KR102715592B1 - Data management device, data management method and a computer-readable storage medium for storing data management program - Google Patents

Abstract

The present invention provides a data management method, comprising: a step of collecting data; a step of classifying the collected data; and a step of generating user behavior metadata by mapping at least one piece of information included in the data.

Description

{DATA MANAGEMENT DEVICE, DATA MANAGEMENT METHOD AND A COMPUTER-READABLE STORAGE MEDIUM FOR STORING DATA MANAGEMENT PROGRAM}

The present invention relates to a data management device, a data management method, and a computer-readable storage medium storing a data management program.

As the amount and variety of data increases due to technological advancements, the importance of data management is becoming more prominent. Data management means that companies or organizations effectively collect, store, analyze, and utilize data.

Enterprise Resource Planning (ERP) systems, which manage the core functions of a company in an integrated manner, are widely used as tools for efficiently managing important data within a company. Key functions of a company, such as budget management, production management, inventory management, and purchasing management, can be integrated and operated effectively in one system. In this case, SAP products can be cited as a representative ERP system.

However, in existing systems, it may be difficult to directly understand the meaning of packets generated in communication with servers using general analysis methods. In particular, in cases where data is exchanged using complex data structures and specific protocols such as SAP systems, it is more difficult to extract or interpret meaningful values from packets, so a specific method for analyzing packets is required.

In addition, if the collected and analyzed data contains personal information, the personal information must be extracted and stored separately. However, there are various methods for extracting personal information, and the extraction results may vary depending on the accuracy of the pattern, etc., and there is a concern that incorrect personal information extraction may occur due to incorrect pattern settings.

In addition, the collected and analyzed log data can be managed in a database, etc., and there is no distinction as to what specific work actions the managed log data is related to.

Accordingly, the present invention aims to provide a data management device, a data management method, and a computer-readable storage medium storing a data management program for managing data by mapping user actions to solve the problems of the existing technology.

One embodiment of the present invention provides a data management method, comprising: a step of collecting data; a step of classifying the collected data; and a step of mapping at least one piece of information included in the data to generate user behavior metadata.

The above data management method is characterized by including a step of collecting keys and text representing user actions in an application development environment; a step of classifying the collected text through an AI engine; and a step of mapping the application development environment, the keys representing the user actions, and the classified text and storing them in the user action metadata.

The above data management method is characterized by further including a step of indexing the log data to map the user action metadata and the stored log data, and adding the classified text included in the user action metadata to the index.

The above data management method is characterized by further including a step of receiving a request for a query on the log data; and a step of providing the classified text included in the index.

One embodiment of the present invention provides a data management device including a database for storing data; and a processor for processing the data, wherein the processor performs the steps of: collecting data; classifying the collected data; and generating user behavior metadata by mapping at least one piece of information included in the data.

The above processor is characterized by collecting keys and texts representing user actions in an application development environment, classifying the collected texts through an AI engine, and mapping the application development environment, the keys representing the user actions, and the classified texts to store them in the user action metadata.

The above processor is characterized by indexing the log data to map the user action metadata and the stored log data, and adding the classified text included in the user action metadata to the index.

The above processor is characterized in that, when a query for the above log data is requested, it provides the classified text included in the above index.

One embodiment of the present invention provides a computer-readable storage medium storing a data management program that performs the steps of collecting keys and text representing user actions in an application development environment, classifying the collected text through an AI engine, and mapping the application development environment, the keys representing the user actions, and the classified text and storing the mapped text in user action metadata.

According to one embodiment of the present invention, by providing an innovative technology for data management in an ERP system, the needs of enterprises for data security and monitoring can be met.

In addition, according to one embodiment of the present invention, there is an advantage in that all access records to the server can be created as logs, thereby ensuring stability of log records.

In addition, according to one embodiment of the present invention, there is an advantage in that the integrity and confidentiality of data can be ensured by decrypting SSL encryption, recording logs, and transmitting data to a business system in a secure manner even when using the Diffie-Hellman algorithm.

In addition, according to one embodiment of the present invention, there is an advantage in that the accuracy of personal information extraction can be increased through a multidimensional extraction method using personal information metadata and an exception handling list.

In addition, according to one embodiment of the present invention, there is an advantage in that user actions can be mapped to all log data containing personal information.

FIG. 1 is a diagram disclosing hardware for explaining a data management device of the present invention.
FIG. 2 is a drawing disclosing one embodiment of a data management device of the present invention.
FIG. 3 is a diagram disclosing one embodiment of the data management platform of the present invention.
FIG. 4 is a flow chart illustrating one embodiment of a data management method of the present invention.
FIG. 5 is a diagram disclosing one embodiment of a data management method of the present invention.
FIG. 6 is a diagram disclosing one embodiment of a packet collection method of the present invention.
FIG. 7 is a diagram disclosing another embodiment of the packet collection method of the present invention.
FIG. 8 is a diagram disclosing one embodiment of packet analysis data based on RFC protocol collected according to the packet collection method of the present invention.
FIG. 9 is a drawing disclosing one embodiment of a packet analysis device based on a GUI protocol collected according to the packet collection method of the present invention.
FIG. 10 is a diagram disclosing one embodiment of a packet analysis method based on a GUI protocol collected according to the packet collection method of the present invention.
FIG. 11 is a diagram disclosing one embodiment of packet analysis data based on a GUI protocol collected according to a packet collection method of the present invention.
FIG. 12 is a diagram disclosing one embodiment of a packet analysis method based on HTTP/HTTPS collected according to the packet collection method of the present invention.
FIG. 13 is a diagram disclosing one embodiment of analysis data of HTTP/HTTPS-based packets collected according to the packet collection method of the present invention.
FIG. 14 is a diagram disclosing an embodiment of extracting personal information from data included in an analyzed packet of the present invention.
FIG. 15 is a diagram disclosing an embodiment of visualizing data included in an analyzed packet of the present invention.
FIG. 16 is a diagram disclosing one embodiment of searching data included in an analyzed packet of the present invention.
FIG. 17 is a diagram disclosing an embodiment of monitoring data collected according to a data management method of the present invention.
FIG. 18 is a diagram illustrating an embodiment in which the data management platform of the present invention distributes collected packets.
FIG. 19 is a diagram illustrating an embodiment in which the data management platform of the present invention analyzes packets based on the RFC protocol.
FIG. 20 is a diagram illustrating an embodiment in which the data management platform of the present invention analyzes packets.
FIG. 21 is a diagram illustrating an embodiment in which the data management platform of the present invention stores and monitors audit logs.
FIG. 22 is a drawing illustrating an embodiment of a data management method of the present invention distributing collected packets.
FIG. 23 is a diagram illustrating an embodiment in which the data management platform of the present invention analyzes HTTPS-based packets.
FIG. 24 is a drawing illustrating an embodiment of a data management method of the present invention analyzing HTTPS-based packets.
FIG. 25 is a drawing illustrating one embodiment of a data management method of the present invention.
FIG. 26 is a drawing illustrating an example of extracting and storing personal information in the data management platform of the present invention.
Figure 27 is a drawing illustrating an example of a regular expression pattern used in the data management platform of the present invention.
Figure 28 is a drawing illustrating an example of a masking pattern used in the data management platform of the present invention.
Figure 29 is a drawing illustrating an example of personal information metadata (1036) defined in the data management platform of the present invention.
Figure 30 is a drawing explaining an example of extracting personal information by distinguishing architecture types in the data management platform of the present invention.
FIG. 31 is a diagram illustrating an example of generating a personal information extraction rule in the data management platform of the present invention.
Figure 32 is a drawing illustrating an example of creating a personal information exception processing list in the data management platform of the present invention.
FIG. 33 is a diagram illustrating an embodiment of creating an exception filter of the data management platform of the present invention.
Figure 34 is a drawing illustrating an embodiment of searching and outputting personal information extracted from the data management platform of the present invention.
Figure 35 is a drawing explaining an embodiment of a data management method of the present invention for managing personal information.
FIG. 36 is a drawing illustrating another embodiment of the data management method of the present invention for extracting and storing personal information.
Figure 37 is a drawing explaining an embodiment of managing personal information in the data management method of the present invention.
FIG. 38 is a diagram illustrating an embodiment of collecting and mapping user behavior in the data management platform of the present invention.
FIG. 39 is a diagram illustrating an example of generating user behavior metadata in the data management platform of the present invention.
FIG. 40 is a diagram illustrating an example of mapping user behavior metadata and log data in the data management platform of the present invention.
FIG. 41 is a drawing illustrating an embodiment of a data management method of the present invention that generates user action metadata.
FIG. 42 is a diagram illustrating an embodiment of a data management method of the present invention that maps user behavior metadata and log data.
FIG. 43 is a drawing illustrating an embodiment of a data management method of the present invention that generates user action metadata.

Hereinafter, various embodiments will be described in detail with reference to the drawings. The embodiments described below may be modified and implemented in various different forms. In order to more clearly explain the features of the embodiments, detailed descriptions of matters that are widely known to those skilled in the art to which the embodiments below belong will be omitted.

Meanwhile, when it is said in this specification that a certain configuration is "connected" to another configuration, this includes not only the case where it is "directly connected" but also the case where it is "connected with another configuration in between." In addition, when it is said that a certain configuration "includes" another configuration, this means that, unless specifically stated otherwise, it does not exclude other configurations but may include other configurations as well.

Additionally, terms including ordinal numbers, such as “first” or “second,” used herein may be used to describe various components, but the components should not be limited by the terms. The terms are used only for the purpose of distinguishing one component from another.

In addition, since the function units included in each module are a logical structure for explaining the function performed by the module, it goes without saying that the module can perform the function performed by each function unit. In other words, each module does not need to include all the function units included in the module, and can include at least one function unit for performing the function.

Hereinafter, embodiments will be described in detail with reference to the attached drawings. In the embodiments, the framework, modules, application program interfaces, etc. may be implemented as devices combined with physical devices or may be implemented as software. In this case, if the embodiments are implemented as software, they may be stored in a storage medium and installed on a computer or the like and executed by a processor.

FIG. 1 is a diagram disclosing hardware for explaining a data management device of the present invention.

This drawing illustrates an embodiment of data transmission and reception between hardware components related to the data management platform described below.

The present invention can be provided to a user through a platform. To this end, a user/client (1000) can access a network device (1001) through a web browser or the like and use data and applications stored in a separate storage/database (1003) under the control of a computing server (1004).

More specifically, a user/client (1000) may request a service (e.g., a task such as searching, modifying, or deleting data) through a client terminal, and may output data calculated through a computing server (1004) and received through a network device (1001) on a screen. In one embodiment, the user/client (1000) may include all objects that access the data management platform of the present invention. That is, in this drawing, the user/client (1000) may access the data management platform using the network device (1001), and is not limited to the network device (1001).

The network device (1001) mediates data transmission between a user/client (1000) and a computing server (1004). Here, the network device (1001) may include a router, a TAP, a switch, etc. The router transmits data using an IP address, and the switch transmits data using a MAC address. Here, the network equipment (1001) such as the router may transmit packets to the data management platform (10000) by mirroring only a specific port using the SPAN (Switched Port Analyzer) mode. This will be described in detail below.

TAP (Test Access Point) can be used for the purpose of collecting data on a network. More specifically, TAP corresponds to a device that is added to the back-bone line of a network as one of the network devices (1001) and specializes only in mirroring. That is, packets can be transmitted to the data management platform (10000) of the present invention through the Network TAP (Test Access Point, hereinafter, TAP). Accordingly, packets can be copied and transmitted to the data management platform without affecting the flow of data packets transmitted and received on the network.

Storage/database (1003) can store and manage data. Storage mainly stores data using a hard disk or SSD, and the database manages structured data and can perform tasks such as searching and modifying.

The computing server (1004) is responsible for data processing. It processes a task requested from a client (1000) and returns the processing result to the client (10000). To this end, a calculation task can be performed using hardware such as a central processing unit (CPU) and RAM. In addition, the computing server (1004) can control the input/output of various data and store data processed by the data management platform (10000) in the storage/database (1003). At this time, the function performed by the data management platform (10000) of the present invention can be performed by the processor of the computing server (1004). In addition, the computing server (1004) can include a system manager that monitors and controls the status of hardware components or modules within the data management platform.

Hereinafter, the hardware components of this drawing can be used to implement the present invention, and of course, a data processing method between the hardware components is included.

FIG. 2 is a drawing disclosing one embodiment of a data management device of the present invention.

An embodiment of this drawing illustrates a data management device, including physical components and logical components for describing the data management device.

The present invention may be provided to a user through a SaaS (Software as a Service) platform in one embodiment. The SaaS platform refers to software that is provided as a service to a user through a network using cloud computing technology. To this end, the storage/database (1003), the computing server (1004), and the container platform (1005) may support the user/client (1000) to use the data management platform (10000) and the data management software package (20000) on the cloud.

The present invention can use a user/client (1000), a storage/database (1003), an application server (1002), a computing server (1004), a container platform (1005), a data management platform (10000), and a data management software package (20000) for data processing.

At this time, the storage/database (1003) and the computing server (1004) may be hardware, and the application server (1002), the container platform (1005), the data management platform (10000) and the data management software package (20000) may correspond to software. For hardware, refer to the above-described contents, and an embodiment of the data management device will be described with reference to this drawing as follows.

A user/client (1000) can access data management software (20000) for data processing.

The container platform (1005) can provide a virtual environment for data processing by being composed of an operating system (OS), a container, and docker.

The data management platform (10000) can control at least one engine or module included in the data management software package (20000). To this end, the data management platform (10000) can manage data using technologies such as an internal database (here, the database means an internal database within the data management software package (20000)), storage, and a distributed file system. In addition, the data management platform (10000) can include a system manager or management console for managing at least one engine or module included in the data management software package (20000).

The data management software package (20000) may include at least one of a collection module (20001), an analysis module (20002), a key management module (20003), a personal information management module (20004), a monitoring module (20005), and an AI engine (20006). However, the modules and engines included in the data management software package (20000) are not essential components and are elements for explaining the present invention. Therefore, it goes without saying that a module with a different name for performing a data embodiment may be included.

The collection module (20001) can collect data from various sources and transmit the data to a processing pipeline. The collection module (20001) can collect data (e.g., packets) from various sources such as logs, events, sensors, and web servers. In particular, the collection module (20001) can centrally manage agents when using agents for log collection.

The analysis module (20002) can be used to analyze data and derive valuable insights. The analysis module (20002) can analyze collected packets to extract data. At this time, if the included data is personal information, functions related to personal information protection can be provided through the personal information management module (20004). In addition, the included data can be mapped with previously collected behavior information (e.g., including inquiry, deletion, addition, change, output, etc.).

The key management module (20003) can generate, store, and manage keys for data encryption and decryption. The key management module (20003) can manage keys using technologies such as tokens, symmetric keys, public keys, and digital certificates. If the data contains personal information, the key management module (20003) can generate, store, and manage keys for encrypting and decrypting the personal information. In addition, the key management module (20003) can use technologies such as tokens, symmetric keys, public keys, and digital certificates to secure the data even if the data does not contain personal information.

The personal information management module (20004) can provide functions related to personal information protection. The personal information management module (20004) can control the collection, extraction, encryption, storage, processing, search, deletion, etc. of personal information when personal information is included in the data.

The monitoring module (20005) can perform data search and detection. The monitoring module (20005) can monitor data processing and data processing environment and identify problems. In addition, the monitoring module (20005) can monitor logs, performance indicators, events, etc. and generate alerts.

The AI engine (20006) can perform data processing and data analysis tasks using artificial intelligence technology (including machine learning). In particular, if the collected and stored log contains text, the AI engine (20006) can classify the collected text into actions based on artificial intelligence.

FIG. 3 is a diagram disclosing one embodiment of the data management platform of the present invention.

The embodiment of this drawing illustrates a data management platform (10000), which includes a physical device and a logical component. In particular, the data management platform (10000) in this drawing can correspond to a wider range than the data management platform described above. For example, the data management platform (10000) can include at least one of the modules implemented in the data management software package (20000) described above, and can include an application programming interface (API) that runs on a physical device. For the physical device, refer to the above-described content.

The data management platform (10000) can perform the functions of the modules included in the data management platform (10000) by utilizing the resources of the computing server (1004) and the storage/database (1003). At this time, the system manager can control at least one of the modules or engines within the data management platform (10000), and the system manager can be located within the computing server (1004) or located separately to control the data management platform (10000).

The data management platform (10000) may include at least one of a collection module (20001), an analysis module (20002), a key management module (20003), a personal information management module (20004), a monitoring module (20005), and an AI engine (20006). The description of each module is as described above.

The data management platform (10000) transmits and receives data with a user/client (1000), and can apply at least one function performed by a collection module (20001), an analysis module (20002), a key management module (20003), a personal information management module (20004), a monitoring module (20005), and an AI engine (20006) to the transmitted and received data. At this time, the data management platform (10000) can independently use individual modules included in the data management platform (10000) at the request of the user/client (1000). For example, the user/client (1000) can selectively use only the functions of the key management module (20003) or the personal information management module (20004) in the data management platform (10000).

Additionally, although not shown in the drawing, the data management platform (10000) may use an internal database different from the external storage/database (1003) to perform the functions of the modules included therein.

FIG. 4 is a flow chart illustrating one embodiment of a data management method of the present invention.

The data management method disclosed in the present invention can collect packets in step (S1000).

In one embodiment, the method of collecting packets may utilize an agent-based cloud-based packet collection method or a packet mirror-based packet collection method. A detailed description will be given later.

In one embodiment, packets can be collected from a NIC (Network Interface Card). Here, the NIC is used for network connection and can be connected to the network in a wired or wireless manner. The NIC serves to send and receive packets to enable data transmission between the computer and the network, and can include a network card, a LAN card, an Ethernet card, etc.

Additionally, the data management method disclosed in the present invention can apply a filter to collected packets.

More specifically, the data management method of the present invention can reassemble and filter collected packets and distribute them to an analysis process. More specifically, packet reassembly means merging each collected network packet into an analyzable packet form, and filter application means a setting that determines whether to analyze the packet using a preset filtering rule. Accordingly, if the packet is a target for analysis, it can be distributed to an appropriate analysis process.

In step (S2000), a packet can be analyzed. In one embodiment, a packet can be analyzed according to the type of protocol on which the packet is based. More specifically, a packet can be analyzed according to whether the packet is based on RFC (Remote Function Call) protocol, GUI/SNC protocol, or HTTP/HTTPS. At this time, the data management method can set the number of processes by considering the number of cores and transaction amount of the available computing server. A detailed description will be given later.

In step (S3000), data can be monitored. In one embodiment, data included in the analyzed packet can be monitored. In addition, stored data can be monitored in real time to detect abnormal behavior events and determine whether to generate an alert for the detected event.

To this end, in one embodiment, the data management method can extract data from the analyzed packet and store the extracted data. The data management method can store the extracted data in different ways depending on the information contained in the data. For example, if personal information is stored in the data, the personal information can be extracted, the personal information can be encrypted, and then the extracted data can be stored. In addition, the data management method can facilitate the search of important fields by extracting only important data in the packet, thereby improving the performance of the data management method.

FIG. 5 is a diagram disclosing one embodiment of a data management method of the present invention.

In step (S1010), packets can be collected. In one embodiment, a method of collecting packets can use an agent-based cloud-based packet collection method or a packet mirror-based packet collection method. A detailed description will be given later.

In step (S1020), a filter can be applied to the collected packets. More specifically, the data management method of the present invention can reassemble and filter the collected packets and distribute them to an analysis process.

In step (S1030), packets to which a filter is applied can be analyzed.

Here, the packet can be analyzed differently depending on the type of protocol that is the basis of the packet. More specifically, in step (S1031), a packet based on RFC (Remote Function Call) protocol can be analyzed, in step (S1032), a packet based on GUI protocol can be analyzed, and in step (S1033), a packet based on HTTP/HTTPS can be analyzed.

In step (S1031), packet analysis based on the RFC protocol means the process of analyzing packets using the RFC protocol in a network. RFC is a protocol and mechanism for performing function calls between different systems or computers in a distributed environment. RFC operates based on a client and server model, allowing a client to call a function of a server in a remote system and execute it remotely. In other words, since the RFC protocol is a communication protocol for remote function calls, packets using the RFC protocol contain information about such remote function calls.

In step (S1032), packet analysis based on the GUI protocol collects packets based on the GUI protocol that communicate between the client and the application server, and extracts the client IP or port, server IP or port, packet data (byte stream), etc. included in the packets.

In step (S1033), HTTP/HTTPS-based packet analysis is a method of extracting data included in packets by mirroring or SSL processing packets transmitted and received between a web browser and a server.

Detailed analysis methods for each will be described later.

In step (S1040), personal information can be extracted by utilizing personal information metadata from the analyzed packet. In one embodiment, in order to check whether personal information is included in the analyzed packet, personal information can be extracted by utilizing stored personal information metadata. This will be described later.

In step (S1050), a log can be stored. At this time, meaningful information included in the analyzed packet can be stored as a log. In one embodiment, the data management method can determine whether to store the analyzed information in an audit log. In addition, if personal information is included, the personal information can be patterned and stored in a database. Finally, the data management method operates in a multithreading manner to increase the log storage speed, and can perform memory queuing and file queuing in preparation for cases where the database is temporarily not accessed.

In step (S1060), abnormal behavior can be detected using the stored log. At this time, if an abnormal behavior is detected, a new log recording information on the detection of the abnormal behavior can be created and the log can be stored again through step (S1050). In addition, the data management method can re-implement the screen of the collected data when an audit log is requested from a user. In more detail, the GUI protocol is a protocol used to display and interact with a graphical user interface, and by analyzing this protocol, the user's work flow, input, output, etc. can be visually understood, and the operating status of the system can be identified and problems can be diagnosed. This will be described in detail in the following drawings.

FIG. 6 is a diagram disclosing one embodiment of a packet collection method of the present invention.

This drawing describes a cloud-based packet collection method in the agent manner. More specifically, one embodiment includes at least one client (1000a, 1000b, 1000c), a network (1001), a cloud AP (1010), and a data management platform (10000, 20000).

At least one client (1000a, 1000b, 1000c) is a device that generates packets to be collected, and may include, for example, a server, a laptop, a smartphone, etc.

Network (1001) is a packet collection target network, and clients (1000a, 1000b, 1000c) may be connected to network (1001).

Cloud AP (1010) may include at least one AP (1011, 1012, 1013, 1014). Here, at least one AP (1011, 1012, 1013, 1014) is connected to a packet collection agent, and the packet collection agent may collect and process all packets generated in the AP (1011, 1012, 1013, 1014).

More specifically, the packet collection agent can filter, extract, compress, and encrypt the collected packets into a recognizable form. The packet collection agent can be connected to APs (1011, 1012, 1013, 1014), process the collected packets, and transmit them to a data management platform (10000, 20000).

The data management platform (10000, 20000) can receive collected packets, analyze and store the packets, and analyze data through the analysis module.

In this way, the cloud-supported (agent-based) packet collection method provides high scalability and flexibility and can be applied in various network environments. In addition, since data is processed in a cloud environment, hardware or software upgrades and maintenance are easy and stable services can be provided.

An agent-based, cloud-based packet collection method like this drawing can be applied when using a cloud.

FIG. 7 is a diagram disclosing another embodiment of the packet collection method of the present invention.

This drawing describes a packet collection method using a packet mirror method. More specifically, an embodiment includes at least one client (1000a, 1000b, 1000c), a network (1001), a dedicated line/VPN (1001a), a CSP (1015), and a data management platform (10000, 20000). Any description overlapping with the above will be omitted.

The network (1001) is connected to a dedicated line/VPN (1001a), and the dedicated line/VPN (1001a) can be connected to each of a data management platform (10000, 20000) and a CSP (Cloud Service Provider, 1015). Here, the CSP means a cloud service provider such as, for example, AWS (Amason Web Service), GCP (Google Cloud Platform), and Azure.

Through the packet mirror method, the data management platform (10000, 20000) can replicate network traffic and receive packets from the dedicated line/VPN (1001a), and the same packets can be transmitted to the CSP (1015).

Through this method, the data management platform (10000, 20000) can capture and analyze all collected packets.

The packet mirror method of packet collection, as shown in this drawing, can be applied when using a private cloud (e.g., SAP PCE) provided by a CSP, self-cloud, or application server.

The present invention can analyze collected packets as described above. Specifically, the collected packets can correspond to any one of RFC protocol-based, GUI protocol-based, and HTTP/HTTPS-based. Accordingly, one embodiment of the present invention can analyze and store collected packets in a different manner. This will be described in detail.

FIG. 8 is a diagram disclosing one embodiment of packet analysis data based on RFC protocol collected according to the packet collection method of the present invention.

The data management platform can extract various data as shown in this figure through packets based on the protocol. In this figure, packet analysis data based on the RFC protocol is explained as an example, but the packet based on the RFC protocol does not include all the information below. In particular, the information included in (6) and (8) described below corresponds to packet analysis data based on the GUI protocol.

More specifically, the data management platform can analyze packets and extract data using RFC structure information. At this time, if there is no RFC structure information, the data management platform can generate an RFC information request file to request RFC information. A detailed explanation will be provided later.

(1) Time (including request time and start time of session information)

(2) Protocol information (including RFC protocol, GUI protocol, HTTP/HTTPS, etc.)

(3) Server IP or Port

(4) Client IP or Port (including the region from which the client connected)

(5) Account (including user ID, employee number, organization name, etc.)

(6) Transaction name (including transaction code (T-code). Here, transaction code is a kind of short code that specifies the transaction and is a logical business process.)

(7) RFC function name

(8) Event information (events include login (success/failure), personal information input, access to specific T-Code, access to SAP ALL, access to common account, user error, file download, program dump, user password change, metadata modification, duplicate access check, specific GL account (in the case of GUI protocol, cumulative account information check, etc.)

(9) Number of personal information

In one embodiment, the data management platform can determine the task that a packet is intended to perform through the transaction name and event information.

FIG. 9 is a drawing disclosing one embodiment of a packet analysis device based on a GUI protocol collected according to the packet collection method of the present invention.

In this drawing, an embodiment of analyzing a packet when a packet collected according to the packet collection method of the present invention is based on a GUI protocol is described. One embodiment may include a user/client (1000, hereinafter, client), a network device (1001), a storage/database (1003), a computing server (1004), and an application server (1002). Descriptions that overlap with the above-described configuration will be omitted.

In one embodiment, packet analysis based on the GUI protocol can be performed using the above-described components. To do this, it is necessary to capture and analyze GUI protocol-based traffic occurring in the client (1000). To do this, the following tasks are required.

The client (1000) can execute an application corresponding to the application server (1002) using the network device (1001) and log in to the application system. The client (1000) can perform necessary tasks through the application. The client (1000) can output information on input data input or output data received through the application server (1002) to the screen.

The network device (1001) can capture network traffic between the client (1000) and the application server (1002). In particular, the network device (1001) can include a TAP. Through this, for example, when the application server (1002) is an SAP operation server, packets based on the GUI protocol that communicate with the SAP server from an SAP application user, an SAP EP server, and a legacy system can be logged. In addition, the network device (1001) can include a switch. Through this, an internal audit on the SAP server can be performed through a port mirror in a switch that transmits and receives network traffic to and from the SAP operation server, and personal information used in the SAP server can be monitored.

Traffic based on the GUI protocol may occur in the application server (1002).

The data management platform (10000) or data management software (20000) can capture traffic generated from the application server (1002) and analyze the captured traffic. At this time, the traffic generated from the application server (1002) can be collected and analyzed through the collection module (20001) and analysis module (20002) within the data management platform (10000) or data management software (20000). Accordingly, the structure and content of the GUI protocol can be understood and analyzed. At this time, the application server (1002) can utilize the resources of the computing server (1004).

The storage/database (1003) can store the analyzed results or information required by the application server (1002).

FIG. 10 is a diagram disclosing one embodiment of a packet analysis method based on a GUI protocol collected according to the packet collection method of the present invention.

In step (S2010), packets transmitted and received between an application displayed on a client screen and an application server can be collected. More specifically, packets based on a GUI protocol that communicates between a client and an application server can be analyzed, and input/output data and information necessary for monitoring can be collected. Here, the input data can include a user command that a client inputs using a terminal of the client.

When a client inputs a user command as input data through a client terminal, the input data is transmitted to an application server through a network. In one embodiment, when the input data is transmitted to the application server, the input data can be monitored.

More specifically, the data management platform can receive and analyze input data. At this time, if the input packet includes a preset user command (e.g., occurrence of a specific event), the data management platform can determine that access restriction is necessary. Accordingly, the data management platform can control the client's access to the application server (1002) through the user command (here, the user command can be expressed in a language different from the user command included in the input packet). At this time, the input data can be, for example, data transmitted and received with the SAP application server through the SAP DIAG protocol.

In addition, the client terminal can output data output from the application server. That is, the application server can search for content regarding the input data being transmitted and transmit output data including content regarding the searched result to the client terminal so that information is displayed on the screen of the client terminal. At this time, the application server outputs output data, and the output data can include at least one of server information, transaction code (T-code), program name, and status message.

As with input data, the data management platform can receive and analyze output data. At this time, the output data can include at least one of server information, transaction code (T-code), program name, and status message. As with input data, the data management platform can determine that access restriction is necessary based on the analyzed output data. Accordingly, the data management platform can control access.

Additionally, output data can be, for example, data transmitted and received between the SAP application server and client terminal via the SAP DIAG protocol.

In step (S2020), it is possible to determine whether to analyze the collected packets. To this end, the present invention can perform filtering to improve performance by determining whether to analyze the collected information. Here, if it is determined not to analyze the collected information, the analysis is terminated without proceeding.

In step (S2030), the packet can be analyzed. In one embodiment, packet decoding and protocol can be analyzed to control the security of information included in the packet. In one embodiment, the client IP or Port, server IP or Port, packet data (byte stream), etc. for input data or output data can be analyzed in detail.

In step (S2040), data included in the analyzed packet can be configured as session information and stored. Session information can be generated and stored using analysis information and input/output data analyzed from packets based on the GUI protocol. In one embodiment, the stored session information can be output on the client screen in a language that is easy for the user to understand.

That is, by analyzing network connection information and input/output packets, meaningful information such as input/output data can be easily output, so that the client can check a screen that is substantially similar to the GUI screen of the application server.

In this way, since the client can be easily re-implemented in a form substantially similar to the GUI screen, it can easily analyze application server information, transaction code (T-code), program name, status messages, output data, etc. by monitoring them through the screen.

FIG. 11 is a diagram disclosing one embodiment of packet analysis data based on a GUI protocol collected according to a packet collection method of the present invention.

In one embodiment, data on at least one of time, protocol information, server/client IP or port, account, transaction name, event information, and number of personal information can be extracted from a packet based on a GUI protocol. The contents of each definition are as described above.

In one embodiment, the analysis results of packets based on the GUI protocol can be provided to the client in the form of a “screen reproduction” as shown in the drawing.

More specifically, the data management platform of the present invention can output data included in an analyzed packet to a client in a manner that is easy for a user to understand.

For example, by way of explanation through this drawing, when a first user accesses an application server and inputs “1175”, an embodiment is shown in which the data management platform reproduces the screen input by the first user when accessing the application server through the “Request Screen”.

In addition, when the first user accesses the application server and enters “1175”, and then receives and outputs the output screen from the application server, the data management platform can reproduce the output screen received by the first user from the application server through the “Response Screen”.

Through this, a second user (e.g., an administrator of the first user) can use the data management platform to check the screen containing the data entered by the first user and the screen containing the output data, respectively, through the “Request Screen” and “Response Screen.”

FIG. 12 is a diagram disclosing one embodiment of a method for analyzing HTTP/HTTPS-based packets collected according to the packet collection method of the present invention.

HTTP (Hypertext Transfer Protocol) is one of the protocols for sending and receiving data on the Internet. Since HTTP basically uses plain text for communication, anyone who can collect HTTP packets can check the contents of the packets. In other words, HTTP-based packets are vulnerable to security, so in order to supplement this security vulnerability, packets are sometimes sent and received based on HTTPS (HTTP Secure).

HTTPS is a secure version of HTTP, and can communicate using the SSL (Secure Sockets Layer) or TLS (Transport Layer Security) protocol. Since the SSL protocol encrypts and transmits data, even if a random target collects packets, they cannot analyze the packets unless the SSL encryption is decrypted.

Accordingly, the present invention can perform SSL processing to analyze HTTPS-based packets. Here, SSL processing can include a process of encrypting and decrypting data in HTTPS communication. SSL processing can perform encryption key exchange, authentication, data encryption, decryption, etc. between a client and a server.

In more detail, a method of analyzing HTTP/HTTPS-based packets among the packet collection methods of the present invention is described as follows.

When a user runs a web browser (1030), the web browser (1030) can send a request to a web server via HTTP/HTTPS, receive a response from the web server, and output data to the user.

A proxy server can perform an intermediary function between a client and a web server (e.g., an SAP server). When accessing a web server from a web browser (1030), requests and responses can be exchanged via the proxy server. Through this, functions such as hiding a user's IP address or improving network performance through caching can be performed.

SSL processing can verify SSL certificates, exchange keys, and perform encryption/decryption over HTTPS connections.

The data management platform can perform HTTP/HTTPS packet extraction and analysis. For this purpose, the collection module and analysis module included in the data management platform can be used. If the collected packet is an HTTP-based packet, analysis can be performed immediately, and if it is an HTTPS-based packet, analysis can be performed after SSL processing. HTTPS packets decrypted through SSL processing can be extracted and analyzed by a web browser or proxy server.

The data management platform can store packets generated through HTTP packets or SSL processing in a queue (1032), and extract packets from the queue (1032) and analyze them. Here, the size of the queue (1032) can be determined according to the bandwidth and processing capability of SSL processing. In addition, the queue (1032) can include a memory queue and a file queue.

Accordingly, the present invention can analyze HTTP/HTTPS-based packets, and a method for performing SSL processing to analyze HTTPS-based packets will be described in detail below.

FIG. 13 is a diagram disclosing one embodiment of analysis data of HTTP/HTTPS-based packets collected according to the packet collection method of the present invention.

In one embodiment, data on at least one of time, protocol information, server/client IP or port, account, transaction name, event information, and number of personal information can be extracted from a packet based on HTTP/HTTPS. The contents of each definition are as described above.

In one embodiment, the HTTP/HTTPS-based packet analysis results can be provided to the client in the form of “data” as shown in the drawing.

The data management platform can extract data in HTML or function form by analyzing HTTP/HTTPS-based packets. In this case, the data management platform can output the web page as is in HTML form, and can output the function as is in function form.

FIG. 14 is a diagram disclosing an embodiment of extracting personal information from data included in an analyzed packet of the present invention.

In one embodiment, the data management platform (10000) can extract personal information from an audit log (1033) including log data and an index using personal information metadata.

More specifically, the audit log (1033) is a set of logs that record events occurring on a network and may include log data and an index. Here, the audit log (1033) may be a set of log data for which index processing has been completed.

The data management platform (10000) can use personal information metadata to extract personal information from audit logs. Here, personal information metadata defines the form in which personal information is stored, the field in which it is stored, regular expression patterns and masking patterns used for each type of personal information, etc. For example, metadata for personal information types such as name, address, and phone number can be configured. Accordingly, the analysis module can identify and extract personal information from log data based on the personal information metadata.

In one embodiment, the extracted personal information may be encrypted according to a preset method for each type of personal information and stored again in an audit log (1033) or an internal database of a data management platform (10000). This will be described in more detail later.

In one embodiment, the data management platform (10000) can search log data for a specific period of time using the extracted personal information, and an administrator or user can search or check the searched log data when necessary. This will be described later.

FIG. 15 is a diagram disclosing an embodiment of visualizing data included in an analyzed packet of the present invention.

The data included in the packet analyzed through the above-described example are as follows.

(1) Session information: Start time, Duration Time, Log ID, Session ID, Context ID

(2) Connection information: Server IP, Server Port, Server Mac, Client IP, Client Port, Client Mac

(3) SAP information: SID, protocol, SAP instance, client

(4) Program information: OK Code, T-code, Title App, Title Main

(5) CUA (Central User Administration) information: CUA Name, CUA Status

(6) User information: User ID, User UID, User name

(7) Event information: event category, event code, event name, event description, event value, notification level

(8) User-defined information: events, warnings, event types, number of events, number of warnings, architecture, presence of personal information, number of personal information types, number of personal information

In one embodiment, the data management platform can extract the above data from the analyzed packet. At this time, if the data extracted from the packet contains personal information, the data management platform can perform encryption on the personal information and store it. In particular, the data management platform can output the personal information on a separate screen.

Through this, all information required by law and certification (account information, access date and time, access location information, information on the subject being processed, and tasks performed) can be collected. More specifically, account information can be determined through the user ID, employee number, and organization name of the user information, access date and time can be determined through the start time of the session information, access location information can be determined through the client IP or port of the access information, processed information subject information can be determined through user-defined information (whether personal information exists, number of personal information, resident registration number, alien registration number, passport information, and card information, etc.), and tasks performed can be determined through program information and user-defined information.

FIG. 16 is a diagram disclosing one embodiment of searching data included in an analyzed packet of the present invention.

In one embodiment, the data management platform can search the data described above and provide search results to the user.

To this end, the data management platform can provide a search interface so that the user can easily search, as in (a) of the drawing. The data management platform can search data based on fields of the analyzed data. For example, the data fields can include protocol, system, account, employee number, server IP, server port, client IP, client port, instance name, transaction name, program name, etc. In this case, the data management platform can search data based on at least one of the fields input by the user and output the search results.

In another embodiment, the data management platform may provide a query search function, such as (b) of the present drawing. For example, if a user inputs protocol_type=GUI as a first query and server_ip=175.117.145.125 as a second query, the data management platform may search for data based on the first query and the second query.

In one embodiment, the search results may be output in the form of a “screen representation” or “data” as described above.

FIG. 17 is a diagram disclosing an embodiment of monitoring data collected according to a data management method of the present invention.

As described above, the data management platform (10000) can collect and analyze packets from at least one client (1000a, 1000b, 1000c) through the network (1001) and TAP (1001b).

The collected packets can be classified and stored based on predefined events. In one embodiment, the data management platform (10000) can monitor data collected from the analyzed packets.

More specifically, the data management platform (10000) can detect abnormal behavior in the collected data through the monitoring module (20005) and provide an alarm to the users of the clients (1000a, 1000b, 1000c). For example, the data management platform (10000) can report abnormal behavior in the collected data to the users through a dashboard, email, SMS, etc.

In one embodiment, the data management platform (10000) can control the access of clients (1000a, 1000b, 1000c) when an abnormal behavior is detected. For example, when an event performed by a user by accessing a client (1000a, 1000b, 1000c) is determined to be an abnormal behavior, the monitoring module (20005) can provide an alarm to the user through a dashboard or the like and block the access of the client (1000a, 1000b, 1000c).

In particular, the data management platform (10000) can monitor when a client (1000a, 1000b, 1000c) accesses a database (1003) containing an archive file and generates an event, thereby providing an alarm or controlling access. Here, the database (1003) corresponds to a storage stored outside the data management platform (10000) or a storage stored inside the same. In addition, for information on the event, refer to the above-described content.

In addition, the data management platform (1000) can control access of clients (1000a, 1000b, 1000c) if it corresponds to a preset event, even if it is not an abnormal behavior.

In addition, the data management platform (1000) can detect if data entered from a client (1000a, 1000b, 1000c) is personal information and send a screen containing the entered data to a security officer, for example, by email.

FIG. 18 is a diagram illustrating an embodiment in which the data management platform of the present invention distributes collected packets.

In one embodiment, the data management platform can collect packets through a collection module (20001).

More specifically, the collection module (20001) can collect packets from a network (e.g., via the NIC described above). Here, packet collection can be performed by software running on the physical device described above or a virtual machine. Here, the packet can include a packet composed of a protocol header and payload data.

In one embodiment of the present invention, the data management platform can collect packets for all actions performed by a user when accessing an application server. For example, an application user can access an SAP server using various protocols such as SAP GUI protocol, RFC protocol, HTTP, etc. In addition, an application user can access an SAP server using SAP SNC protocol, HTTPS, etc. Each case will be described in detail.

The analysis module (20002) can distribute packets collected through the collection module (20001) based on the protocol. More specifically, the analysis module (20002) can reassemble fragmented packets and distribute the packets to the first analysis module (20002a), the second analysis module (20002b), etc. based on TCP information, protocol, port, IP address, etc. Here, the first analysis module (20002a) and the second analysis module (20002b) are examples, and based on the protocol, the data management platform can generate a module for analyzing the packets.

The first analysis module (20002a) and the second analysis module (20002b) can analyze packets and store data included in the packets in a database (20007).

The database (20007) stores log data of analyzed packets and can provide search and query functions when necessary.

Below, we will explain packet analysis methods for each different protocol in detail.

FIG. 19 is a diagram illustrating an example of a data management platform of the present invention analyzing a packet based on the RFC protocol.

In one embodiment, the data management platform (10000) can transmit and receive RFC information and analysis and structure information on packets to and from the application server (1002) through the collection module (20001) and the analysis module (20002). Hereinafter, the data management platform (10000) can provide an API to support the functions performed by the collection module (20001) or the analysis module (20002).

The collection module (20001) may include an RFC packet collection unit (2001). Here, the RFC packet collection unit (2001) may extract RFC packets from among the collected packets and transmit them to the analysis module (20002).

The analysis module (20002) may include an RFC information request unit (2002) and an RFC packet analysis unit (2003). That is, the analysis module (20002) may analyze an RFC packet received from the collection module (20001). More specifically, if there is RFC structure information in the data management platform (10000), the RFC packet may be analyzed using the RFC structure information. On the other hand, if there is no RFC structure information in the data management platform (10000), the RFC information request unit (2002) may generate an RFC information request file. If the RFC information request unit (2002) detects an RFC information request file, it may request RFC structure information from the application server (1002). Accordingly, the data management platform (10000) may request RFC information from the application server (1002) and receive RFC structure information. The RFC packet analysis unit (2003) can analyze RFC packets using RFC structure information received from the application server (1002).

FIG. 20 is a diagram illustrating an embodiment in which the data management platform of the present invention analyzes packets.

In one embodiment, the data management platform (10000) can analyze packets through the analysis module (20002) if the packets collected through the collection module (20001) are HTTP/HTTPS-based packets or GUI/SNC protocol-based packets. At this time, the data management platform (10000) can maintain a database (20007) that manages certificates used to analyze packets.

More specifically, the analysis module (20002) may include an HTTP packet analysis unit (2004), an HTTPS packet analysis unit (2005), a GUI packet analysis unit (2006), and an SNC packet analysis unit (2007).

Here, the HTTP packet analysis unit (2004) can analyze HTTP packets, the HTTPS packet analysis unit (2005) can analyze HTTPS packets, the GUI packet analysis unit (2006) can analyze GUI protocol-based packets, and the SNC packet analysis unit (2007) can perform SNC protocol-based packet analysis.

The analysis module (20002) can analyze packets based on HTTP packets and GUI protocols with relatively low security levels according to the above-described embodiment.

On the other hand, HTTPS packets and SNC packets with relatively high security levels can be analyzed by decrypting encrypted communications using the SSL certificate stored in the database (20007).

Accordingly, the data management platform (10000) can extract data from an encrypted HTTPS-based packet in the same way as an HTTP-based packet. Similarly, the data management platform (10000) can extract data from an encrypted SNC protocol-based packet in the same way as a GUI protocol-based packet.

The method of analyzing HTTPS packets will be described later. At this time, the certificates used for HTTPS packets and SNC packets may correspond to the same or different certificates.

FIG. 21 is a diagram illustrating an embodiment in which the data management platform of the present invention stores and monitors audit logs.

In one embodiment, the data management platform (10000) may convert and process the original data extracted according to the above-described embodiment according to defined field rules to generate an audit log (1033). Here, the generated audit log (1033) may be stored in a database (20007).

In addition, the data management platform (10000) can extract personal information using personal information metadata from the processed data. Accordingly, the data management platform (10000) can store audit logs (1033) and personal information in a database (20007), respectively. For this purpose, the analysis module (20002) can further include an audit log storage unit (2008).

In addition, the analysis module (20003) may further include a correlation analysis rule generation unit (2009). The data management platform (10000) may generate a correlation analysis rule through the analysis module (20002). Here, the correlation rule may represent a rule for determining abnormal behavior. For example, the data management platform (10000) may determine that if 1-2 pieces of data are input per second, it is a normal behavior, and if 10 or more pieces of data are input per second, it is an abnormal behavior. Here, the expression “correlation” may represent a correlation between logs. At this time, the data management platform (10000) may generate another event (log) by the correlation rule. The log at this time may be defined as an incident. That is, a subject wishing to monitor can create a correlation rule through the data management platform (10000), and the data management platform (10000) can analyze logs based on the correlation rule and generate another login incident.

In addition, the correlation analysis rule can correspond to a rule predefined by another platform. Accordingly, the data management platform (10000) can analyze the audit log (1033) using the generated correlation analysis rule to generate an abnormal behavior event. At this time, information about the generated correlation analysis rule and information about the abnormal behavior event can be stored in the database (20007).

The monitoring module (20005) of the data management platform (10000) may further include an abnormal behavior monitoring unit (2010). The abnormal behavior monitoring unit (2010) may search or monitor stored audit logs (1033), personal information, etc. based on generated abnormal behavior events.

Accordingly, the data management platform (10000) can extract personal information from the collected, analyzed, and stored data, and can use the extracted personal information to compile statistics on user behavior. Thereafter, if a violation occurs among the collected user behaviors, the data management platform (10000) can block the user or provide a warning to the administrator.

FIG. 22 is a drawing illustrating an embodiment of a data management method of the present invention for distributing collected packets.

In step (S10010), the data management method can collect packets and apply a filter. At this time, the data management method can collect packets through network equipment such as a NIC. Thereafter, the data management method can reassemble the collected packets and combine each network packet into an analyzable packet form.

In one embodiment, the data management method can determine whether to analyze packets based on filtering rules. Here, the filtering rules can be determined by the data management platform. More specifically, the data management method can collect packets through network equipment such as the NIC or router described above. At this time, since analyzing all collected packets may cause performance issues, packets to be analyzed can be filtered by filtering rules. For example, packets based on HTTP or SAP GUI protocols need to be analyzed, but packets collected using other protocols may not need to be analyzed. At this time, the data management method can filter the collected packets so that only packets based on the desired protocol are analyzed by port or IP. At this time, the user can directly set the filtering rules using the data management method.

In step (S10020), the data management method can distinguish protocols based on TCP session information. As described above, the data management method can analyze collected packets by distinguishing them based on protocols.

The data management method can analyze packets in different ways based on the protocols distinguished in step (S10020). The analysis methods for each are as described above.

In step (S10030), the data management method can analyze a packet based on the RFC protocol.

In step (S10040), the data management method can analyze a GUI/SNC protocol-based packet.

In step (S10050), the data management method can analyze HTTP/HTTPS-based packets.

In steps (S10030) to (S10050), the data management method may perform processing rules for analysis after parsing the packet. At this time, the data management method may analyze binary data of the packet to extract various data (account data, SID, screen input data, screen output data, etc.). In addition, the processing rules may indicate settings for processing whether to store data included in the analyzed packet in an audit log (1033), whether to process or log data included in the analyzed packet, and whether to generate events and warnings. In addition, the data management method may further perform a filter rule for filtering out unnecessary logs and an upload rule for loading data for processing the processing rules.

In step (S10060), the data management method can generate an audit log (1033) based on the analyzed packet. At this time, the data management method operates in a multi-threading manner to increase the log storage speed, and can perform memory queuing and file queuing in preparation for cases where database access is temporarily impossible.

In step (S10070), the data management method can extract personal information using personal information metadata for the generated audit log (1033).

In step (S10080), the data management method can store an audit log (1033). At this time, the data management method can store the audit log (1033) and personal information, respectively.

In step (S10090), the data management method can monitor abnormal behavior.

FIG. 23 is a diagram illustrating an embodiment in which the data management platform of the present invention analyzes HTTPS-based packets.

User behavior in a web browser protected by HTTPS (SSL) cannot be logged using existing network traffic mirror technology. In particular, logs cannot be recorded when the Diffie-Hellman algorithm is used for key exchange during HTTPS connection. Here, the Diffie-Hellman algorithm is one of the algorithms used in symmetric key encryption, and corresponds to a method for safely performing key exchange protocols.

However, in order to monitor abnormal behavior and misuse of personal information within a company, there is a need to record and monitor logs of user behavior in web browsers.

According to one embodiment of the present invention, even when the Diffie-Hellman algorithm is used for key exchange, logs of user actions in a web browser can be recorded to monitor abnormal behavior and misuse of personal information within a company.

To this end, the data management platform (10000) enables monitoring of user behavior even when using the Diffie-Hellman algorithm.

More specifically, the analysis module (20002) of the data management platform (10000) may further include a proxy server configuration unit (2011), an SSL setting unit (2012), an HTTP request/response data analysis unit (2013), and a message data generation unit (2014).

Here, the proxy server configuration unit (2011) can configure a proxy server (1031) between a web browser (1030) and a web server (1034). Here, the proxy server (1031) is a server that mediates network communication between a client and a server, and when a client uses the proxy server (1031), it can communicate indirectly through the proxy server (1031) without directly communicating with the web server (1034).

The SSL setting unit (2012) can set up SSL in the proxy server (1031). More specifically, the SSL setting unit (2012) can configure the proxy server (1031) and use the client SSL setting to configure an SSL environment between the web browser (1030) and the proxy server (1031) to perform processing for HTTPS requests/responses. In one embodiment, the SSL setting unit (2012) can use an SSL certificate for SSL setting. Here, the SSL certificate can correspond to a certificate different from the certificate for analyzing the packet described above. That is, the SSL certificate at this time corresponds to supporting the SSL setting.

A proxy server (1031) that receives HTTPS request data can temporarily suspend the SSL connection, process the HTTP request/response data through the HTTP request/response analysis unit (2013), and perform the SSL connection again.

Accordingly, the message data generation unit (2014) can generate message data (1035) by combining HTTP request/response data and store the generated message data (1035) in a queue (1032). Here, the queue (1032) can include a memory queue and a file queue.

Afterwards, the data management platform (10000) can transmit message data (1035) stored in the queue (1032) to the outside.

Finally, the data management platform (10000) can configure an SSL environment between a proxy server (1031) and a web server (1034) using server SSL settings to process HTTPS requests/responses and transmit HTTPS response data.

This allows us to log user actions in web browsers even when using the Diffie-Hellman algorithm.

FIG. 24 is a drawing illustrating an embodiment of a data management method of the present invention analyzing HTTPS-based packets.

In step (S20010), the data management method may configure a proxy server and set client SSL to collect HTTPS-based packets, and in step (S20020), the proxy server may be configured and server SSL may be set. That is, the data management method may configure a proxy server, configure an SSL environment between the proxy server and a web server using the server SSL settings, perform processing for HTTPS requests/responses, and transmit HTTPS response data.

When a proxy server is configured and SSL is set up, in step (S20030), the data management method can collect HTTPS packets. Unlike the above, the data management method of this drawing explains an example of collecting HTTPS packets.

In the case of HTTPS connections, the Diffie-Hellman algorithm is used for key exchange. Since it is impossible to record logs of user actions using the existing network traffic mirror technology when encrypting packets using the Diffie-Hellman algorithm, the present invention proposes the following method.

In step (S20040), the data management method can perform processing for HTTPS requests/responses. That is, the data management method can configure a proxy server and configure an SSL environment between a web browser and the proxy server using client SSL settings to perform processing for HTTPS requests/responses. Thereafter, the proxy server that has received the HTTPS request data can terminate the SSL connection, process the HTTP request/response data, and then perform the SSL connection again.

In step (S20050), the data management method can generate message data (1035) by combining HTTP request/response data. At this time, the data management method can filter out unnecessary data. More specifically, the data management method can generate message data (1035) by combining HTTP request/response data, and when logging, unnecessary data (e.g., image data) may not be transmitted.

In step (S20060), the data management method can load the generated message data (1035) into at least one of a memory queue or a file queue. More specifically, the data management method can use a memory queue and a file queue as queues for storing the message data (1035). At this time, if only a file queue is used to store the message data (1035), there is a risk of performance degradation, and if only a memory queue is used, data loss may occur, so the two queues can be used in combination.

In step (S20070), the data management method can transfer message data (1035) loaded into the queue to a storage and store it. Here, the storage corresponds to a database included in the data management platform described above.

FIG. 25 is a drawing illustrating one embodiment of a data management method of the present invention.

In step (S30010), the data management method can collect packets through a network. The method of collecting packets through a network by the data management method of the present invention will be described with reference to the embodiments of FIGS. 5 to 7, FIG. 18, and FIG. 19.

In step (S30020), the data management method can distinguish protocols based on information included in collected packets. The method of distinguishing protocols based on information included in collected packets by the data management method of the present invention will be described with reference to the embodiments of FIG. 5 and FIG. 18.

In step (S30030), the data management method can analyze packets based on a protocol. The method of analyzing packets based on a protocol by the data management method of the present invention will be described with reference to the embodiments of FIGS. 5, 8 to 13, and 18 to 20.

In step (S30040), the data management method can generate a log based on information included in the analyzed packet. The method of generating a log based on information included in the analyzed packet by the data management method of the present invention will be described with reference to the embodiments of FIG. 18 and FIG. 21.

Through this, requirements for personal information processing systems based on laws or regulations can be satisfied. For example, according to the present invention, the condition that access records for personal information processing systems must be meaningfully stored according to “Article 8 of the Personal Information Security Measures Standards” can be satisfied.

The method mainly used to extract personal information is a method using regular expressions. However, there is a risk of incorrect extraction using methods using regular expressions.

To complement these points, the present invention can increase the accuracy of personal information extraction through a multidimensional extraction method using personal information metadata and an exception handling list as well as a regular expression method to extract personal information.

FIG. 26 is a drawing illustrating an example of extracting and storing personal information in the data management platform of the present invention.

The personal information management module (20004) included in the data management platform (10000) of the present invention can define a personal information type in order to extract personal information from an audit log (1033). Here, the audit log (1033) can include log data for which index processing has been completed. In addition, the personal information type can include a type of personal information such as, for example, a resident registration number, a credit card number, an account number, etc.

More specifically, the personal information type analysis unit (2019) of the personal information management module (20004) can analyze the personal information type and extraction method used in the stored audit log (1033) to generate personal information metadata (1036) for personal information extraction. The analysis result thereof can be stored in the personal information metadata (1036). At this time, the personal information management module (20004) can define the fields included in the personal information metadata (1036) based on the architecture type (here, the architecture includes an application development environment and a screen user interface (UI)). Here, the architecture type corresponds to information that distinguishes a parser that analyzes variables and values of log data. In one embodiment, the personal information management module (20004) can distinguish the architecture type based on the protocol type and URL for field information in the log data, and generate field information of the index accordingly. Additionally, personal information metadata (1036) may include architecture type (screen type), screen information (level 1, level 2), and personal information extraction rules.

To this end, the personal information pattern storage unit (2020) of the personal information management module (20004) can store patterns used for each personal information type. The personal information management module (20004) can define personal information types and store regular expression patterns and masking patterns used for each personal information type. Here, the reason why the personal information management module (20004) defines personal information types and stores regular expression patterns used for each personal information type is to generate information included in the personal information metadata (1036).

In conclusion, the data management platform (10000) can create personal information metadata (1036) by defining personal information types and storing regular expression patterns used for each personal information type, and can create personal information extraction rules using the personal information metadata (1036) and the personal information exception processing list (1037) described below, and can extract personal information using the personal information extraction rules.

In addition, the personal information exception processing list generation unit (2021) of the personal information management module (20004) can generate a personal information exception processing list (1037), and the personal information extraction rule generation unit (2022) can generate personal information extraction rules to be extracted. At this time, the personal information management module (20004) can use personal information metadata (1036) to virtually check personal information items extracted from the audit log (1033) in order to generate the personal information exception processing list (1037), and can define exception processing rules included in the exception processing list (1037) based on the extracted values or analyzed variables.

In another embodiment, the personal information hash value collection unit (2023) of the personal information management module (20004) can collect hash values for each personal information type and generate a value filter for each personal information type. Here, the value filter corresponds to a filter created using a Bloom-filter data structure for the hash value of the personal information value. In the present invention, there is an advantage in that it is possible to quickly check whether a comparison value is included in a large data set through the value filter.

More specifically, the personal information management module (20004) can collect hash values for personal information values by type and store them by personal information type. The personal information value filter generation unit (2024) of the personal information management module (20004) can generate a personal information type-specific value filter file based on the collected personal information data.

Thereafter, the personal information extraction unit (2025) of the personal information management module (20004) can extract personal information, the personal information encryption unit (2026) can encrypt the extracted personal information, and the personal information storage unit (2027) can store the encrypted personal information. More specifically, the personal information management module (20004) can analyze the log data included in the audit log (1033) by architecture type to extract variables and values, and extract personal information using personal information metadata (1036) that includes personal information (extraction) rules in the extracted values.

In one embodiment, the personal information management module (20004) can verify whether the hash value of the extracted personal information value is included in the value filter. At this time, if the hash value is included in the value filter, the personal information management module (20004) can store the extracted personal information in the index of the audit log (1033). On the other hand, if the hash value is not included in the value filter, the personal information management module (20004) can determine that the extracted personal information is incorrectly extracted and remove the extracted personal information.

Thereafter, when searching for encrypted personal information, the personal information management module (20004) can decrypt the encrypted personal information and then output the personal information processed by the masking rule.

Hereinafter, the function performed by the personal information management module (20004) may be referred to as that performed by the data management platform (10000).

Through this, the accuracy of personal information extraction can be improved. Hereinafter, the present invention will be described in detail through the drawings described below.

Figure 27 is a drawing illustrating an example of a regular expression pattern used in the data management platform of the present invention.

In the above-described embodiment, the data management platform can store patterns used for each type of personal information. In particular, the data management platform can store regular expression patterns and masking patterns to be used for each type of personal information.

This diagram shows regular expression patterns for each type of personal information used in the data management platform. For example, if the personal information is a resident registration number, the regular expression pattern can correspond to “(\d{6}[ ,-]-?[1-4]\d{6})|(\d{6}[ ,-]?[1-4])”. In addition, as another example, if the personal information is a driver’s license number, the regular expression pattern can correspond to “(\d{2}-\d{2}-\d{6}-\d{2})”. In this way, the data management platform can define regular expression patterns for each type of personal information (resident registration number, driver’s license number, phone number, email address, address, date of birth, passport number, account number, credit card number, health insurance number, alien registration number, etc.). In addition, regular expression patterns for each type of personal information can be preset and stored in the data management platform. At this time, the personal information types included in this diagram are only examples, and it goes without saying that other personal information, etc. may be included.

Figure 28 is a drawing illustrating an example of a masking pattern used in the data management platform of the present invention.

In the above-described embodiment, the data management platform can store patterns used for each type of personal information. In particular, the data management platform can store regular expression patterns and masking patterns to be used for each type of personal information.

This diagram shows masking patterns for each type of personal information used in the data management platform. Masking processing rules may include partial masking, full masking, range masking, random masking, and consistent masking.

For example, if the personal information is a resident registration number, there is a masking processing standard, and the masking pattern can correspond to “11111-2******”. That is, in this case, some masking pattern is applied to the resident registration number.

At this time, the masking processing criteria may vary depending on the preset value, and although Java is used as the standard in this drawing, it is of course possible to apply other masking processing rules.

The data management platform can mask personal information by type according to the masking processing rules. For example, the data management platform can mask and process the last six digits of the resident registration number, and in the case of the driver's license number, only the last three digits can be masked.

Personal information that has been masked according to the above-described embodiment can be output in a masked state when a personal information inquiry request is made thereafter. Accordingly, personal information can be secured when using a data management platform.

Figure 29 is a drawing illustrating an example of personal information metadata (1036) defined in the data management platform of the present invention.

In one embodiment, the data management platform can extract personal information included in the audit log using personal information metadata (1036). To this end, the data management platform can generate and store personal information metadata (1036).

The data management platform can define the type and method of personal information to be extracted by architecture type and store them in personal information metadata (1036). Here, the architecture type can indicate whether it is GUI data, json data, WEBGUI, etc. In other words, the data management platform can define the type and method of personal information to be extracted by GUI data and store them in personal information metadata (1036), and can define the type and method of personal information to be extracted by json data.

More specifically, personal information metadata (1036) may include architecture type, screen information (level 1), screen information (level 2), and personal information extraction rules.

Here, the architecture type corresponds to the screen type as described above. It includes information about what screen is actually output. In one embodiment, a personal information extraction rule can be determined based on the architecture type. In addition, the personal information metadata (1036) can include level 1 screen information and level 2 screen information corresponding to the architecture type.

Personal information extraction rules can include extraction methods and values. Extraction methods include, for example, value extraction methods, variable extraction methods, value content extraction methods, specialized regular expression extraction methods, and complex personal information extraction methods. The extraction methods are described below.

The value extraction method is a method of extracting personal information based on the value of the extracted personal information. At this time, the data management platform of the present invention can use a list of personal information types for the value of the value extraction method.

The variable extraction method is a method of extracting personal information based on variables included in an architecture type. At this time, the data management platform of the present invention can use a personal information type list and a variable name list together for the value of the variable extraction method. Here, the variable name list corresponds to a variable name list according to the personal information type. For example, in screen A (type A), “resident” may be included in the variable name list, and in screen B (type B), “SSN” may be included in the variable name list.

The specialized regular expression extraction method is a method of extracting personal information based on the full text that cannot be parsed in the absence of variables. At this time, the data management platform of the present invention can use the personal information type list and the pattern list together for the value of the specialized regular expression extraction method. Here, the pattern list can include not only the regular expression for the value, but also the pattern added before or after the regular expression. For example, if the resident registration number is a regular expression, the data management platform can include the case where there is “:” before the resident registration number in the pattern list.

The composite personal information extraction method is a method of extracting personal information based on two or more pieces of personal information, rather than extracting personal information based on one piece of personal information. In one embodiment, the data management platform can determine that it is personal information only when both “name” and “resident registration number” exist for each architecture type. On the other hand, the data management platform can determine that it is not personal information when only one of “name” or “resident registration number” exists for each architecture type.

In this way, the data management platform of the present invention can extract personal information based on information included in personal information metadata (1036).

Figure 30 is a drawing explaining an example of extracting personal information by distinguishing architecture types in the data management platform of the present invention.

In one embodiment, the architecture type analysis unit (2029) of the data management platform (10000) can distinguish the architecture type from the audit log (1033) and then extract personal information using personal information metadata (1036) defined for each architecture type through the personal information extraction unit (2025).

More specifically, the data management platform (10000) can define fields included in the personal information metadata (1036) based on the architecture type. Here, the architecture type corresponds to information that distinguishes a parser that analyzes variables and values of log data. That is, the parsing method for analyzing variables and values varies depending on the architecture type. Therefore, the data management platform (10000) must define fields included in the personal information metadata (1036) based on the architecture type.

In one embodiment, the architecture type analysis unit (2029) of the data management platform (10000) can distinguish the architecture type based on the protocol type and URL for field information in the log data included in the audit log (1033), and generate the field information of the index accordingly.

Accordingly, the personal information extraction unit (2025) of the data management platform (10000) can extract personal information by utilizing at least one of the personal information metadata (1036) defined by architecture type and the exception handling list (1037) described above.

Afterwards, the data management platform can encrypt the extracted personal information and store the encrypted personal information.

FIG. 31 is a diagram illustrating an example of generating a personal information extraction rule in the data management platform of the present invention.

In one embodiment, the data management platform can generate a personal information extraction rule. To this end, the drawing describes a user interface for generating a personal information extraction rule. To generate a personal information extraction rule, the user interface can include at least one of basic information, value regular expression extraction information, and variable-based extraction information.

More specifically, the basic information indicates the target to which the personal information extraction rule is to be applied. Here, the basic information may include at least one of a log type, level 1 (screen, transaction), and level 2 (program, service). Accordingly, the user may input at least one of a log type (e.g., SAP GUI log), level 1, or level 2 as the target to which the personal information extraction rule is to be applied.

In addition, the value regular expression extraction information may include personal information to be extracted by personal information extraction method. More specifically, the entire personal information exists, and the data management platform may select personal information to be extracted from the user. Accordingly, the data management platform may extract values from the log by personal information extraction method and then compare them with the regular expression pattern to determine personal information. To this end, the data management platform may use the regular expression pattern file stored by personal information type, which is the embodiment described above.

In addition, the data management platform can create personal information extraction rules using the values of variables analyzed by log type. To this end, the data management platform can receive variable-based extraction information from users.

Figure 32 is a drawing illustrating an example of creating a personal information exception processing list in the data management platform of the present invention.

In one embodiment, the data management platform can generate a personal information exception processing list (1037). More specifically, the data management platform can check personal information items virtually extracted using personal information metadata (1036) from the audit log (1033). That is, the data management platform can virtually extract personal information using items included in the personal information metadata (1036) (e.g., key/value, screen name/field name, etc. described above). Here, the virtually extracted personal information items correspond to candidate data output based on items of personal information metadata (1036) generated according to an embodiment of the present invention from the original log data.

The data management platform can generate an exception handling list (1037) based on the extracted values or analyzed variables. More specifically, the data management platform can generate an exception handling list (1037) based on items included in personal information metadata (1036).

At this time, the data management platform can generate an exception handling list (1037) for at least one of the architecture type, screen information, and personal information extraction rules included in the personal information metadata (1036). For example, when the data management platform generates an exception handling list, it can register, “In the first architecture (UI) type, the corresponding key is not extracted because it is not personal information” or “In the second architecture (UI) type, the corresponding value is not extracted because it is not personal information.”

For example, the data management platform can extract “account number” as virtual personal information from the audit log (1033). Here, the “account number” corresponds to the candidate data. In addition, the screen name/field name of the personal information metadata (1036) may include the A product/serial number. Here, it is assumed that the serial number of the A product does not correspond to personal information. In this case, if the serial number for the A product is identical to the “account number” which is personal information, the data management platform can determine that the extracted “account number” is not personal information and register it in the exception processing list (1037).

That is, the data management platform can verify the virtually extracted personal information by referring to the personal information metadata (1036) defined according to the above-described embodiment. Since the personal information at this time is candidate data and not exact personal information, an exception processing list (1037) can be created based on the items included in the personal information metadata (1036) for the candidate data.

In one embodiment, when extracting personal information from an audit log (1033), the data management platform may extract personal information excluding items included in the exception handling list (1037).

Accordingly, there is an advantage in reducing the probability of extracting incorrect personal information.

FIG. 33 is a diagram illustrating an embodiment of creating an exception filter of the data management platform of the present invention.

In one embodiment, the data management platform can generate an exception handling list in the manner described above. This drawing illustrates an exception filter user interface for generating an exception handling list. The exception filter user interface can include at least one personal information item.

In one embodiment, the data management platform may receive exception filter information for personal information items from a user. Here, the exception filter information may include at least one of an architecture type (UI type), level 1 (screen, transaction), value, level 2 (program, service), and variable.

For example, in this diagram, the data management platform may receive “Architecture Type=SAP GUI”, “Level 1=SE16”, “Level 2=SAPMF02D-7230”, “Variable=RDTMS_VAL2”, “Value=8201301037329” as exception filter information from the user.

Accordingly, the data management platform can create an exception handling list using exception filter information input by the user.

Figure 34 is a drawing illustrating an embodiment of searching and outputting personal information extracted from the data management platform of the present invention.

The personal information decryption unit (2028) of the personal information management module (20004) included in the data management platform (10000) of the present invention can decrypt encrypted personal information. More specifically, when a user requests personal information search through the monitoring module (20005) of the data management platform (10000), the data management platform (10000) can decrypt encrypted personal information. At this time, the data management platform (10000) can decrypt personal information using data included in the audit log (1033).

In one embodiment, the personal information management module (20004) can decrypt encrypted personal information using an encryption key included in the database (20007). Thereafter, the masking processing unit (2029) of the personal information management module (20004) can mask the decrypted personal information and provide it to the monitoring module (20005). Here, the method of masking the personal information is as described above. Accordingly, the monitoring module (20005) can output the personal information masked by the personal information management module (20004) and provide it to the user.

Through this, the data management platform can decrypt personal information based on an encryption key and provide it to the user after masking it when there is a search request for extracted personal information. Accordingly, it can contribute to personal information protection.

Figure 35 is a drawing explaining an embodiment of a data management method of the present invention for managing personal information.

In step (S40010), the data management method can analyze the type of personal information. To this end, the data management method can analyze the type of personal information used in the audit log.

In step (S40020), the data management method can define personal information types and store patterns used for each personal information type. The data management method can store regular expression patterns and masking patterns used for each personal information type. Accordingly, the data management method can generate personal information metadata (1036) including key/value or screen name/field name. The specific method of generating personal information metadata (1036) is as described above.

In step (S40030), the data management method can generate a personal information exception processing list (1037). The data management method can verify personal information items virtually extracted from an audit log using personal information metadata (1036), and can define exception processing rules included in the exception processing list (1037) based on the extracted values or analyzed variables. Accordingly, the data management method can generate a personal information exception processing list (1037).

In step (S40040), the data management method can generate a personal information extraction rule based on personal information metadata (1036) and an exception handling list (1037).

In step (S40050), the data management method can extract personal information based on personal information extraction rules.

In step (S40060), the data management method can encrypt and store the extracted personal information. In one embodiment, the data management method can generate an encryption key for encrypting the extracted personal information.

In step (S40070), the data management method can decrypt encrypted personal information when a personal information search request is made. At this time, the data management method can decrypt encrypted personal information using an encryption key generated when a personal information search request is made.

In step (S40080), the data management method can mask the decrypted personal information. The method for masking the personal information is as described above.

In step (S40090), the data management method can output masked personal information. Through this, since the decrypted personal information is output with masking, a user who requests a search for personal information can search and use the personal information in the database without infringing on the personal information.

In addition, there is a risk that personal information extracted in a regular expression pattern manner may be incorrectly extracted. Accordingly, in addition to the above-described embodiments, the present invention can Bloom-filter personal information that actually exists in the log in order to reduce the risk of incorrectly extracting personal information. That is, by applying Bloom-filter to the extracted personal information, only those items that are determined to be personal information can be extracted, thereby increasing the accuracy of personal information extraction. This will be explained in detail below.

FIG. 36 is a drawing illustrating another embodiment of the data management method of the present invention for extracting and storing personal information.

In step (S50010), the data management method can collect hash values for personal information. More specifically, the data management method can collect hash values for various types of personal information values from a system/platform that manages personal information, such as a personal information encryption solution. Here, the system/platform that manages personal information can exist on an external server. In one embodiment, the data management method can store the collected hash values by type of personal information.

In step (S50020), the data management method can generate a value filter for each personal information type. Here, the value filter corresponds to a filter created using a bloom filter data structure for a hash value of a personal information value.

In step (S50030), the data management method can extract personal information. In one embodiment, log data in the audit log can be analyzed by architecture type to extract variables and values, and personal information can be extracted by applying a personal information extraction rule to the extracted values. This is as described above.

In step (S50040), the data management method can verify personal information values. That is, in addition to the above-described contents, a value filter can be used to verify the extracted personal information values.

In step (S50050), if the hash value for the personal information is included in the value filter, in step (S50060), the data management method can store the extracted personal information in the index. More specifically, if the hash value for the extracted personal information is included in the value filter created using the Bloom-filter data structure, the data management method can determine that the extracted personal information is real personal information. Accordingly, the data management method can store an index called real personal information for the extracted personal information in the audit log.

In step (S50070), if the hash value for the personal information is not included in the value filter, in step (S50080), the data management method can remove the extracted personal information. More specifically, if the hash value for the extracted personal information is not included in the value filter created using the Bloom-filter data structure, the data management method can determine that the extracted personal information is fake personal information. Accordingly, the data management method can determine that the extracted personal information is extracted incorrectly and remove the extracted personal information. Here, removing the extracted personal information may mean losing the value as personal information rather than removing the data itself.

Accordingly, in the present invention, it is possible to quickly compare personal information managed in bulk with values extracted from personal information using a bloom-filter data structure. In addition, it is possible to eliminate errors in personal information of a type whose values are difficult to verify.

Figure 37 is a drawing explaining an embodiment of managing personal information in the data management method of the present invention.

In step (S60010), the data management method can analyze data. The method of analyzing data by the data management method of the present invention will be described with reference to the embodiments of FIGS. 2 to 5, FIGS. 8 to 26, FIG. 29, FIG. 30, and FIG. 35.

In step (S60020), the data management method can extract personal information from the analyzed data.

The method of extracting personal information in the data management method of the present invention will be described with reference to the embodiments of FIGS. 5, 14, 26, 35, and 36.

The user's work actions performed on the application are expressed differently depending on the developer's taste and development standards. That is, through the present invention, it is intended to facilitate the distinction of user actions such as "search, delete, add, change, and print" for data based on the user's work actions.

Accordingly, the present invention can collect texts of menus and icons of an application, automatically classify them based on artificial intelligence, and make detailed distinctions about user actions required by law.

In addition, the audit log is a log that records information such as events and user activities occurring in the system, and can be used for security and audit tracking. Here, the audit log can include log data and an index corresponding to the log data.

Log data is generally distinguished by information such as time, event/action, user/subject, target/object, and result, and each log data forms one record, and multiple records can be recorded continuously.

In addition, audit log data is usually managed by indexing in a database, etc. At this time, an index for each log record can also be managed to efficiently perform search and analysis of log data. Here, the index usually includes information such as fields used for search and keys to improve search speed.

For example, in order to search for records of users deleting specific files in audit logs with fields such as time, event/action, user/subject, and target/object, an index can be created by combining the time field and the target field. Utilizing the index created in this way has the advantage of significantly reducing search time.

In addition, mapping user behavior to an index has the advantage of allowing log data to be classified based on user behavior, making it easy to conduct security analysis or monitor.

The data management platform of the present invention indexes log data included in an audit log based on user behavior classified based on artificial intelligence, thereby allowing a user to search log data based on user behavior. Hereinafter, the present invention will be described in detail.

FIG. 38 is a diagram illustrating an embodiment of collecting and mapping user behavior in the data management platform of the present invention.

The data management platform (10000) of the present invention can collect user actions using a collection module (20001), an analysis module (20002), a monitoring module (20005), and an AI engine (20006), map the collected actions to log data, index them, and then provide log data indexed with user actions in response to a log data query request.

More specifically, the collection module (20001) can be used to collect keys and texts corresponding to user actions. At this time, the collection module (20001) can be connected to an application development environment to collect user actions. The application development environment stores keys and texts for menus and icons for selecting user actions. Accordingly, the collection module (20001) included in the data management platform (10000) of the present invention can collect keys and texts corresponding to such user actions.

The AI engine (20006) can classify collected text into user actions based on artificial intelligence (AI). For example, the user actions may include user work actions such as inquiry, deletion, addition, change, and printing. To this end, the AI engine (20006) can use methods such as machine learning, deep learning, natural language processing (NLP), and a rule-based approach.

The analysis module (20002) can generate user action metadata (1038) by dividing data on classified user actions into keys and user actions. At this time, the user action metadata (1038) can be stored in an internal database (20007) of the data management platform (10000).

The analysis module (20002) can map the stored user behavior metadata (1038) and the log data included in the audit log (1033). At this time, in order to map the log data and the user behavior metadata (1038), the analysis module (20002) can map the key information in the user behavior metadata (1038) and the field that can be used as a key for each application development environment type when indexing the log data and store it in the user behavior field of the index.

Here, the key information represents identification information indicating the user action. In one embodiment, the data management platform (10000) may store the user action as an abbreviated ID (Identification) for identifying the user action, rather than storing it as text. For example, the data management platform (10000) may store “R” as key information when the user action is “search”, store “D” as key information when the user action is “delete”, store “U” as key information when the user action is “modify”, and store “P” as key information when the user action is “print”.

A user can view logs through the monitoring module (20005). In one embodiment, the monitoring module (20005) may provide information to the user by referencing the user action field of the index when providing log data included in the audit log (1033) in the database (20007).

Hereinafter, the functions performed in each module within the data management platform (10000) are described as being performed by the data management platform (10000).

FIG. 39 is a diagram illustrating an embodiment of generating user behavior metadata in the data management platform of the present invention.

In one embodiment, the data management platform (10000) can collect keys and texts corresponding to user actions through the AI engine described above, and classify the collected texts into user actions based on artificial intelligence. Accordingly, the data management platform (10000) can generate user action metadata (1038) for the keys and texts corresponding to the collected user actions.

More specifically, the data management platform (10000) can map a key by application development environment type and a user action key to generate user action metadata (1038). That is, the user action metadata (1038) can have a key by application development environment type, a user action key, and a user action as fields.

Here, the application development environment type may include the architecture type and screen user interface type described above. That is, the application development environment type represents an information field that can be used as a user task action within the application development environment. For example, it may include a menu icon, an OK icon, a cancel icon, etc. that exist on the screen. In addition, the user action key represents an ID for identifying the user action described above. Accordingly, the data management platform (10000) may map the application development environment type-specific key and the user action key within the user action metadata (1038).

For example, if the key by application development environment type is “del key in application 1,” the data management platform (10000) can generate user action metadata (1038) by mapping it with the user action key “D” through the AI engine and analysis module described above. At this time, the data management platform (10000) can store the user action of the “del key in application 1,” which is the key by application development environment type, and the user action key “D,” which is “deletion,” together in the user action metadata (1038).

FIG. 40 is a diagram illustrating an example of mapping user behavior metadata and log data in the data management platform of the present invention.

In one embodiment, the data management platform (10000) can map stored user action metadata (1038) and log data included in an audit log (1033).

More specifically, the data management platform (10000) can index the log data in order to map the log data and the user action metadata (1038). Specifically, the data management platform (10000) can map the key field for each application development environment type in the user action metadata (1038) and the user action key field through the above-described embodiment. In addition, in one embodiment, the data management platform (10000) can store the user action of the user action metadata (1038) in the user action field of the index.

Accordingly, if the first log data stored in the audit log (1033) indicates a log in which a user presses the del key on the first application screen, the data management platform (10000) can immediately provide the mapped user action, “delete,” when receiving a request to view the first log data.

Mapping user behavior to an index in this way has the advantage of allowing log data to be classified based on user behavior, making it easy to conduct security analysis or monitor.

FIG. 41 is a drawing illustrating an embodiment of a data management method of the present invention that generates user action metadata.

In step (S60030), the data management method can collect keys and text for menus, buttons, or icons representing user actions in an application development environment. More specifically, the application development environment can store keys and text for a menu for selecting a user action. Accordingly, the data management method can connect to the application development environment and collect keys and text for a menu for selecting a user action. For example, the data management method can connect to a first application development environment and collect keys and text “” for a first icon representing “delete”, which is a user action, in the first application development environment.

At this time, since the collected text is classified through artificial intelligence, even if the exact same words are not used, if the meaning is the same, it can be classified as the same user action. For example, depending on the application development environment, the text corresponding to the button indicating the user action may be different. For example, in the first application development environment, the text corresponding to the button indicating deletion may be “delete,” but in the second application development environment, the text corresponding to the button indicating deletion may be “remove.” In this case, according to the data management method of the present invention, even if different texts are used in different application development environments, if the meaning is the same, it can be classified as the same user action.

The method of collecting keys and texts representing user actions by the data management method of the present invention will be described with reference to the embodiment of FIG. 38.

In step (S60040), the data management method can classify the collected text through the AI engine. Referring to the example described above, the data management method can classify the text “delete” as the user action “delete” through the AI engine.

In step (S60050), the data management method can store the classified data as user action metadata. As described above, the data management method can map the key and text “” for the first icon to the user action “delete” in the first application development environment and store it in the user action metadata.

FIG. 42 is a diagram illustrating an embodiment of a data management method of the present invention that maps user behavior metadata and log data.

In step (S60060), the data management method can cache a memory for mapping log data and user behavior metadata. Here, the user behavior metadata is characterized by being generated and stored in the method described above. In one embodiment, the data management method can cache information to be mapped in a memory in order to quickly map the log data and the user behavior metadata. That is, the data management method can read information to be mapped among the log data and the user behavior metadata into a memory in advance to enable quick access, rather than searching for it in a database.

In step (S60070), the data management method can map log data and user action metadata and then perform index processing. More specifically, when indexing log data, the data management method can map a key field by application development environment type and a user action key field and store them in a user action field of the index. In one example, when indexing log data, the data management method can store a user action of the user action metadata in a user action field of the index.

In step (S60080), the data management method can provide information by referencing a user action field of an index when a log query is requested.

This allows us to map user behavior to all log data that contains personal information.

FIG. 43 is a drawing illustrating an embodiment of a data management method of the present invention that generates user action metadata.

In step (S70010), the data management method can collect data. The method of collecting data by the data management method of the present invention will be described with reference to the embodiments of FIGS. 2 to 7 and FIG. 38.

In step (S70020), the data management method can classify the collected data. The method of classifying data in the data management method of the present invention will be described with reference to the embodiments of FIGS. 38, 39, and 41.

In step (S70030), the data management method can generate user behavior metadata by mapping at least one piece of information included in the data. The method of generating user behavior metadata by the data management method of the present invention will be described with reference to the embodiments of FIG. 39 and FIG. 41.

10000: Data Management Platform

Claims (9)

A step of collecting data including key IDs for identifying keys and user actions by application development environment type;
A step of classifying and analyzing the collected data;
A step of generating user action metadata by mapping a key ID for identifying a user action and a key for each type of application development environment, identifying the user action using the key ID for identifying the user action and the key for each type of application development environment, and storing the identified user action in the user action metadata;
A data management method, wherein the above application development environment type includes an architecture type, and the architecture type is at least one of a GUI data type, a json data type, and a WEBGUI data type.
In paragraph 1,
If the above data contains personal information, a step of defining fields included in personal information metadata based on the above data;
A step of storing patterns used for each type of the above personal information;
Steps to create a list of personal information exceptions;
A step of generating a personal information extraction rule based on the above personal information metadata and the above personal information exception processing list;
A step of extracting the personal information based on the above personal information extraction rules;
Step of creating a value filter for each of the above personal information types; and
A data management method, comprising a step of verifying the extracted personal information based on the value filter. In paragraph 1,
Further comprising a step of indexing the log data to map the user action metadata and the stored log data,
A data management method, wherein the step of indexing the log data further includes the step of adding text to the index, wherein the text is classified as text related to the user action among the collected data through an AI engine. In the third paragraph,
A step of requesting an inquiry for the above log data; and
A data management method further comprising the step of providing the classified text included in the above index. a database that stores data; and
Including a processor for processing the above data,
The above processor,
Collect data including key IDs to identify keys and user actions by application development environment type,
Classify and analyze the collected data above,
By mapping the key for each type of application development environment and the key ID for identifying the user action, user action metadata is created, and the user action is identified using the key for each type of application development environment and the key ID for identifying the user action, and the identified user action is stored in the user action metadata.
A data management device, wherein the above application development environment type includes an architecture type, and the architecture type is at least one of a GUI data type, a json data type, and a WEBGUI data type.
In paragraph 5,
The above processor,
If the above data contains personal information, define the fields included in the personal information metadata based on the above data,
Store the patterns used for each type of personal information above,
Create a list of personal information exceptions,
Create a personal information extraction rule based on the above personal information metadata and the above personal information exception processing list,
Extract the personal information based on the above personal information extraction rules,
Create a value filter for each of the above personal information types,
The extracted personal information is verified based on the above value filter.
is a data management device. In paragraph 5,
The above processor
Indexing the log data to map the user action metadata and the stored log data,
A data management device, characterized in that it adds text to the above index, wherein the text is classified by using an AI engine as text related to the user action among the collected data. In paragraph 7,
The above processor
A data management device that provides the classified text included in the index when a query for the above log data is requested. A step of collecting data including key IDs for identifying keys and user actions by application development environment type;
A step of classifying and analyzing the collected data;
A step of generating user action metadata by mapping a key ID for identifying a user action and a key for each type of application development environment, identifying the user action using the key ID for identifying the user action and the key for each type of application development environment, and storing the identified user action in the user action metadata;
A computer-readable recording medium storing a computer program for executing a data management method on a computer, wherein the application development environment type includes an architecture type, and the architecture type is characterized in that at least one of a GUI data type, a json data type, and a WEBGUI data type.

Images