JP2004213476A - Injustice access detection device - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To detect unauthorized access with cleared user authentication, from the content of the user's declaration. <P>SOLUTION: An authentication server 1 receives a declaration about access from a user who accesses an intracompany network 9, and stores the received declaration content. An access monitoring part 16 compares the stored declaration content with an access log 19 between a user terminal 2 and the intracompany network 9 to detect injustice access in dependence on the comparison result. <P>COPYRIGHT: (C)2004,JPO&NCIPI

Description

[0001]
TECHNICAL FIELD OF THE INVENTION
The present invention relates to security management of a computer system, and more particularly to a technique for detecting unauthorized access to a computer system.
[0002]
[Prior art]
In a closed system, such as an in-house system of a company, in which only a predetermined user (eg, an employee) has access authority, an authorized user may be permitted to access from outside the system.
[0003]
[Problems to be solved by the invention]
When such a system receives an access request from the outside, it is extremely important for security management to confirm whether the user is a truly authorized user.
Therefore, in such a system, when an access request or a login request is received from a user, it is usually confirmed whether or not the user is an authorized user in order to prevent unauthorized access (user authentication). As a method of the user authentication, authentication using a password, biometric authentication using a fingerprint, or the like is known.
[0004]
However, passwords can be stolen or cracked, and fingerprints can be illegally accessed once a dummy is created. And once it has been hacked, it is difficult to find out and crack down on the hackers.
[0005]
Accordingly, an object of the present invention is to provide a technique for detecting an unauthorized access that has cleared user authentication.
[0006]
Another object of the present invention is to provide a technique for detecting unauthorized access based on the content declared by a user.
[0007]
[Means for Solving the Problems]
An unauthorized access detection device according to one embodiment of the present invention includes a receiving unit that receives a report on the access from a user accessing a computer system, a storage unit for storing the received report content, and communication of the user. Acquisition means for acquiring a communication record between the device and the computer system, a declaration content stored in the storage means, a comparison means for comparing the acquired communication record, and a comparison result of the comparison means. Detecting means for detecting unauthorized access of the user.
[0008]
In a preferred embodiment, the accepting unit accepts a report for a plurality of items, the comparing unit compares the items, and the detecting unit determines, for each item, the number of inconsistencies between the declared content and the communication record. Is counted, and when the number of mismatches exceeds a predetermined number, an unauthorized access is detected.
[0009]
In a preferred embodiment, the declaration includes at least an item that can specify an access destination in the computer system, the communication record includes information indicating an actual access destination accessed by the user, and the comparison includes The means compares the actual access destination with the declared access destination to determine whether they match.
[0010]
In a preferred embodiment, when the actual access destination and the declared access destination do not match, a measure determined based on the actual access destination is executed.
[0011]
In a preferred embodiment, the apparatus further includes a determination unit configured to determine whether a user's access mode is included in a predetermined type based on the communication record, and the detection unit performs a determination based on a determination result of the determination unit. To detect unauthorized access.
[0012]
In a preferred embodiment, when the detection unit detects an unauthorized access based on the determination result of the determination unit, a countermeasure determined based on a type to which the access mode of the user belongs is executed.
[0013]
BEST MODE FOR CARRYING OUT THE INVENTION
Hereinafter, a system according to an embodiment to which the present invention is applied will be described with reference to the drawings.
[0014]
FIG. 1 shows the overall configuration of this system. The system includes an authentication server 1 for authenticating and monitoring users in order to restrict access to users other than authorized users and protect computer systems. In the present embodiment, a preferred example of a computer system to be protected will be described using an in-house network 9 of a company. Those who can access the in-house network 9 are predetermined persons such as employees of the company. When an employee or the like wants to access the in-house network 9, the user terminal 2 makes a login request to the authentication server 1 via the network 3 such as the Internet. If this login request is permitted, the user can access the company network 9.
[0015]
In addition, in order to confirm the validity of the access request to the in-house network 9, the authentication server 1 communicates with the mobile phone 5 of the administrator who manages the user who made the access request with the network 3, the wireless base station 4, and the mobile phone. Data is transmitted and received through a telephone wireless network (not shown).
[0016]
Here, the “manager” includes a person who is in a position to directly, or indirectly manage, supervise, monitor, or instruct the “user”. Typically, the “manager” and the “user” have a so-called supervisor-subordinate relationship, but are not necessarily limited to this. For example, when "user" is a subcontractor employee, "administrator" may be a subcontractor employee, or "user" and "administrator" may be in a position to monitor each other's activities. .
[0017]
Each of the authentication server 1 and the user terminal 2 is configured by, for example, a general-purpose computer system, and the individual components or functions described below are realized, for example, by executing a computer program. Further, the mobile phone 5 does not necessarily have to be a mobile phone of a type currently in practical use. For example, a mobile or desktop personal computer or a PDA (personal data assistant) having an Internet communication function by e-mail or WWW. Or, it may be replaced by another type of mobile communication device such as a mobile phone that has evolved in the future from the present one.
[0018]
The authentication server 1 stores a network interface unit 11, a login processing unit 12, a Web page 13, an administrator interface 14, an administrator table 15, an access monitoring unit 16, a user table 18, and an access log 19. Prepare.
[0019]
The network interface unit 11 controls input and output of data to and from the network 3. Further, the network interface unit 11 records, in the access log 19, a communication record (access destination and use service) of a user who is permitted to access the in-house network 9. The access log 19 includes, for example, a user ID, a use time, a capacity, identification information (address or the like) of an access destination, a transmission / reception command, a response code, a transmission / reception character string, and the like in data items.
[0020]
The user table 18 stores personal information of a user who has authority to access the in-house network 9. For example, as shown in FIG. 2A, the user table 18 has a user ID 181, a password 182, and an e-mail address 183 as data items. When receiving the access request, the login processing unit 12 performs user authentication with reference to the user table 18. The e-mail address 183 is an e-mail address in the in-house network 9 (in-house). When the user with the user ID 181 logs in from the user terminal 2, the log-in processing unit 12 sends an e-mail to the e-mail address 183 to notify the fact of the log-in.
[0021]
In the administrator table 15, information indicating the administrator of the user registered in the user table 18 is registered. For example, as shown in FIG. 2B, a user ID 151 and e-mail addresses 152 and 153 of the administrator are stored in the administrator table 15 in association with each other. Here, there are a plurality of e-mail addresses of the administrator for the following reasons. That is, as described later, the administrator interface 14 transmits an e-mail to the administrator's mobile phone 5 with reference to the administrator table 15. At this time, a priority order may be determined in advance among a plurality of e-mail addresses, and the e-mail addresses may be transmitted in order from the highest e-mail address. If transmission is not possible, the e-mail address may be transmitted to a lower e-mail address.
[0022]
The Web page 13 receives input of information from a user who has accessed the authentication server 1 or provides information to the user. An example of the Web page 13 is a login application screen 100 shown in FIG. Details of the login application screen 100 will be described later.
[0023]
When accepting an access request from the user terminal 2, the login processing unit 12 determines whether to permit the request.
[0024]
For example, when a user who wants to log in to the in-house network 9 accesses the authentication server 1 from the user terminal 2, a login application screen 100 is displayed on a display unit (not shown) of the user terminal 2. Then, the authentication server 1 receives the information input from the login application screen 100.
[0025]
Here, an example of the login application screen 100 is shown in FIG. The login application screen 100 has a user ID input area 101 and a password input area 102. The login processing unit 12 authenticates the user by comparing the user ID and the password input here with those stored in the user table 18 in advance. As a result of the user authentication, if it is confirmed that the user is a legitimate user, the login processing unit 12 may allow the login. Alternatively, in addition to authentication using a user ID and a password as described later, login may be permitted when a login permission notification is received from an administrator. Further, additional authentication as described later may be performed.
[0026]
The login application screen 100 further has an area for receiving an input of additional login information. That is, the login application screen 100 includes an input area 103 for a scheduled time (a desired access time) for continuing the logged-in state, a location to access (access destination) in the in-house network 9, or an action ( An input area 104 for selecting a service to be used and an input area 105 for logging in are provided. With some or all of the items included in the additional login information, the validity of the login request can be confirmed. Part or all of the login additional information input here is transmitted to the mobile phone 5 of the administrator of the user who logs in by e-mail or the like as described later (see FIG. 4).
[0027]
The login additional information input here is stored in a storage unit (not shown). At this time, the information input to the input area 104 is replaced with information that can uniquely identify the access destination, such as a server name or a URL (Uniform Resource Locator) of the access destination, and then stored in the storage unit. Is also good.
[0028]
Further, even when the login processing unit 12 once permits access to the in-house network 9, the login processing unit 12 cancels the access in a predetermined case such as when receiving an instruction from the access monitoring unit 16 or the administrator interface 14. Disconnect the communication.
[0029]
The administrator interface 14 transmits and receives information to and from an administrator of a user who wants to log in to the in-house network 9. For example, the administrator interface 14 has an e-mail function. Then, a text file including the login additional information input to the login application screen 100 is generated, and transmitted to the communication device 5 of the administrator of the user who made the access request via the network interface 11. At this time, as the e-mail address of the transmission destination, the administrator interface 14 acquires the e-mail addresses 152 and 153 of the administrator's mobile phone 5 corresponding to the ID of the user who made the access request with reference to the administrator table 15. I do.
[0030]
FIG. 4 is an example when the additional login information is displayed on the mobile phone 5 of the administrator who has received the e-mail. That is, the content of the received e-mail is displayed on the display unit 51 of the mobile phone 5. Here, together with the additional information, information for specifying the user who made the access request is also included. The information for specifying the user may be any information that is sufficient for the received administrator to specify the user. For example, a user ID, a user name (including a nickname, initials, and the like), or a combination of a department to which the user belongs and a user name may be used.
[0031]
The administrator interface 14 also sends an e-mail to the administrator's e-mail address when receiving an e-mail notification instruction from the access monitor 16 as described later.
[0032]
The administrator can operate the mobile phone 5 to send a reply e-mail to the received e-mail. The reply mail can be attached with information indicating whether the login is permitted or not. The administrator interface 14 receives this reply mail, and notifies the login processing unit 12 of the fact that the reply mail indicates a login permission if the reply mail indicates the permission of the login, or a disconnection instruction if the reply mail indicates that the login is not permitted.
[0033]
The access monitoring unit 16 monitors user access with reference to the access log 19. Then, when an unauthorized access is detected, for example, when an access is made to a place different from the access destination declared in advance, a disconnection instruction is issued to the login processing unit 12. Details of the processing of the access monitoring unit 16 will be described later.
[0034]
The procedure of the process performed by the authentication server 1 having the above-described configuration will be described with reference to the flowcharts in FIGS.
[0035]
As shown in FIG. 5, the processing of the authentication server 1 is performed during a login process S1 for determining whether to permit the user to log in, and while the user is accessing the corporate network 9 after the login is permitted. The process is divided into a processing during access S2.
[0036]
The authentication server 1 performs the following processing as the login processing S1. That is, when a user who wants to log in to the in-house network 9 accesses the authentication server 1 from the user terminal 2, the authentication server 1 receives the access and displays the login application screen 100 on the user terminal 2. The user inputs necessary information for each input item on the login application screen 100 and makes a login application (S11). When the login application is accepted, the login processing unit 12 collates the input user ID and password with the user ID and password registered in the user table 18 to perform user authentication (S12). If the user ID and the password match, the administrator interface 14 generates a text file including the login additional information. Then, the e-mail address 152 of the administrator corresponding to the user ID is acquired with reference to the administrator table 15. The administrator interface 14 sends the generated text file to the administrator using the e-mail function (S13). Note that the order of step S12 and step S13 may be reversed. That is, step S13 may be performed before step S12.
[0037]
As a result, the user who requests access can be made to input the additional login information, and this can be notified to the administrator of the user. The administrator who has been notified of the login additional information can check in real time what kind of additional information he / she has applied for logging in to the in-house network 9 from outside. As a result, the manager can confirm whether the application content of the subordinate does not contradict with the subordinate's work or the latest action.
[0038]
The additional login information may be information other than the items exemplified in the present embodiment, as long as the administrator can confirm the validity of the access request to the in-house network 9. Good.
[0039]
Next, the authentication server 1 performs the following process as the accessing process S2. In other words, a timing unit (not shown) measures the actual login time of the user, obtains the remaining time in comparison with the self-reported scheduled login time, and displays the remaining time on the user terminal 2 (S21). If there is a reapplication requesting the extension of the login time from the user while the login to the in-house network 9 is permitted, the login process of step S1 is repeated (S22: Yes), and the reapplied time is added to the remaining time. I do. When there is no re-application, it is monitored whether the time actually accessed by the login processing unit 12 exceeds the requested access time (S23). Then, when the actual login time exceeds the applied time, the login processing unit 12 forcibly blocks access (S24).
[0040]
Before the forced disconnection of the access, a warning may be issued when the remaining time becomes equal to or less than a predetermined time (for example, 2 minutes). Further, when there is a re-application in step S22, the repetition of the login processing S1 may be omitted.
[0041]
Next, the login processing S1 may be the following processing other than the processing shown in FIG. For example, FIG. 6 shows another aspect of the login processing S1. In this mode, login requires the approval of the administrator. That is, after the steps S11 to S13, a step S14 for permitting the login when the login permission notification is received may be added. This login permission notification is, for example, a reply mail from the mobile phone 5 of the administrator who transmitted the login additional information in step S13. In step S14, when the reply mail is not received within a predetermined time or when the electronic mail indicating that the login is not permitted is received, the login processing unit 12 does not permit the access request (S14: No).
[0042]
In this aspect, when the administrator receives the notification of the additional login information on the mobile phone 5, the content is confirmed, and the administrator determines whether to permit the login. Thereby, a suspicious login request can be rejected beforehand.
[0043]
Whether the login requires the approval of the administrator as in the mode of FIG. 6 may be determined according to the user who logs in, the access destination, or the service used. In this case, the necessity of administrator approval may be determined according to the authority given to the user, the assigned task, the level of confidentiality of the access destination, and the like.
[0044]
FIG. 7 shows still another mode of the login process S1. In this embodiment, a step S15 for performing additional authentication of the user is inserted between steps S12 and S13. The additional authentication is authentication performed in addition to the authentication using the user ID and the password in step S12, and is performed by the login processing unit 12. For example, information on the past communication record (such as the reason for the previous login) is input at the time of the login application, and the login processing unit 12 compares the information with the information recorded in the access log 19. In this case, an input area may be further provided on the login application screen 100 for inputting.
[0045]
In the user authentication in step S12, authentication using a user ID and a password can be replaced with authentication using an electronic certificate or authentication using a one-time password, or two or more of these can be used in combination.
[0046]
Next, similarly to the processing during access S2, processing other than the processing illustrated in FIG. 5 can be performed. FIG. 8 shows an example of another processing mode.
[0047]
In this processing mode, a step S25 for determining whether or not a disconnection instruction has been received is added. In step S25, it is determined whether a disconnection instruction has been received from the access monitoring unit 16 or the mobile phone 5 of the administrator. Then, when there is a disconnection instruction, the login processing unit 12 forcibly disconnects in step S24. Thus, when the access monitoring unit 16 detects, for example, unauthorized access, or when the administrator determines that the access is unauthorized, the access of the user can be forcibly cut off at that time.
[0048]
Next, details of the processing performed by the access monitoring unit 16 will be described. When a plurality of users are accessing the in-house network 9, the following processing is performed for each user using the user ID as a key.
[0049]
The access monitoring unit 16 compares the login additional information declared by the user at the time of login with the access log 19. This comparison is performed for each item of the additional login information, for example, and it is determined whether the identification information of the access destination recorded in the access log 19 matches the access destination of the additional login information. Here, if the actual access destination does not match the declared access destination, unauthorized access may be immediately performed. However, in the present embodiment, when the number of mismatches exceeds a predetermined threshold, it is detected as unauthorized access. .
[0050]
Thus, if an access different from the self-report is repeated, it is detected as an unauthorized access.
[0051]
Further, the importance may be set in advance according to the actual access destination (for example, see FIG. 9), and a threshold for detecting an unauthorized access may be determined according to the importance. In other words, an access destination with a higher importance is identified as an unauthorized access with a smaller (mismatch) detection count than an access destination with a lower importance.
[0052]
FIG. 9 shows an importance definition table 50 in which the importance and the threshold value for detecting unauthorized access are defined for each access destination. This table 50 is stored, for example, in a storage area (not shown) in the access monitoring unit 16.
[0053]
The access monitoring unit 16 further determines whether or not the type of access being performed by the user is included in the predetermined suspicious behavior type in addition to or separately from the above-described unauthorized access determination based on the access destination. judge. In this determination, the access monitoring unit 16 analyzes the contents stored in the access log 19 and specifies the access mode of the user (the action performed by the user). Then, it is determined whether or not the access mode belongs to a suspicious access type (suspicious behavior). Here, a suspicious act is, for example, an access method that is generally considered to be fraudulent, or an act that is clearly different from, or unrelated to, the purpose included in the login additional information. Includes actions that may seem. The access method generally considered to be illegal includes, for example, an act of continuously generating a password error (determining by referring to a response code) and a scanning act of accessing a predetermined number or more servers within a predetermined time ( Scanning of non-existent servers, such as tracing the end of the IP address from 1 to 100). Even among suspicious acts, the level may be set in advance according to the degree of danger.
[0054]
As a result, even if the user authentication is cleared and the user logs in, if a suspicious action is performed, it is detected as an unauthorized access.
[0055]
Here, similarly to the case where the unauthorized access destination is detected, the suspicious activity may be immediately detected when the suspicious activity is detected. Detect as unauthorized access. Further, a threshold value for detecting unauthorized access may be determined according to the risk of unauthorized acts (for example, FIG. 10). That is, when a suspicious activity with a high risk is detected, it is recognized as an unauthorized access with a smaller number of times than that with a low risk.
[0056]
FIG. 10 shows a risk definition table 60 in which the risk and the threshold value for detecting unauthorized access are defined for each suspicious activity. This table 60 is stored, for example, in a storage area (not shown) in the access monitoring unit 16.
[0057]
When determining that an unauthorized access has been detected as described above, the access monitoring unit 16 executes a predetermined process (countermeasure). For example, the access monitoring unit 16 sends an e-mail to the administrator's e-mail address (a normal e-mail address in the in-house network 9 or the e-mail address of the mobile phone 5) of the user who is performing the unauthorized access. 14 or a disconnection instruction to the login processing unit 12 to forcibly disconnect the access. The e-mail notified to the administrator includes information for specifying the detected unauthorized access user, the content of the unauthorized access, and the like.
[0058]
The measures taken by the access monitoring unit 16 may be determined based on the actual access destination or suspicious behavior, or may be determined at any time based on a predetermined rule. An example of the predetermined rule will be described with reference to FIGS. That is, FIG. 11 shows a matrix 70 for determining a countermeasure level based on the importance of the access destination and the risk of a suspicious action, and FIG. 12 shows a countermeasure table 80 corresponding to the countermeasure level for each user ID. Both the matrix 70 and the countermeasure table 80 are stored in, for example, a storage area (not shown) in the access monitoring unit 16.
[0059]
First, the access monitoring unit 16 determines a countermeasure level using the matrix 70. When the countermeasure level is determined, the countermeasure to be implemented is determined according to the user ID with reference to the countermeasure table 80.
[0060]
Next, a processing procedure for monitoring an access destination performed as the processing during access S2 will be described with reference to a flowchart shown in FIG.
[0061]
First, the access monitoring unit 16 refers to the login additional information and the access log 19 stored in the storage unit (not shown) to determine whether the access destination matches the access destination declared by the user (S31, S32).
[0062]
If the actual access destination does not match the declared one (S32: No), a counter for counting the number of times for each access destination is counted up (S33).
Then, the access monitoring unit 16 determines whether or not the count value of the counter has exceeded a predetermined threshold (S34). If the predetermined threshold is exceeded (S34: Yes), the access monitoring unit 16 performs a predetermined measure or a measure determined based on a predetermined rule (S35).
[0063]
Further, a processing procedure for determining whether or not an access act is unauthorized will be described with reference to a flowchart shown in FIG.
[0064]
First, the access monitoring unit 16 refers to the access log 19 and monitors the behavior of the user while analyzing it (S36). When detecting that the user is performing a suspicious act (S37: Yes), a counter for counting the number of times for each act is counted up (S38). The access monitoring unit 16 determines whether the count value of the counter has exceeded a predetermined threshold (S39). If it exceeds the predetermined threshold value (S39: Yes), the access monitoring unit 16 performs a predetermined measure or a measure determined based on a predetermined rule (S40).
[0065]
The above-described embodiments of the present invention are exemplifications for describing the present invention, and are not intended to limit the scope of the present invention only to those embodiments. Those skilled in the art can implement the present invention in various other modes without departing from the gist of the present invention.
[Brief description of the drawings]
FIG. 1 is a configuration diagram of a user authentication system to which the present invention is applied.
FIG. 2 is a diagram illustrating an example of data items of an administrator table and a user table.
FIG. 3 is a diagram illustrating an example of a login application screen.
FIG. 4 is a diagram showing an example when the content of an e-mail received by the mobile phone 5 is displayed.
FIG. 5 is a flowchart illustrating an example of a process performed by an authentication server.
FIG. 6 is a flowchart illustrating another aspect of the login process.
FIG. 7 is a flowchart illustrating another aspect of the login process.
FIG. 8 is a flowchart illustrating an aspect of processing during access.
FIG. 9 is a diagram illustrating an example of an importance definition table.
FIG. 10 is a diagram illustrating an example of a risk definition table.
FIG. 11 is a diagram showing an example of a matrix for determining a measure level.
FIG. 12 is a diagram illustrating an example of a countermeasure table for each user ID.
FIG. 13 is a flowchart illustrating an aspect of a process for monitoring an access destination.
FIG. 14 is a flowchart illustrating an aspect of a process for determining an unauthorized act.
[Explanation of symbols]
DESCRIPTION OF SYMBOLS 1 ... Authentication server, 2 ... User terminal, 3 ... Network, 4 ... Wireless base station, 5 ... Mobile telephone, 9 ... In-house network, 11 ... Network interface unit, 12 ... Log-in processing unit, 13 ... Web page, 14 ... Management User interface, 15: administrator table, 16: access monitoring unit, 18: user table, 19: access log. 50: Importance definition table, 60: Risk definition table, 70: Matrix for defining the countermeasure level, 80: User ID-based countermeasure table

Claims (8)

Receiving means for receiving a report on the access from a user accessing the computer system;
Storage means for storing the accepted declaration content;
Acquisition means for acquiring a communication record between the communication device of the user and the computer system,
Comparison means for comparing the declaration content stored in the storage means with the obtained communication record,
An unauthorized access detection device comprising: a detection unit configured to detect an unauthorized access of the user based on a comparison result of the comparison unit. The receiving means receives a report for a plurality of items,
The comparing means performs a comparison for each item,
2. The unauthorized access detection device according to claim 1, wherein the detection unit counts the number of mismatches between the declaration content and the communication record for each item, and detects an unauthorized access when the number of mismatches exceeds a predetermined number. . The declaration includes at least an item that can specify an access destination in the computer system,
The communication record includes information indicating an actual access destination accessed by the user,
2. The unauthorized access detection device according to claim 1, wherein the comparison unit compares the actual access destination with the declared access destination to determine whether they match. 4. The unauthorized access detection device according to claim 3, wherein when the actual access destination and the declared access destination do not match, a countermeasure determined based on the actual access destination is executed. A determination unit configured to determine whether an access mode of the user is included in a predetermined type based on the communication record;
2. The unauthorized access detection device according to claim 1, wherein the detection unit detects unauthorized access based on a result of the determination by the determination unit. 6. The unauthorized access detection according to claim 5, wherein when the detection unit detects an unauthorized access based on a determination result of the determination unit, a countermeasure determined based on a type to which the access mode of the user belongs is executed. apparatus. A method for operation of an apparatus for detecting unauthorized access,
Receiving input of a declaration regarding the access from a user accessing the computer system;
Storing the accepted declaration content in storage means;
Obtaining a communication record between the user's communication device and the computer system;
Comparing the declaration contents stored in the storage means with the obtained communication record;
Detecting an unauthorized access of the user based on the comparison result. When executed on a computer,
Receiving input of a declaration regarding the access from a user accessing the computer system;
Storing the accepted declaration content in storage means;
Obtaining a communication record between the user's communication device and the computer system;
Comparing the declaration contents stored in the storage means with the obtained communication record;
Detecting an unauthorized access of the user based on the comparison result.

Images