JP2012133407A - Unauthorized access detection apparatus, unauthorized access detection system, unauthorized access detection method and program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To detect unauthorized access while also considering a purpose, without requiring the management of unauthorized access patterns.SOLUTION: A work application server 6 stores application work content information indicating approved work contents. When performing job processing, a worker performs logon account on a work terminal 3 and inputs a work ID and a job server 4 of a work object. When there is application work content information containing the inputted work ID, the work terminal 3 cancels utilization restriction, accesses the job server 4 and performs job processing. The work terminal 3 produces terminal utilization information to which information inputted by the worker and a utilization time have been set, and the job server 4 produces log data to which a time of connection with the work terminal 3 has been set. A collation terminal 8 collates the terminal utilization information and the log data to detect unauthorized access from log data without matched terminal utilization information, and collates the terminal utilization information and the application work content information to detect unauthorized access from the terminal utilization information without matched application work content information.

Description

  The present invention relates to an unauthorized access detection device, an unauthorized access detection system, an unauthorized access detection method, and a program.

  In recent years, unauthorized access to computer devices connected to a network has become a problem. Therefore, an unauthorized access pattern is stored in advance in a database, and unauthorized access performed via the network is detected based on whether or not the pattern matches this pattern (see, for example, Patent Document 1).

JP 2006-67279 A

In the above-described conventional technique, pattern data describing a characteristic pattern of a packet used for unauthorized access must be registered in a database in advance. Therefore, every time a new unauthorized access pattern is found, new pattern data has to be registered in the database. Unauthorized access cannot be detected if pattern data registration is forgotten.
Even if the pattern does not match the unauthorized access pattern, the access purpose is not always permitted. That is, in the unauthorized access detection using the pattern data, it is impossible to determine the purpose of the access, and it is not possible to detect the unauthorized access.

  The present invention has been made in view of the above circumstances, and does not require management of an unauthorized access pattern, and can also detect unauthorized access, an unauthorized access detection system, an unauthorized access detection system, and an unauthorized access detection method. And provide programs.

The present invention has been made to solve the above-described problem, and shows application work content information indicating information related to permitted work, and information generated on the business processing device and executed on the business processing device. Information for acquiring log data and information on work generated by the work terminal and input to the work terminal by the worker and terminal usage information indicating information on the work instructed to the business processing device at the work terminal The acquisition unit, the log data acquired by the information acquisition unit and the terminal usage information are matched, and the information related to the work indicated by the log data matches the information related to the work indicated by the terminal usage information. And unauthorized access based on the log data determined to have no matching terminal usage information. A log data matching unit that detects the information, the terminal usage information acquired by the information acquisition unit and the application work content information, and information related to the input work indicated by the terminal usage information, and the application work content An application work content matching unit that determines whether the information on the permitted work indicated by the information matches, and detects unauthorized access based on the terminal usage information determined that there is no matching application work content information; An unauthorized access detection device comprising:
In the unauthorized access detection device, the application work content matching unit includes the terminal usage information determined by the log data matching unit to match the log data and the application work content information acquired by the information acquisition unit. The information on the input work indicated by the terminal usage information is matched with the information on the permitted work indicated by the application work content information, and the application work content that matches is determined. An unauthorized access may be detected based on the terminal usage information determined to have no information.
In the unauthorized access detection device, the log data matching unit includes the terminal usage information determined by the application work content matching unit to match the application work content information and the log data acquired by the information acquisition unit. The log data that is determined to match whether the information related to the work indicated by the log data matches the information related to the work indicated by the terminal usage information, and the terminal usage information does not match. It may be characterized in that unauthorized access is detected by.

  Further, the present invention is an unauthorized access detection system comprising an unauthorized access detection device, a work terminal for instructing work, and a business processing device for receiving work instructions from the work terminal and executing work business processing, The unauthorized access detection device includes an application work content storage unit for storing application work content information indicating information related to permitted work, and log data indicating information related to work executed in the business processing device from the business processing device. An information acquisition unit that acquires terminal usage information indicating information related to work input to the work terminal by an operator from the work terminal and information related to work directed to the business processing device in the work terminal; The log data acquired by the information acquisition unit and the terminal usage information are collated and indicated by the log data. Log data matching for determining whether the information related to the work and the information related to the work indicated by the terminal usage information match, and detecting unauthorized access based on the log data determined to have no matching terminal usage information The terminal usage information acquired by the information acquisition unit and the application work content information read from the application work content storage unit, information on the input work indicated by the terminal usage information, Application work content for determining whether the information on the permitted work indicated by the application work content information matches, and detecting unauthorized access based on the terminal usage information determined that there is no matching application work content information An unauthorized access detection system comprising: an abutting portion.

  Further, the present invention is the above-described unauthorized access detection system, wherein the application work content information includes identification information of the business processing device to be worked and identification information of the worker, and the log data includes the business processing Identification information of the work terminal that instructed the work to the device, a time when the access from the work terminal to the business processing device is started and a work time indicating the time when the access is finished, the work terminal, The identification information of the work processing device to be worked and the identification information of the worker inputted to the work terminal by the worker, the time when the worker starts using the work terminal, and the time when the use ends A terminal usage information transfer unit that generates terminal usage information including the terminal usage time indicated and the identification information of the work terminal and transmits the generated terminal usage information to the unauthorized access detection device. The data matching unit includes the work terminal indicated by the log data of the business processing device specified by the identification information of the work terminal indicated by the terminal usage information and the identification information of the business processing device in the terminal usage information The time period from the start to the end of the use of the work terminal indicated by the terminal use time in the terminal use information and the work terminal indicated by the work time in the log data. The application work content matching unit determines that the application processing content matching unit includes the identification information of the business processing device and the identification of the worker indicated by the terminal usage information. Determining that the information matches the identification information of the business processing device indicated by the application work content information and the identification information of the worker. And butterflies.

  Further, the present invention is the above-described unauthorized access detection system, wherein the work terminal transmits information related to the work input by an operator to the unauthorized access detection device, and the verification request unit transmits the information. A deregulation unit that permits business processing when a successful collation is received in response to the information related to the work, and the unauthorized access detection device includes the application work that includes information related to the work received from the work terminal. When content information is memorize | stored in the said application work content storage part, the collation process part which notifies collation success to the said work terminal is further provided, It is characterized by the above-mentioned.

  Further, the present invention is the above-described unauthorized access detection system, wherein the work terminal displays a screen for inputting information related to the work on a full screen and receives the information related to the input work. An information receiving unit is further provided, and the restriction canceling unit cancels the full-screen display when the collation success is received in response to the information related to the work transmitted by the collation requesting unit.

  The present invention is also an unauthorized access detection method executed in an unauthorized access detection device, wherein the information acquisition unit generates application work content information indicating information related to permitted work, and the business processing device Log data indicating information relating to work executed in the apparatus, information relating to work generated in the work terminal and input to the work terminal by the worker, and information relating to work instructed to the business processing apparatus in the work terminal An information acquisition process for acquiring terminal usage information indicating, and a log data matching unit that matches the log data acquired in the information acquisition process and the terminal usage information, and information related to the work indicated by the log data; Determining whether the information related to the work indicated by the terminal usage information matches A log data matching process for detecting unauthorized access based on the log data determined to have no matching terminal usage information, and an application work content match, the terminal usage information and the application work content acquired in the information acquisition process. Collating information, determining whether the information on the input work indicated by the terminal usage information matches the information on the permitted work indicated by the application work content information, and the matching application And an application work content matching process for detecting unauthorized access based on the terminal usage information determined to have no work content information.

  In addition, the present invention provides a computer used as an unauthorized access detection device, application work content information indicating information related to permitted work, and a log indicating information related to the work generated in the business processing device and executed in the business processing device. Information acquisition that acquires data and information on work generated by the work terminal and input to the work terminal by the worker and terminal usage information indicating information on the work instructed to the business processing device at the work terminal The log data and the terminal usage information acquired by the information acquisition unit, and whether the information related to the work indicated by the log data matches the information related to the work indicated by the terminal usage information. To the log data determined to have no matching terminal usage information. Log data matching unit for detecting unauthorized access, the terminal acquisition information acquired by the information acquisition unit and the application work content information, information about the input work indicated by the terminal usage information, Application work content for determining whether the information on the permitted work indicated by the application work content information matches, and detecting unauthorized access based on the terminal usage information determined that there is no matching application work content information It is a program characterized by functioning as a butt section.

  According to the present invention, it is not necessary to manage unauthorized access patterns, and unauthorized access can be detected in consideration of the purpose of access.

1 is a diagram illustrating an overall configuration of an unauthorized access detection system according to an embodiment of the present invention. It is a functional block diagram which shows the internal structure of the application terminal by the embodiment. It is a functional block diagram which shows the internal structure of the approval terminal by the embodiment. It is a functional block diagram which shows the internal structure of the work terminal by the embodiment. It is a functional block diagram which shows the internal structure of the business server by the embodiment. It is a functional block diagram which shows the internal structure of the work application server by the embodiment. It is a functional block diagram which shows the internal structure of the terminal usage information storage server by the same embodiment. It is a functional block diagram which shows the internal structure of the meeting terminal by the embodiment. It is a figure which shows the data structural example of the work application content information by the same embodiment. It is a figure which shows the data structural example of the log data by the embodiment. It is a figure which shows the data structural example of the terminal usage information by the embodiment. It is a figure which shows the full screen display image of the work terminal by the embodiment. It is a sequence diagram of the unauthorized access detection system by the embodiment. It is a figure which shows the data matching range by the embodiment. It is a figure which shows the example of a match of log data and terminal utilization information by the embodiment. It is a figure which shows the example of a match with terminal utilization information and application work content information by the embodiment. It is a figure which shows the unauthorized access detection processing flow of the matching terminal by the embodiment.

  Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings.

  FIG. 1 is a diagram showing an overall configuration of an unauthorized access detection system according to an embodiment of the present invention. As shown in the figure, the unauthorized access detection system includes an application terminal 1, an approval terminal 2, a work terminal 3, a business server 4, and an unauthorized access detection device 5 connected to a network 9 that is an IP (Internet Protocol) communication network. Composed. In the figure, only one application terminal 1, approval terminal 2, work terminal 3, and business server 4 are shown, but a plurality of application terminals may be provided. The unauthorized access detection device 5 includes a work application server 6, a terminal usage information storage server 7, and a match terminal 8.

  The application terminal 1 is a computer terminal that applies for work to be performed on the business server 4 to be maintained. The approval terminal 2 is a computer terminal that approves the work applied by the application terminal 1. The work application server 6 is a server that accumulates application work content information indicating the application content of work approved by the approval terminal 2. The work terminal 3 is a computer terminal that accesses the work server 4 and instructs work processing for the approved work. Information related to work input by the worker before the work, or work designated by the work terminal 3. Generate terminal usage information indicating the information. The business server 4 is a server that executes business processing in accordance with instructions received from the work terminal 3, and records log data indicating information related to work performed in the business server 4. The terminal usage information storage server 7 is a server that receives and stores terminal usage information from the work terminal 3. The matching terminal 8 collates the log data recorded by the business server 4 with the terminal usage information stored in the terminal usage information storage server 7, and the application work stored in the terminal usage information and the work application server 6 It is a computer terminal that detects unauthorized access by matching content information.

  With the above configuration, the unauthorized access detection system according to the present embodiment enables post-tracking on whether or not access from the work terminal 3 to the business server 4 has been performed based on a correct work application, that is, for a legitimate purpose. .

  FIG. 2 is a functional block diagram showing an internal configuration of the application terminal 1, and only functional blocks related to the present embodiment are extracted and shown. The application terminal 1 includes a communication unit 11, a browser processing unit 12, a display unit 13, and an input unit 14. The communication unit 11 transmits / receives data to / from other devices via the network 9. The display unit 13 is a display such as an LCD (Liquid Crystal Display). The input unit 14 is a keyboard, a mouse, or the like, and receives information input by a user operation. The browser processing unit 12 displays a screen on the display unit 13 based on screen data received from another device via the communication unit 11, and is input by the input unit 14 on the screen displayed on the display unit 13. The information is transmitted to the access destination computer device via the communication unit 11.

  FIG. 3 is a functional block diagram showing an internal configuration of the approval terminal 2, and only functional blocks related to the present embodiment are extracted and shown. The approval terminal 2 includes a communication unit 21, a browser processing unit 22, a display unit 23, and an input unit 24. The communication unit 21 transmits and receives data to and from other devices via the network 9. The display unit 23 is a display such as an LCD. The input unit 24 is a keyboard, a mouse, or the like, and receives information input by a user operation. The browser processing unit 22 displays a screen on the display unit 23 based on screen data received from another device via the communication unit 21, and is input by the input unit 24 on the screen displayed on the display unit 23. The information is transmitted to the access destination computer device via the communication unit 21.

  FIG. 4 is a functional block diagram showing an internal configuration of the work terminal 3, and only functional blocks related to the present embodiment are extracted and shown. The work terminal 3 includes an input unit 31, a display unit 32, a communication unit 33, a terminal management unit 34, and a business process instruction unit 39. The input unit 31 is a keyboard, a mouse, or the like, and receives information input by a user operation. The display unit 32 is a display such as an LCD. The communication unit 33 transmits and receives data to and from other devices via the network 9.

  The terminal management unit 34 is generated by a CPU (central processing unit) reading and executing application software of a terminal management tool from a memory at the time of logon. The terminal management unit 34 includes an input information reception unit 35, a verification request unit 36, a screen lock release unit 37, and a terminal usage information transfer unit 38. The input information receiving unit 35 first displays a full screen of the information input screen on the display unit 32 after logon, and receives information input by the input unit 31 on the information input screen. The input information receiving unit 35 continues to display the information input screen on the display unit 32 until all necessary information is received. The verification request unit 36 transmits a verification request in which a part of the application work content information included in the information received by the input information reception unit 35 is set to the work application server 6 via the communication unit 33. When the collation result received from the work application server 6 in response to the collation request indicates that collation is successful, the screen lock release unit 37 releases the screen lock by the full screen display and permits the screen transition of the display unit 32. To do. After the work is completed, the terminal usage information transfer unit 38 generates terminal usage information and transmits it to the terminal usage information storage server 7 via the communication unit 33.

  The business process instruction unit 39 transmits the business process instruction input by the input unit 31 to the business server 4 via the communication unit 33, and displays the business process result received from the business server 4 in response to the transmitted instruction. This is displayed on the unit 32.

  FIG. 5 is a functional block diagram showing an internal configuration of the business server 4, and only functional blocks related to the present embodiment are extracted and shown. The business server 4 includes a communication unit 41, a business processing unit 42, a log data recording unit 43, a log data storage unit 44, and a log data transmission unit 45. The communication unit 41 transmits and receives data to and from other devices via the network 9. The business processing unit 42 executes the business processing in accordance with the business processing instruction received from the work terminal 3 and returns the result of the business processing via the communication unit 41. The log data recording unit 43 generates log data that is data indicating a log related to access from the work terminal 3 and writes the log data in the log data storage unit 44. The log data transmission unit 45 reads the log data from the log data storage unit 44 and transmits the log data to the matching terminal 8 via the communication unit 41.

  FIG. 6 is a functional block diagram showing an internal configuration of the work application server 6, and only functional blocks related to the present embodiment are extracted and shown. The work application server 6 includes a communication unit 61, an application receiving unit 62, an approval processing unit 63, a work ID issuing unit 64, an application work content storage unit 65, a verification unit 66, and an application work content information transmission unit 67. Is done. The communication unit 61 transmits and receives data to and from other devices via the network 9. The application reception unit 62 receives the application details of the work transmitted by the application terminal 1. The approval processing unit 63 transmits the application content to the approval terminal 2 via the communication unit 61. When the work ID issuing unit 64 receives information indicating approval from the approval terminal 2 in response to the transmitted application content, the work ID issuing unit 64 issues a work ID that is identification information for uniquely identifying the work, and the issued work ID and work The application work content information in which the application content is set is written in the application work content storage unit 65. The collation unit 66 collates the collation request received from the work terminal 3 with the application work content information stored in the application work content storage unit 65, and returns the collation result via the communication unit 61. The application work content information transmission unit 67 reads the application work content information from the application work content storage unit 65 and transmits it to the matching terminal 8 via the communication unit 61.

  FIG. 7 is a functional block diagram showing an internal configuration of the terminal usage information storage server 7, and only functional blocks related to the present embodiment are extracted and shown. The terminal usage information storage server 7 includes a communication unit 71, a terminal usage information reception unit 72, a terminal usage information storage unit 73, and a terminal usage information transmission unit 74. The communication unit 71 transmits and receives data to and from other devices via the network 9. The terminal usage information receiving unit 72 writes the terminal usage information received from the work terminal 3 in the terminal usage information storage unit 73. The terminal usage information transmission unit 74 reads the terminal usage information from the terminal usage information storage unit 73 and transmits it to the matching terminal 8 via the communication unit 71.

  FIG. 8 is a functional block diagram showing an internal configuration of the matching terminal 8, and only functional blocks related to the present embodiment are extracted and shown. The match terminal 8 includes a communication unit 81, an information acquisition unit 82, an information storage unit 83, an input unit 84, a match processing unit 85, and an output unit 88. The communication unit 81 transmits and receives data to and from other devices via the network 9. The input unit 84 is a keyboard, a mouse, or the like, and receives information input by a user operation. The output unit 88 outputs information. In the present embodiment, the output unit 88 is described as a display that displays information. However, the output unit 88 may be a printer that prints information or a writing device that writes information to an information recording medium.

  The information acquisition unit 82 writes the log data received from the business server 4, the application work content information received from the work application server 6, and the terminal usage information received from the terminal usage information storage server 7 in the information storage unit 83. The matching processing unit 85 includes a log data matching unit 86 and an application work content matching unit 87. The log data matching unit 86 performs a matching process between the terminal usage information stored in the information storage unit 83 and the log data, and causes the output unit 88 to output a matching result. The application work content matching unit 87 performs a match between the terminal usage information stored in the information storage unit 83 and the application work content information, and causes the output unit 88 to output a match result.

  Next, data configuration examples of various data according to the present embodiment will be shown.

  FIG. 9 is a diagram illustrating a data configuration example of work application content information. As shown in the figure, the application work content information includes information such as a work ID, an access destination server name, and a logon account as information related to the permitted work. The access destination server name is the name of the business server 4 that is the work target, and is identification information that uniquely identifies the business server 4. The logon account is an account used when a worker logs on to the work terminal 3 and is identification information that uniquely identifies the worker.

  FIG. 10 is a diagram illustrating a data configuration example of log data. As shown in the figure, the log data includes information such as a PC host name, a server use start date and time, a server use end date and time as information related to the work executed in the business server 4. The PC host name is the name of the work terminal 3 that has been accessed by the business server 4, that is, the work terminal 3 that has instructed the work, and is identification information that uniquely identifies the work terminal 3. The server use start date and time indicates the date and time when the work according to the instruction from the work terminal 3 is started, and the server use end date and time indicates the date and time when the work according to the instruction from the work terminal 3 is ended. Specifically, the server usage start date and time indicates the time when access from the work terminal 3 to the business server 4 is started, that is, the date and time when the business server 4 establishes the connection state with the work terminal 3, and the server usage end The date and time indicate the time when the access to the business server 4 from the work terminal 3 is completed, that is, the date and time when the business server 4 ends the connection state with the work terminal 3.

FIG. 11 is a diagram illustrating a data configuration example of terminal usage information. The terminal usage information includes information such as work ID, access destination server name, logon account, PC host name, terminal usage start date and time, terminal usage end date and time. The work ID is a work ID input to the work terminal 3 by the worker. The access destination server name is the name of the access destination business server 4 input to the work terminal 3 by the worker. The logon account is an account of a worker who has logged on to the work terminal 3. The PC host name is the name of the work terminal 3 that generated the terminal usage information. The terminal use start date / time indicates the date / time when the worker started using the work terminal 3, and the terminal use end date / time indicates the date / time when the worker finished using the work terminal 3. Specifically, the terminal use start date and time is the date and time when the operator logs on, and the terminal use end date and time is the date and time when the worker logs off.
That is, the work ID, the access destination server name, and the logon account are information related to the work input by the worker to the work terminal 3, and the PC host name, the terminal use start date and time, and the terminal use end date and time are executed in the work terminal 3. It is information about the work that was done

  FIG. 12 is a diagram illustrating a display image of the information input screen displayed on the display unit 32 of the work terminal 3. As shown in the figure, the information input screen is displayed in full screen, and the start date and time indicating the date and time when the operator logged on in step S21, the logon account entered when logging on, and the host name of the work terminal 3 are displayed. Is done. In addition, the information input screen includes the user name, the work in charge, the server name (connection destination) of the work server 4 to be worked on, the work ID (processing application number or work request number), the work request source, and the work processing performed as work. Are displayed as fields and check boxes for inputting data (operation table name), data operations (using SQL), work contents, and the like. After all fields and check boxes have been entered, a click on the OK button can be accepted.

  Next, the operation of the unauthorized access detection system will be described.

FIG. 13 is a sequence diagram of the unauthorized access detection system.
First, the applicant accesses the work application server 6 from the application terminal 1. The communication unit 11 of the application terminal 1 receives application input screen data for inputting work application information from the work application server 6, and the browser processing unit 12 causes the display unit 13 to display the received application input screen data. The worker inputs work application information through the input unit 14 on the application input screen. The work application information includes the access destination server name that is the server name of the business server 4 that is the work target, the logon account that is the account of the worker performing the work, the application date and time, the work subject, the work content, the work date and time, and information about the applicant (Name, person in charge, contact, department), information on the administrator (name, person in charge, contact, department), information on the worker (name, person in charge, contact, department), documents related to the work Contains information such as numbers. The browser processing unit 12 instructs the communication unit 11 to transmit the input work application information, and the communication unit 11 transmits the work application information to the work application server 6 (step S11).

  The communication unit 61 of the work application server 6 receives the work application information from the application terminal 1 and outputs it to the application reception unit 62. Upon receiving the work application information, the application receiving unit 62 instructs the approval processing unit 63 to execute the approval process. The approval processing unit 63 instructs the communication unit 61 to transmit the approval request screen data for displaying the received work application information to the approval terminal 2, and the communication unit 61 transmits the approval request screen data to the approval terminal 2 (step) S12). The browser processing unit 22 of the approval terminal 2 displays the approval request screen data received by the communication unit 21 on the display unit 23. The approver confirms the work application information displayed on the display unit 23 and inputs the approval through the input unit 24. The browser processing unit 22 instructs the communication unit 21 to return approval result information indicating approval, and the communication unit 21 transmits the approval result information to the work application server 6 (step S13).

  The communication unit 61 of the work application server 6 receives the approval result information and outputs it to the approval processing unit 63. Upon receiving the approval result information indicating approval, the approval processing unit 63 instructs the work ID issuing unit 64 to issue a work ID. The work ID issuing unit 64 generates a new work ID (step S14), and writes the application work content information in which the generated work ID and the work application information received in step S11 are set to the application work content storage unit 65. (Step S15). The work ID issuing unit 64 instructs the communication unit 61 to transmit application result notification screen data for displaying the approval and the work ID to the application terminal 1, and the communication unit 61 transmits the application result notification screen data to the application terminal. 1 (step S16). The browser processing unit 12 of the application terminal 1 causes the display unit 13 to display application result notification screen data received by the communication unit 11. Thereby, the applicant confirms that the requested work is approved and the work ID.

  After approval of the work application, the worker inputs a logon account and a password through the input unit 31 of the work terminal 3 (step S21). When the work terminal 3 confirms the validity with the logon account and the password, the input information receiving unit 35 displays the information input screen shown in FIG. 12 on the display unit 32 by full screen display, and locks the screen. The operator uses the input unit 31 to display on the information input screen the user name, the task in charge, the server name of the access destination business server 4 to be worked, the work ID, the work request source, the operation table name, the SQL usage, Enter your work. If the input information receiving unit 35 determines that all of the information has been input, the input information receiving unit 35 can use the OK button on the information input screen. When the OK button is clicked, the input information reception unit 35 instructs the verification request unit 36 to execute verification.

  The collation request unit 36 instructs the communication unit 33 to transmit a collation request in which the input work ID is set, and the communication unit 33 transmits the collation request to the work application server 6 (step S23). When the collation unit 66 of the work application server 6 receives the collation request via the communication unit 61, the collation unit 66 searches the application work content storage unit 65, sets the same work ID as the received collation request, and indicates that it has been used. It is determined whether there is application work content information that is not associated with the indicated information (step S24). The collation unit 66 determines that the collation is successful when the application work content information is detected as a result of the search. The collation unit 66 writes information indicating used in association with the detected application work content information to the application work content storage unit 65, and instructs the communication unit 61 to return a collation result indicating a successful collation. The communication part 61 transmits a collation result to the work terminal 3 (step S25). When the collation result received via the communication unit 33 indicates that the collation is successful, the screen lock release unit 37 of the work terminal 3 releases the screen lock based on the full screen display and permits the screen transition, thereby enabling business processing. An operation screen is displayed on the display unit 32 (step S26).

  When the worker inputs a connection instruction to the business server 4 through the input unit 31 of the work terminal 3, the communication unit 33 transmits a connection request to the business server 4. The name of the work terminal 3 is set in the connection request. The communication unit 41 of the business server 4 receives a connection request from the work terminal 3 and establishes a connection state (session) with the communication unit 33 of the work terminal 3. After establishing the connection state, business processing is executed between the work terminal 3 and the business server 4 (step S27). Specifically, when a worker inputs a business process instruction using the input unit 31 of the work terminal 3, the business process instruction unit 39 transmits the business process instruction to the business server 4 via the communication unit 33. The business process instruction includes, for example, registration, update, reading, and deletion of various data related to the business. The business processing unit 42 of the business server 4 executes the business processing according to the business processing instruction received by the communication unit 41, and transmits the execution result of the business processing to the work terminal 3 via the communication unit 41. The business process instruction unit 39 of the work terminal 3 causes the display unit 32 to display the business process result received by the communication unit 33 from the business server 4.

  When the worker inputs a disconnection instruction to the business server 4 through the input unit 31 of the work terminal 3 after the business process is completed, the communication unit 33 transmits a connection disconnection request to the business server 4. The communication unit 41 of the business server 4 receives the connection disconnection request from the work terminal 3 and ends the connection state (session) with the communication unit 33 of the work terminal 3. The log data recording unit 43 sets the name of the work terminal 3 acquired from the connection request, the PC host name in which the work terminal 3 is set, the server use start date and time indicating the time when the connection state is established with the work terminal 3, and the connection state with the work terminal 3 is terminated. Log data in which information such as the server use end date and time indicating the date and time set is set is generated and written to the log data storage unit 44 (step S28).

  When business processing is performed on a plurality of business servers 4, the processes of steps S 27 and S 28 are repeated between the work terminal 3 and the other business servers 4. It is also possible to simultaneously establish a connection state between the work terminal 3 and the plurality of business servers 4 to perform business processing.

  When the work is finished, the worker inputs a logoff instruction through the input unit 31 of the work terminal 3 (step S29). The terminal usage information transfer unit 38 includes the logon account input in step S21, the PC host name indicating the name of the user's own work terminal 3, and the information input on the information input screen in step S22 (user name, assigned task, task). Server 4 server name, work ID, work request source, operation table name, SQL usage, work content), terminal use start date and time indicating the date and time when the work terminal 3 was logged on, and terminal use end date and time indicating the log off date and time, etc. Generate the set terminal usage information. The communication unit 33 transmits the terminal usage information generated by the terminal usage information transfer unit 38 to the terminal usage information storage server 7 (step S30). The terminal usage information receiving unit 72 of the terminal usage information storage server 7 writes the terminal usage information received by the communication unit 71 into the terminal usage information storage unit 73 (step S31).

  The information acquisition unit 82 of the matching terminal 8 transmits a terminal usage information acquisition request to the terminal usage information storage server 7 via the communication unit 81 periodically or when an instruction is input from the input unit 84 ( Step S41). When the terminal usage information transmission unit 74 of the terminal usage information storage server 7 receives the terminal usage information acquisition request via the communication unit 71, the terminal usage information storage unit 74 reads out terminal transmission information that has not been transmitted from the terminal usage information storage unit 73 to the matching terminal 8. The communication unit 71 returns the terminal usage information read by the terminal usage information transmission unit 74 to the matching terminal 8 (step S42). The information acquisition unit 82 of the matching terminal 8 writes the terminal usage information received by the communication unit 81 in the information storage unit 83.

  Next, the information acquisition unit 82 of the matching terminal 8 transmits a log data acquisition request to the business server 4 via the communication unit 81 (step S43). When the log data transmission unit 45 of the business server 4 receives the log data acquisition request via the communication unit 41, the log data transmission unit 45 reads log data that has not been transmitted from the log data storage unit 44 to the matching terminal 8. The communication unit 41 returns the terminal usage information read by the log data storage unit 44 to the matching terminal 8 (step S44). The information acquisition unit 82 of the matching terminal 8 associates the log data received by the communication unit 81 with the information (for example, server name) that identifies the business server 4 that is the transmission source of the log data, and writes it in the information storage unit 83. .

  Subsequently, the information acquisition unit 82 of the matching terminal 8 transmits an application work content information acquisition request to the work application server 6 via the communication unit 81 (step S45). When the application work content information transmission unit 67 of the work application server 6 receives the application work content information acquisition request via the communication unit 61, it reads untransmitted application work content information from the application work content storage unit 65. The communication unit 61 returns the application work content information read by the application work content information transmission unit 67 to the matching terminal 8 (step S46). The information acquisition unit 82 of the matching terminal 8 writes the application work content information received by the communication unit 81 in the information storage unit 83.

  The matching processing unit 85 of the matching terminal 8 performs a matching process using the application work content information, log data, and terminal usage information stored in the information storage unit 83, determines whether there is unauthorized access, and outputs the determination result. The data is displayed on the part 88 (step S47).

  If there is log data that does not match any of the terminal usage information as a result of matching the terminal usage information with the log data, the log data indicates that the business server 4 has been accessed from other than the work terminal 3. That is, it indicates the occurrence of unauthorized access. On the other hand, if there is terminal usage information that does not match any of the log data, the terminal usage information indicates that the log-off was performed without accessing the business server 4 although the work terminal 3 was logged on. Show. That is, since the business server 4 is not accessed, it does not indicate the occurrence of unauthorized access.

If there is terminal usage information that does not match any of the application work content information as a result of matching the terminal usage information and the application work content information, the work terminal 3 has accessed the business server 4 that has not applied for it. Show. That is, it indicates the occurrence of unauthorized access. On the other hand, if there is application work content information that does not match any of the terminal usage information, it indicates that the worker has applied for the application terminal 1 but has not yet performed the requested business process. That is, it does not indicate the occurrence of unauthorized access.
Therefore, in the matching process, the matching processing unit 85 of the matching terminal 8 detects whether there is any log data that does not match any of the terminal usage information, and determines which of the terminal usage information that matches the log data. Detect whether there is anything that does not match the application work content information.

  FIG. 14 is a diagram illustrating a data matching range. In the figure, only a part of information used for the matching process is shown. In the matching process of step S47, the log data matching unit 86 of the matching terminal 8 includes the PC host name, the terminal usage start date / time and the terminal usage end date / time of the terminal usage information acquired from the terminal usage information storage server 7, and the terminal usage information It is determined whether the log data acquired from the business server 4 identified by the access destination server name matches the PC host name, server use start date and server use end date and time. The matching processing unit 85 has the same PC host name set in the terminal usage information and the log data, and the time zone indicated by the terminal usage start date and time and the terminal usage end date and time of the terminal usage information is a log data server. When the time zone indicated by the use start date and time and the server use end date and time is included, it is determined that the terminal use information and the log data match.

  The application work content matching unit 87 matches the terminal usage information acquired from the terminal usage information storage server 7 with the work ID of the application work content information acquired from the work application server 6, the access destination server name, and the logon account. Judging. In the matching processing unit 85, the same work ID and logon account are set in the terminal usage information and the application work content information, and the access destination server name set in the terminal usage information is set in the application work content information. If the access destination server name is included, it is determined that the terminal usage information matches the application work content information.

  FIG. 15 is a diagram illustrating an example of a match between log data and terminal usage information. FIG. 15A shows a part of the setting contents of the terminal usage information and log data used for matching, and FIG. 15B shows the time indicated by the terminal usage start date and time and the terminal usage end date and time of the terminal usage information. The time zone indicated by the zone, the server use start date and time and the server use end date and time of the log data is shown. The unauthorized access detection system includes a plurality of business servers 4, and each business server 4 is described as business servers 4a, 4b, 4c,.

  As shown in FIG. 15A, in the terminal usage information in which the server names of the business servers 4a, 4b, and 4c are set as the access destination server name, the PC host name “TerminalA”, the terminal usage start date and time “20101018,10 : 00 "and terminal use end date and time" 20101018, 16:00 "are set. This is because, as shown in FIG. 15 (b), the worker used the work terminal 3 with the PC host name “Terminal A” from 10:00 to 16:00 on October 18, 2010. Show.

  On the other hand, in the log data of the business server 4a, as shown in FIG. 15A, the PC host name “Terminal A”, the server use start date and time “20101018, 11:15”, and the server use end date and time “20101018, 13:20” "Is set. Accordingly, as shown in FIG. 15B, the business server 4a has been accessed from the work terminal 3 having the PC host name “Terminal A” from 11:15 to 13:20 on October 18, 2010. Show. Since the time zone indicated by the log data of the business server 4a is included in the time zone indicated by the terminal usage information of the work terminal 3, it is determined that the terminal usage information and the log data of the business server 4a match.

  Similarly, the log data of the business server 4b indicates that the work terminal 3 having the PC host name “Terminal A” was accessed from 13:25 to 15:05 on October 18, 2010. Since this time zone is included in the time zone indicated by the terminal usage information recorded in the work terminal 3 with the PC host name “Terminal A”, it is determined that the terminal usage information matches the log data of the business server 4b. The

  On the other hand, the log data of the business server 4c indicates that the work terminal 3 having the PC host name “TerminalA” was accessed from 15:25 to 16:25 on October 18, 2010. This time zone is not included in the time zone indicated by the terminal usage information recorded in the work terminal 3 with the PC host name “Terminal A”. Therefore, it is determined that the terminal usage information and the log data of the business server 4c do not match.

FIG. 16 is a diagram illustrating an example of a match between terminal usage information and application work content information.
As shown in FIG. 16 (a), the same work ID “NB0G372” and logon account “SUGIYAMA” are set in both the terminal usage information and the application work content information, and the terminal usage information access destination server The name “ServerA” is included in the access server names “ServerA, ServerB” of the application work content information. In this case, the terminal usage information and the application work content information are determined to match each other in order to indicate that the work has actually been performed on some of the business servers 4 that have been applied.
On the other hand, as shown in FIG. 16B, the work ID “NB0G372” and the access destination server names “ServerA, ServerB” are set in both the terminal usage information and the application work content information. However, since “S.SATO” is set for the logon account of the terminal usage information and “SUGIYAMA” is set for the logon account of the terminal usage information, the logon accounts do not match. In this case, it is determined that the terminal usage information and the application work content information do not match.

FIG. 17 is a diagram showing an unauthorized access detection process flow executed by the matching terminal 8 in the matching process of step S47 of FIG.
First, the administrator inputs the business server 4 to be designated as a target for the unauthorized access determination process by using the input unit 84 of the matching terminal 8 (step S51). The log data matching unit 86 determines whether the unauthorized access determination process for all designated business servers 4 has been completed (step S52). If there is a business server 4 that has not yet been subject to unauthorized access determination processing (step S52: NO), the log data matching unit 86 is not yet subject to unauthorized access determination processing among the designated business servers 4. One non-business server 4 is selected (step S53). Hereinafter, the selected business server is referred to as “selected business server”.

  The log data matching unit 86 completes the unauthorized access determination process for all the log data recorded in the selected business server, that is, all the log data stored in the information storage unit 83 in association with the information specifying the selected business server. It is determined whether or not (step S54). If there is log data that has not yet been subject to unauthorized access determination processing (step S54: NO), the log data matching unit 86 is stored in the information storage unit 83 in association with information that identifies the selected business server. Among the log data, one log data that has not yet been subject to unauthorized access determination processing is selected (step S55). Hereinafter, the selected log data is referred to as “selected log data”.

  The log data matching unit 86 searches the terminal usage information stored in the information storage unit 83 using the access destination server name in which the server name of the selected business server is set and the PC host name in the selected log data as search conditions. (Step S56). When the terminal usage information in which the access destination server name and the PC host name indicated by the search condition are not detected (step S57: NO), the log data matching unit 86 determines that the access is unauthorized (step S58). . The log data matching unit 86 displays that it is unauthorized access and the selected log data on the output unit 88 (step S59), and the matching processing unit 85 repeats the processing from step S54.

  In step S57, when terminal usage information in which the access destination server name and the PC host name indicated in the search condition are set is detected (step S57: YES), the application work content matching unit 87 detects the detected terminal usage. Among the information, terminal usage information in which the terminal usage start date and time and the terminal usage end date and time including the time zone obtained from the selected log data are searched (step S60). That is, the time zone indicated by the terminal usage start date and time and the terminal usage end date and time set in the terminal usage information includes the time zone indicated by the server usage start date and time and the server usage end date and time set in the selected log data. Find what you are doing.

  When the terminal usage information including the terminal usage start date and time and the terminal usage end date and time including the time zone obtained from the selection log data is detected (step S61: YES), the application work content matching unit 87 is detected. The application work content information stored in the information storage unit 83 is searched using the work ID, access server name, and logon account set in the terminal usage information as search conditions (step S62). When the application work content information in which the work ID, the access destination server name, and the logon account indicated in the search condition are set is detected (step S63: YES), the log data matching unit 86 determines that the access is normal (step). S64). The application work content matching unit 87 displays that the access is normal, selection log data, and terminal usage information detected in step S60 on the output unit 88 (step S65), and the matching processing unit 85 starts from step S54. Repeat the process.

  On the other hand, in step S61, when the terminal usage information including the terminal usage start date and time and the terminal usage end date and time including the time zone obtained from the selected log data is not detected (step S61: NO), the application work content The matching unit 87 determines that the access is unauthorized (step S58). The application work content matching unit 87 displays on the output unit 88 the unauthorized access, selection log data, and terminal usage information detected as a result of the search in step S56 (step S59). The processing from step S54 is repeated.

  In step S63, if the application work content information in which all of the work ID, the access destination server name, and the logon account indicated by the search condition are not detected (step S61: NO), the application work content matching unit 87 is determined to be unauthorized access (step S58). The application work content matching unit 87 displays on the output unit 88 the unauthorized access, selection log data, and terminal usage information detected as a result of the search in step S56 (step S59). The processing from step S54 is repeated.

In step S54, when the application work content matching unit 87 determines that the unauthorized access determination process for all log data recorded in the selected business server has been completed (step S54: YES), the process from step S52 is repeated.
In step S52, when the log data matching unit 86 determines that the unauthorized access determination process for all the designated business servers 4 has been completed (step S52: YES), the matching processing unit 85 ends the matching process. .

In the above embodiment, in step S23 of FIG. 13, the collation request unit 36 of the work terminal 3 sets only the work ID as information related to the work in the collation request, but in addition to the work ID or in the work ID Instead, other information included in the application work content information, such as access destination server name, logon account, application date / time, work subject, work content, work date / time, applicant name, applicant's charge, applicant's contact Destination, applicant's department, administrator's name, administrator's responsibility, administrator's contact information, administrator's department, worker's name, worker's responsibility, worker's contact information, worker's belonging One or more of the numbers of the documents related to the department and work may be set in the verification request. In this case, the input information receiving unit 35 of the work terminal 3 displays an information input screen including a field for inputting information to be set in the collation request. However, the logon account is the information entered at logon. Further, by including the operation table name and SQL usage information in the application information input in step S11, the operation table name and SQL usage information input on the information input screen may be set in the verification request. .
In step S24 of FIG. 13, the collation unit 66 of the work application server 6 sets the same information as the information set in the collation request, and the application work content information that is not associated with the information indicating used. Is detected, it is determined that the verification is successful.

Also, business process information may be set in the terminal usage information, application work content information, and log data, and these may be collated. For example, the work application server 6 receives, from the application terminal 1, application information further including operation table names and business process information indicating SQL operations performed on the operation table, and the work ID and the received application information Generate application work content information that has been set. In addition, the log data recording unit 43 of the business server 4 stores the name of the operation table operated by the business processing unit 42 in accordance with the business processing instruction received from the work terminal 3 and the business processing information indicating the SQL operation performed on the operation table. Log data further including
In step S60 of FIG. 17, the application work content matching unit 87 includes the terminal use start date and time including the time zone indicated by the server use start date and time and the server use end date and time of the selected log data among the detected terminal use information. The terminal usage information in which the terminal usage end date and time and the business process information of the selected log data are set is searched. Further, in step S62 in FIG. 17, the application work content matching unit 87 uses the work ID, access destination server name, logon account, and business process information set in the detected terminal usage information as the search conditions, as the information storage unit 83. The application work content information stored in is searched.

  In the above embodiment, the log data matching unit 86 of the matching terminal 8 determines whether each log data matches any terminal usage information, and then matches the log data in the application work content matching unit 87. Although it is determined whether the terminal usage information matches any application work content information, the unauthorized access detection process of the application work content matching unit 87 may be performed first. That is, the application work content matching unit 87 of the matching terminal 8 determines whether or not each terminal usage information matches any of the application work content information. If the application work content matching unit 87 detects terminal usage information that does not match any of the application work content information, the application work content matching unit 87 determines that the access is unauthorized, and that the terminal does not match any of the application work content information. The usage information is displayed on the output unit 88. Subsequently, the log data matching unit 86 determines whether or not each log data matches any of the terminal usage information determined by the application work content matching unit 87 to match any of the application work content information. . If they match, the log data matching unit 86 determines normal access, and if they do not match, determines that the access is unauthorized. When the log data matching unit 86 determines that the access is normal, the log data matching unit 86 displays the fact that the access is normal, the log data, and the terminal usage information that matches the log data on the output unit 88. The output unit 88 displays the access and log data that does not match any terminal usage information.

  In the above-described embodiment, the unauthorized access detection device 5 is configured by the work application server 6, the terminal usage information storage server 7, and the matching terminal 8. However, any two of these are configured by one computer device. All of these may be realized by a single computer device.

  Further, the connection from the application terminal 1 and the approval terminal 2 to the business server 4 may be regulated by an existing arbitrary technique. For example, a network that connects the application terminal 1, the approval terminal 2, and the work application server 6, and a network that connects the work terminal 3, the business server 4, the work application server 6, the terminal usage information storage server 7, and the matching terminal 8. The business server 4 may restrict access from the application terminal 1 and the approval terminal 2.

According to this embodiment described above, unauthorized use of the work terminal 3 can be suppressed, and it is possible to follow up whether or not the access from the work terminal 3 to the business server 4 is performed based on a correct work application. Become.
In the above-described embodiment, the work content is approved before the work is performed, and application work content information indicating the approved work content is held in the work application server 6. When using the work terminal 3, the worker inputs a part of the application work content information so that the input information does not match the application work content information held in the work application server 6 so that it cannot be used. There are restrictions. That is, every time access to the business server 4 is required, the use restriction of the work terminal 3 is released. As a result, an unauthorized access can be detected without the administrator having to perform access permission management for the work terminal 3 or the business server 4 or managing an unauthorized access pattern. Therefore, it is possible to prevent the occurrence of a security problem that a legitimate access is erroneously determined to be illegal or an unauthorized access is not detected due to an access permission or an illegal access pattern registration omission or omission.

Further, in the present embodiment, when logging on to the work terminal 3, screen transition is suppressed by performing full screen display and locking the screen, thereby restricting use. In order to release the screen lock, the worker must input all necessary information, and since the input information is compared with the application work content information, improper access by impersonation can be effectively suppressed. it can. In addition, since all necessary information can be entered by the operator, not only information to be collated to determine permission to use, but also information to be used as analysis information when unauthorized access is detected is entered and recorded. I can keep it. Therefore, it is possible to electronically record the contents related to the work that has been managed by the paper document.
In addition, by matching the terminal usage information recorded when the work terminal 3 is used after the work is performed with the application work content information registered at the time of the work application, the actual work content matches the requested work content. Therefore, it is possible to detect an unauthorized access and to improve the accuracy of unauthorized access determination.

As described above, according to this embodiment, it is not necessary to register an unauthorized access pattern, and unauthorized access can be detected in consideration of the purpose, so that security is improved.
Also, application work content information recorded in the work application server 6 before work, terminal usage information recorded in the work terminal 3 when the work is performed, and log data 3 recorded when the business server 4 receives access. Unauthorized access can be traced reliably by checking points.
Further, in the present embodiment, decision making and work trail record confirmation procedures necessary for the response to the SOX (Surface Oxley method) can be digitized, and the burden of human resources is reduced.

  The application terminal 1, the approval terminal 2, the work terminal 3, the business server 4, the work application server 6, the terminal usage information storage server 7, and the matching terminal 8 described above have a computer system therein. The browser processing unit 12 of the application terminal 1, the browser processing unit 22 of the approval terminal 2, the terminal management unit 34 and the business process instruction unit 39 of the work terminal 3, the business processing unit 42 of the business server 4, the log data recording unit 43, and Log data transmission unit 45, application acceptance unit 62 of work application server 6, approval processing unit 63, work ID issuing unit 64 application work content storage unit 65 and application work content information transmission unit 67, terminal use of terminal usage information storage server 7 The operations of the information receiving unit 72, the terminal usage information storage unit 73, and the information acquisition unit 82 and the matching processing unit 85 of the matching terminal 8 are stored in a computer-readable recording medium in the form of a program. The above processing is performed by the computer system reading and executing the program. The computer system here includes a CPU, various memories, an OS, and hardware such as peripheral devices.

Further, the “computer system” includes a homepage providing environment (or display environment) if a WWW system is used.
The “computer-readable recording medium” refers to a storage device such as a flexible medium, a magneto-optical disk, a portable medium such as a ROM and a CD-ROM, and a hard disk incorporated in a computer system. Furthermore, the “computer-readable recording medium” dynamically holds a program for a short time like a communication line when transmitting a program via a network such as the Internet or a communication line such as a telephone line. In this case, a volatile memory in a computer system serving as a server or a client in that case, and a program that holds a program for a certain period of time are also included. The program may be a program for realizing a part of the functions described above, and may be a program capable of realizing the functions described above in combination with a program already recorded in a computer system.

DESCRIPTION OF SYMBOLS 1 ... Application terminal 11, 21, 33, 41, 61, 71, 81 ... Communication part 12, 22 ... Browser process part 13, 23, 32 ... Display part 14, 24, 31, 84 ... Input part 2 ... Approval terminal 3 ... Work terminal 34 ... Terminal management unit 35 ... Input information receiving unit 36 ... Verification request unit 37 ... Screen lock release unit (regulation release unit)
38 ... Terminal usage information transfer unit 39 ... Business processing instruction unit 4 ... Business server (business processing device)
42 ... business processing unit 43 ... log data recording unit 44 ... log data storage unit 45 ... log data transmission unit 5 ... unauthorized access detection device 6 ... work application server 62 ... application acceptance unit 63 ... approval processing unit 64 ... work ID issuing unit 65 ... Application work content storage unit 66 ... Verification unit 67 ... Application work content information transmission unit 7 ... Terminal usage information storage server 72 ... Terminal usage information reception unit 73 ... Terminal usage information storage unit 74 ... Terminal usage information transmission unit 8 ... Collision Terminal 82 ... Information acquisition unit 83 ... Information storage unit 85 ... Matching processing unit 86 ... Log data matching unit 87 ... Application work content matching unit 88 ... Output unit 9 ... Network

Claims (7)

Application work content information indicating information related to permitted work, log data indicating information related to work generated in the business processing device and executed in the business processing device, generated in the work terminal, and the work terminal by the worker An information acquisition unit that acquires information about work input to the terminal and terminal usage information indicating information about work instructed to the business processing device at the work terminal;
The log data acquired by the information acquisition unit and the terminal usage information are collated to determine whether the information related to the work indicated by the log data matches the information related to the work indicated by the terminal usage information. A log data matching unit that detects unauthorized access based on the log data determined to have no matching terminal usage information;
The terminal usage information and the application work content information acquired by the information acquisition unit are collated, information on the input work indicated by the terminal usage information, and the permitted work indicated by the application work content information An application work content matching unit that detects unauthorized access based on the terminal usage information determined that there is no matching application work content information;
An unauthorized access detection device comprising: An unauthorized access detection system comprising an unauthorized access detection device, a work terminal that instructs work, and a business processing device that receives work instructions from the work terminal and executes work business processing,
The unauthorized access detection device includes:
An application work content storage unit for storing application work content information indicating information related to permitted work;
Log data indicating information related to work executed in the business processing device is acquired from the business processing device, information related to work input to the work terminal by the worker from the work terminal, and the business processing in the work terminal An information acquisition unit that acquires terminal usage information indicating information related to work instructed to the device;
The log data acquired by the information acquisition unit and the terminal usage information are collated to determine whether the information related to the work indicated by the log data matches the information related to the work indicated by the terminal usage information. A log data matching unit that detects unauthorized access based on the log data determined to have no matching terminal usage information;
The terminal usage information acquired by the information acquisition unit and the application work content information read from the application work content storage unit are collated, information on the input work indicated by the terminal usage information, and the application work content An application work content matching unit that determines whether the information on the permitted work indicated by the information matches, and detects unauthorized access based on the terminal usage information determined that there is no matching application work content information; ,
Comprising
An unauthorized access detection system characterized by that. The application work content information includes the identification information of the business processing device to be worked and the identification information of the worker,
The log data includes identification information of the work terminal that has instructed the work processing apparatus to perform work, a time when the access from the work terminal to the work processing apparatus is started, and a work time indicating the time when the access is completed. Including
The work terminal is
The identification information of the work processing device to be worked and the identification information of the worker inputted to the work terminal by the worker, the time when the worker starts using the work terminal, and the time when the use ends A terminal usage information transfer unit that generates terminal usage information including terminal usage time and identification information of the work terminal and transmits the generated terminal usage information to the unauthorized access detection device;
The log data matching unit is indicated by the log data of the business processing device specified by the identification information of the work terminal indicated by the terminal usage information and the identification information of the business processing device in the terminal usage information The work whose identification information of the work terminal matches and the time period from the start to the end of use of the work terminal indicated by the terminal use time in the terminal use information indicates the work time in the log data If it includes the time period from the start to the end of access from the terminal, it is determined to match,
The application work content matching unit includes the business processing device identification information and the worker identification information indicated by the terminal usage information, and the business processing device identification information and the worker indicated by the application work content information. If it matches the identification information of
The unauthorized access detection system according to claim 2. The work terminal is
A collation request unit that transmits information on the work input by the worker to the unauthorized access detection device;
When a collation success is received in response to information related to the work transmitted by the collation request unit, a regulation release unit that permits business processing, and
The unauthorized access detection device includes:
When the application work content information including information related to the work received from the work terminal is stored in the application work content storage unit, the information processing apparatus further includes a verification processing unit that notifies the work terminal of successful verification.
The unauthorized access detection system according to claim 2 or claim 3, wherein The work terminal is
A screen for inputting information related to the work is displayed on a full screen on a display unit, and further includes an input information receiving unit that receives the information related to the input work.
The restriction cancellation unit cancels the full screen display when the verification success is received in response to the information related to the work transmitted by the verification request unit.
The unauthorized access detection system according to claim 4. An unauthorized access detection method executed in an unauthorized access detection device,
The information acquisition unit generates application work content information indicating information related to permitted work, log data generated in the business processing apparatus and executed on the business processing apparatus, and generated in the work terminal. An information acquisition process for acquiring information about work input to the work terminal by a person and terminal usage information indicating information about work instructed to the business processing device at the work terminal;
A log data matching unit matches the log data acquired in the information acquisition process and the terminal usage information, and the information related to the work indicated by the log data and the information related to the work indicated by the terminal usage information are combined. A log data matching process for detecting unauthorized access based on the log data determined to determine whether there is no matching terminal usage information;
The application work content match is indicated by the application work content information and the input work content information indicated by the terminal usage information by matching the terminal usage information and the application work content information acquired in the information acquisition process. Application information matching process for detecting unauthorized access based on the terminal usage information determined that there is no matching application work content information;
An unauthorized access detection method comprising: A computer used as an unauthorized access detection device
Application work content information indicating information related to permitted work, log data indicating information related to work generated in the business processing device and executed in the business processing device, generated in the work terminal, and the work terminal by the worker An information acquisition unit that acquires information related to work input to the terminal and terminal usage information indicating information related to the work instructed to the business processing device in the work terminal;
The log data acquired by the information acquisition unit and the terminal usage information are collated to determine whether the information related to the work indicated by the log data matches the information related to the work indicated by the terminal usage information. A log data matching unit for detecting unauthorized access based on the log data determined to have no matching terminal usage information;
The terminal usage information and the application work content information acquired by the information acquisition unit are collated, information on the input work indicated by the terminal usage information, and the permitted work indicated by the application work content information Application work content matching unit that detects unauthorized access based on the terminal usage information determined that there is no matching application work content information,
A program characterized by functioning as

Images