JP6180166B2 - Information processing apparatus, system, copy operation detection method, and computer program - Google Patents

Description

  The present invention relates to a technique for detecting a file copy operation.

  Windows (registered trademark) provided by Microsoft Corporation in the United States is an operating system (hereinafter referred to as OS) that is widely used. Therefore, there are many malicious programs that attack it. In addition, there are many applications that protect the system from malicious programs. For the purpose of maintaining security, it is important to detect access to the file system (for example, file creation, deletion, copying, etc.) via various applications. Patent Document 1 describes a technique for detecting access to a file system using a file operation API (Application Program Interface) provided by Windows (registered trademark).

JP 2007-48310 A

  In the invention described in Patent Document 1, it is necessary to register and monitor all APIs (CreateFileA, CloseHandle, CopyFileA, etc.) involved in file operations as hook targets. Moreover, in patent document 1, the file operation which does not use API cannot be detected. Furthermore, in Patent Document 1, since the API is a hook target, it depends on the application. As described above, the invention described in Patent Document 1 has several problems.

  Therefore, an object of the present invention is to solve at least one of the above problems and other problems. For example, an object of the present invention is to detect even a file copy operation by an application that executes a file operation without using an API.

The present invention is, for example,
Capture means for capturing a plurality of access requests to a file system from an arbitrary program by a filter driver;
Detecting means for detecting a copy operation on the file based on whether the order of the plurality of access requests captured by the capturing means is a specific order ;
Extracting means for extracting optional information accompanying the access request captured by the capturing means;
Counting means for incrementing the count value by one when the option information extracted by the extracting means is a specific type of option information and the count value is a predetermined value;
Have
The detection means includes
When the order of the plurality of access requests captured by the capturing unit is a specific order and the number of the plurality of access requests captured by the capturing unit is a specific number, a copy operation is performed on the file. Determine that it is about to be executed, and
When the count value counted by the counting means from the time the file subject to the access request is opened until it is closed is a value specific to the copy operation, the copy operation will be executed for the file. An information processing apparatus is provided that is characterized in that it is determined that

  According to the present invention, a copy operation is detected based on whether or not the order of issuing a plurality of access requests for a file is a specific order specific to the file copy operation. According to the present invention, since it is not necessary to monitor all APIs involved in file operations, it is not necessary to register all APIs involved in file operations. Furthermore, according to the present invention, it is possible to detect even a file copy operation by an application that executes a file operation without using an API. In addition, if the access request is captured by the filter driver, the effect on the application will be less than that of the prior art.

Block diagram of information processing device (computer) The figure which shows the program structure for detecting the access log to the file system driver Figure showing an example of the file information list Flow chart showing access request acquisition processing Flow chart showing file information list creation processing Flowchart showing file copy operation detection processing The figure which shows the conditions (copy operation detection conditions) for detecting the copy operation for every version of OS Figure showing an example of the copy source file list Diagram showing the timing of access requests involved in copy operations Figure showing an example of access log Diagram showing the program structure for detecting access requests to file system drivers and non-file system drivers Flow chart showing copy prohibition processing Flow chart showing copy prohibition processing

  The present invention captures a plurality of access requests issued from an arbitrary program such as an application, and detects a copy operation based on whether the order of issuing some of the captured access requests is a specific order. It is a feature. A copy operation cannot be detected from each access request among a plurality of access requests. However, when a copy operation is performed, a specific plurality of access requests are issued in a specific order. Therefore, the copy operation can be detected by confirming whether the issuance order of the plurality of captured access requests is a specific order. Although the access request can be captured by a hook, it is more advantageous to capture it by a filter driver. Of course, there is no intention to exclude access request capture by hooks. The point of the present invention is that a file copy is detected based on the order of issuing a plurality of access requests.

  In the following description, a request issued to a file system driver described later is an access request. However, a response (return) from the file system driver to the access request is also included in the access request.

  FIG. 1 shows a block diagram of the information processing apparatus 100 in the present embodiment. The information processing apparatus 100 is an example of a computer that functions as a client apparatus or a server apparatus. The CPU 101 is a control unit that comprehensively controls the entire information processing apparatus 100. The ROM 102 is a storage device that stores a BIOS and a boot program. The RAM 103 is a storage device on which an OS or application is loaded or used as a work area. The network interface 104 is a unit that communicates with a server device or the like via a network. The keyboard 105 and the pointing device 106 are units that input information to the CPU 101 via the USB interface 107. USB is an abbreviation for Universal Serial Bus. A USB memory, an external hard disk device, or an optical disk device may be connected to the USB interface 107. Note that the USB memory is a portable storage device that is used by connecting to a USB connector and has a built-in rewritable nonvolatile memory. The display control unit 109 performs drawing processing of an image to be displayed on the display device 108 in accordance with an instruction from the CPU 101. The storage device 110 is a hard disk device, but may be a USB (Universal Serial Bus) memory, an SSD (Solid State Drive), or the like, and the type thereof is not limited. It is assumed that an OS “Windows (registered trademark)” provided by Macro Software Inc. in the United States has already been installed in the storage device 110 and various computer programs and data files are also stored. It is also assumed that a filter driver described later has already been installed.

  In the above configuration, when the information processing apparatus 100 is powered on, the CPU 101 starts an operation according to the boot program stored in the ROM 102, accesses the storage device 110, and loads the OS onto the RAM 103. Furthermore, the user interface by the keyboard 105, the pointing device 106, and the display device 108 starts to function, and the information processing apparatus 100 functions as various means. At this time, a filter driver installed in the storage device 110 that captures an access request for a file and an analysis program that detects a copy operation and creates a log are also started. As a result, it is possible to monitor access to the file system included in the information processing apparatus 100, obtain an access log, and transfer the access log to a server device on a preset network. The analysis program may be provided in the server device. The functional blocks of the server apparatus are basically the same as those of the information processing apparatus 100.

  FIG. 2 is a diagram showing a program structure for detecting an access log to the file system driver. A file system generally exists for each logical drive. The application 201 accesses the file system via the file system driver 203. The file system driver 203 is a driver for operating a file system such as “NTFS”, “FAT”, and “FAT32”, for example.

  In this embodiment, a filter driver 202 is arranged between the application 201 and the file system driver 203. Since the filter driver 202 can capture all access requests issued to the file system driver 203 and responses (access requests) issued from the file system driver 203 to the access requests, it is included in the captured access requests. Information can be extracted, modified, and access requests can be discarded. Usually, the filter driver 202 transfers the access request to the file system driver 203. The filter driver 202 extracts information included in the access request and transfers it to the analysis program 204. Accordingly, the analysis program 204 can create an access log indicating when and what file the application 201 operated by the user has accessed. In particular, the analysis program 204 of the present embodiment detects a copy operation based on whether the order of a plurality of access requests captured by the filter driver 202 functioning as a capturing unit is a specific order. Depending on the timing at which the analysis processing is executed, the copy operation may be in progress for the file, or the copy operation may be completed. As described above, depending on the timing, the present embodiment can detect (estimate) that the copy operation is being performed or that the copy operation has been performed.

  In the prior art, the copy operation is detected by monitoring all APIs related to the file operation with hooks, but this has the problems described above. By the way, a plurality of access requests are issued in the file operation, but it is not known whether the copy operation has been executed with only one access request. The inventor has analyzed that when a copy operation is executed, a specific plurality of access requests are issued from the application 201 in a specific order. Therefore, if the CPU 101 detects that a plurality of access requests are issued in a specific order, it can be estimated that the copy operation is being executed or has been executed.

  In FIG. 2, an application 201 is an application program such as a document editing application or a spreadsheet application, but may be a virus program. The filter driver 202 intercepts an access request from the application 201 to the file system driver 203 and transfers information extracted from the access request to the analysis program 204. Here, as information transferred to the analysis program 204, information that can specify which application (eg, process name) and which file (eg, file name including path name) of which file system has made an access request. It is.

  For example, assume that the application 201 creates a file B by copying a file A. In this case, the filter driver 202 has an access request for opening the file A (example: IRP_MJ_CREATE), an access request for closing the file A (example: IRP_MJ_CLEANUP), and an access request for acquiring the file information of the file A ( Example: IRP_MJ_QUERY_INFOMATION) and access requests such as access requests for setting file information (example: IRP_MJ_SET_INFOMATION) are intercepted (intercepted).

  The analysis program 204 may also use information such as the user name that started the application 201, the copy source file name, the copy destination file name, and the copy end date and time. The copy source file is an original file to be copied, and the copy destination file is a file copied from the original file.

Information notified from the filter driver 202 to the analysis program 204 will be described in more detail. The information can include, for example, the following information.
-File identification ID (ID that can identify the file such as file object, file handle, full path, file name, hash value)
-Session ID of the user who performed the file operation (used to specify the login user name)
Application process ID (used to identify the process name)
-File operation time (copy start time and copy end time)
Access request name (the name of the access request issued to operate the file, such as IRP_MJ_CREATE described above)
The analysis program 204 receives the access request captured by the filter driver 202, creates an access log, and analyzes the access log. Also, the filter driver 202 passes the access request intercepted from the application 201 to the file system driver 203. Thus, the file system driver 203 can receive the access request from the application 201 and execute processing corresponding to the access request. In other words, the access request from the application 201 is passed to the file system driver 203 that is the initial destination, whereby access to the file system is executed.

  FIG. 3 is a diagram illustrating an example of the file information list. The analysis program 204 creates the file information list 300 based on the information received from the filter driver 202. The file information list 300 is a list that holds one or more file information 301 created based on an access request. The file information 301 includes time information indicating a file operation time, a file name, a session ID, a process ID, an access request list (hereinafter referred to as an access request list 302), a thread ID, and the like. The access request list 302 is a list that holds an access request name accompanying the access request and option information. Further, in order to distinguish each file information 301, a unique file identification ID 303 is given to each file information 301.

  FIG. 4 is a flowchart showing access request acquisition processing executed by the CPU 101 in accordance with the filter driver 202.

  In step S401, the CPU 101 creates an empty record for passing data (file information list) to the analysis program 204, and issues a file identification ID for identifying the file and assigns it to the record. Hereinafter, the data acquired by the filter driver 202 is added to this record. The file identification ID may be data as described above.

  In step S <b> 402, the CPU 101 captures an access request issued from the application 201 to the file system driver 203.

  In step S403, the CPU 101 acquires a session ID, access request name, option information, process ID, thread ID, and current time (date / time data) of the application 201 based on the captured access request and adds them to the record. The session ID is identification information issued by the OS when the user logs in. The process ID is identification information for the OS to identify the currently executed process, and is a unique identifier for each process. The thread ID is unique identification information for identifying each of a plurality of threads executed by the process. The current time is obtained from, for example, an RTC (real time clock). Information that is not included in the access request is acquired from the OS by the access request argument or return value. The time information includes, for example, time information when an access request for opening a file (example: IRP_MJ_CREATE) is issued, and time information when an access request for closing a file (example: IRP_MJ_CLEANUP) is issued. May be included.

  As shown in FIG. 3, the access request list is issued after an access request for opening a file (eg, IRP_MJ_CREATE) is issued until an access request for closing the file (eg, IRP_MJ_CLEANUP) is issued. For all access requests (eg, IRP_MJ_QUERY_INFORMATION and IRP_MJ_SET_INFORMATION), the access request name and option information are recorded. When the CPU 101 acquires the above information from the access request, the CPU 101 transfers the access request to the file system driver 203.

  In step S404, the CPU 101 acquires the file name of the file that is the target of the access request from the access request and adds it to the record.

  In step S <b> 405, the CPU 101 transmits the created record to the analysis program 204.

  Note that the timing of transmission to the analysis program 204 is not limited to every time a record is created, but may be every predetermined time. In that case, records may be collected and transmitted to the analysis program 204 for each access request (for example, IRP_MJ_CREATE).

  FIG. 5 is a flowchart showing the creation processing of the file information list 300 executed by the CPU 101 according to the analysis program 204.

  In step S <b> 501, the CPU 101 receives a record about an access request list from the filter driver 202. At this time, the CPU 101 may create an empty data structure for adding a record to the file information list and add the contents of the record to the data structure.

  In step S502, the CPU 101 extracts a file identification ID, a file name, a process ID, a session ID, an access request name, option information, a thread ID, time information, and the like from the record.

  In step S503, the CPU 101 creates file information 301 from the extracted information. For example, the CPU 101 adds a file identification ID, file name, process ID, session ID, thread ID, time information, and the like extracted from the record to the data structure. Further, the CPU 101 creates an access request list 302 from the access request name and option information and adds it to the data structure. Note that the CPU 101 may acquire the process name corresponding to the process ID from the OS and add it to the data structure. Similarly, the CPU 101 may acquire the login user name based on the session ID and add it to the data structure.

  In step S <b> 504, the CPU 101 registers (adds) the created data structure in the file information list 300.

  When the filter driver 202 creates and transmits one record for each access request, from the record related to the request to open the file (example: IRP_MJ_CREATE) to the record related to the request to close the file (example: IRP_MJ_CLEANUP) A plurality of records having the same file identification ID are registered in the same file information. An access request or the like for requesting file information is issued from the timing when the request to open the file is issued to the timing when the request to close the file is issued. Therefore, these access requests are also registered in the access request list 302 in the same file information as long as the file identification IDs match.

  The CPU 101 adds an access request name and option information to the access request list 302 so as to start with a request to open a file (for example, IRP_MJ_CREATE) and end with a request to close the file (for example, IRP_MJ_CLEANUP). Note that the items included in the file information 301 are examples, and the CPU 101 may acquire a process name (application name) from the OS based on the process ID and store the process name (application name) in the file information 301.

  When the CPU 101 detects that the process corresponding to the process ID included in the file information has ended, the CPU 101 may delete the file information from the file information list 300. Thereby, the enlargement of the file information list 300 can be suppressed. Of course, it may be deleted at a later timing or may not be deleted.

  FIG. 6 is a flowchart showing a file copy operation detection process executed by the CPU 101 in accordance with the analysis program 204.

  In step S <b> 601, the CPU 101 selects one file information 301 from the file information list 300 stored in the storage device 110, and further extracts one data (access request) from the access request list 302 of the file information 301. Here, it is assumed that the file information 301 is selected one by one from the oldest registered order among the plurality of file information 301 registered in the file information list 300. In the access request list, two or more access requests from a file open request to a file close request are registered. Therefore, data (access request name and option information) related to the request to open the file is first extracted from the access request list.

  In step S602, the CPU 101 determines whether option information of a request to open the extracted file (for example, IRP_MJ_CREATE) indicates “open”. For example, if the option information is FILE_OPENED, it means that the file is open. If the option information is FILE_CREATED, it means that a new file is created. If the file is open, the process proceeds to S603, and if the file is not open, the process proceeds to S610. For example, in FIG. 3, when the file information 301 having the file identification ID A is read, the process proceeds to S603. On the other hand, in FIG. 3, when the file information 301 having the file identification ID A ′ is read, the process proceeds to S610.

  In step S <b> 603, the CPU 101 extracts data of the next access request from the access request list 302.

  In step S <b> 604, the CPU 101 determines whether the access request name is an access request name (for example, IRP_MJ_QUERY_INFOMATION) for acquiring file information. If the access request name is an access request name for acquiring file information, the process proceeds to S605, and if it is any other access request name, the process proceeds to S607.

  In step S <b> 605, the CPU 101 determines whether the current count value (initial value is zero) of the counter for detecting the copy operation and the option information satisfy a condition for counting up the counter. As described above, when a file copy operation is executed, a specific plurality of access requests are issued in a specific order. For example, when the count value is 0, if the option information is option information (for example, FileAttributeTagInformation) meaning that the file attribute is acquired, the CPU 101 determines that the count-up condition is met. On the other hand, when the count value is 1, if the option information is option information (for example, FileStandardInformation) which means that file information is inquired, the CPU 101 determines that the count-up condition is met. If the count value is not 0, even if the option information is FileAttributeTagInformation, the CPU 101 does not determine that the count-up condition is met. Similarly, when the count value is not 1, even when the option information is FileStandardInformation, the CPU 101 does not determine that the count-up condition is met. Note that the count-up condition is different between Windows (registered trademark) Vista and later versions of OS and older versions of OS.

  For example, when the OS is an OS older than Windows (registered trademark) Vista, the following count-up conditions are set.

  When the count value is 0 and the option information is FileAttributeTagInformation, the count value is changed to 1.

  If the count value is 1 and the option information is FileStandardInformation, the count value is changed to 2.

  If the count value is 2 or 4, and the option information is option information (FileBasicInformation) for inquiring or setting file information, the count value is incremented by +1.

  If the count value is 3 and the option information is option information (FileStreamInformation) for enumerating data streams of files and directories, the count value is incremented by +1.

  If the count value is 5 and the file information is option information (FileEaInformation) for acquiring the size of the extension information of the file, the count value is increased to +1.

  These mean that the order of requests for obtaining file information registered in the access request list is also related to the count-up. That is, when the option order of the request for obtaining the file information is FileAttributeTagInformation-> FileStandardInformation-> FileBasicInformation-> FileStreamInformation-> FileBasicInformation-> FileEaInformation, the value is counted.

  In this way, the CPU 101 counts up, so that it can be determined from the count value of the counter that a certain specific plurality of access requests are issued in a specific order.

  FIG. 7 shows conditions (copy operation detection conditions) for detecting a copy operation for each version of the OS. When the OS is a version prior to Windows (registered trademark) Vista (for example, XP, 2000, etc.), it is recognized that the copy operation has been executed when the count value of the counter named count 1 is 6 (detection or detection). This is a condition for estimating. When the OS is a version of Windows (registered trademark) Vista or later, a plurality of specific access requests are assigned in a specific order by using five counts 1, 2, 3, 3, 4, and 5. It can be determined that it has been issued.

  If the count-up condition is satisfied, the process proceeds to S606, and the CPU 101 increments the counter value by one. If the count-up condition is not satisfied, the process advances to step S603, and the CPU 101 reads the next data from the access request list.

  In step S <b> 607, the CPU 101 determines whether the access request name is an access request name that means a request to close a file. If the access request name is not an access request name that means a request to close a file, the process returns to S603, and the CPU 101 reads the next data from the access request list. On the other hand, if the access request name is an access request name (eg, IRP_MJ_CLEANUP) indicating a request to close the file, the process proceeds to S608.

  In step S608, the CPU 101 determines whether the count value satisfies the copy operation detection condition. If the count value does not satisfy the copy operation detection condition, this process ends. On the other hand, if the count value satisfies the copy operation detection condition, the process proceeds to S609. If the count value satisfies the copy operation detection conditions, a new file is created by copying the file as the copy source (that is, the copy is about to be executed (during copying), or the copy is executed) The possibility is very high. At this point, it cannot be specified which file is a new file created by the copy operation, and only the copy source file can be specified. However, it can be detected that the copy operation is being executed.

  In step S <b> 609, the CPU 101 adds, to the copy source file list, the file identification ID (for example, file identification ID: A) that is the target of the current process as a file identification ID that indicates the copy source file. To do. A part of the file information may be registered as it is in the copy source file list, or only the file identification ID may be registered. This is because the file information 301 can be acquired from the file information list 300 using the file identification ID as a search key.

  FIG. 8 is a diagram showing an example of the copy source file list. The CPU 101 reads the file opening time, file closing time, file name, process name, process ID, and thread ID from the file information, and registers them in the copy source file list. The process name may be omitted, or the process name may be specified from the process ID and added to the copy source file list.

  Next, processing when the option information of the request to open the file extracted in S602 (for example, IRP_MJ_CREATE) does not indicate “open” will be described. This is a process for an access request for a new copied file.

  In step S610, the CPU 101 extracts data from the copy source file list illustrated in FIG. At this time, data (file information 301) of another file identification ID (file identification ID: A ′) is extracted from the file information list 300. Therefore, the data of the copy source file list and the data of the file identification ID: A ′ are compared in the subsequent processing. Note that the file identification ID: A ′ may be the file identification ID of a new file copied from the copy source file.

  In step S611, the CPU 101 determines whether data exists in the copy source file list. If there is no data in the copy source file list, this process ends. On the other hand, if data exists, the process proceeds to S612.

  In step S612, the CPU 101 determines whether both the process ID and thread ID included in the data of the copy source file list match the process ID and thread ID included in the data of the file identification ID: A ′. Determine. That is, the CPU 101 matches the process ID of the copy source file list with the process ID of the file identification ID: A ′, and matches the thread ID of the copy source file list with the thread ID of the file identification ID: A ′. Determine whether or not. If the process ID and the thread ID match, the process proceeds to S613. If the process IDs do not match or the thread IDs do not match, the process returns to S610, and the next data is extracted from the copy source file list.

  In step S613, the CPU 101 determines whether the time data read from the copy source file list matches a predetermined time condition. For example, the CPU 101 compares the open / close time of the copy source file stored in the data extracted from the copy source file list with the open / close time of the file identification ID: A ′.

  FIG. 9 shows the access request timing for the copy source file A and the access request timing for the copy destination file A 'when the copy operation is executed. The copy destination file is a file generated by copying from the copy source file.

  As shown in FIG. 9, when a copy operation is executed, the copy source file A is opened at time t1, and the copy destination file A 'is opened at time t2. Thereafter, the copy source file A is closed at time t3, and the copy destination file A 'is closed at time t4. Therefore, in S613, the opening time t2 of the copy destination file A ′ read from the file information list 300 is later than the opening time t1 of the copy source file A read from the copy source file list, and the copy source file A It is determined that it is before the closing time t3 and the closing time t4 of the copy destination file A ′ is later than the closing time t3 of the copy source file A (t1 <t2 <t3 <t4). ). If the time condition does not match, the process returns to S610 to extract the next data. If the time condition is met, the process proceeds to S614. When detecting in real time, it will be detected that at least t1 <t2 <t3. This is because the copy operation may not be completed.

  In step S <b> 614, the CPU 101 adds file information to the file access log and ends this process.

  FIG. 10 is a diagram illustrating an example of an access log. The CPU 101 writes the user name acquired from the OS based on the session ID in the access log. The CPU 101 writes the process name acquired from the file information 301 of the copy destination file A ′ in the access log. The CPU 101 writes a message “file copy” indicating that a file copy has been detected in the operation column. The CPU 101 writes the file name of the copy source file A read from the copy source list in the access log. The CPU 101 writes the file name acquired from the file information 301 of the copy destination file A ′ into the access log. Further, the CPU 101 writes the time information (information indicating the date / time when the file was opened / closed) acquired from the file information 301 of the copy destination file A ′ into the access log.

  In the above embodiment, the time information is compared, but other information may be used. For example, the CPU 101 may assign sequence numbers when detecting an access request for opening a file and an access request for closing a file, and may compare the magnitudes of the sequence numbers. In other words, since the sequence number increases with the passage of time, it is possible to determine before and after the time by determining the magnitude of the sequence number.

  As described above, according to the present embodiment, when a plurality of access requests for a file are issued in a specific order specific to the file copy operation, the copy operation is about to be executed or the copy operation is executed. recognize. According to the present embodiment, since it is not necessary to monitor all APIs involved in file operations, it is not necessary to register all APIs involved in file operations. Furthermore, according to the present embodiment, even a file copy operation by an application that executes a file operation without using an API can be detected. Also, if the access request is captured by the filter driver, the effect on the application will be less than that of the hook.

  Note that the CPU 101 is about to execute a copy operation on a file when the order of the plurality of captured access requests is a specific order and the number of the plurality of captured access requests is a specific number. It may be estimated that As described above, when the count value of the counter when the access request for closing the file is issued is a predetermined value (6 if the OS is earlier than Windows (registered trademark) Vista), the copy operation is performed. It can be detected that it has been executed.

  As described above, whether a plurality of access requests for a file are issued in a specific order can be determined using a counter. The counter may be realized by hardware or may be realized by software such as a variable. That is, the CPU 101 increases the count value by one when the captured access request is a specific type of access request. Then, the CPU 101 determines whether the copy operation is being executed for the file when the count value counted from when the file requested for access is opened until it is closed is a value specific to the copy operation. Determine that the operation is complete.

  The access request has an access request name and option information. Therefore, the CPU 101 monitors the order of a plurality of access requests by paying attention to the access request name and option information. The CPU 101 extracts option information accompanying the access request, and when the extracted option information is a specific type of option information and the count value is a predetermined value, the count value is incremented by one. As a result, the CPU 101 can determine that a plurality of specific access requests have been issued in a specific order. Note that one of the specific types of option information may be option information indicating that the access request is a file information acquisition request.

  In this way, by monitoring an access request for a copy source file, it is possible to detect that the file has been copied. However, it is impossible to specify which file is newly created by the copy operation. Therefore, the process ID, thread ID, and date / time information of the copy source file (first file) are compared with the process ID, thread ID, and date / time information of the file (second file) that may have been created by copying. By doing so, the copy destination file can be detected. If the copy destination file can be detected, it is possible to effectively prohibit the copy operation by deleting it later. That is, the CPU 101 may function as a deletion unit that deletes a new file created by the copy operation when the copy operation is detected. Further, the CPU 101 may function as a stopping unit that stops the copy operation when the copy operation is detected in real time. That is, when the copy destination file is specified, the CPU 101 may capture an access request for the copy destination file by the filter driver 202 and discard it. In this case, a part of the copy source file may have been copied, but the remaining part could be prohibited from being copied. Also at this time, the CPU 101 may delete an incomplete copy destination file.

  When the CPU 101 analyzes the file information list and detects a copy operation, the CPU 101 may function as a log creation unit that creates a log including the path name of the file that is the target of the copy operation. The log contains the pathname of the file, which can be useful for identifying the path of the virus. In particular, if you record the name of the process that performed the copy operation in the access log, you will know where the virus process copied the file from. This will also help in understanding the route of information leakage. Also, if the copied file is a virus program, it is possible to identify the path from which the virus program has been copied since it can be known from which path the virus program was copied. If the copy date and time is stored in the access log, the intrusion route of the virus program may be backtraced according to the date and time information.

  In the present embodiment, the filter driver 202 and the analysis program 204 are installed in the information processing apparatus 100. However, the analysis program 204 may be installed in another information processing apparatus 100 (that is, a server apparatus). Good. In this case, the record created by the filter driver 202 is transmitted via the network interface 104 to the analysis program 204 operating on the server device. The server apparatus analysis program 204 analyzes a record received from the information processing apparatus 100 as a client apparatus, detects a copy operation, and creates an access log. The hardware configuration of the server apparatus may be the same as the hardware configuration of the information processing apparatus 100.

  In this embodiment, the filter driver 202 and the analysis program 204 have been described as different program structures, but they may be the same. In addition, the filter driver 202 and the analysis program 204 include the above-described plurality of functions, but these functions may be included in either the filter driver 202 or the analysis program 204. Alternatively, some functions may be arranged in the third program.

<Access request acquisition processing>
In the above-described embodiment, it has been described that the access request to the file through the file system driver is detected. However, the filter driver 202 detects a copy operation by capturing an access request to a file on a removable medium connected via the USB interface 107 or an access request to a file via the network interface 104. Also good.

  FIG. 11 shows a program structure for detecting an access request to the file system driver and the non-file system driver. As can be seen from comparison with FIG. 2, in FIG. 11, the filter driver 202 also captures access requests to the non-file system driver 1101. The non-file system driver 1101 is a driver that controls the network interface 104 or a disk system that is connected to the USB interface 107. As described above, the non-file system driver 1101 is a driver that controls a file system created on a removable medium or a network drive. The file system driver 203 is a driver that controls a file system included in a hard disk device built in the information processing apparatus 100. When the non-file system driver 1101 is a driver that controls the network interface 104, the filter driver 202 may capture an access request regarding a file transmitted or received through the network interface 104. This means that a file copied by a terminal service or FTP service can be detected.

  In this way, the filter driver 202 captures an access request for not only the file system driver 203 but also the non-file system driver 1101 and passes it to the analysis program 204. Thereby, the analysis program 204 can also detect a copy operation executed between the file system driver 203 and the non-file system driver 1101. The detection procedure at this time is the same as the procedure already described.

  As shown in FIG. 10, when the copy source file is a file stored in the network drive (for example, \\ oka \\ moto \\ Arrest.xls), or when the copy destination file is a removable medium (example) : E: Escape.xls) also detects a copy operation and creates an access log. It is also assumed that not only the copy source file (eg: \\ oka \\ moto \\ Release.xls) but also the copy destination file (eg: E: Release.xls) is executed through the non-file system driver 1101. However, in the present embodiment, such a copy operation can also be detected.

  Thus, when a file is copied to an external storage medium such as a removable medium, the CPU 101 may display a warning message to the user through the display device 108. In this way, it may be possible to suppress taking out confidential texts and the like.

<Prohibit copy operation>
A copy prohibition list indicating files that are prohibited from being copied is stored in the storage device 110 in advance. As shown in FIG. 12, when a copy operation is detected in S608, the process proceeds to S1201. Note that the copy prohibition list is not limited to information (for example, a file name) indicating a file whose copy operation is prohibited, and may be a specific user or a specific process.

  In step S1201, the CPU 101 determines whether the file name of the copy source file that is the target of the copy operation is registered in the copy prohibition list. If the file name of the copy source file subject to the copy operation is registered in the copy prohibition list, the process proceeds to S1202. In step S1202, the CPU 101 executes copy prohibition processing. For example, the CPU 101 may turn off the power of the information processing apparatus 100 (shut down) or forcibly stop the process that executed the copy operation.

  Instead of executing this, as shown in FIG. 13, in step S1301, the CPU 101 determines whether the file name of the copy source file is registered in the copy prohibition list. If the file name of the copy source file is registered in the copy prohibition list, the process proceeds to S1302. Otherwise, the process proceeds to S614.

  In step S1302, the CPU 101 executes a copy prohibition process. For example, the CPU 101 causes the filter driver 202 to discard the access request for the copy destination file determined in S610 to S613. As a result, the copy operation can be stopped halfway. Further, the CPU 101 may forcibly delete the copy destination file that has been copied halfway. After that, in S614, the CPU 101 registers in the access log that the copy operation is about to be executed, that the copy operation is prohibited, and that the copy destination file is deleted.

  As described above, according to the present embodiment, by monitoring an access request, a copy operation of a copy prohibited file can be detected and a copy prohibition process can be executed. As a result, information leakage can be suppressed.

  In the embodiment of the present invention, Windows (registered trademark) has been described as an example. However, the present invention can be similarly applied to any OS in which a plurality of specific access requests are issued in a specific order when a file copy operation is executed.

  In FIG. 12 and FIG. 13, the copy prohibition list indicating the files that are prohibited from being copied is stored in advance and the copy prohibition file copy prohibition process is executed. However, the copy prohibition list is not stored in advance. It is also possible to execute copy prohibition processing.

  Specifically, in S609 of FIG. 13, the CPU 101 registers the file information of the copy source file that is the target of the copy operation in the copy prohibition list. In step S610, data is extracted from the copy prohibition list. If the time conditions match in step S613 (YES in step S613), the CPU 101 executes copy prohibition processing.

  As described above, by executing the copy prohibition process without storing the copy prohibition list in advance, a copy operation for an unknown file can be prohibited, and information leakage can be further suppressed.

Claims (11)

Capture means for capturing a plurality of access requests to a file system from an arbitrary program by a filter driver;
Detecting means for detecting a copy operation on the file based on whether the order of the plurality of access requests captured by the capturing means is a specific order ;
Extracting means for extracting optional information accompanying the access request captured by the capturing means;
Counting means for incrementing the count value by one when the option information extracted by the extracting means is a specific type of option information and the count value is a predetermined value;
Have
The detection means includes
When the order of the plurality of access requests captured by the capturing unit is a specific order and the number of the plurality of access requests captured by the capturing unit is a specific number, a copy operation is performed on the file. Determine that it is about to be executed, and
When the count value counted by the counting means from the time the file subject to the access request is opened until it is closed is a value specific to the copy operation, the copy operation will be executed for the file. An information processing apparatus characterized in that it is determined that Capture means for capturing a plurality of access requests to a file system from an arbitrary program by a filter driver;
Detecting means for detecting a copy operation on a file based on whether the order of the plurality of access requests captured by the capturing means is a specific order;
Have
The detection means includes a process ID, a thread ID, and a date and time extracted based on an access request for a newly created second file, and the order of a plurality of access requests for the first file is a specific order and information about, the first file of the process ID, when the information and matches about the thread ID and the date and time, determining that the said copy of the first file a second file is created A characteristic information processing apparatus. Wherein one of the option information of a particular type, the information processing apparatus according to claim 1, wherein the access request and wherein the optional information indicating a request for file information. When said detecting means detects copy operation, any one of claims 1, further comprising a log creation means for creating a log including the path name of the file that is the target of a copy operation 3 The information processing apparatus described in 1. Wherein when the detecting means detects the copy operation, the information processing apparatus according to any one of claims 1, further comprising a stop means for stopping the copy operation 3. Wherein when the detecting means detects the copy operation, the information processing apparatus according to any one of claims 1 to 3, further comprising a deleting means for deleting a new file created by the copy operation. The computer program for functioning a computer as each means of the information processing apparatus of any one of Claims 1 thru | or 6 . A capturing step in which a capturing means captures a plurality of access requests to a file system from an arbitrary program by a filter driver;
Detecting means, a detection step sequence of a plurality of access requests captured in said capturing step is based on whether a particular order, to detect a copy operation for the file,
An extracting step for extracting optional information accompanying the access request captured by the capturing unit in the capturing step;
A counting step in which the counting means increments the count value by one when the option information extracted by the extraction means in the extraction step is a specific type of option information and the count value is a predetermined value. When
Have
In the detection step, the detection means includes
When the order of the plurality of access requests captured by the capturing unit in the capturing step is a specific order, and the number of the plurality of access requests captured by the capturing unit in the capturing step is a specific number And determining that a copy operation is about to be performed on the file, and
When the count value counted by the counting means from the time the file subject to the access request is opened until it is closed is a value specific to the copy operation, the copy operation will be executed for the file. A copy operation detection method, characterized in that it is determined that the copy operation is performed. A capturing step in which a capturing means captures a plurality of access requests to a file system from an arbitrary program by a filter driver;
  A detecting step for detecting a copy operation on the file based on whether the order of the plurality of access requests captured by the capturing unit in the capturing step is a specific order;
Have
  In the detection step, the detection means includes a process ID extracted based on an access request for a newly created second file, and the order of a plurality of access requests for the first file is a specific order. When the information regarding the thread ID and the date and time match the information regarding the process ID, the thread ID and the date and time of the first file, the second file is created by copying the first file. A copy operation detection method characterized by determining that A system having an information processing device and a server device for detecting a copy operation executed in the information processing device,
The information processing apparatus includes:
Having a capturing means for capturing a plurality of access requests to a file system from an arbitrary program by a filter driver;
The server device
Detecting means for detecting a copy operation on a file based on whether the order of the plurality of access requests captured by the capturing means of the information processing apparatus is a specific order ;
Extracting means for extracting optional information accompanying the access request captured by the capturing means;
Wherein the option information extracted by the extracting means is a option information of a particular type, and, when the count value is a predetermined value, have a <br/> with counting means for increasing by one the count value ,
The detection means includes
When the order of the plurality of access requests captured by the capturing unit is a specific order and the number of the plurality of access requests captured by the capturing unit is a specific number, a copy operation is performed on the file. Determine that it is about to be executed, and
When the count value counted by the counting means from the time the file subject to the access request is opened until it is closed is a value specific to the copy operation, the copy operation will be executed for the file. A system characterized by determining that A system having an information processing device and a server device for detecting a copy operation executed in the information processing device,
  The information processing apparatus includes:
  Capture means for capturing multiple access requests to a file system from an arbitrary program by a filter driver
Have
  The server device
  Detection means for detecting a copy operation on a file based on whether the order of the plurality of access requests captured by the capture means of the information processing apparatus is a specific order
Have
  The detection means includes a process ID, a thread ID, and a date and time extracted based on an access request for a newly created second file, and the order of a plurality of access requests for the first file is a specific order. Determining that the second file has been created by copying the first file when the information regarding the process ID, thread ID, and date / time information of the first file match. Feature system.