JP7027647B2 - Programs, information processing equipment and information processing methods - Google Patents

Description

The present invention relates to a program, an information processing apparatus and an information processing method.

Patent Document 1 discloses a detection system that prevents an unknown attack from occurring and prevents a request having a legitimate parameter from being erroneously blocked.

WO-A1-2017 / 15003

However, the invention according to Patent Document 1 may not be able to determine an abnormality based on the login time and the area information at the time of login.

One aspect is to provide a program or the like capable of determining an abnormality based on the login time and the area information at the time of login.

In the web application firewall program, the program according to one aspect acquires the first IP address at the time of the first login when the user logs in to the protected website from the user terminal, and the provider is based on the acquired first IP address. And the first area information including the country is specified, the second IP address at the time of the second login different from the time of the first login is acquired, and the second area information is specified based on the acquired second IP address. Based on the first login time and the first area information at the time of the first login, the second login time at the time of the second login and the second area information, the first abnormality is determined , and the user terminal determines the first abnormality. Acquire multiple types of terminal information, read out multiple types of terminal information corresponding to the user terminal from the database that stores the terminal information, and compare the acquired multiple types of terminal information with the read out multiple types of terminal information. , The number of mismatches whose terminal information does not match each other is counted, and if the counted number of mismatches is equal to or greater than a predetermined number, it is determined as a second abnormality, the operation log of the user is acquired, and based on the acquired operation log, the operation log is acquired. When the second risk score is calculated and it is determined that the calculated second risk score is equal to or higher than the predetermined reference score, the third abnormality is determined, and the first abnormality, the second abnormality, or the abnormality including the third abnormality is determined. The computer is made to execute the process of outputting the access history information and the abnormality judgment result of the user to the observer terminal .

In one aspect, it is possible to determine anomalies based on login time and regional information at the time of login.

It is explanatory drawing which shows the outline of the system which provides the cloud type web application firewall service. It is a block diagram which shows the configuration example of a server. It is explanatory drawing which shows an example of the record layout of the terminal information DB. It is explanatory drawing which shows an example of the record layout of a risk score DB. It is explanatory drawing which shows an example of the record layout of the operation log DB. It is explanatory drawing which shows an example of the record layout of the abnormality determination result DB. It is explanatory drawing which shows an example of the record layout of the access history DB. It is a block diagram which shows the configuration example of a web server. It is a block diagram which shows the configuration example of a user terminal. It is a block diagram which shows the configuration example of the observer terminal. It is a structural diagram of a system that provides a cloud-type web application firewall service. It is explanatory drawing explaining the operation which determines an abnormality. It is a flowchart which shows the processing procedure at the time of determining an abnormality. It is a flowchart which shows the processing procedure at the time of determining an abnormality. It is a flowchart which shows the processing procedure of the subroutine of the processing which determines the 1st abnormality. It is a flowchart which shows the processing procedure of the subroutine of the processing which determines the 2nd abnormality. It is a flowchart which shows the processing procedure of the subroutine of the process of determining a third abnormality. It is an image diagram which displays the abnormality determination result on the observer terminal. It is a flowchart which shows the processing procedure at the time of performing the multi-factor authentication processing. It is a flowchart which shows the processing procedure of the subroutine of multi-factor authentication processing. It is a flowchart which shows the processing procedure at the time of determining an abnormality by the total risk score.

Hereinafter, the present invention will be described in detail with reference to the drawings showing the embodiments thereof.

(Embodiment 1)
The first embodiment relates to a mode in which an abnormality is determined by analyzing a user's behavior or detecting an unauthorized operation. The user's behavior includes, for example, accessing a website or changing the area information of the access source due to the movement of the user. An unauthorized operation is a suspicious operation detected based on a user's operation log, such as access without mouse operation, access to a page that does not exist, or access using a VPN (Virtual Private Network).

FIG. 1 is an explanatory diagram showing an outline of a system that provides a cloud-based web application firewall (WAF) service. The system of the present embodiment includes an information processing device 1, an information processing device 2, an information processing terminal 3, and an information processing terminal 4, and each device transmits and receives information via a network N such as the Internet.

The information processing device 1 is an information processing device that processes, stores, and transmits / receives various information. The information processing device 1 is, for example, a server device, a personal computer, or the like. In the present embodiment, the information processing device 1 is assumed to be a server device, and is referred to as a server 1 in the following for the sake of brevity.

The information processing device 2 is an information processing device that operates a web application, a website, or a web service, and is, for example, a server device, a personal computer, or the like. The information processing device 2 may be, for example, an information processing device for operating an EC (Electronic Commerce) site, a mail-order site, a game, or the like. An application that provides a WAF service for monitoring a website or a web application on the information processing device 2 is installed in the information processing device 2. In the present embodiment, the information processing device 2 is assumed to be a server device, and is hereinafter read as a web server 2 for the sake of brevity.

The information processing terminal 3 is a terminal device that accesses the web server 2 and displays web contents transmitted from the web server 2. The information processing terminal 3 is an information processing device such as a smartphone, a mobile phone, a wearable device such as an Apple Watch (registered trademark), a tablet, or a personal computer terminal. In the following, for the sake of brevity, the information processing terminal 3 will be read as the user terminal 3.

The information processing terminal 4 is a terminal device that receives and displays various abnormalities such as an unauthorized operation by a user or an external attack. The information processing terminal 4 is an information processing device such as a wearable device such as a smartphone, a mobile phone, or an Apple watch, a tablet, or a personal computer terminal. In the following, for the sake of brevity, the information processing terminal 4 will be read as the monitor terminal 4.

When the user accesses the protected website operated on the web server 2, the server 1 according to the present embodiment acquires the access information including the terminal information of the user terminal 3 and the login presence / absence information of the user. And remember. When the server 1 determines that the access is with login based on the presence / absence information of login, the server 1 determines various abnormalities based on the terminal information and the operation log of the user. The server 1 transmits the access history information of the user who has determined the abnormality and the abnormality determination result to the monitor terminal 4.

FIG. 2 is a block diagram showing a configuration example of the server 1. The server 1 includes a control unit 11, a storage unit 12, a communication unit 13, an input unit 14, a display unit 15, a reading unit 16, and a large-capacity storage unit 17. Each configuration is connected by bus B.

The control unit 11 includes an arithmetic processing unit such as a CPU (Central Processing Unit), an MPU (Micro-Processing Unit), and a GPU (Graphics Processing Unit), and reads and executes the control program 1P stored in the storage unit 12. , Performs various information processing, control processing, etc. related to the server 1. Although the control unit 11 is described as a single processor in FIG. 2, it may be a multiprocessor.

The storage unit 12 includes memory elements such as a RAM (Random Access Memory) and a ROM (Read Only Memory), and stores the control program 1P or data required for the control unit 11 to execute processing. Further, the storage unit 12 temporarily stores data and the like necessary for the control unit 11 to execute arithmetic processing. The communication unit 13 is a communication module for performing processing related to communication, and transmits / receives information to / from the web server 2, the user terminal 3, the monitor terminal 4, and the like via the network N.

The input unit 14 is an input device such as a mouse, a keyboard, a touch panel, and a button, and outputs the received operation information to the control unit 11. The display unit 15 is a liquid crystal display, an organic EL (electroluminescence) display, or the like, and displays various information according to the instructions of the control unit 11.

The reading unit 16 reads a portable storage medium 1a including a CD (Compact Disc) -ROM or a DVD (Digital Versatile Disc) -ROM. The control unit 11 may read the control program 1P from the portable storage medium 1a via the reading unit 16 and store it in the large-capacity storage unit 17. Further, the control unit 11 may download the control program 1P from another computer via the network N or the like and store it in the large-capacity storage unit 17. Furthermore, the control unit 11 may read the control program 1P from the semiconductor memory 1b.

The large-capacity storage unit 17 includes a recording medium such as an HDD (Hard disk drive) or SSD (Solid State Drive). The large-capacity storage unit 17 includes a terminal information DB 171, a risk score DB 172, an operation log DB 173, an abnormality determination result DB 174, and an access history DB 175.

The terminal information DB 171 stores the terminal information of the user. The risk score DB 172 stores risk score evaluation rules and the like for each evaluation item for determining (detecting) various abnormalities. The operation log DB 173 stores the user's operation log. The abnormality determination result DB 174 stores the determination results for determining various abnormalities. The access history DB 175 stores historical information such as the time when the user accesses the protected website.

In this embodiment, the storage unit 12 and the large-capacity storage unit 17 may be configured as an integrated storage device. Further, the large-capacity storage unit 17 may be composed of a plurality of storage devices. Furthermore, the large-capacity storage unit 17 may be an external storage device connected to the server 1.

In the present embodiment, the server 1 is described as one information processing device, but it may be distributed and processed by a plurality of servers, or it may be configured by a virtual machine.

FIG. 3 is an explanatory diagram showing an example of the record layout of the terminal information DB 171. The terminal information DB 171 includes a token column, a terminal ID column, an access destination host column, an access source column, a Tor network availability column, a VPN availability column, a proxy availability column, a public cloud availability column, an OS (Operating System) column, and an OS (Operating System) column. Includes browser column.

The token string stores the token issued in association with the user's terminal. A token is information issued by a server to identify a user's terminal when using a web service. The token may be, for example, information including a token ID, a generation date and time, a validity period, etc., in which a unique random alphanumerical character is issued with a predetermined length (16 digits, 32 digits, 64 digits, etc.).

The terminal ID column stores a unique ID for identifying a user's terminal, or a terminal ID generated based on terminal information (for example, OS information or browser information). The access destination host column stores the host information (IP address, host name, etc.) of the access destination. The access source column includes a global IP address column, a private IP address column, a country column, an ISP column, a city column, a latitude column, and a longitude column.

The global IP address string stores the global IP address (IzyInternet Protocol Address). The global IP address is an IP address assigned to a device such as a computer or a communication device connected to the Internet. When a device connected to the Internet communicates on the Internet, a unique global IP address is required.

The private IP address string stores the private IP address. A private IP address (local IP address) is an IP address that can be used only in a network within an organization (private network). A private IP address is an IP address that can be used only within an individual private network, but cannot be used more than once within the same network.

The country column stores information on the country of access. The ISP (Internet Services Provider) column stores a provider (provider) that provides a contractor with a connection to the Internet via a public communication line or the like. The city column stores information about the city. The latitude column and the longitude column store the location information of the access source. Specifically, the latitude column stores the latitude of the access source. The longitude column stores the longitude of the access source.

The Tor network availability column stores information on the availability of the Tor (The Onion Router) network. The VPN availability column stores VPN availability information. The proxy availability column stores proxy availability information. The public cloud availability column stores information on the availability of public clouds, which is an open form that provides a cloud computing environment for companies or individuals regardless of industry or industry. The OS column stores information about the operating system (version, security patch, etc.). The browser column stores information about the browser (version, plugin, etc.).

FIG. 4 is an explanatory diagram showing an example of the record layout of the risk score DB172. The risk score DB 172 includes an item ID column, an item name column, a risk score evaluation rule column, and a reference score column. The item ID column stores the ID of the evaluation item uniquely specified in order to identify each evaluation item. The item name column stores the name of the evaluation item. The risk score evaluation rule column stores the rules for assigning risk scores (scores) to the evaluation items. The reference score sequence stores the risk score as a reference for determining an abnormality.

FIG. 5 is an explanatory diagram showing an example of the record layout of the operation log DB 173. The operation log DB 173 includes a number string, a user ID column, a terminal ID column, an access destination IP address string, an access source IP address string, an operation column, and a date and time column. The number string stores the ID of the operation log uniquely identified in order to identify each operation log. The user ID column stores a user ID that identifies the user.

The terminal ID column stores a unique ID for identifying the user's terminal. The access destination IP address string stores the access destination IP address. The access source IP address string stores the access source IP address. The operation sequence stores the name of the operation. In the operation column, the name of the user operation such as "mouse click", "page access", "proxy use" or "Java (registered trademark) script browser ON" may be stored. The date and time column stores the date and time information of the operation.

FIG. 6 is an explanatory diagram showing an example of the record layout of the abnormality determination result DB 174. The abnormality determination result DB 174 includes a user ID column, a terminal ID column, an abnormality item column, an abnormality message column, a risk score column, and a determination date / time column. The user ID column stores a user ID that identifies the user. The terminal ID column stores a unique ID for identifying the user's terminal.

The abnormal item column stores the name of the abnormal item. The abnormal message string stores an abnormal message indicating the content of the abnormality. The risk score column stores the risk score corresponding to the abnormal item. The determination date / time column stores the date / time information in which the abnormality is determined.

FIG. 7 is an explanatory diagram showing an example of the record layout of the access history DB 175. The access history DB 175 includes a token column, a terminal ID column, an access destination host column, an access time zone column, an access date / time column without login, an access date / time column with login, and a login user ID column.

The token string stores the token issued in association with the user's terminal. The terminal ID column stores a unique ID for identifying the user's terminal. The access destination host column stores the host information of the access destination. The access time zone column includes a weekday column and a holiday column. The weekday column stores the time zone at the time of access when the user accesses the website on a weekday.

The holiday column stores the time zone at the time of access when the day when the user accesses the website is a holiday. The access date / time column without login stores the access date / time without login. The access date / time column with login stores the access date / time with login. The login user ID column stores the logged-in user ID.

The storage form of each DB described above is an example, and other storage forms may be used as long as the relationship between the data is maintained.

FIG. 8 is a block diagram showing a configuration example of the web server 2. The web server 2 includes a control unit 21, a storage unit 22, a communication unit 23, an input unit 24, a display unit 25, a reading unit 26, and a large-capacity storage unit 27. Each configuration is connected by bus B.

The control unit 21 includes arithmetic processing units such as a CPU, MPU, and GPU, and performs various information processing, control processing, and the like related to the web server 2 by reading and executing the control program 2P stored in the storage unit 22. .. Although the control unit 21 is described as a single processor in FIG. 8, it may be a multiprocessor.

The storage unit 22 includes memory elements such as RAM and ROM, and stores the control program 2P or data required for the control unit 21 to execute the process. Further, the storage unit 22 temporarily stores data and the like necessary for the control unit 21 to execute the arithmetic processing. The communication unit 23 is a communication module for performing processing related to communication, and transmits / receives information to / from the server 1 and the user terminal 3 via the network N.

The input unit 24 is an input device such as a mouse, a keyboard, a touch panel, and a button, and outputs the received operation information to the control unit 21. The display unit 25 is a liquid crystal display, an organic EL display, or the like, and displays various information according to the instructions of the control unit 21.

The reading unit 26 reads a portable storage medium 2a including a CD-ROM or a DVD-ROM. The control unit 21 may read the control program 2P from the portable storage medium 2a via the reading unit 26 and store it in the large-capacity storage unit 27. Further, the control unit 21 may download the control program 2P from another computer via the network N or the like and store it in the large-capacity storage unit 27. Furthermore, the control unit 21 may read the control program 2P from the semiconductor memory 2b.

The large-capacity storage unit 27 includes a recording medium such as an HDD or SSD. In this embodiment, the storage unit 22 and the large-capacity storage unit 27 may be configured as an integrated storage device. Further, the large-capacity storage unit 27 may be composed of a plurality of storage devices. Furthermore, the large-capacity storage unit 27 may be an external storage device connected to the web server 2.

In the present embodiment, the web server 2 is described as one information processing device, but it may be distributed and processed by a plurality of devices, or it may be configured by a virtual machine.

FIG. 9 is a block diagram showing a configuration example of the user terminal 3. The user terminal 3 includes a control unit 31, a storage unit 32, a communication unit 33, an input unit 34, and a display unit 35. Each configuration is connected by bus B.

The control unit 31 includes an arithmetic processing unit such as a CPU and an MPU, and performs various information processing, control processing, and the like related to the user terminal 3 by reading and executing the control program 3P stored in the storage unit 32. Although the control unit 31 is described as a single processor in FIG. 9, it may be a multiprocessor. The storage unit 32 includes memory elements such as RAM and ROM, and stores the control program 3P or data required for the control unit 31 to execute the process. Further, the storage unit 32 temporarily stores data and the like necessary for the control unit 31 to execute the arithmetic processing.

The communication unit 33 is a communication module for performing processing related to communication, and transmits / receives information to / from the server 1, the web server 2, etc. via the network N. The input unit 34 may be a keyboard, a mouse, or a touch panel integrated with the display unit 35. The display unit 35 is a liquid crystal display, an organic EL display, or the like, and displays various information according to the instructions of the control unit 31.

FIG. 10 is a block diagram showing a configuration example of the observer terminal 4. The observer terminal 4 includes a control unit 41, a storage unit 42, a communication unit 43, an input unit 44, and a display unit 45. Each configuration is connected by bus B.

The control unit 41 includes an arithmetic processing unit such as a CPU and an MPU, and performs various information processing, control processing, and the like related to the monitor terminal 4 by reading and executing the control program 4P stored in the storage unit 42. Although the control unit 41 is described as a single processor in FIG. 10, it may be a multiprocessor. The storage unit 42 includes memory elements such as RAM and ROM, and stores the control program 4P or data required for the control unit 41 to execute the process. In addition, the storage unit 42 temporarily stores data and the like necessary for the control unit 41 to execute arithmetic processing.

The communication unit 43 is a communication module for performing processing related to communication, and transmits / receives information to / from the server 1 or the like via the network N. The input unit 44 may be a keyboard, a mouse, or a touch panel integrated with the display unit 45. The display unit 45 is a liquid crystal display, an organic EL display, or the like, and displays various information according to the instructions of the control unit 41.

FIG. 11 is a structural diagram of a system that provides a cloud-based web application firewall service. A system that provides a cloud-type WAF service includes a user layer (player), a WAF layer, an IPS (Intrusion Prevention System) / IDS (Intrusion Detection System) layer, and a FW (Firewall) layer. The user layer is a user security layer that determines various abnormalities by analyzing user behavior or detecting unauthorized operations. The WAF layer is a layer that protects against attacks on web applications. The WAF layer detects the attack pattern that exploits the vulnerability of the web application and blocks the communication.

The IPS / IDS layer is a layer that protects against attacks on the network. IPS is a system that automatically shuts off communication when an abnormality such as unauthorized access or attack is detected. IDS is a system that detects intrusion and notifies the administrator when there is an abnormal communication such as unauthorized access or attack. The FW layer is a layer that protects an internal network such as a company or an organization from an attack or unauthorized intrusion from an external network.

The system can determine anomalies including first anomalies, second anomalies and third anomalies. The first abnormality is an abnormality detected based on the login time and the area information at the time of login. The second abnormality is an abnormality detected when a terminal different from the terminal at the time of login in the past is used with the same user ID. The third abnormality is an abnormality that detects an unauthorized operation based on the operation log of the user. As shown in the figure, the first abnormality and the second abnormality are detected from the user layer, and the third abnormality is detected from each layer.

FIG. 12 is an explanatory diagram illustrating an operation of determining an abnormality. When the user accesses the protected website operated on the web server 2, the control unit 31 of the user terminal 3 transmits an access request to the website to the server 1 via the communication unit 33. .. The control unit 11 of the server 1 receives the access request transmitted from the user terminal 3 via the communication unit 13, and extracts the access information from the received access request.

The access information includes a plurality of types of terminal information of the access source and login presence / absence information. Multiple types of terminal information include terminal ID, access destination host, access source IP address, location information (latitude and longitude), Tor network availability information, VPN availability information, proxy availability information, and public cloud. Includes availability information, OS information or browser information.

The control unit 11 acquires the terminal information included in the extracted access information. The control unit 11 acquires a terminal ID from the acquired plurality of types of terminal information. In this embodiment, an example in which the terminal ID is acquired from the terminal information has been described, but the present invention is not limited to this. For example, the control unit 11 may generate a terminal ID based on arbitrary terminal information (for example, OS information, browser information, etc.) in the acquired plurality of types of terminal information. The control unit 11 issues a token (Token) used for identifying the terminal in association with the acquired terminal ID. The control unit 11 acquires the IP address of the access source from the acquired terminal information. Based on the acquired IP address, the control unit 11 uses an API (Application Programming Interface) for extracting regional information by the IP address of the access source including the access source provider, country and region (for example, city). Identify regional information.

The control unit 11 stores the received terminal information and the specified area information in the terminal information DB 171 and the access history DB 175 of the large-capacity storage unit 17 in association with the issued token. Specifically, the control unit 11 associates with the token, the terminal ID, the access destination host, the IP address of the access source, the country, the provider, the city, the latitude, the longitude, the availability information of the Tor network, and the availability of the VPN. Information, proxy availability information, public cloud availability information, OS information, and browser information are stored in the terminal information DB 171 as one record. The control unit 11 stores the token, the terminal ID, the access destination host, the access time zone, the access date and time without login, the access date and time with login, and the user ID used at login as one record in the access history DB 175. do.

The control unit 11 acquires login presence / absence information from the access information, and determines whether or not the user is logged in based on the acquired login presence / absence information. When the control unit 11 determines that the user is logged in, the control unit 11 determines the first abnormality, the second abnormality, and the third abnormality.

Specifically, the control unit 11 obtains evaluation rules and reference scores associated with each evaluation item for determining the first abnormality, the second abnormality, and the third abnormality from the risk score DB 172 of the large-capacity storage unit 17. get. Evaluation items include global IP address, private IP address, country, ISP, city, VPN, proxy, OS, browser, response code, method, Tor network, public cloud ID, Tor network, Javascript, mouse operation, and non-existent URL. Includes access, browser plug-in or login time zone, etc.

First, the process of determining the first abnormality will be described. The control unit 11 acquires the token and the login time at the time of the previous login from the access history DB 175 of the large-capacity storage unit 17 based on the terminal ID. Based on the acquired token, the control unit 11 acquires the area information at the time of the previous login (hereinafter, read as "previous area information") from the terminal information DB 171 of the large-capacity storage unit 17. The control unit 11 determines whether or not it is the first abnormality based on the acquired previous login time and previous area information, and the current login time and current area information. The evaluation items for the first anomaly include the login time zone, country, provider, city, and the like.

For example, when the control unit 11 determines the first abnormality based on the login time, the control unit 11 "logs in" based on the time zone of the current login time and the time zone of the previous login time according to the evaluation rule of the "login time zone" evaluation item. Calculate the risk score for the "Login time zone" evaluation item. When the calculated risk score is equal to or higher than the reference score, the control unit 11 determines that the risk score is the first abnormality.

For example, when the control unit 11 determines the first abnormality based on the regional information (for example, "country" included in the regional information will be described as an example), the control unit 11 logs in this time according to the evaluation rule of the "country" evaluation item. Calculate the risk score of the "country" evaluation item based on the country information at the time and the country information at the time of the previous login. When the calculated risk score is equal to or higher than the reference score, the control unit 11 determines that the risk score is the first abnormality.

In this embodiment, examples of the previous login time and the previous regional information have been described, but the present invention is not limited to this. For example, the control unit 11 acquires the past multiple login times and regional information. The control unit 11 may determine the first abnormality based on the acquired average value of the plurality of login times. Alternatively, the control unit 11 totals the number of times of the logged-in area for the plurality of times of area information. The control unit 11 may determine the first abnormality based on the evaluation rule determined according to the total number of times. For example, if the number of logged-in areas is small, a high risk score may be set, or if the number of logged-in areas is large, a low risk score may be set. You may also set some ranks for the number of times you have logged in. For example, when the number of times is "5 times or less", the risk score is 40, and when the number of times is "5 to 10 times", the risk score is 30.

Next, a process for determining the second abnormality will be described. The control unit 11 acquires the token and the terminal ID at the time of the previous login from the access history DB 175 of the large-capacity storage unit 17 based on the user ID. Based on the acquired token and terminal ID, the control unit 11 acquires the terminal information stored in the terminal information DB 171 of the large-capacity storage unit 17 at the time of the previous login.

The control unit 11 compares the terminal information of the current login with the terminal information of the previous login based on a predetermined evaluation item. The evaluation items include, for example, a terminal ID, an IP address of an access source, an OS or a browser. For example, when the control unit 11 determines that the terminal ID of the login this time and the terminal ID of the previous login are different, it determines as a second abnormality.

When the control unit 11 determines that the terminal ID of the login this time and the terminal ID of the previous login match, the control unit 11 compares the evaluation items (IP address, OS, etc.) other than the terminal ID. When the control unit 11 determines that the number of mismatched evaluation items other than the terminal ID is a predetermined number (for example, 2) or more, the control unit 11 determines that it is a second abnormality.

Then, the process of determining the third abnormality will be described. The control unit 11 acquires the user's operation log from the operation log DB 173 of the large-capacity storage unit 17 based on the user ID and the terminal ID. The control unit 11 extracts an evaluation item for determining the third abnormality from the acquired operation log. Evaluation items include, for example, response codes, methods, Tor networks, JavaScript, mouse operations, access to non-existent URLs, browser plug-ins, and the like.

The control unit 11 calculates the risk score of each evaluation item for each acquired evaluation item based on the evaluation rule associated with each evaluation item. The control unit 11 compares the calculated risk score of each evaluation item with the reference score. When, for example, the control unit 11 determines that the risk score of any of the evaluation items is equal to or higher than the reference score, the control unit 11 determines that it is a third abnormality. Alternatively, when the control unit 11 determines that the number of evaluation items whose risk score of the evaluation item is equal to or greater than the reference score is equal to or greater than a predetermined number (for example, 4), the control unit 11 may determine that it is a third abnormality.

In the following, an example of the "method" evaluation item will be described. The control unit 11 determines whether or not a suspicious method has been used. The suspicious method may be, for example, a method having a high risk of attack by giving an unreliable argument, a method that will be abolished in the future, or the like. When the control unit 11 determines that a suspicious method has been used, the control unit 11 calculates the risk score of the "method" evaluation item based on the evaluation rule of the "method" evaluation item.

For example, if the evaluation rule of the "method" evaluation item is "suspicious method used: 30 suspicious method unused: 0", the control unit 11 calculates that the risk score of the "method" evaluation item is 30. .. The control unit 11 compares the calculated risk score of the “method” evaluation item with the reference score (for example, 30). When the control unit 11 determines that the risk score of the calculated "method" evaluation item is equal to or higher than the reference score, the control unit 11 determines that the risk score is the third abnormality.

In the above-mentioned processing, the first abnormality, the second abnormality, and the third abnormality determination process have been described in this order, but the present invention is not limited to this, and the abnormality may be determined in any order.

When the control unit 11 determines an abnormality including a first abnormality, a second abnormality, or a third abnormality, the control unit 11 stores the determination result of the determined abnormality in the abnormality determination result DB 174 of the large-capacity storage unit 17. Specifically, the control unit 11 stores the user ID, the terminal ID, the abnormal item, the abnormal message, the risk score, and the determination date and time as one record in the abnormality determination result DB 174.

The control unit 11 acquires the access history information of the user who has determined the abnormality from the access history information DB 176 of the large-capacity storage unit 17. The access history information includes a terminal ID, an access destination host, an access time zone, an access date and time with login presence / absence information, a user ID when there is a login, and the like. The control unit 11 transmits the acquired user access history information and the abnormality determination result to the monitor terminal 4 by the communication unit 13. The control unit 11 transmits a message including the determination of an abnormality to the user terminal 3 by the communication unit 13.

When the control unit 11 has not determined an abnormality including the first abnormality, the second abnormality, or the third abnormality, the control unit 11 transmits the access information to the web server 2 by the communication unit 13. Instead of the access information, the control unit 11 may transmit the access request transmitted from the user terminal 3 to the web server 2 as it is.

13 and 14 are flowcharts showing a processing procedure for determining an abnormality. The control unit 31 of the user terminal 3 transmits an access request to the protected website to the server 1 via the communication unit 33 (step S301). The control unit 11 of the server 1 receives the access request transmitted from the user terminal 3 via the communication unit 13 (step S101). The control unit 11 extracts access information from the received access request (step S102). The access information includes the terminal information of the access source and the presence / absence information of login.

The control unit 11 acquires a terminal ID from a plurality of types of terminal information included in the extracted access information (step S103), and issues a token used for identifying the terminal in association with the acquired terminal ID (step S103). S104). The control unit 11 acquires the IP address of the access source from the terminal information (step S105). Based on the acquired IP address, the control unit 11 identifies the access source area information including the access source provider, country, and region by using the API for extracting the area information by the IP address (step S106). The control unit 11 stores the received terminal information and the specified area information in the terminal information DB 171 and the access history DB 175 of the large-capacity storage unit 17 in association with the issued token (step S107).

The control unit 11 acquires login presence / absence information from the access information, and determines whether or not the user is logged in based on the acquired login presence / absence information (step S108). When the control unit 11 determines that the user is not logged in (NO in step S108), the control unit 11 transitions to step S118 described later. When the control unit 11 determines that the user is logged in (YES in step S108), the control unit 11 has an evaluation rule and a standard associated with each evaluation item for determining the first abnormality, the second abnormality, and the third abnormality. The score is acquired from the risk score DB172 of the large-capacity storage unit 17 (step S109).

The control unit 11 determines the first abnormality (step S110). The control unit 11 determines the second abnormality (step S111). The control unit 11 determines the third abnormality (step S112). The first abnormality, the second abnormality, and the third abnormality determination processing subroutine will be described later. The control unit 11 determines whether or not there is an abnormality based on the determination result of determining the first abnormality, the second abnormality, or the third abnormality (step S113).

When the control unit 11 determines that there is no abnormality (NO in step S113), the control unit 11 transmits the access information to the web server 2 by the communication unit 13 (step S118). The control unit 21 of the web server 2 receives the access information transmitted from the server 1 via the communication unit 23 (step S201).

When the control unit 11 determines that there is an abnormality (YES in step S113), the control unit 11 stores the abnormality determination result in the abnormality determination result DB 174 of the large capacity storage unit 17 (step S114). The control unit 11 acquires the access history information of the user who has determined the abnormality from the access history information DB 176 of the large-capacity storage unit 17 (step S115). The control unit 11 transmits the acquired user access history information and the abnormality determination result to the monitor terminal 4 by the communication unit 13 (step S116). The control unit 11 transmits an abnormality message including the fact that the abnormality has been determined to the user terminal 3 by the communication unit 13 (step S117).

The control unit 41 of the observer terminal 4 receives the user access history information and the abnormality determination result transmitted from the server 1 by the communication unit 43 via the communication unit 43 (step S401). The control unit 41 displays the received user access history information and the abnormality determination result on the display unit 45 (step S402). The control unit 31 of the user terminal 3 receives the abnormal message transmitted from the server 1 by the communication unit 33 (step S303), and displays the received abnormal message by the display unit 35 (step S304).

FIG. 15 is a flowchart showing a processing procedure of a subroutine of processing for determining the first abnormality. The control unit 11 acquires the token and the login time at the time of the previous login from the access history DB 175 of the large-capacity storage unit 17 based on the terminal ID (step S11). Based on the acquired token, the control unit 11 acquires the previous area information at the time of the previous login from the terminal information DB 171 of the large-capacity storage unit 17 (step S12).

The control unit 11 calculates the risk score of the "login time zone" evaluation item based on the time zone of the previous login time and the time zone of the current login time according to the evaluation rule of the "login time zone" evaluation item ( Step S13). The evaluation rule of the "login time zone" evaluation item may be set by the time interval between the end time of the past time zone and the start time of the current time zone. If the time interval is long, a high risk score may be set. Conversely, if the time interval is short, a low risk score may be set. For example, the evaluation rule of the "login time zone" evaluation item is "last time (8: 00-12: 00) and this time (19: 00-21: 00): 15 last time (8: 00-12: 00). And this time (21: 00-23: 00): 30 ". When it is determined that the time zone of the previous login time is "8: 00-12: 00" and the time zone of the login time this time is "19: 00-21: 00", the control unit 11 determines that " It is calculated that the risk score of the "login time zone" evaluation item is 15.

The control unit 11 determines whether or not the calculated risk score of the “login time zone” evaluation item is equal to or higher than the reference score (step S14). When the risk score of the calculated "login time zone" evaluation item is equal to or higher than the reference score (YES in step S14), the control unit 11 outputs the determination processing result of the first abnormality (step S22) and returns. When the risk score of the calculated "login time zone" evaluation item is less than the reference score (NO in step S14), the control unit 11 determines the country information at the time of the previous login according to the evaluation rule of the "country" evaluation item. And this time, the risk score of the "country" evaluation item is calculated based on the country information at the time of login (step S15).

The evaluation rule of the "country" evaluation item may be set according to the difference between the country information at the time of past login and the country information at the time of this login. If there is a change, a high risk score will be set. Also, if there is no change, a low risk score is set.

For example, the evaluation rule for the "country" evaluation item is "changed: 70 unchanged: 0". When the control unit 11 determines that the country information (for example, Japan) at the time of the previous login and the country information (for example, the United States) at the time of the current login do not match, the control unit 11 is based on the evaluation rule of the "country" evaluation item. Calculate that the risk score for the "country" endpoint is 70. When the control unit 11 determines that the country information (for example, Japan) at the time of the previous login matches the country information (for example, Japan) at the time of the current login, the control unit 11 determines that the country information (for example, Japan) matches, based on the evaluation rule of the "country" evaluation item, " Calculate that the risk score of the "country" endpoint is 0.

The control unit 11 determines whether or not the calculated risk score of the “country” evaluation item is equal to or higher than the reference score (step S16). When the risk score of the calculated "country" evaluation item is equal to or higher than the reference score (YES in step S16), the control unit 11 transitions to step S22. When the calculated risk score of the "country" evaluation item is less than the reference score (NO in step S16), the control unit 11 determines the city information at the time of the previous login and this time according to the evaluation rule of the "city" evaluation item. Based on the city information at the time of login, the risk score of the "city" evaluation item is calculated (step S17).

The evaluation rule of the "city" evaluation item may be set according to the difference between the city at the time of login in the past and the city at the time of login this time. If there is a change, a high risk score will be set. Also, if there is no change, a low risk score is set.

For example, the evaluation rule of the "city" evaluation item is "changed: 40 changed: 0". When the control unit 11 determines that the city information at the time of the previous login (for example, Tokyo) and the city information at the time of the current login (for example, Osaka) do not match, the control unit 11 is based on the evaluation rule of the "city" evaluation item. It is calculated that the risk score of the "city" evaluation item is 40. When the control unit 11 determines that the city information at the time of the previous login (for example, Tokyo) and the city information at the time of the current login (for example, Tokyo) match, the control unit 11 determines that the city information at the time of the previous login matches, based on the evaluation rule of the "city" evaluation item, " Calculate that the risk score of the "City" endpoint is 0.

Further, the evaluation rule of the "city" evaluation item may be set according to the distance between the city at the time of login in the past and the city at the time of login this time. If the distance is long, a high risk score is set. Also, if the distance is short, a low risk score is set. Depending on the distance, some ranks may be set. For example, an evaluation rule of "10 km (kilometer) or less: 5 10 km to 30 km: 10 30 km to 50 km: 15" may be set.

The control unit 11 determines whether or not the calculated risk score of the “city” evaluation item is equal to or higher than the reference score (step S18). When the risk score of the calculated “city” evaluation item is equal to or higher than the reference score (YES in step S18), the control unit 11 transitions to step S22. When the calculated risk score of the "city" evaluation item is less than the reference score (NO in step S18), the control unit 11 determines the provider information at the time of the previous login and this time according to the evaluation rule of the "provider" evaluation item. The risk score of the "provider" evaluation item is calculated based on the provider information at the time of login (step S19).

The evaluation rule of the "provider" evaluation item may be set according to the difference between the provider at the time of login in the past and the provider at the time of login this time. If there is a change, a high risk score will be set. Also, if there is no change, a low risk score is set.

For example, the evaluation rule of the "provider" evaluation item is "changed: 30 no change: 0". When the control unit 11 determines that the provider information (for example, provider A) at the time of the previous login and the provider information (for example, the provider B) at the time of the current login do not match, the control unit 11 sets the evaluation rule of the "provider" evaluation item. Based on this, it is calculated that the risk score of the "provider" evaluation item is 30. When the control unit 11 determines that the provider information (for example, provider A) at the time of the previous login and the provider information (for example, the provider A) at the time of the current login match, the control unit 11 is based on the evaluation rule of the "provider" evaluation item. , Calculate that the risk score of the "provider" evaluation item is 0.

The control unit 11 determines whether or not the calculated risk score of the “provider” evaluation item is equal to or higher than the reference score (step S20). When the risk score of the calculated "provider" evaluation item is equal to or higher than the reference score (YES in step S20), the control unit 11 transitions to step S22. When the calculated risk score of the "provider" evaluation item is less than the reference score (NO in step S20), the control unit 11 outputs a determination processing result that is not the first abnormality (step S21) and returns.

The process for determining the first abnormality is not limited to the above-mentioned "login time zone", "country", "city" and "provider" evaluation items, but is similarly applied to other evaluation items. For example, the control unit 11 may determine the first abnormality by using the interval between the current login time and the previous login time. Specifically, the control unit 11 calculates the interval between the current login time and the previous login time. The control unit 11 calculates the risk score of the "login interval" evaluation item based on the calculated interval according to the evaluation rule of the "login interval" evaluation item.

The evaluation rule of the "login interval" evaluation item may be set according to the time interval between the past login time and the current login time. If the time interval is long, a high risk score may be set. Conversely, if the time interval is short, a low risk score may be set.

For example, the evaluation rule for the "login interval" evaluation item is "less than 10 days: 5 ... 3 months to 6 months: 30 6 months to 1 year: 40". For example, when the calculated interval is "eight months", the control unit 11 calculates that the risk score of the "login interval" evaluation item is 40 based on the evaluation rule of the "login interval" evaluation item. When the risk score of the calculated "login interval" evaluation item is equal to or higher than the reference score (for example, 30), the control unit 11 determines that it is the first abnormality.

In addition to the "login time zone" and "login interval", for example, the control unit 11 specifies information such as weekdays / holidays and days of the week according to the login time, and uses the specified evaluation rules for weekdays / holidays and days of the week. The first abnormality may be determined based on the above.

FIG. 16 is a flowchart showing a processing procedure of a subroutine of processing for determining a second abnormality. The control unit 11 acquires the token and the terminal ID at the time of the previous login from the access history DB 175 of the large-capacity storage unit 17 based on the user ID (step S31). Based on the acquired token and terminal ID, the control unit 11 acquires the terminal information stored in the terminal information DB 171 of the large-capacity storage unit 17 at the time of the previous login (step S32).

The control unit 11 determines whether or not the terminal ID at the time of login this time and the terminal ID at the time of previous login match (step S33). When the control unit 11 determines that the terminal ID at the time of login this time and the terminal ID at the time of the previous login do not match (NO in step S33), the control unit 11 outputs the determination processing result of the second abnormality (step S42). , Return.

When the control unit 11 determines that the terminal ID at the time of login this time and the terminal ID at the time of the previous login match (YES in step S33), the IP address of the access source at the time of login this time and the IP address at the time of the previous login are used. It is determined whether or not the IP address of the access source matches (step S34). When the control unit 11 determines that the IP address at the time of login this time and the IP address at the time of the previous login do not match (NO in step S34), the control unit 11 accumulates the number of mismatched items (step S35), and steps described later. Transition to S36.

When the control unit 11 determines that the IP address at the time of this login and the IP address at the time of the previous login match (YES in step S34), the OS information at the time of this login and the OS information at the time of the previous login are used. It is determined whether or not they match (step S36). When the control unit 11 determines that the OS information at the time of login this time and the OS information at the time of the previous login do not match (NO in step S36), the control unit 11 accumulates the number of mismatched items (step S37), and steps described later. Transition to S38.

When the control unit 11 determines that the OS information at the time of this login and the OS information at the time of the previous login match (YES in step S36), the browser information at the time of this login and the browser information at the time of the previous login are used. It is determined whether or not they match (step S38). When the control unit 11 determines that the browser information at the time of login this time and the browser information at the time of the previous login do not match (NO in step S38), the control unit 11 accumulates the number of mismatched items (step S39), and steps described later. Transition to S40.

When the control unit 11 determines that the browser information at the time of login this time and the browser information at the time of the previous login match (YES in step S38), the cumulative number of non-matching items is a predetermined number (for example, 2) or more. It is determined whether or not there is (step S40). When the control unit 11 determines that the number of mismatched items is equal to or greater than a predetermined number (YES in step S40), the control unit 11 transitions to step S42. When the control unit 11 determines that the number of non-matching items is smaller than the predetermined number (NO in step S40), the control unit 11 outputs a determination processing result that is not a second abnormality (step S41), and returns.

The process for determining the second abnormality is not limited to the above-mentioned "terminal ID", "IP address", "OS" and "browser" evaluation items, but is similarly applied to other evaluation items.

FIG. 17 is a flowchart showing a processing procedure of a subroutine of processing for determining a third abnormality. The control unit 11 acquires the user's operation log from the operation log DB 173 of the large-capacity storage unit 17 based on the user ID and the terminal ID (step S61). The control unit 11 extracts a plurality of evaluation items for determining the third abnormality from the acquired operation log (step S62). Evaluation items include, for example, response codes, methods, Tor networks, JavaScript, mouse operations, access to non-existent URLs, browser plug-ins, and the like.

The control unit 11 acquires one evaluation item from the extracted plurality of evaluation items (step S63). For example, the "Tor network" evaluation item is acquired. The control unit 11 calculates the risk score of the evaluation item based on the evaluation rule associated with the acquired evaluation item (step S64). For example, the control unit 11 determines whether or not the Tor network is used based on the acquired "Tor network" evaluation item. When the control unit 11 determines that the Tor network has been used, the control unit 11 acquires the evaluation rule of the "Tor network" evaluation item.

For example, when the evaluation rule of the "Tor network" evaluation item is "Tor network use: 70 Tor network unused: 0", the control unit 11 calculates that the risk score of the "Tor network" evaluation item is 70. .. The control unit 11 determines whether or not the risk score of the calculated evaluation item is equal to or higher than the reference score (step S65). For example, when the reference score of the "Tor network" evaluation item is "50", the control unit 11 determines whether or not the risk score of the "Tor network" evaluation item is 50 or more.

When the control unit 11 determines that the calculated risk score of the evaluation item is equal to or higher than the reference score (YES in step S65), the control unit 11 accumulates the number of evaluation items (step S66) and transitions to step S67 described later. When the control unit 11 determines that the risk score of the calculated evaluation item is less than the reference score (NO in step S65), the control unit 11 determines whether or not the evaluation item is the last item among the plurality of evaluation items. (Step S67).

When the control unit 11 determines that the evaluation item is not the last item (NO in step S67), the control unit 11 transitions to step S63. When the control unit 11 determines that the evaluation item is the last item (YES in step S67), the control unit 11 determines whether or not the cumulative number of evaluation items is a predetermined number or more (step S68).

When the control unit 11 determines that the cumulative number of evaluation items is equal to or greater than a predetermined number (YES in step S68), the control unit 11 outputs a determination processing result of the third abnormality (step S70) and returns. When the control unit 11 determines that the accumulated number of evaluation items is smaller than the predetermined number (NO in step S68), the control unit 11 outputs a determination processing result that is not a third abnormality (step S69) and returns.

It should be noted that the present invention is not limited to the above-mentioned third abnormality determination process. For example, the control unit 11 totals the risk scores of the respective evaluation items, and compares the total risk score with the reference total risk score. When the control unit 11 determines that the total total risk score is equal to or higher than the reference total risk score, it may determine it as a third abnormality.

FIG. 18 is an image diagram for displaying the abnormality determination result on the observer terminal 4. The control unit 11 of the server 1 transmits the abnormality determination result to the monitor terminal 4 by the communication unit 13. The control unit 41 of the observer terminal 4 receives the abnormality determination result transmitted from the server 1 by the communication unit 43, and displays the received abnormality determination result on the display unit 45. As shown in the figure, the abnormality determination result includes a terminal ID, a user ID, a login time, an abnormality message, a risk score, an operation log, and detailed information.

According to this embodiment, it is possible to detect an abnormality based on the login time of the user and the area information of the access source.

According to this embodiment, it is possible to detect an abnormality when using a terminal different from the terminal used at the time of login in the past with the same user ID.

According to this embodiment, it is possible to detect an abnormality in an unauthorized operation based on a user's operation log.

According to this embodiment, by providing a cloud-type WAF service including a user group, it is possible to realize high security because user behavior analysis or unauthorized operation detection is performed.

(Embodiment 2)
The second embodiment relates to a mode in which multi-factor authentication processing is performed when a high risk is detected when a user logs in. The description of the contents overlapping with the first embodiment will be omitted.

When the user logs in to the protected website, the control unit 11 of the server 1 performs the login authentication process. Specifically, the control unit 11 extracts each evaluation item for performing the authentication process from the terminal information. The evaluation items include, for example, a global IP address, a private IP address, a country, a provider, a city, a VPN, a proxy, and the like. The control unit 11 acquires the evaluation rule and the reference score associated with each extracted evaluation item from the risk score DB 172 of the large-capacity storage unit 17.

The control unit 11 calculates a risk score for each evaluation item based on the acquired evaluation rule. Since the risk score calculation process is the same as the risk score calculation process in the first embodiment, the description thereof will be omitted. The control unit 11 compares the calculated risk score of each evaluation item with the reference score of each evaluation item. For example, when the control unit 11 determines that the number of evaluation items whose risk score is equal to or higher than the reference score is a predetermined number (for example, three) or more, the control unit 11 performs multi-factor authentication processing.

The determination process for whether or not to perform the multi-factor authentication process is not limited to the determination method described above. For example, if it is determined that the risk score of any of the evaluation items is equal to or higher than the reference score, multi-factor authentication processing is performed.

The multi-factor authentication process is to authenticate by combining two or more of the three elements of authentication, "knowledge information", "possession information", and "biological information". Knowledge information includes, for example, passwords, pin codes or secret questions. Possession information includes mobile phones, hardware tokens, IC cards, and the like. Biometric information includes fingerprints, veins, voiceprints, and the like.

For example, when a user logs in to a website using a user ID and password, the control unit 11 of the server 1 calculates a risk score for each evaluation item. When the control unit 11 determines that the risk score of any of the evaluation items is equal to or higher than the reference score, the control unit 11 issues an authentication code issuance instruction, a fingerprint authentication instruction, or the like to the user terminal 3. By performing the multi-factor authentication process, if it is determined that the attacker may have stolen information such as the user ID and password of the legitimate user, unauthorized access can be prevented.

FIG. 19 is a flowchart showing a processing procedure when performing multi-factor authentication processing. The control unit 11 of the server 1 extracts a plurality of evaluation items for performing the authentication process from the terminal information (step S121). The control unit 11 acquires the evaluation rule and the reference score associated with each extracted evaluation item from the risk score DB 172 of the large-capacity storage unit 17 (step S122).

The control unit 11 acquires one evaluation item from the extracted plurality of evaluation items (step S123). The control unit 11 calculates the risk score of the evaluation item based on the evaluation rule associated with the acquired evaluation item (step S124). The control unit 11 determines whether or not the risk score of the calculated evaluation item is equal to or higher than the reference score (step S125).

When the control unit 11 determines that the risk score of the calculated evaluation item is equal to or higher than the reference score (YES in step S125), the control unit 11 accumulates the number of evaluation items (step S126), and transitions to step S127 described later. When the control unit 11 determines that the risk score of the calculated evaluation item is less than the reference score (NO in step S125), the control unit 11 determines whether or not the evaluation item is the last item among the plurality of evaluation items. (Step S127).

When the control unit 11 determines that the evaluation item is not the last item (NO in step S127), the control unit 11 transitions to step S123. When the control unit 11 determines that the evaluation item is the last item (YES in step S127), the control unit 11 determines whether or not the cumulative number of evaluation items is a predetermined number or more (step S128).

When the control unit 11 determines that the cumulative number of evaluation items is equal to or greater than a predetermined number (YES in step S128), the control unit 11 performs multi-factor authentication processing (step S129). The subroutine that performs multi-factor authentication processing will be described later. The control unit 11 transmits the authentication result of the multi-factor authentication process to the web server 2 by the communication unit 13 (step S130). The control unit 21 of the web server 2 receives the authentication result transmitted from the server 1 by the communication unit 23 (step S221). When the control unit 11 determines that the accumulated number of evaluation items is smaller than the predetermined number (NO in step S128), the control unit 11 ends the process.

FIG. 20 is a flowchart showing a processing procedure of a subroutine of multi-factor authentication processing. Although FIG. 20 will be described as an example of issuing an authentication code, which is one element of the multi-factor authentication process, to the user terminal 3, the multi-factor authentication process may be performed by using another element.

The control unit 11 of the server 1 transmits the issuance instruction of the user ID and the authentication code to the web server 2 by the communication unit 13 (step S141). The control unit 21 of the web server 2 receives the user ID and authentication code issuance instruction transmitted from the server 1 by the communication unit 23 (step S241). The control unit 21 acquires the user's telephone number from the large-capacity storage unit 17 based on the received user ID in response to the instruction to issue the received authentication code (step S242). The control unit 21 transmits the acquired telephone number to the server 1 by the communication unit 23 (step S243).

The control unit 11 of the server 1 receives the telephone number of the user transmitted from the web server 2 by the communication unit 13 (step S142). The control unit 11 transmits an authentication code (for example, a 4-digit number or the like) to the user terminal 3 via, for example, SMS (Short Message Service) based on the received telephone number (step S143). The control unit 31 of the user terminal 3 receives the authentication code transmitted from the server 1 via SMS by the communication unit 33 (step S341).

The control unit 31 receives, for example, an authentication code input by the user on the authentication code input screen via the input unit 34 (step S342). The control unit 31 transmits the authentication code input by the user to the server 1 by the communication unit 33 (step S343). The control unit 11 of the server 1 receives the authentication code input by the user from the user terminal 3 via the communication unit 13 (step S144).

The control unit 11 compares the authentication code input by the user with the authentication code issued to the user terminal 3 and determines whether or not the authentication code input by the user is correct (step S145). When the control unit 11 determines that the authentication code input by the user is correct (YES in step S145), the control unit 11 outputs the result of successful multi-factor authentication (step S146) and returns. If the control unit 11 determines that the authentication code input by the user is incorrect (NO in step S145), the control unit 11 outputs the result of failure in multi-factor authentication (step S147), and returns.

According to this embodiment, by performing multi-factor authentication processing when a high risk is detected, it is possible to improve the security level because an attacker can prevent access to the website by impersonating a legitimate user. Become.

(Embodiment 3)
The third embodiment relates to a mode for determining a second abnormality by calculating a risk score of a predetermined evaluation item based on terminal information. The description of the contents overlapping with the first and second embodiments will be omitted.

The control unit 11 of the server 1 acquires the token and the terminal ID at the time of the previous login from the access history DB 175 of the large-capacity storage unit 17 based on the user ID. Based on the acquired token and terminal ID, the control unit 11 acquires the terminal information stored in the terminal information DB 171 of the large-capacity storage unit 17 at the time of the previous login. The control unit 11 compares the terminal information of the current login with the terminal information of the previous login based on a predetermined evaluation item. The evaluation items include, for example, a terminal ID, an IP address of an access source, an OS or a browser.

Specifically, the control unit 11 compares the evaluation item at the time of login this time with the evaluation item at the time of previous login. For example, the control unit 11 sets the item contents at the time of login this time and the item contents at the time of the previous login for the evaluation items of "terminal ID", "IP address of access source", "OS", and "browser". Compare.

When the control unit 11 determines that the evaluation items to be compared do not match, the control unit 11 calculates the risk score of the evaluation item according to the evaluation rule of the evaluation item. The evaluation rule may be, for example, "terminal ID mismatch: 100 match: 0, access source IP address mismatch: 60 match: 0, OS mismatch: 70 match: 0, browser mismatch: 30 match: 0" or the like.

For example, if the control unit 11 determines that the terminal ID at the time of the current login and the terminal ID at the time of the previous login do not match, the risk of the "terminal ID" evaluation item is based on the above-mentioned evaluation rule. It is calculated that the score is 100. The control unit 11 determines whether or not the calculated risk score of the "terminal ID" evaluation item is equal to or higher than the reference score (for example, 60). When the control unit 11 determines that the risk score of the "terminal ID" evaluation item is equal to or higher than the reference score, the control unit 11 determines that it is a second abnormality.

When the control unit 11 determines that the terminal ID at the time of the current login and the terminal ID at the time of the previous login match, the control unit 11 compares the evaluation items other than the terminal ID (for example, IP address, OS, etc.). In this case, for example, when the control unit 11 determines that the number of evaluation items for which the risk score of the evaluation item other than the terminal ID is equal to or greater than the reference score is a predetermined number (for example, 2) or more, the control unit 11 determines that the second abnormality.

Since the flow of the process of determining an abnormality based on the risk score described above is the same as the flow of the determination process in the first embodiment, the description of the flowchart will be omitted.

According to this embodiment, it is possible to determine the second abnormality by calculating the risk score of a predetermined evaluation item based on the terminal information.

(Embodiment 4)
The fourth embodiment relates to a mode in which an abnormality is determined based on the total risk score of the first abnormality, the second abnormality, and the third abnormality. The description of the contents overlapping with the first to third embodiments will be omitted.

When the control unit 11 of the server 1 determines the first abnormality, the control unit 11 calculates the first total risk score based on the risk score of each evaluation item for which the first abnormality is determined. When the second abnormality is determined, the control unit 11 calculates the second total risk score based on the risk score of each evaluation item for which the second abnormality is determined. When the third abnormality is determined, the control unit 11 calculates the third total risk score based on the risk score of each evaluation item for which the third abnormality is determined.

The control unit 11 calculates the total risk score of the calculated first total risk score, second total risk score, and third total risk score. The control unit 11 compares the calculated total risk score with the reference score for determining an abnormality based on the total risk score. When the control unit 11 determines that the calculated total risk score is equal to or higher than the reference score, the control unit 11 determines that the total risk score is abnormal.

The control unit 11 generates, for example, a column graph or a pie chart based on the first total risk score, the second total risk score, and the third total risk score. The control unit 11 transmits the generated graph information to the monitor terminal 4 via the communication unit 13. The observer terminal 4 receives the graph information transmitted from the server 1 by the communication unit 43, and displays the received graph information by the display unit 45. The graph is not limited to the above-mentioned graph. For example, the control unit 11 generates a report in the form of a table based on the first total risk score, the second total risk score, the third total risk score, or the total risk score of the three parties. The control unit 11 may transmit the generated report to the observer terminal 4 by the communication unit 13.

FIG. 21 is a flowchart showing a processing procedure when determining an abnormality based on the total risk score. Since the determination process of the first abnormality, the second abnormality, and the third abnormality is the same as the determination process in the first embodiment, the description thereof will be omitted.

The control unit 11 of the server 1 calculates the first total risk score based on the risk score of each evaluation item for which the first abnormality is determined (step S161). The control unit 11 calculates the second total risk score based on the risk score of each evaluation item for which the second abnormality is determined (step S162). The control unit 11 calculates the third total risk score based on the risk score of each evaluation item for which the third abnormality is determined (step S163).

The control unit 11 calculates the calculated total risk score of the first total risk score, the second total risk score, and the third total risk score (step S164). The control unit 11 acquires a reference score for determining an abnormality based on the total risk score from the storage unit 12 or the large-capacity storage unit 17 (step S165). The control unit 11 determines whether or not the calculated total risk score is equal to or higher than the reference score (step S166).

When the control unit 11 determines that the calculated total risk score is equal to or higher than the reference score (YES in step S166), the control unit 11 executes steps S167 to S169. The control unit 41 of the observer terminal 4 executes steps S461 to S462. Since the processes of steps S167 to S169 and S461 to S462 are the same as those of steps S114 to S116 and S401 to S402 in FIG. 14, the description thereof will be omitted. When the control unit 11 determines that the calculated total risk score is less than the reference score (NO in step S166), the control unit 11 transitions to step S118 in FIG.

According to the present embodiment, since the abnormality can be determined by the total risk score, it is possible to comprehensively determine the abnormality.

The embodiments disclosed this time should be considered to be exemplary in all respects and not restrictive. The scope of the present invention is indicated by the scope of claims, not the above-mentioned meaning, and is intended to include all modifications within the meaning and scope equivalent to the scope of claims.

1 Information processing device (server)
11 Control unit 12 Storage unit 13 Communication unit 14 Input unit 15 Display unit 16 Reading unit 17 Large-capacity storage unit 171 Terminal information DB
172 Risk score DB
173 Operation log DB
174 Abnormality judgment result DB
175 Access history DB
1a Portable storage medium 1b Semiconductor memory 1P Control program 2 Information processing device (web server)
21 Control unit 22 Storage unit 23 Communication unit 24 Input unit 25 Display unit 26 Reading unit 27 Large-capacity storage unit 2a Portable storage medium 2b Semiconductor memory 2P control program 3 Information processing terminal (user terminal)
31 Control unit 32 Storage unit 33 Communication unit 34 Input unit 35 Display unit 3P control program 4 Information processing terminal (monitorer terminal)
41 Control unit 42 Storage unit 43 Communication unit 44 Input unit 45 Display unit 4P Control program

Claims (7)

In the web application firewall program
Obtain the first IP address at the time of the first login when the user logs in to the protected website from the user terminal,
Based on the acquired first IP address, identify the first area information including the provider and country , and
Obtain a second IP address at the time of the second login, which is different from the time of the first login.
Based on the acquired second IP address, the second area information is specified,
Based on the first login time and the first area information at the time of the first login, and the second login time and the second area information at the time of the second login, the first abnormality is determined .
Obtaining multiple types of terminal information from the user terminal,
A plurality of types of terminal information corresponding to the user terminal are read from the database storing the terminal information, and the terminal information is read out.
Comparing the acquired multiple types of terminal information with the read out multiple types of terminal information,
Count the number of mismatches where the terminal information does not match each other,
If the counted number of discrepancies is equal to or greater than the predetermined number, it is determined to be the second abnormality.
Acquire the operation log of the user and
The second risk score is calculated based on the acquired operation log.
If it is determined that the calculated second risk score is equal to or higher than the predetermined reference score, the third abnormality is determined.
Output the access history information and abnormality judgment result of the user who judged the abnormality including the first abnormality, the second abnormality or the third abnormality to the monitor terminal.
A program that causes a computer to perform processing. Obtain terminal information from the user terminal and
Issue a token used to identify the user terminal,
The program according to claim 1, wherein a process of storing the acquired terminal information in the database in association with the issued token is executed. The terminal information includes access destination host information, access source information, and VPN (Virtual Private).
Network) The program according to claim 2, which includes usage information, proxy usage information, location information, operating system information or browser information. When it is determined that the user is logged in to the website, the risk score for performing the authentication process is calculated based on the terminal information.
The program according to any one of claims 1 to 3 , which executes a process of performing multi-factor authentication processing when it is determined that the calculated risk score is equal to or higher than a predetermined reference score. In an information processing device with a web application firewall installed
The first acquisition unit that acquires the first IP address at the time of the first login when the user logs in to the protected website from the user terminal,
Based on the acquired first IP address, the first specific part that specifies the first area information including the provider and the country, and
The second acquisition unit that acquires the second IP address at the time of the second login, which is different from the time of the first login, and
Based on the acquired second IP address, the second specific part that specifies the second area information and
A first determination unit that determines a first abnormality based on the first login time and the first area information at the time of the first login, the second login time at the time of the second login, and the second area information. And ,
A third acquisition unit that acquires a plurality of types of terminal information from the user terminal,
A reading unit that reads out a plurality of types of terminal information corresponding to the user terminal from a database that stores the terminal information.
A comparison unit that compares the acquired multiple types of terminal information with the read out multiple types of terminal information,
A counting unit that counts the number of mismatches where the terminal information does not match each other,
When the counted number of discrepancies is equal to or greater than a predetermined number, the second determination unit for determining the second abnormality and the second determination unit
The fourth acquisition unit that acquires the operation log of the user, and
A calculation unit that calculates the second risk score based on the acquired operation log,
When it is determined that the calculated second risk score is equal to or higher than the predetermined reference score, the third determination unit for determining the third abnormality and the third determination unit
An output unit that outputs the access history information and abnormality judgment result of the user who has determined the abnormality including the first abnormality, the second abnormality, or the third abnormality to the monitor terminal.
An information processing device characterized by being equipped with. On a computer with a web application firewall installed,
Obtain the first IP address at the time of the first login when the user logs in to the protected website from the user terminal,
Based on the acquired first IP address, identify the first area information including the provider and country , and
Obtain a second IP address at the time of the second login, which is different from the time of the first login.
Based on the acquired second IP address, the second area information is specified,
Based on the first login time and the first area information at the time of the first login, and the second login time and the second area information at the time of the second login, the first abnormality is determined .
Obtaining multiple types of terminal information from the user terminal,
A plurality of types of terminal information corresponding to the user terminal are read from the database storing the terminal information, and the terminal information is read out.
Comparing the acquired multiple types of terminal information with the read out multiple types of terminal information,
Count the number of mismatches where the terminal information does not match each other,
If the counted number of discrepancies is equal to or greater than the predetermined number, it is determined to be the second abnormality.
Acquire the operation log of the user and
The second risk score is calculated based on the acquired operation log.
If it is determined that the calculated second risk score is equal to or higher than the predetermined reference score, the third abnormality is determined.
Output the access history information and abnormality judgment result of the user who judged the abnormality including the first abnormality, the second abnormality or the third abnormality to the monitor terminal.
An information processing method characterized by executing processing. In the web application firewall program
Obtain the first IP address at the time of the first login when the user logs in to the protected website from the user terminal,
Based on the acquired first IP address, identify the first area information including the provider and country, and
Obtain a second IP address at the time of the second login, which is different from the time of the first login.
Based on the acquired second IP address, the second area information is specified,
A plurality of for determining a first abnormality based on the first login time and the first area information at the time of the first login, the second login time at the time of the second login, and the second area information. Calculate each of the risk scores of the evaluation items and
When the risk score of any of the calculated risk scores of the plurality of evaluation items is equal to or higher than the reference score, the first abnormality is determined.
A program that causes a computer to perform processing.

Images