Various kinds of information are exchanged on an IT (Information Technology) system, and it is important to suitably monitor or manage the flow of these kinds of information according to the degree of confidentiality of the information.
When the flow of the data is insufficiently monitored, information leakage occurs. Information can easily be exchanged by using, for example, a USB (Universal Serial Bus) memory, but information leakage occurs when, for example, the USB memory is lost.
In order to prevent such information leakage, a so-called DLP (Data Loss Prevention) tool described in Non Patent Literature 1 monitors information leakage on the basis of the degree of similarity of the data which are exchanged. In particular, a system using the DLP tool prevents information leakage by having a feature of highly confidential information written in a policy beforehand, so that the system detects when data having that feature are written to a USB memory or attached to an e-mail to be transmitted to an untrusted destination.
Non Patent Literature 2 proposes a method for hooking system calls and tracking not only file input/output and network I/O (Input/Output) but also inter-process communication using a memory map.
Further, an access management system described in Patent Literature 1 collects, as logs, events of file input/output and network input/output occurring in a PC (Personal Computer). In the logs, operations, such as an input/output of a file, a change of a file name, writing to a USB memory, and network communication, performed during a process are recorded so as to be associated with time, the name of the process, and a user name. By checking the logs, the access management system can track the original name of the file written to the USB memory, the copy source of the file, and the like, so as to monitor or prevent the leakage of information.
Patent Literature 2 discloses a method in which a computer reads a filter program used to monitor a user's operation for application software and detects data transfer between the applications so as to thereby prevent unauthorized inter-process communication. With this method, the computer can obtain the dependence relationship between data transferred only through inter-process communication for transferring the data between applications. However, in this method, the computer needs to create a filter program for each piece of application software.
Here, the dependence relationship between data means a relationship between certain data and other data in which all or part of the former is formed by copying all or part of the latter.
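The log-based tracking described for Patent Literature 1, combined with the dependence relationship just defined, can be sketched as follows. This is an added example, not code from any of the cited documents; the event tuple layout, the `E:\` drive letter for the USB memory, and the coarse rule that a written file depends on every file the same process read earlier are assumptions.

```python
from collections import defaultdict

# Constructed sample log, sorted by time (not taken from any cited document).
# Fields: (time, process, user, operation, path, new_path)
EVENTS = [
    ("09:00:01", "excel.exe", "alice", "read", r"C:\hr\salaries.xlsx", None),
    ("09:00:07", "excel.exe", "alice", "write", r"C:\tmp\export.csv", None),
    ("09:01:12", "explorer.exe", "alice", "rename", r"C:\tmp\export.csv", r"C:\tmp\notes.txt"),
    ("09:02:30", "explorer.exe", "alice", "read", r"C:\tmp\notes.txt", None),
    ("09:02:31", "explorer.exe", "alice", "write", r"E:\notes.txt", None),
    ("09:05:00", "notepad.exe", "bob", "read", r"C:\pub\readme.txt", None),
    ("09:05:09", "notepad.exe", "bob", "write", r"E:\readme.txt", None),
]

def build_dependencies(events):
    """Return {path: set of paths it was directly derived from}."""
    deps = defaultdict(set)
    read_by = defaultdict(set)  # (process, user) -> files read so far
    for _time, proc, user, op, path, new_path in events:
        key = (proc, user)
        if op == "read":
            read_by[key].add(path)
        elif op == "write":
            # Assumed coarse rule: output may copy anything read earlier.
            deps[path] |= read_by[key] - {path}
        elif op == "rename":
            deps[new_path].add(path)  # new name carries the old file's data
    return deps

def origins(path, deps):
    """Follow dependence relationships back to files with no recorded source."""
    seen, stack, roots = set(), [path], set()
    while stack:
        cur = stack.pop()
        if cur in seen:  # guards against cycles such as A -> B -> A
            continue
        seen.add(cur)
        parents = deps.get(cur, set())
        if not parents and cur != path:
            roots.add(cur)
        stack.extend(parents)
    return roots

def usb_report(events, usb_prefix="E:\\"):
    """Map each file written to the USB memory to its original source files."""
    deps = build_dependencies(events)
    return {p: origins(p, deps) for _t, _pr, _u, op, p, _n in events
            if op == "write" and p.startswith(usb_prefix)}
```

Because the rule works at process granularity, it over-approximates: a process that read several files taints everything it writes afterwards, and data that moves between processes without a file or rename event is not captured.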
Patent Literature 3 discloses a method which monitors a user's operation for application software and detects the state of the application software, and which performs analysis by combining the operation and the state. With this method, the computer can comparatively accurately track not only the inter-process communication but also the flow of information inside the process, so as to obtain an accurate dependence relationship between data. However, in this method, the computer needs to acquire a file in which a rule for detecting the state of each piece of application software is written.