JP7403565B2 - Fraud detection device, fraud detection method, and fraud detection program - Google Patents

Description

The present invention relates to a fraud detection device, a fraud detection method, and a fraud detection program.

2. Description of the Related Art Conventionally, devices are known that detect fraudulent actions of users on the Internet, such as detecting fraudulent payments in payment processing.
In the system described in Patent Document 1, when each target server receives access token information from a user terminal, it receives an access token related to the user terminal from the authentication device, and accepts access from the user terminal for which access is permitted. The authentication device then makes a risk judgment based on the BP score, FP score, block list set based on the cumulative score, and rules such as whether the same authentication information was sent from the user terminal to multiple different target servers. Implement.

Japanese Patent Application Publication No. 2004-348536

By the way, in the conventional fraud detection system as described above, fraud is detected by determining whether a connection source IP or the like is registered in a block list as one rule for fraud detection. However, in order to avoid the block list, an unauthorized user may take evasive actions to avoid the block list, for example, by intentionally changing some information such as browser cookies. Once action is taken, it becomes difficult for blocklists to detect fraud.

An object of the present invention is to provide a fraud detection device, a fraud detection method, and a fraud detection program that can perform fraud detection with high accuracy.

A fraud detection device according to one aspect of the present invention includes action request information requesting execution of a predetermined action, including action content that is the content of the action and a plurality of parameters when requesting the action. a request receiving unit that receives the action request information; and a request reception unit that associates the action content and the plurality of parameters included in one action request information with each other, and associates the parameters of the newly received action request information with each other, and an association unit that associates the action contents associated with the parameter with each other when the parameter is the same as the parameter included in the action request information received in a fraud determination unit that determines whether the newly received action content is an illegal fraudulent action based on a block list; and when the fraudulent action associated with the previously received parameter satisfies a predetermined condition. and a list registration unit that registers the parameter as the illegal parameter in the block list.

In the present invention, when the action content associated with a parameter is an unauthorized action and the unauthorized action associated with the parameter satisfies a predetermined condition, the parameter is detected as an unauthorized parameter and registered in a block list. This allows the fraud parameters to be registered in the block list to be expanded, making it possible to detect user fraud in a wider range than, for example, when detecting user fraud using a block list containing only connection source IPs. Therefore, even if a user who uses the service illegally (unauthorized user) rewrites some information such as cookies and sends action request information, there is a high possibility that other parameters will be recorded in the block list. This makes it possible to suppress block list evasion behavior by unauthorized users, and to perform fraud detection with higher accuracy.

FIG. 1 is a diagram schematically showing a fraud detection system according to the present embodiment. 7 is a flowchart showing BL update processing in the fraud detection method of the present embodiment. FIG. 3 is a diagram for explaining a method of determining an incorrect parameter. The figure which shows an example of a network graph. 5 is a flowchart showing fraud determination processing in a fraud determination method. FIG. 3 is a schematic diagram for explaining association of parameters according to the present embodiment. A diagram for explaining the distance from an incorrect parameter.

Hereinafter, a fraud detection system according to an embodiment of the present invention will be described.
FIG. 1 is a schematic diagram showing the fraud detection system of this embodiment.
The fraud detection system 1 includes a service server 20, a fraud detection device 10, and a user terminal 30. These service server 20, fraud detection device 10, and user terminal 30 are communicably connected via the Internet.

In this embodiment, the service server 20 is a device that provides a predetermined service to a user who operates a user terminal 30, and provides a service corresponding to action request information transmitted from the user terminal 30. For example, the service server 20 may provide payment services using credit cards, electronic money, etc., may provide an online shop service or auction service for selling products over the Internet, or may provide other services. You can.
When action request information is transmitted from the user terminal 30 to the service server 20, the service server 20 transmits the action request information to the fraud detection device 10. Upon receiving action request information transmitted from the user terminal 30 via the service server 20, the fraud detection device 10 determines whether the action request information is an unauthorized action request. If no fraud is detected, the fraud detection device 10 returns a response to the service server 20 indicating that the action request information is appropriate, and the service server 20 thereby provides a service to the user terminal 30. On the other hand, if fraud is detected by the fraud detection device 10, a message indicating that the action request is fraudulent is returned to the service server 20, and in this case, the service server 20 does not provide any service to the user terminal 30. Furthermore, based on the result of fraud detection, the fraud detection device 10 records information regarding the user in a block list that records a list of users to whom services are not provided.
Each configuration will be explained in more detail below.

[Configuration of fraud detection device 10]
The fraud detection device 10 is configured by a computer, and includes a communication section 11, a storage section 12, a control section 13, and the like. Note that the number of computers that constitute the fraud detection device 10 is not particularly limited. For example, the fraud detection device 10 may be configured by one computer, or may be configured by a cloud server constructed by connecting a plurality of computers via a network.
The communication unit 11 is connected to a network (Internet) via, for example, a LAN, and communicates with external devices such as the service server 20 and the user terminal 30.

The storage unit 12 is a data recording device composed of, for example, a memory, a hard disk, or the like. This storage unit 12 includes an action database (action DB 121), a related database (related DB 122), a block list (BL 123), and the like.
Note that here, an example is shown in which the storage unit 12 of the fraud detection device 10 is provided with an action DB 121, a BL 123, etc., but other data servers or clouds that are communicably connected to the fraud detection device 10 via a network The configuration may be such that these data are recorded in the storage.
Further, the storage unit 12 stores various programs such as a fraud detection program for implementing fraud detection processing by the fraud detection device 10.

The action DB 121 stores action request information sent from the service server 20. The action request information includes a plurality of parameters necessary for the user to receive a service, and action details regarding the content of the service that the user desires to provide. For example, in the case of action request information that provides a payment service, the action content is payment processing, and the parameters include the connection source IP, account information that identifies the user, credit card number, user's location, user's phone number, and email. This includes message notification address, phone number, cookie information, etc.
Further, in the action request information stored in the action DB 121, a fraud determination flag indicating whether or not the content of the action has been determined to be fraudulent by the fraud detection device 10 is recorded. For example, in the case of a payment service, a fraud determination flag is recorded that indicates whether the payment process is a normal payment performed properly without any fraud, or a fraudulent payment.

The related DB 122 records the relationship between each action content and each parameter included in the action request information. For example, the related DB 122 may record a network graph in which each action content and each parameter are treated as nodes, and nodes corresponding to the action content and nodes corresponding to each parameter are connected by links. In this case, if a common parameter is included for a plurality of action contents, the plurality of action nodes are connected by a link via a node corresponding to the common parameter. These action nodes and nodes connected by links indicate mutually associated (linked) action contents and parameters. Note that the relationship between parameters recorded in the related DB 122 is not limited to the above; for example, the action content and parameters included in the action request information are treated as one record, and the records have common parameters. Other action contents may be associated, and the data management method is not particularly limited.

The BL 123 is a list that records information regarding users who do not provide service use, that is, users who should be blocked. For example, a large number of parameters that should be used as users to be blocked are recorded.

The control unit 13 includes an arithmetic circuit such as a CPU (Central Processing Unit), and a recording circuit such as a RAM (Random Access Memory). The control unit 13 loads various programs recorded in the storage unit 12 and the like into the RAM, and executes various processes in cooperation with the programs loaded into the RAM. Then, the control unit 13 reads and executes various programs including the fraud determination program recorded in the storage unit 12, so that the request reception unit 131, association unit 132, fraud parameter detection unit 133, etc. , a list registration section 134, a graph creation section 135, a fraud determination section 136, and the like.

The request receiving unit 131 receives action request information transmitted from the user terminal 30 via the service server 20.
The association unit 132 extracts a plurality of parameters included in the action request information, associates the extracted parameters, and updates the association DB 122.
The fraudulent parameter detection unit 133 detects a parameter that should be determined to be fraudulent (fraudulent parameter) and a parameter that may be fraudulent (fraudulent parameter candidate) based on the related DB 122 and BL 123.

The list registration unit 134 registers the invalid parameters in the BL 123.
The graph creation unit 135 creates a network graph showing the relationship between each parameter and each action content, and records it in the related DB 122.
The fraud determination unit 136 performs fraud determination processing to determine whether the action request information is fraudulent or appropriate based on the BL 123. For example, the fraud determining unit 136 determines action request information that includes parameters recorded in the BL 123 as fraudulent action request information.

[Configuration of service server 20 and user terminal 30]
The service server 20 is a computer owned by a service provider, and the user terminal 30 is a terminal device (computer) owned by a user.
Although illustration of the specific configuration of the service server 20 and user terminal 30 is omitted, they have the basic configuration of a general computer. That is, the service server 20 and the user terminal 30 are equipped with an input operation unit that accepts input operations, a display that displays image information, a recording device that records various information, and an arithmetic circuit (such as a CPU) that processes various information. There is.

[Operation of fraud detection system 1]
Next, a fraud detection method using the fraud detection system 1 of this embodiment will be explained.
First, the updating process of the BL 123 in the fraud determination method will be described.
FIG. 2 is a flowchart showing the update process of the BL 123 by the fraud detection system of this embodiment.
The update process of the BL 123 is performed using the BL 123 and action request information received in the past and stored in the action DB 121.
The invalid parameter detection unit 133 reads out the action request information stored in the action DB 121 (step S1). The action request information to be read may be all of the action request information, or may be the action request information of the most recent predetermined period.
Further, the fraudulent parameter detection unit 133 detects, for each parameter included in the read past action request information, the action content (normal action or fraudulent action) associated with the parameter.
Then, for each parameter, the fraudulent parameter detection unit 133 determines whether the number of fraudulent actions associated with the parameter is equal to or greater than a predetermined threshold (first threshold) (step S2).
If YES is determined in step S2, the fraud parameter detection unit 133 further determines whether the proportion of fraudulent actions in the action contents associated with each parameter is equal to or greater than a predetermined threshold (second threshold). Determination is made (step S3).

FIG. 3 is a diagram showing a method for determining fraudulent parameters to be registered in the BL 123 in steps S2 and S3.
FIG. 3 is an example of a part of a network graph, and shows a parameter to be determined (determination parameter R) and a plurality of action contents associated with the determination parameter R. Here, the action content shown in black is the fraudulent action _QF that was determined to be fraudulent, and the action content shown in white is the action content _QT that was normally processed.
In step S2, the fraud parameter detection unit 133 determines whether the number N ₁ of fraudulent actions Q _F associated with the determination parameter R is greater than or equal to the first threshold. If the determination is YES in step S2, the fraud parameter detection unit 133 further determines in step S3 that the proportion _N2 of the fraud action _QF in the action content associated with the determination parameter R is equal to or greater than the second threshold. Determine whether or not. If the determination is YES in both step S2 and step S3, the determination parameter R is detected as an incorrect parameter.
Note that the first threshold value and the second threshold value can be appropriately set by the administrator of the fraud detection device 10 or the administrator of the service server 20. For example, the determination parameter R shown in FIG. 3 is determined to be YES in step S2 when the first threshold value is set to 4. Further, the determination parameter R shown in FIG. 3 is determined to be YES in step S3 when the second threshold value is set to 0.5.

If YES is determined in steps S2 and S3 and the determination parameter R is detected as a fraudulent parameter, the list registration unit 134 newly registers the detected fraudulent parameter in the BL 123 (step S4). Note that the processes from step S2 to step S3 described above are performed for each parameter included in each action request information read in step S1.

Further, the graph creation unit 135 may create a network graph based on the accumulated past action request information and the BL 123, and record it in the related DB 122 of the storage unit 12 (step S5).
FIG. 4 is an example of a network graph.
The graph creation unit 135 arranges nodes N corresponding to each action content and nodes N corresponding to parameters on the graph, and creates a network graph in which mutually related nodes N are connected by links L. At this time, the display form such as the size and color of the node N determined to be an unauthorized parameter or an unauthorized action is changed. Further, the display form such as the size and color of the node may be changed depending on the number of related fraudulent parameters.
This network graph is stored in the storage unit 12 so that it can be viewed by the administrator, and by viewing the network graph as appropriate, the administrator can easily identify groups of invalid parameters that are related to each other, or frequently identify unauthorized action requests. It is possible to check the parameters used, etc., and it is possible to contribute to reviewing and updating the BL 123 in fraud detection processing.

Next, fraud determination processing using the updated BL 123 will be described.
FIG. 5 is a flowchart showing fraud determination processing in the fraud determination method.
In this embodiment, when a user receives a service from the service server 20, the user terminal 30 transmits action request information requesting the service server 20 to provide a predetermined service. When the service server 20 receives the action request information, it transmits the action request information to the fraud detection device 10 and inquires whether or not there is any fraud in the action request information.

In the fraud detection device 10, when the request receiving unit 131 receives the action request information from the service server 20 (step S6), the association unit 132 associates the parameters included in the action request information (step S7).
In the following description, the action content included in the action request information newly received in step S6 will be referred to as a target action, and the parameter will be referred to as a target parameter.

FIG. 6 is a schematic diagram for explaining the association of parameters, and shows an example of a network graph of each parameter and each action content.
In step S7, the action contents and parameters included in the action request information received in the past are associated with the target action and target parameters included in the action request information received in step S6. For example, P1 in FIG. 6 indicates one piece of newly received action request information, and the action request information P1 includes a target action Q1 and a plurality of target parameters R1, R2, and R3.
The association unit 132 associates these target actions Q1 and target parameters R1, R2, and R3 with each other.
Furthermore, if action request information including action content Q2 and parameters R1, R4, and R5 has been received in the past, the action content Q2 and parameters R1, R4, and R5 are stored in the related DB 122 as shown in FIG. It is recorded that they are associated. In this case, as shown in FIG. 6, the association unit 132 associates the target action Q1 and the action content Q2 via the common parameter R1. In other words, the target action Q1 and the action content Q2 are associated via the parameter R1.

Next, the invalid parameter detection unit 133 determines whether the target parameter is included in the BL 123 (step S8).

If it is determined NO in step S8, it is determined whether the distance from the fraudulent parameter already recorded in the BL 123 to the target action and target parameter is within a preset threshold (third threshold) (step S9).
FIG. 7 is a diagram for explaining the distance from a fraudulent parameter, and shows an example of a part of a network graph. In FIG. 7, the fraudulent action Q _BL and the fraudulent parameter R _BL are information already recorded in the BL 123.
Here, the action content (not including the fraudulent action _QBL ) linked to the fraudulent parameter RBL already registered in the _BL123 is defined as the action content with a distance of 1 (fraudulent action candidate _QF1 ), and the corresponding fraudulent action candidate Let the fraudulent parameter candidate linked to _QF1 be the fraudulent parameter candidate _RF1 with a distance of 1. In addition, the action content (not including the fraudulent action candidate Q _F1 ) linked to the fraudulent parameter candidate _RF1 is set as a fraudulent action candidate Q _F2 with a distance of 2, and the fraudulent parameter candidate linked to the fraudulent action candidate Q _F2 is set to a distance of 2. is an incorrect parameter candidate R _F2 with 2. Hereinafter, the action content (not including the fraudulent action candidate Q _Fi ) associated with the fraudulent parameter candidate R _Fi with distance i will be referred to as fraudulent action candidate Q _{Fi + 1} with distance i + 1, and the fraudulent action linked to the fraudulent action candidate Q _{Fi + 1} will be Let the parameter candidate R _F be an invalid parameter candidate R _Fi+1 with a distance of i+1.

If YES is determined in step S8 (if the target parameter is registered in BL123), and if YES is determined in step S9 (if the distance of the target parameter from the invalid parameter is within the third threshold) , the fraud determination unit 136 determines that the action request information including the target parameter is fraudulent through fraud determination processing based on the BL 123 (step S10). Further, if the determination in step S9 is NO (if the distance of the target parameter from the invalid parameter is greater than the third threshold), the action request information is determined to be normal unless other target parameters are determined to be invalid. Determination is made (step S11).

[Actions and effects of this embodiment]
In the fraud detection device 10 of the present embodiment, the control unit 13 reads and executes the fraud detection program stored in the storage unit 12, thereby controlling the request reception unit 131, the association unit 132, the list registration unit 134, and the fraud detection program. 136.
The request receiving unit 131 receives action request information transmitted from the user terminal 30. This action request information includes action content and parameters. For example, in the case of requesting payment processing, the action request information includes action content indicating payment processing and parameters such as connection source IP and credit card number.
The association unit 132 associates the action content and the plurality of parameters included in the same action request information with each other. Further, when the target parameter included in the newly received action request information is the same as the parameter included in the previously received action request information, the action content associated with the target parameter (parameter) is associated. In other words, two pieces of action request information are associated via the target attribute.
The fraud determining unit 136 determines whether the action request information is fraudulent based on the BL 123.
Based on the action request information received in the past, when the fraudulent action associated with the determination parameter included in the past action request information satisfies a predetermined condition, the list registration unit 134 sets the determination parameter as a fraud parameter in the BL123. Register.

In the present embodiment as described above, it is possible to suitably expand the parameters that should be used to determine fraud, suppress the avoidance behavior of the BL 123 by fraudulent users, and detect fraud with high accuracy.
A payment process will be explained as a specific example of the action content. In conventional fraud detection methods, when a fraudulent payment is found, only a single parameter (for example, connection source IP) associated with the fraudulent payment is registered as a block list. In this case, for example, if an unauthorized user takes evasive action such as going through another proxy server or changing part of the cookie information, fraud cannot be detected.
In contrast, in the present embodiment, a plurality of parameters associated with fraudulent payments are fraudulent parameter candidates, and among these fraudulent parameter candidates, parameters that satisfy a predetermined condition are registered in the BL 123. Therefore, compared to conventional fraud detection using a block list such as only connection source IPs based on fraudulent payments, a large number of parameters associated with fraudulent payments are registered in the BL 123. As a result, even if an unauthorized user performs payment processing via another proxy server or rewrites some information in the cookie, there is a possibility that other parameters may be registered as unauthorized parameters. This makes it possible to suitably detect fraudulent payments made by fraudulent users.

In this embodiment, the list registration unit 134 registers a determination parameter as a fraud parameter when a number of fraudulent actions equal to or greater than a first threshold are associated with the determination parameter.
As described above, by registering parameters related to fraudulent parameters in the BL 123, it is possible to suppress evasive behavior of the BL 123 by fraudulent users. However, if all parameters related to fraudulent parameters are registered in the BL 123, the incidence of erroneous detections in which actions are determined to be fraudulent even though they are not fraudulent increases. For example, many users may be determined to have the same connection source IP, for example, through a proxy server. In this case, if the connection source IP is registered in the BL 123, a large number of false positives will occur. In contrast, in this embodiment, in step S2, if the number of fraudulent actions associated with the determination parameter is equal to or greater than the first threshold, as described above, the parameter is detected as a fraudulent parameter. Therefore, even if a fraudulent action less than the first threshold is associated with a determination parameter, it is not considered to be a fraudulent parameter and is not registered in the BL 123. Thereby, the occurrence of false detection can be suppressed.

In the present embodiment, the list registration unit 134 detects a determination parameter as an unauthorized parameter when a proportion of action contents equal to or higher than a second threshold among a plurality of action contents associated with the determination parameter are unauthorized actions. do.
In other words, even if a fraudulent action is associated with a determination parameter at a rate less than the second threshold, it is not considered to be a fraudulent parameter and is not registered in the BL 123. This makes it possible to suppress the occurrence of false detections, similar to the above.

Further, when determining whether to register in the BL 123 only based on the number of fraudulent actions associated with a determination parameter, false detections may increase depending on the number of action contents associated with the determination parameter. For example, if the number of action contents associated with a judgment parameter is very large and the number of fraudulent actions is equal to or higher than the first threshold, but most of the actions are proper, the judgment parameter is stored in BL123 as a fraudulent parameter. Once registered, many legitimate actions will be detected as fraudulent. On the other hand, when determining whether to register in the BL 123 only based on the proportion of unauthorized actions associated with a determination parameter, false detections may increase if the number of action contents associated with the determination parameter is small. For example, if the number of actions associated with a determination parameter is about 2 to 3, even if the number of fraudulent actions is about 1, the percentage of fraudulent actions may be registered in the BL123 as being equal to or higher than the second threshold. . In such cases, the amount of data is small and fraud cannot be detected with sufficient accuracy.
On the other hand, in this embodiment, by performing both steps S2 and S3, the disadvantages of both can be compensated for, and a BL 123 that can appropriately detect unauthorized users can be created.

In the present embodiment, if the distance of a target parameter included in newly received action request information from a fraudulent parameter is within the third threshold, the action request information including the target parameter is determined to be fraudulent.
As a result, it is possible to expand the range of fraud determination to include not only the target parameter whose distance from the fraud parameter is 1, but also a wider range, and it is possible to expand the fraud judgment range to include a wider range of fraud when a fraudulent user circumvents BL123 and uses the service. Behavior can be restrained.

In this embodiment, the graph creation unit 135 connects a pair of nodes N corresponding to mutually associated action contents and parameters by a link L, with action contents and parameters as nodes N, and corresponds to invalid parameters and invalid parameter candidates. A network graph is created in which a node N with a parameter is displayed in a display format different from that of a node N with other normal parameters.
Thereby, the administrator of the fraud detection device 10 can easily update the BL 123 by checking the network graph. Further, in this embodiment, the above-mentioned first threshold, second threshold, and third threshold can be adjusted as appropriate by the administrator of the fraud detection device 10, and the administrator can adjust them by checking the network graph. , these threshold values can be easily adjusted to appropriate values.

In this embodiment, a fraud detection device 10 is provided separately from each service server 20, and receives action request information transmitted from a user terminal 30 via each service server 20. In this case, by receiving various parameters according to the service content of each service server 20, it is possible to associate these parameters. Therefore, in a certain service, if a parameter of a user determined to be using the service illegally is registered in the BL 123, there is a high possibility that other parameters related to that parameter will also be registered in the BL 123 as illegal parameters. Therefore, when the user uses another service, there is a high possibility that the user will be determined as an unauthorized user, which can act as a deterrent against the user's unauthorized use of the service.

[Modified example]
Note that the present invention is not limited to the embodiments described above, but includes the following modifications as long as the object of the present invention can be achieved.

[Modification 1]
In the embodiment described above, in step S9, action request information including a target parameter whose distance from the fraudulent parameter is within the third threshold is determined to be fraudulent. On the other hand, distance from other fraud parameters may be further considered.
For example, if a fraudulent parameter equal to or greater than the first threshold exists within a range within a third threshold from the target parameter, action request information including the target parameter may be determined to be fraudulent. In addition, if there are invalid parameters at a rate equal to or greater than the second threshold among the action contents whose distance from the target parameter is within the third threshold, the action request information including the target parameter is determined to be invalid. Good too.

[Modification 2]
In the above embodiment, when the determination in step S2 is YES, the process in step S3 is executed. However, it is also possible to perform the process in step S3 first and execute the process in step S2 when it is determined to be YES in step S3. You can. Even in this case, similarly to the above embodiment, if YES is determined in both step S2 and step S3, the target parameter is detected as an incorrect parameter.
Further, in the above embodiment, an example is shown in which both step S2 and step S3 are performed, but only either step S2 or step S3 may be performed.

[Modification 3]
In the above embodiment, the fraud detection device 10 and the service server 20 are provided separately, and the fraud detection device 10 is configured to receive action request information transmitted from the user terminal 30 via the service server 20. , but not limited to.
For example, each service server 20 may function as the fraud detection device 10. In this case, the control unit (processor) of each service server 20 reads and executes the fraud detection program stored in the storage unit, so that the request reception unit 131, association unit 132, fraud parameter detection unit 133, list registration unit 134 , a graph creation section 135, and a fraud determination section 136.

1... Fraud detection system, 10... Fraud detection device, 11... Communication unit, 12... Storage unit, 13... Control unit, 20... Service server, 30... User terminal, 131... Request receiving unit, 132... Association unit, 133 . . . Fraud parameter detection unit, 134 . . . List registration unit, 135 .

Claims (7)

a request receiving unit that receives action request information that requests execution of a predetermined action and includes action content that is the content of the action and a plurality of parameters when requesting the action;
The action content included in one piece of action request information and a plurality of the parameters are associated with each other, and the parameter of the newly received action request information is the parameter included in the previously received action request information. an association unit that associates the action contents associated with the parameter with each other when the parameter is the same as the parameter;
a fraud determining unit that determines whether or not the newly received action content is a fraudulent fraudulent action based on a block list that records fraudulent parameters that are the parameters that should be determined to be fraudulent;
A fraud detection device comprising: a list registration unit that registers the parameter as the fraud parameter in the block list when the fraud action associated with the parameter received in the past satisfies a predetermined condition. The list registration unit registers the parameter as a fraudulent parameter when a number of fraudulent actions equal to or greater than a first threshold are associated with the parameter received in the past.
The fraud detection device according to claim 1. The list registration unit determines when, among the plurality of action contents associated with the parameter included in the action request information received in the past, a proportion of the action contents equal to or higher than a second threshold value are the fraudulent actions. , registering the parameter as the invalid parameter;
The fraud detection device according to claim 1. The action content that is associated with the fraudulent parameter and does not include the fraudulent action is a fraudulent action candidate with a distance of 1, and the parameter that is associated with the fraudulent action candidate with a distance of 1 is The parameter that does not include a fraudulent parameter is defined as a fraudulent parameter candidate with a distance of 1, and the action content that is associated with a fraudulent parameter candidate with a distance of i and that does not include a fraudulent action candidate with a distance of i is defined as a distance. is a fraudulent action candidate with a distance of i+1, and the parameter that is associated with a fraudulent action candidate with a distance of i+1 and does not include a fraudulent parameter candidate with a distance of i is a fraudulent parameter candidate with a distance of i+1. ,
The fraud determining unit determines that the newly received action request information is fraudulent if a distance from the fraudulent parameter of a parameter included in the newly received action request information is within a third threshold.
The fraud detection device according to any one of claims 1 to 3. The action content and the parameter are used as nodes, a pair of nodes corresponding to the action content and the parameter that are associated with each other are connected by a link, and the node corresponding to the invalid parameter is connected to the node of the other parameter. further comprising a graph creation unit that creates a network graph displayed in a display format different from the
The fraud detection device according to any one of claims 1 to 4. A fraud detection method for detecting fraud in action request information sent by a computer from a user terminal requesting execution of a predetermined action, the method comprising:
The action request information includes action content that is the content of the action and a plurality of parameters when requesting the action,
The computer includes a request reception unit, an association unit, a fraud determination unit, and a list registration unit,
a request receiving step in which the request receiving unit receives the action request information;
The association unit associates the action content included in one piece of the action request information with a plurality of the parameters, and the parameter of the newly received action request information corresponds to the action request received in the past. an associating step of associating the action contents associated with the parameters when they are the same as the parameters included in the information;
a fraud determination step in which the fraud determination unit determines whether or not the newly received action content is a fraudulent action based on a block list that records fraud parameters that are the parameters to be determined as fraud; ,
a list registration step in which the list registration unit registers the parameter as the fraudulent parameter in the block list if the fraudulent action associated with the previously received parameter satisfies a predetermined condition;
A fraud detection method that implements. A fraud detection program readable and executable by a computer,
A fraud detection program that causes the computer to function as the fraud detection device according to any one of claims 1 to 5.

Images