In recent years, cases have been occurring in which a computer terminal or a server (hereinafter referred to as a “host” without distinguishing between them) becomes infected with malware, which is malicious software, and information inside the host is destroyed or the host itself is abused as a stepping stone for new attacks. Further, the malware is also able to leak information in the host to the outside without permission. Since not only personal information but also confidential information of a company, a government, a military organization, or the like may be leaked, information leakage by malware infection has been a problem.
Various infection routes have been confirmed for malware, including, for example: infection by a user clicking on and installing malware disguised as a file attached to an e-mail; malware disguised as general software distributed on a Web site; malware disguised as a P2P file; and infection by malware being automatically downloaded and installed when a Web site containing an attack code is browsed with a Web browser having a vulnerability.
Further, there has been unauthorized access to various services provided on the Internet. Much of the unauthorized access is performed by breaking through authentication information (for example, an account name and a password) by brute force (login attempted by an attacker using all possible combinations of account names and passwords), or by using genuine authentication information stolen in advance from a user by some means. Since logins are executed continuously when authentication information is broken through by brute force, detection and protection based on a threshold of the number of login trials per unit time are possible with an intrusion prevention system (IPS) or the like (see, for example, Non-Patent Literature 1).
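As an added illustration of the threshold-based detection described above (example code, not part of the original text), the following counts login trials per source address in a sliding time window over constructed log lines; the log format, the field names and the threshold of five trials per 60 seconds are assumptions chosen for the example.

```python
"""Threshold-based brute-force login detection over constructed auth log lines.

Added example, not from the original text. The log line format, field names
and the 5-trials-per-60-seconds threshold are assumptions for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log: "<ISO timestamp> <source IP> <account> <result>"
SAMPLE_LOG = """\
2024-01-01T10:00:00 203.0.113.5 alice FAIL
2024-01-01T10:00:05 203.0.113.5 alice FAIL
2024-01-01T10:00:10 203.0.113.5 bob FAIL
2024-01-01T10:00:12 203.0.113.5 carol FAIL
2024-01-01T10:00:15 203.0.113.5 dave FAIL
2024-01-01T10:00:20 203.0.113.5 erin FAIL
2024-01-01T10:30:00 198.51.100.7 alice FAIL
2024-01-01T10:30:40 198.51.100.7 alice OK
2024-01-01T11:00:00 198.51.100.7 alice OK
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, source, account, result)."""
    ts, src, account, result = line.split()
    return datetime.fromisoformat(ts), src, account, result


def detect_brute_force(log_text, threshold=5, window_seconds=60):
    """Return (source, timestamp) for each burst in which one source exceeds
    `threshold` login trials within `window_seconds`. Trials are counted
    regardless of outcome, per source, in a sliding window. Note that a login
    with stolen genuine credentials at a normal rate never exceeds the
    threshold, which is why this check covers brute force only."""
    recent = defaultdict(deque)  # source -> timestamps of trials still in window
    alerts = []
    for line in log_text.strip().splitlines():
        ts, src, _account, _result = parse_line(line)
        q = recent[src]
        q.append(ts)
        # Drop trials that have fallen out of the window
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) > threshold:
            alerts.append((src, ts))
            q.clear()  # one alert per burst, then start counting again
    return alerts
```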
Further, against such malware infection, antivirus vendors generate signatures of malware to prevent hosts from being infected. However, these signatures require detailed analysis of the malware, and thus signature generation is time-consuming.
Many conventional measures against information leakage prevent leakage of confidential data by setting access rights to information for each user. These do not cover a case in which a user having an access right intentionally leaks information to the outside. Further, if that user copies the information, protection of the copied data is not covered.
A technique called data loss prevention or data leak prevention (DLP) has recently been used as a method of preventing information leakage by control focused on the information itself (see, for example, Non-Patent Literatures 2 to 4). In DLP, access to or transmission of confidential information is monitored, and in particular, transmission to the outside is prevented. This may be achieved by a method of controlling information on a host, or by a method of monitoring the contents of communication on a network.
As the former method of controlling information on a host, a method of monitoring access to confidential information by using an agent program installed on the host used by a user has been known. For example, if an attempt is made to download confidential information from a file server and copy it to an external storage device such as a USB memory, protection is performed by displaying a warning message or the like on the screen. If an attempt is made to transmit the confidential information to the outside as a file attached to an e-mail, protection is performed by a similar process.
As the latter method of monitoring the contents of communication on a network, a method using an appliance that analyzes the communication on the network has been known. For example, if an attempt is made to transmit confidential information to the outside as a file attached to an e-mail, the appliance checks the contents of the communication and blocks the transmission.