JP2011154413A - Information processing device and method - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To decide even a phishing site wherein a URL is disguised or unknown with high reliability without impairing usability or quickness of authentication to effectively take countermeasures. <P>SOLUTION: This information processing device (a terminal T) accessing a Web page includes: a dummy transmission means 11 transmitting dummy data to the Web page for login using at least one of an ID and a password, about at least the one of the ID and the password; a falseness decision means 13 deciding success/failure of the login by the dummy data, and deciding that the Web page for the login is a false page in the case of the success; and a coping means 15 performing blocking or warning about access to the false page. <P>COPYRIGHT: (C)2011,JPO&INPIT

Description

  The present invention relates to security countermeasure technology in the Internet.

  In recent years, with the spread of web technology and the expansion of application scenes, there are concerns about damage caused by so-called phishing sites. A phishing site guides a user to a fake site with a design and URL similar to a genuine website, and steals the user by entering a user ID, a password, and the like for misuse.

  As a countermeasure against phishing sites, for example, in the middle of authentication with a user ID or the like, a unique information that only the user knows is sent from the server side to the terminal for display, and the authenticity of the server is confirmed and a password or the like is input ( For example, refer to Patent Document 1), a proposal for detecting a phishing site by comparison with a URL list and preventing the user from accessing (for example, refer to Patent Document 2), a dedicated ID without allowing the user to input an ID or password There is a proposal (for example, see Patent Document 3) in which a server or the like identifies and transmits a target website.

JP 2001-117873 A No. 2006/087908 JP 2009-048545 A

  However, in the proposal of Patent Document 1, there is room for further improvement in reliability in that it relies on the fact that the user correctly stores the unique information, and the trouble of displaying the unique information on the terminal and confirming by the user Usability and quickness of authentication were also issues in terms of time.

  In addition, the proposals in Patent Documents 2 and 3 depend on the reliability that a phishing site can be correctly identified by a known URL or the like, but as an impediment to reliability, a disguise pop-up is displayed simultaneously with the real website In addition to the diversification of phishing techniques such as tricks to trust and fake URLs, there is also the possibility of URL changes due to specification changes for authentic sites, and further reliability has been demanded.

  The object of the present invention is to counteract the above-mentioned problems effectively and counteract the phishing sites with unknown URLs with high reliability without impairing usability and speed of authentication.

  Based on the above object, according to one aspect (1) of the present invention, in an information processing apparatus that accesses a web page, dummy data for at least one of an ID or a password is used for a login web page using at least one of an ID and a password A dummy transmission means for transmitting, a false determination means for determining success or failure of login by the dummy data, and determining that the login web page is a fake page if successful, and blocking or warning about access to the fake page And corresponding means to perform.

  As another aspect (4) that captures the above aspect from the viewpoint of a method, in an information processing method for accessing a web page, a computer uses an ID or password for a login web page that uses at least one of an ID and a password. A dummy transmission step of transmitting dummy data for at least one, a computer determines whether or not login by the dummy data is successful, and if successful, a false determination step of determining that the login web page is a fake page; And a corresponding step of blocking or warning about access to the fake page.

  As another mode (5) that captures the above mode from the viewpoint of a program, in a program for controlling a computer that implements an information processing apparatus that accesses a web page, the program controls the computer to obtain an ID or password. For the login web page using at least one of the above, a dummy transmission means for transmitting dummy data for at least one of the ID and the password, and the success or failure of login by the dummy data are determined. It is characterized by realizing a false determination means for determining a false page and a corresponding means for blocking or warning about access to the false page.

  In this way, by sending a dummy ID or password to the login web page to determine the success or failure of the login, if the login is successful even for the dummy data, the web page is determined to be false, thereby preventing access, etc. Since countermeasures can be taken, it becomes possible to effectively counter and counterfeit URLs and unknown phishing sites with high reliability without impairing usability and speed of authentication.

  According to another aspect (2) of the present invention, in any one of the above aspects (information processing apparatus, method, or program), the dummy transmission includes reference storage means that stores in advance characteristics of a web page as a reference. The means is characterized in that the dummy data is transmitted as the login web page when the access web page has a predetermined commonality with the feature stored in the reference storage means.

  In this way, by making a web page similar in characteristics to a predetermined web page, such as a regular login page, as a login web page, using dummy data as a target for determination, it is possible to authenticate regardless of impersonation. Even when the design or specifications of the website are changed, it is possible to make a wide range of judgment targets for websites with an appearance close to the real thing.

  According to another aspect (3) of the present invention, in any one of the above aspects (information processing apparatus, method or program), the target storage means for storing which login web page is the target, and the target storage means The stored web page for login is provided with period control means for transmitting the dummy data at predetermined time intervals.

  In this way, the login web page that the user always uses is stored, and dummy data is periodically sent to make a judgment target, so in addition to unknown phishing techniques, some form of access Even if a route is taken over, it can be detected at an early stage that the access destination is a fake site and effective prevention of damage can be realized.

  Another aspect (6) of the present invention provides a security system in which a plurality of information processing apparatuses or programs according to any one of the above aspects and a server apparatus that communicates with the information processing apparatuses or programs are combined. The processing device or the program realizes a reporting unit that notifies the server device of the fake page determined by the fake determination unit, and the server device receives the fake page notified from the information processing device or the program. It has a delivery means to notify to the said information processing apparatus or program.

  In this way, by notifying the fake page determined by each information processing device to other information processing devices via the server device, the time lag from the appearance of the fake page to prevention and warning is reduced, and the damage is effectively prevented. Can be easily prevented.

  It should be noted that other categories (for example, a method for an apparatus, a program for a method, etc.) corresponding to each of the above aspects and more specific aspects described below are also included in the present invention.

  According to the present invention, it is possible to determine and effectively counterfeit URLs forged or unknown phishing sites with high reliability without impairing usability and speed of authentication.

The functional block diagram which shows the structure of embodiment of this invention. The figure which illustrates each information (data) in the embodiment of the present invention. The flowchart which shows the process sequence in embodiment of this invention.

  Next, modes for carrying out the present invention (referred to as “embodiments”) will be described with reference to the drawings. It should be noted that assumptions common to those already described in the background art and problems are omitted as appropriate.

[1. Constitution〕
As shown in FIG. 1 (configuration diagram), the present embodiment relates to a security system in which a plurality of terminals T and a server device 40 that communicates with the terminals T are combined. The authenticity of the web page for login or the login web page similar to the reference page is determined. Here, the login web page is a web page that accepts login to a service using authentication information represented by at least one of an ID and a password, and is hereinafter also referred to as a “login page”. The terminal T is an information processing device (for example, a PC (personal computer) or a mobile phone terminal device) that accesses a web page via the communication network N. FIG. Many are used.

  Each terminal T has, as a general computer configuration, at least an arithmetic control unit 6 such as a CPU, a storage device 7 such as an external storage device (HDD or the like) or a main memory, and a communication network (Internet or mobile phone). Communication means 8 (LAN adapter, etc.) with N). Communication between the terminal T, the access destination website, and the server device 40 (indicated by broken arrows in the figure) is performed in the communication network N.

  In the terminal T, a predetermined computer program (not shown) stored (installed) in advance in the storage device 7 (here, as a typical example, a toolbar program linked with the web browser B) controls the arithmetic control unit 6. By doing so, elements (11, 13, etc.) such as each means shown in FIG. 1 are realized. Although not shown, the server device 40 also has communication means, and a program installed in advance in the storage device causes the arithmetic control unit to realize each element (42, 44, etc.) shown in FIG.

  Among these elements, information storage means is realized in any format such as various files and databases (also referred to as “DB”), temporary storage of variables such as arrays, register values, and system setting values in the storage device 7. While the program using the storage means is not being executed, the program is saved in an external storage device or the like and restored when the program is restarted.

  Among these storage means, as shown in FIG. 2 (1), the reference storage means 21 is characterized by the characteristics of a web page (referred to as a “reference page”) as a reference for authenticating the login page. This is means for storing in advance as feature data (for example, URL or character string included in the reference page). In addition, as illustrated in FIG. 2B, the target storage unit 31 is a unit that stores information about which login page is to be determined in the form of the URL of the page. The login page to be determined is also referred to as “target page”, and the login page stored in the target storage unit 31 is referred to as “registration page”.

  Among these, regarding the registration page, the target registration unit 30 may accept registration from the user or may receive popular delivery from the server device 40 or the like in the manner of bookmark (favorite) registration in the web browser. Further, a login page other than the registration page may be temporarily set as a target page for authenticity determination based on a designation operation from the user. Further, the registration page and the reference page may or may not be the same, and the timing and opportunity for acquiring the feature data are also free.

  For example, the feature data of the reference page may be incorporated into the toolbar program from the beginning, or after the toolbar program is installed, the feature data may be downloaded and distributed from the data supply source such as the server device 40 to the popular login page. You may receive an update. In addition, for example, feature data corresponding to a registration page registered or selected by the user may be requested from a data providing source such as the server device 40, received and distributed, and stored in the reference storage unit 21. Good. Note that each means other than the storage means is a processing means that implements and executes the functions and operations of information processing described below.

[2. Action)
In the present embodiment configured as described above, a dummy ID or password is transmitted to a login page that uses an ID or password to determine whether or not the login is successful. An example of the operation of the terminal T that performs this process is shown in the flowchart of FIG.

[2-1. (Reception of fake site information)
That is, in the terminal T, the activated web browser B performs normal processing such as website display (step S1), and the reception registration unit 46 confirms whether or not the false site information is distributed from the server device 40 (step S2). ). The fake site information referred to here is one in which the distribution means 45 of the server device 40 notifies the information of the fake page determined by one of the terminals T and notified from the terminal T to the other terminals T. Is the domain name or URL of the fake site, but may be other information such as the IP address of the fake site. If there is distribution (step S2: “YES”), the received registration means 46 stores the received false site information in the false site storage means 22.

  Subsequently, the process proceeds to determination of a fake site. Here, the registration target is a registration page registered in advance (step S4), and a login page similar to a predetermined reference page (step S5).

[2-2. Regular check of registration page)
Among these, the registration page is a login page that the user wants to make an authenticity determination, for example, a portal site that is usually used, a login page of a financial institution, electronic commerce, etc. Accepts the designation of URL or the like for the login page desired by the user and stores it in advance in the target storage means 31 as a registration page.

  Then, the cycle control unit 33 determines that a confirmation cycle has arrived at a predetermined time interval (for example, every day, every week, etc.) for the registration page stored in the target storage unit 31 (step S4: “ YES ”), the dummy transmission means 11 is operated to set the transmission target of dummy data (step S9). The transmission of the dummy data and the determination of the fake site will be described later.

[2-3. (Responding to known fake sites)
Even if the registration page confirmation cycle has not yet arrived (step S4: “NO”), if a page transition of the web page occurs due to a user operation or the like (step S5: “YES”), the response means 15 for the transition destination. If the URL of the fake site is checked against fake site information (for example, URL) stored in the fake site storage means 22 (step S6: “YES”), access prevention or warning predetermined as a fake site, etc. Is implemented (step S7).

[2-4. (Similar page processing)
Even when the transition destination is not a fake site URL (step S6: “NO”), the dummy transmission unit 11 determines whether the transition destination website is similar to the reference page (step S8). Here, the page determined to be similar is referred to as a “similar page”. Specifically, the dummy transmission unit 11 is configured such that the web page related to access is stored in the reference storage unit 21. When there is a predetermined commonality with the feature data, it is determined that the page is a similar page as a login page and dummy data is transmitted.

  Here, the reference page is, for example, a popular portal site, a login page of a financial institution or electronic commerce, etc., and its characteristic data includes names of websites, financial institutions, services, etc., catchphrases and explanations, domain names Or a character image such as a URL, a matching image including all or a part of a character string, a character string, a mark, a logo, and the like, and data representing the feature amount can be considered (FIG. 2 (1)). The standard of “predetermined commonality” is specifically free. For example, if the feature data is a character string of several items and each character string is included in the content of a URL or a web page, it matches. It can be considered that if two or three items of several items match, or if even one item matches, it is considered that there is commonality.

[2-5. (Dummy data transmission)
The dummy transmission means 11 accesses the registration page (step S4) and the similar page (step S8) that are determined as described above, and transmits dummy data for at least one of ID or password (step). S9). The specific format of the dummy data is arbitrary. For example, in the case of a password, generally a character string of up to a dozen characters can be generated by randomly combining lowercase letters of 6 or 8 letters and Arabic numerals starting with a lowercase letter. Fits many login pages. However, since the actual usage differs depending on the login page, such as a login page that requires one or more other symbols to be included, or a login page that accepts only uppercase letters but not lowercase letters, the registration page, reference page, etc. It is desirable that the user ID and password are generated according to individual specifications.

[2-6. (Fake page determination)
Then, the false determination means 13 receives the result page based on the transmitted dummy data and determines whether or not the login is successful (step S10), and if successful, determines that the login web page is a false page (step S11). : "YES"). For example, if a fake password is sent as dummy data, the authentic website W1 (FIG. 1) will collide with the authentic password, and the login will be rejected due to an error display, etc. The phishing site WX (FIG. 1) does not have a genuine password and cannot be verified, and as a result, the login is successful.

  Here, the specific method for determining whether or not the login is correct is free, but as an example, the difference in the URL of the web page that transitions after each successful login and after the failure, the user ID and the welcome word after successful display, etc. are displayed. If it is displayed, if there is a red notice that the ID or password is not correct in case of failure, the character color designation tag included in the HTML description of the display page, the presence or absence of the character string of the notice sentence It is conceivable to determine whether or not the login is correct by detecting the password.

[2-7. Reporting and distribution of fake site information)
Regarding the access to the fake page determined as described above, the response unit 15 prevents or warns as a predetermined response (step S7). Specifically, for the determined fake page (step S11: “YES”), the fake determination unit 13 stores information such as URL in the fake site storage unit 22 as fake site information (step S12). Then, if the page transition is the URL of the fake site (step S6: “YES”), the handling means 15 then takes action such as access prevention or warning predetermined as the fake site. (Step S7).

  Further, the reporting means 41 of the terminal T notifies the server device 40 of the fake site information as described above regarding the fake page determined as described above (step S13). In the server device 40, a large number of false site information transmitted from each terminal T is received by the report receiving means 42 and accumulated in the false site storage means 44, and the distribution means 45 distributes it to each terminal T. By spreading the information, the fake site information is shared among a large number of terminals T and effective damage prevention is realized.

[3. effect〕
As described above, in this embodiment, a dummy ID or password is transmitted to the login page to determine the success or failure of the login, and if the login is successful for the dummy data, the web page is determined to be false. Since countermeasures such as access prevention can be taken, it becomes possible to effectively counter and counterfeit URLs and unknown phishing sites with high reliability without impairing usability and speed of authentication.

  In the present embodiment, a web page similar in characteristics to a predetermined web page such as a regular login page is used as a login web page (FIG. 3: step S8), and is determined by using dummy data. Regardless of the method, and even when the design and specifications of the real website are changed, it is possible to make a wide range of judgment targets for websites that have an appearance close to the real thing.

  Furthermore, in the present embodiment, the login web page that the user always uses is stored, and the dummy data is periodically transmitted (FIG. 3: step S4) to be the object of determination, thereby making the unknown In addition to phishing techniques, even if some form of access path hijacking occurs, it is possible to detect at an early stage that the access destination is a fake site and to effectively prevent damage.

  As another aspect that is used in combination with or substitutes for the periodical transmission means 33 to periodically transmit dummy data as described above, the user inputs or transmits authentication information (at least one of ID or password) on the login page. When processing or operation is performed, this may be detected from the contents of a web page or an input character string, and dummy data may be transmitted prior to the input or transmission. By doing so, it is possible to always check whether the site is a phishing site before logging in, and security can be further improved.

  In addition, in this embodiment, by notifying the fake page determined by each terminal T that is an information processing device to other information processing devices via the server device, from the appearance of the fake page to prevention or warning The time lag is reduced, and it is easy to effectively prevent damage.

[4. Other embodiments]
In addition, said each embodiment is only an illustration, and this invention includes what is illustrated below and other embodiment other than that. For example, “at least one of ID or password” related to login widely means identification information and authentication information for login, and is not limited to a mode in which the ID and password are different from each other. But you can. Further, the program for realizing each function of the present invention on the terminal T is not limited to the toolbar program, and the format such as a resident program is arbitrary.

  In addition, elements such as each unit described in the above embodiment may be realized by other information processing mechanisms such as an electronic circuit based on a wired logic or the like without being limited to an arithmetic control unit of a computer. Further, each configuration diagram, data diagram, flowchart diagram, and the like are merely examples, and the presence / absence of each element, its order, specific contents, and the like can be appropriately changed. Further, for example, the server device 40 may be realized by a plurality of server computers, and depending on functions, an external platform or the like may be realized by calling an API (Application Program Interface) or network computing. The configuration can be changed flexibly.

6 arithmetic control unit 7 storage device 8 communication unit 11 dummy transmission unit 13 false determination unit 15 correspondence unit 21 reference storage unit 22 fake site storage unit 30 target registration unit 31 target storage unit 33 period control unit 40 server device 41 reporting unit 42 report Reception means 44 Fake site storage means 45 Distribution means 46 Reception registration means B Web browser N Communication network T Terminal

Claims (6)

In an information processing apparatus that accesses a web page,
Dummy transmission means for transmitting dummy data for at least one of ID or password to a login web page using at least one of ID or password;
False determination means for determining success or failure of login by the dummy data, and determining that the login web page is a false page if successful,
Corresponding means for blocking or warning about access to the fake page;
An information processing apparatus comprising: Reference storage means for storing in advance the characteristics of the reference web page,
The dummy transmission unit transmits the dummy data as the login web page when a web page related to access has a predetermined commonality with the feature stored in the reference storage unit. The information processing apparatus according to claim 1. Target storage means for storing which login web page is the target;
The information processing apparatus according to claim 1, further comprising a cycle control unit configured to transmit the dummy data at predetermined time intervals for the login web page stored in the target storage unit. . In an information processing method for accessing a web page,
A dummy transmission step in which the computer transmits dummy data for at least one of the ID and the password to the login web page using at least one of the ID and the password;
A false determination step of determining whether the login by the dummy data is successful and determining that the login web page is a fake page when the computer is successful;
A corresponding step in which the computer blocks or warns about access to the fake page;
An information processing method comprising: In a program for controlling a computer that implements an information processing apparatus that accesses a web page,
The program controls the computer,
Dummy transmission means for transmitting dummy data for at least one of ID or password to a login web page using at least one of ID or password;
False determination means for determining success or failure of login by the dummy data and determining that the login web page is a fake page if successful,
Corresponding means for blocking or warning about access to the fake page;
A program characterized by realizing. In a security system combining a plurality of the information processing device according to any one of claims 1 to 3 or the program of claim 5 and a server device that communicates with the information processing device or the program,
The information processing apparatus or program realizes a report unit that notifies the server device of the fake page determined by the fake determination unit,
The said server apparatus has a delivery means to notify the said fake page notified from the said information processing apparatus or program to the said other information processing apparatus or program. The security system characterized by the above-mentioned.

Images