UNAUTHORIZED PROCESS DETECTION METHOD AND UNAUTHORIZED PROCESS DETECTION SYSTEM
First Claim
1. An unauthorized process detection method in an unauthorized process detection system for detecting an unauthorized process operated in a terminal connected to a network, comprising steps by the unauthorized process detection system of:
- monitoring system access which is access as a result of execution of a process in the terminal to a storage device and an input-output device in the terminal;
- associating a first activity which is acquired by the monitoring of the system access and which is processing of the process with the process that executes the first activity and recording them in a system monitoring result database;
- monitoring communication via the network as a result of the execution of the process in the terminal;
- associating a second activity which is acquired by the monitoring of the communication and which is processing of the process with the process that executes the second activity and recording them in a communication monitoring result database;
- determining whether an activity which is the same as at least one of the first and second activities and a process that executes which is the same process or its associated process is already recorded in the system monitoring result database or in the communication monitoring result database; and
- determining that the process that executed is an unauthorized process when the activity judged to be recorded meets predetermined conditions.
Abstract
Provided is a system whereby information on activities obtained by way of monitoring system access to input and output devices and storage devices in a terminal as well as information on activities executed by way of a terminal and obtained by way of monitoring communications through a network are associated with processes in the terminal that generated the activities, and if the activities are predetermined activities executed by the same or related processes, the system detects that unauthorized processes are running on the terminal.
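The correlation the abstract and claims describe, as an added Python sketch that is not the patent's own implementation: two monitoring-result stores keyed by process, a parent/child relation standing in for the "associated process", and a constructed predetermined condition (a document read from storage plus outbound communication by the same or an associated process).

```python
"""Added illustration, not the patent's code. Event names, the process
tree and the predetermined condition are constructed for the example."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Correlator:
    # process id -> parent process id: the "associated process" relation
    parent: dict = field(default_factory=dict)
    # system monitoring result database: activity -> process ids seen doing it
    system_db: dict = field(default_factory=lambda: defaultdict(set))
    # communication monitoring result database, same shape
    comm_db: dict = field(default_factory=lambda: defaultdict(set))
    # predetermined condition (constructed): every activity in this set must
    # already be recorded for the process or an associated process
    required: frozenset = frozenset({"read:documents", "net:outbound"})

    def associated(self, pid):
        """The process itself plus its ancestors and descendants."""
        group, p = {pid}, pid
        while p in self.parent:          # walk up to the root
            p = self.parent[p]
            group.add(p)
        changed = True
        while changed:                   # pull in descendants of the group
            changed = False
            for child, par in self.parent.items():
                if par in group and child not in group:
                    group.add(child)
                    changed = True
        return group

    def record_system_access(self, pid, activity):
        """First activity: access to storage / input-output devices."""
        self.system_db[activity].add(pid)
        return self.is_unauthorized(pid)

    def record_communication(self, pid, activity):
        """Second activity: communication observed on the network."""
        self.comm_db[activity].add(pid)
        return self.is_unauthorized(pid)

    def is_unauthorized(self, pid):
        """True when the required activities are all already recorded, in
        either database, for this process or an associated process."""
        group = self.associated(pid)
        seen = {act for db in (self.system_db, self.comm_db)
                for act, pids in db.items() if pids & group}
        return self.required <= seen
```

The same activity spread across a parent and its child still matches, while two unrelated processes each doing half of the pattern do not.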
18 Citations
11 Claims
1. An unauthorized process detection method in an unauthorized process detection system for detecting an unauthorized process operated in a terminal connected to a network (independent claim; full text as given under First Claim above). Dependent claims: 2, 3, 4, 5.
6. An unauthorized process detection system in a network to which a terminal, a communication monitoring apparatus and an unauthorized process determination apparatus are connected, comprising:
- a terminal that monitors system access which is access as a result of the execution of a process to a storage device and an input-output device, that associates a first activity which is acquired by the monitoring of the system access and which is the processing of the process with the process that executed the first activity and notifies them as an access monitoring result, and that writes information showing the process that executed the communication to communication via the network;
- a communication monitoring apparatus which is connected to the terminal via the network, extracts information included in the communication via the network and showing the process, monitors the communication, associates a second activity acquired by the monitoring of the communication with the extracted process, and notifies them as a communication monitoring result; and
- an unauthorized process determination apparatus which is connected to the terminal and the communication monitoring apparatus, is provided with databases that record the access monitoring result notified from the terminal and the communication monitoring result notified from the communication monitoring apparatus, and determines that an unauthorized process is going on in the terminal when the first or second activity included in the access monitoring result or in the communication monitoring apparatus meets predetermined conditions and the first or the second activity is already recorded in the database as an activity executed by the same process or an associated process as/with the process associated with the first or second activity.
Dependent claims: 7, 8, 9, 10, 11.
Specification