Computer-readable recording medium storing security management program, security management system, and method of security management
First Claim
1. A computer-readable recording medium storing a security management program for use by a gateway computer to perform security management of jobs submitted to nodes on a network, the security management program, when executed on the gateway computer, causing the gateway computer to function as a system comprising:
- a service library management database to store associations between a job program describing processes of a job, and link libraries called by the job program;
- a job submission destination management database to store associations between the job program, and job submission destination nodes to which the job has been submitted;
- a job execution request-obtaining unit to receive input of a job execution request whereby the job program is obtained;
- a service library-determining unit to analyze the job program obtained by said job execution request-obtaining unit, to determine the link libraries to be called by the job program, and to register associations between identification information for identifying the job program and identification information for identifying the link libraries in said service library management database;
- a job submission unit to determine submission destination nodes for the job program obtained by said job execution request-obtaining unit, to register identification information identifying the submission destination nodes to which the obtained job program will be transmitted for execution thereon and the identification information identifying the job program in association with each other in said job submission destination management database, and to transmit the job program to the submission destination nodes for causing the submission destination nodes to execute the job program;
- a submission destination-determining unit, operable once identification information to identify a vulnerable library having a security defect is input, to refer to said service library management database to thereby obtain the identification information for identifying the job program corresponding to the identification information for identifying the vulnerable library, and to refer to said job submission destination management database to thereby obtain the identification information for identifying the submission destination nodes corresponding to the obtained identification information for identifying the job program;
- a forcible job stop unit to instruct the submission destination nodes to forcibly stop processes that are executing the job program using the identified vulnerable library, based on the identification information identifying the job program and the identification information identifying the submission destination nodes, which are obtained by said submission destination-determining unit; and
- a vulnerable library information-obtaining unit to output only identification information for identifying a vulnerable library having a higher degree of risk than a predetermined degree of risk to said submission destination-determining unit, wherein degrees of risk indicative of levels of hazard to be caused by vulnerable libraries are set in a security database.
Abstract
A security management program coping with a security hole found in a library. When a request for executing jobs, including a job program, is input, a service library-determining section analyzes the job program and determines link libraries called by the job program. Then, a job submission section transmits the job program to submission destination nodes, and instructs the submission destination nodes to execute the jobs according to the request. After that, when identification information for identifying a vulnerable library having a security defect is input, a submission destination-determining section obtains identification information for identifying the job program corresponding to the vulnerable library, and identification information for identifying the submission destination nodes corresponding to the job program. Subsequently, a forcible job stop section instructs the submission destination nodes to stop processes for executing the job program.
10 Claims
9. A security management system for carrying out security management of jobs submitted to nodes on a network, the security management system comprising:
- a processor;
- memory;
- a service library management database to store associations between a job program describing processes of a job, and link libraries called by the job program;
- a job submission destination management database to store associations between the job program, and job submission destination nodes to which the job has been submitted;
- a job execution request-obtaining unit to receive input of a job execution request whereby the job program is obtained;
- a service library-determining unit to analyze the job program obtained by said job execution request-obtaining unit, determining the link libraries to be called by the job program, and registering associations between identification information for identifying the job program and identification information for identifying the link libraries in said service library management database;
- a job submission unit to determine submission destination nodes for the job program obtained by said job execution request-obtaining unit, register identification information identifying the submission destination nodes to which the obtained job program will be transmitted for execution thereon and the identification information identifying the job program in association with each other in said job submission destination management database, and transmit the job program to the submission destination nodes for causing the submission destination nodes to execute the job program;
- a submission destination-determining unit, operable when identification information to identify a vulnerable library having a security defect is input, to refer to said service library management database to thereby obtain the identification information for identifying the job program corresponding to the identification information for identifying the vulnerable library, and refer to said job submission destination management database to thereby obtain the identification information for identifying the submission destination nodes corresponding to the obtained identification information for identifying the job program;
- a forcible job stop unit to instruct the submission destination nodes to forcibly stop processes that are executing the job program using the identified vulnerable library, based on the identification information identifying the job program and the identification information identifying the submission destination nodes, which are obtained by said submission destination-determining unit; and
- a vulnerable library information-obtaining unit to output only identification information for identifying a vulnerable library having a higher degree of risk than a predetermined degree of risk to said submission destination-determining unit, wherein degrees of risk indicative of levels of hazard to be caused by vulnerable libraries are set in a security database.
10. A method for use by a gateway computer to perform security management of jobs submitted to nodes on a network, the method comprising:
- receiving input of a job execution request whereby the job program is obtained;
- analyzing the job program obtained in said job execution request-obtaining step, determining the link libraries to be called by the job program, and registering associations between identification information for identifying the job program and identification information for identifying the link libraries in a service library management database;
- determining submission destination nodes which are to be caused to execute the job program received;
- registering identification information identifying the submission destination nodes to which the obtained job program will be transmitted for execution thereon and the identification information identifying the job program in association with each other in a job submission destination management database;
- transmitting the job program to the submission destination nodes for causing the submission destination nodes to execute the job program;
- referring, when identification information for identifying a vulnerable library having a security defect is input, to the service library management database to thereby obtain the identification information for identifying the job program corresponding to the identification information for identifying the vulnerable library, and referring to the job submission destination management database to thereby obtain the identification information for identifying the submission destination nodes corresponding to the obtained identification information for identifying the job program;
- instructing the submission destination nodes to forcibly stop processes that are executing the job program using the identified vulnerable library, based on the identification information identifying the job program and the identification information identifying the submission destination nodes, which are obtained in said referring;
- outputting only identification information for identifying a vulnerable library having a higher degree of risk than a predetermined degree of risk, wherein degrees of risk indicative of levels of hazard to be caused by vulnerable libraries are set in a security database.
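The abstract, claim 1 and the method of claim 10 all describe the same data flow: at submission time the gateway records which link libraries each job program calls and which nodes each job was sent to; when a vulnerable library is reported, only libraries whose degree of risk exceeds the predetermined threshold are passed on, the two databases are joined (library to jobs, jobs to nodes), and stop instructions go to exactly those nodes. The following Python model is an added example written for this page, not code from the patent or its assignee. It assumes a hypothetical analyzer in which a job program is a text script and each `link <library-id>` line names a called library, simulates the nodes as an in-memory map of running jobs, and uses constructed job, node and library identifiers. The risk comparison is strict ("higher than"), so a library at exactly the threshold is not acted on, and a library absent from the security database is treated as risk 0.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set, Tuple


def determine_link_libraries(job_program: str) -> Set[str]:
    """Service library-determining unit.

    Hypothetical analyzer (an assumption of this example, not the patent's):
    the job program is a text script and every line 'link <library-id>'
    names a link library the job will call.
    """
    libraries: Set[str] = set()
    for line in job_program.splitlines():
        line = line.strip()
        if line.startswith("link "):
            libraries.add(line.split(None, 1)[1].strip())
    return libraries


@dataclass
class Gateway:
    """Gateway computer holding the databases named in the claims."""
    risk_threshold: int                          # predetermined degree of risk
    security_db: Dict[str, int]                  # library id -> degree of risk
    # service library management database: job id -> link library ids
    service_library_db: Dict[str, Set[str]] = field(default_factory=dict)
    # job submission destination management database: job id -> node ids
    submission_destination_db: Dict[str, Set[str]] = field(default_factory=dict)
    # simulated nodes: node id -> job ids currently running there
    cluster: Dict[str, Set[str]] = field(default_factory=dict)
    # every (node id, job id) stop instruction sent, for audit
    stop_instructions: List[Tuple[str, str]] = field(default_factory=list)

    def submit_job(self, job_id: str, job_program: str, nodes: Iterable[str]) -> Set[str]:
        """Job execution request-obtaining unit plus job submission unit."""
        libraries = determine_link_libraries(job_program)
        self.service_library_db[job_id] = libraries
        destination = set(nodes)
        self.submission_destination_db[job_id] = destination
        # "Transmit the job program": the simulated nodes just start running it.
        for node in destination:
            self.cluster.setdefault(node, set()).add(job_id)
        return libraries

    def filter_vulnerable_libraries(self, reported: Iterable[str]) -> Set[str]:
        """Vulnerable library information-obtaining unit: pass on only libraries
        whose degree of risk is strictly higher than the threshold."""
        return {lib for lib in reported if self.security_db.get(lib, 0) > self.risk_threshold}

    def determine_submission_destinations(self, vulnerable_lib: str) -> Dict[str, Set[str]]:
        """Submission destination-determining unit: library -> jobs -> nodes."""
        affected: Dict[str, Set[str]] = {}
        for job_id, libraries in self.service_library_db.items():
            if vulnerable_lib in libraries:
                affected[job_id] = set(self.submission_destination_db.get(job_id, set()))
        return affected

    def forcibly_stop(self, node: str, job_id: str) -> bool:
        """Forcible job stop unit: instruct one node to stop one job.
        Returns True if the node actually had that job running."""
        self.stop_instructions.append((node, job_id))
        running = self.cluster.get(node, set())
        if job_id in running:
            running.discard(job_id)
            return True
        return False

    def handle_vulnerability_report(self, reported: Iterable[str]) -> List[Tuple[str, str]]:
        """End-to-end flow of the claims: filter by risk, resolve affected jobs
        and nodes, issue stop instructions. Returns the (node, job) pairs stopped."""
        stopped: List[Tuple[str, str]] = []
        for lib in sorted(self.filter_vulnerable_libraries(reported)):
            for job_id, nodes in sorted(self.determine_submission_destinations(lib).items()):
                for node in sorted(nodes):
                    if self.forcibly_stop(node, job_id):
                        stopped.append((node, job_id))
        return stopped


def demo() -> List[Tuple[str, str]]:
    """Constructed scenario: three jobs, two libraries, one reported above threshold."""
    gw = Gateway(risk_threshold=5, security_db={"lib-alpha": 9, "lib-beta": 3})
    gw.submit_job("job-A", "link lib-alpha\nlink lib-beta\nrun step1", ["node-1", "node-2"])
    gw.submit_job("job-B", "link lib-beta\nrun step2", ["node-2"])
    gw.submit_job("job-C", "link lib-alpha\nrun step3", ["node-3"])
    # Both libraries are reported; only lib-alpha exceeds the threshold, so
    # job-B (which links only lib-beta) keeps running on node-2.
    return gw.handle_vulnerability_report(["lib-alpha", "lib-beta"])


if __name__ == "__main__":
    for node, job in demo():
        print(f"stop instruction sent to {node} for {job}")
```

Running the module prints three stop instructions (node-1 and node-2 for job-A, node-3 for job-C) and none for job-B, which is the point of the risk filter in the final element of each claim: nodes are only interrupted for libraries whose hazard level warrants it. A second report of the same library issues the instructions again but stops nothing, which the `stop_instructions` audit list makes visible.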
Specification