JP5389216B2 - Information provision system - Google Patents

Description

  The present invention creates a virtual information space in which a server computer (hereinafter referred to as a server) provides data and responds to an access request in a logged-in state to a client computer (hereinafter referred to as a client) to the information space. It is related with the information provision system which permitted access of.

  This type of apparatus, method, and computer program is realized, for example, by processing on a server in a server client system. The server manages various data stored in the storage device and restricts access to this data from the client. That is, the client is permitted to log in on the condition of user authentication, and the data can be accessed. For user authentication, for example, security information such as a password or biometric information associated with the user ID of each client is used.

  The mechanism of restricting access to data from clients is generally employed to protect information and data itself contained in data and ensure security. Therefore, the information managed and protected by the server is inherently considered to be highly confidential and important information. Paradoxically, the information that must be protected by adopting a mechanism for restricting access from clients is highly valuable as information, and is therefore always exposed to risks such as information leakage and data destruction. . Information leakage is mainly performed by hacking from outside or taking out insiders. Data destruction is mainly performed by virus injection or unauthorized access modification / deletion processing. Both are fraudulent acts or criminal acts (hereinafter referred to as inappropriate acts).

  In order to protect valuable information, information leakage etc. has occurred unfortunately, as well as making a mechanism that can reliably prevent inappropriate acts such as information leakage itself. It is also important to find out the cause in some cases. Although it is an indirect protection, investigating the cause, that is, knowing who did what and when and how to do it is necessary to prevent inappropriate acts such as information leakage in advance and investigate afterwards. Because it is an essential matter.

  A common method for investigating the cause of inappropriate acts such as information leakage is to examine the log. For example, Patent Document 1 describes that an access history of accessing a database is recorded and output.

  However, logs are generally recorded over time and comprehensively, and as a result, contain enormous amounts of information, so it is easy to find inappropriate acts such as information leakage from the logs. Not. To put it in analogy, it is as difficult as searching for pebbles thrown into the ocean, and it takes a lot of time to complete.

  In this regard, Patent Document 2 describes a system in which an action history of a user who is given access authority by user authentication is recorded in units of individual users (see paragraphs 0108 and 0116). Since the user's behavior history (log) is recorded in units of users, it is expected that later tracking work will be easier than storing the behavior history (log) of the entire user.

  The device described in Patent Document 3 allows access after performing user authentication for each individual user for each program for which access restriction is set for a system user who uses a single personal computer with a common account. An authentication log (access history) is stored. By displaying the access history of the third party other than the system user in red, and the access history of the user who is a system user but is not permitted to access is displayed in yellow, the system displays the identification according to the access status of the access history. The effect of facilitating the tracking of the usage history of the device is reported (see paragraph 0090 etc.).

Japanese Patent Laid-Open No. 2002-041579 JP 2003-157240 A JP 2003-216260 A

  As described above, it is not easy to find the cause of inappropriate acts such as information leakage and data destruction from a log containing a large amount of information. If the technique described in this point and patent document 2 and patent document 3 is employ | adopted, the effort will surely be reduced.

  However, there is no difference that the user action history described in Patent Document 2 and the access history described in Patent Document 3 are also in the form of a so-called log. In particular, it is not systematized so that inappropriate acts such as information leakage can be detected at an early stage. Therefore, even if the techniques described in Patent Documents 2 and 3 are applied, finding the cause of an inappropriate act is a difficult task to some extent.

  The present invention has been made in view of such points, and when an inappropriate act such as information leakage or data destruction occurs for the data being managed, the work load for investigating the cause is reduced, The purpose is to reduce the time required to reach a solution.

  The present invention relates to a virtual information space based on data stored in a first storage device managed by a server computer (hereinafter referred to as a server) from a client computer (hereinafter referred to as a client) via a network. In the information providing system that enables access to the server, the processor of the server transmits a login request to the information space with login data that is a combination of user information for identifying a user and predetermined security information. Means for logging a client into the information space on condition that the security information is authentic, and a processor of the server permits access to the information space in response to an access request from the client who is logging in Means and a processor of the server, wherein the information Means for logging out the logged-in client from the information space, and the server processor sends the login and log-out request and the access request being logged-in transmitted from the client. A log including user information associated with the login request, date and time information of the request, and first access information indicating whether the login data associated with the login request is authentic; Means for storing in a storage device, and a first browsing in which the processor of the server records the use of the information space for each individual user together with the date information and the first access information from the log Means for generating data and storing it in a third storage device and processor of the server are reserved for the administrator. Means for transmitting and outputting the first browsing data to the requesting client in response to a request that satisfies a predetermined condition; and the information space included in the first browsing data received by the processor of the client. The use of the information space is rearranged in the form of a matrix display of users and dates, and the use of the information space is made different in the display mode when the login data is authentic and when it is not authentic. Means for displaying and outputting the first browsing screen shown in FIG.

  According to the present invention, whether or not each user's information space is used indicates whether or not the use is based on correct access (whether or not the login data is authentic) and the time series for each user (user and date). It is possible to make it clear at a glance who used what information in the information space in what way and, therefore, the data provided by the information space, such as information leakage and data destruction, etc. When inappropriate actions occur, the work load for investigating the cause can be lightened compared to referring to a log that contains a lot of data, and the time required to resolve it Can be shortened.

The schematic diagram which shows the hardware constitutions of the whole system which is one Embodiment, and the flow of a process. The block diagram which shows the hardware constitutions of a server. The block diagram which shows the hardware constitutions of an administrator terminal. The block diagram which shows the hardware constitutions of a user terminal. The schematic diagram which shows the screen hierarchy in the screen for management which can be browsed with an administrator terminal. The schematic diagram which shows an example of the screen image displayed on a 1st browsing screen. The schematic diagram which shows an example of the screen image displayed on a 2nd browsing screen (login list screen). The schematic diagram which shows an example of the screen image displayed on a 2nd browsing screen (management tool utilization list screen). The schematic diagram which shows an example of the screen image displayed on a 2nd browsing screen (database utilization list screen). The schematic diagram which shows an example of the screen image displayed on a 2nd browsing screen (file usage list screen). The schematic diagram which shows an example of the screen image displayed on a 3rd browsing screen (login logout log screen). The schematic diagram which shows an example of the screen image displayed on a 3rd browsing screen (database utilization log screen). The schematic diagram which shows an example of the screen image displayed on a 3rd browsing screen (file transfer log screen).

An embodiment will be described with reference to the drawings. This embodiment is an application example to a server client system suitable for use in various corporations and organizations such as private companies, educational institutions, medical institutions, welfare institutions, government offices, and local public organizations. Less than,
1. System configuration (1) Overview (2) Server (3) Client System processing contents (1) Application (2) Password application (3) Password issuance (4) Password notification (5) Use of information space (6) Log generation (7) Log data transfer for browsing data generation (8) No. 1. Generation of first and second browsing data (9) Browsing request and browsing data provision (10) Log provision processing (11) Generation data backup processing Function and effect 4. This will be described in terms of items of the modification.

1. System Configuration (1) Overview As shown in FIGS. 1 to 4, a system according to the present embodiment includes a plurality of server computers 11 (hereinafter referred to as servers 11) and a plurality of client computers 31 (hereinafter referred to as clients). Is a server client system connected via a network NT. A large host computer 51 is also connected to the server client system via the network NT.

  As can be seen from the fact that there are a plurality of servers 11, a distributed system is constructed. The servers 11 distributed in a plurality may be installed at the same location or may be installed at geographically separated locations. In FIG. 1, a server indicated by reference numeral 11 a is an aggregation server 11 a and plays a role of aggregating data of individual servers 11. Each server 11 includes an HDD 114 as a storage device (see FIGS. 2 to 4), and stores data such as various databases, various files, and management tools in the HDD 114. The database and the file are general concept data of these terms, and there is no point to be noted. The management tool is a tool for granting the management authority of the server 11 to the user of the client 31 in order to set or maintain the server 11. The server 11 controls access to those databases, files, and management tools stored in the HDD 114, and provides the data to the client 31 only when a predetermined condition is satisfied. In the present embodiment, the database, file, and management tool that are subjected to access control in this way are referred to as a virtual information space. Access control is performed by such a method of login and logout to the information space.

  As shown in FIG. 1, the client 31 includes an administrator terminal 31a for an administrator and a user terminal 31b for a general user. In both cases, the entity is the same personal computer. Whether to be the administrator terminal 31a or the user terminal 31b is determined by the authority when logging in to the client 31 itself. It is the user name and password that define the authority. The server 11 gives advanced and broader rights to the administrator terminal 31a logged in as an administrator than the user terminal 31b logged in as a general user. However, within the framework of the server client system, both general users and administrators are included in the category of users. The server 11 permits the use of the virtual information space from the administrator terminal 31a and the user terminal 31b as long as a predetermined condition is satisfied. That is, the client 31 is permitted to log in to the information space, access to the information space being logged in, and logout from the information space being logged in.

  The server 11 generates a history of commands and the like generated when the client 31 uses the information space (login logout, access) as a log, and records this in the HDD 114 and leaves it. A part of the logs generated and recorded by the individual servers 11 are extracted and collected in the aggregation server 11a, and edited as first and second browsing data. The first and second browsing data are sent to the requesting administrator terminal 31a in response to a request from the administrator terminal 31a and used for browsing. The first and second browsing data are also periodically transferred to the host computer 51 for backup.

(2) Server As shown in FIG. 2, the server 11 is a computer in which a CPU 111 that is a processor that executes various arithmetic processes and controls each unit is a main body, and a ROM 112 and a RAM 113 are connected to the CPU 111. The ROM 112 is an EEPROM such as an EPROM or a flash memory, for example, and describes BIOS and fixed data. The RAM 113 is a static memory that stores data in a rewritable manner, and is used as a work area, for example. Although the ROM 112 and the RAM 113 are shown as a single object in FIG. 2, this only shows the concept of the ROM 112 and the RAM 113. Actually, a plurality of memory devices are used as the ROM 112 and the RAM 113. For example, the concept of the RAM 113 includes a video memory for displaying an image on the display device 151 described later.

  An HDD 114 is connected to the CPU 111 of the server 11. In addition to the OS (operating system), various computer programs are installed in the HDD 114. One of them is a computer program that causes the server 11 to function as an information providing apparatus. For convenience, this computer program is called an information providing program. When the information providing program is started in the server 11, all or a part of the program is copied to the RAM 113, and thereafter the CPU 111 executes a process according to the information providing program copied to the RAM 113, and uses the server 11 as the information providing device. Make it work. The server 11 functioning as an information providing apparatus executes means, functions, and processes for realizing various functions described later.

  The HDD 114 is installed with an OS and various computer programs, and stores various data. Hereinafter, a part of the data stored in the HDD 114 will be introduced.

  The data introduced first is various databases, various files, and management tools. That is, it is data for providing a virtual information space that permits access to the client 31. Here, the HDD 114 that stores data for providing such an information space is referred to as a first storage device.

  The data to be introduced next is a log such as a command generated when the client 31 uses the information space (login logout, access). Here, the HDD 114 that stores such a log is referred to as a second storage device.

  The data to be introduced next is first and second browsing data edited by the aggregation server 11a from a part of the logs generated and recorded by the individual servers 11. These first and second browsing data are stored only in the HDD 114 of the aggregation server 11a. Here, the HDD 114 of the aggregation server 11a that stores such first and second browsing data is referred to as a third storage device.

  The data to be introduced next is login data. As described above, access control to a virtual information space is performed by a method of login and logout to the information space. Login data is used when logging in to such an information space. The login data is data obtained by combining user information for identifying a user and predetermined security information. As an example, the user information is a user ID, and the security information is a password. The server 11 stores correct login data in the HDD 114 in order to determine the authenticity of the login data input by the client 31. Here, the HDD 114 that stores such login data is referred to as a fourth storage device.

  The data introduced at the end is the access contents defined in the prior application for permission to access the virtual information space. Here, the HDD 114 that stores the contents of access to such an information space is referred to as a fifth storage device.

  An input device 131, a display device 151, and a communication interface 171 are further connected to the CPU 111 of the server 11. The input device 131 includes a pointing device such as a keyboard and a mouse, and inputs a signal to the CPU 111. The display device 151 is a liquid crystal display or the like, and displays an image according to the output from the CPU 111. The communication interface 171 is an interface for connecting the server 11 to the network NT.

(3) Client FIG. 3 shows the hardware configuration of the administrator terminal 31a, and FIG. 4 shows the hardware configuration of the user terminal 31b. As described above, since the administrator terminal 31a and the user terminal 31b are the same personal computer, they will be described here in a lump.

  As shown in FIGS. 3 and 4, the client 31 is a computer in which a CPU 311 that is a processor that executes various arithmetic processes and controls each unit is a main body, and a ROM 312 and a RAM 313 are connected to the CPU 311. The ROM 312 is, for example, an EEPROM such as an EPROM or a flash memory, and describes BIOS and fixed data. The RAM 313 is a static memory that stores data in a rewritable manner, and is used as a work area, for example. The ROM 312 and the RAM 313 are shown as a single object in FIGS. 3 and 4, but this only shows the concept of the ROM 312 and the RAM 313. Actually, a plurality of memory devices are used as the ROM 312 and the RAM 313. For example, the concept of the RAM 313 includes a video memory for displaying an image on the display device 351 described later.

  An HDD 314 is connected to the CPU 311 of the client 31. Various computer programs are installed in the HDD 314 in addition to the OS (operating system). One of them is a computer program that causes the client 31 to function as an information utilization device. For convenience, this computer program is called an information utilization program. When the information use program is started in the client 31, all or a part of the program is copied to the RAM 313. Thereafter, the CPU 311 executes a process according to the information use program copied to the RAM 313, and uses the client 31 as the information use apparatus. Make it work. The client 31 that functions as an information utilization apparatus executes means, functions, and processes for realizing various functions that will be described later.

  An input device 331, a display device 351, and a communication interface 371 are further connected to the CPU 311 of the client 31. The input device 331 includes a pointing device such as a keyboard and a mouse, and inputs a signal to the CPU 311. The display device 351 is a liquid crystal display or the like, and displays an image according to the output from the CPU 311. The communication interface 371 is an interface for connecting the client 31 to the network NT.

2. Processing Contents of System Hereinafter, processing executed between the server 11 that is activated by the information providing program and functioning as the information providing apparatus, and the client 31 that is activated by the information utilization program and is functioning as the information utilizing apparatus. And the process performed between the aggregation server 11a and the host computer 51 is demonstrated. The description will be made along (1) to (11) in FIG.

(1) Application As described above, the CPU 111 of the server 11 generates a virtual information space that provides data stored in the HDD 114. A general user who wants to use this virtual information space should first apply for obtaining a password as security information. In the system according to the present embodiment, the user can use a virtual information space by acquiring a password.

  An application for obtaining a password is made to the administrator. As an example, the information use program installed in the administrator terminal 31a and the user terminal 31b supports application from the user terminal 31b to the administrator terminal 31a. In this case, the information use program may be constructed so as to enable application for use of the information space from a general-purpose browser installed by the user terminal 31b. In addition, an application may be made by sending an e-mail from the user terminal 31b to the administrator terminal 31a. Furthermore, the application may be made verbally, in a document, or in a memo without using a client computer 31 at all.

For application,
・ User ID
・ Access contents to information space (access target, purpose of access, etc.)
Server 11 that wants access to information space
Is required. The user ID is unique data as user information that identifies a user who is an applicant.

  Here, the type of the server 11 is confirmed. As described above, the system according to the present embodiment is a distributed system in which the servers 11 are distributed to a plurality of units. In the system according to the present embodiment, names such as “Hiroshima”, “Yamaguchi”, “Tottori”, “Shimane”, “Okayama”,. The notification of the “server 11 that desires access to the information space” accompanying the application for acquiring the password means identification of these individual servers 11. It should be noted here that the password issued in response to the application is valid not only for the notified “server 11 that desires access to the information space” but also for all the servers 11. More precisely, the system according to the present embodiment makes it possible to log in to all the servers 11 by using the issued password. However, since this is an operational arrangement, the password may be used so that only the server 11 that has received the notification is logged in.

(2) Password application The administrator who has received the application from the general user makes a password application from the administrator terminal 31a to the server 11 that is the application target. As an example, the information providing program installed in the server 11 and the information use program installed in the client 31 (administrator terminal 31a) support the application from the administrator terminal 31a to the server 11. In this case, the information providing program may be constructed so as to enable a password application from a general-purpose browser installed by the administrator terminal 31a. At this time, the administrator terminal 31a also transmits the user ID of the applicant who desires to use the information space to the server 11 that is the application target.

  What is important when applying for a password is to register the access contents notified in the application in the server 11. This operation is performed on the administrator terminal 31a.

(3) Password issuance The CPU 111 of the server 11 issues a password with an expiration date to the administrator terminal 31a in response to a password application from the administrator terminal 31a. The expiration date of the password is, for example, one day only. At this time, the CPU 111 of the server 11 stores the password in association with the user ID provided from the administrator terminal 31a at the time of password application. As described above, the storage is performed by recording in the HDD 114 as the fourth storage device. In this case, the image may be stored only during the specified expiration date, or may be stored as being valid only during the specified expiration date although it is stored for a longer period. Or as another example, you may make it memorize | store temporarily, for example in the work area of RAM113 only during a regular expiration date. In this case, the RAM 113 is a fourth storage device. The combination of the user ID and the password stored in the fourth storage device (HDD 114 or RAM 113) in this way becomes login data.

  As an example, a plurality of passwords are generated in advance in units of years or months, and for example, a password that is treated as valid every day is changed and used. In this case, issue the same password to all applicants, issue the same password for each group of applicants, or issue separate passwords to all applicants. However, either is acceptable. As another example, the password may be generated at the timing of password application from the administrator terminal 31a.

  The important thing is to make the issued password recognizable within its validity period. The recognition may be performed by referring to the login data stored in the fourth storage device (HDD 114 or RAM 113), or may be performed by separately storing a valid password in another storage area of the HDD 114 or RAM 113. good. For example, when issuing the same password to all applicants or issuing the same password for each group of applicants, store it as a password valid today in a storage area separate from the login data. It is possible to manage. When login data is input from the client 31, it is possible to determine the authenticity of the password by comparing the password with a password that is valid today and stored.

  Another important point is that a password, which is security information generated by any method, is combined with a user ID, which is user information, as login data, which is stored in a fourth storage device (HDD 114 or RAM 113). It is to keep. When login data is input from the client 31, the authenticity of the login data can be determined by comparing with the stored login data.

  In addition, as described above, when the password application is made, the access contents for the information space notified in the application are registered in the server 11. The CPU 111 of the server 11 links the access content data to the information space to the login data and registers it in the HDD 114 as the fifth storage device.

(4) Password notification The administrator terminal 31a notifies the user terminal 31b of the password issued from the server 11. For the password notification, the same method as the various information transmission methods from the user terminal 31b to the administrator terminal 31a described in the above "(1) Application" can be adopted.

  By the above procedures (1) to (4), advance preparations for the user terminal 31b to use the virtual information space are completed. Here, the use of the information space by the user terminal 31b in the client 31 has been described, but the information space can also be used from the administrator terminal 31a. In this case, except that the procedures (1) and (4) are omitted, advance preparation for using the information space is performed by the same procedure as that for the user terminal 31b. Therefore, hereinafter, a person who uses the information space is referred to as a user, and a device that logs in, accesses and logs out of the information space is referred to as a client 31. The users are general users and administrators who are given a password and are allowed to use the information space. Therefore, the user holds the password even if it has an expiration date, such as the password notified by the procedure (4).

  However, in the procedure of “(9) Browsing request and browsing data provision” to be described later, the administrator accesses the server 11 exclusively by the manager terminal 31a. Therefore, in the description of the procedure (9) described later, the administrator and the general user are clearly distinguished, and the administrator terminal 31a and the user terminal 31b are clearly distinguished.

  Confirm one piece of login data that is a set of a user ID and a password. This login data is only data for using a virtual information space. When each user uses the client 31, it is necessary to log in to the client 31, and in this case as well, the user ID and password are input as described above. The set of user ID and password included in the login data is not a set of user ID and password used for login to the client 31 itself. The virtual information space is provided to the already-logged-in client 31, and in order to use the information space in such a logged-in client 31, input of log-in data for using the information space is further performed. It is something to be weighted.

(5) Use of Information Space As described above, the CPU 111 of each server 11 generates a virtual information space that provides data (various databases, various files, management tools) stored in its own HDD 114, Access to the information space from the client 31 via the network NT is permitted in response to an access request in the logged-in state. Therefore, the CPU 111 of the server 11 provides a login screen for a user who wants to use the information space. The login screen requests input of login data (a combination of a user ID and a password).

  The user browses the login screen provided by the server 11 via the network NT with the client 31, inputs the user ID and password, and transmits a “login request”. The CPU 111 of the server 11 causes the client 31 that has transmitted the login request to log in to the information space under a predetermined condition. The predetermined condition is password matching. The password match means that the password included in the login data accompanying the login request matches the password managed by the server 11 as a valid password today. In other words, it verifies the authenticity of the password. If the CPU 111 of the server 11 confirms that the passwords match as a result of the verification, the CPU 111 permits the client 31 that has transmitted the login request to log in to the information space.

  It should be noted here that the predetermined condition for permitting login to the information space is not a match of the pair of the user ID and the password included in the login data accompanying the login request, but only the password. It is a match. The reason will be described later.

  The client 31 transmits an access request when accessing the virtual information space provided by the HDD 114. At this time, the CPU 111 of the server 11 permits the access request if the client 31 is logged in. Thereby, the client 31 can access various data (various databases, various files, management tools) provided by the information space. For example, when the logged-in server 11 desires to use a database provided on the information space, the client 31 performs an operation for instructing activation of the database. At this time, the client 31 sends and outputs a command for starting the target database to the network NT with the server 11 as the destination. After the database is activated, for example, when browsing a specific record, a command for browsing request accompanied by data for specifying the record, and a command for requesting additional recording when adding a new record, the server 11 Is further transmitted from the client 31 onto the network NT. Similarly, when the logged-in server 11 desires to browse a file provided on the information space, the client 31 performs an operation for instructing opening of the file. At this time, the client 31 transmits and outputs a file data transfer command with data for specifying the target file on the network NT, with the server 11 as a destination. Although not specifically described, even when the logged-in server 11 desires to use a management tool provided on the information space, the server 11 is used as a destination, and commands and associated data are transmitted and output accordingly. . As described above, the client 31 accessing the information space provided by the logged-in server 11 transmits and outputs various commands and accompanying data to the network NT with the server 11 as a destination. In the present embodiment, the command and accompanying data thus transmitted and output are defined as “access requests”.

  When the user finishes using the information space generated by the server 11, the user logs out from this information space. In order to log out, the client 31 transmits and outputs a “logout request” destined for the logged-in server 11 on the network NT. In response to this, the CPU 111 of the server 11 executes logout processing of the client 31.

(6) Log generation The CPU 111 of the server 11 generates a log describing events from the login of the client 31 to the logout, and leaves them in the HDD 114 as the second storage device. The log is generated separately for a log of a login request and a logout request (hereinafter referred to as a login and logout request) and an access request log. The access request log is further divided into an access request log for using a database, an access request log for file transfer, and an access request log for using a management tool.

When the CPU 111 of the server 11 logs in the client 31,
・ Login data (a set of user ID and password)
・ Login time (date and time)
Obtain first access information indicating whether or not the login data is authentic. When the CPU 111 of the server 11 logs out the client 31,
・ Logout time (date and time)
To get. The “login time” can be easily obtained from a clock circuit (not shown) included in the CPU 111 when a login request is received. The “logout time” can be easily obtained from a clock circuit (not shown) included in the CPU 111 when a logout request is received. The “determination result of whether or not the login data is authentic” is acquired by comparing the login data transmitted from the client 31 at the time of login with the login data stored in the fourth storage device (HDD 114 or RAM 113). can do. The CPU 111 of the server 11 accompanies these acquired data in the log of login and logout requests.

When the CPU 111 of the server 11 accesses the logged-in client 31 to the database provided by the information space,
・ Login data at login (a combination of user ID and password)
Is known and
・ Access time (date and time)
・ Third access information indicating appropriateness of access contents ・ Logout time (date and time)
To get. The “access time” can be easily obtained from a clock circuit (not shown) included in the CPU 111 when an access request for using the database is received. The “third access information indicating appropriateness of access contents” matches the contents of the access request from the client 31 that is logged in and the access contents applied in advance registered in the HDD 114 as the fifth storage device. It can be obtained by checking whether or not. The CPU 111 of the server 11 causes these known data and acquired data to accompany the access request log for database use.

When the CPU 111 of the server 11 accesses the client 31 being logged in to a file provided by the information space,
・ Login data at login (a combination of user ID and password)
Is known and
・ Access time (date and time)
・ Third access information indicating appropriateness of access contents ・ Logout time (date and time)
To get. The “access time” can be easily obtained from a clock circuit (not shown) included in the CPU 111 when an access request for using the database is received. The “third access information indicating appropriateness of access contents” matches the contents of the access request from the client 31 that is logged in and the access contents applied in advance registered in the HDD 114 as the fifth storage device. It is data indicating whether or not. The CPU 111 of the server 11 causes these known data and acquired data to accompany the access request log for file transfer.

When the CPU 111 of the server 11 accesses the logged-in client 31 to the management tool provided by the information space,
・ Login data at login (a combination of user ID and password)
Is known and
・ Access time (date and time)
・ Third access information indicating appropriateness of access contents ・ Logout time (date and time)
To get. The “access time” can be easily obtained from a clock circuit (not shown) included in the CPU 111 when an access request for using the database is received. The “third access information indicating appropriateness of access contents” matches the contents of the access request from the client 31 that is logged in and the access contents applied in advance registered in the HDD 114 as the fifth storage device. It is data indicating whether or not. The CPU 111 of the server 11 causes these known data and acquired data to accompany the access request log for using the management tool.

Further, the CPU 111 of the server 11 verifies the use of all passwords described in the above “(3) Issue password”. That is, after the password is issued, it is checked whether or not the use of the information space using the password is within the expiration date. The use of the information space here refers to the presence / absence of a login / logout request, the presence / absence of an access request for using a database, the presence / absence of an access request for file transfer, and the presence / absence of an access request for using a management tool. When the CPU 111 of the server 11 does not use the information space for each item of login and logout, database use, file transfer, and management tool use as a result of this verification,
-Accompany the log with second access information indicating that the information space has not been used. The second access information indicating that there was no login and logout request is in the log of the login and logout request, and the second access information indicating that there is no access request for using the database is an access request for using the database. The second access information indicating that there is no access request for file transfer in the log of the second log indicates that there is no access request for using the management tool in the log of the access request for file transfer. The access information of 2 is in the log of the access request for using the management tool.

Logs of login and logout requests
・ Login data (a set of user ID and password)
・ Login time (date and time)
・ Logout time (date and time)
A data group specified by the login ID from the login time (date / time) to the logout time (date / time) and the log-in time (date / time) is generated as a unit. Information-Generated by adding second access information indicating that the information space has not been used. Therefore, when the same user logs in and logs out the same server 11 times a day, logs of login and logout requests are generated in the form of X chunks.

Logs of access requests (access requests for database use, access requests for file transfer, access requests for use of management tools)
・ Login data at login (a combination of user ID and password)
・ Access time (date and time)
・ Logout time (date and time)
The data group specified by the user ID and access time (date and time) quoted from is generated as a unit, where:-Second access information indicating that the information space was not used-Appropriate access contents The third access information is added and generated. Therefore, when the same user accesses the information server X times within the same login period with respect to the same server 11, an access request log is generated in the form of X chunks.

(7) Transferring log data for browsing data generation The CPU 111 of each server 11 transfers the various log data stored in the HDD 114 as the second storage device to the aggregation server 11a. At this time, the data to be collected in the aggregation server 11a is not the entire log but a part of the data extracted from the log. Accordingly, each server 11 generates log data in which a part is extracted from the log, and transfers it to the aggregation server 11a. As another example, each server 11 may transfer the entire log to the aggregation server 11a, and the aggregation server 11a may generate log data obtained by extracting a part of the entire log.

From the log of login and logout requests,
・ Login data (a set of user ID and password)
・ Login time (date and time)
・ Logout time (date and time)
First access information indicating whether the login data is authentic. Second access information indicating that the information space has not been used is extracted, and node information is added thereto. The node information is information that identifies each server 11. In this embodiment, as described above, names such as “Hiroshima”, “Yamaguchi”, “Tottori”, “Shimane”, “Okayama”,... Are assigned to the individual servers 11 as nodes. .

From the log of access requests (access requests for database use, access requests for file transfer, access requests for use of management tools)
・ Login data at login (a combination of user ID and password)
・ Access time (date and time)
・ Logout time (date and time)
-Second access information indicating that the information space has not been used-Third access information indicating appropriateness of access contents is extracted, and node information is added thereto.

  The transfer of the log data for generating browsing data described above is performed every day by night batch processing, for example.

(8) First and second browsing data generation The CPU 111 of the aggregation server 11a generates the first browsing data and the second browsing data from the logs collected from the individual servers 11, and generates the third browsing data. The data is stored in the HDD 114 that is a storage device.

The first browsing data indicates whether or not the information space for each user is used.-Login time (date and time)
・ Logout time (date and time)
・ Access time (date and time)
First access information indicating whether or not the login data is authentic Second access information indicating that the information space has not been used Data recorded together with third access information indicating appropriateness of access contents . The user is defined by a user ID. Use of the information space includes login / logout, database use, file transfer, and management tool use.

The second browsing data indicates whether or not the information space for each user is used ・ Login time (date and time)
・ Logout time (date and time)
・ Access time (date and time)
-Data to be recorded together with node information. The user is defined by a user ID. Use of the information space includes login / logout, database use, file transfer, and management tool use.

(9) Browsing request and provision of browsing data A description will be given with reference to FIGS. The administrator can access the aggregation server 11a and check the usage status of the virtual information space by each user. For this purpose, a request that satisfies a predetermined condition for the administrator is made to the aggregation server 11a. “Conditions determined in advance for the administrator” are satisfied by inputting the user ID and password for the administrator as an example. The CPU 111 of the server 11 transmits and outputs the first browsing data to the requesting client in response to a request that satisfies a predetermined condition for the manager from the manager terminal 31a.

  As shown in FIGS. 5 and 6, when the CPU 311 of the administrator terminal 31a receives the first browsing data, the matrix of the user and the date indicates whether or not the information space included in the received first browsing data is used. The first browsing screen IMG1 rearranged in the display form is displayed on the display device 351. The first browsing screen IMG1 shows users in columns and dates in rows. As for the user, the login / logout request and the access request for one user are shown in a form divided for each row. Moreover, the access request is shown in a form in which the access request for using the database, the access request for transferring the file, and the access request for using the management tool are further divided for each line. In FIG. 5 and FIG. 6, the usage classification is “privileged user”, login and logout requests, “PSQL” is the access request for database usage, and “FTP”. Is the access request for file transfer, and the “management tool” is the access request for using the management tool.

As described above, the first browsing data indicates whether or not the information space is used for each individual user. First access information indicating whether or not the login data is authentic. Second access information to be displayed ・ Recorded together with third access information indicating appropriateness of access contents. Based on these pieces of information, the CPU 311 of the manager terminal 31a identifies and displays the presence / absence of use of the information space in four ways: ◯, Δ, ×, and white.

  ○ indicates application and use. The condition that the login data is authentic in the first access information, the second access information does not indicate that the information space has not been used, and the third access information indicates that the access content is appropriate If the above is satisfied, a conclusion of application and use can be drawn.

  △ indicates application and no use. If the first access information satisfies the condition that the login data is authentic and the second access information indicates that the information space has not been used, a conclusion that there is an application and no use is derived. In this case, since there is no use, the third access information is, for example, a NULL value.

  X indicates no application and use. There are two cases. If the first access information does not indicate that the login data is not authentic but the second access information does not indicate that the information space has not been used, a conclusion of no application and use is derived. In this case, since there is no prior application for the use of the information space, the third access information has the content that the access content is inappropriate. This is so-called unauthorized login. For example, the so-called “today's password” may be fraudulently fraudulently by a technique such as unauthorized access to the server 11. If the user logs in with the fraudulent password in this way, the conclusion is that there is no application and that there is use. In such a case, “x” is also added to the item of unauthorized access in the “privileged user” column indicating login and logout requests. This is the first case.

  Another case that is × is that the login data is authentic in the first access information, and the second access information does not indicate that no information space was used, but the third access information accesses This is a case where the content is shown to be inappropriate. This is so-called unauthorized access. In this case, since some data provided by the information space is accessed without prior application, the conclusion is that there is no application and that there is use. In this case, although the “privileged user” column indicating the login and logout request is marked with a circle, the item for unauthorized access is marked with “X”.

  Open text indicates no application and no use. The first access information indicates that the information space is not used in the NULL value and the second access information, for example. If the third access information also satisfies the condition such as the NULL value, the conclusion that there is no application and no use Is guided.

  As shown in FIGS. 5 and 6, the CPU 311 of the administrator terminal 31a displays the first object OJ1 on the first browsing screen IMG1. The first object OJ1 is an object for designating one user and instructing the aggregation server 11a to transmit the second browsing data. The designation of one user is performed by, for example, selecting and designating one usage category of one user by the input device 331. Conventional means in this case is designation by a pointing device such as a mouse. When the first object OJ1 is operated in a state where one usage category of one user is selected and specified in this way, the CPU 311 of the administrator terminal 31a causes the second browsing data relating to one usage category of the one user specified and specified. The data transfer request is transmitted and output to the aggregation server 11a. In response to this, the aggregation server 11a transmits and outputs the corresponding second browsing data to the requesting administrator terminal 31a.

  As shown in FIGS. 5 and 7 to 10, the CPU 311 of the administrator terminal 31 a that has received the second browsing data indicates whether or not the information space included in the received second browsing data is used in order of date and time. The second browsing screen IMG2 is displayed on the display device 351. The second browsing screen IMG2 is a screen that displays information space usage status (login logout, access) in chronological order with dates in tandem. Nodes of individual dates (types of servers 11 such as Hiroshima and Tottori) And time.

  FIG. 7 shows an example of a screen image displayed on the login list screen IMG2a which is a kind of the second browsing screen IMG2. FIG. 7 is an example of a screen when one usage category of “privileged user” indicating login / logout of one user is selected and specified in the first browsing screen IMG1 shown in FIG. 6. Nodes, login time and logout time are displayed in chronological order.

  FIG. 8 shows an example of a screen image displayed on the management tool usage list screen IMG2b which is a kind of the second browsing screen IMG2. FIG. 7 is an example of a screen when one usage category “management tool” indicating the usage of a management tool of one user is selected and designated in the first browsing screen IMG1 shown in FIG. 6. Nodes and access time (start time) are displayed in date order.

  FIG. 9 shows an example of a screen image displayed on the database usage list screen IMG2c, which is a kind of the second browsing screen IMG2. FIG. 7 is an example of a screen when one usage category “PDSQL” indicating the database usage of one user is selected and designated in the first browsing screen IMG1 shown in FIG. 6. The nodes and the start time and end time are displayed in order of date.

  FIG. 10 shows an example of a screen image displayed on the file usage list screen IMG2d which is a kind of the second browsing screen IMG2. FIG. 7 is an example of a screen when one usage category “FTP” indicating file transfer of one user is selected and specified in the first browsing screen IMG1 shown in FIG. 6. The nodes and the start time and end time are displayed in order of date.

(10) Log Provision Processing FIGS. 11 to 13 will be described in addition to the reference drawings. As shown in FIGS. 5, 7, 9, and 10, the CPU 311 of the manager terminal 31a displays the second object OJ2 on the second browsing screen IMG2. The second object OJ2 is an object for designating one date and time and instructing the aggregation server 11a to output logs. The designation of one date and time is performed by selecting and designating one date and time with the input device 331, for example. Conventional means in this case is designation by a pointing device such as a mouse. When the first object OJ1 is operated in a state where one date and time is selected and specified in this manner, the CPU 311 of the administrator terminal 31a transmits and outputs a log data transfer request related to the one and date selected and specified to the aggregation server 11a. In response to this, the aggregation server 11a instructs the server 11 storing the corresponding log in the HDD 114 to transfer the corresponding log to the requesting administrator terminal 31a. Upon receiving this instruction, the server 11 transfers the log of the selected date and time to the administrator terminal 31a that is the request source.

  As illustrated in FIGS. 11 to 13, the CPU 311 of the administrator terminal 31 a that has received the log displays the received log on the display device 351 as a third browsing screen IMG3. The third browsing screen IMG3 is a screen that displays the raw log of the selected date and time as it is.

  FIG. 11 shows an example of a screen image displayed on a logout logout log screen IMG3a which is a kind of the third browsing screen IMG3. It is an example of a screen when an object called an execution command inquiry OJ2a as the second object OJ2 is operated in a state where one date is selected and specified in the login list screen IMG2a shown in FIG.

  FIG. 12 shows an example of a screen image displayed on the database usage log screen IMG3c which is a kind of the third browsing screen. FIG. 10 is a screen example when an object called a PSQL trace inquiry OJ2c as the second object OJ2 is operated in a state where one date is selected and specified in the database usage list screen IMG2c shown in FIG.

  FIG. 13 shows an example of a screen image displayed on the file transfer log screen IMG3d which is a kind of the third browsing screen. It is an example of a screen when an object called FTP trace inquiry OJ2d as the second object OJ2 is operated in a state where one date is selected and specified in the file usage list screen IMG2d shown in FIG.

(11) Generated Data Backup Process As shown in FIG. 1, the CPU 111 of the aggregation server 11a converts the first and second browsing data stored in the HDD 114 into a host computer by monthly processing, for example, once a month. (For the aggregation server 11a, CPU 111, and HDD 114, see FIG. 2). The host computer 51 backs up the received first and second browsing data. The aggregation server 11a deletes the first and second browsing data transferred to the host computer 51 in a timely manner.

3. Effect Each server 11 requires input of a set of a user ID and a password as login data for accessing the information space. In response to this, if the correct password obtained by the prior application is input together with the user ID of the user who has applied in advance, the login data including these is authentic. This is because both the user ID and password are correct. In contrast, the so-called “today's password” may be fraudulently fraudulently by a technique such as unauthorized access to the server 11. In this case, the fraudster who fraudulently fraudulently captured today's password would attempt to log in with a combination of his user ID and the fraudulent password. This is a process unique to the present system, but the server 11 permits such unauthorized login instead of rejecting it. If this happens, it is expected that the fraudster will modify, delete, or steal various databases and files provided by the virtual information space. At this point, the system administrator knows that an inappropriate act has been performed and begins to investigate the cause.

  The administrator who has begun to investigate the cause first browses the first browsing screen IMG1 illustrated in FIG. The first browsing screen IMG1 indicates whether or not each user's information space is used in a time series for each user (matrix of users and dates). Along with information on whether the use is based on correct access, ie, whether the login data was authentic. The reason why the authenticity of the login data is known is that the server 11 permits the login with the user ID and the fraudulent password as exemplified above. At this time, since the server 11 recognizes a combination of a user ID and a password that is different from the previously applied user ID and password, it can be determined that the long-in data is not authentic. In this way, the administrator can reveal those who have performed inappropriate acts.

  However, this system has the potential to once allow unfavorable actions such as modification and deletion of databases and files. If only this one aspect is seen, if it is going to log in with the combination of a user ID and a fraudulent password, the doubt that it may be better to refuse login will arise. However, those who do inappropriate acts usually continue to conduct inappropriate actions regularly using any means. Even if you refuse to log in once, you will try to force login with that hand. Given this, short-circuit login refusals are more likely to hide the long-standing inappropriate behavior. If this is the case, it can be said that the method of this system, in which a certain amount of damage is observed and the person who has performed inappropriate acts, is surely revealed, yields a larger fruit.

  The above description is about the event shown as x on the first browsing screen IMG1, that is, the use without application. There is a case in which data is used without an application, but login is correct, but data outside the application has been accessed. The first browsing screen IMG1 also shows such an example with x. In addition, △ indicates that there is an application but no use. As described above, the first browsing screen IMG1 indicates the use status of each user in an easy-to-understand manner by using a time series (a matrix of users and dates) for each user, and indicates the use status of ◯, Δ, × This is indicated using the symbol. In addition, if a noteworthy record is found on the first browsing screen IMG1, the second browsing screen IMG2 can be displayed for that record, and further, the third browsing screen IMG3 for a specific date therein. It is possible to display the log with. Therefore, it can be made clear at a glance who used what information in the information space at what time. As a result, when inappropriate acts such as information leakage or data destruction occur for the data provided by the information space, it is more than necessary to refer to the log where a lot of data is united. Therefore, the work load for the process can be made much lighter, and the time required to solve the problem can be dramatically shortened.

4). Modifications When implementing the system of the present embodiment, various modifications and changes can be made as described so far. For example, when browsing the first browsing screen IMG1, the second browsing screen IMG2, and the third browsing screen IMG3 on the administrator terminal 31a, browsing is possible only with a general-purpose browser installed in the administrator terminal 31a. You may make it.

11 server computer, server 31 client computer, client 111 CPU (server processor)
114 HDD (first to fourth storage devices)
311 CPU (client processor)
NT network IMG1 first browsing screen IMG2 second browsing screen IMG3 third browsing screen IMG2a login list screen (second browsing screen)
IMG2b management tool usage list screen (second browsing screen)
IMG2c database usage list screen (second browsing screen)
IMG2d file usage list screen (second browsing screen)
IMG3a login logout log screen (third viewing screen)
IMG3c database usage log screen (third viewing screen)
IMG3d file transfer log screen (third viewing screen)
OJ1 first object OJ2 second object

Claims (14)

A virtual information space based on data stored in a first storage device managed by a server computer (hereinafter referred to as a server) can be accessed from a client computer (hereinafter referred to as a client) via a network. In the information provision system to
The security information is authentic for the client in which the processor of the server transmits a login request to the information space with login data that is a combination of user information for identifying a user and predetermined security information. Means for logging in to the information space on the condition of,
Means for allowing the processor of the server to access the information space in response to an access request from the logged-in client;
Means for logging out the logged-in client from the information space, wherein the processor of the server sends a logout request from the information space;
With respect to the login / logout request and the access request being logged in sent from the client by the server processor, the user information accompanying the login request, the date / time information of the request, and the login request Generating a log including first access information indicating whether or not the login data is authentic, and storing the log in a second storage device;
The processor of the server generates, from the log, first browsing data indicating whether or not the information space is used for each user together with the date and time information and the first access information, and a third storage Means for storing in the device;
Means for transmitting and outputting the first browsing data to the requesting client in response to a request satisfying a predetermined condition for an administrator by the server processor;
The processor of the client sorts the presence or absence of use of the information space included in the received first browsing data in the form of a matrix display of users and dates, and the use of the information space Means for displaying and outputting a first browsing screen showing different display modes when the login data is authentic and when it is not authentic;
An information providing system comprising: The server processor is:
The login data combining the security information and the user information of the user is used as the security information, with a password having a predetermined validity period issued to the user who applied for permission to access the information space in advance as a fourth information. Register and manage in storage device
If the login request is accompanied by a password within the validity period, the security information is determined to be authentic, and the client is logged into the information space.
Determining whether or not the login data is authentic based on whether or not the login data accompanying the login request is registered in the fourth storage device, and generating the first access information;
The information providing system according to claim 1. The server processor is:
The log and the first browsing data include second access information indicating that the use of the information space using the password was not within the validity period after the password having a valid validity period was issued. Not
The client processor is:
Regarding the absence of use of the information space in the first browsing screen, the case where it is shown in the second access information and the case where it is not shown are shown in different display modes.
The information providing system according to claim 1 or 2, characterized in that The server processor is:
Generating the first browsing data by dividing the login and logout request and the access request for one user;
The client processor is:
Displaying and outputting the first browsing screen in a form in which the login / logout request and the access request are separated for one user;
The information providing system according to any one of claims 1 to 3, wherein The server processor is:
The access request is further divided into an access request for database use and an access request for file transfer to generate the first browsing data,
The client processor is:
Displaying and outputting the first browsing screen in a form in which an access request for using the database and an access request for file transfer are separated for one user;
The information providing system according to claim 4, wherein: The server processor is:
Register and manage the access contents specified in the prior application for permission to access the information space in the fifth storage device,
Third access information indicating whether or not the content of the access request from the client that is logged in matches the pre-applied access content registered in the fifth storage device includes the log and the first access information. In your browsing data,
The client processor is:
Regarding the use of the information space in the first browsing screen, the display mode differs depending on whether or not the access request matches the access content previously applied according to the third access information. Show
6. The information providing system according to claim 4 or 5, wherein Means for generating, from the log as a source, second browsing data indicating whether or not the information space is used for each user together with the date and time information, and storing the second browsing data in the third storage device; ,
Means for causing the processor of the client to include a first object in the first browsing screen for designating one user and instructing the server to transmit the second browsing data;
Means for the processor of the server to transmit and output the second browsing data of the designated one user to the requesting client in response to an instruction by the first object;
Means for displaying and outputting as a second browsing screen in a form in which the processor of the client indicates whether or not the information space included in the received second browsing data is used in order of date and time;
The information providing system according to any one of claims 1 to 3, further comprising: The server processor is:
Generating the first browsing data and the second browsing data by dividing the login and logout request and the access request for one user;
The client processor is:
Displaying and outputting the first browsing screen and the second browsing screen in a form in which the login and logout requests and the access request are separated for one user;
The information providing system according to claim 7. The server processor is:
Dividing the access request into an access request for database use and an access request for file transfer to generate the first browsing data and the second browsing data;
The client processor is:
Displaying and outputting the first browsing screen and the second browsing screen in a form in which an access request for using the database and an access request for file transfer are separated for one user;
The information providing system according to claim 8. The server processor is:
Register and manage the access contents specified in the prior application for permission to access the information space in the fifth storage device,
Third access information indicating whether or not the content of the access request from the client that is logged in matches the pre-applied access content registered in the fifth storage device includes the log and the first access information. In your browsing data,
The client processor is:
Regarding the use of the information space in the first browsing screen, the display mode differs depending on whether or not the access request matches the access content previously applied according to the third access information. Show
The information providing system according to claim 8 or 9, characterized in that Means for causing the client processor to include in the second browsing screen a second object for designating a date and time and instructing the server to send and output the log;
Means for the processor of the server to send and output the log at a designated date and time to the client of the request source in response to an instruction from the second object;
Means for displaying and outputting the received log as a third viewing screen by the processor of the client;
The information providing system according to any one of claims 7 to 10, further comprising: The server comprises a distributed system that individually includes the first storage device and executes login / logout and access permission to the information space for the client. The distributed system includes:
A process of generating the log and storing it in the second storage device is executed on each of the servers,
Executing the process of aggregating the logs into one server and generating the first browsing data by the one server and transmitting it to the client;
The information providing system according to any one of claims 1 to 6, wherein The server comprises a distributed system that individually includes the first storage device and executes login / logout and access permission to the information space for the client. The distributed system includes:
A process of generating the log and storing it in the second storage device is executed on each of the servers,
The log is collected in one server, and the one server generates the first browsing data and the second browsing data, and executes a process of transmitting and outputting to the client.
The information providing system according to any one of claims 7 to 10, wherein The server comprises a distributed system that individually includes the first storage device and executes login / logout and access permission to the information space for the client. The distributed system includes:
A process of generating the log and storing it in the second storage device, and a process of transmitting and outputting the log to the requesting client according to an instruction from the second object are executed by each of the servers. ,
The log is collected in one server, and the one server generates the first browsing data and the second browsing data, and executes a process of transmitting and outputting to the client.
The information providing system according to claim 11.

Images