, the control program 113 permits the network access of the parent program (S610).
  • the detection program 112 monitors the generation of a child program by the parent program to which the promotion authority has been granted (S611).
  • the detection program 112 advances the process to step S612 when the parent program generates a child program, and returns the process to step S601 when the parent program does not generate a child program.
  • the detection program 112 may monitor not only the generation of the child program but also a change (for example, renaming) to the child program or the parent program.
  • When a change in the parent program is detected, the same process as for the child program is performed on the parent program.
  • the identification program 110 acquires program information of the child program (S612), and passes the acquired program information to the registration program 111.
  • the registration program 111 registers the child program in the white list 120 (S613).
  • the detection program 112 monitors whether or not the parent program to which the promotion authority has been granted starts the child program (S614). If the parent program activates the child program, the detection program 112 advances the process to step S615. If the parent program does not activate the child program, the detection program 112 returns the process to step S601.
  • the identification program 110 determines whether the child program exists in the blacklist 140 (S615). If it is determined that the child program exists in the blacklist 140, the control program 113 prohibits network access of the child program (S616). Then, the registration program 111 deletes the registration of the child program from the whitelist 120 (S617), and returns the process to step S601.
  • When it is determined that the child program is not present in the blacklist 140, the process returns to step S609. Therefore, "presence" is set in the promotion authority flag of the child program (S609), network access of the child program is permitted (S610), and generation of a grandchild program by the child program to which the promotion authority has been given is monitored (S611). Then, when the child program generates a grandchild program, the grandchild program is registered in the whitelist 120, and when the child program having the promotion authority starts the grandchild program, the processing (S609 to S615) that gives the promotion authority to the grandchild program is repeated recursively.
  • If the blacklist 140 does not exist, the identification program 110 skips the determination of step S615. In that case, "presence" is set in the promotion authority flag of the child program activated by the parent program, or of the grandchild program activated by the child program (S609), and network access of that program is permitted (S610).
  • In step S601, the detection program 112 determines whether the program to be activated is an installer by comparison with a list stored in advance in the storage device 10B. If it is determined that an installer is activated, the processing after step S602 is switched, because the operation of an installer differs from that of other programs. That is, the determination based on the promotion criterion rule 130 needs to be performed not on the installer but on the package, so the processing shown in FIGS. 11A and 11B cannot be applied directly.
  • When an installer is activated, the identification program 110 acquires file information of the package (S621), and determines whether the package is present in the blacklist 140 (S622). If it is determined that the package is present in the blacklist 140, the control program 113 prohibits the installer from being activated (S623), and returns the process to step S601. If the blacklist 140 does not exist, the identification program 110 skips the determination of step S622.
  • the identification program 110 determines whether the package satisfies the promotion criteria rule 130 (S624). If the package does not satisfy the promotion criteria rule 130, the control program 113 prohibits activation of the installer (S623), and returns the process to step S601. That is, the installation of a package registered in the blacklist 140 or a package which does not satisfy the promotion criterion rule 130 is stopped.
  • the identification program 110 determines whether the package satisfies the promotion criteria rule 130 (S624). If the package does not satisfy the promotion criteria rule 130, the identification program 110 determines whether the package is present in the whitelist 120 (S625). If it is determined that the package does not exist in the whitelist 120, the activation of the installer is blocked (S623), and the process returns to step S601.
  • If the package is present in the whitelist 120, the control program 113 permits the installer to be activated (S626).
  • the subsequent processing is the same as in steps S609 to S617 shown in FIGS. 11A and 11B, “promoted” is set in the promotion authority flag of the installer (S609), and the network access of the installer is permitted (S610).
  • the program extracted from the package by the installer is treated the same as the child program generated by the parent program (in this case, the installer).
  • the program extracted from the package is registered in the whitelist 120 as a descendant program, and when the descendant program activates a program of the next generation, the processing (S609 to S615) that gives the promotion authority to the activated program is repeated recursively.
  • If, in step S611, an installer package is generated by the program (parent program) instead of a child program, the process of FIG. 12 can be applied to the package file.
  • In the above description, when a child program generated from a parent program having the elevation authority is launched by the parent program, the elevation authority is inherited; however, the elevation authority may instead be inherited or granted as in patterns 1 to 3 described in the first embodiment.
  • Network access control will be described with reference to the flowchart of FIG.
  • Network access control is performed by the arithmetic device 10C that executes the OS.
  • Information indicating permission or prohibition of network access for each program (for example, an access control list (ACL)) is stored by the control program 113 as a table in a RAM of the memory 10E or a predetermined area of the storage device 10B.
  • the arithmetic device 10C monitors network access by the program (S501).
  • the computing device 10C refers to the ACL to determine permission or prohibition of network access of the program (S502). Then, according to the determination result, the network access of the program is controlled.
  • If network access of the program is permitted, the arithmetic device 10C permits the network access (S503). That is, the command or data issued by the program is transferred to the network I/F 10D, and the data for the program received by the network I/F 10D is transferred to the program.
  • the ACL may set restrictions on the IP address or port number of the connection destination for each program. In that case, the arithmetic device 10C performs filtering in accordance with the restriction.
  • If network access of the program is prohibited, the arithmetic device 10C does not permit the network access (S504). That is, data transfer between the program and the network I/F 10D is not performed, and an error message is returned in response to the network access request of the program.
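As an added example that is not the patent's own code, the following simulates in memory the activation control of FIGS. 11A and 11B (steps S601 to S617, with the promotion authority propagating from a parent program to the children it generates and starts) together with the ACL-style network access check of steps S501 to S504. The promotion criterion rule (a trusted signer), the hash values, program names, signer names and destination addresses are constructed placeholders.

```python
"""Added example, not the patent's own code: whitelist control with promotion
authority on program activation (S601-S617) and the ACL-style network access
check (S501-S504), simulated in memory with constructed program data."""
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed promotion criterion rule 130: the program carries a trusted signature.
TRUSTED_SIGNERS = {"Example Vendor"}


@dataclass(frozen=True)
class ProgramInfo:
    """Program information acquired by the identification program 110."""
    name: str
    hash: str                        # constructed stand-in for the hash value
    signer: Optional[str] = None


@dataclass
class WhitelistRecord:
    """One row of the whitelist 120 (see FIG. 9)."""
    name: str
    hash: str
    dst_ip: Optional[str] = None     # None: connection destination IP not limited
    dst_port: Optional[int] = None   # None: connection destination port not limited
    promoted: bool = False           # promotion authority flag


class WhitelistController:
    def __init__(self, blacklist=()):
        self.whitelist: Dict[str, WhitelistRecord] = {}
        self.blacklist = set(blacklist)   # blacklist 140 is optional; may be empty

    def register(self, rec: WhitelistRecord) -> None:
        """Add a record, e.g. one delivered from the whitelist master 220."""
        self.whitelist[rec.hash] = rec

    def satisfies_rule(self, p: ProgramInfo) -> bool:
        return p.signer in TRUSTED_SIGNERS                # S605

    def on_start(self, p: ProgramInfo, parent: Optional[ProgramInfo] = None) -> bool:
        """Return True if network access of the started program is permitted.
        parent is the program that generated and started p, if any (S611-S614)."""
        if p.hash in self.blacklist:                      # S603 / S615
            self.whitelist.pop(p.hash, None)              # S617: drop a registered child
            return False                                  # S604 / S616
        parent_rec = self.whitelist.get(parent.hash) if parent else None
        if parent_rec is not None and parent_rec.promoted:
            # Child of a promoted parent: registered (S613) and promoted in turn (S609),
            # so a grandchild it starts is handled recursively in the same way.
            self.register(WhitelistRecord(p.name, p.hash, promoted=True))
            return True                                   # S610
        if self.satisfies_rule(p):
            # Treated as an updater: unrestricted record (third line of FIG. 9)
            # with the promotion authority flag set (S608, S609).
            self.register(WhitelistRecord(p.name, p.hash, promoted=True))
            return True                                   # S610
        if p.hash not in self.whitelist:                  # S606
            return False                                  # S604
        return True                                       # S607 (S610 if promoted)

    def network_access(self, p_hash: str, dst_ip: str, dst_port: int) -> bool:
        """S502: consult the ACL (here the whitelist record) and filter on the
        connection destination; an unregistered program is rejected (S504)."""
        rec = self.whitelist.get(p_hash)
        if rec is None:
            return False
        if rec.dst_ip is not None and rec.dst_ip != dst_ip:
            return False
        if rec.dst_port is not None and rec.dst_port != dst_port:
            return False
        return True                                       # S503: forwarded to I/F 10D


def demo() -> dict:
    """Constructed scenario; returns every decision so it can be checked."""
    ctl = WhitelistController(blacklist={"h_bad"})
    ctl.register(WhitelistRecord("browser.exe", "h_browser", "203.0.113.10", 443))
    updater = ProgramInfo("updater.exe", "h_upd", signer="Example Vendor")
    child = ProgramInfo("setup.exe", "h_child")
    return {
        "unknown": ctl.on_start(ProgramInfo("unknown.exe", "h_unknown")),
        "browser": ctl.on_start(ProgramInfo("browser.exe", "h_browser")),
        "browser_443": ctl.network_access("h_browser", "203.0.113.10", 443),
        "browser_80": ctl.network_access("h_browser", "203.0.113.10", 80),
        "updater": ctl.on_start(updater),
        "updater_any": ctl.network_access("h_upd", "198.51.100.7", 8443),
        "child": ctl.on_start(child, parent=updater),
        "grandchild": ctl.on_start(ProgramInfo("helper.exe", "h_gc"), parent=child),
        "bad_child": ctl.on_start(ProgramInfo("blocked.exe", "h_bad"), parent=updater),
        "bad_child_registered": "h_bad" in ctl.whitelist,
    }
```

The blacklisted child is refused even though its parent holds the promotion authority, and its registration is dropped, as steps S615 to S617 require.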
  • When a program registered in the whitelist 120 is updated, the program before the update and the program after the update may be associated, and the whitelist 120 may be updated based on the association.
  • In this way, a record having the same settings as the program before the update can be registered in the whitelist 120, and the whitelist updating function can be made more secure. Details are described below.
  • Overwrite update: detecting overwriting and updating the whitelist.
  • An example in which the write operations of a process are monitored and the whitelist 120 is set appropriately will be described.
  • the overwrite update is, for example, overwriting the data (file) before update with the data (file) after update.
  • the detection program 112 detects the write request (S1001), and determines whether the process that made the write request has the promotion authority (S1002). If the process does not have the promotion authority, the detection program 112 ends the processing for the write request, and again monitors write requests from the process.
  • the identification program 110 specifies a program to be written (hereinafter, “target program”) from the write request.
  • the target program may be specified from the file path and the file name.
  • the hash value of the target program is acquired, and it is determined whether the target program is registered in the white list 120 based on the hash value (S1003).
  • If the target program is not registered in the whitelist 120, the processing shifts to the whitelist control processing shown in FIG. 11A, 11B or 12, the target program is added to the whitelist 120 (S1007), and the processing for the write request ends.
  • If the target program is registered in the whitelist 120, the identification program 110 acquires information on the target program before writing (S1004).
  • the information to be acquired includes, for example, a hash value, a file path, a signer name, a creator name, a creation company name, and the like.
  • the identification program 110 acquires information of the target program after writing (S1005).
  • the information to be acquired includes, for example, a hash value, a file path, a signer name, a creator, a creation company name, and the like.
  • the information of the target program before and after the writing is compared to determine whether the overwrite update has been performed (S1006). This determination may be performed under the condition that, for example, the file path is the same, the file name is the same, or the signer's name is the same, and the determination condition may be one or more.
  • If it is determined that the overwrite update has not been performed, the process proceeds to step S1007 described above. If it is determined that the overwrite update has been performed, the identification program 110 acquires the permission information of the whitelist 120 based on the hash value before the writing (before the overwrite update) (S1008).
  • the permission information is, for example, a promotion authority, a connection destination port for which communication is permitted, a connection destination IP address for which communication is permitted (see FIG. 9).
  • the registration program 111 receives from the identification program 110 the hash value after writing (after the overwrite update) acquired in step S1005 and the permission information acquired in step S1008. Then, the hash value after the overwrite update and the permission information are associated with the overwritten target program and registered in the whitelist 120 (S1009), and the processing for the write request is completed.
  • In step S1009, the hash value before the overwrite update, the permission information, and the like may be deleted from the whitelist 120 or may be left in the whitelist 120. If they are left in the whitelist 120, it becomes possible to handle the case where the program is reverted to the version before the update because of a defect in the updated program, or the case where another user has not performed the update.
  • A replacement update is a process of updating a program by, for example, deleting or moving a file or changing its file name, and then creating or moving the updated file or changing its file name.
  • FIG. 15 shows a process for an original file deletion request or a file name change request.
  • the detection program 112 detects the deletion request or change request (hereinafter referred to as "request") (S1101), and determines whether the process that made the request has the promotion authority (S1102). If the process does not have the promotion authority, the detection program 112 ends the processing for the request and again monitors deletion requests or change requests from the process.
  • the identification program 110 specifies a program (hereinafter, “target program”) to be deleted from the request or to change the file name.
  • the target program may be specified from the file path and the file name.
  • the hash value of the target program is acquired, and it is determined whether the target program is registered in the white list 120 based on the hash value (S1103).
  • If the target program is not registered in the whitelist 120, the identification program 110 determines whether the request is a request for changing the file name (S1106). If it is not a file name change request (that is, it is a deletion request), the identification program 110 ends the processing for the request, and the detection program 112 again monitors file deletion requests or file name change requests from the process. In the case of a file name change request, the process proceeds to the whitelist control process shown in FIG. 11A, 11B or 12, the target program is added to the whitelist 120 (S1107), and the processing for the request ends.
  • If the target program is registered in the whitelist 120, the identification program 110 acquires information of the target program before the deletion or file name change (S1104).
  • the information to be acquired includes, for example, a hash value, a file path, a signer name, a creator name, a creation company name, and the like.
  • the registration program 111 receives from the identification program 110 the process name and process ID of the process that issued the request, the file name of the target program, and the information acquired in step S1104. Then, the received information is registered in the list (S1105), and the processing for the request is completed.
  • FIG. 16 shows an example of a list in which the registration program 111 registers information.
  • FIG. 17 shows processing for a file creation request or a file name change request.
  • the detection program 112 detects the creation request or change request ("request") (S1201), and determines whether the process that made the request has the promotion authority (S1202). If the process does not have the promotion authority, the detection program 112 ends the processing for the request and again monitors creation or change requests from the process.
  • the identification program 110 determines whether the creation of the file or the change of the file name has ended (S1203). Then, when the creation of the file or the change of the file name is completed, the information of the created file or the file whose file name is changed ("target program") is acquired (S1204).
  • the information to be acquired includes, for example, a file name of a target program, a hash value, a file path, a signer name, a creator name, a creation company name, and the like.
  • the identification program 110 compares the process name and process ID of the process that issued the request, together with the information acquired in step S1204, with the information registered in the list shown in FIG. 16 (S1205). Then, it determines whether a replacement update has been performed (S1206). This determination may be performed under the condition that, for example, the process ID is the same, the file path is the same, the file name is the same, or the signer's name is the same, and the determination condition may be one or more.
  • If it is determined that a replacement update has not been performed, the process proceeds to the whitelist control process shown in FIG. 11A, 11B or 12, the target program is added to the whitelist 120 (S1207), and the processing for the request ends.
  • If it is determined that a replacement update has been performed, the identification program 110 acquires the permission information of the whitelist 120 based on the hash value of the record in the list that corresponds to the target program (S1208).
  • the permission information is, for example, a promotion authority, a connection destination port for which communication is permitted, a connection destination IP address for which communication is permitted (see FIG. 9).
  • the registration program 111 receives, from the identification program 110, the hash value of the target program after replacement update and the permission information acquired in step S1208. Then, the hash value and the permission information after the replacement update are associated with the target program replaced and updated, and registered in the white list 120 (S1209), and the processing for the request is completed.
  • In step S1208, the hash value before the replacement update, the permission information, and the like may be deleted from the whitelist 120 or may be left in the whitelist 120. If they are left in the whitelist 120, it becomes possible to handle the case where the program is reverted to the version before the update because of a defect in the updated program, or the case where other users have not performed the update.
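As an added example that is not the patent's own code, the following carries the permission information of a registered program across an overwrite update (FIG. 14, S1001 to S1009) and a replacement update (FIGS. 15 to 17, S1101 to S1209). The in-memory file system, the process IDs, the signer names and the file paths are constructed; hash values are SHA-256 of the constructed file contents, standing in for whatever hash the product uses, and the determination condition used is "same file path and same signer".

```python
"""Added example, not the patent's own code: carrying the whitelist 120
permission information of a program across an overwrite update (S1001-S1009)
and a replacement update (S1101-S1209). File system, process IDs, signers and
paths are constructed; hash values are SHA-256 of the constructed contents."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Permission:
    """Permission information held in the whitelist 120 (see FIG. 9)."""
    promoted: bool
    dst_ip: Optional[str] = None     # None: connection destination not limited
    dst_port: Optional[int] = None


@dataclass
class FileInfo:
    """Information acquired about a target program (S1004, S1005, S1104, S1204)."""
    path: str
    hash: str
    signer: str


class UpdateTracker:
    def __init__(self, fs: Dict[str, Tuple[bytes, str]], promoted_pids: set):
        self.fs = fs                          # path -> (content, signer name)
        self.promoted_pids = promoted_pids    # processes holding the promotion authority
        self.whitelist: Dict[str, Permission] = {}      # keyed by hash value
        self.pending: List[Tuple[int, FileInfo]] = []   # the list of FIG. 16

    def info(self, path: str) -> FileInfo:
        content, signer = self.fs[path]
        return FileInfo(path, hashlib.sha256(content).hexdigest(), signer)

    @staticmethod
    def same_program(before: FileInfo, after: FileInfo) -> bool:
        """Determination condition of S1006 / S1206: same file path and same signer."""
        return before.path == after.path and before.signer == after.signer

    def on_write(self, pid: int, path: str, content: bytes, signer: str) -> str:
        """Write request handling of FIG. 14 (overwrite update)."""
        if pid not in self.promoted_pids:                 # S1002
            self.fs[path] = (content, signer)
            return "ignored"
        before = self.info(path)                          # S1004
        self.fs[path] = (content, signer)                 # the write itself
        after = self.info(path)                           # S1005
        if before.hash not in self.whitelist:             # S1003
            return "whitelist-control"                    # S1007: handled as a new program
        if not self.same_program(before, after):          # S1006
            return "whitelist-control"
        # S1008 / S1009: the new hash inherits the old permission information; the
        # old record is left in place so that a rollback to the old file still works.
        self.whitelist[after.hash] = self.whitelist[before.hash]
        return "carried-over"

    def on_delete(self, pid: int, path: str) -> str:
        """Deletion request handling of FIG. 15 (first half of a replacement update)."""
        before = self.info(path)                          # S1104
        del self.fs[path]
        if pid not in self.promoted_pids:                 # S1102
            return "ignored"
        if before.hash not in self.whitelist:             # S1103: unregistered file
            return "ignored"
        self.pending.append((pid, before))                # S1105: record in the list
        return "recorded"

    def on_create(self, pid: int, path: str, content: bytes, signer: str) -> str:
        """Creation request handling of FIG. 17 (second half of a replacement update)."""
        self.fs[path] = (content, signer)                 # S1203: creation finished
        if pid not in self.promoted_pids:                 # S1202
            return "ignored"
        after = self.info(path)                           # S1204
        for i, (rec_pid, before) in enumerate(self.pending):         # S1205
            if rec_pid == pid and self.same_program(before, after):  # S1206
                self.whitelist[after.hash] = self.whitelist[before.hash]  # S1208, S1209
                del self.pending[i]
                return "carried-over"
        return "whitelist-control"                        # S1207


def demo() -> dict:
    """Constructed scenario: an updater process (PID 100) holding the promotion
    authority updates a registered program in place, then by replacement."""
    fs = {"C:/app/agent.exe": (b"agent v1", "Example Vendor")}
    t = UpdateTracker(fs, promoted_pids={100})
    h1 = t.info("C:/app/agent.exe").hash
    t.whitelist[h1] = Permission(True, "203.0.113.10", 443)   # constructed record
    r1 = t.on_write(100, "C:/app/agent.exe", b"agent v2", "Example Vendor")
    h2 = t.info("C:/app/agent.exe").hash
    r2 = t.on_delete(100, "C:/app/agent.exe")
    r3 = t.on_create(100, "C:/app/agent.exe", b"agent v3", "Example Vendor")
    h3 = t.info("C:/app/agent.exe").hash
    return {"overwrite": r1, "delete": r2, "create": r3,
            "v2_port": t.whitelist[h2].dst_port, "v3_port": t.whitelist[h3].dst_port,
            "hashes_distinct": len({h1, h2, h3}) == 3}
```

A write by a process without the promotion authority, or one that changes the signer, never inherits the old permission information and falls back to ordinary whitelist control.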
  • The client 10 is not limited to a PC; it may be, for example, a network scanner, or a terminal having no display, for example an embedded terminal.
  • The whitelist control system using the whitelist has been described above.
  • the present invention is not limited to the whitelist, and the above process can be applied to a blacklist control system using a blacklist.
  • the client 10 may have an operation history (not shown).
  • program information and the like acquired by the identification program 110 are recorded as the user's operation history.
  • For example, for a program start, the executable file name (program name), hash value, version information, file size, file path, digital signature, program start/stop (success/failure), and the like are recorded in the operation history. For a network access request, the executable file name (program name), hash value, version information, file size, connection destination IP address, connection destination port number, network access permission/prohibition (success/failure), and the like are recorded in the operation history. Further, the date and time at which the action of the process was detected is also recorded in the operation history.
  • the server 20 of the first and second embodiments may have an operation history (not shown).
  • the control program 113 periodically (for example, every hour or every day) transmits the operation history (data file) held by the client 10 to the server 20, and the server 20 stores the operation history transmitted from the client 10 in its own operation history.
  • the operation history may be recorded in association with the name or code of the client 10 and managed.
  • the control program 113 may transmit the operation history to the server 20 in real time.
  • If a program recorded in the operation history has not been activated for a predetermined period (for example, one month) and the whitelist 120 or the whitelist master 220 includes information of the program, that information can be deleted automatically.
  • The present invention is also realized by executing the following processing. That is, software (a program) for realizing the functions of the above-described embodiments is supplied to a system or apparatus via a network or various storage media, and a computer (or CPU, MPU, or the like) of the system or apparatus reads and executes the program.
  • the program may be executed by one computer or may be executed in conjunction with a plurality of computers.

Abstract

The invention relates to tracking the launch of a program, as well as the creation or replacement of a program, or performing a program search. A determination as to whether or not the program satisfies a prescribed criterion is made on the basis of program information about the program whose launch was tracked or about a detected program. A program that has been determined to satisfy the prescribed criterion is registered in a list.
PCT/JP2013/006022 2012-10-09 2013-10-09 Information processing device and control method therefor, information processing system, and information processing method WO2014057668A1 (fr)

Priority Applications (1)

Application Number Priority Date Filing Date Title
US14/664,410 US9767280B2 (en) 2012-10-09 2015-03-20 Information processing apparatus, method of controlling the same, information processing system, and information processing method

Applications Claiming Priority (10)

Application Number Priority Date Filing Date Title
JP2012-224574 2012-10-09
JP2012-224575 2012-10-09
JP2012224575 2012-10-09
JP2012224574 2012-10-09
JP2013041248A JP6165469B2 (ja) 2013-03-01 2013-03-01 情報処理装置およびその制御方法、並びに、情報処理システム
JP2013-041248 2013-03-01
JP2013211424A JP6253333B2 (ja) 2012-10-09 2013-10-08 情報処理装置、情報処理システムおよび情報処理方法
JP2013-211424 2013-10-08
JP2013-211423 2013-10-08
JP2013211423A JP6254414B2 (ja) 2012-10-09 2013-10-08 情報処理装置、情報処理システムおよび情報処理方法

Related Child Applications (1)

Application Number Title Priority Date Filing Date
US14/664,410 Continuation US9767280B2 (en) 2012-10-09 2015-03-20 Information processing apparatus, method of controlling the same, information processing system, and information processing method

Publications (1)

Publication Number Publication Date
WO2014057668A1 true WO2014057668A1 (fr) 2014-04-17

Family

ID=50477150

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2013/006022 WO2014057668A1 (fr) 2012-10-09 2013-10-09 Dispositif de traitement d'informations et procédé de commande à cet effet, système de traitement d'informations, ainsi que procédé de traitement d'informations

Country Status (1)

Country Link
WO (1) WO2014057668A1 (fr)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2010182196A (ja) * 2009-02-06 2010-08-19 Kddi Corp 情報処理装置およびファイル検証システム
JP2011123675A (ja) * 2009-12-10 2011-06-23 Fujitsu Ltd 実行制御方法、実行制御プログラムおよび実行制御装置
WO2012027588A1 (fr) * 2010-08-25 2012-03-01 Lookout, Inc. Système et procédé adaptés pour prévenir un logiciel malveillant couplé à un serveur
JP2012185745A (ja) * 2011-03-07 2012-09-27 Kddi Corp 携帯端末、プログラム、および通信システム

Similar Documents

Publication Publication Date Title
US11093625B2 (en) Adaptive file access authorization using process access patterns
US9767280B2 (en) Information processing apparatus, method of controlling the same, information processing system, and information processing method
JP6356158B2 (ja) 仮想化環境においてアプリケーション及びデバイスを制御する方法並びに技術
JP4828199B2 (ja) アンチウィルスソフトウェアアプリケーションの知識基盤を統合するシステムおよび方法
JP2019082989A (ja) 標的型攻撃をクラウド型検出、探索および除去するシステムおよび方法
JP6254414B2 (ja) 情報処理装置、情報処理システムおよび情報処理方法
JP2015212979A (ja) バーチャルマシーンモニタベースのアンチマルウェアセキュリティのためのシステム及び方法
EP3847568B1 (fr) Protection de disques sélectionnés sur un système informatique
JP2010160791A (ja) コンテキストアウェアによるリアルタイムコンピュータ保護システムおよび方法
US20180357416A1 (en) File-type whitelisting
CN105760787A (zh) 用于检测随机存取存储器中的恶意代码的系统及方法
JP6165469B2 (ja) 情報処理装置およびその制御方法、並びに、情報処理システム
US11636219B2 (en) System, method, and apparatus for enhanced whitelisting
US11507675B2 (en) System, method, and apparatus for enhanced whitelisting
US11275828B1 (en) System, method, and apparatus for enhanced whitelisting
US10963569B2 (en) Early boot driver for start-up detection of malicious code
JP6253333B2 (ja) 情報処理装置、情報処理システムおよび情報処理方法
JP2020181567A (ja) アクセス権に基づいてコンピューティングデバイス上でタスクを実行するシステムおよび方法
CN110659478A (zh) 在隔离的环境中检测阻止分析的恶意文件的方法
WO2014057668A1 (fr) Dispositif de traitement d'informations et procédé de commande à cet effet, système de traitement d'informations, ainsi que procédé de traitement d'informations
JP6884652B2 (ja) ホワイトリスト管理システムおよびホワイトリスト管理方法
RU2592383C1 (ru) Способ формирования антивирусной записи при обнаружении вредоносного кода в оперативной памяти
US20240152285A1 (en) Storage for AI Applications
US11182486B2 (en) Early boot driver for start-up detection of malicious code
US20220188409A1 (en) System, Method, and Apparatus for Enhanced Blacklisting

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application Ref document number: 13845589; Country of ref document: EP; Kind code of ref document: A1
NENP Non-entry into the national phase Ref country code: DE
122 Ep: pct application non-entry in european phase Ref document number: 13845589; Country of ref document: EP; Kind code of ref document: A1