JP2004206683A - System management device, method and program, management server system and its control process, insurance method, security program, security management method, computer, and server computer - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To facilitate the improvement of security and the proof of damage by a record of a history and automatic transmission to a server about damage in the case of using a network. <P>SOLUTION: An unauthorized access countermeasure function part 1 detects unauthorized access from the outside to a personal computer P based on a preset prescribed pattern, records its access history and transmits the history to a prescribed management server system 10 via the Internet N. An anti-virus function part 3 updates prepared virus definition pattern data by access to a prescribed providing origin server, records the operation history of an anti-virus program for at least detecting a virus by using the virus definition pattern data for a personal computer P and transmits the history to the prescribed server system 10 via the Internet N. <P>COPYRIGHT: (C)2004,JPO&NCIPI

Description

  The present invention provides a system management device, method, and program, management server system, control method, and insurance method that facilitate security improvement and damage verification by recording a history of damage when using the network and automatically transmitting the damage to a server. To provide.

  2. Description of the Related Art In recent years, electronic information processing systems typified by personal computers (personal computers) have been used in environments that are constantly or frequently connected to a communication network such as the Internet due to the spread and low price of always-on connections such as ADSL and FTTH. Has been generalized. In connection with this, in electronic information processing systems in offices and private homes, destruction, stealing, falsification, and startup failure of programs and data due to unauthorized access by intruders such as hackers (crackers) from the Internet side and computer virus infection. Faced with the threat of infringement that causes damage, etc., the number and extent of actual damage is increasing at an accelerating rate, and it is becoming a social problem.

  For example, the number of reported cases of virus infection / detection in Japan in 2001 alone doubled from the previous year to 22,000 or more, and the total damages such as data loss, loss of business opportunity profits, and labor costs required for recovery were tentatively averaged. Even 30,000 yen (one day) will reach 660 million yen, and in the next fiscal year will double to 1,320 million yen, and if the same amount of unauthorized access damages it, it will reach 2,640 million yen. Considering the potential damage and the cost of introducing countermeasure software, the national loss can be much higher than these. Furthermore, the total loss of the world economy due to computer security issues as a whole is estimated to be $ 12.9 billion (more than 1.6 trillion yen) in 2001 alone due to viruses.

In combination with insurance for the amount of damage such as restoration costs, data backup on a server (Patent Document 1), calculation of the amount of damage (Patent Document 2), monitoring of homepage tampering (Patent Document 3), and the like are performed. There are also suggestions.
JP-A-2002-99457 JP-A-2002-83136 JP-A-2002-73969

  However, the conventional techniques described above do not provide a technique for specifically utilizing the information processing capability of the computer itself simply by combining the ex post action and insurance. In addition, since the causes of damage when using the Internet are diverse and complex, it is difficult to prove the causal relationship of what caused and how much damage was caused even if the insurance claim was made ex post facto. There was a problem that the advantage of the combination with insurance was not fully exhibited.

  The present invention has been proposed to solve the above-mentioned problems of the prior art. The purpose of the present invention is to improve the security and reduce the damage by recording the history of damage when using the Internet and automatically transmitting it to the server. An object of the present invention is to provide a system management device, a method and a program, a management server system and a control method thereof, an insurance method, a security program, a security management method, a computer, and a server computer which facilitate verification.

  Another object of the present invention is to effectively counter unknown threats such as a new kind of virus by detecting an illegal event regardless of a so-called virus pattern.

  In order to achieve the above object, a first aspect of the present invention is a system management apparatus that manages an electronic information processing system having a connection device to a communication network as a management target. Detection means for detecting based on a set predetermined pattern, recording the access history, and transmitting the access history to a predetermined management server system via a communication network is realized by control processing of a computer.

  An eleventh aspect of the present invention is directed to a system management method for managing an electronic information processing system provided with a connection device to a communication network as an object to be managed. The computer performs detection processing of detecting unauthorized access to the target based on a predetermined pattern set in advance, recording the access history, and transmitting the history to a predetermined management server system via a communication network. And

  According to a twenty-first aspect of the present invention, the inventions of the first and eleventh aspects are grasped from the viewpoint of a computer program. By controlling an electronic information processing system having a connection device to a communication network, the computer is controlled. In the system management program for managing, the program causes the computer to detect an unauthorized access to the management target from the outside based on a predetermined pattern, record the access history, and record the history via a communication network. And transmits the data to a predetermined management server system.

  In these modes, unauthorized access is detected and recorded, and the history is automatically transmitted to the server and recorded in a database or the like. Therefore, when damage due to unauthorized access occurs, the record should be used as evidence for damage recognition or damage report confirmation. Thereby, it becomes easy to approve whether or not it is covered by insurance.

  According to a second aspect of the present invention, in the system management apparatus according to the first aspect, the connection device includes at least a WAN-side connection port, and the detection unit is provided integrally with the connection device, or the WAN-side connection port The connection device is provided on the WAN side as a device separate from the connection device.

  In this embodiment, the system management device for detecting unauthorized access is provided integrally with a connection device such as a router or a broadband modem with a router function or on the upstream side thereof, so that the efficiency of the entire LAN including a plurality of personal computers is improved. Application is possible.

  According to a third aspect of the present invention, there is provided a system management apparatus for managing an electronic information processing system having a means for connecting to a communication network as a management target, wherein the virus definition pattern data prepared in advance is accessed by accessing a predetermined provider server. Means for updating, and an operation history of an antivirus program that performs at least virus detection using the virus definition pattern data for the management target, and transmits the history to a predetermined management server system via a communication network. Means are realized by control processing of a computer.

  According to a twelfth aspect of the present invention, the invention of the third aspect is grasped from the viewpoint of a method. In a system management method for managing an electronic information processing system having means for connecting to a communication network as a management target, the invention is provided in advance. Updating the virus definition pattern data by accessing a predetermined provider server, and recording the operation history of an anti-virus program that performs at least virus detection using the virus definition pattern data for the management target, Transmitting the history to a predetermined management server system via a communication network by a computer.

  The invention of claim 22 captures the invention of claims 3 and 12 from the viewpoint of a computer program, and controls an electronic information processing system having means for connecting to a communication network by controlling the computer. In a system management program for managing, the program causes the computer to update virus definition pattern data prepared in advance by accessing a predetermined provider server, and use the virus definition pattern data for the management target. It is characterized in that at least an operation history of an antivirus program for detecting a virus is recorded, and the history is transmitted to a predetermined management server system via a communication network.

  In these embodiments, the history of the start of an anti-virus program (anti-virus software) and the history of virus detection are recorded and automatically transmitted to a server and recorded in a database or the like. Providing evidence for confirmation makes it easier to approve whether the product is covered by insurance.

  According to a fourth aspect of the present invention, there is provided a system management apparatus for managing an electronic information processing system having a means for connecting to a communication network as a management target, wherein the system management device detects tampering of system data including a predetermined type of file in the management target, and A means for recording a history and transmitting the history to a predetermined management server system via a communication network is realized by control processing of a computer.

  According to a thirteenth aspect of the present invention, there is provided a system management method for managing an electronic information processing system provided with a means for connecting to a communication network as a management target. It is characterized in that a computer performs processing for detecting falsification of system data including a predetermined type of file, recording the history thereof, and transmitting the history to a predetermined management server system via a communication network.

  The invention of claim 23 captures the invention of claims 4 and 13 from the viewpoint of a computer program. By controlling an electronic information processing system having means for connecting to a communication network, the computer is controlled. In a system management program to be managed, the program causes the computer to detect tampering of system data including a predetermined type of file in the management target, record the history, and transmit the history to a predetermined management server system via a communication network. It is characterized by the following.

  In these embodiments, for system data such as a predetermined type of system file or registry having a predetermined extension, tampering such as rewriting, addition, or deletion is detected, a history is recorded, and the history is automatically transmitted to a server and recorded in a database or the like. Therefore, in addition to unauthorized access and computer virus countermeasures, if there is damage due to insiders, the record of the damage at the time of damage occurrence will be used as evidence for damage recognition and damage report confirmation, so that it can be covered by insurance, etc. Approval becomes easier.

  The invention of claim 5 is a system management apparatus for managing an electronic information processing system provided with means for connecting to a communication network as a management target, wherein a file within a preset range or a copy thereof is added, changed, or deleted. Means for detecting transmission to the outside or copying to a removable drive, recording the history thereof, and transmitting the history to a predetermined management server system via a communication network by computer control processing.

  According to a fourteenth aspect of the present invention, the invention of the fifth aspect is grasped from the viewpoint of a method. In a system management method for managing an electronic information processing system having a means for connecting to a communication network as a management target, a predetermined range is set. Process of adding / modifying / deleting the file or its copy, transmitting to the outside of the system or detecting the copy to the removable drive, recording its history, and transmitting it to a predetermined management server system via a communication network. It is performed by a computer.

  In these aspects, for a predetermined range of files corresponding to a predetermined server, extension, directory, etc., addition / change / deletion, transmission via a communication network, copying to a removable drive is detected, the history is recorded, and the server is recorded. To automatically record the data in a database, etc., and record the widespread damage such as unauthorized access, computer virus, and data leakage, falsification, and destruction due to internal crimes as evidence for damage recognition and damage report confirmation when they occur. This makes it easy to approve whether or not the item is covered by insurance.

  According to a sixth aspect of the present invention, in the system management apparatus according to any one of the first to fifth aspects, means for notifying a predetermined user of any of the detections is realized by a control process of a computer.

  According to a fifteenth aspect, the invention of the sixth aspect is grasped from the viewpoint of a method. In the system management method according to any one of the eleventh to fourteenth aspects, a process of notifying a predetermined user of any one of the detections Is performed by a computer.

  In these modes, the detection of a problem event such as an unauthorized access or a virus is notified to the user by displaying a dialog box or the like, so that it is possible to quickly and easily deal with a backup copy or a request for recovery, thereby improving security.

  According to a seventh aspect of the present invention, there is provided a management server system for receiving and recording at least one of the histories with respect to the system management apparatus according to any one of the first to sixth aspects, after identifying each of them. This is realized by control processing of a computer.

  According to a sixteenth aspect of the present invention, the invention of the seventh aspect is grasped from the viewpoint of a method. In a control method of a management server system, a management target in which the system management method according to any one of the eleventh to fifteenth aspects is executed. In response to this, the computer performs a process of identifying each of them and receiving and recording the transmission of at least one of the histories.

  In these embodiments, the history regarding the threat such as unauthorized access is transmitted to and recorded on a management server system other than the electronic information processing system that is the management target, and the history file is stored on the management target system due to the threat. Even if damage such as deletion of a hard disk or formatting of a hard disk occurs, the progress can be easily confirmed and proved.

  The invention of claim 8 is the management server system according to claim 7, wherein the management target receives at least one of a damage report or a restoration request by a CTI (Computer Telephony Integration) system or a website, and A means for recording a history to be transmitted and a means for outputting all or a part of the history recorded for the management object together with the received content are realized by control processing of a computer. .

  According to a seventeenth aspect of the present invention, the invention of the eighth aspect is grasped from the viewpoint of a method. In the control method of the management server system according to the sixteenth aspect, a CTI (Computer Telephony Integration) system or a website A process for receiving at least one of a damage report or a restoration request, a process for recording a history transmitted from the management target, and the received content, and all or a part of the history recorded for the management target, The output processing is performed by a computer.

  In these modes, the history of the corresponding management target is output together with the contents of the damage report and recovery request received on the CTI system and websites including the call center, so that the response such as recovery support and the insurance claim procedure are smoothly and promptly performed. It is possible to proceed.

  According to a ninth aspect of the present invention, there is provided a system management apparatus for remotely managing an electronic information processing system having a connection device to a communication network as a management target via a communication network. It is characterized in that means for relaying as a proxy server with an object and recording the authentication and access history thereof is realized by control processing of a computer.

  The invention according to claim 18 is an invention in which the invention according to claim 9 is viewed from the viewpoint of a method. In a system management method for remotely managing an electronic information processing system provided with a connection device to a communication network via a communication network as a management target. In addition, a computer performs a process of relaying as a proxy server between the management target and the external device after authenticating access to the management target from outside and recording the authentication and access history.

  In these aspects, security is improved and proof of damage is facilitated by substituting authentication for the management target in the manner of a proxy server having an ASP (Application Service Provider) function.

  A tenth aspect of the present invention is the system management apparatus according to the ninth aspect, further comprising means for transmitting the access history to a predetermined management server system via a communication network.

  According to a nineteenth aspect of the present invention, in the system management method of the eighteenth aspect, the process of transmitting the access history to a predetermined management server system via a communication network is performed. It is characterized by including.

  In these embodiments, the history of authentication and access is transmitted and recorded to another management server system, so that the history is protected even if the authenticated proxy server itself is cracked (intruded).

  The insurance method according to claim 20 is a system management method according to any one of claims 11 to 15, 18, and 19 or a control method of the management server system according to claim 16 or 17, and a management method connected to a communication network. It is characterized by a combination of insurance for damages caused by unauthorized events in the target system.

  In this aspect, by recording the history of damage when using the Internet and automatically transmitting the damage to the server, security is improved and damage verification is facilitated, so that appropriate and effective use of insurance that compensates for damage such as recovery costs Becomes possible.

  According to a twenty-fourth aspect of the present invention, there are provided: a unit for recording registry information indicating a setting in the operation of a computer; a unit for recording installation information on installation and uninstallation of a program in the computer; and a network access function. In a security program that manages unauthorized events including at least one of unauthorized access and virus by controlling a computer, the program causes the computer to periodically or randomly control all or a part of each item in the registry information. Causes the fraudulent event to be detected when the item or the relationship between the item and the installation information satisfies or does not satisfy a predetermined condition. An application program, a process, an event log including information on an event relating to at least one of the unauthorized event and a predetermined security-related matter, and the event log is stored for a predetermined period, and is stored when the unauthorized event is detected; Is transmitted to a predetermined destination.

  The invention according to claim 32 is an aspect of the invention according to claim 24, in which a computer having a network access function records registry information indicating operational settings of the computer, In a security management method for recording installation information relating to installation and uninstallation of a program and managing an unauthorized event including at least one of an unauthorized access and a virus, all or a part of each item in the registry information is periodically or randomly determined. By scanning the information, the unauthorized event is detected when the item or the relationship between the item and the installation information satisfies or does not satisfy a predetermined condition, and the operating system and the application program in the computer are detected. , A process, an event log including information on an event relating to at least one of the unauthorized event and a predetermined security-related item is recorded and stored for a predetermined period, and all of the event logs stored when the unauthorized event is detected are stored. Alternatively, a part is transmitted to a predetermined destination.

  The invention of claim 37 relates to the invention of claims 24 and 32 from the viewpoint of an apparatus, and relates to a means for recording registry information indicating a setting on operation of a computer, and installation and uninstallation of a program in the computer. In a computer having means for recording installation information and a network access function, and managing an unauthorized event including at least one of an unauthorized access and a virus, all or a part of each item in the registry information is periodically updated. Or a means for detecting the unauthorized event when the item or the relationship between the item and the installation information satisfies or does not correspond to a predetermined condition by scanning at random, an operating system and an application in the computer. An event log including information on an event relating to at least one of a program, a process, the unauthorized event, and predetermined security-related matters, and stores the event log for a predetermined period of time; and the event log stored when the unauthorized event is detected. Means for transmitting all or a part of the information to a predetermined destination.

  In these embodiments, unauthorized access and viruses are detected based on the registry information and the installation information. Therefore, even if there is no so-called virus pattern or its update, it is easy to check the defense and damages caused by other responsibilities. It is a target. In addition, by recording the event log and transmitting the event log in a predetermined manner, evidence for confirming the extent and liability of the damage caused by the unauthorized event is secured, so that it is easy to operate, for example, the application of the recovery cost compensation insurance. It should be noted that a random scan does not generate a regular blank time than a periodic scan, so that the possibility of a spoof virus or a so-called Trojan horse entering the blank time is suppressed.

  According to a twenty-fifth aspect of the present invention, in the security program according to the twenty-fourth aspect, the registry information includes items configured in a plurality of layers, and the program causes the computer to execute all or a part of each of the items in the registry information. The contents of the item are copied to a predetermined array variable with a multi-dimensional subscript according to the hierarchy at the time of starting the computer, and during operation, each item is replaced with the subscript corresponding to the branch of the hierarchy to the item. It is characterized in that it is referred to by reading the array variable accompanied by designation.

  The invention according to claim 33 is an invention in which the invention according to claim 25 is viewed from the viewpoint of a method. In the security management method according to claim 32, all or all of the registry information including items configured in a plurality of layers is provided. The contents of a part of each item are copied to a predetermined array variable with a multi-dimensional subscript according to the hierarchy at the time of starting the computer, and each item corresponds to a branch of the hierarchy to the item during operation. The reading is performed by reading the array variable accompanied by the designation of each of the subscripts.

  According to a thirty-eighth aspect of the present invention, in the computer according to the thirty-seventh aspect, the registry information includes items arranged in a plurality of layers, and the detection means Copy the contents of all or part of each item in the registry information into a predetermined array variable with a multi-dimensional subscript according to the hierarchy at the time of starting the computer, and copy each item during operation. It is characterized in that it is configured to refer to by reading the array variable accompanied by designation of each subscript corresponding to the branch of the hierarchy to an item.

  In these embodiments, by copying the contents of the registry into an array variable whose subscript corresponds to the hierarchical branch of the registry, frequent accesses to the registry can be omitted for unauthorized access or virus detection after the computer is started. In addition, the computer is not loaded and can contribute to stable operation.

  According to a twenty-sixth aspect of the present invention, in the security program according to the twenty-fourth or twenty-fifth aspect, the program causes the computer to execute a phenomenon that a predetermined number of processes occur in a predetermined number or more within a predetermined time, a use state of computer resources, The fraudulent event is detected by monitoring at least one of the number.

  According to a thirty-fourth aspect of the present invention, the invention of the twenty-sixth aspect is grasped from the viewpoint of a method. In the security management method according to the thirty-second or thirty-third aspect, a phenomenon that a predetermined number of processes occur in a predetermined number of times or more, The unauthorized event is detected by monitoring at least one of a resource use state and the amount of the network access.

  According to a thirty-ninth aspect of the present invention, the invention of the twenty-sixth and thirty-fourth aspects is grasped from the viewpoint of a device. The fraudulent event is detected by monitoring at least one of a phenomenon that occurs, a use state of computer resources, and the amount of the network access.

  In these embodiments, by determining the event that occurs as a result of the occurrence of a large number of virus-specific processes and pressure on computer resources, even if there is no virus pattern or its update, it is possible to detect unknown viruses that are not included in the pattern. Also, effective detection becomes possible.

  According to a twenty-seventh aspect of the present invention, in the security program according to any one of the twenty-fourth to twenty-sixth aspects, the program causes the computer to try at least one of blocking an unauthorized access detected as an unauthorized event and removing a virus. And, if the attempt fails, the shared resource related to the network access is temporarily disconnected from the network access.

  According to a thirty-fifth aspect of the present invention, the security management method according to any one of the thirty-two to thirty-fourth aspects of the invention is characterized in that the invention of the thirty-seventh aspect is regarded as a method. And removing at least one of the virus removal and temporarily disconnecting the shared resource related to the network access from the network access when the attempt fails.

  The invention according to claim 40 is obtained by capturing the invention according to claim 35 from the viewpoint of an apparatus, wherein in the computer according to any one of claims 37 to 39, an unauthorized access block detected as an unauthorized event, and a virus. And a means for temporarily disconnecting the shared resource related to the network access from the network access when the attempt fails.

  In these embodiments, while attempting to block unauthorized access and remove viruses, if the attempt fails, the target shared resources, such as unauthorized access, are temporarily disconnected from network access, so until waiting for failure recovery or insurance application In addition, valuable shared resources such as files in the shared folder are effectively protected from damages such as leakage, deletion, virus infection, etc., and the effect of reducing the burden on the insurance contractor and maintaining a favorable insurance rate can be obtained.

  A security management method according to claim 28, wherein for a client computer in which the security program according to any one of claims 24 to 27 is installed, a server computer receives at least reception information including the event log; A process of receiving a report of a failure regarding the client computer by a web page including a plurality of check items, detecting a logical inconsistency between the check items, or an actual measurement result transmitted from the security program in relation to the check items. Based on the process of detecting the inconsistency of the failure, the content of the check item, the result of the detection of the inconsistency, and the received information, determine and output the content and the existence or degree of other liability for the declared fault. And processing.

  A server computer according to a twenty-first aspect of the present invention captures the invention of the twenty-eighth aspect from the viewpoint of an apparatus, and identifies a client computer on which the security program according to any one of the twenty-fourth to twenty-fourth aspects is installed as a counterpart. Means for receiving at least the reception information including the event log, means for receiving a report of a failure relating to the client computer by a web page including a plurality of check items, and detection or check of logical inconsistency between the check items Means for detecting inconsistency with an actual measurement result transmitted from the security program in relation to the item, and the failure reported based on the content of the check item, the result of detecting the inconsistency, and the received information. Judge the content and the presence or degree of other liability Characterized by comprising a means for outputting.

  In these modes, a fault report can be easily made by a simple operation of checking the corresponding item on the web page, and the inconsistency can be detected, and the subsequent process can be easily automated by automatically judging the state, cause, and other responsibility. , Work efficiency is effectively improved. In addition, by judging the degree as well as the existence of other responsibilities, it is possible to flexibly operate according to the actual situation, such as partially covering the cost of recovering from a failure with insurance.

  According to a twenty-ninth aspect of the present invention, in the security program according to any one of the twenty-fourth to twenty-fourth aspects, the program is transmitted to the computer when a detection of the unauthorized event or a predetermined connection operation is performed. In addition to the connection, the remote control from the communication destination to the computer is accepted.

  The invention of claim 36 captures the invention of claim 29 from the viewpoint of a method, and in the security management method according to any one of claims 32 to 35, detects the unauthorized event or performs a predetermined connection operation. Is performed, a connection is established to a predetermined communication destination, and a remote operation from the communication destination to the computer is accepted.

  The invention according to claim 42 is an invention in which the invention according to claims 29 and 36 is grasped from the viewpoint of an apparatus, wherein the computer according to any one of claims 37 to 40 detects the unauthorized event or performs a predetermined connection operation. When the communication is performed, a connection is established to a predetermined communication destination, and a means for receiving a remote operation from the communication destination to the computer is provided.

  In these embodiments, since a computer is connected to a recovery support call center or the like and a fault recovery procedure can be performed by remote control, recovery is quicker and recovery costs are saved.

  A security management method according to claim 30 is characterized in that, for a client computer in which the security program according to any one of claims 24 to 27 or 29 is installed, the client computer is configured to execute at least one of predetermined antivirus or firewall programs. On one side, at least one of confirmation of the presence or absence of installation or download sales is executed, and the client computer or the server computer calculates different insurance conditions based on the result of the execution, and the insurance content according to the calculation result is stored on the server. The computer is registered.

  In these aspects, on the client side such as a personal computer, for each predetermined anti-virus and firewall program, the presence or absence of installation is checked and downloaded and sold, based on the results, different insurance conditions are calculated and registered on the server side. I do. As a result, insurance conditions according to the degree of protection against viruses and unauthorized access are applied, and fairness among insurance subscribers is realized.

  The security management method according to the thirty-first aspect captures the invention according to the thirty-third aspect from the viewpoint of a method, and relates to a client computer in which the security program according to any one of the twenty-fourth to twenty-ninth aspects is installed. The client computer aggregates information on at least one of what programs are installed on the client computer and what access destinations are accessed via the communication network, and based on the result of the aggregation. The client computer or a predetermined server computer calculates the risk amount and the insurance conditions according to the risk amount, and the server computer registers the insurance content according to the calculation result.

  In these embodiments, a client such as a personal computer collects information on the contents of the installed program and access destinations such as a viewing URL for the client computer by using a program such as an installation guide (wizard), and executes the risk management. The insurance conditions according to the amount are calculated and registered on the server side. As a result, insurance conditions according to the amount of risk of causing virus or unauthorized access are applied, and fairness among insurance subscribers is realized.

  As described above, according to the present invention, a system management device, a method, a program, a management server system, and a system that facilitate security improvement and damage verification by recording a history of damage when using the Internet and automatically transmitting the damage to a server are provided. The control method, the insurance method, the security program, the security management method, the computer, and the server computer can be provided.

  Next, the best mode for carrying out the present invention (hereinafter, referred to as “embodiment”) will be specifically described with reference to the drawings. Note that the embodiment can be realized by controlling a computer such as a personal computer and a server with a program, and can be grasped in any category of the device, the method, and the program, and the mode of hardware and software in the realization can be variously changed. . Therefore, in the following description, virtual circuit blocks that realize the functions of the present invention and the present embodiment are used.

[1. Configuration, operation, and effect of first embodiment]
First, the configuration of the present embodiment is shown in the functional block diagram of FIG. That is, the personal computer P in the present embodiment is an electronic information processing system provided with a connection device (for example, a network card based on Ethernet (registered trademark)) to a communication network, such as an in-house LAN or the Internet N. The function also serves as a system management device that manages the personal computer P as a management target, but the system management device may be provided separately from the management target.

  Further, a management server system 10 for recording a history (log) of access and the like transmitted from the personal computer P via the Internet N is separately provided, and this management server system 10 cooperates with telephone answering equipment for user support and the like. It will be called a call center because it is operated.

  How to use the personal computer P to be managed is not questionable, such as configuring a stand-alone or small-scale LAN. For example, in order to receive the service according to the present embodiment from a service provider as a managed object for a certain personal computer, Install the dedicated program on the personal computer P and apply for the service.

  These use, for example, via an ISP (Internet Service Provider), over-the-counter sales of CD-ROM kits with services, online downloads and procedures via the Internet, etc., and simultaneous purchase applications with a personal computer. In addition, in addition to these, an identification ID is assigned to each personal computer, and registered with the server as information to be managed together with information such as system specifications. In the personal computer P, the functions of the following parts shown in FIG. 1 are realized by the dedicated program.

[1-1. Unauthorized access measures)
The unauthorized access countermeasure function unit 1 detects an unauthorized access from the outside to the management target based on a predetermined pattern, records the access history, and records the access history to the management server system 10 via the Internet N. The transmitting means is realized by control processing of a computer.

  That is, while detecting unauthorized access and recording the history, the history is automatically transmitted to the management server system 10 and recorded in a database or the like at a predetermined time interval if the connection is always on, or at the time of the Internet connection if the connection is dial-up or the like. Therefore, in the event of damage due to unauthorized access, by using the record as evidence data for damage recognition and damage report confirmation, it is easy to approve whether or not the item is covered by insurance.

  As a specific example, external access that is not requested by the user, particularly, intrusion directed to a personal computer from an arbitrary port of a line connection device such as a router, a terminal adapter (TA), or a DSU not specified by the user in advance. The access history including the access such as the access and the authentication pass enables the identification and countermeasure of the intrusion route and the breakthrough.

  Also, when monitoring whether or not a connection request from a PC other than the permitted PC has been issued for each personal computer port in IP (Internet Protocol), the port is monitored one by one, and the other ports are kept closed. It is desirable to do. As a result, it is possible to increase the resistance to attacks such as port scans, and to suppress the consumption of memory and resources as compared with the batch monitoring of many standby ports.

[1-2. Other aspects of unauthorized access countermeasures]
As another mode of using the function of the unauthorized access countermeasure unit 1 (detection means) as described above, for example, the connection device may connect a LAN-side connection port and a WAN-side connection port like an ADSL modem with a router function. If provided, the detection means may be provided integrally within the modem to provide a system management device, or the system management device including such detection means may be located closer to the WAN than the modem's WAN connection port (ie, to the central office). May be provided as a separate device from the modem. In this case, the detecting means may be provided integrally with or near the collective modem at the central office, for example.

  As described above, if the system management device for detecting unauthorized access is provided integrally with a connection device such as a router or a broadband modem with a router function or on the upstream side thereof, the efficiency of the entire LAN including a plurality of personal computers can be improved. Application is possible.

[1-3. Antivirus〕
The anti-virus function unit 3 updates the virus definition pattern data prepared in advance by accessing a predetermined provider server, and detects at least virus by using the virus definition pattern data for the management target. Means for recording an operation history of the anti-virus program for performing the above and transmitting the history to a predetermined management server system 10 via the Internet N by computer control processing. The provider server may be shared by the management server system 10 or may be provided separately.

  In other words, the history of the activation of the antivirus program (anti-virus software) and the detection of the virus are recorded and automatically transmitted to the management server system 10 to be recorded in a database or the like. When the damage occurs due to the computer virus, the record is recognized and the damage report is confirmed. For example, it becomes easy to approve whether or not it is covered by insurance. Also, it may be possible to prevent a virus from automatically transmitting an infected file.

[1-4. Tampering measures)
Further, the falsification countermeasure function unit 4 controls the computer to detect a falsification of the system data including a predetermined type of file in the management target, record the history thereof, and transmit the history to the predetermined management server system 10 via the Internet N. This is realized by processing.

  That is, with respect to system data such as a predetermined type of system file having a predetermined extension or a registry, tampering such as addition, change, or deletion is detected, a history is recorded, and the history is automatically transmitted to the management server system 10 and recorded in a database or the like. .

  The target can be set freely. For example, depending on the type of the OS (operating system), the user may set the program / file extension to exe, com, scr, reg, shs, pif, bat, vbs, etc. This is when a failure occurs due to a change, deletion, or copying of a file that is normally required for starting and using a personal computer and that should rarely change.

  According to the falsification countermeasure function unit 4, in addition to countermeasures against unauthorized access and computer viruses, even in the case of fraud by an insider, when the damage occurs, the record is used as evidence material for damage recognition and damage report confirmation, It becomes easy to approve whether the product is covered by insurance.

[1-5. Data leak countermeasures)
The leak prevention function unit 5 detects addition, change, or deletion of a file or a copy of the file in a predetermined range of the management target, transmission to the outside of the system or copy to a removable drive, and records the history. In addition, means for transmitting to the predetermined management server system 10 via the Internet N is realized by control processing of a computer.

  As described above, in the present embodiment, addition, modification, and deletion of files in a predetermined range corresponding to a predetermined server, extension, directory, and the like, transmission via the Internet N, copying to a removable drive are detected, and the history is detected. Since it is recorded and automatically transmitted to the management server system 10 to be recorded in a database, etc., for a wide range of damages such as unauthorized access, computer virus, data leakage, falsification and destruction due to internal crimes, the record is recorded at the time of occurrence, and damage recognition and damage report confirmation For example, it becomes easy to approve whether or not it is covered by insurance.

[1-6. Notification section)
Further, the notification unit 6 controls the computer to execute means for notifying a predetermined user such as a system administrator of the detection by the unauthorized access countermeasure function unit 1, the virus countermeasure function unit 3, the falsification countermeasure function unit 4, and the leak countermeasure function unit 5 by the computer. This is realized by:

  That is, a predetermined user such as a system administrator is notified of the detection of a problem event such as an unauthorized access or a virus by displaying a dialog box or the like, so that it is possible to quickly and easily deal with a backup copy or a recovery request, thereby improving security.

[1-7. About management server system]
On the other hand, the management server system 10 identifies an unauthorized access countermeasure function unit 1, a virus countermeasure function unit 3, and a falsification countermeasure function unit 4 with a system management device relating to each management target registered in advance, after identifying each. The means for accepting and recording the transmission of each history by the leakage countermeasure function unit 5 is realized by a control process of a computer.

  In other words, by transmitting the history regarding the threat such as unauthorized access to the management server system 10 that is different from the information processing system that is the management target, and recording the history, the management system can delete the history file due to the threat. Even if damage such as a hard disk format occurs, the progress can be easily confirmed and proved.

  In the management server system 10, the following elements shown in FIG. 1 are realized by the control processing of the computer. Among them, the reception unit 11 performs a CTI (Computer Telephony Integration) system or a website This is a means for receiving at least one of a damage report and a restoration request by a (support site). The history recording unit 12 is a unit that records the history transmitted from the management target. In addition, the history output unit 13 is a unit that outputs the received contents and all or a part of the history recorded for the management target.

  As described above, in the present embodiment, the history of the corresponding management target is output together with the contents of the damage report and the restoration request received on the CTI system and the website, so that the response such as restoration support and the insurance claim procedure can be smoothly and promptly performed. You can proceed.

  Of course, the damage report and the restoration request may be received by other means such as a call center other than the CTI system and the support site. In any case, we will provide user support such as recovery, give the user various specialized instructions, provide virus removal tools, system recovery tools, etc. by FD, remote control by RAS, local business trip, pickup, parts By providing such services, support for system and data recovery services is provided, and any damages, including costs, will be borne by insurance if an insurance claim is granted.

[1-8. Example of processing procedure)
Here, as an example, an example of a processing procedure regarding unauthorized access is shown in the flowchart of FIG. That is, in this procedure, when the unauthorized access countermeasure function unit 1 detects an access to the personal computer P from inside or outside the LAN in the monitoring state (step 01), it determines whether or not the access source has been permitted (step 02). Access from internal PCs (PCs inside the LAN) and authorized external PCs (PCs outside the LAN) is approved as authorized access (step 03), but other access from unauthorized external PCs is unauthorized access. (Step 04).

  Then, an unauthorized access history (log) is recorded (step 05), and the notification unit 6 displays an information dialog of unauthorized access detection, and confirms with the user whether or not to transmit to the call center with an option of YES / NO (step 05). Step 06). If transmission is not selected (step 07), the state returns to, for example, the menu or the monitoring state (steps 08 and 09). If transmission is selected (step 07), an unauthorized access log is sent to the call center, that is, the management server system 10. Transmit (step 10).

  In this case, the management server system 10, that is, the call center, records the history, which is the received data, in a database or the like (step 11), and uses it for investigation / tracking and other materials, and returns to the menu or monitoring state on the personal computer P (step 12).

[2. Other embodiments]
The present invention is not limited to the above embodiment, but includes other embodiments as exemplified below. For example, the following embodiment can be considered in combination with the above embodiment or alone. That is, in a system management device that remotely manages an electronic information processing system having a connection device to the Internet N via the Internet N as a management target, authenticates access to the management target from the outside and exchanges authentication with the management target. The means for relaying as a proxy server and recording the authentication and access history may be realized by control processing of a computer.

  In other words, by performing the authentication of the management target on behalf of the proxy server having the ASP (Application Service Provider) function, the security can be improved and the damage can be easily verified.

  Further, such a system management device may include means for transmitting the access history to a predetermined management server system via the Internet N. By transmitting and recording the history of authentication and access to another management server system, the history is protected even if the authenticated proxy server itself is cracked (intruded).

  Further, an insurance method combining any one of the above-described system management methods or the control method of any one of the management server systems, and insurance for damage caused by an unauthorized event in a managed system connected to the Internet N. In this way, it is possible to improve the security and facilitate the proof of damage by recording the history of damage when using the Internet and automatically transmitting it to the server, thereby making it appropriate for insurance to compensate for damage such as recovery costs. And effective utilization becomes possible.

[3. Second Embodiment]
Next, the present invention will be rearranged, and specific supplements will be described as a second embodiment. Of course, the second embodiment can be implemented in combination with each of the components described above, whereby the respective synergistic effects can be obtained. Note that components that are basically the same as those in the first embodiment are denoted by common reference numerals, and description thereof is omitted.
[3-1. Constitution〕
The second embodiment relates to a client server system in which a personal computer on which the security program of the present invention is installed is a client computer C and is combined with a server computer S of a damage recovery call center, as shown in the functional block diagram of FIG. Such a program, the security management method, and the client computer C and the server computer S can be grasped independently.

  In the client computer C in the second embodiment, the following components shown in FIG. 3 are realized by the security program, and each component is configured as a unit that operates as follows.

  First, in the client computer C, a predetermined memory and a hard disk drive are operated by the operating system (for example, Windows (registered trademark) series manufactured by Microsoft (registered trademark)) to register the registry information 20 indicating the operation setting of the computer and the registry information 20. The installation information 25 about installation and uninstallation of the program in the computer is recorded. Further, the client computer C and the server computer S are provided with hardware such as an IEEE802.3 compliant LAN card and a modem board, a TCP / IP program, and the like as a network access function.

  By controlling such a client computer C, the security program prevents at least one of unauthorized access such as hacking and cracking or a virus (for example, a worm, a macro virus, a Trojan horse, of any type or name). This is a security program that manages illegal events, including:

  In such a security program, it is possible to accept settings of a firewall function such as whether to permit or deny access from a user or an external access, and settings of other functions on a setting screen as illustrated in FIG. desirable.

[3-2. Basic action)
Then, in the client computer C, the unauthorized event detection unit 30 realized by the above-described security program (FIG. 3) performs all or some of the items (for example, predetermined caution items) in the registry information 20. By scanning periodically or randomly, the fraudulent event is detected when the item or the relationship between the item and the installation information 25 satisfies or does not satisfy a predetermined condition.

  For example, unauthorized access or tampering with viruses is possible if the settings that many viruses habitually change are not legitimate, or the registry items corresponding to the absence of the program installation history are changed. High.

  In addition, for example, by a user operation on the registry monitoring screen illustrated in FIG. 5, it is possible to perform a scan instruction, display details and details of the detected change, and transmit information to the server computer S of the failure recovery call center. It is desirable.

  Further, the history processing unit 35 records an event log including information on an operating system, an application program, a process, an unauthorized event, and / or an event relating to at least one of predetermined security-related matters in the client computer C. In addition to storing the event log for a predetermined period of time, when the illegal event is detected, all or a part of the stored event log is transmitted to a predetermined destination such as the server computer S of the damage recovery call center. Here, the contents of the event log are illustrated in FIG.

  In the above-described second embodiment (FIG. 3), an unauthorized access and a virus are detected by the unauthorized event detection unit 30 based on the registry information 20 and the installation information 25, so that there is no so-called virus pattern or update thereof. It also makes it easier to identify defenses and other damages, and is effective against new types of viruses. In addition, by recording the event log and transmitting the event log in a predetermined manner, evidence for confirming the extent and liability of the damage caused by the unauthorized event is secured, so that it is easy to operate, for example, the application of the recovery cost compensation insurance. It should be noted that a random scan does not generate a regular blank time than a periodic scan, so that the possibility of a spoof virus or a so-called Trojan horse entering the blank time is suppressed.

[3-3. Registry information processing)
The registry information 20 in the client computer C includes items configured in a plurality of layers. In response to this, the unauthorized event detection unit 30 realized by the security program in the second embodiment changes the contents of all or some of the items in the registry information 20 according to the hierarchy. When the computer or the program is started, the program is copied to a predetermined array variable having a multi-dimensional subscript, and during operation, each item is read out with the designation of the subscript corresponding to the branch of the hierarchy to the item. Done by

  For example, as a simple example, when the registry information has a tree structure having 64 items specified by tracing four branches from 0 to 3 in three layers, an array variable A (0, 0, If the value of each item is copied from 0) to A (3,3,3), the value of the registry specified by tracing the branch options, for example, 0 → 2 → 1, is a variable A (0,2,2). Obtained from 1).

  In this way, by copying the contents of the registry to an array variable whose subscript corresponds to the hierarchical branch of the registry, frequent accesses to the registry are omitted to detect unauthorized access and viruses after the client computer C is started. This can contribute to stable operation without imposing a load on the client computer C.

[3-4. Example of unauthorized event detection)
The fraudulent event detection unit 30 of the client computer C can also detect the fraudulent event by the following method. That is, for example, a phenomenon of a large number of processes specific to a virus, such as a case where a predetermined process occurs in a predetermined number or more within a predetermined time, is monitored. The monitoring is performed by a program, a benchmark test, or the like, and furthermore, the amount of the network access is monitored, and an unauthorized event is detected based on the occurrence or fluctuation.

  As a more specific example, for example, when the TCP / IP link suddenly increases or decreases in an idling state in which the user does not perform an operation such as browsing the web using a browser, an unauthorized event such as an unauthorized access or a virus activity exists. Probability is high.

  In the second embodiment, the event that occurs as a result of the occurrence of a large number of virus-specific processes and the compression of computer resources is set as a judgment target. Effective detection is possible even for unknown viruses.

  Note that, for example, FIG. 7 illustrates a list screen of all processes in progress on the client computer C. However, any information referred to in the first and second embodiments can be freely called by the user on the screen. It is desirable to be able to confirm the contents.

[3-5. Unauthorized event response processing)
The following response processing is performed for the above-described fraudulent event. That is, (FIG. 3), the defense processing unit 45 attempts to block unauthorized access detected as an unauthorized event by a firewall function such as packet filtering, port closing, and network access closing, or attempts to remove a virus, The contents, results, and the like are recorded in a log, and when the attempt fails, shared resources such as a shared folder and a shared file related to the network access are temporarily disconnected from the network access.

  As described above, in the second embodiment, an attempt is made to block unauthorized access and remove viruses, and if the attempt fails, the target shared resource such as unauthorized access is temporarily disconnected from the network access. Without waiting for insurance coverage, valuable shared resources, such as files in shared folders, are effectively protected from damage such as leakage, deletion, virus infection, etc., reducing the burden on insurance contractors and maintaining good insurance rates Is also obtained.

[3-6. Acceptance of damage report)
For the client computer C in which the above-described security program is installed, the history recording unit 12 of the server computer S receives at least the reception information including the event log. Further, the receiving unit 11 receives a report of a failure, that is, a damage related to the client computer C, by a web page illustrated in FIG. 8 including a plurality of check items. Further, the other responsibility determining unit 70 detects a logical inconsistency between the check items, or detects an inconsistency with an actual measurement result transmitted from the security program in relation to the check items, and Based on the content, the result of the detection of the contradiction, and the received information, the content and the existence or degree of other liability of the declared fault are determined and output.

  In the second embodiment, a failure report can be easily made by a simple operation of checking a corresponding item on a web page, and the inconsistency can be detected, and the subsequent processing can be automated by automatically judging the state, cause, and liability. And the work efficiency is effectively improved. In addition, by judging the degree as well as the existence of other responsibilities, it is possible to flexibly operate according to the actual situation, such as partially covering the cost of recovering from a failure with insurance.

[3-7. Recovery support)
Based on the damage report as described above, regarding damage such as system failure due to an unauthorized event, in addition to telephone advice and dispatch of specialists by a call center, recovery by remote control (remote operation) depending on the situation is also conceivable. That is, (FIG. 3), when the unauthorized event is detected in the client computer C or a predetermined connection operation is performed by the user, the recovery support unit 50 of the client computer C performs a predetermined operation such as the server computer S of the recovery support call center. RAS, dial-up, or the like, and accepts a remote operation from the communication destination to the client computer C.

  By doing so, a fault recovery procedure can be performed by remote control from a recovery support call center or the like, so that recovery is quicker and recovery costs are saved.

[3-8. Precautionary measures and corresponding insurance conditions)
In addition to the above fraud detection and countermeasures, when introducing a security program, for example, when making an insurance contract by online procedures, etc., the client computer C checks and introduces fraudulent event preventive measures using the program. Different insurance conditions can be registered in the server computer S in accordance with them.

  In other words, the environment detection processing unit 55 of the client computer C confirms the presence / absence of installation and executes download sales for at least one of the predetermined anti-virus or firewall programs at the time of introduction of the security program or at an appropriate timing thereafter. . In the download sales, for example, a predetermined sales site is accessed, and the user inputs necessary information items such as credit card information with the client computer C, transmits the information to the sales site, downloads and starts the installation file.

  Then, the insurance condition processing unit 75 of the server computer S calculates different insurance conditions based on the result of the execution received from the client computer C, and the server computer registers the insurance content according to the calculation result. The calculation of the insurance condition may be performed on the client side.

  As described above, in the second embodiment, on the client side such as a personal computer, for each of the predetermined anti-virus and firewall programs, the presence / absence of the installation is checked and the download is sold, and different insurance conditions are calculated based on the results. And register it on the server side. As a result, insurance conditions according to the degree of protection against viruses and unauthorized access are applied, and fairness among insurance subscribers is realized.

[3-9. Insurance conditions according to usage)
Furthermore, in the second embodiment, different insurance conditions can be applied depending on how the client computer C is used. For example, the environment detection processing unit 55 of the client computer C compiles information on at least one of what program is installed on the client computer and what access destination is accessed via the communication network. . Then, the environment detection processing unit 55 based on the security program on the client computer C calculates the risk amount based on the result of the aggregation and the insurance condition corresponding to the risk amount, or the insurance condition processing unit 75 of the predetermined server computer S In addition to the calculation, the insurance content corresponding to the calculation result is registered in the server computer S.

  Some of these processes may be performed on the client computer C by a program that operates when the security program is introduced, such as an installation guide (wizard).

  As described above, in the second embodiment, the client side such as a personal computer collects information on the access destination such as the content of the installed program and the browsing URL for the client computer C, and obtains the insurance condition according to the risk amount. Is calculated and registered on the server side. As a result, insurance conditions according to the amount of risk of causing virus or unauthorized access are applied, and fairness among insurance subscribers is realized.

FIG. 2 is a functional block diagram showing the configuration of the first embodiment of the present invention. 5 is a flowchart illustrating an example of a processing procedure according to the first embodiment of the present invention. FIG. 6 is a functional block diagram showing a configuration of a second embodiment of the present invention. FIG. 10 is a diagram illustrating a setting screen according to the second embodiment of the present invention. FIG. 9 is a diagram illustrating a registry monitoring screen according to the second embodiment of the present invention. FIG. 14 is a diagram illustrating a display example of an event log according to the second embodiment of the present invention. FIG. 10 is a diagram illustrating a display example of a process according to the second embodiment of the present invention. The figure which illustrates the failure report screen in 2nd Embodiment of this invention.

Explanation of reference numerals

DESCRIPTION OF SYMBOLS 1 ... Unauthorized access countermeasure function part 3 ... Antivirus function part 4 ... Tampering countermeasure function part 5 ... Leakage countermeasure function part 6 ... Notification part 10 ... Management server system 11 ... Reception part 12 ... History recording part 13 ... History output part S ... Server computer C ... Client computer N ... Internet 20 ... Registry information 25 ... Install information 30 ... Illegal event detection unit 35 ... History processing unit 40 ... History 45 ... Defense processing unit 50 ... Recovery support unit 55 ... Environment detection processing unit 70 ... Other Responsibility judgment part 75… Insurance condition processing part

Claims (42)

In a system management device that manages an electronic information processing system including a connection device to a communication network as a management target,
Detecting means for detecting unauthorized access to the management target from outside based on a predetermined pattern set in advance, recording the access history, and transmitting the history to a predetermined management server system via a communication network; A system management device realized by control processing. The connection device includes at least a WAN connection port,
The system management according to claim 1, wherein the detection unit is provided integrally with the connection device, or provided as a device separate from the connection device on the WAN side with respect to the WAN connection port. apparatus. In a system management apparatus that manages an electronic information processing system having means for connecting to a communication network as a management target,
Means for updating virus definition pattern data prepared in advance by accessing a predetermined provider server;
Means for recording an operation history of an antivirus program that performs at least virus detection using the virus definition pattern data for the management target, and transmitting the history to a predetermined management server system via a communication network;
A system management device characterized by realizing the above by computer control processing. In a system management apparatus that manages an electronic information processing system having means for connecting to a communication network as a management target,
A means for detecting falsification of system data including a predetermined type of file in the management target, recording the history thereof, and transmitting the history to a predetermined management server system via a communication network is realized by a control process of a computer. System management device. In a system management apparatus that manages an electronic information processing system having means for connecting to a communication network as a management target,
Detects addition / change / deletion, transmission to the outside of the system or copying to a removable drive for a file or a copy of the file within a preset range, records the history, and records the history to a predetermined management server system via a communication network. A system management apparatus wherein transmission means is realized by control processing of a computer.   6. The system management apparatus according to claim 1, wherein means for notifying a predetermined user of any of the detections is realized by a control process of a computer.   A means for receiving and recording at least one of the histories with respect to the system management device according to any one of claims 1 to 6 after identifying each of the histories, by computer control processing. The management server system characterized by the above. Means for receiving at least one of a damage report and a restoration request by a CTI (Computer Telephony Integration) system or a website for the management target;
Means for recording a history transmitted from the management target,
Means for outputting all or a part of the history recorded for the management target, together with the received content,
8. The management server system according to claim 7, wherein the control is realized by a control process of a computer. In a system management device that remotely manages an electronic information processing system having a connection device to a communication network via a communication network with an electronic information processing system as a management target,
Authentication is performed for access to the management target from outside and relaying is performed as a proxy server with the management target, and means for recording the authentication and access history is realized by control processing of a computer. System management device to do.   10. The system management apparatus according to claim 9, further comprising means for transmitting the access history to a predetermined management server system via a communication network. In a system management method for managing an electronic information processing system including a connection device to a communication network as a management target,
The computer detects the unauthorized access to the management target from the outside based on a predetermined pattern set in advance, records the access history, and transmits the history to a predetermined management server system via a communication network. A system management method characterized by performing. In a system management method for managing an electronic information processing system having means for connecting to a communication network as a management target,
A process of updating virus definition pattern data prepared in advance by accessing a predetermined provider server;
A process of recording an operation history of an antivirus program that performs at least virus detection using the virus definition pattern data for the management target, and transmitting the history to a predetermined management server system via a communication network;
A computer-implemented system management method. In a system management method for managing an electronic information processing system having means for connecting to a communication network as a management target,
A system management method, wherein a computer performs processing of detecting tampering of system data including a predetermined type of file in the management target, recording a history of the tampering, and transmitting the history to a predetermined management server system via a communication network. In a system management method for managing an electronic information processing system having means for connecting to a communication network as a management target,
Detects addition / change / deletion, transmission to the outside of the system or copying to a removable drive for a file or a copy of the file within a preset range, records the history, and records the history to a predetermined management server system via a communication network. A system management method, wherein a computer performs transmission processing.   15. The system management method according to claim 11, wherein a computer performs a process of notifying a predetermined user of any of the detections.   A computer performs a process of receiving and recording at least one of the histories after identifying each of the histories corresponding to a management target on which the system management method according to any one of claims 11 to 15 is executed. A method for controlling a management server system, characterized by performing the following. Processing for receiving at least one of a damage report and a restoration request by a CTI (Computer Telephony Integration) system or a website for the management target;
A process of recording a history transmitted from the management target,
A process of outputting all or a part of the history recorded for the management target together with the received content,
17. The method according to claim 16, wherein the control is performed by a computer. In a system management method for remotely managing an electronic information processing system having a connection device to a communication network as a management target via a communication network,
A system management method, comprising: performing a process of relaying access to the management target from outside to the management target as a proxy server after authentication, and recording a history of the authentication and access by a computer. .   19. The system management method according to claim 18, further comprising transmitting the access history to a predetermined management server system via a communication network.   A system management method according to any one of claims 11 to 15, 18 or 19, or a control method of a management server system according to claim 16 or 17, and damage caused by an unauthorized event in a management target system connected to a communication network. An insurance method characterized by a combination of the above insurance. In a system management program for managing an electronic information processing system having a connection device to a communication network by controlling a computer,
The program is stored on the computer
An unauthorized access to the management target from the outside is detected based on a predetermined pattern set in advance, the access history is recorded, and the history is transmitted to a predetermined management server system via a communication network. System management program. In a system management program for managing an electronic information processing system having means for connecting to a communication network by controlling a computer,
The program is stored on the computer
Update the virus definition pattern data prepared in advance by accessing a predetermined provider server,
An operation history of an anti-virus program that performs at least virus detection using the virus definition pattern data for the management target is recorded, and the history is transmitted to a predetermined management server system via a communication network. System management program. In a system management program for managing an electronic information processing system having means for connecting to a communication network by controlling a computer,
A computer-readable storage medium storing a system management program, wherein a computer performs a process of detecting falsification of system data including a predetermined type of file in the management target, recording a history thereof, and transmitting the history to a predetermined management server system via a communication network. By controlling a computer having a means for recording registry information representing settings on the operation of the computer, a means for recording installation information relating to installation and uninstallation of a program in the computer, and a network access function, In a security program that manages unauthorized events including at least one of unauthorized access and virus,
The program is stored on the computer
By scanning all or some of the items in the registry information periodically or randomly, the item or the relationship between the item and the installation information is determined to meet or not satisfy a predetermined condition. Detect fraudulent events,
An event log including information on an operating system, an application program, a process, the unauthorized event and / or an event relating to at least one of predetermined security-related matters in the computer is recorded and stored for a predetermined period, and is stored when the unauthorized event is detected. A security program for transmitting all or a part of said event log to a predetermined destination. The registry information includes each item configured in a plurality of layers,
The program is stored in the computer,
The contents of all or part of each item in the registry information are copied to a predetermined array variable with a multi-dimensional subscript according to the hierarchy at the time of starting the computer, and each item is copied to the item during operation. 25. The security program according to claim 24, wherein the reference is made by reading the array variable accompanied by the designation of each of the subscripts corresponding to the branch of the hierarchy. The program is stored in the computer,
25. The fraudulent event is detected by monitoring at least one of a phenomenon in which a predetermined process occurs in a predetermined number or more within a predetermined time, a use state of computer resources, and a level of the network access. 25. The security program according to item 25. The program is stored in the computer,
At least one of blocking an unauthorized access detected as an unauthorized event and removing a virus is attempted, and if the attempt fails, the shared resource related to the network access is temporarily disconnected from the network access. The security program according to any one of items 24 to 26. Regarding a client computer in which the security program according to any one of claims 24 to 27 is installed, a server computer comprises:
A process of receiving reception information including at least the event log;
A process of receiving a report of a failure regarding the client computer by a web page including a plurality of check items;
A process of detecting logical inconsistency between the check items, or detecting inconsistencies with actual measurement results transmitted from the security program in relation to the check items;
Based on the content of the check items and the result of the detection of the contradiction and the received information, a process of determining and outputting the content and the existence or degree of other liability for the declared failure, and
A security management method. The program is stored in the computer,
28. The method according to claim 24, wherein when the illegal event is detected or a predetermined connection operation is performed, a connection to a predetermined communication destination is made, and a remote operation from the communication destination to the computer is received. Security program described in section. A client computer in which the security program according to any one of claims 24 to 27 or 29 is installed,
For the client computer, at least one of the predetermined anti-virus or firewall programs, at least one of confirming the presence or absence of installation or performing download sales,
A security management method, wherein a client computer or a server computer calculates different insurance conditions based on a result of the execution, and the server computer registers insurance contents according to the calculation result. A client computer in which the security program according to any one of claims 24 to 27 or 29 is installed,
The client computer compiles information on at least one of what programs are installed on the client computer and what access destinations are accessed via the communication network,
The client computer or a predetermined server computer calculates the risk amount based on the result of the aggregation and the insurance condition corresponding to the risk amount, and the server computer registers the insurance content according to the calculation result. Security management method. A computer with network access capabilities
In a security management method for recording registry information indicating settings on the operation of the computer, recording installation information on installation and uninstallation of a program in the computer, and managing unauthorized events including at least one of unauthorized access and virus,
By periodically or randomly scanning all or a part of each item in the registry information, the item or the relationship between the item and the installation information is determined to meet or not satisfy a predetermined condition. Detect fraudulent events,
An event log including information on an operating system, an application program, a process, the unauthorized event, and / or an event relating to a predetermined security-related matter in the computer is recorded and stored for a predetermined period, and is stored when the unauthorized event is detected. Transmitting all or part of the event log to a predetermined destination. Regarding the registry information including each item configured in a plurality of layers,
The contents of all or a part of each item are copied to a predetermined array variable with a multi-dimensional subscript according to the hierarchy at the time of starting the computer, and during operation, each item is copied to the item with the hierarchy. 33. The security management method according to claim 32, wherein the reference is made by reading the array variable accompanied by designation of each of the subscripts corresponding to the branch.   33. The fraudulent event is detected by monitoring at least one of a phenomenon in which a predetermined process occurs in a predetermined number or more within a predetermined time, a use state of computer resources, and a level of the network access. 33. The security management method according to claim 33.   At least one of an unauthorized access block detected as an unauthorized event and a virus removal is attempted, and when the attempt fails, the shared resource related to the network access is temporarily disconnected from the network access. 35. The security management method according to any one of 32 to 34.   36. The method according to claim 32, wherein when the illegal event is detected or a predetermined connection operation is performed, a connection to a predetermined communication destination is made, and a remote operation from the communication destination to the computer is received. Security management method described in. A means for recording registry information indicating settings on the operation of the computer, a means for recording installation information relating to installation and uninstallation of a program in the computer, and a network access function, and at least one of unauthorized access and virus In computers that manage fraudulent events including
By scanning all or some of the items in the registry information periodically or randomly, the item or the relationship between the item and the installation information is determined to meet or not satisfy a predetermined condition. Detecting means for detecting an unauthorized event;
An event log including information on an operating system, an application program, a process, the unauthorized event, and / or an event relating to a predetermined security-related matter in the computer is recorded and stored for a predetermined period, and is stored when the unauthorized event is detected. Means for transmitting all or a part of the event log to a predetermined destination,
A computer comprising: The registry information includes each item configured in a plurality of layers,
The detecting means,
Copy the contents of all or part of each item in the registry information into a predetermined array variable with a multi-dimensional subscript according to the hierarchy at the time of starting the computer, and copy each item to that item during operation 38. The computer according to claim 37, wherein the computer is configured to refer to the array variable by reading the array variable accompanied by designation of each of the subscripts corresponding to the branch of the hierarchy. The detecting means,
It is characterized in that the unauthorized event is detected by monitoring at least one of a phenomenon in which a predetermined process occurs in a predetermined number or more within a predetermined time, a use state of computer resources, and a level of the network access. 39. The computer of claim 37 or claim 38.   Means for attempting at least one of blocking an unauthorized access detected as an unauthorized event and removing a virus, and temporarily disconnecting the shared resource related to the network access from the network access when the attempt fails. A computer according to any one of claims 37 to 39. A client computer on which the security program according to any one of claims 24 to 27 is installed is identified as a partner, and
Means for receiving reception information including at least the event log;
Means for receiving a report of a failure relating to the client computer by a web page including a plurality of check items;
Means for detecting a logical inconsistency between the check items, or detecting inconsistencies with an actual measurement result transmitted from the security program in relation to the check items,
Based on the content of the check items and the result of the detection of the contradiction and the received information, means for determining and outputting the content and the existence or degree of other liability for the declared failure,
A server computer comprising:   41. The system according to claim 37, further comprising means for connecting to a predetermined communication destination when the detection of the unauthorized event or a predetermined connection operation is performed, and for receiving a remote operation from the communication destination to the computer. A computer according to any one of the preceding claims.

Images