JP2024046098A - Information management device and information management program - Google Patents

Abstract

To accurately detect information leakage in a computer network.SOLUTION: An information management device comprises: a use information acquisition section 111 that acquires use information including use history of a user who uses a service via a user terminal 40 from a plurality of server devices 20 each providing service on a network TG; a terminal information acquisition section 112 that acquires terminal information from a development dedicated PC 30 that performs user authentication when the user terminal 40 accesses the network TG and acquires terminal information including identification information of the user terminal 40; a risk degree calculation section 113 that, on the basis of the use information acquired by the use information acquisition section 111, calculates a risk index indicating a risk degree of information leakage by the user and stores the risk index in a storage section 12 in association with the use information and the terminal information; and a warning section 114 that generates warning information on the basis of a total value of the risk index stored in the storage section 12 in association with the user by the risk degree calculation section 113.SELECTED DRAWING: Figure 2

Description

The present invention relates to an information management device and an information management program that manage information on a computer network.

As a device of this kind, a device is known that generates an analysis screen based on the usage history of computer resources and outputs it to a display device so that an administrator can detect information leakage in a computer network. (For example, see Patent Document 1). The device described in Patent Document 1 generates display data including an analysis screen to be provided to an administrator based on usage history data transmitted from a user's terminal device.

Japanese Patent Application Publication No. 2007-304943

However, depending on the configuration of the computer network, it may be difficult to obtain the usage history of computer resources from the user's terminal device. In such a case, there is a possibility that information leakage cannot be accurately detected.

The information management device according to one aspect of the present invention includes a first acquisition unit that acquires usage information including usage history of a user who uses a service via a user terminal from a plurality of first server devices each providing a service on a communication network; a second acquisition unit that acquires terminal information from a second server device that performs user authentication when the user terminal is connected to the communication network and acquires terminal information including identification information of the user terminal; a calculation unit that calculates a risk index indicating the degree of risk of information leakage by the user based on the usage information acquired by the first acquisition unit and stores the risk index in a storage unit in association with the usage information and the terminal information; and a warning unit that generates warning information based on the total value of the risk index stored in the storage unit in association with the user by the calculation unit.

An information management program according to another aspect of the present invention causes a computer to execute a first process of acquiring usage information, including usage history, of a user who uses a service via a user terminal from a plurality of first server devices each providing a service on a communication network; a second process of acquiring terminal information from a second server device that performs user authentication when the user terminal is connected to the communication network and acquires terminal information including identification information of the user terminal; a third process of calculating a risk index indicating the degree of risk of information leakage by the user based on the usage information acquired in the first process, and storing the risk index in a storage unit in association with the usage information and the terminal information; and a fourth process of generating warning information based on the total value of the risk index stored in the storage unit in association with the user in the third process.

According to the present invention, information leakage in a computer network can be detected with high accuracy.

1 is a diagram showing an example of a computer network to which an information management device according to an embodiment of the present invention is applied; 1 is a block diagram showing a schematic configuration of a system including an information management device according to an embodiment of the present invention. FIG. 4 is a diagram showing an example of an access log stored in a log storage unit of the server device. An example of a table showing the correspondence between user action types and their risk levels. 3 is a flowchart showing an example of a process executed by a calculation unit of the information management device of FIG. 2 .

Embodiments of the present invention will be described below with reference to FIGS. 1 to 5. FIG. 1 is a diagram showing an example of a computer network (hereinafter referred to as a communication network or simply a network) to which an information management device (also referred to as an information leakage risk detection device) according to an embodiment of the present invention is applied. As shown in FIG. 1, the network TG to be managed (monitored) by the information management device 10 includes a server device 30 and a plurality of server devices 20 (20-1, 20-2, 20-3, ... 20- n). The communication terminal 40 is connected to an in-house LAN (Local Area Network) 50 of a company to which employees (users) such as developers belong, and is used by the users. The in-house LAN 50, as shown in FIG. 1, is a communication network independent of the network TG. The plurality of server devices 20 provide various services necessary for the user to develop software via the server device (hereinafter referred to as a development PC (personal computer)) 30 to the user's communication terminal (hereinafter referred to as the user's communication terminal). terminal or user terminal) 40. In this way, a software development environment is constructed in the network TG in FIG. 1, and the user can perform tasks such as software development using the software development environment via the user terminal 40. Note that in FIG. 1, one user terminal 40 is illustrated to simplify the explanation, but if multiple users use the software development environment built on the network TG, each user terminal 40 may be A user terminal 40 is connected to the in-house LAN 50.

By operating the user terminal 40 and logging into the development-dedicated PC 30 of the network TG, the user can transmit and receive data with each server device 20 of the network TG. Specifically, the user performs an authentication operation via the user terminal 40. When the development-dedicated PC 30 receives the user identification information (user ID) and password input by the user in the authentication operation from the user terminal 40, it performs user authentication. If the user authentication by the development-only PC 30 is successful, the user can use the services provided by the server device 20. Note that the development-only PC 30 has a single sign-on (SSO) function, and once the user is authenticated by the development-only PC 30, the user does not have to perform an authentication operation (login operation) for each server device 20 individually. , it becomes possible to use the services provided by each server device 20.

Each of the plurality of server devices 20 is managed by a so-called ASP (Application Service Provider), which is a business that provides services (SaaS (Software as a Service), etc.) on cloud computing (hereinafter simply referred to as cloud). . For example, the server device 20-1 is managed by an ASP that provides a messaging application. The server device 20-2 is managed by an ASP that provides task management services and document sharing services. The server device 20-3 is managed by an ASP that provides an online whiteboard (a whiteboard that can be shared online). The server device 20-4 is managed by an ASP that provides a platform for software development that allows sharing of source code.

In a system configuration (hereinafter referred to as a conventional system configuration) in which a software development environment is built on a network to which a user terminal 40 belongs, that is, an internal company LAN 50, access between the internal company LAN 50 and the outside world is restricted to connections via a VPN (Virtual Private Network) to prevent information leakage and ensure security. However, such access restrictions may cause inconveniences such as an inability to view technical information required for development (technical information published on a website) or slow communication speeds when accessing the outside world. In addition, with the recent spread of teleworking and remote work, the VPN load may further increase due to an increase in communication terminals (notebook PCs loaned to employees by the company and employees' home PCs) that access the internal company LAN 50 from outside the company.

In this regard, in the conventional system configuration in which a software development environment is constructed on a network TG outside the in-house LAN 50 as shown in FIG. 1, a VPN connection is not required, so the occurrence of problems associated with the VPN as described above can be suppressed. On the other hand, in the system configuration in which a software development environment is constructed using computer resources on the cloud as shown in FIG. 1, instead of a border defense type security architecture that restricts access to the outside, a zero trust type security architecture is introduced that eliminates implicit trust within the network, that is, that does not trust either the inside or outside of the network. In the zero trust type, logs are collected from communication terminals that use the software development environment, and the logs are centrally managed to monitor information leaks and ensure the security of computer resources. However, as shown in FIG. 1, when the user terminal 40 and the computer resources belong to different networks, it is not easy to collect logs from the communication terminals, and in this case, it is difficult to ensure the security of the computer resources. In consideration of this point, in this embodiment, the information management device 10 is configured as follows.

FIG. 2 is a block diagram showing a schematic configuration of a system including the information management device 10 according to the embodiment of the present invention. As shown in FIG. 2, the information management device 10 can communicate with the server device 20 of the network TG and the development-dedicated PC 30 via a wireless or wired communication line.

The server device 20 includes a log storage unit 21 such as ROM and RAM. The log storage unit 21 stores log data (hereinafter referred to as an access log) including an access history to the server device 20. FIG. 3 is a diagram showing an example of an access log stored in the log storage unit 21 of the server device 20, specifically, the server device 20-4. As shown in FIG. 3, the access log of the server device 20-4 includes, in chronological order, date and time information indicating the date and time of access, the IP address of the access source, and event information indicating the content (event) of the access. , the user ID of the user who made the access, and information regarding the file to be accessed (file storage location and file name). Note that the access log may include other information.

The development-only PC 30 includes a computer having an arithmetic unit 31 such as a CPU (microprocessor), a storage unit 32 such as ROM and RAM, and other peripheral circuits (not shown) such as an I/O interface.

The storage unit 32 includes a log storage unit 321, a user information storage unit 322 that stores user information, and a terminal information storage unit 323 that stores terminal information. The user information includes the user ID and password of a user who is registered in advance as a user of the server device 20 (hereinafter referred to as a registered user). Note that the user information may include personal information such as an email address of a registered user managed by an organization such as a company or a development group.

The calculation unit 31 has an account management unit 311, a terminal monitoring unit 312, and a data transmission/reception unit 313 as functional components.

Upon receiving the user ID and password from the user terminal 40, the account management unit 311 performs user authentication. More specifically, the account management unit 311 determines that user authentication is successful when the received combination of user ID and password is stored as user information in the user information storage unit 322, that is, when the user is a registered user. It is determined that the user has done so, and the user is permitted to use the server device 20. The account management unit 311 acquires the terminal information of the user terminal 40 during user authentication, and stores the acquired terminal information in the terminal information storage unit 323 in association with the user ID and password. The terminal information of the user terminal 40 includes the IP address of the user terminal 40. Note that the terminal information may include information other than the IP address, such as a MAC address.

The terminal monitoring unit 312 monitors the behavior of the endpoint (user terminal 40). More specifically, operation logs (log data indicating the history of operations performed on the user terminal 40) are collected from the user terminal 40, and security threats such as computer viruses and suspicious behavior of the user terminal 40 are detected. . The terminal monitoring unit 312 stores operation logs collected from the user terminals 40 in the log storage unit 321. Further, when the terminal monitoring unit 312 detects a security threat or the like, it transmits notification information (display information, etc.) for notifying the administrator of the detection result to the information management device 10. By displaying the notification information on the display included in the information management device 10, the administrator can be made aware that a security threat or the like has occurred at the user terminal 40.

The data transmission/reception unit 313 transmits and receives data (such as source code) to and from the user terminal 40 in response to a request from the user terminal 40. For example, when the user terminal 40 requests to upload source code to the server device 20-4, the data transmission/reception unit 313 receives the source code to be uploaded from the user terminal 40 and uploads it to the server device 20-4. Also, when the user terminal 40 requests to download source code from the server device 20-4, the data transmission/reception unit 313 downloads the source code to be downloaded from the server device 20-4 and transmits it to the user terminal 40. In this way, data transmission/reception between the user terminal 40 and the server device 20 is performed via the data transmission/reception unit 313. The log storage unit 321 stores log data (hereinafter referred to as a transmission/reception log) including a history of data transmission/reception between the user terminal 40 and the server device 20. The transmission/reception log includes, in chronological order, date and time information indicating the date and time when data transmission/reception was performed, the IP address of the user terminal 40 that performed the data transmission/reception, information about the file to be transmitted/received (file storage location and file name), and the like. The transmission/reception log may also include other information.

The information management device 10 includes a computer having a calculation section 11 such as a CPU (microprocessor), a storage section 12 such as ROM or RAM, a communication section 13, and other peripheral circuits (not shown) such as an I/O interface. It consists of: The information management device 10 is communicably connected to the server device 20 and the development-dedicated PC 30 via the communication unit 13 .

The calculation unit 11 has, as its functional configuration, a usage information acquisition unit 111, a terminal information acquisition unit 112, a risk level calculation unit 113, and a warning unit 114.

The usage information acquisition unit 111 acquires usage information indicating the usage history of the server device 20 by the user. The usage information includes at least the log data (access log) stored in the log storage unit 21 of the server device 20 and the log data (operation log and transmission/reception log) stored in the log storage unit 321 of the development PC 30. The usage information acquisition unit 111 acquires the log data from the server device 20 and the development PC 30 via the communication unit 13.

The terminal information acquisition unit 112 accesses the development-dedicated PC 30 and acquires the terminal information of the user terminal 40 and the user ID associated with the terminal information from the terminal information storage unit 323 of the development-dedicated PC 30.

When the usage information is acquired by the usage information acquisition unit 111, the risk degree calculation unit 113 calculates a risk index (hereinafter also referred to as risk degree) that indicates the degree of risk of information leakage from the network TG by the user, based on the usage information. ) is calculated. More specifically, first, the risk level calculation unit 113 identifies the user's action based on the usage information. FIG. 4 is an example of a table showing the correspondence between the types of user actions and their risk levels. The table in FIG. 4 is stored in the storage unit 12 in advance. Although 15 actions (actions #1 to #15) are illustrated in FIG. 4, the types of actions are not limited to 15. Furthermore, in the example shown in FIG. 4, the higher the action is on the table, the higher the risk level. The risk level calculation unit 113 identifies the user's action, and refers to the table in FIG. 4 to determine which of actions #1 to #15 the identified action corresponds to. A risk degree value is determined in advance for each type of action, and the risk degree calculation unit 113 outputs the value as a calculation result. Note that the risk degree calculation unit 113 may output a value obtained by multiplying the value by a predetermined coefficient as the calculation result. The risk degree calculation unit 113 stores the calculated risk degree in the storage unit 12 in association with the usage information acquired by the usage information acquisition unit 111 and the terminal information and user ID acquired by the terminal information acquisition unit 112. do.

For example, if the file "file001" in the log data (access log) in FIG. It is determined that the user's action at time t15 corresponding to “U006” corresponds to action #3 in FIG. 4 .

At this time, in addition to access logs collected by the server device 20, other information such as transmission/reception logs and operation logs collected by the development PC 30, user information stored in the user information storage unit 322, etc. The action may be determined. Thereby, user actions can be determined more accurately. For example, when "add_x" in Figure 3 is an IP address normally used in a company, the log data in Figure 3 alone indicates that the action of the user corresponding to the user ID "U123" is not any of the actions in Figure 4. It is difficult to determine whether this applies. However, by also using the operation log of the user terminal corresponding to the IP address "add_x" collected by the development-only PC 30, the user's actions can be identified. As a specific example, when the operation log includes an operation history of accessing a cloud outside the network TG at a time after t12, it can be determined that the user's action corresponds to action #1 in FIG. 4. Furthermore, when the operation log includes an operation history in which an electronic recording medium such as a USB memory (hereinafter simply referred to as an electronic medium) was connected at a time after t12, the user's action corresponds to action #4 in FIG. Then you can judge. Furthermore, when it is recognized that the user will retire within several days after t12 based on the user information corresponding to the user ID "U123" stored in the user information storage unit 322, the user's action is changed to action #2 in FIG. It can be determined that this applies to

The warning unit 114 calculates the total value of the risk level stored in the storage unit 12 in association with the user ID of the user by the risk level calculation unit 113, and determines whether or not a warning (alert) to the administrator is necessary based on the total value. More specifically, when the total value of the risk level is equal to or greater than a predetermined threshold, the warning unit 114 determines that the user may have leaked information, and determines that a warning to the administrator is necessary. When the warning unit 114 determines that a warning to the administrator is necessary, it generates information (hereinafter referred to as warning information) for notifying the administrator of the possibility of information leakage. The warning information may be display information including character information or the like, or may be audio information. In addition, the alarm information may include information that prompts the administrator to take security measures, may include a user ID so that the administrator can identify the user, or may include a total value of the risk level so that the administrator can recognize the degree of risk of information leakage. The warning unit 114 outputs the warning information to an output device (not shown) provided in the information management device 10. When the warning information includes display information, the display information is output to an output device (display). When the warning information includes audio information, the audio information is output to an output device (speaker). The warning unit 114 may also transmit the warning information to a communication terminal (mobile terminal such as a smartphone) carried by the administrator. In other words, the warning information may be output via a display or speaker of the administrator's mobile terminal.

Figure 5 is a flowchart showing an example of processing executed by the computing unit 11 of the information management device 10 of Figure 2 in accordance with a predetermined program (hereinafter referred to as the information management program). The processing shown in this flowchart is started, for example, when the information management device 10 is powered on, and is repeated at a predetermined interval.

First, in step S11, it is determined whether log data has been acquired. Specifically, it is determined whether the log data stored in the log storage unit 21 of the server device 20 has been updated, and when the log data has been updated, the server device 20 is accessed and the log data stored in the log storage unit 21 is Get data. Further, it is determined whether the log data stored in the log storage unit 321 of the development-only PC 30 has been updated, and when it has been updated, the log data stored in the log storage unit 321 is accessed by accessing the development-only PC 30. get. The log data acquired in step S11 is stored in the storage unit 12 as usage information. If the answer is affirmative in step S11, that is, if the log data is acquired from the server device 20 or the development-dedicated PC 30, the risk level is calculated based on the usage information stored in the storage unit 12 in step S12.

In step S13, it is determined whether an alert to the administrator is necessary based on the risk degree calculated in step S12. If the result in step S13 is negative, the process ends. If the answer is affirmative in step S13, warning information is generated and output to an output device (not shown) of the information management device 10.

According to the embodiment of the present invention, the following effects can be achieved.
(1) The information management device 10 acquires usage information including usage history of users who use the above-mentioned services via the user terminals 40 from a plurality of server devices 20 each providing a service on the network TG. A usage information acquisition unit 111 that performs processing, and a second unit that acquires terminal information from the development-dedicated PC 30 that performs user authentication when connecting the user terminal 40 to the network TG and acquires terminal information including identification information of the user terminal 40. When usage information is acquired by the terminal information acquisition unit 112 that performs processing and the usage information acquisition unit 111, a risk index indicating the degree of risk of information leakage by the user is calculated based on the usage information, and the risk index is used. A risk level calculation unit 113 performs a third process of storing the information in the storage unit 12 in association with the terminal information, and a risk level calculation unit 113 generates warning information based on the total value of the risk index stored in the storage unit 12 by the risk level calculation unit 113. and a warning unit 114 that performs a fourth generation process. Thereby, the possibility of information leakage in a computer network can be detected with high accuracy. Further, since the usage history acquired from the server device 20 is used in calculating the risk index, the possibility of information leakage can be detected even in a situation where operation logs cannot be acquired from the user terminal 40. Furthermore, it becomes possible to introduce software development environments built on the cloud with peace of mind, and it is possible to support operations such as software development in companies.

(2) The terminal information includes the IP address of the user terminal 40. This makes it possible to detect the possibility of information leakage by each user corresponding to each of the multiple user terminals 40, even when there are multiple user terminals 40 connected to the network TG.

(3) The usage information includes information regarding the downloading of files from multiple server devices 20 via the user terminal 40. This makes it possible to detect the removal of information managed within the computer network to the outside.

The above embodiment can be modified in various ways. Modifications are described below. In the above embodiment, the usage information acquisition unit 111 as the first acquisition unit acquires usage information including an access log acquired from a server device 20 as a first server device that provides a service on the network TG, and a transmission/reception log and an operation log acquired from a development-only PC 30 as a second server device. However, the usage information may also include other information (log data) that indicates the user's usage history.

In the above embodiment, the terminal information acquisition unit 112 as the second acquisition unit acquires terminal information including identification information (such as an IP address) of the user terminal 40 from the development-dedicated PC 30. However, when the second acquisition unit is able to acquire identification information, etc. of the user terminal 40 from the server device 20 or the user terminal 40, it may acquire the terminal information from the server device 20 or the user terminal 40.

In the above embodiment, the risk level value is determined in advance for each of the actions #1 to #15 in FIG. 4, and when the user's action corresponds to any of the actions #1 to #15, the risk level calculation unit 113 as a calculation unit outputs the corresponding risk level value as a calculation result. However, the method of calculating the risk level is not limited to this. For example, the calculation unit may calculate a risk level (hereinafter referred to as a provisional risk level) for each item such as the target (file) and content of the action, the execution date and time of the action, the execution source of the action, the number of times of the action (cumulative number of times), the presence or absence of an action after the action is executed (hereinafter referred to as a secondary action), the target and content of the secondary action, and the execution date and time of the secondary action, and output a value obtained by integrating the provisional risk levels of each item as a calculation result. In this case, a table such as that shown in FIG. 4 is stored in the storage unit 12 for each item. In each table, the value of the provisional risk level is determined according to the content of the item. For example, when the item is the "target of the action", examples of the content of the item include "important assets" with high confidentiality, "specific assets" with medium confidentiality, and "general assets" with low confidentiality. In this case, as an example of the provisional risk level value, 2 is set for "important assets," 1 is set for "specific assets," and 0 is set for "general assets." The calculation unit refers to the table for each item, calculates the provisional risk level of each item, and adds them up. At this time, rather than simply adding up the provisional risk levels of each item, the sum may be adjusted according to the combination of the contents of each item. More specifically, the sum may be multiplied by a coefficient that is predetermined according to the combination of the contents of the items.

Further, in the embodiment described above, the warning unit 114 calculates the total value of the risk degrees stored in the storage unit 12 in association with the user ID of the user by the risk degree calculation unit 113, and the total value is greater than or equal to the predetermined threshold value. Warning information is now output when this happens. However, when the warning unit outputs the warning information, the warning unit may execute a reset process of deleting all risk levels stored in the storage unit 12 in association with the user ID of the user. Further, the warning unit may store the number of times the reset process has been executed (the number of resets) in the storage unit 12 in association with the user ID of the user. In this case, the calculation unit may output a value obtained by multiplying the risk degree value calculated based on the usage information by a coefficient determined based on the number of resets stored in the storage unit 12 as the calculation result.

Furthermore, in the embodiment described above, the warning unit 114 outputs warning information to an output device (not shown) of the information management device 10. However, when the information management device 10 has a dashboard function, the warning unit uses the dashboard function to update each information based on the usage information (access log, operation log, transmission/reception log) stored in the storage unit 12. Display information in which log data is summarized in a graph or a table may be generated and output to an output device (not shown) of the information management device 10 periodically or at a predetermined timing.

The above description is merely an example, and the present invention is not limited to the above-mentioned embodiment and modified examples as long as the characteristics of the present invention are not impaired. It is also possible to arbitrarily combine one or more of the above-mentioned embodiment and modified examples, and it is also possible to combine modified examples together.

10 Information management device, 11 Calculation unit, 12 Storage unit, 20 Server device, 30 Development PC, 40 User terminal, 111 Usage information acquisition unit, 112 Terminal information acquisition unit, 113 Risk level calculation unit, 114 Warning unit

Claims (4)

a first acquisition unit that acquires usage information including a usage history of a user who uses a service via a user terminal from a plurality of first server devices each providing a service on a communication network;
a second acquisition unit that acquires terminal information from a second server device that performs user authentication when the user terminal is connected to the communication network and acquires terminal information including identification information of the user terminal;
a calculation unit that, when the usage information is acquired by the first acquisition unit, calculates a risk index indicating a degree of risk of information leakage by the user based on the usage information, and stores the risk index in a storage unit in association with the usage information and the terminal information;
a warning unit that generates warning information based on the total value of the risk index that is associated with the user and stored in the memory unit by the calculation unit. The information management device according to claim 1,
The information management device according to claim 1, wherein the terminal information includes an IP address of the user terminal. 3. The information management device according to claim 1,
The information management device, wherein the usage information includes information regarding downloading of files from the plurality of first server devices via the user terminal. a first process of acquiring usage information including a usage history of a user who uses the service via a user terminal from a plurality of first server devices each providing a service on a communication network;
a second process of acquiring terminal information from a second server device that performs user authentication when the user terminal connects to the communication network and acquires terminal information including identification information of the user terminal;
When the usage information is acquired in the first process, a risk index indicating the degree of risk of information leakage by the user is calculated based on the usage information, and the risk index is combined with the usage information and the terminal information. a third process of storing in the storage unit in association with the
An information management program that causes a computer to execute a fourth process of generating warning information based on the total value of the risk index stored in the storage unit in association with the user in the third process. .

Images