JP5709448B2 - Access analysis device, access analysis method, and access analysis program - Google Patents

Description

  The present invention relates to an access analysis device, an access analysis method, and an access analysis program. The present invention particularly relates to a method for acquiring visitor information in a capture type web (Web) analysis system.

  Conventionally, there are mainly three types of web analysis technologies: an access log type, a beacon (tag) type, and a capture (packet capture) type. Among these, in the capture-type web analysis technology, the packet capture device captures all packets flowing on the network connecting the web server to the outside. Then, the access analysis device restores HTTP (Hypertext Transfer Protocol) communication from the packet captured by the packet capture device, and performs access analysis by analyzing the HTTP communication (see, for example, Patent Document 1).

JP 2009-181459 A

In the conventional capture-type web analysis technology, a visitor (user) is identified using, for example, a cookie that is valid for a long period of time. This method has the following problems, making it difficult to identify visitors.
-Users do not always access from the same browser on the same terminal.
・ Some users prohibit cookies.
・ Many sites do not use cookies that are valid for a long time.

  As described in Patent Document 1, the access analysis device restores the HTTP response from the packet captured by the packet capture device, and extracts individual setting data individually set for the user from the restored HTTP response. There is also a method used to identify visitors. However, in this method, it is necessary to include individual setting data in the HTTP response.

  The present invention uses a communication identification information for identifying a communication between an individual user terminal and a web server, such as an IP (Internet Protocol) address and cookie information, for example, to more reliably identify a visitor. The purpose is to do.

An access analysis device according to one aspect of the present invention includes:
To identify communications between individual user terminals and the web server from a packet capture device that collects and stores packets transmitted and received between a plurality of user terminals and a web server that distributes web pages to each user terminal Is a packet group including communication identification information, and sequentially acquires a packet group carrying an HTTP message used for transmission / reception of a web page, and restores the HTTP message from the acquired packet group by a processing device When,
When the message restoration unit restores the first message, which is an HTTP message including user identification information for identifying an individual user, and is an HTTP message transmitted to the web server to request authentication, An information acquisition unit for acquiring user identification information included in the first message by a processing device;
When an HTTP message transmitted from the web server to notify the success of authentication requested by the first message is restored by the message restoration unit, the message restoration unit restores the first message; An information storage unit that acquires the communication identification information included in the packet group that has been acquired by the processing device, and stores the acquired communication identification information in association with the user identification information acquired by the information acquisition unit in the storage device;
For each user identification information stored by the information storage unit, an access log storage unit that stores a user access log identified by the user identification information in a storage device;
A second message which is an HTTP message transmitted to the web server to request access to a web page from a packet group including the same communication identification information as the communication identification information stored by the information storage unit is the message restoration. The access log stored by the access log storage unit corresponding to the user identification information stored in association with the communication identification information by the information storage unit is requested by the second message. An access information recording unit that records access information indicating access to the web page by the processing device.

  The access information recording unit includes the second message for both the HTTP message transmitted to the web server before the first message and the HTTP message transmitted to the web server after the first message. The corresponding HTTP message is the processing target.

  The communication identification information includes at least one of an IP address and cookie information.

In the access analysis method according to one aspect of the present invention,
A processing device of a computer collects and stores packets transmitted and received between a plurality of user terminals and a web server that distributes web pages to each user terminal, from an individual user terminal and the web server Is a packet group including communication identification information for identifying the communication, and sequentially acquires a packet group carrying an HTTP message used for transmission / reception of a web page, and restores the HTTP message from the acquired packet group. ,
When the computer processing apparatus restores a first message that is an HTTP message including user identification information for identifying an individual user and is an HTTP message transmitted to the web server to request authentication, Obtaining user identification information included in the first message;
When the processing device of the computer restores the HTTP message transmitted from the web server in order to notify the success of the authentication requested by the first message, the packet group from which the first message is restored The communication identification information included is acquired, and the storage device of the computer stores the acquired communication identification information and user identification information in association with each other,
A storage device of the computer stores a user access log identified by the user identification information for each stored user identification information,
The processing device of the computer restored the second message, which is an HTTP message sent to the web server in order to request access to the web page, from the packet group including the same communication identification information as the stored communication identification information. In this case, the access information indicating the access to the web page requested by the second message is recorded in the access log corresponding to the user identification information stored in association with the communication identification information.

An access analysis program according to one aspect of the present invention includes:
To identify communications between individual user terminals and the web server from a packet capture device that collects and stores packets transmitted and received between a plurality of user terminals and a web server that distributes web pages to each user terminal Message recovery processing in which a packet group including communication identification information is sequentially acquired, and a packet group on which an HTTP message used for transmission / reception of a web page is loaded is acquired, and the HTTP message is recovered from the acquired packet group by a processing device When,
When an HTTP message including user identification information for identifying an individual user and the first message that is an HTTP message transmitted to the web server to request authentication is restored by the message restoration process, Information acquisition processing for acquiring user identification information included in the first message by a processing device;
When an HTTP message transmitted from the web server to notify the success of authentication requested by the first message is restored by the message restoration process, the message restoration process restores the first message; An information storage process for acquiring communication identification information included in the packet group, and storing the acquired communication identification information in association with the user identification information acquired by the information acquisition process in a storage device;
For each user identification information stored by the information storage process, an access log storage process for storing an access log of a user identified by the user identification information in a storage device;
A second message which is an HTTP message transmitted to the web server to request access to a web page from a packet group including the same communication identification information as the communication identification information stored by the information storing process is the message restoration. When restored by the process, the access log stored by the access log storage process corresponding to the user identification information stored in association with the communication identification information by the information storage process is requested by the second message. The computer is caused to execute access information recording processing for recording access information indicating access to the web page by the processing device.

  In the access information recording process, both the HTTP message transmitted to the web server before the first message and the HTTP message transmitted to the web server after the first message are included in the second message. The corresponding HTTP message is the processing target.

  The communication identification information includes at least one of an IP address and cookie information.

  According to one aspect of the present invention, visitor identification is more reliably performed using communication identification information such as an IP address and cookie information for identifying communication between an individual user terminal and a web server. Can be done.

FIG. 4 is a diagram illustrating an example of a usage pattern of the access analysis device according to the first embodiment. FIG. 3 shows an example of a web page displayed on the web browser screen in the first embodiment. FIG. 3 shows an example of HTTP communication in the first embodiment. FIG. 3 shows an example of a web page displayed on the web browser screen in the first embodiment. FIG. 3 shows an example of HTTP communication in the first embodiment. FIG. 3 shows an example of a web page displayed on the web browser screen in the first embodiment. FIG. 2 is a block diagram showing a configuration of an access analysis device according to the first embodiment. FIG. 3 is a diagram illustrating an example of hardware resources of the access analysis apparatus according to the first embodiment. 5 is a flowchart showing the operation of the access analysis apparatus according to the first embodiment. 10 is a flowchart showing the operation of the access analysis apparatus according to the second embodiment.

  Hereinafter, embodiments of the present invention will be described with reference to the drawings.

Embodiment 1 FIG.
FIG. 1 is a diagram illustrating an example of a usage pattern of an access analysis device 100 according to the present embodiment.

  In FIG. 1, a plurality of user terminals 201 are computers used by the user, and operate a web browser for the user to browse web pages. The user terminal 201 is, for example, a PC (personal computer).

  The web server 202 is a server computer that realizes a website composed of a plurality of web pages, and delivers the web page to each user terminal 201. In the following, for the sake of simplification of description, as long as one web site is realized, even when there are two or more server computers, they are collectively considered as one web server 202. In addition to HTTP servers that simply provide HTML (Hyper Text Markup Language) files, Web application servers that have a login authentication function and database processing function necessary for providing electronic commerce services on a website are also summarized. Assume that one web server 202 is considered. Here, a server computer that is a combination of hardware and software and a server program that is only software are not strictly distinguished (in either case, they are referred to as the web server 202).

  Each user terminal 201 and the web server 202 perform IP communication via the Internet 203. In IP communication, each user terminal 201 transmits an IP packet 211 to the web server 202 via the Internet 203. Similarly, the web server 202 transmits an IP packet 212 to each user terminal 201 via the Internet 203. The web browser and web server 202 operating on each user terminal 201 perform HTTP communication using IP communication. That is, the web browser and the web server 202 exchange IP packets 211 and 212 carrying HTTP messages used for transmission and reception of web pages.

  Here, FIG. 2 shows an example of a web page 311 displayed on the web browser screen 301 of the user terminal 201 when the user is not logged in. FIG. 3 shows an example of HTTP communication for acquiring the web page 311 by a web browser operating on the user terminal 201. In HTTP communication, the web browser transmits an HTTP request 401, which is a kind of HTTP message, to the web server 202. In response to the HTTP request 401, the web server 202 returns an HTTP response 402, which is a kind of HTTP message, to the user terminal 201.

  In FIG. 3, the user inputs the URL 321 (Uniform / Resource / Locator) of the web page 311 on the web browser screen 301 (clicks a link in another web page being browsed on the web browser screen 301, etc.) When requesting access to the web page 311, another method may be used), the web browser generates an HTTP request 401 including the URL data 411 of the web page 311. The user terminal 201 transmits an HTTP request 401 on the IP packet 211 to the web server 202.

  When the web server 202 receives the IP packet 211 carrying the HTTP request 401 from the user terminal 201, the web server 202 identifies the web page 311 requested by the user to access based on the URL data 411 included in the HTTP request 401, An HTTP response 402 including page data 412 of the page 311 is generated. The page data 412 may be static data, but here, it is assumed that the web server 202 dynamically adds specific display data 413 to the page data 412. The web server 202 replies to the user terminal 201 with an HTTP response 402 including the page data 412 to which the specific display data 413 is added on the IP packet 212.

  When the user terminal 201 receives the IP packet 212 carrying the HTTP response 402 from the web server 202, the web browser operating on the user terminal 201 changes the web page 311 to the web page 311 based on the page data 412 included in the HTTP response 402. It is displayed on the browser screen 301. As shown in FIG. 2, for example, a web browser, a particular display data 413 added to the page data 412, and displays a portion of a web page 311 as a specific character string 322 of "hello.". In addition, the web browser displays a product category menu 323 handled by the website on a part of the web page 311. The web browser displays in the menu 323 a link 324 to the product sales web page of each product category.

  FIG. 4 shows an example of a web page 312 displayed on the web browser screen 301 of the user terminal 201 immediately after the user logs in. FIG. 5 shows an example of HTTP communication for acquiring the web page 312 by a web browser operating on the user terminal 201.

  In FIG. 5, the user inputs a combination of a user ID (identifier) and a password set in advance on the website into a form in the web page for login authentication being browsed on the web browser screen 301, and the website When requesting login to, the web browser generates an HTTP request 401 including the input user ID and password as authentication data 414. The user terminal 201 transmits an HTTP request 401 on the IP packet 211 to the web server 202. Here, the user ID is an example of user identification information for identifying individual users. The password is an example of authentication information that is stored in association with the user identification information in the web server 202 and verified for user authentication. For example, the user may input other types of authentication information such as a password or biometric information instead of a password. In this case, the authentication data 414 includes the authentication information together with the user ID.

  When the web server 202 receives the IP packet 211 carrying the HTTP request 401 from the user terminal 201, the web server 202 authenticates the user based on the authentication data 414 included in the HTTP request 401. Specifically, the web server 202 reads a password corresponding to the user ID included in the authentication data 414 from a database or the like, and checks whether the read password matches the password included in the authentication data 414. If the passwords match, the authentication has succeeded, and if the passwords do not match, the authentication has failed.

  When the user authentication is successful (which means that the user has logged in), the web server 202 generates an HTTP response 402 including the page data 412 of the web page 312 displayed by default for the logged-in user. The page data 412 may be static data, but here, it is assumed that the web server 202 adds individual setting data of the logged-in user to the page data 412. The individual setting data is individually set for the user (that is, information that can distinguish the user), and is, for example, user attribute data. Here, it is assumed that the web server 202 adds user name data 415 to the page data 412 as attribute data of the logged-in user. In addition to the attribute data, the web server 202 also includes a user ID, user point data (data recording points given to users who have purchased products on the website, etc.), user purchase history data (users on the website) Page, etc.), user preference data (link 324 to a web page dynamically generated according to the user's preference estimated by the product purchased by the user on the website), etc. It may be added to the data 412. The web server 202 replies to the user terminal 201 with an HTTP response 402 including the page data 412 to which the attribute data of the logged-in user is added added to the IP packet 212.

  When the user terminal 201 receives the IP packet 212 carrying the HTTP response 402 from the web server 202, the web browser operating on the user terminal 201 displays the web page 312 based on the page data 412 included in the HTTP response 402. It is displayed on the browser screen 301. As shown in FIG. 4, for example, a web browser, a particular display data 413 added to the page data 412, and displays a portion of a web page 312 as a specific character string 322 of "hello,". Further, the web browser displays the specific display data 416 added to the page data 412 as a specific character string 326 “san” on a part of the web page 312. Furthermore, the web browser changes the name 325 of the user “Taro Yamada” after the specific character string 322 (an example of a predetermined relative position) based on the user name data 415 added to the page data 412, or It is displayed between the specific character string 322 and the specific character string 326 (a range starting from the specific character string 322 and ending with the specific character string 326). Further, the web browser displays the web page 312 in which the user ID and the purchase history data of the user are embedded (as a hidden parameter or the like) based on other attribute data added to the page data 412. Alternatively, the web browser displays the user's point data on a part of the web page 312. Alternatively, the web browser displays a menu 323 including a link 324 that is user preference data on a part of the web page 312.

  FIG. 6 shows an example of a web page 313 displayed on the web browser screen 301 of the user terminal 201 while the user is logged in.

  Although not shown, when a logged-in user requests access to the web page 313 using the method described above, such as inputting the URL 321 of the web page 313 on the web browser screen 301, the web browser displays the web page. An HTTP request 401 including the URL data 411 of the page 313 is generated. At this time, the web browser adds data (user ID, data indicating that the user is logged in, etc.) written in the cookie when the user logs in to the website to the HTTP request 401. The user terminal 201 transmits an HTTP request 401 on the IP packet 211 to the web server 202.

  When the web server 202 receives the IP packet 211 carrying the HTTP request 401 from the user terminal 201, the web server 202 specifies the web page 313 requested by the user based on the URL data 411 included in the HTTP request 401, An HTTP response 402 including page data 412 of the page 313 is generated. As described above, the page data 412 may be static data, but here, the web server 202 adds specific display data 413 and 416 and user name data 415 to the page data 412. And The web server 202 may further add other attribute data to the page data 412. The web server 202 places an HTTP response 402 on the IP packet 212 and returns it to the user terminal 201.

  When the user terminal 201 receives the IP packet 212 carrying the HTTP response 402 from the web server 202, the web browser operating on the user terminal 201 changes the web page 313 to the web based on the page data 412 included in the HTTP response 402. It is displayed on the browser screen 301.

  When the web page 311 shown in FIG. 2 and the web page 312 shown in FIG. 4 are compared, the URL 321 and the displayed content are the same, but the upper part of the web page 311 shown in FIG. While only the specific character string 322 is displayed, the upper part of the web page 312 shown in FIG. 4 displays the name 325 of the currently logged-in user in addition to the specific character string 322. ing. Further, when the web page 312 shown in FIG. 4 is compared with the web page 313 shown in FIG. 6, the URL 321 and the displayed content are different, but the upper part of each of the web pages 312 and 313 is specified. In addition to the character string 322, the name 325 of the currently logged-in user is displayed. Thus, in the website in the above example, when the user logs in, the user name 325 is displayed in a common format at the top of each web page.

  In FIG. 1, a network device 204 is a communication device connected between the web server 202 and the Internet 203, and an IP packet 211 transmitted from each user terminal 201 to the web server 202 via the Internet 203, and a web The IP packet 212 transmitted from the server 202 to each user terminal 201 via the Internet 203 is relayed. The network device 204 also outputs all IP packets 211 and 212 to be relayed from the mirror port. The network device 204 is, for example, a switching hub or a router.

  The packet capture device 205 is a computer connected to the mirror port of the network device 204. The packet capture device 205 collects a plurality of IP packets 211 and 212 output from the mirror port of the network device 204 and stores them in a recording medium such as a hard disk. That is, the packet capture device 205 collects and stores IP packets 211 and 212 transmitted and received between each user terminal 201 and the web server 202.

  The access analysis device 100 is a computer connected to the packet capture device 205. The access analysis device 100 analyzes a plurality of IP packets 211 and 212 stored in the recording medium by the packet capture device 205, thereby analyzing an action for each user in the website. The access analysis device 100 may incorporate a packet capture device 205. Specifically, the access analysis device 100 may be a computer that executes a program having the function of the packet capture device 205.

  FIG. 7 is a block diagram illustrating a configuration of the access analysis device 100.

  7, the access analysis apparatus 100 includes a message restoration unit 101, an information acquisition unit 102, an information storage unit 103, an access log storage unit 104, an access information recording unit 105, and an access analysis unit 106. The operation of each part of the access analysis device 100 will be described later using a flowchart.

  The access analysis device 100 includes hardware such as a processing device 151, a storage device 152, an input device 153, and an output device 154. The hardware is used by each unit of the access analysis device 100. For example, the processing device 151 is used to perform calculation, processing, reading, writing, and the like of data and information in each unit of the access analysis device 100. The storage device 152 is used to store the data and information. The input device 153 is used to input the data and information, and the output device 154 is used to output the data and information.

  FIG. 8 is a diagram illustrating an example of a hardware configuration of the access analysis device 100.

  In FIG. 8, an access analysis apparatus 100 is a computer, and includes an LCD 901 (Liquid / Crystal / Display), a keyboard 902 (K / B), a mouse 903, an FDD 904 (Flexible / Disk / Drive), and a CDD 905 (Compact / Disk / Drive). ) And a hardware device such as a printer 906. These hardware devices are connected by cables and signal lines. Instead of the LCD 901, a CRT (Cathode / Ray / Tube) or other display device may be used. Instead of the mouse 903, a touch panel, a touch pad, a trackball, a pen tablet, or other pointing devices may be used.

  The access analysis apparatus 100 includes a CPU 911 (Central Processing Unit) that executes a program. The CPU 911 is an example of the processing device 151. The CPU 911 includes a ROM 913 (Read / Only / Memory), a RAM 914 (Random / Access / Memory), a communication board 915, an LCD 901, a keyboard 902, a mouse 903, an FDD 904, a CDD 905, a printer 906, and an HDD 920 (Hard / Disk) via a bus 912. Connected with Drive) to control these hardware devices. Instead of the HDD 920, a flash memory, an optical disk device, a memory card reader / writer, or other storage medium may be used.

  The RAM 914 is an example of a volatile memory. The ROM 913, the FDD 904, the CDD 905, and the HDD 920 are examples of nonvolatile memories. These are examples of the storage device 152. The communication board 915, the keyboard 902, the mouse 903, the FDD 904, and the CDD 905 are examples of the input device 153. The communication board 915, the LCD 901, and the printer 906 are examples of the output device 154.

  The communication board 915 is connected to a LAN (Local / Area / Network) or the like. The communication board 915 is not limited to a LAN, but is an IP-VPN (Internet, Protocol, Private, Network), a wide area LAN, an ATM (Asynchronous / Transfer / Mode) network, a WAN (Wide / Area / Network), or the Internet. 203 may be connected. LAN, WAN, and the Internet 203 are examples of networks.

  The HDD 920 stores an operating system 921 (OS), a window system 922, a program group 923, and a file group 924. The programs in the program group 923 are executed by the CPU 911, the operating system 921, and the window system 922. The program group 923 includes programs that execute the functions described as “˜units” in the description of the present embodiment. The program is read and executed by the CPU 911. The file group 924 includes data, information, and signal values described as “˜data”, “˜information”, “˜ID (identifier)”, “˜flag”, and “˜result” in the description of this embodiment. And variable values and parameters are included as items of “˜file”, “˜database”, and “˜table”. The “˜file”, “˜database”, and “˜table” are stored in a storage medium such as the RAM 914 or the HDD 920. Data, information, signal values, variable values, and parameters stored in a storage medium such as the RAM 914 and the HDD 920 are read out to the main memory and the cache memory by the CPU 911 via a read / write circuit, and extracted, searched, referenced, compared, and calculated. It is used for processing (operation) of the CPU 911 such as calculation, control, output, printing, and display. During the processing of the CPU 911 such as extraction, search, reference, comparison, calculation, calculation, control, output, printing, and display, data, information, signal values, variable values, and parameters are temporarily stored in the main memory, cache memory, and buffer memory. Remembered.

  The arrows in the block diagrams and flowcharts used in the description of this embodiment mainly indicate input / output of data and signals. Data and signals are recorded in memory such as RAM 914, FDD904 flexible disk (FD), CDD905 compact disk (CD), HDD920 magnetic disk, optical disk, DVD (Digital Versatile Disc), or other recording media Is done. Data and signals are transmitted by a bus 912, a signal line, a cable, or other transmission media.

  In the description of the present embodiment, what is described as “to part” may be “to circuit”, “to device”, “to device”, and “to step”, “to process”, “to”. ~ Procedure "," ~ process ". That is, what is described as “˜unit” may be realized by firmware stored in the ROM 913. Alternatively, what is described as “˜unit” may be realized only by software, or only by hardware such as an element, a device, a board, and wiring. Alternatively, what is described as “to part” may be realized by a combination of software and hardware, or a combination of software, hardware and firmware. Firmware and software are stored as programs in a recording medium such as a flexible disk, a compact disk, a magnetic disk, an optical disk, and a DVD. The program is read by the CPU 911 and executed by the CPU 911. That is, the program causes the computer to function as “to part” described in the description of the present embodiment. Or a program makes a computer perform the procedure and method of "-part" described by description of this Embodiment.

  FIG. 9 is a flowchart showing the operation of the access analysis apparatus 100 (access analysis method according to the present embodiment, processing procedure of the access analysis program according to the present embodiment).

  In step S101 (part of message restoration processing), the message restoration unit 101 includes communication identification information for identifying communication between the individual user terminal 201 and the web server 202 from the packet capture device 205, and transmits an HTTP message. Packet groups placed one by one are acquired sequentially.

  A packet group transmitted from each user terminal 201 to the web server 202 includes a plurality of IP packets 211. Each IP packet 211 includes the IP address and port number of the transmission source. An IP address or a combination of an IP address and a port number is an example of communication identification information.

  A packet group transmitted from each user terminal 201 to the web server 202 includes an HTTP request 401 as an HTTP message. The HTTP request 401 includes user agent information, cookie information, and the like. User agent information, cookie information, and the like are also examples of communication identification information. Here, the user agent information is information indicating the type (program name, version, etc.) of the web browser operating on the user terminal 201 that is the transmission source of the HTTP request 401. The cookie information is information that the web server 202 writes in the cookie, and is information for identifying the user, such as a user ID, for example. The cookie is transmitted from the web server 202 when the user accesses the website, and is stored by the web browser operating on the user terminal 201. The cookie information is transmitted from the web browser operating on the user terminal 201 to the web server 202 if the cookie is already stored when the user accesses the website.

  A packet group transmitted from the web server 202 to each user terminal 201 includes a plurality of IP packets 212. Each IP packet 212 includes the IP address and port number of the transmission source. As described above, an IP address or a combination of an IP address and a port number is an example of communication identification information.

  In step S102 (part of the message restoration process), the message restoration unit 101 restores the HTTP message transmitted in the packet group from the packet group acquired in step S101 by the processing device 151. At this time, the message restoration unit 101 preferably stores the packet group in the storage device 152 in association with the HTTP request 401. Thereby, in step S107 described later, the information storage unit 103 can efficiently acquire the communication identification information included in the packet group. Similarly, in step S109 described later, the message restoration unit 101 can efficiently refer to the communication identification information included in the packet group.

  In step S103 (part of the message restoration process), the message restoration unit 101 determines the type of the HTTP message restored in step S102 by the processing device 151 (for example, by referring to the header). If the restored HTTP message is an HTTP request 401, the process proceeds to step S104. If the restored HTTP message is an HTTP response 402, the process proceeds to step S106.

  In step S104 (part of the message restoration process), the message restoration unit 101 determines that the HTTP request 401 restored in step S102 includes the user identification information and is transmitted to the web server 202 to request authentication. The processing device 151 determines whether the message is (first message). Specifically, the message restoration unit 101 determines whether or not the restored HTTP request 401 includes authentication data 414 including a user ID and a password. If authentication data 414 is included in the restored HTTP request 401, the process proceeds to step S105, and if authentication data 414 is not included, the process proceeds to step S109.

  In step S105 (information acquisition process), the information acquisition unit 102 acquires the user identification information included in the HTTP request 401 (first message) restored by the message restoration unit 101 in step S102 by the processing device 151. Specifically, the information acquisition unit 102 acquires a user ID as user identification information, and stores the acquired user ID in the storage device 152 as temporary data. Then, it returns to step S101.

  As described above, when receiving the HTTP request 401 (first message) including the authentication data 414 from the user terminal 201, the web server 202 authenticates the user based on the authentication data 414. When the user authentication is successful, the web server 202 includes the page data 412 of the web page 312 displayed by default for the logged-in user (including individual setting data of the logged-in user). A response 402 is generated and transmitted to the user terminal 201. That is, when the authentication requested by the HTTP request 401 (first message) is successful, the web server 202 transmits an HTTP response 402 for notifying the success of the authentication to the user terminal 201.

  In step S106 (part of the message restoration process), the message restoration unit 101 determines whether the HTTP response 402 restored in step S102 is the HTTP response 402 transmitted from the web server 202 to notify the success of the authentication. Is determined by the processing device 151. Specifically, the message restoration unit 101 determines whether or not the restored HTTP response 402 includes individual setting data of the logged-in user. If the restored HTTP response 402 includes the individual setting data of the logged-in user, the process proceeds to step S107. If the individual setting data of the logged-in user is not included, the process returns to step S101. When returning to step S101, the information acquisition unit 102 deletes the user ID stored as temporary data in the storage device 152.

  In step S106, instead of determining whether the restored HTTP response 402 includes the individual setting data of the logged-in user, the message restoration unit 101 includes an error message indicating an authentication failure. It may be determined whether or not there is. In this case, if no error message is included in the restored HTTP response 402, the process proceeds to step S107, and if an error message is included, the process returns to step S101.

  In step S107 (information storage processing), the information storage unit 103 is the source from which the message restoration unit 101 restores the HTTP request 401 (first message) corresponding to the HTTP response 402 restored by the message restoration unit 101 in step S102. The communication device 151 acquires the communication identification information included in the packet group. Then, the information storage unit 103 stores the acquired communication identification information and the user identification information acquired by the information acquisition unit 102 in association with each other in the storage device 152. Specifically, the information storage unit 103 uses, as communication identification information, at least one or at least one of an IP address and cookie information (IP address or a combination of an IP address and a port number and cookie information). (A combination with user agent information and the like) is acquired and stored in a database (user ID table) implemented in the storage device 152. Then, the information storage unit 103 stores the user ID stored as temporary data in the storage device 152 by the information acquisition unit 102 as the user ID corresponding to the IP address or the cookie information as formal data in the database. At this time, the user ID stored as temporary data in the storage device 152 is deleted.

  Here, if it is not the first time that the user logs in to the website, at the time of the previous login, the information storage unit 103 associates the IP address or cookie information with the user ID and stores them in the database (user ID table). Will be. In this case, in step S107, if the IP address or cookie information already stored in the database is different from the IP address or cookie information acquired this time, the information storage unit 103 updates the former with the latter. That is, the information storage unit 103 stores the IP address and cookie information acquired this time in the database in association with the user ID instead of the IP address and cookie information stored in the previous database.

  In step S105, when the information acquisition unit 102 acquires the user ID from the authentication data 414 included in the HTTP request 401 (first message), the information storage unit 103 transmits the HTTP request 401 to the message restoration unit 101. The IP address and cookie information included in the packet group that is the source of restoration may be acquired by the processing device 151 and stored as temporary data in the storage device 152. In this case, in step S107, the information storage unit 103 simply acquires temporary data such as an IP address and cookie information from the storage device 152, and stores it again in the database (user ID table) as formal data. At this time, the IP address and cookie information stored as temporary data in the storage device 152 are deleted.

  In step S105, the information acquisition unit 102 acquires a user ID from the authentication data 414 included in the HTTP request 401 (first message), and stores the acquired user ID as temporary data in a database (user ID table). Also good. At this time, the information storage unit 103 further acquires the IP address and cookie information included in the packet group from which the message restoration unit 101 restores the HTTP request 401, and stores temporary data in the database (user ID table). May be stored in association with the user ID. In this case, in step S107, the information storage unit 103 may simply update the temporary data of the IP address and cookie information stored in the database (user ID table) and the user ID to formal data (for example, the data is temporarily stored). Update the flag indicating whether the data is official or official data). In step S109 described later, the temporary data is ignored.

  In step S108 (access log storage processing), the access log storage unit 104 determines, for each user identification information stored by the information storage unit 103 in step S107, a user access log (access history information) identified by the user identification information. Is stored in the storage device 152. Specifically, the access log storage unit 104 displays a page in the HTTP response 402 restored by the message restoration unit 101 in step S102 as an access log corresponding to the user ID stored in the database (user ID table) in step S107. Data in which the URL 321 of the web page 312 including the data 412 is recorded is stored in the storage device 152. Then, it returns to step S101.

  Here, if it is not the first time that the user logs in to the website, the access log storage unit 104 has already stored the access log of the user in the storage device 152 at the previous login. In this case, in step S108, the access log storage unit 104 records the URL 321 or the like of the web page 312 in which the page data 412 is included in the HTTP response 402 restored this time, in the access log already stored in the storage device 152. .

  In step S109 (part of the message restoration process), the message restoration unit 101 restores the HTTP request 401 restored in step S102 from a packet group including the same communication identification information as the communication identification information stored by the information storage unit 103. The processing device 151 determines whether the request is an HTTP request 401 (second message) transmitted to the web server 202 in order to request access to the web page. Specifically, the message restoration unit 101 matches the IP address and cookie information included in the packet group from which the HTTP request 401 is restored in step S102 with those already stored in the database (user ID table). Determine whether or not. If the IP address and cookie information match those already stored, the process proceeds to step S110. If not, the process returns to step S101.

  In step S110 (access information recording process), the access information recording unit 105 includes communication included in the packet group that is the source of restoring the HTTP request 401 in step S102 among the user identification information stored by the information storage unit 103. The processing device 151 acquires user identification information corresponding to the same communication identification information as the identification information (identified in step S109). Then, the access information recording unit 105 adds the HTTP request 401 (restored by the message restoration unit 101 in step S102) to the access log corresponding to the acquired user identification information among the access logs stored by the access log storage unit 104. The access information indicating the access to the web page requested by the second message is recorded by the processing device 151. Specifically, the access information recording unit 105 acquires, from the database (user ID table), the user ID corresponding to the IP address and cookie information included in the packet group from which the HTTP request 401 is restored in step S102. . Then, the access information recording unit 105 adds the URL 321 indicated by the URL data 411 included in the HTTP request 401 (second message) restored by the message restoration unit 101 in step S102 to the access log corresponding to the acquired user ID. Record. Then, it returns to step S101.

  In step S110, instead of updating the access log based on the HTTP request 401 (second message), the access information recording unit 105 updates the access log based on the HTTP response 402 corresponding to the HTTP request 401. May be. In this case, the access information recording unit 105 waits until the HTTP response 402 corresponding to the HTTP request 401 restored by the message restoration unit 101 in step S102 is transmitted to the user terminal 201 and restored by the message restoration unit 101. Then, the access information recording unit 105 records the URL 321 or the like of the web page whose page data 412 is included in the HTTP response 402 in the access log stored by the access log storage unit 104.

  Although not shown, in the access analysis process, the access analysis unit 106 analyzes the behavior of each user by the processing device 151 based on the access log stored by the access log storage unit 104.

  As described above, in the present embodiment, in the access analysis device 100, the message restoration unit 101 sequentially acquires packet groups including communication identification information from the packet capture device 205, and restores the HTTP message. If the HTTP message includes a user ID and is an HTTP request 401 (first message) for requesting authentication, the information acquisition unit 102 acquires the user ID. If the HTTP message is an HTTP response 402 for notifying the success of authentication, the information storage unit 103 associates the communication identification information included in the packet group in which the corresponding HTTP request 401 is restored with the user ID. Store. Thereafter, each time an HTTP request 401 (second message) having the same communication identification information is restored, the access information recording unit 105 updates the access log of the user ID. Thereby, in this Embodiment, it becomes possible to identify a visitor more reliably using communication identification information, and to record more visitor actions.

  As described above, in this embodiment, a site where a user logs in is targeted, and the user ID input by the user during login authentication is used for visitor identification.

  First, the access analysis device 100 acquires visitor identification information as follows.

  When the user inputs a user ID and password as login authentication, the input information is transmitted from the user terminal 201. The access analysis device 100 analyzes the information transmitted from the user terminal 201 and acquires a user ID. When the web server 202 returns a content indicating that the authentication is successful, the access analysis apparatus 100 analyzes the content and stores the IP address, user agent information, cookie information and the like together with the user ID in the user ID table.

  Next, the access analysis device 100 identifies visitors after login authentication as follows.

  When the user terminal 201 accesses the web server 202, the access analysis device 100 captures the IP address and cookie information, and acquires the user ID from the user ID table. Then, the access analysis apparatus 100 writes the access information in the access log corresponding to the acquired user ID.

  As described above, the access analysis apparatus 100 according to the present embodiment can identify a visitor by capture-type web analysis and perform more realistic web analysis. Further, the access analysis apparatus 100 according to the present embodiment can identify an individual permanently by using a user ID instead of simply identifying an individual at a certain moment. Although the IP address and cookie information vary depending on the terminal, in this embodiment, since the IP address and cookie information are mapped to the user ID at least during login, it is possible to identify an individual regardless of the terminal. In addition, the IP address and cookie information may change depending on the time even on the same terminal. However, in this embodiment, the IP address and cookie information are mapped to the user ID at least at the time of login. Can be identified. Furthermore, the access analysis apparatus 100 according to the present embodiment does not use the user ID as information for personal identification every time, but associates the user ID with other identification information (IP address or cookie information). Can be identified permanently (for example, if there is a user ID only in the information at the time of login, the second and subsequent communications may not have a user ID).

Embodiment 2. FIG.
In the present embodiment, differences from the first embodiment will be mainly described.

  FIG. 10 is a flowchart showing the operation of the access analysis apparatus 100 according to the present embodiment (the access analysis method according to the present embodiment, the processing procedure of the access analysis program according to the present embodiment).

  The processing in steps S101 to S106 is the same as that in the first embodiment shown in FIG. Steps S107 and S108 will be described later.

  In step S109 (part of the message restoration process), the message restoration unit 101 determines that the HTTP request 401 restored in step S102 is the communication identification information stored in the information storage unit 103 (the one stored in step S111 described later). The processing apparatus determines whether or not the HTTP request 401 (second message) is restored to the web server 202 to request access to the web page. 151. Specifically, the message restoration unit 101 matches the IP address and cookie information included in the packet group from which the HTTP request 401 is restored in step S102 with those already stored in the database (user ID table). Determine whether or not. If the IP address and cookie information match those already stored, the process proceeds to step S110, and if not, the process proceeds to step S111.

  In step S110 (access information recording process), the access information recording unit 105 includes HTTP request 401 in step S102 among the user identification information stored in the information storage unit 103 (including information stored in step S111 described later). The processing device 151 acquires the user identification information corresponding to the same communication identification information as the communication identification information included in the packet group from which the data is restored. Then, the access information recording unit 105 adds the access log corresponding to the acquired user identification information among the access logs stored in the access log storage unit 104 (including those stored in step S112 described later) in step S102. Then, the processing device 151 records access information indicating access to the web page requested by the HTTP request 401 (second message) restored by the message restoration unit 101. Specifically, the access information recording unit 105 acquires, from the database (user ID table), the user ID corresponding to the IP address and cookie information included in the packet group from which the HTTP request 401 is restored in step S102. . Then, the access information recording unit 105 adds the URL 321 indicated by the URL data 411 included in the HTTP request 401 (second message) restored by the message restoration unit 101 in step S102 to the access log corresponding to the acquired user ID. Record. Then, it returns to step S101.

  In step S111 (part of the information storage process), the information storage unit 103 includes a communication included in the packet group from which the message restoration unit 101 restores the HTTP request 401 restored by the message restoration unit 101 in step S102. The identification information is acquired by the processing device 151. In addition, the information storage unit 103 newly generates temporary communication identification information by the processing device 151. Then, the information storage unit 103 stores the acquired communication identification information and the generated temporary user identification information in the storage device 152 in association with each other. Specifically, the information storage unit 103 acquires an IP address and cookie information as communication identification information and stores them in a database (user ID table) mounted on the storage device 152. Then, the information storage unit 103 stores the newly generated temporary user ID in the database as a user ID corresponding to the IP address or cookie information. Instead of the temporary user ID, an identifier having a format different from the user ID may be used. In this case, the IP address or cookie information may be used as it is as the identifier.

  In step S112 (part of the access log storage process), the access log storage unit 104 creates a new access log (access history information) in association with the temporary user identification information stored by the information storage unit 103 in step S111. Store in the storage device 152. Specifically, the access log storage unit 104 is included in the HTTP request 401 restored by the message restoration unit 101 in step S102 as an access log corresponding to the user ID stored in the database (user ID table) in step S111. Data in which the URL 321 indicated by the URL data 411 to be recorded is stored in the storage device 152. Then, it returns to step S101.

  In step S 112, the access log storage unit 104 may generate an access log based on an HTTP response 402 corresponding to the HTTP request 401 instead of generating an access log based on the HTTP request 401. In this case, the access log storage unit 104 waits until the HTTP response 402 corresponding to the HTTP request 401 restored by the message restoration unit 101 in step S102 is transmitted to the user terminal 201 and restored by the message restoration unit 101. Then, the access log storage unit 104 stores the data in which the URL 321 or the like of the web page including the page data 412 in the HTTP response 402 is recorded in the storage device 152 as an access log.

  In the present embodiment, in step S107 (part of the information storage process), the information storage unit 103 sends an HTTP request 401 (first message) corresponding to the HTTP response 402 restored by the message restoration unit 101 in step S102. The processing device 151 acquires communication identification information included in the packet group from which the message restoration unit 101 restores. In the present embodiment, when the acquired communication identification information is already stored in the storage device 152 in association with the temporary user identification information, the information storage unit 103 stores the temporary user identification information in the information acquisition unit 102. To the user identification information acquired by Specifically, when the information storage unit 103 acquires an IP address and cookie information, the processing device determines whether the acquired IP address and cookie information are stored in a database (user ID table) in association with a temporary user ID. 151 to confirm. If stored, the information storage unit 103 overwrites the temporary user ID with the user ID stored as temporary data in the storage device 152 by the information acquisition unit 102. At this time, the user ID stored as temporary data in the storage device 152 is deleted. Note that the information storage unit 103 operates in the same manner as in the first embodiment if the acquired IP address and cookie information are not yet stored in the database.

  If the information storage unit 103 changes the temporary user identification information to the user identification information acquired by the information acquisition unit 102 in step S107, the access log storage unit 104 in step S108 (part of the access log storage process) Of the access logs stored by the access log storage unit 104, the access log corresponding to the temporary user identification information is stored again in the storage device 152 as the access log corresponding to the changed user identification information. Specifically, when the temporary user ID is overwritten with the formal user ID in step S107, the access log storage unit 104 accesses the access log corresponding to the temporary user ID corresponding to the formal user ID. The log is converted (migrated), and the URL 321 and the like of the web page 312 in which the page data 412 is included in the HTTP response 402 restored by the message restoration unit 101 in step S102 are recorded in the converted access log. Then, it returns to step S101.

  As described above, in the present embodiment, in the access analysis apparatus 100, the access information recording unit 105 includes the user ID and transmits it to the web server 202 after the HTTP request 401 (first message) for requesting authentication. The HTTP request 401 including the user ID and transmitted to the web server 202 prior to the HTTP request 401 (first message) for requesting the authentication is not limited to the HTTP request 401 that has been transmitted, but has the same communication identification information. The request 401 (second message) is to be processed. Thereby, in this Embodiment, compared with Embodiment 1, it becomes possible to record more visitor's actions.

  As described above, in the present embodiment, the access analysis apparatus 100 also writes the access information of the user before login in the access log as follows.

  When the user terminal 201 accesses the web server 202, the access analysis apparatus 100 captures the IP address and cookie information and writes them as temporary data in the user ID table. At this time, the access analysis apparatus 100 may set a dummy user ID, and may hold an IP address, user agent information, cookie information, and the like together with the user ID in the user ID table. The access analysis device 100 writes the access information in the access log corresponding to the IP address, cookie information, or dummy user ID. Thereafter, when the visitor identification information can be acquired, the access analysis apparatus 100 changes the access log in which the access information has already been written to an access log corresponding to the actual user ID.

  As described above, the access analysis apparatus 100 according to the present embodiment can record the access log of the user before the user logs in, and thus can perform more detailed access analysis.

  As mentioned above, although embodiment of this invention was described, you may implement combining 2 or more embodiment among these. Alternatively, one of these embodiments may be partially implemented. Or you may implement combining two or more embodiment among these partially.

  DESCRIPTION OF SYMBOLS 100 Access analysis apparatus, 101 Message restoration part, 102 Information acquisition part, 103 Information storage part, 104 Access log storage part, 105 Access information recording part, 106 Access analysis part, 151 Processing apparatus, 152 Storage apparatus, 153 Input apparatus, 154 Output device, 201 User terminal, 202 Web server, 203 Internet, 204 Network device, 205 Packet capture device, 211, 212 IP packet, 301 Web browser screen, 311, 312, 313 Web page, 321 URL, 322, 326 Specific Character string, 323 menu, 324 link, 325 name, 401 HTTP request, 402 HTTP response, 411 URL data, 412 page data, 413, 416 Specific display data 414 Authentication data, 415 Name data, 901 LCD, 902 Keyboard, 903 Mouse, 904 FDD, 905 CDD, 906 Printer, 911 CPU, 912 Bus, 913 ROM, 914 RAM, 915 Communication board, 920 HDD, 921 Operating System, 922 window system, 923 programs, 924 files.

Claims (11)

To identify communications between individual user terminals and the web server from a packet capture device that collects and stores packets transmitted and received between a plurality of user terminals and a web server that distributes web pages to each user terminal Packet group including communication identification information of the above, and sequentially acquiring a packet group carrying an HTTP (Hypertext Transfer Protocol) message used for transmission / reception of a web page, and processing the HTTP message from the acquired packet group A message restoration unit to restore by
When the message restoration unit restores the first message, which is an HTTP message including user identification information for identifying an individual user, and is an HTTP message transmitted to the web server to request authentication, An information acquisition unit for acquiring user identification information included in the first message by a processing device;
When an HTTP message transmitted from the web server to notify the success of authentication requested by the first message is restored by the message restoration unit, the message restoration unit restores the first message; An information storage unit that acquires the communication identification information included in the packet group that has been acquired by the processing device, and stores the acquired communication identification information in association with the user identification information acquired by the information acquisition unit in the storage device;
For each user identification information stored by the information storage unit, an access log storage unit that stores a user access log identified by the user identification information in a storage device;
A second message which is an HTTP message transmitted to the web server to request access to a web page from a packet group including the same communication identification information as the communication identification information stored by the information storage unit is the message restoration. The access log stored by the access log storage unit corresponding to the user identification information stored in association with the communication identification information by the information storage unit is requested by the second message. And an access information recording unit that records access information indicating access to the web page by the processing device.   The access information recording unit includes the second message for both the HTTP message transmitted to the web server before the first message and the HTTP message transmitted to the web server after the first message. The access analysis apparatus according to claim 1, wherein a corresponding HTTP message is a processing target.   The access analysis apparatus according to claim 1 or 2, wherein the communication identification information includes at least one of an IP (Internet Protocol) address and cookie information. The information storage unit is a case where an HTTP message transmitted from the web server to notify the success of authentication requested by the first message is restored by the message restoration unit, and the information acquisition unit When the acquired user identification information is already stored by the information storage unit, the message recovery unit acquires the communication identification information included in the packet group from which the first message is recovered, and acquires the acquired communication. If the identification information is different from the communication identification information already stored in association with the user identification information by the information storage unit, the communication identification information already stored by the information storage unit is acquired. 4. The access analysis device according to claim 1, wherein the access analysis device is updated with identification information. The information storage unit does not include user identification information, and when the HTTP message transmitted to the web server is restored by the message restoration unit, the communication identification included in the packet group from which the HTTP message is restored The information is acquired by the processing device, the acquired communication identification information and temporary user identification information are stored in the storage device in association with each other, and then the web is sent to notify the success of the authentication requested by the first message. When the HTTP message transmitted from the server is restored by the message restoration unit, the message restoration unit obtains communication identification information included in the packet group from which the first message is restored, and the obtained communication identification If information is already stored in association with the temporary user identification information by the information storage unit, User identification information Kikari, any access analyzing apparatus 4 from claim 1, characterized in that updating the user identification information acquired by the information acquisition unit. A processing device of a computer collects and stores packets transmitted and received between a plurality of user terminals and a web server that distributes web pages to each user terminal, from an individual user terminal and the web server A packet group including communication identification information for identifying the communication of the packet, and sequentially acquiring a packet group carrying an HTTP (Hypertext Transfer Protocol) message used for transmission / reception of a web page, from the acquired packet group Restore the HTTP message,
When the computer processing apparatus restores a first message that is an HTTP message including user identification information for identifying an individual user and is an HTTP message transmitted to the web server to request authentication, Obtaining user identification information included in the first message;
When the processing device of the computer restores the HTTP message transmitted from the web server in order to notify the success of the authentication requested by the first message, the packet group from which the first message is restored The communication identification information included is acquired, and the storage device of the computer stores the acquired communication identification information and user identification information in association with each other,
A storage device of the computer stores a user access log identified by the user identification information for each stored user identification information,
The processing device of the computer restored the second message, which is an HTTP message sent to the web server in order to request access to the web page, from the packet group including the same communication identification information as the stored communication identification information. In this case, access information indicating access to the web page requested by the second message is recorded in an access log corresponding to the user identification information stored in association with the communication identification information. Method. To identify communications between individual user terminals and the web server from a packet capture device that collects and stores packets transmitted and received between a plurality of user terminals and a web server that distributes web pages to each user terminal Packet group including communication identification information of the above, and sequentially acquiring a packet group carrying an HTTP (Hypertext Transfer Protocol) message used for transmission / reception of a web page, and processing the HTTP message from the acquired packet group Message restoration process restored by
When an HTTP message including user identification information for identifying an individual user and the first message that is an HTTP message transmitted to the web server to request authentication is restored by the message restoration process, Information acquisition processing for acquiring user identification information included in the first message by a processing device;
When an HTTP message transmitted from the web server to notify the success of authentication requested by the first message is restored by the message restoration process, the message restoration process restores the first message; An information storage process for acquiring communication identification information included in the packet group, and storing the acquired communication identification information in association with the user identification information acquired by the information acquisition process in a storage device;
For each user identification information stored by the information storage process, an access log storage process for storing an access log of a user identified by the user identification information in a storage device;
A second message which is an HTTP message transmitted to the web server to request access to a web page from a packet group including the same communication identification information as the communication identification information stored by the information storing process is the message restoration. When restored by the process, the access log stored by the access log storage process corresponding to the user identification information stored in association with the communication identification information by the information storage process is requested by the second message. An access analysis program for causing a computer to execute access information recording processing for recording access information indicating access to a web page by a processing device. In the access information recording process, both the HTTP message transmitted to the web server before the first message and the HTTP message transmitted to the web server after the first message are included in the second message. 8. The access analysis program according to claim 7 , wherein the corresponding HTTP message is a processing target. It said communication identification information, IP (Internet Protocol) according to claim 7 or 8 access analysis program, characterized in that it comprises at least one of the address and cookie information. The information storage process is a case where an HTTP message transmitted from the web server to notify the success of the authentication requested by the first message is restored by the message restoration process, and the information acquisition process If the acquired user identification information is already stored by the information storage process, the message recovery process acquires the communication identification information included in the packet group from which the first message is recovered, and acquires the acquired communication. If the identification information is different from the communication identification information already stored in association with the user identification information by the information storage process, the communication identification information already stored by the information storage process is acquired. The access analysis program according to claim 7, wherein the access analysis program is updated with identification information. In the information storage process, when the HTTP message transmitted to the web server that does not include user identification information is restored by the message restoration process, the communication identification included in the packet group that is the origin of restoring the HTTP message The information is acquired by the processing device, the acquired communication identification information and temporary user identification information are stored in the storage device in association with each other, and then the web is sent to notify the success of the authentication requested by the first message. When the HTTP message transmitted from the server is restored by the message restoration process, the message restoration process obtains communication identification information included in the packet group from which the first message is restored, and the obtained communication identification Information has already been stored in association with the temporary user identification information by the information storage process. Put it, the user identification information of the temporary, any access analysis program according to claim 7 to 10, characterized in that updating the user identification information acquired by the information acquisition process.

Images