JP2008165292A - Falsified web page detecting device, program, and recording medium - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a falsified Web page detecting device which reduces the possibility that a Web page is erroneously regarded a falsified page, and also provide a program and a recording medium. <P>SOLUTION: An index value computation part 11e computes index values relating to the sizes of variations in Web page information. An index value storage part 15 stores index values which are computed by the index value computation part 11e at a plurality of points of past time. A falsification detection part 11f detects whether Web pages are falsified or not based on the index values computed by the index value computation part 11e and the index values stored by the index value storage part 15. <P>COPYRIGHT: (C)2008,JPO&INPIT

Description

  The present invention relates to a web page falsification detection device that detects falsification of a web page. The present invention also relates to a program for causing a computer to function as an alteration detection device for the web page, and a recording medium on which the program is recorded.

There is a web falsification detection system that periodically monitors web pages that can be viewed on a network and detects falsification of the web pages (see, for example, Patent Document 1 and Non-Patent Document 1). In this system, the web monitoring device periodically acquires the web file managed by the web server and inspects whether there is a change in the web file. If a change is detected, inspects the presence of the characteristic seen in tampering. To do. If a feature found in tampering is detected, the web monitoring device determines that the web page has been tampered with. Further, when no feature found in tampering is detected, the web monitoring device determines that the web page has been updated.
JP 2004-38272 A Keisuke Takemori, Yu Miyake, Koji Nakao, “Homepage falsification judgment in Web server remote monitoring”, Information Processing Society of Japan, 18th CSEC Study Group, July 2002

  Among web pages, there is a dynamic web page whose content (access counter, advertisement, etc.) changes every time a user accesses the web page by a CGI (Common Gateway Interface) function. In the conventional web falsification detection system, it is possible to detect falsification of a static web page whose content does not change only by user access. However, regarding the monitoring of dynamic web pages, even when the web page is regularly updated by the user's access, the alteration of the web page may be erroneously detected as in the following example.

  In the conventional web falsification detection system, for example, a change in background color or a change in title is registered in a database as a characteristic of falsification of a static web page. However, some dynamic web pages have background colors and titles that change with user access. If such dynamic web pages are monitored by a conventional web falsification detection system, regular updates are performed. In spite of this, it is erroneously determined that the web page has been tampered with.

  The present invention has been made in view of the above-described problems, and an object of the present invention is to provide a web page alteration detection device, a program, and a recording medium that can reduce false detection of alteration of a web page. .

  The present invention has been made to solve the above-described problems, and includes a web page information storage unit that stores web page information, and an index value calculation unit that calculates an index value related to the magnitude of change in the web page information. And index value storage means for storing the index values calculated at a plurality of past times by the index value calculation means, the index values calculated by the index value calculation means, and the index value storage means An alteration detection device for a web page, comprising: alteration detection means for detecting whether or not the web page has been altered based on the index value.

  Regardless of whether a static web page or a dynamic web page is used, when a web page is tampered with, the web page information changes greatly as compared to the time when a normal web page is updated. The magnitude of the change in the web page information appears in the index value. Therefore, by detecting the presence / absence of web page tampering based on the index value calculated by the index value calculating unit and the index value stored by the index value storage unit, false detection of web page tampering is reduced. can do.

  In the web page falsification detection apparatus of the present invention, the falsification detection means includes the index value calculated by the index value calculation means, and an average value of the index values stored by the index value storage means. When the magnitude of the difference exceeds a threshold value, it is determined that the web page has been tampered with.

  In the falsification detection apparatus for a web page according to the present invention, the falsification detection means may be configured such that the index value calculated by the index value calculation means is a statistical distribution of the index values stored in the index value storage means. It is determined that the web page has been tampered with when it is out of the confidence interval.

  In addition, the present invention provides a web page information storage unit that stores web page information, a detection unit that detects information that has changed between different time points, among information included in the web page information, and a plurality of past time points. The identification information storage means for storing the identification information for identifying the information in which the change is detected in association with the frequency information indicating the frequency of the change of the information, and the characteristic information indicating the characteristics of the change of the web page information due to the falsification And when the change of the information included in the web page information is detected, the detected information of the change is based on the frequency information corresponding to the detected information of the change. A means for determining whether or not to detect falsification, and information for which the change is detected when it is determined that the information in which the change is detected is to be falsified. A tampering detection apparatus of a web page, characterized in that a tampering detection means for detecting the presence or absence of falsification of the web page based on said feature information.

  In addition, the present invention provides a web page information storage unit that stores web page information, a detection unit that detects information that has changed between different time points, among information included in the web page information, and a plurality of past time points. The identification information storage means for storing the identification information for identifying the information whose change frequency satisfies the predetermined condition among the information in which the change is detected, and the feature information indicating the feature of the change of the web page information due to the alteration When the change of the information included in the feature information storage means and the web page information is detected, it is determined whether the detected information of the change matches the information indicated by the identification information A determination means for determining whether or not the information in which the change is detected is a target for falsification detection, and when it is determined that the information in which the change is detected is a target for falsification detection, A tampering detection apparatus of a web page, characterized in that a tampering detection means for detecting the presence or absence of falsification of the web page based on the detected information of said change and said feature information.

  A dynamic web page includes information with a high change frequency and information with a low change frequency. The information that changes with each user access is information with a high frequency of change. In the prior art, tampering is easily detected. Therefore, information that has a high change frequency among the information included in the web page information is determined by determining whether the information in which the change is detected is a target for falsification detection in consideration of the change frequency of the information. It becomes possible to make the information except for the target of falsification detection. Thereby, false detection of falsification of the web page can be reduced.

  Further, the present invention is a program for causing a computer to function as the above-described web page alteration detection device.

  The present invention is a computer-readable recording medium on which the above program is recorded.

  According to the present invention, it is possible to reduce the erroneous detection of web page tampering. In particular, it is possible to reduce the false detection of dynamic web page tampering.

  Hereinafter, embodiments of the present invention will be described with reference to the drawings.

(First embodiment)
First, a first embodiment of the present invention will be described. FIG. 1 shows the configuration of a web monitoring device (corresponding to the web page alteration detection device of the present invention) according to the present embodiment. In FIG. 1, a web monitoring device 1 is connected to a web server 2 that manages web pages via a network 3.

  In the web monitoring device 1, the communication unit 10 communicates with the web server 2 via the network 3. The monitoring processing unit 11 periodically acquires web page information from the web server 2 and executes a monitoring process for detecting tampering of the web page. The web page information is information included in various files necessary for displaying the web page. In this embodiment, the text base having an extension such as “.html”, “.htm”, and “.txt” is used. It is assumed that the information is included in the file. Specific examples of the web page information will be described later.

  The web page information storage unit 12 stores web page information acquired from the web server 2. The difference information storage unit 13 stores difference information indicating a difference between two pieces of web page information acquired at two different times. The change amount storage unit 14 stores the change amount of the web page information calculated based on the difference information. The index value storage unit 15 stores an index value calculated based on the change amount. This index value is a value for comprehensively evaluating the amount of change in a plurality of types of information.

  In the monitoring processing unit 11, the web page information acquisition unit 11 a executes, for example, processing by a get command, accesses the web server 2 through communication processing by the communication unit 10, and transmits a file including web page information from the web server 2. get. The page change detection unit 11b detects whether there is a change in the web page information acquired by the web page information acquisition unit 11a. A change in the web page information is detected by detecting a change in the hash value of the file including the web page information.

  The difference extraction unit 11c extracts difference information from the web page information before and after the change when the change in the web page information is detected by the page change detection unit 11b. The extracted information is stored in the difference information storage unit 13 as difference information. The change amount calculation unit 11d calculates the change amount of the web page information based on the difference information extracted by the difference extraction unit 11c. The calculated change amount is stored in the change amount storage unit 14. The index value calculation unit 11e calculates an index value based on the change amount. The calculated index value is stored in the index value storage unit 15.

  In general, the change of the dynamic web page is such that the appearance of the text-based information to be transmitted does not change greatly because the appearance of the image changes, such as replacement of an image file. If such a text-based web page is falsified, the meaning of the information itself to be transmitted changes greatly, so that it is possible to detect falsification by paying attention to this amount of change.

  Regardless of whether a static web page or a dynamic web page is used, when a web page is tampered with, the web page information changes greatly as compared to the time when a normal web page is updated. The magnitude of the change in the web page information appears in the change amount calculated by the change amount calculation unit 11d and the index value calculated by the index value calculation unit 11e.

  The falsification detection unit 11f detects falsification of the web page based on the index value calculated by the index value calculation unit 11e. The alarm processing unit 11g sends alarm information to the administrator of the web server 2 to alert the administrator of the web server 2 (e-mail notifying a warning) when the falsification detection unit 11f detects falsification of the web page. Etc.).

  Next, the operation of the web monitoring device 1 according to the present embodiment will be described. The falsification detection unit 11f of the present embodiment detects the presence / absence of falsification of the web page based on the result of comparing the index value calculated by the index value calculation unit 11e with the past index value. At a plurality of times before the falsification detection process is started, the change amount of the web page information and the index value based on the change amount are calculated. Hereinafter, the procedure of the web page information change amount and index value calculation processing performed prior to the falsification detection processing will be described with reference to FIG. 2 as appropriate.

  After the start of processing, the web page information acquisition unit 11a accesses the web server 2 through communication processing by the communication unit 10 and acquires a file including web page information. The web page information acquisition unit 11a stores the acquired file in the web page information storage unit 12 (step S100). Subsequently, the web page information acquisition unit 11a determines whether the web purge information acquired in step S100 is the web page information acquired for the first time (step S101). When web page information is acquired for the first time, the process returns to step S100. If another web page information has already been acquired, the process proceeds to step S102.

  If another web page information has already been acquired, the page change detection unit 11b reads a file including the web page information from the web page information storage unit 12, and calculates a hash value of the file (step S102). The page change detection unit 11b compares the hash value calculated when the web page information was acquired last time with the hash value calculated this time (step S103), and based on the comparison result, the presence / absence of change in the web page information is determined. It detects (step S104).

  If the two hash values are the same value, the web page information has not changed. In this case, the process returns to step S100. When the two hash values are different, the web page information has changed. In this case, the process proceeds to step S105. When a change in the web page information is detected, the difference extraction unit 11c extracts information on the difference between the web page information acquired last time and the web page information acquired this time, and stores the information in the difference information storage unit 13 (step) S105).

In the present embodiment, attention is focused on the following information as information included in a text web page. That is, the following information is a specific example of web page information.
(1) Data size (Byte)
(2) Number of links (3) Number of English words or Kanji characters (4) Tags (<title> tag, <charset> tag, <body bgcolor> tag, <body text> tag included in HTML file)

  In step S105, the difference extraction unit 11c executes processing based on the diff command in order to extract difference information used to detect the change amount of the information. The diff command is a command for executing processing for comparing texts of two files and extracting portions of different texts. The information of the extracted text part (including both the text part before and after the change) is difference information.

  FIG. 3 shows the contents of data obtained by executing the diff command. FIG. 3 shows three changes in the text. Text 301 shows the text before the change, and text 302 shows the text after the change at the same location. The relationship between the texts 303 and 304 and the relationship between the texts 305 and 306 are the same as the relationship between the texts 301 and 302. That is, the texts 301, 303, and 305 indicate the text before the change, and the texts 302, 304, and 306 indicate the text after the change.

  Subsequent to step S105, the change amount calculation unit 11d reads the difference information from the difference information storage unit 13, calculates the change amount of the web page information based on the difference information, and stores it in the change amount storage unit 14 (step S106). ). The change amount of the data size is obtained as a difference between the file sizes when the text portion before the change and the text portion after the change indicated by the difference information are stored in different files. The number of links is obtained from the text portion before or after the change indicated by the difference information. The amount of change in the number of English words or the number of kanji is obtained by comparing the part of the text before the change indicated by the difference information with the part of the text after the change.

  The amount of tag change is detected as follows. The part of the text before the change indicated by the difference information is compared with the part of the text after the change to detect whether the title specified by the <title> tag has changed. Similarly, the presence / absence of a change in the language encoding specified by the <charset> tag is detected. Similarly, the presence / absence of a change in the background color specified by the <body bgcolor> tag is detected. Similarly, the presence / absence of a change in the character color specified by the <body text> tag is detected.

  When there is no change in the characters designated by these four tags, the change amount of the tag is zero. Further, when all the characters designated by each tag have changed, the amount of change of the tag is 4.

  Subsequent to step S106, the index value calculation unit 11e calculates an index value for evaluating the amount of change obtained as described above, and stores it in the index value storage unit 15 (step S107). In the present embodiment, Euclidean distance is used as the index value. The Euclidean distance is the shortest distance between two points in the Euclidean space. When the coordinates of the two points P and Q in the orthogonal coordinate system in the n-dimensional space are (Xp1, Xp2,..., Xpn) and (Xq1, Xq2,..., Xqn), respectively, The Euclidean distance d is defined by the following equation (1).

  As the coordinates of the point P, the amount of change calculated in step S106 is used. For example, Xp1 is the amount of change in data size, Xp2 is the amount of change in the number of links, Xp3 is the amount of change in the number of English words or kanji, and Xp4 is the amount of change in the tag. Further, the coordinates of the point Q are the coordinates of the origin (the point where the web page information does not change). That is, Xq1 = Xq2 =... = Xqn = 0.

  By calculating the Euclidean distance according to the equation (1), it is possible to obtain an index value for comprehensively evaluating the amount of change in a plurality of types of information. Note that if the amount of change of a specific information is usually large, the effect of the amount of change on the Euclidean distance becomes large, and the influence of the amount of change of other information is less likely to be reflected in the Euclidean distance. Therefore, the amount of change may be corrected for each information on the basis of the usual amount of change, and the influence of each information on the Euclidean distance may be made fair.

  Subsequent to step S107, the index value calculation unit 11e determines whether or not to end the index value calculation process (step S108). The determination criterion is, for example, whether or not a predetermined number of index values have been calculated, or whether or not a predetermined time has elapsed since the processing illustrated in FIG. When the index value calculation process is continued, the process returns to step S100. If the index value calculation process is to end, the process proceeds to step S109.

  When the process of step S107 is repeatedly executed, the index value storage unit 15 stores a plurality of index values calculated at a plurality of past times. When the index value calculation process is terminated, the index value calculation unit 11e reads the plurality of index values from the index value storage unit 15 and calculates an average value thereof. The calculated average value is stored in the index value storage unit 15 (step S109). The web page information change amount and index value calculation processing is thus completed.

  Next, the procedure of the web page alteration detection process will be described with reference to FIG. 4 as appropriate. Since the processes in steps S200 to S207 are the same as the processes in steps S100 to S107 in FIG. 2, the description of these processes is omitted. Subsequent to step S207, the falsification detection unit 11f reads the average value of the index values calculated at a plurality of past times from the index value storage unit 15, and compares the average value with the index value calculated in step S207. (Step S208).

  Subsequently, the falsification detection unit 11f determines whether or not the web page has been falsified based on the comparison result in step S208. If the difference between the index value and the average value exceeds a predetermined threshold, the falsification detection unit 11f determines that the web page has been falsified. When the difference between the index value and the average value is equal to or smaller than the predetermined threshold, the falsification detection unit 11f determines that the web page has not been falsified (step S209).

  If it is determined that the web page has been tampered with, the process proceeds to step S210. If it is determined that the web page has not been tampered with, the process proceeds to step S211. When it is determined that the web page has been tampered with, the alarm processing unit 11 g generates alarm information and outputs the alarm information to the communication unit 10. The communication unit 10 transmits alarm information to the web server 2 via the network 3 (step S210).

  Subsequently, the falsification detection unit 11f determines whether or not to end the falsification detection process (step S211). If it is determined to continue the falsification detection process, the process returns to step S200. If it is determined that the falsification detection process is to be terminated, the series of processes is terminated.

  In the above processing, the presence / absence of falsification is determined based on the magnitude relationship between the difference between the calculated index value and the average value of the past index values and the threshold value. You may determine the presence or absence of. In this case, it is desirable to determine a threshold value from a statistical distribution (probability distribution) of past index values. Hereinafter, a method of determining the presence / absence of falsification based on the magnitude relationship between the calculated index value and the threshold will be described.

  The processing in step S109 in FIG. 2 is changed to the following processing. The index value calculation unit 11e reads a plurality of index values calculated by repeating the process of step S107 from the index value storage unit 15. The index value calculation unit 11e calculates an average value and a standard deviation thereof, and calculates a threshold value from the average value and the standard deviation. The calculated threshold value is stored in the index value storage unit 15.

  As shown in FIG. 5, an index value that deviates from the upper confidence interval A of the statistical distribution 500 of index values due to a normal change of the web page is regarded as an abnormal value. The upper limit value of the upper confidence interval A is the above threshold value. For example, the threshold value is calculated such that the probability that the index value exists in the section B outside the upper confidence section A is 1%. The confidence interval of the statistical distribution 500 may be set arbitrarily.

  Further, the process of step S208 in FIG. 3 is changed to the following process. The falsification detecting unit 11f reads the threshold value from the index value storage unit 15 and compares the index value calculated in step S207 with the threshold value.

  Further, the process of step S209 in FIG. 3 is changed to the following process. The falsification detection unit 11f determines whether or not the web page has been falsified based on the comparison result in step S208. If the index value exceeds the threshold value, the falsification detection unit 11f determines that the web page has been falsified. When the index value is equal to or smaller than the threshold value, the falsification detection unit 11f determines that the web page has not been falsified.

  As described above, according to the present embodiment, an error in web page tampering is detected by detecting the presence or absence of web page tampering based on a newly calculated index value and a previously calculated index value. Detection can be reduced. In particular, with respect to dynamic web pages, it is possible to distinguish between changes due to normal updating and changes due to tampering, so that false detection of tampering with dynamic web pages can be reduced.

  In addition, by determining that the web page has been tampered with when the difference between the newly calculated index value and the average value of the index values calculated in the past exceeds the threshold, it is determined whether the web page has been tampered with. Can be performed on a quantitative basis, and false detection of falsification of a web page can be reduced.

  In addition, when the newly calculated index value falls outside the confidence interval of the statistical distribution of the index value calculated in the past, it is determined that the web page has been tampered with, thereby determining whether the web page has been tampered with. It is possible to carry out on an objective basis, and it is possible to reduce false detection of web page tampering.

(Second Embodiment)
Next, a second embodiment of the present invention will be described. A dynamic web page includes information with a high change frequency and information with a low change frequency. The information that changes with each user access is information with a high frequency of change. In the prior art, tampering is easily detected. Therefore, in the present embodiment, the information included in the web page information, excluding information with high frequency of change, is targeted for falsification detection. In the present embodiment, attention is particularly paid to tag information.

  FIG. 6 shows the configuration of the web monitoring apparatus according to the present embodiment. Hereinafter, a configuration not provided in the web monitoring apparatus 1 illustrated in FIG. 1 will be described. In FIG. 6, the tag information extraction unit 11 h extracts changed tag information based on the difference information extracted from the web page information before and after the change by the difference extraction unit 11 c. The tag information storage unit 16 stores extracted tag information. The falsification feature information storage unit 17 stores feature information indicating features of changes in web page information due to falsification.

  Next, the operation of the web monitoring device 1 according to the present embodiment will be described. The falsification detection unit 11f according to the present embodiment excludes tag information having a high change frequency from the changed tag information, and detects whether the web page has been falsified using the tag information having a low change frequency. . Before the falsification detection process is started, changes in tag information and the frequency of the changes are detected at a plurality of times. Hereinafter, the procedure of the tag change frequency detection process performed prior to the falsification detection process will be described with reference to FIG. 7 as appropriate.

  Since the processes in steps S300 to S305 in FIG. 7 are the same as the processes in steps S100 to S105 in FIG. 2, description of these processes is omitted. In step S306, the tag information extraction unit 11h reads the difference information from the difference information storage unit 13, and extracts the tag information whose contents have changed from the difference information. The tag information extraction unit 11h stores the extracted tag identification information (tag name and the like) in association with the number of times the change of the tag is detected (change detection count) in the tag information storage unit 16.

  More specifically, the tag information storage unit 16 is prepared in advance with an area for storing the tag identification information and the number of change detections in association with each other, and the number of change detections is 0 before the start of the processing of FIG. It has become. When there is a change in the content of the tag (text specified by the tag), 1 is added to the value of the number of change detections associated with the identification information of the tag, and the value is updated.

  Subsequent to step S306, the tag information extraction unit 11h determines whether or not to end the tag change frequency detection process (step S307). The criterion is, for example, whether or not a predetermined time has elapsed since the processing shown in FIG. 7 was started. If it is determined that the tag change frequency detection process is to be continued, the process returns to step S300. If it is determined that the tag change frequency detection process is to be terminated, the series of processes is terminated.

  The number of change detections stored in the tag information storage unit 16 by the above processing is a value corresponding to the tag change frequency. Based on the number of change detections, it is possible to distinguish between a tag with a high change frequency and a tag with a low change frequency.

  Hereinafter, the procedure of the alteration detection process of the web page will be described with reference to FIG. 8 as appropriate. Since the processing of steps S400 to S405 is the same as the processing of steps S200 to S205 of FIG. 4, description of these processing is omitted.

  Subsequent to step S405, the tag information extraction unit 11h reads the difference information from the difference information storage unit 13, and extracts the information of the tag whose contents have changed from the difference information. The tag information extraction unit 11h refers to the information stored in the tag information storage unit 16, and detects falsification of the extracted tag information based on the value of the number of change detections associated with the extracted tag identification information. It is determined whether or not to set the target. If the value of the number of change detections is less than the predetermined value, the tag information extraction unit 11h sets the extracted tag information as a target for falsification detection. If the value of the number of change detections is equal to or greater than a predetermined value, the tag information extraction unit 11h sets the extracted tag information as a non-target for falsification detection (step S406).

  Subsequently, the falsification detection unit 11f reads the feature information indicating the characteristics of the change due to falsification of the falsification detection target tag from the falsification feature information storage unit 17 and compares it with the information of the falsification detection target tag (step S407).

  The falsification detection unit 11f determines whether the web page has been falsified based on the comparison result. If the tag information and the feature information match, the falsification detection unit 11f determines that the web page has been falsified. If the tag information and the feature information do not match, the falsification detection unit 11f determines that the web page has not been falsified (step S408). For example, character strings such as “Hack” and “Fuck” are registered as feature information related to the <title> tag, and the character string specified by the <title> tag included in the text extracted in step S406 is described above. Is included, it is determined that the web page has been tampered with.

  The processing in steps S409 and S410 is the same as the processing in steps S210 and S211 in FIG.

  The processing shown in FIGS. 7 and 8 may be changed as follows. The processing in step S307 in FIG. 7 is changed to the following processing. If it is determined that the tag change frequency detection process is to be terminated, the tag information extraction unit 11h deletes information stored in the tag information storage unit 16 whose change detection count value is equal to or greater than a predetermined value. To do. As a result, the tag information storage unit 16 stores information of only tags with a low change frequency.

  The processing in step S406 in FIG. 8 changes to the following processing. The tag information extraction unit 11h determines whether or not the tag indicated by the identification information stored in the tag information storage unit 16 matches the extracted tag (whether or not both are the same tag). Thus, it is determined whether or not the extracted tag information is set as a target for falsification detection. If the two match, the tag information extraction unit 11h sets the extracted tag information as a target for falsification detection. If they do not match, the tag information extraction unit 11h sets the extracted tag information as a non-target for falsification detection.

  As described above, according to the present embodiment, it is possible to make tag information subject to tampering detection, except for tags with a high frequency of change, among tag information whose changes have been detected. Thereby, false detection of falsification of a web page (particularly a dynamic web page) can be reduced.

  As described above, the embodiments of the present invention have been described in detail with reference to the drawings. However, the specific configuration is not limited to the above-described embodiments, and includes design changes and the like without departing from the gist of the present invention. . For example, a program for realizing the operation and function of the web monitoring device described above may be recorded on a computer-readable recording medium, and the program recorded on the recording medium may be read and executed by the computer.

  Here, the “computer” includes a homepage providing environment (or display environment) if the WWW system is used. The “computer-readable recording medium” refers to a storage device such as a portable medium such as a flexible disk, a magneto-optical disk, a ROM, and a CD-ROM, and a hard disk built in the computer. Further, the “computer-readable recording medium” refers to a volatile memory (RAM) in a computer system that becomes a server or a client when a program is transmitted via a network such as the Internet or a communication line such as a telephone line. In addition, those holding programs for a certain period of time are also included.

  The program described above may be transmitted from a computer storing the program in a storage device or the like to another computer via a transmission medium or by a transmission wave in the transmission medium. Here, the “transmission medium” for transmitting a program refers to a medium having a function of transmitting information, such as a network (communication network) such as the Internet or a communication line (communication line) such as a telephone line. Further, the above-described program may be for realizing a part of the above-described function. Furthermore, what can implement | achieve the function mentioned above in combination with the program already recorded on the computer, what is called a difference file (difference program) may be sufficient.

It is a block diagram which shows the structure of the web monitoring apparatus by the 1st Embodiment of this invention. It is a flowchart which shows the procedure of the calculation process of the variation | change_quantity of web page information and index value in the 1st Embodiment of this invention. It is a reference figure which shows the content of the data obtained by execution of the diff command in the 1st Embodiment of this invention. It is a flowchart which shows the procedure of the alteration detection process of the web page in the 1st Embodiment of this invention. It is a reference figure for demonstrating the method of calculating | requiring a threshold value from the statistical distribution of the index value in the 1st Embodiment of this invention. It is a block diagram which shows the structure of the web monitoring apparatus by the 2nd Embodiment of this invention. It is a flowchart which shows the procedure of the detection process of the change frequency of a tag in the 2nd Embodiment of this invention. It is a flowchart which shows the procedure of the alteration detection process of the web page in the 2nd Embodiment of this invention.

Explanation of symbols

  DESCRIPTION OF SYMBOLS 1 ... Web monitoring apparatus, 2 ... Web server, 3 ... Network, 10 ... Communication part, 11 ... Monitoring process part, 11a ... Web page information acquisition part, 11b ... Page change detection unit, 11c ... difference extraction unit, 11d ... change amount calculation unit, 11e ... index value calculation unit (index value calculation unit), 11f ... falsification detection unit (tamper detection unit, determination) Means), 11g ... alarm processing section, 11h ... tag information extraction section (detection means), 12 ... web page information storage section (web page information storage means), 13 ... difference information storage section, 14 ... change amount storage unit, 15 ... index value storage unit (index value storage unit), 16 ... tag information storage unit (identification information storage unit), 17 ... falsification feature information storage unit (feature) Information storage means)

Claims (7)

Web page information storage means for storing web page information;
Index value calculating means for calculating an index value related to the magnitude of change in the web page information;
Index value storage means for storing the index values calculated at a plurality of past times by the index value calculation means;
Falsification detection means for detecting whether or not a web page has been falsified based on the index value calculated by the index value calculation means and the index value stored by the index value storage means;
A tamper detection device for web pages, comprising:   The tampering detection means, when the difference between the index value calculated by the index value calculation means and the average value of the index values stored by the index value storage means exceeds a threshold, The web page tampering detection apparatus according to claim 1, wherein the tampering detection unit determines that the web page has been tampered with.   When the index value calculated by the index value calculation unit is out of the confidence interval of the statistical distribution of the index value stored by the index value storage unit, the falsification detection unit The web page tampering detection apparatus according to claim 1, wherein it is determined that tampering has occurred. Web page information storage means for storing web page information;
A detecting means for detecting information changed between different time points out of the information included in the web page information;
Identification information storage means for storing identification information for identifying information in which a change has been detected between a plurality of past times and frequency information indicating the frequency of change of the information in association with each other;
Characteristic information storage means for storing characteristic information indicating characteristics of changes in the web page information due to tampering;
When a change in information included in the web page information is detected, based on the frequency information corresponding to the information in which the change has been detected, whether the information in which the change has been detected is subject to falsification detection Determination means for determining whether or not
Falsification detection means for detecting the presence or absence of falsification of a web page based on the detected information of the change and the feature information when it is determined that the detected information of the change is a target of falsification detection;
A tamper detection device for web pages, comprising: Web page information storage means for storing web page information;
A detecting means for detecting information changed between different time points out of the information included in the web page information;
Identification information storage means for storing identification information for identifying information for which a change frequency satisfies a predetermined condition among information in which a change is detected between a plurality of past points;
Characteristic information storage means for storing characteristic information indicating characteristics of changes in the web page information due to tampering;
When a change in information included in the web page information is detected, the change is detected by determining whether the detected information matches the information indicated by the identification information. A determination means for determining whether or not the information is subject to falsification detection;
Falsification detection means for detecting the presence or absence of falsification of a web page based on the detected information of the change and the feature information when it is determined that the detected information of the change is a target of falsification detection;
A tamper detection device for web pages, comprising:   A program for causing a computer to function as the falsification detection device for a web page according to any one of claims 1 to 5.   A computer-readable recording medium on which the program according to claim 6 is recorded.

Images