JP2010146160A - Communication management device, communication management method, and program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To solve the problem that it cannot be easily determined whether communication between a user terminal and a server device which provides a Web site is abnormal in a conventional manner. <P>SOLUTION: A communication management device includes: an abnormal communication determination part 104 for determining whether or not communication between a user terminal and a server device satisfies two or more abnormal determination rules for determining the abnormality of communication by using transmission/reception relevant information related with information to be transmitted/received between the user terminal 2 and the server device 3 obtained by a transmission/reception information acquisition part 100; an abnormality level information acquisition part 105 for acquiring abnormality level information showing the level of abnormality associated with an abnormality determination rule satisfying the rule; an abnormality level determination part 107 for determining whether or not the level of abnormality shown by the abnormality level information obtained by the abnormality level information acquisition part 105 exceeds a prescribed level; and an output part 108 for outputting abnormal communication information showing that abnormal communication has been performed according to the determination result of the abnormality level determination part 107. <P>COPYRIGHT: (C)2010,JPO&INPIT

Description

  The present invention relates to a communication management device for managing communication between a user terminal used by a user and a server device such as a WEB site.

Conventionally, there has been known an access log collection system that collects an access log about an access made to an external WEB server from a user terminal in an organization such as a company via a network such as the Internet (for example, , See Patent Document 1).
JP 2003-140990 A (first page, FIG. 1 etc.)

  However, in the related art, there is a problem that it is very difficult to easily determine whether or not communication performed between the user terminal and the server device is normal. For example, when a company is accessing a WEB site where a user terminal used by an employee is accessing, it cannot be easily determined whether the access should be permitted during business. There was a problem. For example, in order to determine whether or not the access from the user terminal is appropriate, an administrator who manages communication looks at the access log of the user terminal and the like to the WEB site accessed by the user terminal. There was a need to confirm whether or not the WEB site is actually suitable for access during business by actually accessing it.

  The communication management device of the present invention is a transmission / reception information acquisition unit that acquires transmission / reception related information that is information related to information transmitted / received between the user terminal and the server device, and a rule for determining an abnormality related to communication, Using an abnormality determination rule storage unit that can store two or more abnormality determination rules that are rules associated with abnormality degree information that is information indicating the degree of abnormality, and transmission / reception related information acquired by the transmission / reception information acquisition unit An abnormal communication determination unit that determines whether or not communication between the user terminal and the server device satisfies two or more abnormality determination rules stored in the abnormality determination rule storage unit, and the abnormal communication determination unit includes: The abnormality level information acquisition unit that acquires the abnormality level information corresponding to the abnormality determination rule that is determined to satisfy the rule, and the degree of abnormality indicated by the abnormality level information acquired by the abnormality level information acquisition unit , An abnormality degree determination unit that determines whether or not a predetermined degree has been exceeded, and an output that outputs abnormal communication information that is information indicating that abnormal communication has been performed according to a determination result of the abnormality degree determination unit A communication management device.

  With this configuration, it is possible to easily determine whether or not communication performed between the user terminal and the server device is abnormal.

  In the communication management device according to the present invention, in the communication management device, the abnormality range information that is information for specifying the abnormality range is associated with information that specifies one or more notification destinations of the abnormal communication information. A notification information storage unit that can store the notification destination information, wherein the output unit is a notification destination corresponding to the abnormality degree range information including the abnormality degree range indicated by the abnormality degree information acquired by the abnormality degree information acquisition unit. It is a communication management apparatus that acquires information from the notification information storage unit and notifies the abnormal communication information to a notification destination indicated by the acquired notification destination information.

  With this configuration, it is possible to notify an appropriate notification destination according to the degree of abnormality that abnormal communication has been performed.

  The communication management apparatus according to the present invention is the communication management apparatus, wherein the abnormality determination rule is a rule relating to access to the same WEB site.

  With this configuration, it is possible to easily determine whether or not communication performed between the user terminal and the WEB site is abnormal.

  In the communication management device of the present invention, in the communication management device, the abnormality determination rule stored in the abnormality determination rule storage unit is a rule that a user logs in to the same WEB site for a predetermined time or more, and This is a communication management device including a rule that data is intermittently uploaded to the same WEB site.

  With this configuration, it is possible to easily determine whether or not communication with the WEB site is abnormal by determining whether or not abnormal data is uploaded from the user terminal. Is possible. For example, in a company, etc., it is possible to detect the possibility that data not related to business has been uploaded to a specific WEB site, the possibility that information in the company has been leaked to a specific WEB site, etc. It becomes.

  In the communication management device of the present invention, in the communication management device, the abnormality determination rule stored in the abnormality determination rule storage unit is a rule that a user logs in to the same WEB site for a predetermined time or more, and It is a communication management device including a rule that data is downloaded intermittently from the same WEB site.

  With this configuration, it is possible to easily determine whether or not communication with the WEB site is abnormal by determining whether or not abnormal data is being downloaded from the user terminal. Is possible. For example, in a company or the like, it is possible to detect the possibility that a user is downloading data unrelated to business from a specific WEB site.

  Further, the communication management device of the present invention is the rule that the abnormality determination rule stored in the abnormality determination rule storage unit is logged in to the same WEB site in a predetermined time zone in the communication management device, And a communication management device including a rule that data is intermittently uploaded to the same WEB site.

  With this configuration, it is possible to easily determine whether or not communication with the WEB site is abnormal by determining whether or not abnormal data is uploaded from the user terminal. Is possible. For example, when data is uploaded many times to a specific WEB site at a time other than normal business hours, such as at night, in a company, etc. It is possible to detect that the upload is being performed.

  Further, the communication management device of the present invention is the rule that the abnormality determination rule stored in the abnormality determination rule storage unit is logged in to the same WEB site in a predetermined time zone in the communication management device, And a communication management device including a rule that data is intermittently downloaded from the same WEB site.

  With this configuration, it is possible to easily determine whether or not communication with the WEB site is abnormal by determining whether or not abnormal data is being downloaded from the user terminal. Is possible. For example, when data is downloaded many times from a specific WEB site at a time other than normal business hours, such as at night, in a company, etc., the user downloads the data for private use regardless of the business. It is possible to detect that the operation is being performed.

  In the communication management device of the present invention, in the communication management device, the abnormality determination rule stored in the abnormality determination rule storage unit is a rule that a user logs in to the same WEB site for a predetermined time or more, and It is a communication management apparatus including a rule that the update process is repeated at a predetermined timing for the same WEB site.

  With this configuration, it is possible to easily determine from the user terminal whether or not the update is performed unnecessarily and whether or not the communication performed with the WEB site is abnormal. It becomes possible. For example, since a company or the like rarely browses for a long time while repeatedly updating one WEB page, it is possible to determine an abnormality by detecting such a situation.

  In the communication management device according to the present invention, in the communication management device, the abnormality determination rule stored in the abnormality determination rule storage unit accesses the same WEB site a predetermined number of times per predetermined period. And a rule that data is uploaded when there is more access than a predetermined percentage of accesses made to the same WEB site.

  With this configuration, it is possible to determine that abnormal communication is being performed when the ratio of upload to the number of accesses is high. For example, normally, in the use of a WEB site, the number of times of uploading data is very small compared to the number of times of browsing a WEB page, and therefore, an abnormal upload is detected at such a ratio. be able to.

  In the communication management device according to the present invention, in the communication management device, the abnormality determination rule stored in the abnormality determination rule storage unit accesses the same WEB site a predetermined number of times per predetermined period. And a rule that data is downloaded when there is more access than a predetermined percentage of accesses made to the same WEB site.

  With this configuration, it is possible to determine that abnormal communication is being performed when the ratio of download to the number of accesses is high. For example, normally, in the use of the WEB site, the number of times data is downloaded is very small compared to the number of times the WEB page is browsed. Therefore, it is detected that an abnormal download is performed at such a ratio. be able to.

  The communication management apparatus according to the present invention further includes an inappropriate keyword information storage unit that can store one or more keyword information indicating keywords that can be included in an inappropriate WEB page in the communication management apparatus, and the abnormality determination rule. The abnormality determination rule stored in the storage unit is a communication management device further including a rule that the same WEB site is a site including a WEB page having a keyword indicated by the keyword information.

  With this configuration, only communication to a WEB site configured by a WEB page including a keyword specified in advance can be determined as an abnormal communication determination target.

  Further, the communication management device of the present invention includes an inappropriate page designation receiving unit that accepts inappropriate page designation information that is information for designating an inappropriate WEB page in the communication management device, and the inappropriate page designation information is designated by the inappropriate page designation information. An inappropriate page information acquisition unit that acquires information on the WEB page to be acquired, and a keyword that can be included in the inappropriate WEB page from the information on the WEB page acquired by the inappropriate page information acquisition unit, and a keyword indicating the keyword The communication management apparatus further includes an inappropriate keyword acquisition unit that accumulates information in the inappropriate keyword information storage unit.

  With this configuration, it is possible to add keyword information for determining an inappropriate WEB site.

  In the communication management device according to the present invention, in the communication management device, the keyword information is associated with the abnormality level information, and the abnormality level information acquisition unit is configured so that the abnormal communication determination unit is connected to the same WEB site. Is a communication management device that acquires abnormality level information associated with the keyword information when it is determined that the site includes a WEB page having the keyword indicated by the keyword information.

  With this configuration, when abnormal communication is performed, the degree of abnormality of the communication can be determined according to the keyword information included in the WEB page.

  Further, in the communication management apparatus of the present invention, in the communication management apparatus, the abnormal communication information output by the output unit includes information on a user terminal that has performed abnormal communication, information on a WEB site that is a communication destination of abnormal communication, The communication management device includes information on the start time of abnormal communication or information on the content of abnormal communication.

  With such a configuration, the details of the abnormality can be notified.

  According to the communication management device and the like according to the present invention, it is possible to easily determine whether or not the communication performed between the user terminal and the server device is abnormal.

  Hereinafter, embodiments of a communication management device and the like will be described with reference to the drawings. In addition, since the component which attached | subjected the same code | symbol in embodiment performs the same operation | movement, description may be abbreviate | omitted again.

(Embodiment)
FIG. 1 is a block diagram of an information processing system in the present embodiment. The information processing system 10 includes a communication management device 1, one or more user terminals 2, and one or more server devices 3.

  One or more user terminals 2 and one or more server devices 3 are connected to each other so as to be able to transmit and receive information via a communication line, a network, and the like. The network is, for example, the Internet or a network such as a wireless or wired LAN. However, the connection method between each apparatus is not ask | required. The information transmission / reception means may be a communication means or a broadcasting means. Moreover, the protocol used for communication is not ask | required.

  The communication management device 1 is arranged so that information transmitted and received between the user terminal 2 and the server device 3 via a network or the like can be acquired. For example, the communication management device 1 is connected to a concentrator or relay device such as a router or a hub to which the user terminal 2 is connected, or a firewall device, etc., and information input / output to / from these devices is acquired, for example, received You may make it do. Further, a network or communication line between the user terminal 2 and the server device 3 is connected to a so-called packet capture device or a device (not shown) having an equivalent function, such as a firewall device, IDS (Unauthorized Intrusion Detection System), IPS ( An intrusion prevention system) may be provided so that the communication management apparatus 1 can receive packets and the like acquired and output by the packet capture apparatus. Further, the communication management device 1 is interposed between the user terminal 2 and the communication line or network, and information transmitted from the user terminal 2 to the server device 3 is once input to the communication management device 1 and input. The communication management apparatus 1 may transmit the processed data to a communication line or a network. In this case, the information transmitted from the server device 3 is once received by the communication management device 1, and the received information is transmitted to the user terminal 2. It goes without saying that a so-called intranet server or the like may be provided between one or more user terminals 2 and the network. Further, the network may include other devices such as a DNS server (not shown) in addition to the server device 3 that provides information such as contents such as various WEB pages. The communication management device 1 may be provided in the user terminal 2 described later.

  The user terminal 2 is an information processing terminal used by a user who is a member of one organization, for example. The information processing terminal is, for example, a device that can be connected to a network and can output information transmitted from the server device 3. The information processing terminal is, for example, a computer, a mobile phone, a PDA, or the like. One organization is, for example, a company or an organization. When the user terminal 2 is used, login is usually performed using user identification information or the like. The user terminal 2 is capable of executing software that can be browsed by accessing information that can be provided by the server device 3 such as a WEB browser, for example, a WEB page. The WEB page is, for example, information such as a document provided by a WWW (World Wide Web) system or the like. The WEB page includes, for example, layout information based on text data and HTML (HyperText Markup Language) data, images, sounds, and moving images embedded in the document. Further, one or more WEB pages, a collection of information associated with the WEB page, and the like are referred to as a WEB site. The information associated with the WEB page is, for example, information that can be downloaded from the WEB page. When the user terminal 2 is connected to the server device 3 via the Internet, and the user gives an instruction to display predetermined information that can be provided by the predetermined server device 3 to, for example, a WEB browser of the user terminal 2, the user terminal 2 The terminal 2 transmits an instruction for requesting predetermined information to a predetermined server device 3 through a network such as the Internet. Then, in response to this request, predetermined information transmitted by the predetermined server device 3 is received and output (for example, displayed) to a WEB browser or the like. The user terminals 2 may be connected to each other by, for example, a local network. Since the configuration of the user terminal 2 is a known technique, a detailed description thereof is omitted.

  The server device 3 is a device that provides the user terminal 2 and the like with the functions and data that the device itself has. The server device 3 can be realized by a computer, for example. Specifically, the server apparatus 3 is a server apparatus that provides a WEB site. The server device 3 is specifically a so-called WEB server. In addition, if it is a server which can provide a WEB page, for example, can transmit, it is considered here as a WEB server. The server device 3 stores, for example, information for outputting a WEB page composed of HTML data, images, etc., and the Internet or the like in response to a request for software executed on the user terminal 2 such as a WEB browser. Such information is transmitted to the user terminal 2 through the network. Since the configuration of the server device 3 is a known technique, a detailed description thereof is omitted.

  FIG. 2 is a block diagram of the communication management apparatus 1 in the present embodiment.

  The communication management apparatus 1 includes a transmission / reception information acquisition unit 100, an acquisition information storage unit 101, an abnormality determination rule storage unit 102, an inappropriate keyword information storage unit 103, an abnormal communication determination unit 104, an abnormality degree information acquisition unit 105, and an abnormality degree information storage. Unit 106, abnormality degree determination unit 107, output unit 108, notification information storage unit 109, inappropriate page designation reception unit 110, inappropriate page information acquisition unit 111, and inappropriate keyword acquisition unit 112.

  The transmission / reception information acquisition unit 100 acquires transmission / reception related information that is information related to information transmitted / received between one or more user terminals 2 and one or more server devices 3. The transmission / reception related information may be, for example, information itself to be transmitted / received, for example, information requesting transmission of information, information itself such as an HTML file or an execution file transmitted / received in response to the request. Moreover, what is called header information etc. added to the information used as the object of transmission / reception may be sufficient. In addition, for example, information for identifying information of a transmitted / received WEB page such as a file name and a URL, and information for identifying a WEB site configured by the WEB page (for example, a site name, a domain name, and a subdomain) Name) and IP address and URL of the user terminal 2 and server device 3 that perform transmission / reception, and transmission / reception destination identification information that is information that can identify the transmission / reception destination of the user terminal 2 and server device 3 may be included. . The transmission / reception related information may include time-related information that is information related to time such as information indicating the start and end times of transmission / reception of information, time during transmission / reception, and information on connection time. Moreover, you may acquire the user identification information of the user who operates the user terminal 2 which transmits / receives. The user identification information is, for example, a user name or a user employee number. Moreover, you may acquire the identification information etc. of the server apparatus 3 which transmits / receives. Data attribute information indicating data attributes such as data size and data format to be transmitted and received may also be included. The transmission / reception related information may include communication attribute information that is information related to communication attributes such as information indicating a connection state such as what connection or protocol is used for transmission / reception and a port number through which data is transmitted / received. . These pieces of information can be acquired from, for example, header information constituting information to be transmitted / received, information to be transmitted / received, and the like. Further, the transmission / reception information acquisition unit 100 may acquire the information on the time when the transmission / reception information acquisition unit 100 acquired the transmission / reception related information acquired from a clock or the like (not shown) as one of the transmission / reception related information. Note that the time information is preferably accurate. For this reason, instead of acquiring time information from a clock or the like, it is preferable that a transmission / reception information acquisition unit 100, an acquisition unit (not shown) for acquiring time information of the communication management device 1 or the like be periodically accurate. The time information may be acquired from an NTP (Network Time Protocol) server (not shown) or the like. The transmission / reception related information is information including any of the information related to information transmitted / received similar to the above acquired by the user terminal 2, the server device 3, a packet capturing device or a relay device (not shown), so-called history information, etc. It may be. The history information is a concept including, for example, a so-called log file. For example, the user terminal 2 or the server device 3 has information related to information transmitted / received by each device similar to the above, for example, information for identifying transmitted information such as a file name, transmission destination information, transmission time, The connection time information or the like may be acquired as history information, and the transmission / reception information acquisition unit 100 may acquire the history information acquired by the user terminal 2 or the server device 3 as transmission / reception related information. The transmission / reception information acquisition unit 100 is connected to, for example, a network or communication line in which one or more user terminals 2 and one or more server devices 3 are connected, and the network or communication between the user terminals 2 and the server devices 3 is performed. Receives information transmitted and received via a line or the like. For example, the transmission / reception information acquisition unit 100 acquires information that is packetized and transmitted / received between one or more user terminals 2 and one or more server devices 3. Further, for example, history information created and transmitted by the user terminal 2, the server device 3, or the like may be acquired. The transmission / reception information acquisition unit 100 may be connected to a network or a communication line. In addition, the transmission / reception information acquisition unit 100 is connected to, for example, a relay device such as a router or a hub provided between one or more user terminals 2 and a communication line or the Internet, a concentrator, a branch device, a firewall device, or the like. Then, information regarding information transmitted / received between the user terminal 2 and the server apparatus 3 received by these apparatuses may be acquired. Further, it may be connected to the user terminal 2 through a local network, and may receive history information of information transmission / reception performed with the server device 3 transmitted by the user terminal 2. The processing, configuration, and the like for the transmission / reception information acquisition unit 100 to acquire information are known as techniques such as packet capturing, for example. Alternatively, the transmission / reception information acquisition unit 100 may acquire transmission / reception related information acquired by a packet capturing device (not shown) or the like. Here, as an example, a case will be described in which transmission / reception related information acquired by the transmission / reception information acquisition unit 100 is accumulated in an acquisition information storage unit 101 or the like described later. The transmission / reception information acquisition unit 100 can be realized by, for example, wired or wireless communication means. Moreover, you may have MPU, memory, etc. for performing the process for acquiring required information from the information transmitted / received between the user terminal 2 and the server apparatus 3. FIG.

  Here, the one or more WEB pages described above and a collection of information associated with the WEB page are considered as a WEB site. For example, a WEB site may be considered as a collection of information such as a plurality of WEB pages managed by one or a plurality of related domain names. Further, one WEB page may be considered as one WEB site. Also, information that can be downloaded by following a link provided in one WEB page in the WEB site may be considered as information in the same WEB site. Further, information such as a WEB page constituting the WEB site is stored in the server device 3 and provided by the server device 3. One WEB site is provided by one or a plurality of server devices 3. A plurality of WEB sites may be provided by one server device 3. One WEB site may be considered as one server device 3.

  The acquisition information storage unit 101 stores transmission / reception related information acquired by the transmission / reception information acquisition unit 100. The acquisition information storage unit 101 may be a non-volatile recording medium or a volatile recording medium.

  The abnormality determination rule storage unit 102 stores two or more abnormality determination rules that are rules for determining an abnormality relating to communication and are associated with abnormality degree information that is information indicating the degree of abnormality. obtain. For example, the abnormality determination rule storage unit 102 stores abnormality determination rules and abnormality degree information in association with each other. The degree-of-abnormality information may be information that gives the degree of abnormality as a value, for example, or a character string associated with the degree, for example, “large”, “small”, “severe”, “mild”, etc. Information to give may be sufficient. The rule described here may be considered as a condition for making a determination or information defining a condition. The abnormality determination rule is, for example, a rule for detecting an abnormality related to access to the same WEB site. The abnormal communication determination unit 104 to be described later determines, for example, whether or not abnormal communication has been performed using two or more abnormality determination rules out of a plurality of stored abnormality determination rules and transmission / reception related information. . The abnormality determination rule may be a rule that can determine an abnormality relating to communication as a result. For example, the abnormality determination rule may be a rule that determines that communication is normally performed. However, in such a case, the subsequent determination processing and the like are appropriately changed so that the same determination can be made as a result. Among the plurality of abnormality determination rules stored in the abnormality determination rule storage unit 102, two or more abnormality determination rules used by the abnormal communication determination unit 104, which will be described later, to determine whether or not abnormal communication has been performed, It may be considered that they are associated with each other to form a pair or a set. Hereinafter, a group composed of two or more abnormality determination rules is referred to as a rule set.

  The two or more abnormality determination rules stored in the abnormality determination rule storage unit 102 are, for example, the first rule that the user logs in to the same WEB site for a predetermined time or more, and intermittently for the same WEB site. A second rule that data is uploaded may be included (hereinafter, these two abnormality determination rules are referred to as a first rule set).

  In addition, two or more abnormality determination rules are, for example, the first rule that the user logs in to the same WEB site in a predetermined time zone, and the data is intermittently uploaded to the same WEB site. A second rule may be included (hereinafter, these two abnormality determination rules are referred to as a second rule set). The predetermined time zone is, for example, a time zone in which login by the user is not preferable. Specifically, it is a night or a holiday.

  In addition, two or more abnormality determination rules are, for example, the first rule that the user logs in to the same WEB site in a predetermined time zone, and the data is intermittently uploaded to the same WEB site. A second rule may be included (hereinafter, these two abnormality determination rules are referred to as a third rule set).

  The two or more abnormality determination rules include, for example, a first rule that a user logs in to a same WEB site at a predetermined time period, and a second rule that data is intermittently downloaded from the same WEB site. A rule may be included (hereinafter, these two abnormality determination rules are referred to as a fourth rule set).

  The two or more abnormality determination rules are, for example, the first rule that the user has logged in to the same WEB site for a predetermined time or more, and the update process is repeated for the same WEB site at a predetermined timing. A second rule may be included (hereinafter, these two abnormality determination rules are referred to as a fifth rule set).

  In addition, two or more abnormality determination rules include, for example, the first rule that the same WEB site is accessed a predetermined number of times per predetermined period, and the access made to the same WEB site. It is also possible to include a second rule that data is uploaded when the number of accesses exceeds a predetermined ratio (hereinafter, these two abnormality determination rules are referred to as a sixth rule set). The predetermined period indicates a period designated in advance, such as, for example, per day, per half day, or working hours. Information indicating this period is accumulated in a storage medium (not shown) or the like.

  In addition, two or more abnormality determination rules include, for example, the first rule that the same WEB site is accessed a predetermined number of times per predetermined period, and the access made to the same WEB site. It is also possible to include a second rule that data is downloaded when the number of accesses exceeds a predetermined ratio (hereinafter, these two abnormality determination rules are referred to as a seventh rule set).

  In addition to the two or more abnormality determination rules described above, the WEB page having the keyword indicated by the keyword information stored in the inappropriate keyword information storage unit 103 is the same WEB site in the two or more abnormality determination rules. You may make it further contain the abnormality determination rule limited to the site to include. This abnormality determination rule is referred to herein as a keyword abnormality rule.

  The access to the WEB site described here refers to reading / writing information on the WEB site, for example, information on the WEB page. Transmission of some information, for example, information requesting transmission of information on the WEB page, a command, or the like to the WEB site may be considered as access. Further, access may be considered when any information is received from the WEB site.

  There is no limitation on the process, timing, or the like of storing the abnormality determination rules in the abnormality determination rule storage unit 102. The degree of abnormality will be described later. The abnormality determination rule storage unit 102 is preferably a nonvolatile recording medium, but can also be realized by a volatile recording medium.

  The inappropriate keyword information storage unit 103 can store one or more pieces of keyword information indicating keywords that can be included in an inappropriate WEB page. The keyword is, for example, a character string of one or more characters. The keyword information may be associated with a degree of abnormality described later. For example, the keyword information may be stored in the keyword information in association with the abnormality degree information indicating the abnormality degree. This abnormality level information may be considered as one of the abnormality level information associated with the abnormality determination rule. There is no limitation on the process or timing of the keyword information stored in the inappropriate keyword information storage unit 103. The inappropriate keyword information storage unit 103 is preferably a non-volatile recording medium, but can also be realized by a volatile recording medium.

  The abnormal communication determination unit 104 uses the transmission / reception related information acquired by the transmission / reception information acquisition unit 100 to perform communication between the user terminal 2 and the server device 3 in two or more stored in the abnormality determination rule storage unit 102. It is determined whether or not the abnormality determination rule is satisfied. The two or more abnormality determination rules described here are two or more abnormality determination rules specified in advance by an administrator or the like out of the abnormality determination rules stored in the abnormality determination rule storage unit 102. Specifically, there are two or more abnormality determination rules that form pairs or groups. In other words, the two or more abnormality determination rules used by the abnormal communication determination unit 104 for determination are any of a set of two or more predetermined abnormality determination rules among three or more abnormality determination rules. It may be. For example, the abnormal communication determination unit 104 satisfies the rules indicated by two or more abnormality determination rules that constitute any one of the first to seventh rule sets stored in the abnormality determination rule storage unit 102 as described above. Determine whether or not. Further, it may be determined whether or not the keyword abnormality rule is satisfied. Specifically, the abnormal communication determination unit 104 determines whether or not the communication between the user terminal 2 and the server device 3 satisfies all the specified two or more abnormality determination rules. The determination of whether or not the abnormality determination rule is satisfied is a concept including determination of whether or not the abnormality determination rule is satisfied if the same determination can be made as a result. In addition, the abnormality determination rule may be a rule for determining that normal communication has been performed if the same determination can be made as a result of appropriately changing (for example, inverting) the determination process. Good.

  The timing etc. which the abnormal communication judgment part 104 makes judgment do not ask | require. For example, each time the transmission / reception information acquisition unit 100 acquires transmission / reception related information, the determination may be made, or the transmission / reception information acquisition unit 100 uses the transmission / reception related information accumulated in the abnormality determination rule storage unit 102, The determination may be made at a predetermined timing that is specified in advance or periodically.

  For example, the abnormal communication determination unit 104 uses the transmission / reception related information acquired by the transmission / reception information acquisition unit 100 to acquire determination information that is information used to determine whether or not two or more abnormality determination rules are satisfied. Then, it is determined whether or not the determination information satisfies both two or more abnormality determination rules such as the first to seventh rule sets described above. The determination information acquired here is determination information corresponding to an abnormality determination rule used when the abnormal communication determination unit 104 determines abnormal communication. For example, information indicating what kind of determination information is acquired may be stored in advance in the abnormality determination rule storage unit 102 or the like in association with the abnormality determination rule. Note that the processing that constitutes the information for determination may be considered as part of the determination processing for determining whether or not the abnormality determination rule is satisfied.

  The determination information acquired by the abnormal communication determination unit 104 is, for example, information related to the WEB site accessed by the user terminal 2. Further, this information may include information regarding the time when the access is performed. The information related to the accessed WEB site is, for example, information such as URL and domain name and identification information such as site name that can identify the WEB site accessed by the user terminal 2. The abnormal communication determination unit 104, for example, from information such as a header of information such as request information requesting transmission of a WEB page transmitted from the user terminal 2 to the WEB site, acquired by the transmission / reception information acquisition unit 100, Information related to the WEB site, such as information specifying the WEB site included in the information such as the header, for example, the URL information of the WEB site and the address information such as the IP address of the server device 3 managing the WEB site is acquired. To do. Information on the time of access is, for example, information such as a header of information acquired by the transmission / reception information acquisition unit 100, such as request information for requesting transmission of a WEB page transmitted from the user terminal 2 to the WEB site. The time information included in the header of the information such as the information on the WEB page transmitted from the server device 3 that provides the WEB site to the user terminal 2 or the like. Or the information of the time which the transmission / reception information acquisition part 100 acquired the information etc. which are transmitted to the WEB site from the user terminal 2 included in the transmission / reception related information, or the server device 3 which provides the WEB site to the user terminal 2 The information on the time of access may be acquired from the information on the time when the transmission / reception information acquisition unit 100 acquires the information transmitted in response to the information.

  The determination information acquired by the abnormal communication determination unit 104 is, for example, information indicating an access time. The access time is the time from the start of reading / writing information to the information on one WEB site to the end of reading / writing information on the same WEB site. You may make it consider the time of transmitting the last information transmitted with respect to the same WEB site as the time when reading / writing of information was complete | finished. For example, if information for requesting a WEB page is sequentially transmitted to page A, page B, and page C of the same WEB site, the access time is calculated from the transmission time of the request information for page A. It may be considered the time until the transmission time of the request information for page C. Alternatively, when the WEB site is a site that requires user authentication, the time from when the user authenticates and logs in to the WEB site until the user cancels the authentication and logs out may be considered as the access time. The access start time and the access end time are, for example, information headers acquired by the transmission / reception information acquisition unit 100 and transmitted from the user terminal 2 to the WEB site, such as request information for requesting transmission of the WEB page. It is acquired from time information included in information or the like, time information included in a header of information such as information on a WEB page transmitted from the server apparatus 3 that provides the WEB site to the user terminal 2, and the like. Or the information of the time which the transmission / reception information acquisition part 100 acquired the information etc. which are transmitted to the WEB site from the user terminal 2 included in the transmission / reception related information, or the server device 3 which provides the WEB site to the user terminal 2 The information of the access start time and the access end time is acquired from the information of the time when the transmission / reception information acquisition unit 100 acquires the information transmitted to the information, and the information indicating the access time is acquired using the information of the time You may do it.

  Moreover, the information for determination which the abnormal communication determination part 104 acquires is the information regarding the information which the user terminal 2 receives from a WEB site, for example. This information may include information regarding the time at which the user terminal 2 receives the information from the WEB site. The information received by the user terminal 2 described here may be considered as information downloaded by the user terminal 2 in particular. The downloaded information is information that cannot be displayed as it is on the WEB browsing program such as a browser on the user terminal 2 without using, for example, a program that provides an additional function such as a so-called plug-in. The downloaded information is information acquired by instructing acquisition without being displayed by a WEB browsing program. The information related to information received by the user terminal 2 is information indicating whether the user terminal 2 has downloaded information from the WEB site, for example. For example, the transmission / reception information acquisition unit 100 acquires information such as the data type of information transmitted / received as transmission / reception related information, and the transmitted / received information is information of a pre-designated attribute, for example, the user terminal 2 is a WEB page. The browser used for browsing is used to determine whether it is information that can be directly displayed without using a so-called plug-in or the like, using data type information, for example, information such as an extension. If the information is not displayable, the user terminal 2 determines that the information has been downloaded from the WEB site. Then, determination information indicating that the data has been downloaded may be acquired. Alternatively, the transmission / reception information acquisition unit 100 acquires the information itself to be transmitted / received as the transmission / reception related information between the user terminal 2 and the server device 3, and sets the data type information of the information transmitted / received from the acquired information. It may be acquired as transmission / reception related information. And the information of the data type of the information to be transmitted / received indicated by the transmission / reception related information is the information of the attribute designated in advance, for example, without using a so-called plug-in or the like in the browser used by the user terminal 2 for browsing the WEB page. Whether or not the information can be directly displayed is determined using data type information, for example, information such as an extension. If the information is not displayable, the user terminal 2 Judge that information has been downloaded from the site. And the information for judgment which shows having downloaded is acquired.

  Further, the transmission / reception information acquisition unit 100 acquires the header and the like of the information received by the user terminal 2 as transmission / reception related information, extracts the port number and the like included in the acquired transmission / reception related information, and the port number is downloaded. It is determined whether or not the port number is used for downloading FTP, streaming data, etc., and if it matches these port numbers, the information for determination indicating that it has been downloaded is acquired. May be.

  Information for determination regarding the time at which the user terminal 2 receives information from the WEB site is information on the time at which the server device 3 providing the WEB site transmits information such as information downloaded by the user terminal 2 to the user terminal 2. It may be. Moreover, the information etc. of the time when the user terminal 2 received the information transmitted from a WEB site may be sufficient. These pieces of information include, for example, information acquired by the transmission / reception information acquisition unit 100 such as a header of information transmitted from the server device 3 to the user terminal 2 or information transmitted from the user terminal 2 to the server device 3. It can be acquired from the header of information indicating that it has been received. When the transmission / reception information acquisition unit 100 acquires information on the time when the information indicating that the user terminal 2 is downloading information is acquired by the transmission / reception information acquisition unit 100 as transmission / reception related information, the transmission / reception related information is You may make it acquire the information of the time shown as the information for judgment which is the information regarding the time when the user terminal 2 receives information from a WEB site.

  Moreover, the information for determination which the abnormal communication determination part 104 acquires may be the information regarding the information which the user terminal 2 transmits to a WEB site, for example. Further, this information may include information related to the time when the information is transmitted. The information transmitted by the user terminal 2 described herein may be considered as information that the user terminal 2 uploads to a server device that provides a WEB site. The information to be uploaded may be considered, for example, information excluding information such as request information and instructions, that is, information excluding information requesting transmission of information on the WEB page to the WEB site. The information related to information transmitted by the user terminal 2 is information indicating whether the user terminal 2 has uploaded information to the WEB site, for example. For example, the transmission / reception information acquisition unit 100 acquires information such as the data type of information transmitted / received between the user terminal 2 and the server device 3 as transmission / reception related information, and the abnormal communication determination unit 104 transmits / receives information. Is the request information or command, it is determined from the information such as the data type and the content of the information. If it is not the request information or command, it is determined that the user terminal 2 has uploaded the information to the WEB site. Then, determination information indicating that the data has been uploaded may be acquired. Alternatively, the transmission / reception information acquisition unit 100 acquires the information itself to be transmitted / received as the transmission / reception related information between the user terminal 2 and the server device 3, and sets the data type information of the information transmitted / received from the acquired information. It may be acquired as transmission / reception related information. Then, it is determined whether or not the transmitted / received information is request information or a command from the information such as the data type or the content of the information. If it is not the request information or the command, the user terminal 2 uploads the information to the WEB site. It may be determined and information for determination indicating that data has been uploaded may be acquired.

  Further, the transmission / reception information acquisition unit 100 acquires the header and the like of the information transmitted by the user terminal 2 as the transmission / reception related information, extracts the port number included in the acquired transmission / reception related information, and the port number is uploaded. It is determined whether or not the port number is used for, for example, the port number used for FTP, and when the port number matches the port number, determination information indicating that uploading may be obtained.

  The determination information regarding the time at which the user terminal 2 transmits information may be information on the time at which the user terminal 2 transmits information. Further, this information may include information on the time when the server device 3 that provides the WEB site receives the information to be transmitted. Such information includes, for example, the header of information acquired by the transmission / reception information acquisition unit 100 and transmitted from the user terminal 2 to the server apparatus 3, and uploaded information transmitted from the server apparatus 3 to the user terminal 2. Can be obtained from information such as a header of information indicating that the message is received. When the transmission / reception information acquisition unit 100 acquires information indicating that the user terminal 2 is uploading information, information on the time acquired by the transmission / reception information acquisition unit 100 as transmission / reception related information, the transmission / reception related information is You may make it acquire the information of the time shown as the information for judgment which is the information regarding the time when the user terminal 2 transmits information to a WEB site.

  Further, the determination information acquired by the abnormal communication determination unit 104 may be information indicating that the user terminal 2 is logged into the WEB site, for example. Whether or not the user has logged in to the WEB site is, for example, whether or not the transmission / reception related information indicates that information including information such as ID and password for login has been transmitted from the user terminal 2, logout This is determined based on whether or not an instruction for sending is sent. Alternatively, it may be determined that the user has logged in when encrypted information is transmitted or when information is transmitted using a specific port number such as SSL used for login or the like. For example, when the transmission / reception related information is information itself transmitted from the user terminal 2, information associated with a character string such as “ID”, “user ID”, and “account” is included in the transmission / reception related information. It may be determined whether or not there is, and if so, it may be determined that the login information has been transmitted. Similarly, it may be determined that logout has been performed when information or the like instructing logout is transmitted. The above-described information indicating that the user is logged in is, for example, information indicating that it is within the time from login to logout. For example, the information includes information that can specify the login start time and the login end time. Information on the time of login and logout is, for example, information such as a header of information for login and logout, which is acquired by the transmission / reception information acquisition unit 100 and transmitted from the user terminal 2 to the WEB site. It is acquired from the information on the time included, the information on the time included in the header of the information indicating that the log-in or log-out transmitted from the server device 3 providing the WEB site to the user terminal 2 is successful, and the like. Alternatively, information included in the transmission / reception related information, the time information acquired by the transmission / reception information acquisition unit 100 for login or logout transmitted from the user terminal 2 to the WEB site, or the server device that provides the WEB site 3 from the time information acquired by the transmission / reception information acquisition unit 100, such as information indicating that the login or logout has been successful, transmitted from 3 to the user terminal 2; Also good.

The determination information acquired by the abnormal communication determination unit 104 is, for example, information related to information requesting a WEB page transmitted from the user terminal 2 to the WEB site. This information may include information regarding the time when the requested information is transmitted. Requesting a WEB page means requesting information for displaying the WEB page. Here, transmitting an instruction to update the WEB page is also considered to have transmitted information requesting the WEB page. The information related to information for requesting a WEB page is information including information for specifying a requested WEB site or WEB page, for example, WEB site identification information or WEB page identification information. For example, when the transmission / reception information acquisition unit 100 acquires information indicating what information is transmitted / received between the user terminal 2 and the server device 3 as the transmission / reception related information, the abnormal communication determination unit 104 It is determined whether the transmitted information is information for requesting transmission of a WEB page. If the transmitted information is information for requesting transmission, information related to information for requesting a WEB page using transmission / reception related information, for example, transmission is performed. Information for specifying a requested WEB page is acquired. Or the transmission / reception information acquisition part 100 acquires the information itself transmitted / received as transmission / reception related information between the user terminal 2 and the server apparatus 3, and the acquired information is information which requests a WEB page. If it is information to be requested, information relating to information requesting a WEB page such as information specifying a WEB page may be acquired. Information regarding the time at which information requesting the WEB page is transmitted is the same as that for acquiring access time information, and thus the description thereof is omitted here.
Note that the process by which the abnormal communication determination unit 104 acquires the determination information is not limited to the above process. Further, the determination information to be acquired is not limited to the determination information as described above.

  Next, a determination process performed by the abnormal communication determination unit 104 using the determination information as described above to determine whether or not both of two or more abnormality determination rules are satisfied will be described. Here, as a specific example, it is specified in advance by a user or the like that two or more abnormality determination rules included in any of the first to seventh rule groups described above are used as the abnormality determination rule used in the determination process. A case where the abnormal communication determination unit 104 determines whether or not the specified abnormality determination rule is satisfied will be described. However, the processing described here is an example, and other determinations may be made as long as the same determination is possible.

(1) When the first rule set is designated First, the abnormal communication determination unit 104 configures the first rule set stored in the abnormality determination rule storage unit 102, “for the same WEB site. A first rule “logged in for a predetermined time or more” and a second rule “data is intermittently uploaded to the same WEB site” are acquired.

  Next, the abnormal communication determination unit 104 includes information for determining the time during which the user terminal 2 is logged in to the WEB site as described above (hereinafter referred to as login time determination information), and the user terminal 2. Information for determination regarding information transmitted to the WEB site (hereinafter referred to as transmission information determination information) is acquired.

  Then, the abnormal communication determination unit 104 determines whether or not the login time determination information that satisfies the condition indicated by the first rule of the first rule set described above exists in the login time determination information. . That is, it is determined whether or not there is login time determination information indicating that the user has logged in for a predetermined time or more with respect to one WEB site. For the predetermined time of the first rule, for example, a fixed or variable value is specified in advance. The login described here may exclude, for example, login to a web site designated in advance, such as a company's WEB site, or in some cases a server such as an intranet. For example, it may be possible to exclude login to a WEB site to be excluded by matching a URL or IP address of a WEB site that is stored in advance with a URL or IP address of a communication destination. The same applies to other rules.

  If there is login time determination information indicating that the user has logged in for a predetermined time or more, the abnormal communication determination unit 104 transmits the transmission information determination information corresponding to the user terminal 2 corresponding to the login time determination information. It is determined whether or not there is login time determination information that satisfies the condition indicated by the second rule of the first rule set described above. That is, using the transmission information determination information, it is determined whether or not data is intermittently uploaded with the same WEB site as the WEB site determined to be logged in for a predetermined time or more as the data transmission destination. . Preferably, it is determined whether data is intermittently uploaded within the login time. An intermittent upload is an upload that is not continuous. It may be considered that the upload has expired or continued within a predetermined time. Intermittent upload may be considered to mean that information has been uploaded a plurality of times, for example. Whether or not it has been uploaded intermittently is determined by determining whether or not it has been transmitted from the user terminal 2 more than a predetermined number of times within a predetermined time. For example, information sent by designating a port number used for FTP as the address of a WEB site that has been determined to be logged in for a predetermined time or more is designated in advance within the time of login. It is determined using the transmission information determination information whether the user terminal 2 has transmitted the number of times or more. The number of times designated in advance may be fixed, or may be the number of times that changes in accordance with the login time. If it is sent, it is determined that it has been uploaded intermittently. Note that it may also be determined that information has been transmitted intermittently when information is transmitted at intervals within a predetermined time interval.

  Thus, when it is determined that both the first rule and the second rule of the first rule set are satisfied, as a result, it is determined that the abnormality determination rule of the first rule set is satisfied. Become.

(2) When the second rule set is specified First, the abnormal communication determination unit 104 configures the second rule set stored in the abnormality determination rule storage unit 102, “for the same WEB site. A first rule “logged in for a predetermined time or more” and a second rule “data is intermittently downloaded from the same WEB site” are acquired.

  Next, the abnormal communication determination unit 104 acquires the above-described login time determination information and determination information (hereinafter referred to as reception information determination information) that is information related to information received by the user terminal 2 from the WEB site. To do.

  Then, the abnormal communication determination unit 104 determines whether or not the login time determination information that satisfies the condition indicated by the first rule of the second rule set described above exists in the login time determination information. . Since the first rule of the second rule set is the same as the first rule of the first rule set, this determination process is the same as the case of the first rule set.

  If there is login time determination information indicating that the user has logged in for a predetermined time or more, the abnormal communication determination unit 104 transmits the transmission information determination information corresponding to the user terminal 2 corresponding to the login time determination information. It is determined whether or not there is login time determination information that satisfies the condition indicated by the second rule of the second rule set described above. That is, it is determined using the reception information determination information whether or not data is intermittently downloaded from the same WEB site that is determined to be logged in for a predetermined time or more. Preferably, it is determined whether or not data is downloaded intermittently within the login time. The intermittent download means that information has been downloaded a plurality of times, for example. Whether or not it has been downloaded intermittently is determined by determining whether or not information has been transmitted from the WEB site to the user terminal 2 within a predetermined time. For example, it is information that the address of the WEB site that has been determined to be logged in for a predetermined time or more as the transmission source, and the user terminal 2 that has been logged in to the site for a predetermined time, and the port used for FTP It is determined using the received information determination information whether or not the information transmitted by designating the number has been received more than a predetermined number of times within the time when the user terminal 2 is logged in. The number of times designated in advance may be fixed, or may be the number of times that changes in accordance with the login time. If it is received, it is determined that it has been downloaded intermittently. Note that it may also be determined that information has been transmitted intermittently when information is transmitted at intervals within a predetermined time interval.

  Thus, when it is determined that both the first rule and the second rule of the second rule set are satisfied, as a result, it is determined that the abnormality determination rule of the second rule set is satisfied. Become.

(3) When a third rule set is specified The abnormal communication determination unit 104 constitutes a third rule set stored in the abnormality determination rule storage unit 102, and “a predetermined rule is set for the same WEB site. The first rule that “logged in at a time zone” and the second rule that “data is uploaded intermittently from the same WEB site” are acquired.

  Next, the abnormal communication determination unit 104 acquires the above-described login time determination information and the above-described transmission information determination information.

  Then, the abnormal communication determination unit 104 determines whether or not the login time determination information that satisfies the condition indicated by the first rule of the third rule set described above exists in the login time determination information. . That is, it is determined whether or not there is login time determination information indicating that the logged-in time zone is a predetermined time zone. The predetermined time zone is, for example, a time zone designated in advance, and is stored in a storage medium (not shown).

  If it exists, it is determined whether or not the logged-in user has intermittently uploaded data by performing the same determination as whether or not the second rule of the first rule set described above is satisfied. . When it is determined that data is intermittently uploaded, both the first rule and the second rule of the third rule set are satisfied. As a result, it is determined that the abnormality determination rule of the third rule set is satisfied.

(4) When the fourth rule set is specified The abnormal communication determination unit 104 constitutes the fourth rule set stored in the abnormality determination rule storage unit 102, and “a predetermined rule is set for the same WEB site. A first rule “logged in at time” and a second rule “intermittently downloading data from the same WEB site” are acquired.

  Next, the abnormal communication determination unit 104 acquires the login time determination information described above and the reception information determination information described above.

  Then, the abnormal communication determination unit 104 determines whether or not the login time determination information that satisfies the condition indicated by the first rule of the fourth rule set exists in the login time determination information. This determination process is the same as in the case of the third rule set.

  If it exists, it is determined whether or not the logged-in user has intermittently downloaded data by performing the same determination as whether or not the second rule of the second rule set described above is satisfied. . If it is determined that data is downloaded intermittently, both the first rule and the second rule of the fourth rule set are satisfied. As a result, it is determined that the abnormality determination rule of the fourth rule set is satisfied.

(5) In the case where the fifth rule set is designated The abnormal communication determination unit 104 constitutes the fifth rule set stored in the abnormality determination rule storage unit 102, “predetermined for the same WEB site. A first rule that “logged in for more than an hour” and a second rule that “update processing is being performed on the same WEB site at a predetermined timing” are acquired.

  Next, the abnormal communication determination unit 104 determines information (hereinafter referred to as information related to the login time determination information described above and information requesting transmission of the WEB page transmitted from the user terminal 2 to the WEB site). , Referred to as request determination information).

  Then, the abnormal communication determination unit 104 determines whether or not the login time determination information that satisfies the condition indicated by the first rule of the fifth rule set described above exists in the login time determination information. . Since the first rule of the fifth rule set is the same as the first rule of the first rule set, this determination process is the same as the case of the first rule set.

  Next, when there is login time determination information indicating that the user has logged in for a predetermined time or more, the abnormal communication determination unit 104 determines the request information determination information corresponding to the user terminal 2 corresponding to the login time determination information. It is determined whether or not there is login time determination information that satisfies the condition indicated by the second rule of the fifth rule set described above. That is, it is determined using the reception information determination information whether or not the update processing is performed at a predetermined timing for the same WEB site as that determined to be logged in for a predetermined time or more. Preferably, it is determined whether or not the update process is performed at a predetermined timing within the login time. The predetermined timing is, for example, repeated twice or more at a predetermined time interval specified in advance. The predetermined time interval may be constant or indefinite. Whether or not the update process is performed at a predetermined timing can be determined by calculating a time interval at which the information is transmitted from information regarding a transmission time of the information requesting the WEB page. The update process is, for example, reloading a WEB page. The update process may be considered as a process of re-acquiring data of the same WEB page and redrawing the WEB page. There is no limitation on the method for determining that the update process has been performed. Whether the update process is being performed is determined by, for example, whether or not information requesting transmission of the WEB page transmitted immediately before and information requesting the same WEB page are transmitted. Specifically, when information requesting the same WEB page as that immediately before is transmitted, it is determined that the update process has been performed. Alternatively, the determination may be made based on whether or not information requesting update is transmitted.

  Thus, when it is determined that both the first rule and the second rule of the fifth rule set are satisfied, as a result, it is determined that the abnormality determination rule of the fifth rule set is satisfied. Become.

(6) In the case where the sixth rule set is specified The abnormal communication determination unit 104 constitutes the sixth rule set stored in the abnormality determination rule storage unit 102, “predetermined for the same WEB site. The first rule is “accessed more than a predetermined number of times per period” and “uploading data when more than a predetermined percentage of accesses made to the same WEB site” Get the second rule.

  Next, the abnormal communication determination unit 104 acquires information for determination (hereinafter referred to as access determination information) that is information about the WEB site that the user terminal 2 is accessing and the transmission information determination information described above. .

  The abnormal communication determination unit 104 uses the address information of the access destination WEB site indicated by the access determination information and information regarding the time of access from each user terminal 2 within a predetermined period specified in advance. , It is determined whether or not a certain number of accesses have been made to one WEB site. It is assumed that the predetermined period is specified in advance. For example, by dividing the number of accesses to the same WEB site in units of a predetermined period, it is possible to calculate the number of accesses per predetermined period. Alternatively, the number of accesses within one predetermined period may be counted. The information specifying the predetermined number of times may be considered as a so-called threshold value, and the value is accumulated in advance in a storage unit or the like (not shown), for example.

  Next, when it is determined that a predetermined number of accesses have been made to a single WEB site within a predetermined period specified in advance, the abnormal communication determination unit 104 uses the transmission information determination information, It is determined whether or not the communication of the user terminal 2 that has accessed more than a predetermined number of times satisfies the second rule of the sixth rule set. For example, similar to the number of accesses per predetermined period described above, the number of times information is uploaded per predetermined period is calculated, and the ratio of the number of uploads within a predetermined period to the number of accesses within the predetermined period described above is calculated. calculate. Then, it is determined whether the ratio is larger than a predetermined ratio. If the ratio is larger, the data is uploaded when the access is larger than the predetermined ratio of accesses made to the same WEB site. Judge that

  Thus, when it is determined that both the first rule and the second rule of the sixth rule set are satisfied, as a result, it is determined that the abnormality determination rule of the sixth rule set is satisfied. Become.

(7) When the Seventh Rule Set is Specified The abnormal communication determination unit 104 configures the seventh rule set stored in the abnormality determination rule storage unit 102, “predetermined for the same WEB site. The first rule is “accessed more than a predetermined number of times per period” and “data is downloaded when the access is greater than a predetermined percentage of accesses made to the same WEB site” Get the second rule.

  Next, the abnormal communication determination unit 104 acquires the access determination information described above and the reception information determination information described above.

  As in the case of the first rule of the sixth rule set, the abnormal communication determination unit 104 receives a predetermined number of times or more from one user terminal 2 with respect to one WEB site within a predetermined period. Determine whether access has been made.

  Next, when it is determined that a predetermined number of accesses have been made to a single WEB site within a predetermined period specified in advance, the abnormal communication determination unit 104 uses the received information determination information, It is determined whether or not the communication of the user terminal 2 that has accessed more than a predetermined number of times satisfies the second rule of the seventh rule set. For example, similar to the number of accesses per predetermined period described above, the number of times information is downloaded per predetermined period is calculated, and the ratio of the number of downloads within a predetermined period to the number of accesses within the predetermined period described above is calculated. calculate. Then, it is determined whether or not the ratio is larger than a predetermined ratio. If the ratio is larger, it is assumed that the data has been downloaded at the time of access exceeding a predetermined ratio of accesses made to the same WEB site. to decide.

  Thus, when it is determined that both the first rule and the second rule of the seventh rule set are satisfied, as a result, it is determined that the abnormality determination rule of the seventh rule set is satisfied. Become.

  Note that the processing order of the first rule and the second rule of the rules constituting the first to seventh rule sets may be changed as appropriate.

  In addition to the two or more abnormality determination rules of the first to seventh rule sets described above, the keywords stored in the inappropriate keyword information storage unit 103 are the same WEB sites in the two or more abnormality determination rules. The keyword abnormality rule limited to the site including the WEB page having the keyword indicated by the information may be further read, and the above determination process may be performed so as to further satisfy the keyword abnormality rule.

  For example, in accordance with a keyword abnormality rule, keyword information is read from the inappropriate keyword information storage unit 103, and the same WEB site detected in the determination using the first rule and the second rule of the first to seventh rule sets described above Information, for example, HTML information of the WEB site is acquired from transmission / reception related information stored in the acquisition information storage unit 101 or the like, and it is determined whether or not the keyword indicated by the keyword information is included in the information of the WEB site. If the keyword is included, it is determined that the keyword abnormality rule is satisfied. In addition, when the other first rule and the second rule are satisfied, two or more abnormality determination rules are satisfied. You may make it judge. It should be noted that information on the same WEB site, for example, HTML information on the WEB site, is received from the server device 3 by requesting information on the WEB page constituting the WEB site from the server device 3 that provides the WEB site. Anyway. The abnormal communication determination unit 104 may be provided with a transmission / reception means used for transmission / reception of such information, or a transmission / reception unit that performs such transmission / reception may be provided in the communication management device 1. Moreover, you may utilize the other transmission / reception part in the communication management apparatus 1. FIG.

  In any of the above determinations, if any one of the first to seventh rule groups and the keyword abnormality rule does not satisfy the condition, for example, two or more abnormality determination rules are not satisfied, It may be determined that the communication is not abnormal.

  For example, the abnormal communication determination unit 104 outputs a determination result as to whether or not the abnormality determination rule is satisfied to the abnormality degree information acquisition unit 105 described later. Information indicating the determination result may be output only when it is determined that two or more abnormality determination rules are satisfied. The abnormal communication determination unit 104 can usually be realized by an MPU, a memory, or the like. The processing procedure of the abnormal communication determination unit 104 is usually realized by software, and the software is recorded in a recording medium such as a ROM. However, it may be realized by hardware (dedicated circuit).

  The abnormality level information acquisition unit 105 acquires abnormality level information associated with the abnormality determination rule that the abnormal communication determination unit 104 determines to satisfy the rule. For example, the abnormality level information stored in the abnormality determination rule storage unit 102 in association with the abnormality determination rule is acquired. The abnormality determination rule here may be considered to include a keyword abnormality rule. The degree of abnormality information acquired by the degree-of-abnormality information acquisition unit 105 may be either or both of degree-of-abnormality information associated with two or more abnormality determination rules, or a group of two or more abnormality determination rules. The associated abnormality degree information may be used. Specifically, the abnormality level information acquisition unit 105 acquires the abnormality level information associated with the abnormality determination rule that matches the search key, using the abnormality determination rule used by the abnormal communication determination unit 104 as a search key. May be. When acquiring the degree of abnormality information from the degree of abnormality information associated with two or more abnormality determination rules, the degree of abnormality information indicating the degree of abnormality obtained by accumulating the degree of abnormality indicated by the degree of abnormality information may be acquired. Alternatively, only the abnormality level information indicating the highest degree of abnormality may be acquired.

  In addition, when the abnormality level information acquisition unit 105 determines that the keyword abnormality rule as described above is satisfied, the abnormality level information corresponding to the keyword information used in the keyword abnormality rule is associated with the abnormality determination rule. You may make it acquire as degree information. For example, when determining whether or not the abnormality determination rule as described above is satisfied, the abnormality level information acquisition unit 105 selects the same WEB site that is accessed by the abnormal communication determination unit 104 as an inappropriate keyword information storage unit 103. If it is determined that the site includes a WEB page having the keyword indicated by the keyword information stored in the URL, the degree of abnormality information associated with the keyword information may be acquired. The degree-of-abnormality information associated with the keyword information acquired by the degree-of-abnormality information acquisition unit 105 is abnormality degree information accumulated in association with the keyword information in the inappropriate keyword information storage unit 103, for example. Specifically, the degree-of-abnormality information acquisition unit 105 acquires the degree-of-abnormality information using the keyword information used for the determination by the abnormal communication determination unit 104 as a search key or the like. When a plurality of keyword information is included in the WEB page of the same WEB site described above, the degree of abnormality indicated by the degree of abnormality information associated with the plurality of keyword information may be accumulated or highest. Only abnormality level information indicating the degree of abnormality may be acquired.

  The degree-of-abnormality information acquisition unit 105 associates the obtained degree-of-abnormality information with a user who uses the user terminal 2 associated with the determination information determined to satisfy the rule by the abnormal communication determination unit 104, and will be described later. Accumulated in the abnormality degree information storage unit 106. Associating with a user may be considered as associating with user identification information, for example. When the abnormality degree information associated with the user has already been stored, the degree of abnormality of the stored abnormality degree information is accumulated according to the degree of the obtained abnormality degree information. When the degree of abnormality is a value, the accumulation may be considered as addition. In addition, when it is not necessary to particularly distinguish the identification information of the user terminal 2 and the identification information of the user, the abnormality degree information may be accumulated in association with the user terminal 2. Associating with the user terminal 2 may be considered as associating with the identification information of the user terminal 2, for example.

  The degree-of-abnormality information acquisition unit 105 can usually be realized by an MPU, a memory, or the like. The processing procedure of the degree-of-abnormality information acquisition unit 105 is usually realized by software, and the software is recorded on a recording medium such as a ROM. However, it may be realized by hardware (dedicated circuit).

  The abnormality degree information storage unit 106 can store abnormality degree information. The abnormality degree information storage unit 106 may store abnormality degree information for each user or each user terminal 2, for example. Specifically, the abnormality degree information is accumulated in association with the user identification information and the identification information of the user terminal 2. The abnormality degree information storage unit 106 can be realized by a non-volatile recording medium or a volatile recording medium.

  The abnormality degree determination unit 107 determines whether or not the degree of abnormality indicated by the abnormality degree information acquired by the abnormality degree information acquisition unit 105 exceeds a predetermined degree. The degree-of-abnormality determination unit 107 reads out the degree-of-abnormality information stored in the degree-of-abnormality information storage unit 106 for each user or each user terminal 2, and the degree of abnormality indicated by the degree-of-abnormality information and a predetermined prepared level The degree of abnormality is compared with the degree of abnormality, and it is determined whether or not the degree of abnormality indicated by the read abnormality degree information exceeds a predetermined degree. The predetermined degree may be considered as a threshold value. For example, the predetermined degree is stored in advance in a storage medium (not shown). The degree-of-abnormality information acquisition unit 105 can usually be realized by an MPU, a memory, or the like. The processing procedure of the abnormality degree determination unit 107 is usually realized by software, and the software is recorded on a recording medium such as a ROM. However, it may be realized by hardware (dedicated circuit).

  The output unit 108 outputs abnormal communication information, which is information indicating that abnormal communication has been performed, according to the determination result of the abnormality degree determination unit 107. For example, the output unit 108 may transmit abnormal communication information to a notification destination designated in advance, and the abnormal communication information is information that can indicate that improper access has been performed as a result. Any information may be used. The abnormal communication information may simply be information indicating that abnormal communication has been performed. The abnormal communication information is information such as a message indicating that abnormal communication has been performed. Further, the abnormal communication information may be, for example, information regarding a user who has performed abnormal communication or the user terminal 2. The information regarding the user who performed the abnormal communication or the user terminal 2 is information including, for example, user identification information, identification information of the user terminal 2, and the like. Further, the abnormal communication information may be information regarding a WEB site of a communication destination of abnormal communication. The information regarding the WEB site of the communication destination of the abnormal communication is, for example, information including information such as the URL and domain name of the WEB site, the content of one or more WEB pages included in the WEB site, and the data size. Also, the abnormal communication information may include information indicating the date and time when the abnormal communication was performed. The information on the period during which abnormal communication has been performed is, for example, information on a period in which login that satisfies the abnormality determination rule is performed, and a period in which access that satisfies the abnormality determination rule is performed. Information on the date and time when abnormal communication was performed includes, for example, information on the date and date when access that satisfies the abnormality determination rule is started, information indicating the start time of login that satisfies the abnormality determination rule, and abnormality determination rules. Information indicating the date and time when transmission / reception of satisfied information was performed. Further, the abnormal communication information may be information regarding the contents of abnormal communication. The information related to the content of abnormal communication may be, for example, information for identifying information transmitted / received in communication satisfying the abnormality determination rule, such as a file name, or the data type or data size of the transmitted / received information. It may be information indicating an attribute such as. For example, it may be a file name of downloaded or uploaded data. Moreover, you may make it include the information of the abnormality degree which the abnormality degree judgment part 107 used for determination. Moreover, you may make it include the information which shows the abnormality determination rule used for determination of abnormal communication.

  When the output unit 108 notifies, for example, transmits abnormal communication information to an external device or the like via a network or the like, the output unit 108 responds to the abnormality degree information acquired by the abnormality degree information acquisition unit 105. Notification destination information that is information indicating a notification destination may be acquired, and abnormal communication information may be notified to the notification destination indicated by the acquired notification destination information. By doing in this way, abnormal communication information can be notified to the appropriate notification destination according to the degree of abnormality. The abnormality degree information acquired by the abnormality degree information acquisition unit 105 may be considered as abnormality degree information accumulated in the abnormality degree information storage unit 106. Note that the notification destination information is, for example, address information that is information specifying a destination, such as an IP address, a MAC address, or a mail address, of another device that is a notification destination.

  In this embodiment, as an example, in the notification information storage unit 109, which will be described later, abnormality degree range information that is information that designates a range of degree of abnormality degree, and information that designates one or more notification destinations of abnormal communication information Is stored in advance, and the output unit 108 uses the abnormality degree range information for designating a range including the abnormality degree indicated by the abnormality degree information acquired by the abnormality degree information acquisition unit 105. A case will be described in which corresponding notification destination information is acquired from the notification information storage unit 109, and abnormal communication information is notified to the notification destination indicated by the acquired notification destination information, specifically, transmitted.

  In addition, the abnormality level range information can specify the upper limit and the lower limit as a result, such as information specifying the upper limit and lower limit of the abnormality degree, or a combination of the upper limit value (or lower limit value) and the information indicating the value range. Information. The range indicated by the degree-of-abnormality range information is a concept including the case of only one value. The abnormality degree range information including the abnormality degree is specifically abnormality degree range information indicating a value range including a value indicated by the abnormality degree.

  The timing at which the output unit 108 performs output is not limited. For example, the output may be performed when the abnormal communication determination unit 104 makes a determination. The output described here refers to display on a display, projection using a projector, printing on a printer, sound output, transmission to an external device, storage on a recording medium, and output to other processing devices or other programs. It is a concept including delivery of processing results. The output unit 108 may or may not include an output device such as a display or a printer. The output unit may be realized by output device driver software, or output device driver software and an output device.

  The notification information storage unit 109 stores notification destination information in which the above-described abnormality degree range information, which is information for specifying the abnormality degree range, and information for specifying one or more notification destinations of abnormal communication information are associated with each other. obtain. The abnormality degree range information may be considered as information for setting the degree of abnormality degree, for example. The notification destination information may be information that specifies a notification destination corresponding to the level of abnormality indicated by the abnormality range information. The notification information storage unit 109 is preferably a nonvolatile recording medium, but can also be realized by a volatile recording medium.

  The inappropriate page designation receiving unit 110 receives inappropriate page designation information that is information for designating one or more inappropriate WEB pages. An inappropriate WEB page is, for example, a WEB page with inappropriate access. An inappropriate WEB page may be considered as one or more of the WEB pages constituting a WEB site with inappropriate access. As a result, the inappropriate page designation information may be information that can designate one or more WEB pages that are inappropriately accessed. For example, a WEB site or server device that includes one or more WEB pages that are inappropriately accessed. Information that can specify 3 may be used. The inappropriate page designation information is, for example, an address such as a URL or an IP address indicating the location of one or more WEB pages that are inappropriately accessed, a WEB site having a WEB page, the server device 3 that provides the WEB page, and the like. Information. The inappropriate page designation receiving unit 110 may accept inappropriate page designation information by any route or means. For example, the inappropriate page designation receiving unit 110 may receive inappropriate page designation information input by a user or the like. Further, when the abnormal communication determination unit 104 determines that the abnormality determination rule is not satisfied, the WEB page designation information of the WEB page to be determined whether the abnormality determination rule is satisfied is transmitted from the abnormal communication determination unit 104 or the like. You may make it accept. The reception described here is, for example, reception from an input unit, reception of an input signal transmitted from another device, reading of information from a recording medium, or the like. The input means for the inappropriate page designation information may be anything such as a numeric keypad, keyboard, mouse or menu screen. It can be realized by a device driver for input means such as a numeric keypad and a keyboard, control software for a menu screen, and the like.

  The inappropriate page information acquisition unit 111 acquires information on the WEB page specified by the inappropriate page specification information received by the inappropriate page specification reception unit 110. For example, the inappropriate page information acquisition unit 111 acquires address information or the like indicating the location of a URL or the like of an inappropriate page specified by the inappropriate page specification information, and sends it to the server device 3 corresponding to the address information. Thus, an instruction for requesting a WEB page with inappropriate access specified by the inappropriate page specification information is transmitted, and information constituting the WEB page transmitted by the server device 3 is acquired in accordance with the instruction. The WEB page information is, for example, information such as an HTML file for displaying the WEB page. The information of the WEB page with inappropriate access acquired by the inappropriate page information acquisition unit 111 is accumulated in, for example, a storage unit (not shown) by the inappropriate page information acquisition unit 111. The inappropriate page information acquisition unit 111 can usually be realized by an MPU, a memory, or the like. The processing procedure of the inappropriate page information acquisition unit 111 is usually realized by software, and the software is recorded in a recording medium such as a ROM. However, it may be realized by hardware (dedicated circuit). The inappropriate page information acquisition unit 111 may include transmission / reception means for acquiring information on the WEB page via the Internet or the like, or a transmission / reception unit (not shown) when acquiring the information on the WEB page. Other communication means such as the above may be used.

  The inappropriate keyword acquisition unit 112 acquires a keyword that an inappropriate WEB page can include in the WEB page from the inappropriate page information that is information of the WEB page acquired by the inappropriate page information acquisition unit 111, and the keyword Is stored in the inappropriate keyword information storage unit 103 in association with previously specified abnormality degree information. Note that the abnormality level information designated in advance may be, for example, constant or may be converted according to a predetermined rule according to the appearance frequency of the keyword indicated by the keyword information. The abnormality level information may be received when the inappropriate page designation information is received. For example, the inappropriate keyword acquisition unit 112 acquires keyword information by performing natural language processing on the text or the like constituting the WEB page acquired by the inappropriate page information acquisition unit 111. For example, the part of speech or the utilization form is determined by morphological analysis for the words constituting the text of the WEB page acquired by the inappropriate page information acquisition unit 111. Then, a phrase whose part of speech is a noun or a verb is detected, and a phrase having a high appearance frequency in the WEB page, for example, a phrase having an appearance frequency equal to or higher than a threshold is indicated as an inappropriate page. Get as a keyword. Moreover, you may acquire the phrase of the noun which appears in common in the some WEB page designated beforehand as a keyword which shows an inappropriate page. Alternatively, a phrase whose part of speech is a noun among words or phrases that constitute an element to which a predetermined tag such as the <H1> tag is included in the information on the WEB page acquired by the inappropriate page information acquisition unit 111. , May be acquired as a keyword. Note that the keyword and the keyword information may be considered as the same information. In addition, a keyword used for an appropriate page is prepared in advance in a storage unit (not shown), and the predetermined part-of-speech phrase detected from the text constituting the WEB page acquired by the inappropriate page information acquisition unit 111 A phrase that excludes a keyword used for an appropriate page may be acquired as a keyword indicating an inappropriate page. Note that an inappropriate WEB page keyword may be acquired from the source code of an inappropriate WEB page. For example, information indicating a specific tag may be acquired as keyword information.

  A technique for specifying a word part of speech, a basic form of a verb, and a utilization form is known as a technique such as morphological analysis. As a morphological analysis system, in the case of Japanese, for example, “ChaSen” (http://chasen.naist.jp) developed at Nara Institute of Science and Technology is known. In the case of English, examples of software that gives parts of speech to English words include “TnT” (http://www.coli.uni-saarland.de/˜thorsen/tnt/) and “Brill Tagger” ( http://www.cs.jhu.edu/˜brill/) and the like are known. See, for example, the following document for the Brill technique. “Literature: Eric Brill,“ Transformation-Based Error-Driving Learning and Natural Language Processing: A Case Study in Part-of-Speech Tagging, Computational Ls. ” 21, no. 4, p. 543-565, 1995 ".

  The inappropriate keyword acquisition unit 112 can usually be realized by an MPU, a memory, or the like. The processing procedure of the inappropriate keyword acquisition unit 112 is usually realized by software, and the software is recorded in a recording medium such as a ROM. However, it may be realized by hardware (dedicated circuit).

  Next, the operation of the communication management apparatus according to the present embodiment will be described using the flowchart of FIG.

  (Step S301) The transmission / reception information acquisition unit 100 determines whether transmission / reception related information regarding information transmitted / received between the user terminal 2 and the server device 3 has been acquired. If acquired, the process proceeds to step S302. If not acquired, the process proceeds to step S308.

  (Step S <b> 302) The transmission / reception information acquisition unit 100 accumulates the transmission / reception related information acquired in step S <b> 301 in the acquisition information storage unit 101.

  (Step S303) The abnormal communication determination unit 104 determines whether or not the current time is a timing for determining abnormal communication. The current time information is acquired from, for example, a clock (not shown). When it is time to make a determination, the process proceeds to step S304, and when it is not time, the process returns to step S301.

  (Step S304) The communication management device 1 performs an access determination process. Details of this process will be described later.

  (Step S305) The abnormality degree determination unit 107 includes abnormality degree information indicating an abnormality degree exceeding a predetermined threshold in the abnormality degree information stored in the abnormality degree information storage unit 106 in association with the user identification information. Judge whether there is. If there is, the process proceeds to step S306, and if not, the process returns to step S2301. If not, the abnormality level information stored in the abnormality level information storage unit 106 may be deleted.

  (Step S306) The output unit 108 acquires notification destination information from the notification information storage unit 109 for each user identification information, using the abnormality level information indicating the degree of abnormality exceeding the predetermined threshold value determined in step S305. . Specifically, the abnormality degree range information indicating the range including the degree of abnormality indicated by the degree of abnormality information corresponding to each user identification information determined to exceed the threshold is detected, and the notification associated with the abnormality degree range information is detected. The destination information is acquired from the notification information storage unit 109.

  (Step S307) The output unit 108 outputs abnormal communication information using the notification destination information acquired in step S306. Then, the process returns to step S301.

  (Step S308) The inappropriate page designation receiving unit 110 determines whether or not inappropriate page designation information has been received. If accepted, the process proceeds to step S309. If not accepted, the process returns to step S301.

  (Step S309) The inappropriate page information acquisition unit 111 acquires information on the WEB page designated by the inappropriate page designation information.

  (Step S310) The inappropriate keyword acquisition unit 112 acquires keyword information using the information on the WEB page acquired in Step S309.

  (Step S311) The inappropriate keyword acquisition unit 112 stores the keyword information acquired in step S310 in the inappropriate keyword information storage unit 103 in association with the abnormality degree information. The abnormality degree information may be abnormality degree information designated in advance, or may be abnormality degree information selected according to the appearance rate of the keyword corresponding to the keyword information. Then, the process returns to step S301.

  In the flowchart of FIG. 3, the process ends when the power is turned off or the process is terminated.

  Next, details of the abnormal communication determination process described in step S304 of FIG. 3 will be described using the flowchart of FIG.

  (Step S <b> 401) The abnormal communication determination unit 104 reads from the abnormality determination rule storage unit 102 two or more abnormality determination rules designated in advance by an administrator or the like who manages the communication management apparatus 1. The two or more abnormality determination rules are, for example, any one of the first to seventh rule sets described above. In this example, the abnormality determination rule read in the step does not include a keyword abnormality rule. However, you may make it read a keyword abnormality rule at the said step.

  (Step S402) The abnormal communication determination unit 104 uses the transmission / reception information stored in the acquisition information storage unit 101 to acquire determination information corresponding to each of the two or more abnormality determination rules read in step S401. The determination information corresponding to each of the two or more abnormality determination rules is specifically information for determination used for determination using each abnormality determination rule. For example, the abnormal communication determination unit 104 may configure the determination information using one or more data to be transmitted / received included in the transmission / reception information, or may be the transmission / reception target 1 included in the transmission / reception information. The determination information may be configured from the header information added to the above data. The determination information usually includes user identification information corresponding to the user terminal 2 that is a transmission source or a transmission destination, information that can identify a WEB site that is a transmission source or a transmission destination, and the like.

  (Step S403) The abnormal communication determination unit 104 determines whether there is information for determination that satisfies the first abnormality determination rule among the abnormality determination rules read out in step S401. When it exists, it progresses to step S404, and when it does not exist, it returns to a high-order process. For example, flag information indicating that the determination has been made is added to the determination information that has been determined whether or not it exists or the determination information that has been determined to satisfy the first abnormality determination rule. To do. Then, when the process of this step is performed again, the determination information to which this flag or the like is added is not determined. A method other than the flag may be used as long as it can be excluded from the determination target. Of the two or more abnormality determination rules, the order of the first abnormality determination rule or the like may be specified in advance for each set of two or more abnormality determination rules specified in advance, and is arbitrarily determined. You may do it. For example, in the nth abnormality determination rule, when information obtained from the determination result using the n−1 abnormality determination rules is used as a condition parameter or the like, the order or the like may be designated in advance. preferable.

  (Step S404) The abnormal communication determination unit 104 assigns 2 to the counter n.

  (Step S405) The abnormal communication determination unit 104 determines that the determination information satisfying the nth abnormality determination rule read in Step S401 is the information for determination acquired according to the first abnormality determination rule acquired in Step S402. It is determined whether or not it exists. When it exists, it progresses to step S407, and when it does not exist, it returns to step S403.

  (Step S406) The abnormal communication determination unit 104 increments the counter n by 1.

  (Step S407) The abnormal communication determination unit 104 determines whether or not the abnormality determination rule read in step S401 includes the nth abnormality determination rule. If there is, the process returns to step S405, and if not, the process proceeds to step S408.

  (Step S <b> 408) The abnormal communication determination unit 104 reads the keyword abnormality rule from the abnormality determination rule storage unit 102, and acquires keyword information from the inappropriate keyword information storage unit 103.

  (Step S409) The abnormal communication determination unit 104 obtains information on the WEB page constituting the communication target web site indicated by the determination information determined to satisfy the two or more abnormality determination rules acquired in Step S401, in Step S408. It is determined whether or not at least one of the keyword information acquired in step 1 is included. It may be determined whether or not a predetermined number or more of keyword information is included. For example, the information of the WEB page transmitted from the WEB site is acquired from the acquisition information storage unit 101, and it is determined whether or not the keyword indicated by the keyword information is included in the information of the WEB page. When the keyword indicated by the keyword information is included, the process proceeds to step S409, and when not included, the process returns to step S403.

  (Step S410) The abnormality degree information acquisition unit 105 stores the abnormality degree information corresponding to the keyword information determined to be included in the WEB page in Step S409 as inappropriate degree information as abnormality degree information corresponding to the abnormality determination rule. Obtained from the unit 103.

  (Step S411) The degree-of-abnormality information acquisition unit 105 associates the acquired degree-of-abnormality information with the user identification information indicated by the determination information that is determined to satisfy two or more abnormality determination rules, and stores it in the degree-of-abnormality information storage unit 106. accumulate. Then, the process returns to step S403.

  In the flowchart of FIG. 4, the case where the abnormality degree information associated with the keyword information is used in step S410 has been described. However, the abnormality degree information associated with the abnormality determination rule may be used.

  In the flowchart of FIG. 4, the process ends when the power is turned off or the process ends.

  Hereinafter, a specific operation of the communication management apparatus 1 in the present embodiment will be described. A conceptual diagram of an information processing system including the communication management apparatus 1 is shown in FIG. Here, as an example, it is assumed that the user terminal 2 and the communication management device 1 are connected via a local network, and that the local net is connected to the Internet via a router or the like (not shown). Here, in order to simplify the description, a case where the IP address of the user terminal 2 is the same as the user identification information will be described as an example. However, the IP address of the user terminal 2 may be different from the user identification information. If they are different, for example, the IP address of the user terminal 2 and the user identification information of the user using the user terminal 2 are shown in association with the usage time of the user using the user terminal 2. It is possible to manage by using other management information that is not used, and by using this management information, it is possible to acquire user identification information according to the IP address of the user terminal 2 and the usage time. Or you may make it include user identification information in the information transmitted / received and header information.

  Here, the case where the two abnormality determination rules and the keyword abnormality rule which comprise the 1st rule group mentioned above is mainly used as an abnormality determination rule is demonstrated.

  First, the transmission / reception information acquisition unit 100 sequentially acquires transmission / reception related information via a local network or the like. The acquired transmission / reception related information is sequentially stored in the acquired information storage unit 101. Here, the transmission / reception related information acquired by the transmission / reception information acquisition unit 100 is based on information transmitted / received between one or more user terminals 2 and one or more server devices 3, and header information added to the information. It is assumed that the read information and information on the time when the transmission / reception information acquisition unit 100 acquires the information.

  FIG. 5 is a transmission / reception related information management table for managing transmission / reception related information stored in the acquired information storage unit 101. The transmission / reception related information management table has items of “ID”, “transmission source”, “transmission destination”, “time”, “port number”, and “communication information”. “ID” is information assigned to manage records. In the transmission / reception related information management table, it is assumed that each row is one record. The “transmission source” is information indicating the user terminal 2 or the server device 3 that is the transmission source of information, and is assumed to be an IP address here. Note that the English letters in the IP address are arbitrary numbers. It is assumed here that the IP address beginning with “192.168.˜” is the IP address of the user terminal 2 and the other is the IP address of the server device 3. “Time” is the time when the transmission / reception related information is acquired. The “port number” is a port number used for communication of transmitted / received information. For example, here, the port number “20” indicates that the communication is communication using FTP, and the port number “80” indicates that the communication is communication using HTTP. “Communication information” is information to be transmitted. For example, request information transmitted from the user terminal 2 to the server device 3, information uploaded to the WEB server, or transmitted from the server device 3 to the user terminal 2. Information on the WEB page and information that the user terminal 2 downloads from the server device 3.

  Here, it is assumed that it is time to determine whether or not abnormal communication specified in advance has been performed. For example, it is determined whether or not the date and day of the week to be determined in advance are specified as a schedule, and the timing specified by this schedule has come.

  The abnormality communication determination unit 104 reads two or more abnormality determination rules designated in advance among the abnormality determination rules stored in the abnormality determination rule storage unit 102. Here, it is assumed that the two abnormality determination rules constituting the first rule set as described above are read out. That is, the first rule that the user has logged in to the same WEB site for a predetermined time and the second rule that the data is intermittently uploaded to the same WEB site are read out.

  Next, the abnormal communication determination unit 104 uses the transmission / reception related information stored in the acquired information storage unit 101 to configure determination information corresponding to each of the read two abnormality determination rules. As to what kind of information for determination is configured, for example, it is stored in advance in a storage unit (not shown) or in the abnormality determination rule storage unit 102 in association with the abnormality determination rule, and in accordance with the read abnormality determination rule. Read as appropriate.

  First, as determination information corresponding to the first rule of the first rule set, login time determination information, which is determination information indicating a period during which one user is logged in to one WEB site, is shown in FIG. It is acquired using the transmission / reception related information shown in. For example, the abnormal communication determination unit 104 includes information on “communication information” among “transmission / reception related information” such as “user ID”, “account”, “password”, “login”, and “LOGIN”. Detects a record that is information other than an HTML file that includes a character string that is considered to be characteristic of the information requesting login, and sets the item values of “source”, “destination”, and “time” of the record, respectively get. Then, a record having item values of “transmission source” and “transmission destination” that match the item values of “transmission source” and “transmission destination” acquired from the record is detected in the transmission / reception related information shown in FIG. . This record is information related to transmission / reception of information transmitted / received at the start of login. Of the detected records, the information of “communication information” is information other than an HTML file that includes a character string considered to be characteristic of information requesting logout such as “logout” or “end of connection”. Is detected. Of the detected records, the value of “time” is the highest at the time indicated by “time” acquired from the record having “communication information” including the character string considered to be characteristic of the above-described information requesting login. Detect short records. This record is transmission / reception related information of information transmitted / received at the end of login. Then, the difference between the “time” of the transmission / reception related information at the end of login and the “time” of the transmission / reception related information at the start of login is calculated. This difference is information indicating the login time. Then, information indicating the acquired login time, “time” of transmission / reception related information at the end of login, “time” of transmission / reception related information at the start of login, information of “source”, and “destination” Is temporarily stored in a storage medium such as a memory (not shown). Similarly, a process for obtaining a login time is performed for other transmission / reception related information.

  For example, it is assumed that “communication information” of the record whose “ID” is “001” in FIG. 5 is information requesting login including character strings “login” and “password” transmitted from the user terminal 2. To do. In this case, the abnormal communication determination unit 104 obtains “192.168..aaa, bbb” that is information of “transmission source” of this record and “210.150.ccc.ddd” that is information of “transmission destination”. , “17AUG2010 10:20:24”, which is information of “time”, is acquired. Next, from other records of the transmission / reception related information, the information of “transmission source” is “192.168..aaa, bbb”, the information of “transmission destination” is “210.150.ccc.ddd”, and “ A record in which the information of “communication information” is information other than HTML including a character string considered to be characteristic of information requesting logout such as “logout” or “connection end”, and the value of “time” is “17AUG2010 10:20:24 "and the oldest ones are detected in order. Here, it is assumed that the record whose “ID” is “082” is the first record that meets this condition. The abnormal communication determination unit 104 calculates the difference between the “time” value “17AUG2010 10:40:24” of this record and the “time” value of the record whose “ID” is “001” as the login time. Then, “00:20:00” that is the calculated login time, “192.168..aaa, bbb” that is the information of the transmission source of the record whose “ID” is “001”, and “transmission destination” Information “210.150.ccc.ddd”, “time” information “17AUG2010 10:20:24”, and “ID” “082” record “time” information. Information associated with “17AUG2010 10:40:24” is temporarily stored in a storage medium (not shown) or the like as determination information for the first rule of the first rule set. It should be noted that determination information whose source IP address is not a local address may be excluded.

  FIG. 6 is a diagram illustrating a first determination information management table for managing determination information corresponding to the first rule of the first rule set acquired and temporarily stored by the abnormal communication determination unit 104. “ID” is identification information for managing information for determination. The “time” of the transmission / reception related information at the start of login is referred to as “login start time” here, and the “time” of the transmission / reception related information at the time of logout is referred to as “login end time” here. In the present embodiment, the time and time are expressed as “hour: minute: second”. The information for determining the first rule of the first rule set is hereinafter referred to as first determination information.

  Next, the abnormal communication determination unit 104 includes, as information for determination corresponding to the second rule of the first rule set, information of “transmission source” included in transmission / reception related information indicating a state of uploading data, Information of “transmission destination” and information of “time” are acquired from the transmission / reception related information shown in FIG. Here, it is determined that data transmission performed by FTP is data upload. For this reason, from the transmission / reception related information shown in FIG. 5, a record whose “port number” is “80” indicating that data is transmitted by FTP is detected, and the “transmission source”, “ Information on “destination” and “time” is acquired, and information associated therewith is temporarily stored in a storage medium (not shown) or the like as determination information for the second rule of the first rule set.

  FIG. 7 is a diagram showing a second determination information management table for managing determination information corresponding to the second rule of the first rule set acquired and temporarily stored by the abnormal communication determination unit 104. “ID” is identification information for managing information for determination. The information for determining the first rule of the first rule set is hereinafter referred to as second determination information.

  Next, the abnormal communication determination unit 104 detects first determination information that satisfies the first rule of the first rule set. That is, the first determination information that has logged in to the same WEB site for a predetermined time or more is detected. It is assumed that the predetermined time is set to 15 minutes in advance. Specifically, the first determination information management table shown in FIG. 6 is detected with a “login time” of 15 minutes or more. For example, in FIG. 6, it is assumed that a record having “ID” “A01” is first detected as a record having “login time” of 15 minutes or more.

  Furthermore, the abnormal communication determination unit 104 detects second determination information that satisfies the second rule of the first rule set. That is, second determination information indicating that data is intermittently uploaded to the same WEB site is detected. However, in this case, the WEB site having the same IP address as the “transmission destination” information included in the first determination information determined to satisfy the first rule of the first rule set is determined as the same WEB site. . In addition, the second indicating that the upload is made from the user terminal 2 having the same IP address as the “source” IP address included in the first determination information determined to satisfy the first rule of the first rule set Only the information for determination is determined.

  Specifically, “210.150.ccc.ddd”, which is the “destination” information, of the record whose “ID” of the first determination information detected by the abnormal communication determination unit 104 is “A01” is acquired. Then, from the second determination information management table shown in FIG. 7, a record whose IP address matches the “210.150.ccc.ddd” acquired from the first determination information is stored in the “transmission destination” information. Detect all.

  Further, from the detected records, “192.168..aaa, bbb” which is the information of “transmission source” of the record whose “ID” of the first determination information is “A01” is acquired. In the second determination information management table shown in FIG. 4, all records having IP addresses whose “source” information matches “192.168..aaa, bbb” acquired from the first determination information are detected. As a result, a device that has logged in with an IP address of “192.168..aaa, bbb”, that is, a device that accepts a login with an IP address of “210.150.ccc.ddd” from a user terminal 2, that is, a server. This means that all the second determination information indicating that data has been transmitted to the apparatus 3 by FTP, that is, that the data has been uploaded, has been detected.

  Further, among the detected records, the information of “time” indicates the time between “login start time” and “login end time” of the record whose “ID” of the first determination information is “A01”. Detect all records. Here, it is assumed that the number of detected records is “12”.

  Then, it is determined whether the value obtained by dividing the number of records finally detected by the login time is larger than a predetermined value. If the value is larger than the predetermined value, uploading is performed intermittently. Judge that it was broken. For example, if the number designated in advance is “0.5” times per minute, the value obtained by dividing the number of records “12” detected this time by the login time “20” minutes is “0.6” times. Therefore, it is determined that the upload has been performed intermittently.

  Thereby, the abnormal communication determination unit 104 determines that the first rule and the second rule of the first rule set are satisfied.

  Next, the abnormal communication determination unit 104 reads the keyword abnormality rule from the abnormality determination rule storage unit 102. Then, a process for determining whether or not the keyword abnormality rule is satisfied is performed. Specifically, the keyword information stored in the inappropriate keyword information storage unit 103 is read. Then, “210.150.ccc.ddd”, which is the IP address of the same WEB site described above, that is, the login WEB site is acquired from the second determination information and the like, and the transmission / reception related information management table shown in FIG. 1, one or more records in which the “source” information matches the acquired IP address “210.150.ccc.ddd” are detected. Then, an HTML file is acquired from the “communication information” information included in the detected record. Then, it is searched whether or not at least one of the keywords indicated by the keyword information is included in the HTML file.

  When the keyword is detected, it is determined that the keyword abnormality rule is satisfied. This indicates that the user using the user terminal 2 whose login IP address is “192.168..aaa, bbb” is determined to have performed abnormal communication. Therefore, the abnormality level information acquisition unit 105 acquires the abnormality level information associated with the detected keyword, associates the abnormality level information with the user identification information that has logged in, and stores the abnormality level information. Stored in the unit 106. Here, since the IP address of the user terminal 2 is used as the user identification information, the abnormality degree information and the IP address “192.168..aaa, bbb” at which login is performed are stored in association with each other.

  FIG. 8 is a keyword information management table for managing keyword information stored in the inappropriate keyword information storage unit 103. The keyword information management table has “keyword information” and “abnormality information” as items. “Keyword information” is keyword information. The “abnormality information” is abnormality degree information, and here is a value indicating the degree of abnormality. This value indicates that the larger the value is, the higher the degree of abnormality is.

  For example, in the transmission / reception related information management table shown in FIG. 5, the “communication information” of the record whose “ID” is “002” is “HTML” and the “ID” is “210.150.ccc.ddd”. , The abnormal communication determination unit 104 sequentially reads the keyword information managed in the keyword information management table shown in FIG. 8, and the keyword indicated by the read keyword information has “ID” “002”. It is searched whether or not “communication information” of the record is included in the HTML file. When a keyword is included, the value of the degree of abnormality information associated with the keyword information of the keyword is set as the user identification information of the user who has logged in, that is, here, the IP address “ “192.168.aaa, bbb” and the abnormality degree information storage unit 106 accumulates them. Here, since the abnormality degree information is a value, if abnormality degree information associated with the same user identification information is already stored, here, the value of the newly obtained abnormality degree information is accumulated, for example, added. I will do it.

  FIG. 9 is a diagram illustrating an example of an HTML file that is information of “communication information” of a record whose “ID” is “002”. Here, for example, if the keyword “viewing fee” and the keyword “moving image” are included in the HTML file, the user identification information “192.168..aaa, bbb” is associated with “ The abnormality level information value “3” corresponding to “viewing fee” and the abnormality level information value “1” corresponding to “moving image” are added and stored. If the keyword is not included, it is determined that the data upload destination is not an inappropriate WEB site, and the communication itself is not determined to be abnormal communication.

  The abnormal communication determination unit 104 determines whether or not two or more abnormality determination rules as described above are satisfied for other first determination information and second determination information, and the result of the determination is as follows. Similarly to the above, the abnormality level information acquisition unit 105 stores the abnormality level information in association with the user identification information.

  FIG. 10 is an abnormality degree information management table for managing the abnormality degree information stored in the abnormality degree information storage unit 106. The abnormality level information management table includes “ID” that is information for managing records, “user identification information” that is user identification information of a user who has performed communication, and “abnormality information” that indicates accumulated abnormality level information. It has the item.

  At the time when the determination processing based on two or more abnormality determination rules for the transmission / reception related information by the abnormal communication determination unit 104 is completed, the abnormality degree determination unit 107 displays the abnormality degree information management table as shown in FIG. A record in which the value of “abnormality information” is higher than a predetermined value (for example, a threshold value) is detected. For example, if the predetermined value is “8”, a record whose “ID” is “U01” is detected as a record whose “abnormality level information” value is higher than the predetermined value. The user communication indicated by the “user identification information” in the detected record is finally determined to be an abnormal communication.

  Next, the output unit 108 reads the value of “abnormality information” of the record detected by the abnormality degree determination unit 107, and uses this value to notify the notification destination information stored in the notification information storage unit 109. Read the information specifying the destination.

  FIG. 11 is a diagram illustrating an example of notification destination information stored in the notification information storage unit 109. The notification destination information includes items of “abnormality range” and “notification destination”. The “abnormality range” is abnormality degree range information indicating a range of the abnormality degree. “Notification destination” is information indicating a notification destination, and here is information indicating the name of the notification destination. An “manager” is a person in charge who manages and monitors communication by a user. “Director” is the user's department manager. In addition, here, it is assumed that a destination address corresponding to the name of the notification destination, for example, an e-mail address or the like is separately managed in a storage unit (not shown) in association with the name of the notification destination. . In particular, although the “director” that is the name of the notification destination is not shown in the figure, the user identification information of the user operating the user terminal is associated with the address of the department manager to which the user belongs, and the like. User identification information that is stored and managed in a storage unit that is not managed and that is associated with abnormality level information that indicates a value higher than a predetermined value is received from the abnormality level determination unit 107 or the like. It is assumed that the address of the “department manager” corresponding to is acquired. Note that the name of the notification destination may include information that designates a device or the like to be used for notification, such as “manager (mobile phone)”.

  The output unit 108, for example, from the notification destination information shown in FIG. 11, the value indicated by the abnormality level information that the range of the value indicated by the “abnormality range” is determined to be higher than the predetermined value by the abnormality level determination unit 107. Find the record that contains it. Then, the “notification destination” information of the detected record is acquired. Here, since the abnormality level information “12” is included in the range of “12 to 20” that is the “abnormality range” of the second record from the top in FIG. 11, the “notification destination” value of this record is used. A certain “manager” and “manager” are acquired. Then, the output unit 108 acquires an e-mail address corresponding to “manager” from a storage unit (not shown) or the like. Further, the output unit 108 acquires an e-mail address of “department manager” corresponding to the user identification information “192.168..aaa.bbb” received from the abnormality degree determination unit 107 from a storage unit or the like (not shown). The user corresponding to the user identification information “192.168..aaa.bbb” received from the abnormality determination unit 117 is performing abnormal communication with the acquired administrator and the email address of the general manager as the destination. The abnormal communication information indicating is transmitted by e-mail. Specifically, the user identification information and information such as the user name and employee number are associated with each other and stored in advance in a storage unit (not shown), and the user received from the abnormality determination unit 117 based on this information. The user name and employee number corresponding to the identification information “192.168..aaa.bbb” are acquired. Also, here, the IP address of the login WEB site is acquired from the first determination information management table shown in FIG. Then, an abnormality configured by inserting the acquired user name, employee number, etc., and the IP address of the login WEB site into a prepared text template indicating abnormal communication, etc. The communication information is transmitted by e-mail. By using the notification destination information as described above, it is possible to notify the notification destination according to the level of the abnormality level information of inappropriate page access information indicating that abnormal communication is being performed.

  FIG. 12 is a diagram illustrating a display example of abnormal communication information transmitted by the output unit 108 by e-mail or the like. By receiving such abnormal communication information, an administrator or the like can easily know which user is performing abnormal communication.

  Here, processing for adding or updating keyword information stored in the inappropriate keyword information storage unit 103 will be described.

  First, when an administrator who manages communication with a user's WEB site accesses inappropriate page designation information, which is information for designating a WEB site with inappropriate communication, and a WEB page similar to this The abnormal level information indicating the value of the abnormal level is input to the inappropriate page designation receiving unit 110. The inappropriate page designation information is, for example, a URL of a WEB page or a WEB site. However, the inappropriate page designation information may be information such as an HTML file constituting a WEB page acquired from these WEB sites.

  The inappropriate page information acquisition unit 111 is information of one or more WEB pages from a WEB site with inappropriate communication specified by an administrator or the like using the URL received by the inappropriate page designation receiving unit 110 or the like. Get inappropriate page information. Note that when the inappropriate page designation receiving unit 110 receives an HTML file or the like of an inappropriate WEB page, information such as the HTML file is acquired as it is.

  Next, the inappropriate keyword acquisition unit 112 acquires keyword information that can be included in an inappropriate WEB page from the inappropriate page information acquired by the inappropriate page information acquisition unit 111. For example, nouns are extracted by morphological analysis or the like, and nouns with high appearance frequencies are acquired as keywords. However, nouns that are not acquired in advance are specified, and nouns that match these are not acquired. For example, when the noun “music” appears in the inappropriate page information more than a predetermined number of times, the noun “music” is acquired as a keyword. On the other hand, even if the noun “article” appears more than a predetermined number of times, the “article” is not acquired as a keyword by designating it in advance as a noun that does not acquire the noun “article”.

  Then, the inappropriate keyword acquisition unit 112 stores the acquired keyword information (for example, “music”) in the inappropriate keyword information storage unit 103 as keyword information in association with the abnormality level information specified in advance. Thereby, for example, a record is added to the keyword information management table shown in FIG. As a result, the keyword information can be made into a database. Inappropriate page information is stored in a storage unit such as a storage medium (not shown) in advance by associating the appearance frequency of the keyword, for example, the number of appearances and the ratio of the information with respect to the data size, and the abnormality degree information having different values in advance The degree of abnormality information corresponding to the keyword appearance frequency acquired by the acquisition unit 111 may be acquired and stored in association with the keyword information.

  The abnormal communication determination unit 104 configures the inappropriate page specification information for specifying the WEB page that is determined to include the keyword indicated by the keyword information, and the inappropriate page specification reception unit 110 The inappropriate page designation information may be received.

  Here, an example where the second to seventh rule groups other than the first rule group are used will be briefly described.

  First, an example of using the above-described second rule set will be described. When the second rule set is used for the determination of abnormal communication, it is determined that it has been downloaded from the logged-in WEB site, unlike the first rule set. For this reason, during the login time, for example, data with the login destination IP address “210.150.ccc.ddd” as the transmission source and the login source IP address “192.168..aaa, bbb” as the transmission destination, If the second determination information indicating whether or not it is transmitted by FTP is configured, and the second determination information is used to determine whether or not the second rule of the second rule set is satisfied. Good. Other processes are the same as those in the above specific example, and thus the description thereof is omitted.

  When the third rule set described above is used, the start time and end time of the first rule time zone of the third rule set are designated in advance. Then, it is determined whether or not the specified time zone overlaps the time zone sandwiched between the “login start time” and the “login end time” of the first determination information. Judge that the first rule of the third rule set is satisfied. The determination process for determining whether or not other second rules are satisfied is the same as in the above specific example. The case where the fourth rule set is used is the same as the case where the third rule set is used. In this case, information obtained by omitting the “login time” from the first determination information as illustrated in FIG. 6 may be acquired as the first determination information.

  In addition, when the fifth rule set described above is used, instead of determining whether data is downloaded from the logged-in WEB site using the second determination information when the first rule set is used. First, it is determined whether or not information requesting a WEB page is continuously transmitted to the same page of the logged-in WEB site. Then, when transmitting, it may be determined whether or not the transmission time interval is a predetermined timing, for example, whether it is greater than or less than a predetermined time interval. Other processes are the same as those in the above specific example, and thus the description thereof is omitted. In this case, as transmission / reception related information, it is preferable to obtain address information including address information of “communication information”, for example, directory information or file names in which “communication information” in the WEB site is stored.

  In addition, when using the sixth rule set described above, the number of times information is transmitted from the same source to the same destination within a predetermined time is calculated using the first determination information and the like. Then, it is determined whether or not the number of times is greater than the number of times designated in advance, and if it is greater, it is determined that the first rule is satisfied. Furthermore, the number of uploads within the same time is counted as in the determination process in the case of the second rule of the first rule set, and the ratio of the number of times the information is uploaded to the number of times calculated in the first rule is calculated. What is necessary is just to judge that the 2nd rule is satisfy | filled when a ratio exceeds a predetermined threshold value. Since the seventh rule set is the same except that the upload is changed to the download, the description is omitted.

  It should be noted that the processing for detecting that login or logout has been performed, that the WEB page has been updated, or the like may be processing other than that described in the specific example.

  As described above, according to the present embodiment, between the user terminal and the server apparatus, the communication content between the user terminal and the server apparatus that provides the WEB site, the communication situation, and the like using two or more communication determination rules. It is possible to easily determine whether or not the communication to be performed is abnormal.

  In each of the above embodiments, each process (each function) may be realized by centralized processing by a single device (system), or by distributed processing by a plurality of devices. May be.

  Further, in each of the above embodiments, it goes without saying that two or more communication means (such as an information transmission unit) existing in one apparatus may be physically realized by one medium.

  In the above embodiment, information related to processing executed by each component, for example, information received, acquired, selected, generated, transmitted, and received by each component. In addition, information such as threshold values, mathematical formulas, addresses, etc. used by each component in processing is retained temporarily or over a long period of time on a recording medium (not shown) even when not explicitly stated in the above description. It may be. Further, the storage of information in the recording medium (not shown) may be performed by each component or a storage unit (not shown). Further, reading of information from the recording medium (not shown) may be performed by each component or a reading unit (not shown).

  Further, although cases have been described with the above embodiments where the communication management device is a stand-alone device, the communication management device may be a stand-alone device or a server device in a server / client system. In the latter case, the output unit or the reception unit receives an input or outputs a screen via a communication line.

  In each of the above embodiments, each component may be configured by dedicated hardware, or a component that can be realized by software may be realized by executing a program. For example, each component can be realized by a program execution unit such as a CPU reading and executing a software program recorded on a recording medium such as a hard disk or a semiconductor memory.

  Note that the software that implements the communication management device in each of the above embodiments is the following program. That is, this program uses a computer to obtain a transmission / reception information acquisition unit that acquires transmission / reception related information that is information related to information transmitted and received between the user terminal and the server device, And a rule for determining whether or not the communication between the user terminal and the server device is an abnormality relating to the stored communication, and is associated with abnormality degree information that is information indicating the degree of abnormality. Abnormal communication determination unit that determines whether or not two or more abnormality determination rules are satisfied, and abnormality degree information acquisition that acquires abnormality degree information corresponding to the abnormality determination rule that the abnormal communication determination unit determines to satisfy the rule A degree of abnormality indicated by the degree-of-abnormality information acquired by the degree-of-abnormality-information acquiring unit exceeds a predetermined degree; Depending on the part of the determination result, a program for functioning as an output unit for outputting an abnormal communication information which is information indicating that abnormal communication is performed.

  In the program, the functions realized by the program do not include functions that can be realized only by hardware. For example, a function that can be realized only by hardware such as a modem or an interface card in an acquisition unit that acquires information or an output unit that outputs information is not included in the function realized by the program.

  Further, the computer that executes this program may be singular or plural. That is, centralized processing may be performed, or distributed processing may be performed.

  FIG. 13 is a schematic diagram illustrating an example of an external appearance of a computer that executes the program and realizes the communication management apparatus according to the embodiment. The above-described embodiment can be realized by computer hardware and a computer program executed on the computer hardware.

  13, a computer system 900 includes an optical disk drive 905 such as a CD-RW (Compact Disk Rewritable) drive, a computer 901 including an FD (Floppy (registered trademark) Disk) drive 906, a keyboard 902, a mouse 903, and a monitor. 904.

  FIG. 14 is a diagram showing an internal configuration of the computer system 900. In FIG. 14, in addition to the optical disk drive 905 and the FD drive 906, a computer 901 is connected to an MPU (Micro Processing Unit) 911, a ROM 912 for storing a program such as a bootup program, and the MPU 911. A bus 915 that interconnects a RAM (Random Access Memory) 913 that temporarily stores instructions and a temporary storage space, a hard disk 914 that stores application programs, system programs, and data, an MPU 911, a ROM 912, and the like. With. The computer 901 may include a network card (not shown) that provides connection to the LAN.

  A program that causes the computer system 900 to execute the functions of the access management apparatus according to the above-described embodiment is stored in an optical disk 921 such as a CD-ROM, CD-RW, DVD-ROM, DVD-RW, or FD 922, and the optical disk. It may be inserted into the drive 905 or the FD drive 906 and transferred to the hard disk 914. Instead, the program may be transmitted to the computer 901 via a network (not shown) and stored in the hard disk 914. The program is loaded into the RAM 913 when executed. The program may be loaded directly from the optical disc 921, the FD 922, or the network.

  The program does not necessarily include an operating system (OS) or a third-party program that causes the computer 901 to execute the functions of the communication management apparatus according to the above-described embodiment. The program may include only a part of an instruction that calls an appropriate function (module) in a controlled manner and obtains a desired result. How the computer system 900 operates is well known and will not be described in detail.

  The present invention is not limited to the above-described embodiment, and various modifications are possible, and it goes without saying that these are also included in the scope of the present invention.

  As described above, the communication management device according to the present invention is suitable as a device for managing communication, and in particular, detects that abnormal communication is being performed with respect to a server device that provides a WEB site. It is useful as a communication management device.

1 is a schematic diagram showing a configuration of an information processing system including a communication management device according to an embodiment of the present invention. The block diagram of the communication management apparatus which concerns on embodiment of this invention A flowchart for explaining the operation of the communication management apparatus A flowchart for explaining the operation of the communication management apparatus The figure which shows the transmission / reception related information management table for demonstrating operation | movement of the communication management apparatus. The figure which shows the information management table for 1st judgment for demonstrating operation | movement of the communication management apparatus The figure which shows the information management table for 2nd judgment for demonstrating operation | movement of the communication management apparatus The figure which shows the keyword information management table for demonstrating operation | movement of the communication management apparatus The figure which shows an example of the HTML file for demonstrating operation | movement of the communication management apparatus The figure which shows the abnormal degree information management table for demonstrating operation | movement of the communication management apparatus The figure which shows the notification destination information for demonstrating operation | movement of the communication management apparatus The figure which shows the example of a display of abnormal communication information for demonstrating operation | movement of the communication management apparatus Schematic diagram showing an example of the appearance of a computer that implements the communication management device The figure which shows the internal structure of the computer which implement | achieves the communication management apparatus

Explanation of symbols

DESCRIPTION OF SYMBOLS 1 Communication management apparatus 2 User terminal 3 Server apparatus 10 Information processing system 100 Transmission / reception information acquisition part 101 Acquisition information storage part 102 Abnormality judgment rule storage part 103 Inappropriate keyword information storage part 104 Abnormal communication judgment part 105 Abnormality degree information acquisition part 106 Abnormal Degree information storage unit 107 abnormality degree determination unit 108 output unit 109 notification information storage unit 110 improper page designation receiving unit 111 improper page information acquisition unit 112 improper keyword acquisition unit

Claims (16)

A transmission / reception information acquisition unit that acquires transmission / reception related information that is information related to information transmitted / received between the user terminal and the server device;
An abnormality determination rule storage unit that can store two or more abnormality determination rules that are rules associated with abnormality level information that is information indicating the degree of abnormality, and is a rule for determining an abnormality related to communication;
Whether the communication between the user terminal and the server device satisfies two or more abnormality determination rules stored in the abnormality determination rule storage unit using the transmission / reception related information acquired by the transmission / reception information acquisition unit. An abnormal communication determination unit to determine;
The abnormality communication determination unit acquires abnormality level information corresponding to the abnormality determination rule determined to satisfy the rule,
An abnormality degree determination unit that determines whether or not the degree of abnormality indicated by the abnormality degree information acquired by the abnormality degree information acquisition unit exceeds a predetermined degree;
A communication management apparatus comprising: an output unit that outputs abnormal communication information that is information indicating that abnormal communication has been performed in accordance with a determination result of the abnormality degree determination unit. A notification information storage unit capable of storing notification destination information in which abnormality degree range information, which is information specifying the abnormality degree range, and information specifying one or more notification destinations of abnormal communication information are stored;
The output unit acquires notification destination information corresponding to abnormality degree range information including the abnormality degree range indicated by the abnormality degree information acquired by the abnormality degree information acquisition unit from the notification information storage unit, and the acquired notification The communication management apparatus according to claim 1, wherein the abnormal communication information is notified to a notification destination indicated by the destination information. The communication management device according to claim 1, wherein the abnormality determination rule is a rule relating to access to the same WEB site provided by the server device. The abnormality determination rule stored in the abnormality determination rule storage unit is a rule that a user logs in to the same WEB site for a predetermined time or more, and data is intermittently uploaded to the same WEB site. The communication management device according to any one of claims 1 to 3, including a rule. The abnormality determination rule stored in the abnormality determination rule storage unit is a rule that the user has logged in to the same WEB site for a predetermined time or more, and a rule that data is downloaded intermittently from the same WEB site. The communication management device according to claim 1, comprising: The abnormality determination rule stored in the abnormality determination rule storage unit is a rule that a user logs in to the same WEB site at a predetermined time zone, and data is intermittently uploaded to the same WEB site. The communication management device according to claim 1, wherein the communication management device includes a rule indicating that the The abnormality determination rule stored in the abnormality determination rule storage unit is that a user logs in to the same WEB site at a predetermined time zone, and that data is downloaded intermittently from the same WEB site. The communication management apparatus according to claim 1, comprising a rule. The abnormality determination rule stored in the abnormality determination rule storage unit is a rule that the user has logged in to the same WEB site for a predetermined time or more, and the update process is repeated for the same WEB site at a predetermined timing. The communication management device according to claim 1, which includes a rule of The abnormality determination rule stored in the abnormality determination rule storage unit includes a rule that the same WEB site is accessed more than a predetermined number of times per predetermined period, and an access made to the same WEB site. The communication management device according to any one of claims 1 to 8, further comprising a rule that data is uploaded when the number of accesses exceeds a predetermined ratio. The abnormality determination rule stored in the abnormality determination rule storage unit includes a rule that the same WEB site is accessed more than a predetermined number of times per predetermined period, and an access made to the same WEB site. The communication management device according to any one of claims 1 to 9, further comprising a rule that data is downloaded when access is greater than a predetermined ratio. An inappropriate keyword information storage unit capable of storing one or more pieces of keyword information indicating keywords that can be included in an inappropriate WEB page;
11. The abnormality determination rule stored in the abnormality determination rule storage unit further includes a rule that the same WEB site is a site including a WEB page having a keyword indicated by the keyword information. Any one of the communication management apparatuses. An inappropriate page designation receiving unit for receiving inappropriate page designation information, which is information for designating an inappropriate WEB page;
An inappropriate page information acquisition unit that acquires information on a WEB page specified by the inappropriate page specification information;
An inappropriate keyword that acquires a keyword that can be included in an inappropriate WEB page from information on the WEB page acquired by the inappropriate page information acquisition unit and accumulates keyword information indicating the keyword in the inappropriate keyword information storage unit The communication management device according to claim 11, further comprising an acquisition unit. The keyword information is associated with the abnormality level information,
When the abnormal communication determination unit determines that the abnormal communication determination unit is a site including the WEB page having the keyword indicated by the keyword information, the abnormal degree information associated with the keyword information The communication management device according to claim 12, which acquires The abnormal communication information output by the output unit includes information on a user terminal that has performed abnormal communication, information on a WEB site that is a communication destination of abnormal communication, information on the start time of abnormal communication, or content of abnormal communication The communication management device according to claim 1, wherein the communication management device includes information related to the information. Abnormality determination that can store two or more abnormality determination rules that are rules associated with the transmission / reception information acquisition unit and abnormality level information that is information indicating the degree of abnormality. A communication management method performed using a rule storage unit, an abnormal communication determination unit, an abnormality level information acquisition unit, an abnormality level determination unit, and an output unit,
The transmission / reception information acquisition unit acquires transmission / reception information that is information related to information transmitted / received between the user terminal and the server device; and
Two or more abnormality determination rules in which the communication between the user terminal and the server device is stored in the abnormality determination rule storage unit using the transmission / reception related information acquired by the abnormal communication determination unit in the transmission / reception information acquisition step. Abnormal communication determination step for determining whether or not the condition is satisfied;
The abnormality level information acquisition unit acquires the abnormality level information corresponding to the abnormality determination rule determined to satisfy the rule in the abnormal communication determination step;
The abnormality degree determination unit determines whether or not the degree of abnormality indicated by the abnormality degree information acquired in the abnormality degree information acquisition step exceeds a predetermined degree;
A communication management method comprising: an output step in which the output unit outputs abnormal communication information that is information indicating that abnormal communication has been performed in accordance with a determination result of the abnormality degree determination step. Computer
A transmission / reception information acquisition unit that acquires transmission / reception related information that is information related to information transmitted / received between the user terminal and the server device;
Information indicating the degree of abnormality, which is a rule for determining an abnormality related to communication stored between the user terminal and the server device, using the transmission / reception related information acquired by the transmission / reception information acquisition unit An abnormal communication determination unit that determines whether or not two or more abnormality determination rules that are rules associated with the abnormality degree information that is,
The abnormality communication determination unit acquires abnormality level information corresponding to the abnormality determination rule determined to satisfy the rule,
An abnormality degree determination unit that determines whether or not the degree of abnormality indicated by the abnormality degree information acquired by the abnormality degree information acquisition unit exceeds a predetermined degree;
A program for functioning as an output unit that outputs abnormal communication information, which is information indicating that abnormal communication has been performed, according to a determination result of the abnormality degree determination unit.

Images