JP2013092998A - Access determination device, access determination method and program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To achieve a target type attack countermeasure device for detecting and blocking communication of malware used in a target type attack.SOLUTION: A determination part 114 determines whether or not a URL to which access is requested by a terminal 102 is stored in a URL access history DB 116 as a proper address being proper. Only for access requests to URLs which are not stored in the URL access history DB 116, an authentication part 113 determines whether or not the terminal 102 is transmitting the access request by human operation, and the authentication part 113 detects and blocks the access request which is not transmitted by the human operation, as communication by malware.

Description

  The present invention relates to an access determination device, an access determination method, and a program for determining whether or not a terminal device can access an access destination address that requests access.

  Conventional anti-malware measures are mainly anti-virus software measures. However, in recent years, malware has been infected in the organization or personal terminal devices targeted as targets by tricking the user into executing or downloading programs or exploiting unknown vulnerabilities. Targeted attacks aimed at stealing and destroying internal systems are increasing. The malware used in targeted attacks is designed to avoid detection by anti-virus software. Therefore, it is difficult for anti-virus software to detect malware used in targeted attacks.

  One of the characteristics of malware used in targeted attacks is that a terminal device inside an organization infected with malware communicates with a command server on the Internet. The command server has a role of transmitting commands that the attacker wants the malware to execute to the malware. Thereby, the attacker can operate the terminal device inside the organization protected by a firewall or the like from the Internet.

  Usually, communication (HTTP (Hyper Text Transfer Protocol), HTTPS (Hyper Text Transfer Protocol over Secure Socket Layer), etc.) permitted by an organization security policy is used for communication from the malware to the command server. Such communication is generally performed via a proxy (for example, a proxy server device) that relays communication between a terminal device on the Internet and a terminal device in the organization. Therefore, there is a possibility that malware communication can be blocked by using a proxy with a user authentication function.

In the conventional proxy with user authentication function, when a user uses a proxy, whether or not the user has authority to access services on the Internet using the proxy is authenticated by a password entered by the user. Then, permission to connect to the Internet and permission to access services are provided. Here, the user authentication is to determine whether or not a specific user is authorized to access a predetermined service on the Internet.
For the purpose of single sign-on to different services on the Internet, the proxy with the user authentication function links the proxy service and the security token service, and the connection request is issued to the service that the user has requested to connect. There has been proposed a method for determining whether or not it is legitimate (for example, Patent Document 1).

JP 2005-62556 A

In the conventional proxy with a user authentication function, once the user authentication is successful, there is a problem that even if it is malware, communication can be freely performed by using the access function of the browser.
Also, a method of requesting user authentication every time the proxy is accessed can be considered, but user authentication requires processing by the user such as input of a password. And since the number of times of communication to the Internet occurs several times a day from one user, performing user authentication each time increases the processing by the user, increases the burden on the user, and significantly improves the convenience. There is a problem of losing.
In either case, there is a problem that user authentication can be avoided if a password is analyzed due to a keylogger or password eavesdropping by malware.

  The main object of the present invention is to solve the above-mentioned problems. For example, the main object of the present invention is to reduce the processing by the user and detect the communication of malware used in the targeted attack.

The access determination device according to the present invention is:
A legitimate address storage unit that stores at least one legitimate address information indicating a legitimate address that is an authorized address;
Any valid address information in which an access command indicating an access destination address that is an access destination address that the terminal device attempts to access is received, and the access destination address indicated in the received access command is stored in the valid address storage unit An address determination unit that determines whether or not it matches the valid address shown in FIG.
Access command determination for determining whether or not the terminal device is transmitting the access command by a human operation when the address determination unit determines that the access destination address does not match any of the valid addresses And a section.

The access determination device according to the present invention determines whether or not the terminal device transmits an access command by a human operation only for an access command that attempts to access an address that is not a valid address. For this reason, the user only needs to perform processing indicating that the access command is transmitted by the user's own operation for only a limited access command, and the processing by the user is reduced.
Since an access command that has not been transmitted by a human operation is likely to be an access command transmitted by malware, the access determination device according to the present invention can detect malware communication.

FIG. 3 shows the first embodiment and is a diagram showing an example of a configuration of a target-type attack countermeasure device. FIG. 5 shows the first embodiment and shows an example of a valid address information table 301. FIG. 5 is a diagram illustrating the first embodiment, and is a flowchart illustrating an example of determination processing of the determination unit 114 and authentication processing of the authentication unit 113; FIG. 4 shows the first embodiment and shows an example of an authentication management DB table 201. FIG. 5 is a diagram illustrating the first embodiment, and is a flowchart illustrating an example of a valid address registration process and an access request rejection process of the authentication unit 113. FIG. 3 is a diagram illustrating the first embodiment and is a sequence diagram illustrating an example of information flow in the case of access permission. FIG. 5 is a diagram illustrating the first embodiment, and is a sequence diagram illustrating an example of a flow of information when access is permitted after successful authentication. FIG. 5 is a diagram illustrating the first embodiment, and is a sequence diagram illustrating an example of an information flow in the case of access refusal due to authentication failure. FIG. 5 is a diagram illustrating the first embodiment and is a sequence diagram illustrating an example of an information flow when access is denied due to timeout. FIG. 9 shows the second embodiment and shows an example of the valid address information table 301. FIG. 11 is a diagram illustrating the second embodiment and is a flowchart illustrating an example of registration data deletion processing by the authentication unit 113; FIG. 10 shows the third embodiment and shows an example of the valid address information table 301. FIG. 10 is a diagram illustrating the third embodiment and is a flowchart illustrating an example of registration data deletion processing by the authentication unit 113; The figure which shows Embodiment 1-3, The figure which shows the example of the hardware resource of the target type attack countermeasure apparatus 101 shown to this Embodiment.

Embodiment 1 FIG.
(Configuration of targeted attack countermeasure device)
FIG. 1 is a diagram illustrating an example of a configuration of a target-type attack countermeasure device.
Here, the target-type attack countermeasure device 101 corresponds to an access determination device.

The targeted attack countermeasure device 101, the terminal device 102, the proxy 103, and the firewall 104 are connected to an intra-organization network 106 inside an organization such as a company. Here, the intra-organization network 106 is realized by, for example, a LAN (Local Area Network).
The proxy 103 is, for example, a proxy server device that relays communication from the intra-organization network 106 to the Internet 105. The firewall 104 is installed at the boundary between the intra-organization network 106 and the Internet 105. The proxy 103 has a transfer unit 121, and can transfer an access request from the terminal device 102 to a server on the Internet 105.

  In FIG. 1, the target-type attack countermeasure device 101 is described as a device separate from the proxy 103, but part or all of the functions of the target-type attack countermeasure device 101 may be implemented in the proxy 103. .

  The target-type attack countermeasure device 101 includes a reception unit 111, a transmission unit 112, an authentication unit 113, a determination unit 114, an authentication management DB 115, and a URL access history DB 116.

The receiving unit 111 receives an inquiry from the proxy 103. Here, the inquiry from the proxy 103 means that the proxy 103 receives an access request indicating an access destination address that is an access destination address to which the terminal device 102 tries to access, and the proxy 103 receives the received access request as a targeted attack. This is transferred to the countermeasure device 101.
Here, the access request corresponds to an access command.
That is, the reception unit 111 receives an access command (access request) indicating an access destination address that is an access destination address to which the terminal device 102 attempts to access.
Here, the reception unit 111 corresponds to an access command determination unit and an address determination unit.
Here, the access destination address is, for example, a URL (Uniform Resource Locator) of a server that performs services on the Internet 105.

The transmission unit 112 transmits a response to the inquiry from the proxy 103.
Here, the transmission unit 112 corresponds to an access command determination unit.

The URL access history DB 116 stores a valid address information table 301. Although details will be described later, the valid address information table 301 is configured by valid address information indicating a valid address that is an address authenticated as valid.
Here, the URL access history DB 116 corresponds to a valid address storage unit.

The determination unit 114 determines whether or not the access destination address indicated in the access request received by the reception unit 111 matches the valid address indicated in any valid address information stored in the URL access history DB 116.
If the determination unit 114 determines that the access destination address matches any of the valid addresses, the determination unit 114 permits the terminal device to access the access destination address.
Here, the determination unit 114 corresponds to an address determination unit and an access command determination unit.

The authentication unit 113 authenticates the access request from the terminal device 102 when the determination unit 114 determines that the access request from the terminal device 102 requires authentication.
Here, when the determination unit 114 determines that the access request from the terminal device 102 requires authentication (hereinafter, that the access request requires authentication is referred to as “authentication required”) This is a case where it is determined by 114 that the access destination address does not match any of the valid addresses.

The authentication performed by the authentication unit 113 for the terminal device 102 or the authentication performed by the authentication unit 113 for the access request determines whether or not the terminal device 102 has transmitted the access request by a human operation. It is to be. That is, the authentication performed by the authentication unit 113 in response to the access request is different from the above-described user authentication and is not for determining whether or not the user is authorized to access, but from the terminal device 102. It is performed for the purpose of determining whether the access request to the transmitted URL is due to a human operation or a program.
Further, “determination that authentication is successful” means that the terminal device 102 has transmitted an access request by human operation, and “determination that authentication has failed” means that the terminal device 102 has been operated by human operation. That is, it is not determined that the device 102 is transmitting an access request.

Specifically, the authentication unit 113 transmits a response indicating that authentication is required to the proxy 103 via the transmission unit 112 so as to display an authentication screen on the terminal device 102. This response indicating that authentication is required is hereinafter referred to as “authentication required response”. Here, the authentication unit 113 may directly send an authentication response to the terminal device 102 without going through the proxy 103. That is, the authentication unit 113 generates an authentication required response, and transmits the generated authentication required response to the terminal device 102 by the transmission unit 112.
Then, the authentication unit 113 registers authentication information (information used at the time of authentication) in the authentication management DB 115 (described later). Here, the authentication information is, for example, a password used when authenticating the terminal device 102 that has requested access.
Here, the authentication unit 113 corresponds to an access command determination unit and a valid address information update unit.

(Description of authentication response required)
Here, the authentication required response will be described.
The authentication-required response is a response made to the access request in order to determine whether or not the access request transmitted by the terminal apparatus 102 is made by a human operation.
The authentication required response is an inquiry message for making an inquiry to the terminal device 102 generated by the authentication unit 113 in a format that cannot be understood by anyone other than a human being.

  The authentication required response is also information for displaying an authentication screen on the display device of the terminal device 102, and the terminal device 102 that has received the authentication required response can display the authentication screen on the display device of the terminal device 102. is there. That is, information for displaying the authentication screen also corresponds to the inquiry message.

Here, the authentication screen is a screen that indicates a request for input of response information for a response requiring authentication to a user using the terminal device 102.
The response information is authentication information input (transmitted) by the terminal device 102 in which a response from the terminal device 102 is shown in response to the authentication required response transmitted by the transmitting unit 112.

Here, a specific example of a method in which the authentication unit 113 determines whether or not the terminal device 102 has transmitted an access request by human operation (that is, an authentication method) will be described.
The authentication unit 113 first generates authentication information. The authentication information may be stored in advance in the storage device of the target-type attack countermeasure device 101.

And the authentication part 113 produces | generates the question of the content which can be answered easily if it is a human but cannot be answered by a program as an authentication required response.
Here, existing challenge and response authentication is used as a question that can be answered easily by humans but cannot be answered by the program. For example, there is a CAPTCHA (Completely Automated Public Testing to tell Computers and Humans Apart) technology, a one-time password technology, and the like.

As a specific example, an example of the CAPTCHA technique is shown.
It is assumed that the authentication unit 113 has generated authentication information “1234”. In this case, the authentication unit 113 generates image data that is displayed as a character with a distorted number “1234”, for example, together with a question (instruction) “Please input the number displayed in this image”. Here, the image data may be displayed such that the numbers “1234” overlap each other, or may display other image data superimposed on the background or foreground of the numbers “1234”. Good.
Then, the transmission unit 112 transmits the question and the image data to the terminal device 102 as an authentication required response. At this time, the transmission unit 112 may transmit an authentication response required to the terminal device 102 via the proxy 103.
Then, the terminal device 102 displays the question and the image data on the display device of the terminal device 102 as an authentication screen.

  If the person operating the terminal device 102 is a human, it is possible to decode the distorted characters shown in the image data, and the person (user) operating the terminal device 102 It is possible to input the response information “1234” by operating the input device.

If the response from the terminal device 102 is appropriate, the authentication unit 113 determines that the terminal device 102 is operated by a human.
Here, an appropriate response is, for example, that the response indicated in the response information matches the generated authentication information. (As will be described later, the authentication information is stored in the authentication management DB 115.) That is, an appropriate response is a correct answer (response) shown in the response information for the question indicated in the authentication required response. Is the case.
If response information “1234” is obtained for authentication information “1234”, this is an appropriate response.
On the other hand, an inappropriate response is a case where the answer (response) shown in the response information for the question shown in the authentication required response is incorrect.

For example, the question when the authentication information is “1234” may be “Please input a numerical value obtained by adding 1 to 1233”.
Further, for example, unaligned image data is displayed on the authentication screen, and the question “Please align displayed images” may be used. For example, in the authentication screen, the image is changed and displayed according to the amount of displacement input by the user in order to align the images. In this case, the response information indicates the amount of displacement input by the user. And the authentication part 113 determines whether this displacement amount corresponds with the numerical value produced | generated as authentication information.
The question may be voice data.

(Description of URL access history DB 116)
FIG. 2 is a diagram illustrating an example of the valid address information table 301.
The URL access history DB 116 stores the valid address information table 301 as described above.
Here, for example, each row in FIG. 2 (for example, row D301) is one valid address information, and the valid address information is authenticated as valid, for example, “http://www.aaa.com/”. The legitimate address that is the registered address is indicated.
That is, the URL access history DB 116 stores at least one legitimate address information indicating a legitimate address that is an address authenticated as legitimate.

  Further, the authentication unit 113 stores, in the URL access history DB 116, valid address information indicating the access destination address indicated in the access request authenticated (determined) that the terminal device 102 has transmitted the access request by human operation as the valid address. Remember.

At this time, the authentication unit 113 registers the URL (access destination address) indicated in the access request from the beginning to the destination host part as a valid address.
For example, when the access destination address indicated in the access request is “http://www.aaa.com/menu/samples.html”, the authentication unit 113 includes the part “http://www.aaa.com/”. Is registered as a valid address.

  By registering the destination host part as a legitimate address, when the terminal device 102 makes a plurality of access requests to the content of the same host, or a server such as a news site whose URL changes every day is wasted. prevent. Hereinafter, unless otherwise specified, the URL (address) refers to a portion from the top of the URL of the access request to the destination host portion.

  Note that when the target-type attack countermeasure apparatus 101 is introduced, no valid address may be registered in the URL access history DB 116. However, every time the terminal device 102 makes an access request to a URL that is not registered in the URL access history DB 116, the authentication unit 113 authenticates the terminal device 102. A person who operates the terminal device 102 must input response information (authentication information) for authentication. For this reason, the number of times that a human must input response information (authentication information) increases.

  Therefore, a URL access request for a certain period of time (a state in which no malware exists in the terminal device 102 of the organization network 106) is observed for a certain period, and the URL indicated in the observed URL access request is registered in the URL access history DB 116. It can also be used as an initial value of a valid address. By using in this way, the URL that is frequently accessed from the organization is already registered in the URL access history DB 116. That is, since the authentication unit 113 does not perform authentication for URLs that are frequently accessed from an organization, the number of times that a person operating the terminal device 102 inputs response information (authentication information) can be reduced.

(Explanation of the operation of the emotion target type attack countermeasure device 101)
The operation of the target-type attack countermeasure device 101 will be described.

FIG. 3 is a flowchart illustrating an example of the determination process of the determination unit 114 and the authentication process of the authentication unit 113.
FIG. 4 is a diagram illustrating an example of the authentication management DB table 201.
FIG. 5 is a flowchart illustrating an example of a valid address registration process and an access request rejection process of the authentication unit 113.

There are two operations as the operation of the target-type attack countermeasure device 101.
First, when there is an access request from the terminal device 102 to the proxy 103, the determination unit 114 refers to the URL access history DB 116 to determine whether or not to permit access to the URL for which the access request has been made (FIG. 3).
Then, when the determination unit 114 suspends access to the URL for which an access request has been made (when it has not been determined to permit access to the URL for which an access request has been made), the authentication unit 113 performs an authentication (FIG. 3). And FIG. 5).

  First, referring to FIG. 3, an operation will be described in which the determination unit 114 refers to the URL access history DB 116 to determine whether or not to permit access to the URL requested to be accessed.

First, the receiving unit 111 performs the process of S401 in FIG. 3 until an inquiry from the proxy 103 is received.
When the reception unit 111 receives an inquiry from the proxy 103 (when it is determined “YES” in the process of S401 in FIG. 3), the determination unit 114 stores the valid address information table 301 as illustrated in FIG. 2, for example. The stored URL access history DB 116 is referred to. Then, the determination unit 114 determines whether or not the URL included in the received inquiry is registered in the URL access history DB 116 (S402 in FIG. 3).

If the determination unit 114 determines that the URL included in the received inquiry is registered in the URL access history DB 116 (“YES” in S402 in FIG. 3), the determination unit 114 issues an access request to the URL from the terminal device 102. To give permission. That is, when the determination unit 114 determines that the access destination address indicated in the access request matches any of the valid addresses, the determination unit 114 permits the terminal device 102 to access the access destination address.
Then, the transmitting unit 112 responds (transmits) the permission of the access request to the proxy 103 (S403 in FIG. 3). Then, the reception unit 111 continues to perform the process of S401 in FIG.

On the other hand, when the determination unit 114 determines that the URL included in the received inquiry is not registered in the URL access history DB 116 (“NO” in S402 in FIG. 3), the terminal device 102 accesses from the terminal device 102. Determine that the request is pending.
Then, the access request suspended by the determination unit 114 is processed by the authentication unit 113.

Next, the operation of the authentication unit 113 will be described with reference to FIG.
The authentication unit 113 generates authentication information corresponding to the access request suspended by the determination unit 114 and registers it in the authentication management DB 115 (S406 in FIG. 3). At this time, the authentication unit 113 assigns an authentication number and an authentication time limit (authentication timeout time) to the authentication information (S404 and S405 in FIG. 3). The authentication number and the authentication time limit will be described later.
Then, the transmission unit 112 responds to the proxy that the terminal device 102 that has made the access request needs to be authenticated (authentication required) (S407 in FIG. 3). That is, the transmission unit 112 transmits an authentication request response to the access request to the proxy.
Here, the transmission unit 112 transmits the authentication number assigned when the authentication unit 113 registers the authentication information in the authentication management DB 115 to the authentication-required response to the access request corresponding to the authentication information with the authentication number. To do. Further, the transmission unit 112 can encrypt the authentication information so that it can be decrypted only by the target-type attack countermeasure device 101 (authentication unit 113), and can also transmit it by including it in an authentication response required.
Further, the transmission unit 112 can also directly transmit an authentication response to the terminal apparatus 102 without going through the proxy 103.

Here, the authentication management DB 115 will be described.
The authentication management DB 115 stores an authentication management DB table 201 as shown in FIG.
For example, as shown in D201 of FIG. 4, the authentication information “1234” is given an authentication number “1” and an authentication time limit “2011/08/20 12:10:56”.
Here, the authentication number is a number used to uniquely identify the authentication required response when the authentication unit 113 responds that authentication is required for a plurality of access requests (transmits an authentication required response). As the authentication number, a continuous value may be given for each authentication to be identified (each authentication response required), or a random number that does not overlap may be given.
That is, the authentication management DB 115 stores the contents of the authentication response required for the terminal device 102 in association with each authentication response required.
The authentication deadline is a time-out time for authentication, and is a time when a preset time is added after the authentication unit 113 transmits an authentication response required. If the authentication is not performed before the time indicated by the authentication time limit, the authentication unit 113 determines that the authentication has failed.

Next, an operation in which the authentication unit 113 performs authentication will be described with reference to FIG.
The operation described here is an access request for which access permission determination is suspended by the determination unit 114 in S402 of FIG. 3 (the determination unit 114 accesses an URL that is not registered as a valid address in the URL access history DB 116). This is a process for the access request that has been processed in S404 to S407 in FIG.

The authentication unit 113 refers to the authentication management DB 115 to check whether there is authentication information that has reached the set authentication time limit (S501 in FIG. 5). That is, the authentication management DB 115 is referred to by the authentication unit 113 when determining the success or failure (success / failure) of the authentication.
If there is authentication information that has reached the set authentication time limit (“YES” in S501 in FIG. 5), the transmission unit 112 responds to the proxy 103 with a rejection of the access request (S506 in FIG. 5).

Then, the authentication unit 113 deletes the authentication information (including the authentication number and the authentication time limit) corresponding to the denied access request (507 in FIG. 5).
In other words, the authentication unit 113 transmits a required authentication response to the terminal device 102 (including a request for transmitting an authentication required response to the terminal device 102 via the proxy 103), and a predetermined predetermined value. Delete authentication information for which time has passed.
Here, as will be described later, the authentication unit 113 also deletes authentication information that has been successfully authenticated from the authentication management DB 115. Therefore, when authentication information is still stored in the authentication management DB 115 even after a predetermined time elapses, the response information for the authentication response required is sent to the terminal even when the predetermined time elapses. This is a case where the authentication unit 113 does not receive authentication from the device 102 and the authentication unit 113 does not determine that authentication is successful.
Therefore, in such a case, the authentication unit 113 determines that the terminal device 102 has not transmitted an access request due to a human operation (that is, the authentication unit 113 determines that authentication has failed).

  On the other hand, if there is no authentication information that has reached the set authentication time limit (“NO” in S501 in FIG. 5), the authentication unit 113 determines whether the reception unit 111 has received response information from the terminal device 102. Determination is made (S502 in FIG. 5). Here, the response information includes information received from the terminal apparatus 102 via the proxy 103.

  If the reception unit 111 has not received response information from the terminal device 102 (“NO” in S502 of FIG. 5), the authentication unit 113 continues the process of S501 of FIG.

When the reception unit 111 has received response information from the terminal device 102 (“YES” in S502 in FIG. 5), the authentication unit 113 determines that the response indicated by the received response information is appropriate for the authentication response required. It is determined whether or not it is a response (S503 in FIG. 5).
Here, in the response information, the authentication number given to the authentication required response is given as it is, and the authentication unit 113 compares with the authentication information of the authentication management DB 115 to which the same authentication number is given.

  When the response indicated in the response information is an appropriate response to the authentication required response, the authentication unit 113 determines that the terminal device 102 is transmitting the access request by human operation. That is, the authentication unit 113 determines that the authentication is successful (“YES” in S503 in FIG. 5).

Then, the authentication unit 113 registers the URL of the access request determined to be successful in the URL access history DB 116 (S504 in FIG. 5).
That is, the authentication unit 113 stores, in the URL access history DB 116, the URL of the access request that has been determined by the determination unit 114 to be inconsistent with any of the legitimate addresses (access destination address) and that has been successfully authenticated. sign up.

Then, the authentication unit 113 responds to the proxy 103 with permission of the access request via the transmission unit 112 (S505 in FIG. 5).
That is, the authentication unit 113 permits the terminal device 102 to access the access destination address when it is determined that the terminal device 102 is transmitting an access request by a human operation (when authentication is determined to be successful). To do.
Then, the authentication unit 113 deletes the authentication information for the access request to the URL registered in the URL access history DB 116 from the authentication management DB 115 (S507 in FIG. 5), and continues the process of S501 in FIG.

On the other hand, when the response indicated in the response information is not an appropriate response to the authentication required response, the authentication unit 113 determines that the terminal device 102 has not transmitted the access request by human operation. That is, the authentication unit 113 determines that the authentication has failed (“NO” in S503 in FIG. 5).
Although illustration is omitted, since there is a possibility that an error may occur in a human operation, the authentication unit 113 can repeatedly perform the authentication process a predetermined number of times when it is determined that the authentication has failed. That is, the authentication unit 113 can repeatedly perform the process of S407 in FIG. 3 and the processes of S501 to S503 in FIG. 5 a predetermined number of times.

Then, the authentication unit 113 responds to the proxy 103 via the transmission unit 112 to reject the access request (S506 in FIG. 5).
That is, the authentication unit 113 prohibits the terminal device 102 from accessing the access destination address when it is determined that the terminal device 102 has not transmitted an access request by human operation (when authentication is determined to have failed). To do.
Here, the access request transmitted by the terminal device 102 regardless of a human operation is considered to be an access request transmitted by the terminal device 102 by malware (by malware operation). Therefore, the authentication unit 113 prohibits (blocks) access to the access destination address indicated in the access request that is considered to be transmitted by the terminal device 102 by malware (by operation of the malware).

  Then, the authentication unit 113 deletes the authentication information for the access request for which access has been denied from the authentication management DB 115 (S507 in FIG. 5), and continues the processing in S501 in FIG.

(Explanation of information flow using sequence diagram)
A flow of information after the access request to the URL is issued from the terminal apparatus 102 will be described with reference to a sequence diagram. Here, it is assumed that the terminal device 102 makes an access request to a server on the Internet 105.
FIG. 6 is a sequence diagram illustrating an example of information flow in the case of access permission.
FIG. 7 is a sequence diagram illustrating an example of the flow of information in the case of access permission after successful authentication.
FIG. 8 is a sequence diagram illustrating an example of the flow of information in the case of access refusal due to authentication failure.
FIG. 9 is a sequence diagram illustrating an example of information flow in the case of access refusal due to timeout.

  In the sequence diagram, transmission / reception of information between the terminal apparatus 102 and the target-type attack countermeasure apparatus 101 is shown to be performed through the proxy 103 once. However, as described above, the communication after making an inquiry from the proxy 103 to the target-type attack countermeasure device 101 can be performed directly between the target-type attack countermeasure device 101 and the terminal device 102. In response to the inquiry from the proxy 103, the target-type attack countermeasure device 101 may return only permission or denial of the access request as a response.

(Explanation of information flow when access is permitted)
First, the case of access permission will be described with reference to FIG.
First, an access request from the terminal device 102 to the URL of the server on the Internet 105 is transmitted to the proxy 103.
The proxy 103 that has received the access request from the terminal device 102 transmits an inquiry to the target attack countermeasure device 101 as to whether or not to permit an access request to the URL. The inquiry includes the URL for which an access request has been made.
The target-type attack countermeasure apparatus 101 refers to the URL access history DB 116 based on the URL included in the inquiry. As a result, the URL requested to be accessed is registered in the URL access history DB 116. Request permission is sent to the proxy 103.
The proxy 103 receives the access request permission from the target attack countermeasure device 101 as a response, and transmits the access request transmitted from the terminal device 102 to the server on the Internet 105 represented by the URL.
A response to the access request is transmitted from the server on the Internet 105 to the proxy 103, and the proxy 103 transmits a response from the server on the Internet 105 to the terminal device 102.

(Description of information flow when access is permitted after successful authentication)
Next, the case of access permission after successful authentication will be described with reference to FIG.
The flow from when the terminal device 102 sends an access request to the URL of the server on the Internet 105 to the proxy 103 until the target attack countermeasure device 101 is inquired from the proxy 103 is the same as in the case of access permission. .
The target-type attack countermeasure apparatus 101 refers to the URL access history DB 116 based on the URL included in the inquiry. As a result, the URL is not registered in the URL access history DB 116. It transmits to the proxy 103 (the target type attack countermeasure apparatus 101 transmits an authentication required response). The authentication response includes an authentication number and a question displayed on the authentication screen transmitted to the terminal device 102.
When the proxy 103 receives an authentication required response, the proxy 103 transmits an authentication number and an authentication screen to the terminal device 102.
When the authentication screen is displayed, the user operating the terminal device 102 inputs an answer to the question displayed on the authentication screen, and transmits the response information to the proxy 103 together with the authentication number.
The proxy 103 transmits the authentication number and response information received from the terminal device 102 to the target attack countermeasure device 101.
The target-type attack countermeasure device 101 refers to the authentication management DB 115 based on the authentication number, verifies the received response information, confirms that the answer is correct, and then transmits an access request permission to the proxy 103 as a response. .
Thereafter, a response is returned from the server on the Internet 105 to the terminal device 102 in the same flow as in the case of access permission.

(Explanation of information flow when access is denied due to authentication failure)
Next, the case of access refusal due to authentication failure will be described with reference to FIG.
The flow from the time when the access request to the URL of the server on the Internet 105 is transmitted from the terminal device 102 to the proxy 103 to the time when the authentication information is transmitted to the target-type attack countermeasure device 101 is the access permission after successful authentication Same as the case.
The target-type attack countermeasure device 101 that has received the authentication number and the authentication information from the proxy 103 returns a rejection of the access request to the proxy 103 because a correct answer has not been obtained as a result of verifying the received authentication information.
The proxy 103 that has received the access request rejection response rejects the URL access request transmitted from the terminal device 102.
For this reason, the terminal device 102 cannot access the server on the Internet 105 indicated by the URL requested to be accessed.

(Explanation of information flow when access is denied due to timeout)
Next, the case of access refusal due to timeout will be described with reference to FIG.
The flow from when the terminal device 102 sends an access request to the URL of the server on the Internet 105 to the proxy 103 until the authentication screen is sent from the proxy 103 to the terminal device 102 is the case of access permission after successful authentication. This is the same as the case of access denial due to authentication failure.
The target-type attack countermeasure apparatus 101, when it is determined that authentication is required at the time of access determination, gives an authentication time limit to the authentication information and registers it in the authentication management DB 115. The target-type attack countermeasure apparatus 101 refers to the authentication management DB 115 to determine whether there is any authentication information that has passed the authentication deadline. If there is authentication information that has reached the authentication deadline, the target attack countermeasure apparatus 101 sends an access request to the proxy 103. Responds to rejection. The subsequent flow is the same as in the case of access denial due to authentication failure.

(Effect of Embodiment 1)
The targeted attack countermeasure apparatus 101 according to the first embodiment determines whether the access request from the terminal apparatus 102 to the server on the Internet 105 is a URL registered in the URL access history DB 116. If the URL of the access request is not registered in the URL access history DB 116, the targeted attack countermeasure apparatus 101 can easily answer whether or not the access request to the URL is caused by a human operation. Is determined by authenticating with questions that cannot be answered by the program.
That is, the targeted attack countermeasure apparatus 101 according to the first embodiment performs authentication only for an access request that attempts to access an address that is not a legitimate address, thereby reducing user authentication processing and impairing user convenience. In addition, communication to a server on the Internet 105 by malware can be blocked.
As a result, even if the terminal device 102 in the organization is infected with malware, the server 102 is operated from the server on the Internet 105 via the Internet 105 or confidential information is stolen. Can be prevented.
In addition, on a Web page that accesses a plurality of servers to display one page, the user operating the terminal device 102 intentionally authenticates access to a server that does not need to be accessed. By canceling, only the content that the user wants to see can be displayed on the Web browser.

As described above, in the first embodiment, the target-type attack countermeasure device 101 including the following means has been described.
(1) Means for determining whether to permit an access request to a server on the Internet with reference to the URL access history DB 116;
(2) Means that can be answered easily by humans but cannot be answered by the program, and is authenticated by a question of content;
(3) Means for managing transmitted authentication with an authentication number;
(4) means for registering the URL requested to be accessed in the URL access history DB 116 when the authentication is successful;
(5) A means for determining that the access request is rejected when the authentication fails.

Embodiment 2. FIG.
(Outline of Targeted Attack Countermeasure Device 101 in Embodiment 2)
In the target-type attack countermeasure apparatus 101 according to the first embodiment, every time an access request to a new URL is permitted, valid address information indicating a URL (valid address) is registered in the URL access history DB 116. On the other hand, in the target type attack countermeasure device 101 according to the second embodiment, the size of the URL access history DB 116 is reduced when the size of the URL access history DB 116 is enlarged due to an increase in registered valid address information. The form is shown.
Specifically, the authentication unit 113 of the target type attack countermeasure device 101 according to the second embodiment determines that the valid address information stored in the URL access history DB 116 matches the access destination address by the determination unit 114. The legitimate address information indicating the legitimate address that is rarely deleted is deleted.
The authentication unit 113 corresponds to a valid address information update unit.

  The target-type attack countermeasure device 101 of the second embodiment has the same configuration as the target-type attack countermeasure device 101 of the first embodiment shown in FIG. Therefore, the description of the same components and the same processing contents as those of the first embodiment is omitted.

(Description of URL access history DB 116)
FIG. 10 is a diagram illustrating an example of the valid address information table 301.
Compared to the example (FIG. 2) of the valid address information table 301 in the first embodiment, the number of accesses and the last access date are added.
Similarly to FIG. 2, for example, the row of D1001 is one legitimate address information.

  The authentication unit 113 registers the number of accesses and the last access date together with the URL when newly registering the legitimate address information indicating the URL requested to be accessed in the URL access history DB 116.

Here, the number of accesses is the number of times the determination unit 114 has permitted access to the URL for which an access request has been made, and is “1” at the time of new registration. Then, when the access request is determined, the determination unit 114 refers to the URL access history DB 116, and if the URL for which the access request has been made is registered, the determination unit 114 adds the number of accesses to the corresponding URL.
That is, the access count is the cumulative number of determinations that the determination unit 114 determines that the legitimate address matches the access destination address.
The URL access history DB 116 stores at least one valid address information in which a valid address is associated with the number of accesses.

The last access date is the time when the determination unit 114 permits access to the URL requested to be accessed. The last access date may be a date indicated by an internal clock provided in the target-type attack countermeasure device 101. Note that only the date may be indicated as the last access date, or time (hour, minute, second) information may be added to the date (the same applies to the first access date described later).
Then, when determining the access request, the determination unit 114 refers to the URL access history DB 116 and updates the last access date when the URL for which the access request has been made is registered.
In other words, the last access date is the last determination time that is determined last by the determination unit 114 when the legitimate address matches the access destination address.
The URL access history DB 116 stores at least one valid address information in which a valid address and a last access date are shown in association with each other.

(Explanation of the operation of the emotion target type attack countermeasure device 101)
FIG. 11 is a flowchart illustrating an example of registration data deletion processing by the authentication unit 113.
The authenticating unit 113 receives registration data (legitimate address information) that has not been accessed in a predetermined period (threshold 1) from the last access date and whose access count is lower than a predetermined value (threshold 2) as a URL. A search is made from the access history DB (S1101 in FIG. 11).

  If there is corresponding registration data (legitimate address information) as a result of the search (“YES” in S1102 in FIG. 11), the authentication unit 113 deletes the registration data (legitimate address information) from the URL access history DB 116 ( S1103 in FIG. 11).

  That is, the authentication unit 113 deletes the valid address information indicating the number of determinations (access times) smaller than a preset threshold value of the number of determinations (access times) from the URL access history DB 116. That is, the authentication unit 113 deletes valid address information indicating a valid address that is rarely determined by the determination unit 114 to be coincident with the access destination address.

As a result of the search, the authentication unit 113 finds that there is no corresponding registration data (legitimate address information) (“NO” in S1102 of FIG. 11), or the corresponding registration data (legitimate address information) in S1103 of FIG. After deleting, the process of S1104 in FIG. 11 is performed.
In S1104 of FIG. 11, the authentication unit 113 sets registration data (legitimate address information) that has passed a certain period (threshold 3: threshold 3 is longer than threshold 1) from the last access date to the URL. Search from the access history DB 116.

  When there is corresponding registration data (legitimate address information) as a result of the search (“YES” in S1105 in FIG. 11), the authentication unit 113 deletes the registration data (legitimate address information) from the URL access history DB 116 ( S1106 in FIG.

  In other words, the authentication unit 113 indicates a final determination time (last access date) that is older than a time that is back from the predetermined time by a preset valid period at a predetermined time (for example, during the search process of S1104 in FIG. 11). The valid address information is deleted from the URL access history DB 116. In other words, the authentication unit 113 deletes valid address information indicating a valid address that is rarely determined to match the access destination address by the determination unit 114 at a time that is a predetermined effective period after a predetermined time. .

  In S1106 of FIG. 11, the authentication unit 113 receives the registration data (legitimate address information) from the URL access history DB 116 even if the number of accesses of the corresponding registration data (legitimate address information) is larger than the threshold value 2. delete.

If there is no corresponding registration data (legitimate address information) as a result of the search (“NO” in S1105 in FIG. 11), the authentication unit 113 or the corresponding registration data (legitimate address information) in the process of S1106 in FIG. ) Is deleted, the registered data deletion process shown in FIG. 11 is terminated.
FIG. 11 illustrates that the authentication unit 113 performs the processes of S1104 to S1106 after performing the processes of S1101 to S1103. However, although not shown, the authentication unit 113 can perform the processing of S1101 to S1103 after performing the processing of S1104 to S1106.

(Effect of Embodiment 2)
The target-type attack countermeasure apparatus 101 according to the second embodiment periodically accesses the URL from the registered data (legitimate address information) in the URL access history DB 116 according to the threshold of the number of accesses and the threshold of the number of days elapsed from the last access date. Registration data (legitimate address information) in the history DB 116 is deleted. Therefore, the target-type attack countermeasure device 101 according to the second embodiment can prevent the size of the URL access history DB 116 from increasing without limit. Further, the smaller the size of the URL access history DB 116 is, the shorter the time taken to refer to the URL access history DB 116 is. Therefore, the targeted attack countermeasure apparatus 101 according to the second embodiment can also speed up the processing.

As described above, in the second embodiment, the target-type attack countermeasure device 101 including the following means has been described.
(1) A means for counting the number of accesses and registering it in the URL access history DB 116;
(2) means for registering the last access date in the URL access history DB 116;
(3) Means for deleting registration data in the URL access history DB in which a predetermined time has elapsed from the last access date and the number of accesses is equal to or less than a threshold value;
(4) Means for deleting registered data in the URL access history DB after a long time has passed since the last access day.

Embodiment 3 FIG.
(Outline of Targeted Attack Countermeasure Device 101 in Embodiment 3)
In the targeted attack countermeasure apparatus 101 according to the second embodiment, the number of registered data (legitimate address information) in the URL access history DB 116 is reduced based on the number of accesses to the URL and the number of days elapsed since the last access date. On the other hand, in the target type attack countermeasure device 101 according to the third embodiment, an embodiment in which registration data (legitimate address information) in the URL access history DB is deleted according to the access frequency to the URL is shown.
Specifically, the authentication unit 113 of the target-type attack countermeasure device 101 according to the third embodiment determines that the valid address is accessed by the determination unit 114 for each valid address information stored in the URL access history DB 116 for a predetermined period. The determination frequency determined to match the address is calculated, and legitimate address information indicating that the calculated determination frequency is lower than a predetermined determination frequency threshold is deleted from the URL access history DB.
Note that deleting legitimate address information with a low access frequency means that the authenticating unit 113 of the targeted attack countermeasure apparatus 101 of the third embodiment stores the legitimate address stored in the URL access history DB 116 as in the second embodiment. In the address information, the valid address information indicating the valid address that is rarely determined to match the access destination address by the determination unit 114 is deleted.

  The target type attack countermeasure device 101 of the third embodiment has the same configuration as the target type attack countermeasure device 101 of the first embodiment or the second embodiment shown in FIG. Therefore, the description of the same components and the same processing contents as those in the first embodiment or the second embodiment is omitted.

(Description of URL access history DB 116)
FIG. 12 is a diagram illustrating an example of the valid address information table 301.
Compared to the example of the valid address information table 301 in the second embodiment (FIG. 10), an initial access date is added.
Similarly to FIG. 2 or FIG. 10, for example, the row of D1201 is one legitimate address information.

  The authentication unit 113 registers the number of accesses, the first access date, and the last access date together with the URL when newly registering valid address information indicating the URL for which an access request has been made in the URL access history DB 116.

Here, since the number of accesses and the last access date are the same as those in the second embodiment, description thereof will be omitted.
The first access date is the first determination time when the determination unit 114 first determines that the legitimate address matches the access destination address. Alternatively, the first access date may be a time when the valid address information is newly registered in the URL access history DB 116 by the authentication unit 113.
The URL access history DB 116 stores at least one legitimate address information in which the legitimate address, the first access date, the last access date, and the number of accesses are associated with each other.

(Explanation of the operation of the emotion target type attack countermeasure device 101)
FIG. 13 is a flowchart illustrating an example of registration data deletion processing by the authentication unit 113.
The authentication unit 113 has a value (threshold value 4) that is a value (threshold 4) obtained by dividing the number of accesses by the difference between the last access date and the first access date (access frequency) when the first access date is earlier than the last access date. ) Lower registration data (legitimate address information) is searched from the URL access history DB 116 (S1301 in FIG. 13).
That is, the authentication unit 113 determines the cumulative total for each valid address information stored in the URL access history DB 116, with the time from the initial determination time (first access date) to the final determination time (final access date) as a predetermined period. A determination frequency (access frequency), which is a value obtained by dividing the number of times (access number) by a predetermined period, is calculated.

  If there is corresponding registration data (legitimate address information) as a result of the search (“YES” in S1302 in FIG. 13), the authentication unit 113 deletes the registration data (legitimate address information) from the URL access history DB 116 ( S1303 in FIG. 13).

  That is, for each valid address information stored in the URL access history DB 116, the authentication unit 113 calculates and calculates a determination frequency at which the determination unit 114 determines that the valid address matches the access destination address in a predetermined period. The legitimate address information whose determination frequency is lower than a predetermined determination frequency threshold is deleted from the URL access history DB 116.

  If there is no corresponding registration data (valid address information) as a result of the search (“NO” in S1302 in FIG. 13), the authentication unit 113 or the corresponding registration data (valid address information) in the processing of S1303 in FIG. ) Is deleted, the registered data deletion process shown in FIG. 13 is terminated.

(Effect of Embodiment 3)
Since the targeted attack countermeasure apparatus 101 according to the third embodiment deletes the registration data from the registration data (legitimate address information) in the URL access history DB 116 according to the access frequency from the first access date to the last access date. It is possible to delete registration data (legitimate address information) of URLs accessed with a high access frequency and low access frequency thereafter. Therefore, the targeted attack countermeasure apparatus 101 according to the third embodiment can preferentially leave URL registration information (legitimate address information) with a high access frequency in the URL access history DB 116. Thereby, the target-type attack countermeasure device 101 according to the third embodiment can suppress the size of the URL access history DB 116 while suppressing the number of times of access authentication for a frequently accessed URL.

  As described above, in the third embodiment, the target-type attack countermeasure apparatus 101 including the means for deleting the registration data in the URL access history DB regarding the URL with low access frequency has been described.

(Hardware Configuration of Targeted Attack Countermeasure Device 101 of Embodiments 1 to 3)
Finally, a hardware configuration example of the target-type attack countermeasure device 101 shown in the first to third embodiments will be described.
FIG. 14 is a diagram illustrating an example of hardware resources of the target-type attack countermeasure device 101 illustrated in the present embodiment.
14 is merely an example of the hardware configuration of the target-type attack countermeasure device 101, and the hardware configuration of the target-type attack countermeasure device 101 is not limited to the configuration described in FIG. It may be a configuration.

In FIG. 14, the targeted attack countermeasure device 101 includes a CPU 911 (also referred to as a central processing unit, a central processing unit, a processing unit, an arithmetic unit, a microprocessor, a microcomputer, and a processor) that executes a program.
The CPU 911 is connected to, for example, a ROM (Read Only Memory) 913, a RAM (Random Access Memory) 914, a communication board 915, a display device 901, a keyboard 902, a mouse 903, and a magnetic disk device 920 via a bus 912. Control hardware devices.
Further, the CPU 911 may be connected to an FDD 904 (Flexible Disk Drive) or a compact disk device 905 (CDD). Further, instead of the magnetic disk device 920, a storage device such as an SSD (Solid State Drive), an optical disk device, or a memory card (registered trademark) read / write device may be used.
The RAM 914 is an example of a volatile memory. The storage media of the ROM 913, the FDD 904, the CDD 905, and the magnetic disk device 920 are an example of a nonvolatile memory. These are examples of the storage device.
The storage device, authentication management DB 115, and URL access history DB 116 of the target-type attack countermeasure device 101 described in the present embodiment are realized by a magnetic disk device 920 or the like.
The communication board 915, the keyboard 902, the mouse 903, the FDD 904, and the like are examples of input devices.
The communication board 915, the display device 901, and the like are examples of output devices.

  The communication board 915 is connected to the intra-organization network 106.

The magnetic disk device 920 stores an operating system 921 (OS), a window system 922, a program group 923, and a file group 924.
The programs in the program group 923 are executed by the CPU 911 using the operating system 921 and the window system 922.

The RAM 914 temporarily stores at least part of the operating system 921 program and application programs to be executed by the CPU 911.
The RAM 914 stores various data necessary for processing by the CPU 911.

The ROM 913 stores a BIOS (Basic Input Output System) program, and the magnetic disk device 920 stores a boot program.
When the target-type attack countermeasure device 101 is activated, the BIOS program in the ROM 913 and the boot program in the magnetic disk device 920 are executed, and the operating system 921 is activated by the BIOS program and the boot program.

  The program group 923 stores programs for executing functions described as “˜unit” (except for “˜storage unit” in the following) in the description of the present embodiment. The program is read and executed by the CPU 911.

In the description of this embodiment, the file group 924 includes “determination of”, “calculation of”, “comparison of”, “collation of”, “reference of”, “search of”, “Extract”, “examine”, “generate”, “set”, “register”, “select”, “input”, “receive”, “to” Information, data, signal values, variable values, and parameters indicating the results of the processing described as “determination of”, “definition of”, “calculation of”, “update of”, “registration of”, etc. , “File” and “database” are stored as items.
The “file” and “database” are stored in a recording medium such as a disk or a memory.
Information, data, signal values, variable values, and parameters stored in a storage medium such as a disk or memory are read out to the main memory or cache memory by the CPU 911 via a read / write circuit.
The read information, data, signal values, variable values, and parameters are extracted, searched, referenced, compared, computed, calculated, processed, edited, output, printed, displayed, controlled, determined, identified, detected, identified. Used for CPU operations such as selection, calculation, derivation, update, generation, acquisition, notification, instruction, judgment, distinction, distinction, deletion, registration, and grant.
Extraction / Search / Reference / Comparison / Calculation / Processing / Edit / Output / Print / Display / Control / Judgment / Identification / Detection / Distinction / Selection / Calculation / Derivation / Update / Generation / Acquisition / Notification / Instruction / Judgment / Information, data, signal values, variable values, and parameters are temporarily stored in a main memory, a register, a cache memory, a buffer memory, and the like during CPU operations such as discrimination, deletion, registration, and assignment.
In addition, the arrows in the flowchart described in this embodiment mainly indicate input / output of data and signals.
Data and signal values are recorded on a recording medium such as a memory of the RAM 914, a flexible disk of the FDD 904, a compact disk of the CDD 905, a magnetic disk of the magnetic disk device 920, other optical disks, a mini disk, and a DVD.
Data and signals are transmitted online via a bus 912, signal lines, cables, or other transmission media.

In addition, what is described as “˜unit” in the description of the present embodiment may be “˜circuit”, “˜device”, “˜device”, and “˜step”, “˜”. “Procedure” and “˜Process” may be used.
That is, the information processing method according to the present invention can be realized by the steps, procedures, and processes shown in the flowchart described in this embodiment.
Further, what is described as “˜unit” may be realized by firmware stored in the ROM 913.
Alternatively, it may be implemented only by software, or only by hardware such as elements, devices, substrates, and wirings, by a combination of software and hardware, or by a combination of firmware.
Firmware and software are stored as programs in a recording medium such as a magnetic disk, a flexible disk, an optical disk, a compact disk, a mini disk, and a DVD.
The program is read by the CPU 911 and executed by the CPU 911.
In other words, the program causes the computer to function as “to part” of the present embodiment. Alternatively, the procedure or method of “˜unit” in the present embodiment is executed by a computer.

As described above, the target-type attack countermeasure device 101 shown in this embodiment includes a CPU as a processing device, a memory as a storage device, a magnetic disk, a keyboard as an input device, a mouse, a communication board, a display device as an output device, and a communication device. A computer including a board or the like.
Then, as described above, the functions indicated as “˜units” are realized using these processing devices, storage devices, input devices, and output devices.

  101 Target Attack Countermeasure Device, 102 Terminal Device, 103 Proxy, 104 Firewall, 105 Internet, 106 Intra-organizational Network, 111 Receiving Unit, 112 Transmitting Unit, 113 Authentication Unit, 114 Judgment Unit, 115 Authentication Management DB, 116 URL Access History DB, 121 transfer unit, 201 authentication management DB table, 301 valid address information table, 901 display device, 902 keyboard, 903 mouse, 904 FDD, 905 compact disk device, 911 CPU, 912 bus, 913 ROM, 914 RAM, 915 communication Board, 920 magnetic disk unit, 921 operating system, 922 window system, 923 program group, 924 file group.

Claims (14)

A legitimate address storage unit that stores at least one legitimate address information indicating a legitimate address that is an authorized address;
Any valid address information in which an access command indicating an access destination address that is an access destination address that the terminal device attempts to access is received, and the access destination address indicated in the received access command is stored in the valid address storage unit An address determination unit that determines whether or not it matches the valid address shown in FIG.
Access command determination for determining whether or not the terminal device is transmitting the access command by a human operation when the address determination unit determines that the access destination address does not match any of the valid addresses An access determination device. The access command determination unit
Generate an inquiry message for making an inquiry to the terminal device in a format that cannot be understood by anyone other than humans, and send the generated inquiry message to the terminal device.
When response information indicating a response from the terminal device is received in response to the transmitted inquiry message, and the response indicated in the received response information is an appropriate response to the inquiry message, It is determined that the terminal device is transmitting the access command,
2. The apparatus according to claim 1, wherein when the response indicated by the received response information is not an appropriate response to the inquiry message, the terminal device determines that the access command is not transmitted by a human operation. The access determination device according to the description. The access command determination unit
When it is determined by the address determination unit that the access destination address matches any of the valid addresses, or when it is determined that the terminal device is transmitting the access command by a human operation, the terminal device Permit access to the access address;
3. The access according to claim 1, wherein when the terminal device determines that the access command is not transmitted by a human operation, the terminal device is prohibited from accessing the access destination address. Judgment device. The access command determination unit
Any one of Claims 1-3 which determines whether the said terminal device is transmitting the said access command by human operation using the CAPTCHA (Completely Automated Public Testing to tell Computers and Humans Apart) technique. Or an access determination device. The access command determination unit
4. The access determination device according to claim 1, wherein the terminal device determines whether or not the terminal device is transmitting the access command by a human operation using a one-time password technique. The access determination device further includes:
A legitimate address information updating unit for deleting legitimate address information indicating a legitimate address that is rarely determined to be coincident with the access destination address by the address determination unit among the legitimate address information stored in the legitimate address storage unit; The access determination apparatus according to claim 1, further comprising: The valid address storage unit
Storing at least one legitimate address information in which the legitimate address and the last judgment time determined when the legitimate address matches the access destination address by the address determination unit are associated with each other;
The valid address information update unit
7. The valid address information indicating a final determination time that is older than a time that is set in advance by a preset effective period from the predetermined time is deleted from the valid address storage unit at a predetermined time. Access determination device. The valid address storage unit
Storing at least one legitimate address information in which the legitimate address and the cumulative determination number determined by the address determination unit to match the access destination address are associated with each other;
The valid address information update unit
The access determination apparatus according to claim 6, wherein valid address information indicating a determination count smaller than a predetermined determination count threshold is deleted from the valid address storage unit. The valid address information update unit
For each legitimate address information stored by the legitimate address storage unit, a judgment frequency is determined that the legitimate address is determined to match the access destination address by the address judgment unit during a predetermined period. The access determination apparatus according to claim 6, wherein valid address information indicating a determination frequency lower than a set determination frequency threshold is deleted from the valid address storage unit. The valid address storage unit
The first address that is determined first when the valid address matches the access destination address by the address determination unit, and the last time that is determined last by the address determination unit when the valid address matches the access destination address. Storing at least one legitimate address information in which the judgment time and the cumulative judgment number at which the legitimate address is determined to match the access destination address are associated with each other by the address judgment unit;
The valid address information update unit
For each valid address information stored by the valid address storage unit, a determination frequency that is a value obtained by dividing the total number of determinations by the predetermined period, with the time from the initial determination time to the final determination time being the predetermined period. The access determination apparatus according to claim 9, wherein the access determination apparatus performs calculation. The access command determination unit
The access destination address determined by the address determination unit to be inconsistent with any of the valid addresses, and the access destination address indicated in the access command determined that the terminal device is transmitting the access command by a human operation The access determination apparatus according to claim 1, wherein valid address information indicating a valid address is stored in the valid address storage unit. The access command determination unit
When the terminal device does not receive response information for the inquiry message from the terminal device within a predetermined time after the inquiry message is transmitted to the terminal device, the terminal device performs the access by a human operation. 3. The access determination apparatus according to claim 2, wherein it is determined that a command has not been transmitted. A legitimate address storage step in which the computer stores at least one legitimate address information indicating a legitimate address that is an authorized address;
The computer receives an access command indicating an access destination address that is an access destination address to which the terminal device tries to access, and the access destination address indicated in the received access command is stored in any one of the predetermined storage areas An address determination step for determining whether or not the address matches the correct address indicated in the correct address information;
When the computer determines that the access address does not match any of the valid addresses in the address determination step, the computer determines whether or not the terminal device is transmitting the access command by a human operation An access determination method comprising: an access command determination step. A legitimate address storage step of storing at least one legitimate address information indicating a legitimate address which is an address authenticated as legitimate in a predetermined storage area;
Any valid address information in which an access command indicating an access destination address that is an access destination address that the terminal device tries to access is received, and the access destination address indicated in the received access command is stored in the predetermined storage area An address determination step for determining whether or not it matches the valid address shown in FIG.
Access command determination for determining whether or not the terminal device transmits the access command by a human operation when it is determined in the address determination step that the access destination address does not match any of the valid addresses A program that causes a computer to execute the steps.

Images