1226984 A7 B7
V. Description of the Invention

[Background of the Invention]

The present invention relates to a communication log processing method and system for analysing the communication logs recorded by a communication server, and in particular to a method that can analyse, in a unified way, the communication logs output by application programs that output a plurality of logs.

In recent years there have been frequent incidents in which crackers attack the networks and servers of enterprises and government offices. Because of such incidents, network security has attracted attention. As a first step toward network security, and for the purpose of security monitoring, it is best to record the communication logs of the servers and other devices that make up the network.

A communication log records the communication history of a server or similar device. By analysing this history, every event that has occurred on the server can be detected. For example, improper access can be detected from the fact that an unnatural access to the server was made from outside. Countermeasures taken on the basis of such detection therefore strengthen the security of the network.

[Summary of the Invention]

However, the logs output by a communication server are recorded in different formats depending on the computer's OS and the application programs in use, so they come in many forms. Moreover, their volume is so large that their contents cannot be checked, or the time needed to check them cannot be secured, and the network is operated with this system-management problem unresolved. This is a general problem faced today.

Furthermore, an attacker who attacks a network sometimes alters or deletes these logs in order to erase the traces of his own entry into the network; in that case such unauthorized access is extremely hard to discover.

The present invention was made in view of these circumstances, and its object is to provide a log processing method and system by which unauthorized access and the like can be discovered without demanding a high level of security-management knowledge and experience.

To solve the above problem, a communication log processing method is provided, characterised in that it comprises:
(a) a conversion step, in which each analysis-target log file output by an application program capable of recording a plurality of communication logs is converted, where necessary, into a given format;
(b) a merging step, in which the plurality of analysis-target logs converted into the given format are merged; and
(c) a judging step, in which the merged logs are analysed to judge whether unauthorized access has occurred.

With this configuration the formats of the plurality of log files are unified by a method prescribed for each log file and the files are merged, whereby unauthorized access that cannot be judged from a single log file can be detected.

Here, in a first embodiment of the invention, the plurality of analysis-target log files are preferably logs of the same system. In this case the method preferably further comprises (d) a step, performed before step (a) or step (b), of judging the consistency among the plurality of analysis-target logs and outputting the result of that judgement.

With this configuration, when the logs of the same system (including a mirror server) are read as a plurality of log files and taken as the target, merging them makes it possible to judge that an event on the system involves unauthorized access. In addition, by judging the consistency among the plurality of files, it can be judged that some of the files have been tampered with.
Further, in another embodiment of the invention, step (a) comprises a conversion sub-step in which the analysis-target log file is converted into the given format by means of a conversion procedure prepared in advance for each known application program. The method preferably also comprises an update step in which the conversion procedure prepared in advance for each application program is updated at a given timing.

With this configuration, log analysis can be carried out efficiently by using a conversion procedure for each analysis-target log file, and updating the conversion procedure as appropriate raises the precision of the log analysis.

In a further embodiment there is additionally (e) a classification step, performed before step (b), of classifying, from the analysis-target logs, the lines that belong to the same session. Here step (e) preferably determines, on the basis of the lines in the analysis-target logs whose session can be identified, to which session the lines whose session cannot be identified belong.

With this configuration, even a line that appears impossible to attribute to a session can be classified into the appropriate session, which has the effect that subsequent log analysis can be carried out efficiently.

In yet another embodiment, step (b) merges the plurality of analysis-target logs session by session. In that case step (c) judges the presence or absence of unauthorized access from the analysis-target logs merged for each session, and step (c) preferably displays, for each session, the likelihood of unauthorized access distinguished by colour.

According to a second main aspect of the invention, a communication log processing system is provided, characterised in that it comprises:
(a) conversion processing means for converting, where necessary, each analysis-target log file output by an application program capable of recording a plurality of communication logs into a given format;
(b) merging means for merging the plurality of analysis-target logs converted into the given format; and
(c) judging means for judging the presence or absence of unauthorized access by analysing the merged logs.

With this configuration a system capable of carrying out the method of the first aspect is obtained.

According to a third main aspect of the invention, a computer software program product is provided which cooperates with an operating system installed on a computer system to analyse communication logs, characterised in that it comprises:
a recording medium;
(a) conversion processing means for converting, where necessary, into a given format each analysis-target log file output by an application program that is stored on this recording medium and can record a plurality of communication logs;
(b) merging means for merging the plurality of analysis-target logs stored on the recording medium and converted into the given format; and
(c) judging means for analysing the merged logs stored on the recording medium and thereby judging the presence or absence of unauthorized access.

With this configuration the same effect as the method of the first main aspect is obtained.

Other features and notable effects of the invention will be understood more clearly by referring to the embodiments and drawings described below.

[Embodiments of the Invention]

Embodiments of the invention are described below with reference to the drawings.

First, in Fig. 1, 1 is the log analysis system of this embodiment and 2 is the server being monitored. The log analysis system 1 receives on-line the communication logs output by the server 2 and analyses them in order to discover, for example, unauthorized access by a cracker.

That is, the server 2 uses a log recording program 4 to record and output the communication processing of each server application program 3. A log transfer program 5, likewise installed on the server 2, transfers these logs in real time over a LAN, a public circuit or another communication network to the log analysis system 1, which stores the received communication logs in an analysis-target log storage unit 7 provided in the system.

The log analysis system 1 takes out, at a given timing, the communication logs stored in the analysis-target log storage unit 7 and analyses them to look for unauthorized access (the step shown as 8 in Fig. 1). It then outputs the analysis result, for example in the form of a list.

The log analysis system 1 of the invention is characterised by merging and processing communication logs of many different kinds. To support this, the server 2 of this embodiment records the same event in a plurality of log files and then transfers them to the log analysis system 1. Figs. 2a and 2b illustrate such log recording methods.

That is, as shown in Fig. 2a, the server 2 may use a plurality of log recording programs 4A and 4B to record the communication logs of a plurality of server application programs A and B concerning the same event in different log files, or, as shown in Fig. 2b, a single log recording program 4A may record the communication logs of the application programs A and B in different log files A and B.

The plurality of log files is preferably prepared per facility. For example, in this embodiment the communication log of each facility for the same event is recorded in "/var/log/<facility name>.log". In addition, the communication logs of all facilities for the same event are recorded in one file, "/var/log/all.log", which serves as a reference for checking the consistency of the per-facility logs.

Next, the log analysis system 1 of this embodiment is described with reference to Fig. 3.

As shown in Fig. 3, the system is built by connecting a program storage unit 16 and a data storage unit 17 to a bus 15, to which a CPU 11, a RAM 12, a communication device 13 and other input and output devices 14 are also connected.

In addition to the analysis-target log storage unit 7, the data storage unit 17 holds an analysis condition storage unit 19 for the analysis conditions applied by the analysis system, a unified log storage unit 21 for logs whose format has been unified, a merged analysis-target log storage unit 22 for the merged analysis-target logs, and an analysis result storage unit 23 for the results of log analysis.
The analysis condition storage unit 19 holds an updated system-set analysis condition file 24a, which is supplied by a security vendor such as the applicant, and a user-set analysis condition file 24b, which the user of the system sets on the basis of the system-set analysis condition file.

The program storage unit 16 contains, listing only the parts relevant to the invention: an analysis condition setting unit 25 for setting the conditions of the analysis; a log format conversion processing unit 26 that converts the analysis-target log files into a given unified format so that they can be compared or combined with one another, and stores them in the unified log storage unit 21; a consistency judging unit 27 that judges the consistency of the plurality of analysis-target logs; a log merging processing unit 28 that merges the plurality of analysis-target logs converted into the given format; a log separation processing unit 29 that separates, from the merged analysis-target logs, the lines belonging to the same facility; a log analysis processing unit 30 that judges the presence or absence of unauthorized access by analysing the separated analysis-target logs; and an analysis result reflection processing unit 36 that reflects the results of the log analysis processing unit 30 in the analysis settings.

The log merging processing unit 28 has a session judging unit 31 which, for lines of the analysis-target logs whose session cannot be identified, determines from the classifiable lines to which session they should be assigned.

The log analysis processing unit 30 comprises a connecting-IP analysis unit 33 that judges unauthorized access from the connecting address, a connection time analysis unit 34 that judges unauthorized access from the connection time, and a pattern analysis unit 35 that judges the presence or absence of unauthorized access by comparing the logs with connection patterns prepared in advance.

These components in practice consist of a region reserved on the storage medium of the computer system and the programs installed in that region; they are loaded by the CPU 11 into the RAM 12 and executed to perform the functions of the invention.

Next, the processing procedure of the system is described, together with the functions and operation of the components above.

Fig. 4 shows the outline of the processing procedure of the analysis system 1.

As the figure shows, communication log analysis with the analysis system 1 is performed, for example, in the form of a wizard. When the analysis wizard is started (step S1), the analysis setting unit 25 first sets the analysis conditions in steps S2 to S6, preferably in the order: setting of the analysis policy (step S2), setting of permitted IPs and denied IPs (step S3), pattern setting (step S4), selection of the analysis-target files (step S5), and selection of the analysis items and of the report output type (step S6).

Here the analysis policy setting (step S2) is intended to lighten the burden of steps S3 to S6 for an operator who is not well versed in network security. In this embodiment, as shown in Fig. 5, the following can be selected: "default" 38, the setting currently in effect; "basic setting" 39, which performs a comprehensive unauthorized-access analysis; "Web general" 40, which analyses unauthorized access related to CGI and other Web items; "ftp action analysis" 41, which checks items related to ftp; "root access analysis" 42, which analyses the logs of actions performed with administrator privileges; "… action analysis" 43 (the first part of the name is illegible), which analyses the preparatory actions that precede unauthorized access; "mail environment analysis" 44, which analyses abnormal actions in the mail environment; and so on. Selecting one of these settings automatically sets the analysis items set by the system for each setting as described later, so the operator need only modify these analysis items.
Further, with the configuration of this embodiment, the security policy settings other than "default" can be made using the latest updated system-set analysis condition file 24a, which is prepared by a security vendor such as the applicant. Therefore, when selecting an option other than "default", the operator makes use of the latest security policy without being aware of it.

Next, in the setting of permitted IPs and denied IPs (step S3), for each facility the IPs from which access is permitted (permitted IPs) and the IPs from which access is denied (denied IPs) can be set. In this embodiment, in accordance with the selected policy, the following are automatically displayed as the system setting: the "denied IPs" added by the security vendor to the updated system-set analysis condition file 24a, and the "denied IPs" that the analysis result reflection processing unit 36 has judged appropriate from the results of this system's security diagnosis.

In the pattern setting (step S4), the patterns to be monitored can be set for each facility. For example, for an application, patterns such as brute-force attacks and port scans can be set for monitoring. Such patterns can also be supplied as the latest system setting, from time to time and for each policy, by way of the system-set analysis condition file 24a provided by the security vendor. The operator can therefore make the most suitable setting simply by adopting the patterns of the system setting.

Next, the target files are selected (step S5); in this example the directory set as the analysis-target log storage unit 7 and the files within it can be specified individually.

In the selection of analysis items and of the report output type (step S6), the analysis items that can be selected are connecting-IP analysis, connection time analysis and pattern analysis, corresponding to the connecting-IP analysis unit 33, the connection time analysis unit 34 and the pattern analysis unit 35. As for the report output items, the items to be output in the report can be specified; for example, it can be specified that the time, the facility name and so on are shown when a communication log is output.

The items set as above are stored in the user-set analysis condition file 24b of the analysis condition storage unit 19, and the analysis shown in step S7 of Fig. 4 is then carried out.

This procedure is described below with reference to the flowchart of Fig. 6.

First, the format conversion processing unit 26 takes out the analysis-target communication logs set in the analysis conditions, converts them into the given format, and stores the converted logs in the unified log storage unit 21 (step S7-1). This format conversion brings the formats, which differ in display position, display order, timestamp position and so on according to the target facility and the logging program, into line with a unified format.

For example, suppose that a first log (syslog) recording ftp actions is as shown in Fig. 7a, and a second log (xferlog) recording file transfers in ftp is as shown in Fig. 7b. Here the first log has a writing format of the kind {month, day, time, server, [PID] action (including connecting IP and account)}, whereas the second has a writing format of the kind {weekday, month, day, time, year, connecting IP, file size, file name, transfer mode, input/output, account, protocol}. If these formats were left unchanged, the logs would be hard to analyse even after the merging described later, as Fig. 8 shows. In this embodiment, therefore, the format conversion processing unit 26 converts these formats into the writing format shown in Fig. 9.
With this writing format the timestamps of the formats of Figs. 7a and 7b are made consistent, and the display position of the connecting IP and that of the account are made to coincide.

Next, the consistency judging unit 27 judges the consistency among the logs of the same event stored in the unified log storage unit 21 (step S7-2).

For example, suppose that for the same event the all-facility log of ftp actions (/var/log/all.log) is as shown in Fig. 10a and the authentication log (/var/log/auth.log) is as shown in Fig. 10b. Here the writing format of Fig. 10a is {month, day, time, server, daemon (or service program) [PID] action (including connecting IP and account)}; for ease of explanation it is the format before the unification described above. If the log of Fig. 10b is applied to the description of Fig. 10a, it corresponds to lines 9, 16 and 17.

The consistency judging unit 27 then extracts from the all-facility log, by the method best suited to the kind of log recording program 4, the lines to be compared with the log of each facility. In this example the lines of the all-facility log of Fig. 10a are extracted with the "daemon name" as the key and compared with Fig. 10b. If the two do not agree, it can be judged that one of the logs has been tampered with. The daemon name is used to extract lines from the all-facility log because the daemon name (or service program name) is fixed for each facility. The PID (process ID), on the other hand, is unsuitable: where logs are kept per facility, the entries for one PID are scattered over a plurality of logs.

Because the most suitable extraction method differs with the writing format of the log, in this embodiment this step (step S7-2) is actually arranged to be carried out after the writing-format unification step (step S7-1). The comparison can thereby be performed by a fixed method.
Next, the log merging processing unit 28 merges the plurality of analysis-target logs converted into the given format (step S7-3). The logs are merged because, from the individual log files alone, it is sometimes impossible to tell whether an intrusion has occurred.

For example, consider the case in which, among the system logs (syslog) of the same event, a first log is as shown in Fig. 11a and a second log (/var/log/auth.log) is as shown in Fig. 11b. Here the ftp session with PID [2425] is suspected of unauthorized access. In the first log alone, however, only a slight trace remains in the three entries for PID [2421], and even from that trace no clear relationship to PID [2425] can be established. Conversely, the second log retains the failure entries for PID [2421], from which it is clear that P51-dno9.***.ne.jp mounted a brute-force attack; but whether the attack succeeded cannot be determined from this log, and the PID "2421" does not appear in it.

These actions do appear, however, when the all-facility log (/var/log/info.log) shown in Fig. 12 is examined. That is, it can be seen that this series of attacks began at 2/16 15:09:04 and that its method was a brute-force attack over Telnet.

Such an analysis cannot be obtained from the logs of Fig. 11a and Fig. 11b individually. It is therefore necessary to analyse the two logs in combination.

The log combination method of this embodiment is described below.

The log merging processing unit 28, once the format of each log has been unified by the format unification step described above, combines these logs to obtain a combined log like that of Fig. 9.
That is, as stated earlier, in the case of ftp, for example, the daemon's own actions and the file transfers are recorded in separate log files (Figs. 8a and 8b). These two logs have different formats, so simply concatenating them makes analysis difficult. The two write formats are therefore unified by the method described above before the logs are combined.

In such a case, however, a problem arises because the log of Fig. 8b contains no description that identifies the ftp action. In the examples of Figs. 8 and 9 there is only one PID, so identification is easy; but when there are, for example, many ftp sessions in the same time range, the sessions cannot be identified and effective analysis is impossible.

For this reason, in this embodiment the log merge processing unit 28 determines which session each line of a log file belongs to, and divides the lines whose session is unknown into the appropriate sessions.

Fig. 13a is an example of the first log (syslog) when there are many sessions in the same time range; Fig. 13b is an example of the second log (xferlog). Fig. 14 shows the result after the log format conversion unit 26 has unified the formats of these two logs as above and the log merge processing unit 28 has merged them and arranged them in timestamp order.

The merged log of Fig. 14 is quite difficult to interpret, because sessions overlap at the same time and several sessions come from the same IP. The log merge processing unit 28 therefore first determines the attributes of each session (step S7-4). If the log of Fig. 13a is separated by PID and the lines that can be judged to belong to the same session are grouped, it becomes clear, as shown in Figs. 15a to 15c, that three sessions exist. From this result, the PID, IP and connection time of each session are determined as shown in Fig. 16 (step S7-5).

Using this data, the log of Fig. 13b can then be classified into sessions as shown in Figs. 17a to 17c.
The log merge processing unit 28 then arranges Figs. 15 and 17 in the order of the timestamps of each session, obtaining the results of Figs. 18a to 18c (step S7-6). The merged log thus obtained is stored in the merged analysis-target log storage unit 22.

Next, the division unit 29 divides the merged log by facility (step S7-7). In this embodiment, the log stored in the merged analysis-target log storage unit is taken out and its lines are separated according to the daemon name (service program name).

Next, the log analysis processing unit 30 uses the log files processed as above to analyse whether unauthorized access has occurred (steps S7-8 to S7-10). Because each log has, as described above, been organized into a state that is easy to analyse, the following analyses can be carried out efficiently.

First, the connection IP analysis of step S7-8 performs the "permitted IP" and "denied IP" detection described earlier. The IPs and address ranges set as permitted IPs are excluded from the analyses that follow. Among the IPs that are not permitted IPs, or that are detected as denied IPs, those for which a connection was actually established are detected, and the log entries concerning those IPs are extracted.

Next, in the improper connection time detection of step S7-9, a connection outside the time band set as the connection time band is detected as an improper connection time, and the log entries concerning that connection time are extracted.
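The session attribution and merge procedure of steps S7-4 to S7-6 (group syslog lines by PID, derive each session's IP and time span, assign the PID-less xferlog lines to a session, then interleave by timestamp), as an added example that is not the patent's own code. The syslog and xferlog lines are constructed in the layouts of Figs. 13a and 13b; the year is an assumption, since syslog lines carry none. It also handles the edge case the text raises: when two sessions from the same IP overlap, a transfer that could belong to either is reported rather than guessed.

```python
import re
from datetime import datetime

# Constructed samples in the layouts of the patent's Figs. 13a (syslog, lines carry
# a PID) and 13b (xferlog, lines carry no PID).  Not taken from the patent.
SYSLOG_SAMPLE = """\
Feb 16 15:09:04 host ftpd[2421]: connection from 192.0.2.7
Feb 16 15:09:06 host ftpd[2421]: FTP LOGIN FROM 192.0.2.7, guest
Feb 16 15:09:20 host ftpd[2433]: connection from 198.51.100.5
Feb 16 15:09:22 host ftpd[2433]: FTP LOGIN FROM 198.51.100.5, alice
Feb 16 15:09:50 host ftpd[2421]: FTP session closed
Feb 16 15:09:55 host ftpd[2440]: connection from 192.0.2.7
Feb 16 15:09:57 host ftpd[2440]: FTP LOGIN FROM 192.0.2.7, guest
Feb 16 15:10:40 host ftpd[2433]: FTP session closed
Feb 16 15:10:45 host ftpd[2440]: FTP session closed
"""
XFERLOG_SAMPLE = """\
Mon Feb 16 15:09:30 2004 1 192.0.2.7 512 /pub/README a _ o a guest ftp 0 * c
Mon Feb 16 15:10:05 2004 2 198.51.100.5 40960 /pub/tool.tgz b _ o r alice ftp 0 * c
Mon Feb 16 15:10:20 2004 1 192.0.2.7 2048 /pub/passwd.txt a _ o a guest ftp 0 * c
"""

YEAR = 2004  # assumption: syslog lines carry no year, so one must be supplied
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ (?P<daemon>[\w.-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def build_sessions(syslog_text):
    """Steps S7-4/S7-5: group syslog lines by PID into sessions and derive
    each session's IP and connection time span (cf. Fig. 16)."""
    sessions = {}
    for line in syslog_text.splitlines():
        m = SYSLOG_RE.match(line)
        if m is None:
            continue  # a line without a PID cannot be attributed at this stage
        pid = int(m.group("pid"))
        ts = datetime.strptime(f"{YEAR} {' '.join(m.group('ts').split())}", "%Y %b %d %H:%M:%S")
        s = sessions.setdefault(pid, {"pid": pid, "daemon": m.group("daemon"),
                                      "ip": None, "start": ts, "end": ts, "lines": []})
        s["end"] = max(s["end"], ts)
        ip = IP_RE.search(m.group("msg"))
        if ip and s["ip"] is None:
            s["ip"] = ip.group(1)
        s["lines"].append((ts, "syslog", line))
    return sessions


def session_table(sessions):
    """(PID, IP, start, end) per session in start order, like Fig. 16."""
    return [(s["pid"], s["ip"], s["start"].strftime("%H:%M:%S"), s["end"].strftime("%H:%M:%S"))
            for s in sorted(sessions.values(), key=lambda s: (s["start"], s["pid"]))]


def attribute_xferlog(sessions, xferlog_text):
    """Assign each xferlog line (no PID) to the one session whose IP matches and
    whose time span contains the transfer time.  Lines with zero or several
    candidate sessions are returned to the caller instead of being guessed."""
    unattributed = []
    for line in xferlog_text.splitlines():
        f = line.split()
        if len(f) < 14:
            continue
        ts = datetime.strptime(" ".join(f[:5]), "%a %b %d %H:%M:%S %Y")
        remote = f[6]
        hits = [s for s in sessions.values()
                if s["ip"] == remote and s["start"] <= ts <= s["end"]]
        if len(hits) == 1:
            hits[0]["lines"].append((ts, "xferlog", line))
        else:
            unattributed.append((line, "ambiguous" if hits else "no session"))
    return unattributed


def merge_by_session(sessions):
    """Step S7-6: per session, both logs interleaved by timestamp."""
    return {pid: [f"[{src}] {line}" for _, src, line in sorted(s["lines"])]
            for pid, s in sorted(sessions.items())}


if __name__ == "__main__":
    sessions = build_sessions(SYSLOG_SAMPLE)
    leftovers = attribute_xferlog(sessions, XFERLOG_SAMPLE)
    for row in session_table(sessions):
        print(row)
    for pid, lines in merge_by_session(sessions).items():
        print(f"--- session {pid}")
        print("\n".join(lines))
    print("unattributed:", leftovers)
```

In the sample, two sessions come from 192.0.2.7 but do not overlap, so the time span alone decides which one the transfer of /pub/passwd.txt belongs to. A real xferlog also records the user name, which could be used as a further key when spans do overlap; the patent's own text only names PID, IP and connection time.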
Next, in the pattern analysis of step S7-10, it is determined whether the log matches any of the patterns stored in the analysis condition storage unit; a match is detected as unauthorized access. Since these patterns are ideally updated daily, in this embodiment the updated patterns are supplied by the security service provider as the updated system-set analysis condition file 24a. About 400 patterns are used in this embodiment.

Finally, the analysis result is output by the step shown in Fig. 4. This output is ideally displayed in classes, for example in red or yellow, according to the likelihood of unauthorized access. For each session, a flag corresponding to the likelihood of unauthorized access is raised, and the result is stored in the analysis result storage unit 23.

The analysis result obtained in this way is also reflected, by the analysis result reflection processing unit 36, in the updated system-set analysis condition file 24a. For example, if the result of the analysis contains an IP judged to have performed unauthorized access, that IP is stored in the system-set analysis condition file 24a as a denied IP.

With this configuration, the formats of a plurality of log files are unified and the files are merged, whereby unauthorized access that could not be identified from a single log file can be detected. Moreover, since these steps are carried out, for example, by the security service provider using the latest format unification method and merge method updated at a given timing, even a security administrator without a high level of knowledge and experience can discover unauthorized access and the like.
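The three analyses of steps S7-8 to S7-10 run over per-session records, together with the red/yellow classification and the feedback of flagged IPs into the denied list, as an added example that is not the patent's own code. The permitted networks, denied IPs, connection time band and patterns are constructed stand-ins for the contents of the system-set analysis condition file 24a, and the session records are constructed in the shape the merge step produces.

```python
import re
import ipaddress
from datetime import datetime, time

# Analysis conditions, constructed for this example; they stand in for the
# lists and patterns the patent's system-set condition file 24a would hold.
PERMITTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # "permitted IP" ranges
DENIED_IPS = {"203.0.113.9"}                            # "denied IP" list
CONNECTION_HOURS = (time(8, 0), time(18, 0))            # permitted connection time band
PATTERNS = [re.compile(p) for p in (
    r"Failed password",
    r"FTP LOGIN FROM .*, guest",
    r"passwd",
)]


def _session(pid, ip, start, lines):
    return {"pid": pid, "ip": ip, "start": start, "lines": lines}


# Constructed per-session records of the kind the merge step produces.
SESSIONS = [
    _session(2421, "192.0.2.7", datetime(2004, 2, 16, 15, 9, 4),
             ["connection from 192.0.2.7", "FTP LOGIN FROM 192.0.2.7, guest", "get /pub/passwd.txt"]),
    _session(2433, "10.1.2.3", datetime(2004, 2, 16, 15, 9, 20),
             ["connection from 10.1.2.3", "FTP LOGIN FROM 10.1.2.3, guest"]),
    _session(2440, "198.51.100.5", datetime(2004, 2, 16, 22, 30, 0),
             ["connection from 198.51.100.5", "FTP LOGIN FROM 198.51.100.5, alice", "FTP session closed"]),
    _session(2451, "203.0.113.9", datetime(2004, 2, 16, 10, 0, 0),
             ["connection from 203.0.113.9", "FTP LOGIN FROM 203.0.113.9, bob"]),
]


def within_hours(t, band):
    """True if time t lies in the band; a band that crosses midnight wraps."""
    lo, hi = band
    return lo <= t <= hi if lo <= hi else (t >= lo or t <= hi)


def analyze_session(session, permitted=PERMITTED_NETS, denied=DENIED_IPS,
                    hours=CONNECTION_HOURS, patterns=PATTERNS):
    """Steps S7-8 to S7-10 for one session.  Returns the flags raised and a
    colour class: red for a denied IP or pattern hit, yellow for off-hours
    only, green otherwise."""
    ip = ipaddress.ip_address(session["ip"])
    result = {"pid": session["pid"], "ip": str(ip), "flags": [], "level": "green"}
    if any(ip in net for net in permitted):
        return result                                   # S7-8: permitted IPs leave the analysis
    if str(ip) in denied:
        result["flags"].append("denied_ip")             # S7-8: denied IP that connected
    if not within_hours(session["start"].time(), hours):
        result["flags"].append("off_hours")             # S7-9: improper connection time
    hits = [p.pattern for p in patterns if any(p.search(l) for l in session["lines"])]
    result["flags"].extend("pattern:" + h for h in hits)  # S7-10: pattern analysis
    if "denied_ip" in result["flags"] or hits:
        result["level"] = "red"
    elif result["flags"]:
        result["level"] = "yellow"
    return result


def analyze_all(sessions, **conditions):
    return [analyze_session(s, **conditions) for s in sessions]


def update_denied_ips(results, denied):
    """Feedback step (unit 36): the IPs of red sessions join the denied list.
    A new set is returned so the caller decides when to persist it."""
    return set(denied) | {r["ip"] for r in results if r["level"] == "red"}


if __name__ == "__main__":
    results = analyze_all(SESSIONS)
    for r in results:
        print(f"{r['level']:6} pid={r['pid']} ip={r['ip']} flags={r['flags']}")
    print("denied after feedback:", sorted(update_denied_ips(results, DENIED_IPS)))
```

Note that the permitted-IP exclusion happens before pattern matching, exactly as the text orders the steps: the guest login from 10.1.2.3 is never examined. That is the intended behaviour of the patent's design, and also its weakness if a permitted host is itself compromised, so a deployment should keep the permitted ranges as narrow as possible.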
The present invention is not limited to the embodiment described above; various modifications can be made without departing from the gist of the invention.

For example, although the above embodiment takes the server 2 as the object of monitoring, it is not limited to this; a router or the like may be monitored instead.

Also, although the above embodiment provides the present invention as a system and a method, it may also be provided as packaged software stored on a CD-ROM or the like and installed on a computer system so as to perform the functions of the present invention.

With the configuration described above, a log processing method and system are obtained that can discover unauthorized access without requiring a high level of knowledge and experience of the security administrator.

[Brief Description of the Drawings]
Fig. 1 is a schematic diagram showing the configuration of an embodiment of the present invention.
Figs. 2a and 2b are explanatory diagrams showing the log recording method of this embodiment.
Fig. 3 is a schematic diagram showing the configuration of the log analysis system of this embodiment.
Fig. 4 is a flowchart showing the overall processing steps of this embodiment.
Fig. 5 is a diagram for explaining the selection of an analysis policy.
Fig. 6 is a flowchart showing the steps of the analysis processing.
Figs. 7a and 7b show examples of log processing.
Fig. 8 shows an example of communication log processing.
Fig. 9 shows an example of communication log processing.
Figs. 10a and 10b show examples of communication log processing.
Figs. 11a and 11b show examples of communication log processing.
Fig. 12 shows an example of communication log processing.
Figs. 13a and 13b show examples of communication log processing.
Fig. 14 shows an example of communication log processing.
Figs. 15a to 15c show examples of communication log processing.
Fig. 16 shows an example of communication log processing.
Figs. 17a to 17c show examples of communication log processing.
Figs. 18a to 18c show examples of communication log processing.

[Description of Reference Numerals]
1: log analysis system; 2: server; 3: server application; 4: log recording program; 5: log transfer program; 7: analysis-target log storage unit; 11: CPU; 12: RAM; 13: communication device; 14: input/output device; 15: bus; 16: program storage unit; 17: data storage unit; 19: analysis condition storage unit; 21: unified log storage unit; 22: merged analysis-target log storage unit; 23: analysis result storage unit; 24a: updated system-set analysis condition file; (numeral illegible): user-set analysis conditions; 25: analysis condition setting unit; 26: log format conversion processing unit; 27: matching determination unit; 28: log merge processing unit; 29: division unit; 30: log analysis processing unit; 31: session determination unit; 33: IP analysis unit; 34: connection time analysis unit; 35: pattern analysis unit; 36: analysis result reflection processing unit.