JP2001202333A - Illegal hacker detecting server and recording medium - Google Patents

Abstract

PROBLEM TO BE SOLVED: To speedily discover the presence of a hacker who hacks a certain specified network and acts as a regular user. SOLUTION: This device is provided with a packet acquiring/selecting means 10 for a acquiring and selecting a prescribed packet flowing on the specified computer network, a user data preparing means 21 for preparing feature data with which the personal features of a user transmitting the prescribed packet selected by the packet acquiring/selecting means 10 are digitized as user data on the basis of information provided from the relevant packet, and an auditing data storage part 30 for preparing the feature data with which the personal features of the regular user on the specified computer network are digitized on the basis of information provided from packets transmitted by the relevant regular user in the past and recording these data as auditing data. The user data prepared by the user data preparing means 21 are compared with the auditing data recorded in the auditing data storage part 30 by a user deciding means 22, and it is decided whether or not a user corresponding to the relevant user data is the regular user on the specified computer network.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to an unauthorized intruder detection server for detecting an unauthorized intruder into a computer network, and a program for determining whether or not an unauthorized intruder has been invaded by the unauthorized intruder detection server. The present invention relates to a recorded computer-readable recording medium.

[0002]

2. Description of the Related Art Computer networks are rapidly expanding from academic networks to corporations and homes. On the other hand, there is a problem of unauthorized access to machines that are not permitted to access from outside using these networks, and unauthorized access by internal parties. A person who performs such unauthorized access (intruder) intrudes into a computer system such as an individual or a company by impersonating an internal regular user, and exploits, destroys, or hinders the operation of information, resulting in great damage. There is.

[0003]

In recent years, among such unauthorized accesses, for example, the discovery of an intruder who attempts unauthorized access to a specific computer network from the outside has been recently performed by detecting some intruders. System (In
The trusion detection system (IDS) has been developed.
However, these systems basically use a database of known intrusion methods and security holes, and only detect unauthorized access by checking the monitored packets against intrusion methods in the database. It is. In other words, since these intruder detection systems reject intrusions into the network, they are useful for preventing unauthorized access before they occur. If intruded, it does not help to later find the intruder. New methods are being developed every day for intrusion methods and the like, and it is difficult to ensure thoroughness only with the above-mentioned intruder detection system that is based on the premise of checking with known intrusion methods and the like. Also, once an intruder impersonating a legitimate user is left undiscovered after invading the network, the longer the idle time, the greater the damage caused by it.

[0004] Such a situation also applies to an insider who attempts to gain unauthorized access to a machine, a file, or the like, to which access is restricted. It cannot be prevented by an intruder detection system that detects intruders. In this specification, an intruder is also referred to as a third party who intrudes from the outside, as well as an insider who performs such unauthorized access.

[0005] The present invention has been made in view of the above points, and in addition to an intruder trying to invade a specific network, there is also an intruder who invades the specific network and impersonates a legitimate user. It is an object of the present invention to provide an intruder detection server capable of detecting an intruder at an early stage and minimizing damage caused by unauthorized access, and a recording medium recording a program capable of detecting an intruder by being installed in a computer. .

[0006]

In order to solve the above-mentioned problems, an unauthorized intruder detection server according to the present invention obtains predetermined information flowing through a specific computer network, and based on this information, User data creation means for creating, as user data, feature data obtained by digitizing personal characteristics of a user who transmitted the information; and feature data obtained by digitizing personal features of a regular user in the specific computer network, An audit data storage unit created based on information transmitted by the user in the past and recorded as audit data, and the user data created by the user data creation unit, the audit data recorded in the audit data storage unit Compared with, the user corresponding to the user data, in the specific computer network ; And a user determination means for determining whether the regulations user, wherein said are intended to be placed on a particular computer network.

According to a second aspect of the present invention, there is provided an unauthorized intruder detection server for acquiring a predetermined packet flowing through a specific computer network, and selecting a predetermined packet from the acquired packets. A user data creation unit for creating, as user data, feature data obtained by quantifying personal features of a user who transmitted the packet based on information obtained from a predetermined packet selected by the packet acquisition / selection unit; Characteristic data in which the personal characteristics of a legitimate user in the computer network are digitized, created based on information obtained from a packet transmitted by the legitimate user in the past, and an audit data storage unit recorded as audit data. The user data created by the user data creating means, Comparing the audit data recorded in the data storage unit and determining whether or not the user corresponding to the user data is an authorized user in the specific computer network; It is characterized by being arranged on a network.

According to a third aspect of the present invention, there is provided an unauthorized intruder detection server according to the first or second aspect, wherein the server is determined to be user data relating to an authorized user by the user determination means. Further, the audit data recorded in the audit data storage unit is sequentially updated with the latest user data and recorded.

According to a fourth aspect of the present invention, there is provided an unauthorized intruder detection server according to any one of the first to third aspects, wherein the information acquired to create the characteristic data is provided. Is the arrival time of the information or packet,
It is characterized by being at least one of the key information input by the user who transmitted the information or the packet.

According to a fifth aspect of the present invention, there is provided an unauthorized intruder detection server according to the fourth aspect, wherein each time the user performs an input operation while logging in to the specific network, The key information is obtained, and the user data created by the user data creating means is:
It is characterized by being sequentially updated based on the key information.

According to a sixth aspect of the present invention, there is provided an unauthorized intruder detection server according to any one of the first to fifth aspects, wherein the intruder detection server is used as the user data and the audit data. The feature data includes a table created by arranging the occurrence probabilities of the input characters in descending order, and the user determination unit determines the difference between the two created tables to determine whether the user is an authorized user. It is characterized by having a function to perform.

According to a seventh aspect of the present invention, there is provided an unauthorized intruder detection server according to any one of the first to sixth aspects, wherein the intruder detection server is used as the user data and audit data. The feature data includes a two-dimensional array table in which, for two consecutively input characters, the ASCII code of the previously input character is set as a row and the ASCII code of the input character is set as a column. Wherein the user determination means has a function of determining whether or not the user is a legitimate user based on a difference in occurrence probabilities of two characters continuously input from the two created tables. And

According to an eighth aspect of the present invention, there is provided an unauthorized intruder detection server according to any one of the first to seventh aspects, wherein the intruder detection server is used as the user data and the audit data. In the feature data, the ASCII code of the previously input character is created as a line for the two consecutively input characters, and the ASCII code of the later input character is created as a column.
The table includes a two-dimensional array table in which transition probabilities from a certain character to a next character are stored. In the user determination unit, two characters consecutively input from the two created tables are included. Is characterized in that it has a function of determining whether or not the user is a legitimate user based on the difference in the transition probabilities of.

According to a ninth aspect of the present invention, there is provided an unauthorized intruder detection server according to any one of the first to eighth aspects, wherein the intruder detection server is used as the user data and the audit data. In the feature data, among the input characters, for the two characters consecutively input in the command and its argument, the ASCII code of the character input first is lined, and the ASCII code of the character input later Contains a two-dimensional array table created as a column,
The user judging means has a function of judging whether or not the user is a legitimate user based on a difference in the occurrence probabilities of the two consecutively input characters from the two created tables. .

According to a tenth aspect of the present invention, there is provided an unauthorized intruder detection server according to any one of the first to ninth aspects, wherein the intruder detection server is used as the user data and the audit data. In the feature data, among the input characters, for the two characters consecutively input in the command and its argument, the ASCII code of the character input first is lined, and the ASCII code of the character input later And a two-dimensional array table in which, for two consecutive characters, a transition probability from one character to the next occurring character is stored. A function of determining whether or not the user is a legitimate user based on the difference in transition probabilities of the two consecutively inputted characters from the two tables.

According to an eleventh aspect of the present invention, there is provided an unauthorized intruder detection server according to any one of the sixth to tenth aspects, wherein the user determining means includes user data and audit data. And a calculation method for calculating a difference between each occurrence probability or each transition probability as a distance value, and a determination method for determining whether or not the user is a legitimate user by using the distance value.

According to a twelfth aspect of the present invention, there is provided an unauthorized intruder detection server according to any one of the sixth to tenth aspects, wherein the user determining means includes user data and audit data. A calculation method of calculating a correlation coefficient from each occurrence probability or each transition probability in the above, and a determination method of determining whether the user is an authorized user by comparing the correlation coefficient with a predetermined threshold It is characterized by being.

According to a thirteenth aspect of the present invention, there is provided an unauthorized intruder detection server according to any one of the first to twelfth aspects, wherein the intruder detection server is used as the user data and the audit data. The characteristic data includes the time of the typing interval of the input character, and the user determination unit determines whether or not the user is a regular user based on the typing interval in the user data and the typing interval in the audit data. It is characterized by having a function.

According to a fourteenth aspect of the present invention, a computer readable recording medium obtains predetermined information flowing through a specific computer network, and digitizes personal characteristics of a user who transmitted the information based on the information. User data creating step of creating the feature data as user data, and creating feature data in which the personal features of the authorized user in the specific computer network are quantified based on information transmitted by the authorized user in the past, Comparing the audit data stored in the audit data storage unit with the audit data stored in the audit data storage unit, and the user data created in the user data creation step, corresponding to the user data. The user is authorized to use the legitimate computer network A user determining step of determining whether or not the intruder is a user, and recording a program for determining whether or not an unauthorized intruder has entered by a computer arranged on the specific computer network. Features.

According to a fifteenth aspect of the present invention, a computer readable recording medium of the present invention obtains a predetermined packet flowing through a specific computer network, and selects a predetermined packet from the obtained packets. A user data creation step of creating, as user data, feature data obtained by quantifying personal features of a user who transmitted the packet based on information obtained from a predetermined packet selected by the packet selection step; An audit data storage step of creating feature data obtained by digitizing the personal features of the authorized user based on information obtained from packets transmitted by the authorized user in the past, and recording the audit data in the audit data storage unit. The user data creation step Comparing the created user data with the audit data recorded in the audit data storage unit, and determining whether the user corresponding to the user data is an authorized user in the specific computer network. And recording a program for determining whether or not an unauthorized intruder has entered by a computer arranged on the specific computer network.

[0021] A computer readable recording medium of the present invention according to claim 16 is the computer readable recording medium according to claim 14 or 15, wherein the characteristic data used as the user data and the audit data. And creating a table by arranging the occurrence probabilities of the input characters in descending order. The user determining step includes a function of determining a difference between the two created tables to determine whether the user is a legitimate user. It is characterized by having.

A computer-readable recording medium according to a seventeenth aspect of the present invention is the computer-readable recording medium according to any one of the fourteenth to sixteenth aspects, and is used as the user data and the audit data. Creating the feature data as a two-dimensional array table in which, for two consecutively input characters, the ASCII code of the previously input character is lined and the ASCII code of the later input character is a column The user determining step includes a function of determining whether or not the user is a legitimate user based on a difference in occurrence probability of two characters continuously input from the two created tables. It is characterized by.

A computer-readable recording medium according to the present invention is the computer-readable recording medium according to any one of claims 14 to 17, and is used as the user data and the audit data. For the two consecutively input characters, the ASCII code of the previously input character is set as a line, the ASCII code of the second input character is set as a column, and two consecutive characters are input. A step of creating a two-dimensional array table in which transition probabilities from the character to the next occurring character are stored. In the user determination step, two consecutively inputted two tables are created from the two created tables. It has a function of determining whether or not the user is a legitimate user based on a difference in transition probabilities of characters.

According to a nineteenth aspect of the present invention, a computer-readable recording medium according to any one of the fourteenth to eighteenth aspects is used as the user data and the audit data. For the two characters consecutively entered in the command and its arguments among the inputted characters, the ASCII code of the previously entered character is executed, and A step of creating a two-dimensional array table having codes as columns, wherein the user determination step is based on a difference in the occurrence probabilities of the two consecutively input characters from the two created tables. And a function of determining whether the user is an authorized user.

According to a twentieth aspect of the present invention, a computer readable recording medium according to any one of the fourteenth to nineteenth aspects is used as the user data and the audit data. For the two characters consecutively entered in the command and its arguments among the inputted characters, the ASCII code of the previously entered character is executed, and The method includes the steps of creating a code as a column and creating a two-dimensional array table in which transition probabilities from one character to the next occurring character are stored for two consecutive characters. From the two tables, it is determined whether or not the user is a legitimate user based on the difference in transition probabilities of the two characters that are consecutively input. Characterized in that a function of.

A computer-readable recording medium according to a twenty-first aspect of the present invention is the computer-readable recording medium according to any one of the sixteenth to twentieth aspects, wherein the user determining step includes the step of determining user data and It is characterized by comprising a calculation method of calculating the difference between each occurrence probability or each transition probability in the audit data as a distance value, and a determination method of determining whether or not the user is a legitimate user using the distance value. I do.

A computer-readable recording medium according to a twenty-second aspect of the present invention is the computer-readable recording medium according to any one of the sixteenth to twentieth aspects, wherein the user judging step comprises the steps of: A calculation method of calculating a correlation coefficient from each occurrence probability or each transition probability in the audit data, and a determination method of determining whether or not the user is an authorized user by comparing the correlation coefficient with a predetermined threshold value It is characterized by having.

A computer readable recording medium according to the present invention according to claim 23 is the computer readable recording medium according to any one of claims 14 to 22, and is used as the user data and the audit data. Creating the characteristic data from the time of the typing interval of the input characters, wherein the user determining step determines whether the user is a regular user based on the typing interval in the user data and the typing interval in the audit data. It has a function of determining whether

[0029]

DESCRIPTION OF THE PREFERRED EMBODIMENTS Hereinafter, embodiments of the present invention will be described in more detail with reference to the drawings. FIG. 1 is a system configuration diagram of an unauthorized intruder detection server according to one embodiment of the present invention. The computer constituting the unauthorized intruder detection server includes a packet acquisition / selection unit 10 and a user determination unit 20.
And an audit data storage unit 30 and the like.

The packet acquisition / selection means 10 is a LAN device 11 such as an Ethernet device.
A packet collection device (for example, nit (Network Interface Tap) provided as a pseudo device in SunOS) 12 that collects a packet through the network, and a packet that selects a predetermined packet from the packets collected by the packet collection device 12 And a packet filtering program 13 for executing the selecting step.

As the predetermined packet, for example, rlogin or telnet which are applications for remote login can be used. The reason for using rlogin and telnet is
This is because the user's input data can be directly viewed. However, the method is not limited to this, and h
It is also possible to adopt a configuration in which the contents of a file transferred at http. In addition, a character string used in a file name remaining in a log is obtained and selected as information, not limited to a packet sent as a packet as described above, and based on this information, a user data creation unit 21 described later A configuration for creating feature data may also be used. In this case, instead of the packet acquisition / selection unit 10 of the present embodiment, a unit capable of acquiring and selecting such information is adopted.

The user judgment section 20 stores user data creation means 21 and user data judgment means 22 as programs. The user data creation means 21
Based on information obtained from a predetermined packet (rlogin and telnet) selected by the packet acquisition / selection means 10, a step of creating, as user data, characteristic data in which personal characteristics of a user who transmitted the packet are digitized. Is a program that executes Various means are conceivable as means for creating feature data in which the personal characteristics of the user are quantified, and preferred means used in the present embodiment will be described later.

The user data created by the user data creating means 21 is recorded in the memory (main storage unit) only during login to a specific computer network in which the unauthorized intruder detection server is located. It is deleted when you log out of the computer network. Further, as described later, in the present embodiment, when the feature data is created, the key information (ASCII code) input by the user included in each of the above packets is input.
Is updated every time the user inputs characters during login.

However, if the user data created by the user data creating means 21 is determined to be related to an authorized user, the user data is deleted from the above-mentioned memory (main storage unit) by logout. However, at the same time, the audit data storage unit 3 formed in the storage device
It is used as the audit data of the legitimate user recorded in 0. Therefore, each time new user data relating to the authorized user is created, the audit data is sequentially updated with the new user data.

Here, the audit data recorded in the audit data storage unit 30 is characteristic data obtained by quantifying personal characteristics of an authorized user in a specific computer network. The specific method of creating the feature data is the same as the method of creating the feature data used as the user data. The details will be described later, but the creation method is based on information obtained from packets transmitted by the legitimate user in the past. This is recorded in the audit data storage unit 30 by the audit data storage step included in the program, and is updated each time new user data relating to the authorized user is created as described above. .

The user data determining means 22 converts the user data created by the user data creating means 21 into
This is a program for executing a step of comparing with audit data recorded in an audit data storage unit to determine whether or not the user is an authorized user. This program uses a different calculation method depending on the means for creating feature data used as user data or audit data, and based on the calculation result, determines whether or not the user is an authorized user.
This will be described later together with a feature data creation unit.

Next, a description will be given of the means for creating feature data used as user data or audit data included in the program of the present embodiment, and the user data determining means 22 used in correspondence with each means for creating feature data. Several techniques are described.

1. Method 1 (1) Means for Creating Feature Data The occurrence probabilities of the characters input in each packet of rlogin and telnet are calculated, and the occurrence probabilities are arranged in a descending order into a table. The ASCII code of the target character is limited to 128 7-bit characters specified by NVT ASCII. This is the data in the packet that flows from the client, characters of 8 bits or more are mainly used in Japanese, but are rarely used in rlogin or telnet for command input on the terminal, and should be investigated. This is because if the number of characters is 256, the storage capacity will be consumed more.

(2) Calculation Method in User Data Determining Means The above table created as user data is compared with the above table created as audit data recorded in the audit data storage unit 30 to determine a difference. . That is, first, the ASCII code is set to i (0 ≦ i ≦ 127). For the table related to the audit data, the occurrence probabilities of all characters

(Equation 1) And the order of ASCII code i when these are arranged in descending order is

(Equation 2) And Similarly, for the user data, the probability of occurrence of the ASCII code i is

(Equation 3) And the order of ASCII code i when these are arranged in descending order is

(Equation 4) And

Then, the distance D ⁽¹⁾ is obtained by the following equations (1) and (2). In general, the larger the value of the distance D ⁽¹⁾ , the smaller the possibility that the logged-in user is an authorized user, and the smaller the value of the distance D ⁽¹⁾ , the more likely the logged-in user is an authorized user. Is high. In the following equation (1), n ₁ = 127.

(Equation 5)

(Equation 6)

In the above formula (1), individual distances are obtained for each set of two characters having the same ASCII code in the audit data and the user data, and the total distance is calculated. The three items are multiplied so that the distance becomes a large value according to the occurrence probability and the difference in the rank. In the first and second items in the equation (1), the difference between the probability of two characters and the difference between the ranks are multiplied. In the third item, it is considered that a character with a higher occurrence probability indicates the characteristic of the user, and a weight is applied according to the height of the rank of the set of two characters. Also, the distance D obtained by the above equation (2)
⁽¹⁾ has the following features a and b.

A. If the character with the higher (lower) occurrence probability in the audit data changes in the user data, the rate of increase in the distance value is large (small). When there is not much change, the reduction rate is large (small). b. In the audit data and the user data, the rate of change in the distance value is greater (smaller) as the change in rank between the corresponding two characters is greater (smaller).

In order to reduce the load on the server, the above-described determination means is executed every time, for example, 60 characters are input during login to obtain the distance D ⁽¹⁾ .

If the intruder is not determined when logging out, the following formulas (3) and (4) are used.

(Equation 7) as well as

(Equation 8) And the probability of occurrence

(Equation 9) In descending order,

(Equation 10) And These are recorded in the audit data storage unit 30 as new audit data.

[Equation 11]

(Equation 12)

2. Method 2 (1) Means for creating feature data The probability of occurrence of two consecutively input characters included in each packet of rlogin and telnet is calculated, the ASCII code of the previously input character is lined, and the character code is input later. 2 with 128 × 128 elements with ASCII codes of characters
Make a table with a dimensional array. The ASCII code of the target character is limited to 128 7-bit characters specified by NVT ASCII, as in Method 1.

(2) Calculation Method in User Data Determining Unit The above table created as user data is compared with the above table created as audit data recorded in the audit data storage unit 30, and a difference is obtained. .

That is, first, the ASCII code is set to i (0
≤ i ≤ 127), the row of the two-dimensional array is i, and the column is j. A table of a two-dimensional array stored as audit data is defined as X2 _ij , and a table of a two-dimensional array of user data is defined as Y2 _ij . Table X2 _ij , Y2
_ij is a connection probability between two characters, where i and j are ASCII codes, and is obtained by the following equations (5) and (6). Note that _Y2ij is obtained from the current input character. X2
_ij is obtained when the user logged out last time. X2 _ij = Pr (i, j) (5) Y2 _ij = Pr (i, j) (6) where n ₂ = 127,

(Equation 13) Becomes From these, the distance D ^{(2) is obtained} by the following equation (8).

[Equation 14]

The distance D ⁽²⁾ is a two-dimensional array X2 _ij , Y2
_{ij is} the total value of the absolute values of the differences between the elements of _ij .
From Expression (7), the maximum value of the distance D ⁽²⁾ is 1.0.

The logged-in user is an authorized user,
If you enter the same command as the last time, Y2 _ij becomes X
As the distance approaches _2ij , the distance also decreases. Conversely, if you start entering a different command, X2 _ij and Y2
_ij has a different distribution on the two-dimensional array, and the distance also becomes larger.

In order to reduce the load on the server, the above-mentioned determination means is executed every time, for example, 50 characters are input during login to obtain the distance D ⁽¹⁾ .

If the intruder is not determined at the time of logout, X2 _ij and T2 are _calculated by the following equations (9) and (10).
^X2 is obtained and recorded in the audit data storage unit 30 as new audit data. However, (0 ≦ i, j ≦ 127). ^{_{X2 ij = (X2 ij T X2}} + Y2 ij T Y2) / (T X2 + T Y2) (9) T X2 = T X2 + T Y2 (10)

3. Method 3 (1) Means for Creating Feature Data First, for two consecutively input characters included in each packet of rlogin and telnet, the ASCII code of the previously input character is lined, and The table is a two-dimensional array table having 128 × 128 elements in which ASCII codes are arranged as columns. Further, a state transition diagram is assumed on this table, and the transition probability from one character to the next occurring character is stored. The ASCII code of the target character is NVTASC in the same manner as in Methods 1 and 2.
Limited to 128 7-bit characters specified in II.

(2) Calculation Method in User Data Determining Means The above table created as user data is compared with the above table created as audit data recorded in the audit data storage unit 30 to determine a difference. .

That is, first, the ASCII code is set to i (0
≤ i ≤ 127), the row of the two-dimensional array is i, and the column is j. A table of a two-dimensional array stored as audit data is defined as X3 _ij , and a table of a two-dimensional array of user data is defined as Y3 _ij . Table X3 _ij , Y3
_ij is a conditional probability between two characters and is obtained by the following equation (11).

(Equation 15) Here, n3 = 127, (i = 0,..., 127)

(Equation 16) Becomes Further, assuming that the total number of characters input after the user has logged in is T ^Y3 and that the character input at the _u-th character is s _u (0 ≦ s _u ≦ 127), the set s of the input characters is It is represented as s = {s0, s1,..., sT ^Y3 }, # s = T ^Y3 (13) From these, _au = _su−1 , _bu = _su , and the distance D
^{(3) is obtained} by the following equation (14).

[Equation 17]

[0055] equation (14), the distance ^{D (3)} is increased when the user _{Y 3} in which the user (regular user) _{X 3} has logged much used not character began to use, it has been used by the _{X 3} well It decreases when the character just the started using the Y _3. Also, the character X ₃ was using, does not change much when Y ₃ is used in the same proportions.

In order to reduce the load on the server, the determination means obtains the distance D ⁽³⁾ every time 70 characters are input during login, for example.

[0057] If it is determined that an intruder when logging out, the following equation (15), (16), (17) by ^{_X3 ij, T _X3, T} 'seek _l ^X3, new _{X 3} audit data Is recorded in the audit data storage unit 30. Here, (0 ≦ i, j, l ≦ 127). _{X3 ij = (X3 ij T '} j X3 T X3 + Y3 ij T' j Y3) / (T 'i X3 + T' i Y3) (15) T X3 = T X3 + T Y3 (16) T 'l X3 = T' _l ^X3 + T ' _l ^Y3 (17)

(Examples 1 to 3) Using the above-mentioned methods 1 to 3, evaluation experiments were conducted by a plurality of users for about one month. The unauthorized intruder detection server (CPU: SuperSPARC, memory: 64 Mby) used in the embodiment.
te, OS: SunOS 4.1.4) 1 is arranged on the same network as shown in FIG. 2 in order to monitor packets to four host computers (UNIX servers) 2 to 5, as shown in FIG. The data transmitted to the host computers 2 to 5 via the Internet and the data flowing through the internal network between the host computers 2 to 5 are all arranged to be monitored by the intruder detection server 1. .

FIG. 3 shows experimental results obtained by the method 1 (Example 1). FIG. 3 shows the experimental results of two representative users, user D and user E.
The data for the eighth login and the user E are data for the fifth and eleventh logins.

As is apparent from FIG. 3, the result of the second user D sharply increases. This is because this is the second login, and the audit data recorded in the audit data storage unit 30 does not sufficiently show the characteristics of the individual. On the other hand, in the graph of the user E, the fifth and eleventh
There is little difference from the second login. Therefore, it can be seen that the distance becomes smaller as the characteristics of the person appear, and the graph as a whole also decreases.

FIG. 4 (Example 2) shows the results of the experiment by Method 2, and FIG. 5 (Example 3) shows the results of the experiment by Method 3. These also show the experimental results of typical users D and E, and the graphs of the entire users D and E decrease as the number of logins increases. Thus, it can be said that the audit data more accurately represents the characteristics of the user by increasing the number of times the authorized user logs in.

Next, the user determination means 22 calculates the distances D ⁽¹⁾ , D
^{(2) A} description will be given of a determination method for determining whether or not an authorized user is available using D ⁽³⁾ . As described above, in general, the calculated distance D
^The smaller the values of ⁽¹⁾ , D ⁽²⁾ , and D ⁽³⁾ , the higher the possibility that the user is the same as the user who has been approved as the authorized user in the previous login, indicating that the value is higher. When an apparently large value appears, it can be determined that there is a high possibility that the user is an impersonator (intruder).

However, it is generally unlikely that the same command sequence is input every time. If the user is a regular user, it is supposed that the command sequence gradually decreases while changing up and down in the graphs shown in FIGS. Conceivable. Therefore,
To more accurately determine whether a user is a legitimate user, the graph shows how the distance value obtained from the currently logged-in user has decreased compared to the distance value obtained by logging in the same user up to the previous time. It is preferable to consider the area above.

First, as preparation for that, an average value and a 90% confidence interval are obtained from the distance values obtained in the previous login. When obtaining the area, the distance value obtained by the previous login is subtracted from the distance value obtained by the currently logged-in user, and the obtained value is added. As described above, if the value added until logout is the area, theoretically, if the area increases, it will be separated from the characteristics of the audit data, and if it decreases, the input according to the characteristics of the audit data will be input And 90%
If the area value is within the confidence interval, the area value becomes a negative value. Therefore, if the area value is positive, it can be determined that the user is an impersonator (intruder), and if the area value is negative, it can be determined that the user is a legitimate user.

Table 1 shows that two users (spoofing users) are intentionally impersonated as legitimate users A and B to log in, and the distance value is calculated based on each of the above methods 1 to 3, and 90% It is an experimental result which calculated the area exceeding the confidence limit. That is, the audit data is created by logging in to the authorized users A and B up to a predetermined number of logins, and then the area when the impersonated user is logged in is calculated.

[0066]

[Table 1]

As can be seen from Table 1, the method 1 and method 2 have small area values, and it cannot be said that the determination is clear, but the method 3 significantly increases the area value. Therefore, from the experimental results, it can be said that if the area value is a positive value, there is a high possibility that the user is an impersonator (intruder).

4. Method 4 (1) Means for creating feature data The probability of occurrence of two consecutively input characters included in each packet of rlogin and telnet is calculated, the ASCII code of the previously input character is lined, and the input is performed later. 2 with 128 × 128 elements with ASCII codes of characters
Make a table with a dimensional array. However, the table of the user data stores the data of the occurrence probability and the total number of input characters, and the data of the occurrence probability is updated every time one character is input. Further, the audit data includes the occurrence probability data updated by the previous (past) login and the sum total of the number of characters input by all the logins so far.

Unlike the first to third methods, the ASCII codes of the target characters are only 94 characters from ASCII codes 33 to 126 among 128 characters of 7-bit characters specified by NVT ASCII. . The ASCII codes from 0 to 32 and 127 are
It is called a control code, and corresponds to input other than characters such as the Enter key and the space key. Since these characters are commonly used, if these characters are included, other characters (command and These control codes reduce the amount of information of characters (characters used for the argument). Therefore, in order to create feature data in which the personal features of the user appear more prominently, the present method is limited to 94 characters of ASCII codes 33 to 126. It should be noted that, even when creating the feature data in the above methods 1 to 3, the feature data can be made more conspicuous by limiting to these 94 characters.

(2) Calculation Method in User Data Determining Means The above table created as user data is compared with the above table created as audit data recorded in the audit data storage unit 30, and the two are compared. The number of relations is obtained, and whether or not the user is an authorized user is determined based on whether or not the correlation coefficient is larger than a certain threshold.

Table Y 'of occurrence probabilities between two characters before and after typed obtained from the logged-in user
_{Assuming that} the total number of characters is k for _{C1 and C2} , the following equation (1)
8) and (19). C1 is the ASCII code of the character just typed, and C2 is the ASCII code of the currently typed character. Here, since the target characters are 94 characters from the ASCII code Nos. 33 to 126, k = 94. Note that, for convenience of the symbols, ASCII code No. 33 is made to correspond to 0, and 0 ≦ C1 and C2 ≦ 93.

[0072]

(Equation 18)

[Equation 19]

Similarly, tables X ′ _{C1 and C2 of the} probability of occurrence between two characters of the audit data are also _expressed by the following equations (20) and (2).
Determined by 1).

(Equation 20)

(Equation 21)

Next, in order to numerically determine the difference between the tables of the occurrence probabilities of the audit data and the user data, the correlation coefficient between the two data is determined as follows.

First, respective characteristic vectors are obtained from the tables of the occurrence probabilities of the audit data and the user data by the following equations (22) and (23).

(Equation 22)

(Equation 23)

These feature vectors are generated from the occurrence probabilities as follows. M is the number of elements in the two-dimensional table of occurrence probabilities. From 94 × 94 = 8836, m = 88
36. Also, the correspondence between the table of occurrence probabilities and the elements of the vector is Y ' _{C1, C2} = Y
_{(C1 × 94 + C2)} , _{X′C1, C2} = X
_{(C1 × 94 + C2)} .・ Each component has 2
The probability that characters occur consecutively.

From these, the correlation coefficient u ′ (x, y) is obtained by the following equation (24).

(Equation 24) here,

(Equation 25)

(Equation 26)

The inner product is the correlation coefficient represented by the equation (24). The inner product is the feature vector x and y of the audit data and the user data, and the occurrence probability of the same two characters (X _n1 , Y _n2 , n)
1 = n2), the higher the value, the larger the value. That is, in both data, the larger the number of frequently input character strings and the larger the number of characters constituting the character string, the larger the value.

The maximum value of the inner product is determined by the feature vectors x and y
, All elements having the same subscript are equal X _n1 =
Y _n1 , and at this time, the equations (25) and (2)
6)

[Equation 27]

[Equation 28] Therefore, the maximum value of the correlation coefficient is 1. At this time, the logged-in user has input the same characters as the audit data (regular user) in the same order.

Conversely, the minimum inner product means that, in the two feature vectors of the audit data and the user data, one of all elements having the same subscript is 0, and the inner product becomes 0 at this time. Become. Therefore, the minimum value of the correlation coefficient is 0
It is. At this time, the logged-in user has input characters in an order that has not been input in the audit data (authorized user).

From the above, the range of the correlation coefficient is 0 ≦ u ′.
(X, y) ≦ 1. Using this correlation coefficient u '(x, y), a certain threshold value Th is provided, and whether or not the threshold value is larger than the threshold value Th is determined as follows. u '(x, y) ≤Th: impersonating user u' (x, y) ≥Th: regular user

(Example 4) Using the above-described method 4, an evaluation experiment was performed for about two months according to the following procedure. Experiment 1: Threshold Th based on data of 9 valid users
To determine. Experiment 2: Using the threshold Th obtained in Experiment 1, the user at the time when the impersonated user logs in is determined.

The performance of the unauthorized intruder detection server and the arrangement conditions on the computer network used in this embodiment are the same as those in the first to third embodiments.

The determination of the threshold value Th was performed as follows. -A correlation coefficient is obtained by several logins of nine users. -Find the distribution of correlation coefficients for all nine people. From the large value of the correlation coefficient, a lower limit including 75% of the whole is obtained, and the value is set as the threshold Th.

When a system including an unauthorized intruder detection server of the present invention is actually used, the number of authorized user logs is larger than the number of impersonated user logs. In addition, one threshold is determined from the data of all nine persons, but it is also possible to determine the threshold separately for each user.
The average and standard deviation of all the correlation coefficients obtained in several logins of nine users (user1, user2,..., User9) were obtained for each user. Table 2 shows the results.

[0086]

[Table 2]

In the experiment, every time the user entered 40 characters after logging in, the correlation coefficient was obtained based on the characters entered after logging in. For example, in the case of logging in five times, if 400 characters were previously input, 50 correlation coefficients would be obtained. Then, using all the correlation coefficients obtained for each user, the average and standard deviation for all nine users were obtained. The number of data in Table 2 is the number of correlation coefficients obtained for each user.

From the correlation coefficient of nine persons, the average u ′ = 0.45
14. Standard deviation S ₂ = 0.3104 was obtained (in Table 2,
"All" row value). Further, if α = 0.675, the threshold value Th = 0.24 from Th = average u′−αS _2.
22 is obtained.

Next, in Experiment 2, the threshold Th was verified. That is, Table 3 shows the determination result when a certain unauthorized user (user11) impersonates one user in Experiment 1 and logs in. In this case, the impersonated user input about 360 same characters regardless of the impersonated user.

[0090]

[Table 3]

As shown in Table 3, out of the nine users, user8 and user9 made erroneous judgments, and thus the judgment success rate was 77.8%.

In the method 4, a command list that can be executed by a server to be logged in is created in advance and compared with an input character string as a means for determining a command when creating feature data. Can be adopted. However, it is preferable not to compare one command as a whole, but to compare only n characters (for example, 2 ≦ n ≦ 4) from the beginning.

Also, there is a great difference between the audit data generated from 100 or more characters input at login and the user data created at the time when about 10 to several tens of characters are input after login. There may be. Therefore, it is more preferable that a plurality of pieces of audit data are set for each number of input characters, and the audit data is compared with the audit data corresponding to the number of input characters.

5. Method 5 (1) Means for Creating Feature Data Since each packet of rlogin and telnet normally contains one character in one packet, the difference in character input time can be regarded as the difference in packet arrival time. it can. Therefore,
The feature data used as the user data can be created by measuring a typing interval during login, that is, a difference between arrival times of packets. The feature data used as the audit data can be created by recording all the typing intervals of the authorized user in the past at the time of login.

[0095] (2) user data calculation in the determining unit approaches n packets _{p 1, p 2, ···,} arrival time of the _{p n} is _{t 1, t 2, ···,} When _{t n,} typing interval _{is, t 2 -t 1, t 3} -t 2, can be calculated by ··· _{t n -t} n _-1. Then, the difference between the average value of the typing interval during login and the average value stored in the audit data is obtained, and the significance is examined by a t-test. Is determined.

First, an average value and a variance required for the t-test are obtained from the user data of the currently logged-in user as follows. In order to know the true typing interval of the user, it is necessary to exclude typing intervals other than when a command sequence is input. Therefore, the following conditions are provided. Condition 1: The time from pressing the Enter key to the first character of the next command is not considered. Condition 2: A time longer than 10 seconds is not considered. Condition 1 is for eliminating the user's thinking time until the next command is input, and Condition 2 is for eliminating the time when the input is temporarily interrupted during login.

Further, in order to exclude typing intervals other than those at the time of command input, the typing intervals satisfying the conditions 1 and 2

(Equation 29) And a 99% confidence limit is determined.

Then, condition 3 is further added. Condition 3: A typing interval larger than the upper limit of the 99% confidence limit of the typing interval satisfying the conditions 1 and 2 is not considered.

[0099] _n is extracted from log start until the N character input _y-number of typing interval _{t y, i (1 ≦ i} ≦
n _y )

[Equation 30] Is calculated by the following equations (29) and (30), respectively.

(Equation 31)

(Equation 32)

Then, the upper limit w of the 99% confidence limit is obtained by the following equation (31).

[Equation 33] Based on the condition 3, the number of typing intervals less than or equal to w and the number thereof are obtained, and the average and the variance are obtained again.

This will be described with reference to FIG. 6, which is a graph of typing intervals satisfying conditions 1 and 2 for a certain user, for example. The average obtained first for this user is 0.5624 sec, and the standard deviation is 1. At 0699 sec, the 99% confidence upper limit obtained therefrom is 3.3185.
sec. The value indicated by the arrow in FIG. 6 is a value larger than this time. The average obtained again excluding the typing interval exceeding the upper limit value from the condition 3 was 0.4093 sec, and the standard deviation was 0.5877 sec.

Next, a description will be given of a determination method using the t-test. For the audit data, the average and variance calculated in the same way as above are already calculated, and can be obtained from the audit data.

(Equation 34) The number of data typing interval is n _x, determined from the user data which is data in the log

(Equation 35) The number of data typing interval is n _y. The t value t _{xy is obtained} by the following equation (32).

[Equation 36]

Here, the null hypothesis (H
0) and the alternative hypothesis (H1) are set as follows.

Null hypothesis (H0): The relationship between audit data and user data

(37) , There is no significant difference, and the user of both data is the same user (determined as a regular user).

Alternative Hypothesis (H1): Audit Data and User Data

(38) , And the users of both data are different users (determined as impersonating user (intruder)). That is, H
If "0" is supported, it can be determined that the logged-in user is a legitimate user, and if rejected, it is a spoofed user.

(Embodiment 5) Using the above-described method 5, for the same nine users (user1, user2,..., User9) as in Experiments 1 and 2 in Embodiment 4 for about two months, An evaluation experiment was performed according to the following procedure.

Experiment 3: Characters entered by each user for six logins are stored in advance, and the L-th time (L> 2)
Judge the case where the impersonated user has logged in. However, the audit data is updated with the data of the L-th login of the authorized user stored in advance.

As the impersonating user, data of a user (userX) whose typing interval is short and which seems to be performing a blind touch was used. In addition, significance level 5%
T-test was performed. The performance of the unauthorized intruder detection server and the arrangement conditions on the computer network used in this embodiment are the same as those in the above-described first to fourth embodiments.

Table 4 shows the results of Experiment 3. In the table, "wrong"
Is a case where the user is determined to be a legitimate user, and “correct” is a case where the user is determined to be a spoofing user.

[0110]

[Table 4]

In Table 4, for example, "correct" at the sixth place of user2 is configured when userX logs in five times in a row, assuming that userX impersonated user6 for the sixth time. As a result of judging the audit data and the data of one login with userX as the user data of the sixth login, userX is determined to be an impersonated user.

Based on the above Table 4, when the determination results are totaled, the number of times that the user is determined to be a legitimate user is seven, the number of times that the user is determined to be a spoofed user is 38 times, The probability was 7/45 = about 16%. Therefore, the present embodiment has a high determination success rate, and as is apparent from Table 4 above, depending on the user,
A determination success rate of 00% is obtained.

Table 5 below shows the audit data of each user and the user data of userX when the last login was determined in Experiment 3.

[0114]

[Table 5]

Here, looking at Table 4, for example, in the column of user1, the impersonated user is erroneously determined to be a legitimate user. This depends on the network environment and line conditions.
It is considered that the cause is that an accurate typing interval cannot be known when the arrival of each packet is delayed and a plurality of packets are simultaneously received. However, as is apparent from Table 3 shown in Example 4 above, 2
When the method of determining the occurrence probability between characters by the correlation coefficient is adopted, the determination of the impersonating user in user1 is accurate. The method of determining with a correlation coefficient according to method 4 and the method of determining with a typing interval according to method 5 are independent data. Therefore, it is preferable that the user determination means 22 be set so that these two methods are used in combination, and that if it is determined that the user is an impersonator (intruder) by any of the methods, the user is recognized as an unauthorized access. .

This is the same for the methods 1 to 3, and it is not necessary to set only one of the methods, but to use each of them in combination with the method 5 or depending on the performance of the server. The determination success rate can be increased by arbitrarily combining methods 1 to 5.

Further, in order to increase the success rate of the determination in the method 5, the obtained typing intervals are classified and stored for each specific combination of two keys, and an average value and a standard deviation are obtained for each combination. It is preferable to make a comparison. In this case, it is more preferable that the target key be 94 characters of ASCII codes 33 to 126. In the case of 94 characters, there are 8836 combinations of the two keys. Among these combinations, there are values having a significant meaning in which the characteristics of a certain user are remarkably exhibited, and values not having such a meaning. Therefore, it is effective to remove the insignificant data for comparison and reduce the amount of calculation.

[0118]

According to the present invention, in addition to an intruder trying to invade a specific network, the existence of an intruder impersonating a legitimate user once invading the specific network can be detected at an early stage. Can be. Therefore, it is effective to minimize the damage caused by the unauthorized access by the intruder.

[Brief description of the drawings]

FIG. 1 is a configuration diagram of a main part of an unauthorized intruder detection server showing one embodiment of the present invention.

FIG. 2 is a diagram illustrating an example of an arrangement of a network of the unauthorized intruder detection server according to the embodiment;

FIG. 3 is a graph showing experimental results obtained by a method 1 (Example 1).

FIG. 4 is a graph showing experimental results obtained by a method 2 (Example 2).

FIG. 5 is a graph showing experimental results obtained by a method 3 (Example 3).

FIG. 6 is a graph of typing intervals satisfying conditions 1 and 2 in method 5;

[Explanation of symbols]

 DESCRIPTION OF SYMBOLS 1 Intrusion detection server 10 Packet acquisition / selection unit 20 User acquisition unit 21 User data creation unit 22 User determination unit 30 Audit data storage unit

 ──────────────────────────────────────────────────続 き Continuing on the front page (72) Inventor Yoshiaki Shiraishi 40-1 Kanaoka, Kawauchi-cho, Tokushima City, Tokushima Prefecture 3-208 (72) Inventor Takahiro Oya 232-1 Otsubo, Hachiman-cho, Tokushima City, Tokushima Prefecture Otsubo Housing 4-16 F term (reference) 5B017 AA01 BA02 BA09 BB02 BB09 CA16 5B085 AE02 BG07 5B089 GA11 KA17 KB13 KC15 KC21

Claims (23)

[Claims] 1. A user data generating means for obtaining predetermined information flowing through a specific computer network, and generating, as user data, characteristic data obtained by digitizing personal characteristics of a user who transmitted the information based on the information. An audit data storage unit in which characteristic data obtained by quantifying personal characteristics of an authorized user in the specific computer network is created based on information transmitted by the authorized user in the past, and is recorded as audit data; The user data created by the user data creation unit is compared with the audit data recorded in the audit data storage unit, and whether the user corresponding to the user data is a regular user in the specific computer network is determined. The specific computer network. An unauthorized intruder detection server, which is arranged on a network. 2. A packet acquisition / selection unit that acquires a predetermined packet flowing through a specific computer network and selects a predetermined packet from the acquired packets, and a predetermined packet selected by the packet acquisition / selection unit. User data creating means for creating, as user data, feature data obtained by digitizing personal characteristics of the user who transmitted the packet based on information obtained from the user; and digitizing personal characteristics of an authorized user in the specific computer network The characteristic data is created based on the information obtained from the packet transmitted by the legitimate user in the past, the audit data storage unit recorded as audit data, and the user data created by the user data creating unit Comparing with the audit data recorded in the audit data storage unit. User determination means for determining whether a user corresponding to the user data is a legitimate user in the specific computer network, wherein the user data is arranged on the specific computer network. Intrusion detection server. 3. The unauthorized intruder detection server according to claim 1, wherein the audit data recorded in the audit data storage unit when the user determination unit determines that the user data is related to an authorized user. Is sequentially updated with the latest user data and recorded. 4. The unauthorized intruder detection server according to claim 1, wherein the information acquired to create the characteristic data includes an arrival time of the information or the packet and the information. Alternatively, the intruder detection server is at least one of key information input by a user who transmitted the packet. 5. The unauthorized intruder detection server according to claim 4, wherein the key information is obtained each time the user performs an input operation while logging in to the specific network,
An unauthorized intruder detection server characterized in that user data created by the user data creation means is sequentially updated based on the key information. 6. The unauthorized intruder detection server according to claim 1, wherein the characteristic data used as the user data and the audit data includes an occurrence probability of an input character. A table created in descending order is included.
An intruder detection server having a function of determining whether a user is a legitimate user by determining a difference between the two tables. 7. The unauthorized intruder detection server according to claim 1, wherein the characteristic data used as the user data and the audit data includes two consecutively input two data. For the characters, the table includes a two-dimensional array table in which the ASCII code of the previously input character is set as a row and the ASCII code of the character input later is set as a column. An intruder detection server having a function of determining whether or not a user is a legitimate user based on a difference in occurrence probabilities of two characters consecutively input from two tables. 8. The unauthorized intruder detection server according to claim 1, wherein the characteristic data used as the user data and the audit data includes two consecutively input two data. For each character, the ASCII code of the previously input character is lined, and the ASCII code of the second input character is created as a column. For two consecutive characters, the transition probability from one character to the next occurring character is calculated. A stored two-dimensional array table is included, and the user determination unit determines whether the user is a regular user based on a difference in transition probabilities of two characters continuously input from the two created tables. An unauthorized intruder detection server characterized by having a function of determining whether or not the intruder is detected. 9. The unauthorized intruder detection server according to claim 1, wherein the characteristic data used as the user data and the audit data includes a command among input characters. And a two-dimensional array table created with the ASCII code of the previously input character as a line and the ASCII code of the later input character as a row for two characters consecutively input in the argument The user determination means has a function of determining whether or not the user is a legitimate user based on a difference in the occurrence probabilities of the two consecutively input characters from the two created tables. An unauthorized intruder detection server characterized by the following. 10. The unauthorized intruder detection server according to claim 1, wherein the characteristic data used as the user data and the audit data includes a command from among the input characters. And for the two characters consecutively entered in the argument, the ASCII code of the previously entered character is created as a line, and the ASCII code of the later entered character is created as a column. , A table of a two-dimensional array in which transition probabilities from a certain character to a next character are stored, and the user determination means determines whether the consecutively input two An intruder detection server having a function of determining whether a user is a legitimate user based on a difference in transition probabilities of two characters. 11. The unauthorized intruder detection server according to claim 6, wherein the user determination unit determines a difference between each occurrence probability or each transition probability in the user data and the audit data. An intruder detection server, comprising: a calculation method for calculating a distance value; and a determination method for determining whether or not the user is an authorized user by using the distance value. 12. The unauthorized intruder detection server according to any one of claims 6 to 10, wherein the user determining means determines a correlation between each occurrence probability or each transition probability in user data and audit data. An unauthorized intruder detection server, comprising: a calculation method for calculating the number; and a determination method for determining whether the user is an authorized user by comparing the correlation coefficient with a predetermined threshold. 13. The unauthorized intruder detection server according to claim 1, wherein the characteristic data used as the user data and the audit data includes a typing interval of an input character. Wherein the user determining means has a function of determining whether or not the user is a legitimate user based on a typing interval in user data and a typing interval in audit data. Detection server. 14. A user data generating step of obtaining predetermined information flowing through a specific computer network, and generating, based on the information, personalized characteristics of a user who transmitted the information as numerical data as user data. An audit data storage step of creating feature data obtained by quantifying personal characteristics of a legitimate user in the specific computer network based on information transmitted by the legitimate user in the past and recording the audit data in the audit data storage unit And comparing the user data created in the user data creation step with the audit data recorded in the audit data storage unit, and determines whether the user corresponding to the user data is a regular user in the specific computer network. User determination step of determining whether or not, A computer-readable recording medium which records a program for determining whether an unauthorized intruder has entered by a computer arranged on the specific computer network. 15. A packet selecting step of obtaining a predetermined packet flowing through a specific computer network and selecting a predetermined packet from the obtained packets, and information obtained from the predetermined packet selected in the packet selecting step. A user data creation step of creating, as user data, feature data obtained by digitizing personal characteristics of a user who transmitted the packet, and feature data obtained by digitizing personal features of an authorized user in the specific computer network. An audit data storage step of creating based on information obtained from a packet transmitted by the legitimate user in the past and recording the audit data in an audit data storage unit, and user data created by the user data creation step, Recorded in the audit data storage unit. Comparing with the audit data obtained, and determining whether a user corresponding to the user data is an authorized user in the specific computer network. And a computer-readable recording medium on which a program for determining whether an unauthorized intruder has entered by a computer. 16. The computer-readable recording medium according to claim 14, wherein the characteristic data used as the user data and the audit data includes:
A step of arranging the occurrence probabilities of the input characters in descending order and creating a table, wherein the user determining step includes a function of determining a difference between the two created tables to determine whether the user is a legitimate user. Recording medium characterized by the following. 17. The computer-readable recording medium according to claim 14, wherein the characteristic data used as the user data and the audit data are two consecutively input. For the character, the method includes a step of creating a two-dimensional array table in which the ASCII code of the previously input character is lined and the ASCII code of the character input later is a column, and in the user determination step, A recording medium having a function of determining whether or not a user is a legitimate user based on a difference in occurrence probabilities of two characters continuously input from two tables. 18. The computer-readable recording medium according to claim 14, wherein the characteristic data used as the user data and the audit data is input to two consecutively input characteristic data. For a character, the ASCII code of the previously input character is set as a line, the ASCII code of the character input later is set as a column, and the transition probability from one character to the next occurring character is stored for two consecutive characters. Creating a two-dimensional array table. The user determining step includes determining whether the user is a regular user based on a difference in transition probabilities of two characters continuously input from the two created tables. A recording medium characterized by having a function of determining whether or not a recording medium is in the recording medium. 19. The computer-readable recording medium according to claim 14, wherein the characteristic data used as the user data and the audit data is converted into a command from the input characters. Creating a two-dimensional array table in which the ASCII code of the previously input character is lined and the ASCII code of the character input later is a column for two characters consecutively input in the and its arguments The user determining step includes a function of determining whether or not the user is a legitimate user based on a difference in occurrence probability of the two consecutively input characters from the two created tables. A recording medium characterized by the above-mentioned. 20. The computer-readable recording medium according to claim 14, wherein the characteristic data used as the user data and the audit data is converted into a command among input characters. For two consecutively entered characters in the argument and its argument, the ASCII code of the previously entered character is lined, the ASCII code of the later entered character is a column, and for two consecutive characters, A step of creating a two-dimensional array table in which transition probabilities from a character to a next occurring character are stored. In the user determination step, two consecutively inputted two tables are created from the two created tables. A recording medium having a function of determining whether or not a user is a legitimate user based on a difference in transition probability between two characters. 21. The computer-readable recording medium according to claim 16, wherein said user judging step comprises a step of determining a difference between each occurrence probability or each transition probability between user data and audit data. And a determination method for determining whether or not the user is an authorized user by using the distance value. 22. The computer-readable recording medium according to claim 16, wherein said user judging step is performed by comparing each occurrence probability or each transition probability between user data and audit data. A recording medium comprising: a calculation method for calculating the number of relations; and a determination method for determining whether the user is an authorized user by comparing the correlation coefficient with a predetermined threshold. 23. The computer-readable recording medium according to claim 14, wherein the characteristic data used as the user data and the audit data is used to determine a typing interval of an input character. The method includes a step of creating from a time, and the user determining step includes a function of determining whether or not the user is a legitimate user based on a typing interval in user data and a typing interval in audit data. recoding media.