JP2013084051A - Information processing device, method for referring to account information of external service, information processing system, control method, and program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To monitor employees' use situations of external services by analyzing communication data for the external services to reduce a risk such as information leakage.SOLUTION: An information processing device is configured to: analyze request data requested by a user from an external service by request analysis means 342; further, extract an account used for the external service as account information on the basis of a request definition information table 332 storing extraction condition from HTTP data, for analyzing response data to the external service by response analysis means 343; and after storing the account information in an account information table 334, refer to use situation information of a user using the external service by the account information search and display means 321 by using the account information and information such as a user name stored in a name table 335.

Description

  The present invention relates to a communication control method for centrally managing user account information registered in an external web service.

  In recent years, the use of WEB mail, SNS, etc. deployed on the Internet has expanded. Conventionally, there are many cases where uniform use is prohibited from the viewpoint of preventing information leakage, but there are many cases where the use is recommended after a certain use rule is defined.

  In order to use these services, there is usually a mechanism that allows only specific users to use the service by issuing and operating accounts for each service. It is cumbersome, especially when the services to be used are provided by different systems, it is also necessary to issue an account for each system, so the account registration work and management burden on the user side (or administrator side) In addition, there is a problem that an administrator who manages the usage status of a user's service requires a great deal of labor to manage which account the user uses the service.

Therefore, there is a method for solving this problem by constructing an ID management system for managing account information in an integrated manner and distributing the account information to the cooperation destination system. A technique for incorporating account information from an ID management system into an account information update screen and updating the account information to a cooperation destination system is disclosed. (For example, see Patent Document 1)
JP 2010-231721 A

  However, in the ID management system described in Patent Document 1, the workload is reduced as compared with the conventional method of starting the account information update screen provided in each of the linked systems and inputting the account information. Although it is possible to reduce the workload, to manage accounts using the ID management system, even for services that are free and privately used by the user, it may also lead to a sufficient reduction in workload. Absent.

  In particular, since the user is sufficiently assumed to be using many external services, the registration of account information each time may increase the workload as the registration amount increases. There are many problems that are difficult to achieve in order to manage users with obligations to report usage, such as omission of reports, concealment of reports, and troublesomeness of reporting work.

  However, employees can use the company's network to understand the actual activities such as what kind of activities they are doing on social network services such as external SNS, whether they are being used illegally, or there are any obstacles If this happens, it is necessary to grasp the account used to use the service (especially external service) of the user (employee, etc.) and monitor the usage status from the viewpoint of risk management, such as securing contact information for the user. It is done.

  The present invention has been made in order to solve the above-mentioned problems, and by analyzing communication data for external services, it is possible to monitor the use status of the external services of employees, so information leakage, etc. An object of the present invention is to provide an information processing apparatus, an external service account information reference method, an information processing system, a control method, and a program that can reduce risk.

  A first invention for achieving the above object relates to a storage means for storing conditions for extracting account information from communication data for an external service, and user identification information for uniquely identifying the user. User information storage means for storing and managing user information, request acquisition means for acquiring communication data of a request for the external service, and extraction stored in the storage means for communication data of a request acquired by the request acquisition means When the account information corresponding to the condition is acquired and the user information is included by the request analysis means for determining whether or not the account information is included in the user information stored in the user information storage means, and the request analysis means If it is determined, the user identification information and the account information are displayed. And account information display means for an information processing apparatus, characterized in that it comprises a.

  A second invention for achieving the above object is the information in which a client terminal that makes a request for an external service and an information processing apparatus that relays a request from the client terminal to the external service are connected via a network. In the processing system, the information processing apparatus relates to a user in association with storage means for storing conditions for extracting account information from communication data for the external service and user identification information for uniquely identifying the user. User information storage means for storing and managing user information, request acquisition means for acquiring communication data for requests of the external service, and extraction conditions stored in the storage means for communication data of requests acquired by the request acquisition means Acquired account information corresponding to the Request analysis means for determining whether the user information is stored in the user information stored in the user information storage means, and when the client terminal determines that the user information is included by the request analysis means, the user terminal An information processing system comprising: account information display means for displaying identification information and the account information.

  A third invention for achieving the above object is a method of referring to account information of an external service in an information processing apparatus, wherein the request acquisition means of the information processing apparatus acquires communication data of a request of the external service A storage means for storing a condition for extracting account information from communication data for an external service with respect to communication data for a response to a request for the external service with respect to communication data for a request acquired by the request acquisition step; A user stored in user information storage means for acquiring account information corresponding to the stored extraction condition and storing and managing user information related to the user in association with user identification information that uniquely identifies the user. Determine if it is included in the information An account information display step for displaying the user identification information and the account information when the request analysis step determines that the user information is included in the request analysis step. This is the reference method.

  A fourth invention for achieving the above object is a program readable and executable in an information processing apparatus, wherein the information processing apparatus includes a request acquisition means for acquiring communication data of a request for the external service. The account information corresponding to the extraction condition stored in the storage means for storing the condition for extracting the account information from the communication data for the external service is acquired for the communication data of the request acquired by the request acquisition means, and the account information is Request analysis means for determining whether or not user information stored in user information storage means for storing and managing user information related to the user in correspondence with user identification information for uniquely identifying the user, and the request If it is determined by the analysis means that the user information is included, Is a program for causing to function and account information display means for displaying the information and the account information.

  According to a fifth aspect of the invention for achieving the above object, there is provided information in which a client terminal that makes a request for an external service and an information processing device that relays a request from the client terminal to the external service are connected via a network. A processing system control method, wherein the information processing apparatus acquires a communication data of a request for the external service, and communicates with the external service with respect to the communication data of the request acquired by the request acquisition step. A user related to the user who acquires account information corresponding to the extraction condition stored in the storage means for storing the condition for extracting the account information from the data and corresponds to the user identification information that uniquely identifies the user. Stored in user information storage means for storing and managing information. A request analysis step for determining whether or not the user information is included in the received user information, and when the client terminal determines that the user information is included in the request analysis step, the user identification information and the account An information processing system control method characterized by executing an account information display step for displaying information.

  According to a sixth aspect of the invention for achieving the above object, there is provided information in which a client terminal that makes a request for an external service and an information processing apparatus that relays a request from the client terminal to the external service are connected via a network. A program executed in a processing system, wherein the information processing device is configured to acquire request communication data for a request for the external service, and the external service for the request communication data acquired by the request acquisition unit. The account information corresponding to the extraction condition stored in the storage means for storing the condition for extracting the account information from the communication data is acquired, and the account information is related to the user corresponding to the user identification information that uniquely identifies the user. User information storage for storing and managing user information Request analysis means for determining whether or not the user information stored in the means is included, and when the client terminal determines that the user information is included by the request analysis means, the user identification information And an account information display means for displaying the account information.

  According to the present invention, the user account of the external service is extracted from the communication data when requesting the service to the external service, and the user account and the internal user information are stored and managed in association with each other. By monitoring the usage status of external services, it is possible to reduce the risk of information leakage and the like.

It is a lineblock diagram showing a schematic structure of an information processing system concerning an embodiment of the present invention. It is a block diagram which shows schematic structure of the hardware of the various terminals which concern on embodiment of this invention. It is a block diagram which shows the function structure in the information processing system which concerns on embodiment of this invention. It is a block diagram of the screen in the external service according to the embodiment of the present invention. It is a flowchart which shows the WEB access analysis process in the information processing system which concerns on embodiment of this invention. It is a flowchart which shows the transmission data analysis process in the information processing system which concerns on embodiment of this invention. It is a flowchart which shows the reception data analysis process in the information processing system which concerns on embodiment of this invention. It is a flowchart which shows the email analysis process in the information processing system which concerns on embodiment of this invention. It is a block diagram which shows the structure of the input screen of WEB service definition information in embodiment of this invention. It is a block diagram which shows the structure of the input screen of request definition information in embodiment of this invention. It is a block diagram which shows the table structure of the WEB service definition information table in embodiment of this invention. It is a block diagram which shows the table structure of the request definition information table in embodiment of this invention. It is a block diagram which shows the structure of the input screen of notification mail analysis condition information in embodiment of this invention. It is a block diagram which shows the table structure of the notification mail definition information table in embodiment of this invention. It is a block diagram which shows the structure of the input screen of the conditions for searching the information regarding the account in embodiment of this invention. It is explanatory drawing for demonstrating an example of the email in embodiment of this invention. It is a block diagram which shows the table structure of the account definition information table in embodiment of this invention. It is a block diagram which shows the table structure of the name table in embodiment of this invention. It is a flowchart which shows the process which searches the information regarding the account in the information processing system which concerns on embodiment of this invention.

  Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings.

  FIG. 1 is a diagram illustrating an example of a system configuration according to an embodiment of the present invention. Note that the configurations of the various terminals shown in FIG. 1 are merely examples, and it goes without saying that there are various configuration examples depending on the purpose and application.

  As shown in FIG. 1, the information processing system 100 according to the present embodiment includes a client device 101, an administrator client device 102 used by a system administrator, an internal proxy server 104, and an internal mail server 105. These terminals are connected to each other via a local area network (LAN) 103 so as to communicate with each other, and are constructed as an internal system.

  Further, the client apparatus 101 is connected to at least one or more external services 107 via the wide area network 106 so as to communicate with each other. A firewall device (not shown) is installed between the LAN 103 and the wide area network 106, and communication control processing is performed according to a predetermined rule.

  The internal proxy server 104 is a relay server for using the external service 107 by the client apparatus 101, specifies HTTP communication contents between the client apparatus 101 and the external service 107, and various types described later according to the communication contents. Will be processed.

  The internal mail server 105 is a server device for relaying electronic mail by the client device 101, specifies the SMTP communication content of the client device 101, and performs various processes described later according to the communication content.

  The administrator client device 102 sets and manages the internal proxy server 104 and the internal mail server 105.

  Next, hardware configurations of various terminals of the client device 101, the administrator client device 102, the internal proxy server 104, and the internal mail server 105 in FIG. 1 will be described with reference to FIG.

  The CPU 201 comprehensively controls each device and controller connected to the system bus 204. In addition, the ROM 202 or the external memory 211 is provided with a BIOS (Basic Input / Output System) or an operating system program (hereinafter referred to as an OS), which is a control program for the CPU 201, or a function executed by each server or each client device. Various necessary programs to be described later are stored.

  The RAM 203 functions as a main memory, work area, and the like for the CPU 201. The CPU 201 implements various operations by loading a program necessary for execution of processing into the RAM 203 and executing the program.

  An input controller (input C) 205 controls input from a pointing device such as a keyboard 209 or a mouse (not shown). A video controller (VC) 206 controls display on a display device such as a CRT display (CRT) 210. The display device may be a liquid crystal display as well as a CRT.

  A memory controller (MC) 207 is a hard disk (HD), floppy disk (registered trademark FD) or PCMCIA card slot for storing boot programs, browser software, various applications, font data, user files, editing files, various data, and the like. Controls access to an external memory 211 such as a CompactFlash (registered trademark) memory connected via an adapter.

  A communication I / F controller (communication I / FC) 208 is connected to and communicates with an external device via a network, and executes communication control processing in the network. For example, Internet communication using TCP / IP is possible.

  Note that the CPU 201 enables display on the display device 210 by executing outline font rasterization processing on a display information area in the RAM 203, for example. Further, the CPU 201 enables a user instruction with a mouse cursor (not shown) on the display device 210.

  A program for executing the WEB access analysis process 112 and the e-mail analysis process 113 for realizing the present invention is stored in the external memory 211 and is executed by the CPU 201 by being loaded into the RAM 203 as necessary. Is done.

  Definition information and various information tables used by the WEB access analysis process 112 and the e-mail analysis process 113 according to the present invention are also stored in the external memory 211. Detailed description thereof will be described later.

  FIG. 3 is a schematic diagram showing functional configurations of the internal proxy server 104 and the internal mail server 105. As shown in FIG. 3, the internal proxy server 104 includes a setting information management unit 310 including a WEB service definition information setting unit 311, a request definition information setting unit 312, and a notification mail analysis condition setting unit 313.

  The WEB service definition information setting unit 311 is connected to the WEB service definition information table 331 of the storage unit 330 that includes definition information and various information tables used by the WEB access analysis process 112 and the e-mail analysis process 113.

  The WEB service definition information setting unit 311 receives input of WEB service definition information such as access destination information (explained in detail later) of the external web service, and sets (registers, modifies, deletes, etc.) the WEB service definition information in the WEB service definition information table 331.

  For example, the WEB service definition information setting unit 311 displays the WEB service definition information input screen 900 as shown in FIG. 9 on the display device 210 of the administrator client device 102 in order to accept the input of the WEB service definition information.

  FIG. 9 is a diagram illustrating an example of a web service definition information input screen displayed on the display device 210 of the administrator client device 102.

  In the input screen 900 shown in FIG. 9, controls for accepting input of items such as a name and URL indicating an access destination service are prepared as WEB service definition information. Various types of data input via the screen 900 are accepted as WEB service definition information.

  Reference numeral 901 denotes a WEB service selection field which is set so that an already registered WEB service can be selected. When the user corrects or deletes an already registered WEB service definition information, The WEB service to be deleted is selected in this selection field.

  Reference numeral 902 denotes a control for inputting or displaying the name of the WEB service, and reference numeral 903 is a control for inputting or displaying a URL indicating an access destination of an HTTP server that provides the WEB service.

  An add button 904 is used to add a new WEB service, an edit button 905 is used to modify the contents of an already registered WEB service, and a delete button 906 is used to delete a registered WEB service. It is a button used for.

  The WEB service definition information received from the user via the input screen 900 is registered in the WEB service definition information table 331 shown in FIG.

  FIG. 11 is a diagram showing an example of the configuration of the WEB service definition information table 331 used in the present invention. As shown in FIG. 11, the WEB service definition information table 331 stores a service ID 1101 for uniquely identifying a WEB service, a service name 1102 corresponding to the WEB service specified by the ID, and a URL 1103 for providing the service. ing.

  For example, it can be understood that the WEB service with the service ID 1101 is set to “Facebook” as the service name 1102 and “http://www.facebook.com/” as the URL 1103.

  The WEB service selection field 901 and the name 902 of the input screen 900 correspond to the service name 1102, and the URL 903 corresponds to the URL 1103.

  Returning to the description of FIG. The request definition information setting unit 312 illustrated in FIG. 3 is connected to the request definition information table 332 in the storage unit 330.

  The request definition information setting unit 312 specifies, for each WEB service, the structure of HTTP request data (hereinafter, request data), parameter information (details will be described later), HTTP, to specify an account to be used in the WEB service. The input of account information extraction conditions and the like is received from the response data type and HTTP response data (hereinafter referred to as response data), and the received information is registered in the request definition information table 332.

  In the present invention, an account used in the service is acquired, but if the information related to the account is displayed on the screen for the screen used when logging in to the service, the account is obtained from the request data. Get the.

  On the other hand, in the case of not using a screen at the time of login, it is difficult to acquire information related to the account from the request data. Therefore, information related to the account is acquired from the response data.

  In the latter case, for example, when the login state is stored in a cookie or the like, it becomes possible to start using the service without performing the login process. In this case, it is difficult to obtain information about the account from the request data. Therefore, information about the account is acquired from the response data.

  In addition, even in a mode in which information related to an account is displayed on the screen using a screen at the time of login, it is assumed that the information related to the account is encrypted and transmitted to each service as request data. In such an aspect, since it is difficult to acquire an account from request data, information about the account is acquired also from response data.

  Therefore, the present invention has a mode in which information related to an account is acquired from both request data and response data.

  In order to receive the request definition information, the request definition information setting unit 312 displays a request definition information input screen 1000 as shown in FIG. 10 on the display device 210 of the administrator client device 102, for example.

  FIG. 10 is a diagram illustrating an example of an input screen for request definition information displayed on the display device 210 of the administrator client device 102.

  The input screen 1000 shown in FIG. 10 includes, as request definition information, a service name indicating a service defined by the WEB service definition information setting unit 311, a URL, a type indicating a transmission data condition, an account information extraction condition, and received data. Controls for accepting input of items such as types representing conditions and account information extraction conditions are set.

  The request definition information input via this input screen 1000 is registered in the request definition information table 332 shown in FIG.

  Reference numeral 1001 denotes a control for selecting a WEB service for setting request definition information, and reference numeral 1002 denotes a URL display field, which provides individual functions of an HTTP server that provides the WEB service selected by the service name 1001. This is a field for inputting a URL to be entered.

  Reference numeral 1003 denotes a transmission data condition designation field, which is a control for designating data operations and conditions for the WEB service, and 1031 for transmitting account information to the WEB service designated by the service name 1001. This is a control for inputting or displaying a condition for specifying the requested data. When a request specified by the type 1031 is transmitted to the URL 1002, the request is acquired from the parameter specified by the extraction condition 1032. It is a control for performing input to specify information.

  For example, when the account information is extracted from the login operation for the WEB service, the account is entered in the URL 1002 for designating the URL for login, the type 1031 in order to designate the type of request to be transmitted such as POST or GET. In order to designate the extraction condition of the parameter name to which the information is given, it is input to the extraction condition 1032 respectively.

  Reference numeral 1004 denotes a received data condition designation field, which is a control for designating data acquired from the WEB service and its conditions. Reference numeral 1041 denotes a control for inputting or displaying the WEB service specified by the service name 1001 in order to specify a condition for receiving account information. In other words, a response obtained as a result of a request for the URL 1002 Type.

  Reference numeral 1042 denotes a control for inputting or displaying a condition for extracting account information from the response data.

  For example, when the account information is extracted from the page displaying the account information of the WEB service, the URL 1002 is specified to specify the URL of the page, and the type 1041 is specified to specify the type of received data such as HTML or JSON. Each is input to an extraction condition 1042 that specifies an extraction condition for extracting account information from the received data.

  An add button 1005 is used to add new request definition information, an edit button 1006 is used to modify the contents of registered request definition information, and a delete button 1007 is used to delete already registered request definition information. It is a button used at the time.

  FIG. 12 is a diagram showing an example of the configuration of the request definition information table used in the present invention. As shown in FIG. 12, the request definition information table 332 includes a service ID 1202, a URL 1203, a transmission condition data type 1204, a transmission data extraction condition 1205, a reception data type 1206, and a reception data extraction condition corresponding to each request ID 1201. 1207 is set.

  The service name 1102 of the input screen 1000 corresponds to the service name 1102 obtained by associating the service ID 1202 and the service ID 1101. The URL 1002, the type 1031, the extraction condition 1032, the type 1041, and the extraction condition 1042 are in this order. , URL 1203, transmission data type 1204, transmission data extraction condition 1205, reception data type 1206, and reception data extraction condition 1207, respectively.

  Returning to the description of FIG. The notification mail analysis condition setting means 313 shown in FIG. 3 is connected to the notification mail definition information table 333 in the storage unit 330.

  For each WEB service, the notification mail analysis condition setting unit 313 accepts input such as a notification mail condition and an account information extraction condition from the notification mail in order to specify an account from various notification mails transmitted from the WEB service. The received information is registered in the notification mail definition information table 333.

  In order to accept the notification mail analysis condition, the notification mail analysis condition setting unit 313 displays, for example, a notification mail analysis condition information input screen 1300 as shown in FIG. 13 on the display device 210 of the administrator client device 102.

  FIG. 13 is a diagram illustrating an example of a notification mail analysis condition information input screen displayed on the display device 210 of the administrator client device 102.

  In the input screen 1300 shown in FIG. 13, as the notification mail analysis condition information, the service name indicating the service defined by the WEB service definition information setting unit 311, the From address of the notification mail, the subject or the text of the notification mail, etc. Controls for accepting input of items such as an extraction target indicating where account information is extracted from, a condition format for extracting account conditions from the target character string, and extraction conditions are set.

  Then, the request definition information input through the input screen 1300 is registered in the notification mail definition information table 333 shown in FIG.

  1301 is a control for selecting a WEB service for setting notification mail analysis condition information, and 1302 is a sender condition designation field for notification mail, which specifies the From address of the notification mail transmitted from the WEB service. It is a control to do.

  Reference numeral 1303 denotes a notification mail subject condition designation field, which is a control for designating the subject of the notification mail transmitted from the WEB service.

  1304 is for designating which part the account information described in the notification mail that matches the conditions of the From address specified by the From address 1302 and the subject specified by the notification mail subject 1303 is the target. Control.

  Reference numeral 1305 denotes an extraction condition for extracting account information from the target character string designated by the extraction target 1304.

  For example, when a notification mail as shown in FIG. 16 is transmitted from the WEB service, “From Notification@sns.example.jp”, a notification mail subject 1303 is included in the From address 1302 as a condition for extracting account information. the "new messages", to the extraction target 1304, "body", "regular expression" to the format, the regular expression to extract a string of characters between the extraction conditions notification from the mail text "Hello" in the description of "Mr." "(? = Hello \ s *) [^ \ s] + (? = \ s * 's)" conditions, such as is specified in the regular expression 1305 as a condition by.

  An add button 1306 is used to add new notification mail analysis condition information, an edit button 1307 is used to modify the contents of registered notification mail analysis condition information, and a delete button 1308 is already registered. This button is used when deleting notification mail analysis condition information.

  FIG. 14 is a diagram showing an example of the notification mail definition information table used in the present invention. As shown in FIG. 14, in the notification mail definition information table 333, a service ID 1402, a FROM 1403, a subject 1404, a target 1405, and an extraction condition 1406 corresponding to each ID 1401 are set.

  The service name 1301 on the input screen 1300 corresponds to the service name 1102 obtained by associating the service ID 1402 and the service ID 1101, and includes a From address 1302, a notification mail subject 1303, an extraction target 1304, and a regular expression 1305. The FROM 1403, the subject 1404, the target 1405, and the extraction condition 1406 correspond in this order.

  Returning to the description of FIG. The account information search / display unit 321 shown in FIG. 3 is connected to the account information table 334 and the name table 335 of the storage unit 330.

  The account information search and display means 321 is stored in the request definition information table 332 and the notification mail definition information table 333 described above by the WEB access analysis processing unit 340 (detailed later) and the email analysis processing unit 350 (detailed later) of the present invention. According to the specified conditions, the result of extracting the account used for the WEB service is stored in the account information table 334, and the result that matches the condition specified by the administrator is extracted or displayed, or all cases are displayed.

  The account information search display means 321 displays an account information search condition information input screen 1500 as shown in FIG. 15, for example, on the display device 210 of the administrator client device 102 in order to accept account information search conditions.

  FIG. 15 is a diagram illustrating an example of a condition input screen for searching for account information displayed on the display device 210 of the administrator client device 102.

  The input screen 1500 shown in FIG. 15 shows the service defined by the WEB service definition information setting means as the WEB service user name, IP address, WEB service name, and WEB service account name mail notification mail analysis condition information. The service name is displayed.

  Reference numeral 1501 denotes a control for setting a search condition for narrowing account information to be displayed, and a search button 1502 is a button used when searching according to the condition set in the search condition 1501.

  Reference numeral 1508 denotes a display column that displays account information that matches the search condition specified by the search condition 1501.

  Each row of the display column 1508 represents one account information, a column 1503 is the name of the user who uses the WEB service, a column 1504 is the IP address of the client device 101 of the WEB service user, and a column 1505 is the mail of the WEB service user. An address display column, column 1506 is a WEB service name, and column 1507 is a column for displaying an account name used on the WEB service.

  Further, the internal proxy server 104 includes a request acquisition unit 341 that acquires request data for a WEB service, a request analysis unit 342 that analyzes the request data, and a response analysis unit 343 that analyzes response data for the request. A processing unit 340 is provided, and a WEB access analysis process 112 described later is executed.

  Furthermore, the internal mail server 105 includes an email analysis processing unit 350 including an email acquisition unit 351 that acquires an email to be referred to, and an email analysis unit 352 that analyzes the acquired email. An e-mail analysis process 113 described later is executed.

  Next, an example of the procedure of the WEB access analysis process 112 performed by the CPU 201 of the internal proxy server 104 will be described using the flowchart shown in FIG.

  At the time when the processing according to FIG. 5 is started, the client apparatus 101 is in a state where the web page provided by the external service 107 is accessible.

  First, in step S501, the request acquisition unit 341 supplements request data generated by the client apparatus 101 and transmitted to the external service 107. As a supplementary method, the URL 1103 of the WEB service definition information table 331 corresponding to the request URL of the connection destination included in the request data is acquired, and the service ID 1101 and the service name 1102 corresponding to the acquired URL 1103 are acquired.

  In step S502, when the request data is supplemented in step S501, the request analysis unit 342 further decomposes the request data into constituent elements (elements to be referred to in the subsequent processing).

  For example, a request parameter value is decomposed into tokens using an ampersand symbol as a delimiter, and each token is further decomposed into name-value pairs using = as a delimiter.

  Also, based on the content of the Content-Type header, Content-Length, or Transfer-Encoding header, the request body content is also analyzed and broken down into components.

  Next, in step S503, the request analysis unit 342 searches the request definition information table 332, the request URL set in the request data corresponds to the URL 1203 of any request definition information, and the transmission data type 1204 is one. Then, by determining whether or not the received data type 1206 is undefined, it is determined whether or not it is a transmission data analysis target.

  In step S504, if the request analysis unit 342 determines that it is a transmission data analysis target, the request analysis unit 342 proceeds to step S506, performs a transmission data analysis process (details will be described later), and determines that it is not a transmission data analysis target. In that case, the process proceeds to step S505.

  In step S505, the response analysis unit 343 determines whether the request URL set in the request data corresponds to the URL 1203 of any request definition information and matches the transmission data type 1204 and the reception data type 1206. Then, it is determined whether or not it is a received data analysis target.

  If the response analysis unit 343 determines that the received data is to be analyzed, the process proceeds to step S507 to perform a received data analysis process (described later in detail). The process proceeds to step S508.

  The above process is repeated until it is determined that the WEB access analysis process 112 has been completed (YES in step S508).

  The above is an example of the procedure of the WEB access analysis process performed by the CPU 201 of the internal proxy server 104.

  Next, the details of the transmission data analysis processing in step S506 in FIG. 5 will be described with reference to the flowchart shown in FIG. This process is performed by the CPU 201 of the internal proxy server 104.

  First, in step S601, the request analysis unit 342 extracts request data from the constituent elements of the request data obtained as a result of the request data analysis process in step S502 of FIG. 5, and then advances the process to step S602.

  In step S602, the request analysis unit 342 extracts from the request definition information table 332 the transmission data extraction condition 1205 of the request definition information that matches in step S503 in FIG.

  Next, in step S603, the request analysis unit 342 proceeds to step S604 if the account name can be extracted from the request data extracted in step S601 according to the transmission data extraction condition 1205 extracted in step S602. If the account name could not be extracted, this process ends.

  In the above description, the account name is extracted from the request data. As shown in the upper part of FIG. 4, the request data from the client device 101 includes information related to the screen used when logging in to the service. “User name” displayed on the screen is extracted as an example of the account name.

  In step S604, the request analysis unit 342 records the service ID 1701 and account name 1702 in the account information table 334 corresponding to the account name extracted in step S603 and the service ID 1202 of the request definition information matched in step S503 in FIG. In step S605, the request analysis unit 342 determines that it is a new account if there is no match.

  If it is determined that the account is a new account, the process proceeds to step S606, the detected account information is added to the account information table 334, and the process ends.

  The account information referred to in this step is the service ID 1202 of the request definition information matched in step S503 of FIG. 5 in step S604, the account name extracted in step S603, and the IP address of the client apparatus 101 that transmitted the request data (that is, step S603). And the authentication name of the client apparatus 101 that transmitted the request data (that is, the authentication name included in the request data in step S603), and the account information is account information in the order of description. The service ID 1701, the account name 1702, the IP address 1703, and the authentication name 1704 are stored in this order in the table 334.

  The authentication name is an authentication name used when the internal proxy server 104 authenticates the client apparatus 101. If the authentication is not performed, the authentication name is not included in the account information. Is not memorized.

  If it is determined in step S605 that there is a service ID and account name that match the service ID 1701 and account name 1702 in the account information table 334 and it is not determined that the account is a new account, this processing ends.

  FIG. 17 is a diagram showing an example of the account information table 334 used in the present invention. As shown in FIG. 17, the account information table 334 includes the service ID 1701 of the request definition information matched in step S503 of FIG. 5, the extracted account name 1702, the IP address 1703 of the client apparatus 101 that transmitted the request, and the internal proxy server 104. An authentication name 1704 and an e-mail address (details of acquisition method described later) 1705 obtained when the user is authenticated are set.

  The above is the detailed description of the transmission data analysis processing in step S506 in FIG.

  Next, details of the received data analysis processing in step S507 in FIG. 5 will be described with reference to the flowchart shown in FIG. FIG. 7 is performed by the CPU 201 of the internal proxy server 104.

  First, in step S701, the response analysis unit 343 extracts request data from the constituent elements of the request data obtained as a result of the request data analysis process in step S502 of FIG. 5, and then moves the process to step S702. .

  Thereafter, in step S702, the response analysis unit 343 continues to wait for response data until it determines that the response data for the request data extracted in step S701 has been received.

  In step S703, the response analysis unit 343 receives the response data from the external service 107. In step S704, the response analysis unit 343 receives the request definition information matched in step S503 in FIG. 5 from the request definition information table 332. The data extraction condition 1207 is taken out.

  Next, in step S705, the response analysis unit 343 proceeds to step S706 when the account name can be extracted from the response data received in step S703 in accordance with the reception data extraction condition 1207 extracted in step S704. If the account name could not be extracted, this process ends.

  In the above description, the account name is extracted from the response data. As shown in the lower part of FIG. 4, the response data from the service includes information about the screen for providing the service. As an example, “Taro Yamada” displayed on the screen is extracted.

  In step S706, the response analysis unit 343 searches the service ID 1701 and account name 1702 records in the account information table 334 corresponding to the account name extracted in step S705 and the request ID 1201 matched in step S503 in FIG. In S707, the response analysis unit 343 determines that it is a new account if there is no match.

  If it is determined that the account is a new account, the process proceeds to step S708. In step S708, the response analysis unit 343 adds the detected account information to the account information table 334, and ends the process.

  The account information in this step is the service ID 1202 of the request definition information matched in step S503 of FIG. 5 in step S706, the account name extracted in step S703, and the request data (or the destination of response data). The client apparatus 101 includes the IP address (that is, the IP address included in the response data in step S703). The account information includes, in the order of description, the service ID 1701, the account name 1702, and the IP address 1703 in the account information table 334. Are stored in this order.

  If there is a service ID and account name that match the account information table 334 in step S707 and it is not determined that the account is a new account (NO in step S707), the process ends.

  The above is the detailed description of the received data analysis processing in step S507 in FIG.

  Next, an example of the procedure of the e-mail analysis process 113 performed by the internal mail server 105 will be described with reference to the flowchart shown in FIG. This process is performed by the CPU 201 of the internal mail server 105.

  At the time when the processing according to FIG. 8 is started, the internal mail server 105 is in a state where the electronic mail transmitted by the external service 107 can be relayed or recorded.

  First, in step S <b> 801, the e-mail acquisition unit 351 acquires an e-mail transmitted by the external service 107. The income of the e-mail may be performed in real time when the relay process is performed, or the e-mail to be relayed may be recorded or stored, and the search or analysis process may be repeatedly executed afterwards.

  Next, in step S802, the e-mail analysis unit 352 determines whether the FROM address and subject of the e-mail acquired in step S801 match all or part of the FROM 1403 and subject 1404 of the notification mail definition information table 333. Search for.

  In step S803, if the e-mail analyzing unit 352 determines that the e-mail is a notification mail, the process proceeds to step S804. If it is determined that the e-mail analysis unit 352 is not a notification mail, the process proceeds to step S809.

  In step S804, the e-mail analysis unit 352 extracts the notification mail definition information extraction condition 1406 matched in step S803 from the notification mail definition information table 333, and advances the process to step S805.

  Next, in step S805, if the e-mail analyzing unit 352 can extract the account name from the e-mail acquired in step S801 in accordance with the extraction condition 1406 extracted in step S803, the e-mail analyzing unit 352 advances the process to step S806, If the name cannot be extracted, the process proceeds to step S809.

  In step S806, the e-mail analysis unit 352 searches for the record of the service ID 1701 and the account name 1702 in the account information table 334 corresponding to the account name extracted in step S805 and the service ID 1402 of the notification mail definition information matched in step S803. In step S807, if there is no match, the e-mail analysis unit 352 determines that the account is a new account.

  If it is determined that the account is a new account, the process proceeds to step S808, the detected account information is added to the account information table 334, and the process proceeds to step S809.

  The account information used in this step refers to the service ID 1402 of the matching notification mail definition information in step S803, the account name extracted in step S805, the mail address of the destination set in the e-mail acquired in step S801 (owned by each service) The account information is stored in the order of description in the order of service ID 1701, account name 1702, and mail address 1705 in the account information table 334.

  In step S807, if the service ID and the account name that match the account information table 334 exist in the e-mail analysis unit 352 and the new account is not determined, the e-mail analysis unit 352 advances the process to step S809.

  The above processing is repeated until it is determined that the e-mail analysis processing 113 has been completed.

  The above is an example of the procedure of the e-mail analysis process of the internal mail server 105.

  The WEB access analysis process 112 is processed by the CPU 201 of the internal proxy server 104, and the e-mail analysis process 113 is processed by the CPU 201 of the internal mail server 105.

  However, the WEB service definition information setting unit 311, the request definition information setting unit 312, and the notification mail analysis condition setting unit may be processed by any of the internal proxy server 104 and the internal mail server 105.

  Further, the WEB service definition information table 331, the request definition information table 332, and the notification mail definition information table 333 registered by these setting means only need to be accessible from the internal proxy server 104 and the internal mail server 105. It may be recorded in either the external memory 211 or the external memory 211 of the internal mail server 105.

  Further, the account information table 334 searched and registered from the WEB access analysis processing unit 340 and the e-mail analysis processing unit 350 may be accessible from the internal proxy server 104 and the internal mail server 105, and the external memory 211 of the internal proxy server 104, or It may be recorded in any of the external memories 211 of the internal mail server 105.

  Returning to FIG. 3, an example of the procedure in the account information search / display unit 321 will be described. The account information search / display unit 321 may be processed by the CPU 201 of either the internal proxy server 104 or the internal mail server 105.

  FIG. 19 is a flowchart illustrating an example of a processing procedure in the account information search / display unit 321.

  First, in step S1901, an initial search screen 1509 as shown in the lower part of FIG. 15 is displayed on the administrator client device 102. In step S1902, the search condition input from the administrator and search execution support are accepted. The search initial screen 1509 has the same function as that of the input screen 1500, and a description thereof will be omitted.

  In step S1903, the search instruction is accepted until a search execution instruction from the administrator is received (until the search button 1502 is pressed). If a search execution instruction is received from the administrator, the process proceeds to step S1904.

  In step S 1904, account information that matches the search condition input in the search condition 1501 is acquired from the account information table 334. If the search button 1502 is pressed and a search execution instruction is received without inputting the search condition, all account information in the account information table 334 is acquired.

  Steps S1905 to S1909 are repeated for each searched account information.

  In step S1906, if there is a record in the user name table 335 corresponding to the IP address, authentication name, and mail address included in each account information, the name information is acquired.

  FIG. 18 is a configuration diagram illustrating an example of the name table 335.

  As shown in FIG. 18, an employee CD 1801 for uniquely identifying a user in the internal system, a member CD 1802 for identifying the organization to which the user belongs, a name 1803 indicating the name of the user, and used for access authentication to the internal system. An authentication name 1804 indicating a user name, an IP address 1805 of the client apparatus 101 used in the internal system, and a mail address 1806 indicating a mail address used by the user are set.

  This is merely an example of the name table 335, and there may be information that associates user information related to the user such as an IP address or a mail address and user identification information such as the name of the user that can identify the user.

  If a record matching the IP address, authentication name, mail address, etc. cannot be retrieved from the name table 335, the process advances to step S1908.

  If there is account information and user identification information searched in step S1907 in step S1908, these are also displayed on the administrator client device 102 of the administrator.

  The above is repeated until there is no account information matching the search condition in step S1904.

  As described above, according to the present invention, the account information of the user of the external service is extracted from the communication data when requesting the service to the external service, and the account information of the user is associated with the internal user information. By managing the storage, it is possible to reduce the risk of information leakage, etc. by monitoring the usage status of the user's external service.

  In addition, the present invention can take the form of, for example, a system, apparatus, method, program, storage medium, or the like. Specifically, the present invention may be applied to a system including a plurality of devices. In addition, the present invention may be applied to an apparatus composed of a single device.

  In this case, the program itself read from the recording medium realizes the novel function of the present invention, and the recording medium storing the program constitutes the present invention. As a recording medium for supplying the program, for example, a flexible disk, hard disk, optical disk, magneto-optical disk, CD-ROM, CD-R, DVD-ROM, magnetic tape, nonvolatile memory card, ROM, EEPROM, silicon A disk or the like can be used.

  Further, by executing the program read by the computer, not only the functions of the above-described embodiments are realized, but also an OS or the like operating on the computer based on an instruction of the program is a part of the actual processing or It goes without saying that the case where the functions of the above-described embodiments are realized by performing all of the above processing is also included.

  Furthermore, after the program read from the recording medium is written to the memory provided in the function expansion board inserted into the computer or the function expansion unit connected to the computer, the function expansion board is based on the instructions of the program code. It goes without saying that the case where the CPU or the like provided in the function expansion unit performs part or all of the actual processing and the functions of the above-described embodiments are realized by the processing.

  Needless to say, the present invention can be applied to a case where the present invention is achieved by supplying a program to a system or apparatus. In this case, by reading a recording medium storing a program for achieving the present invention into the system or apparatus, the system or apparatus can enjoy the effects of the present invention.

  Furthermore, by downloading and reading a program for achieving the present invention from a server, database, etc. on a network using a communication program, the system or apparatus can enjoy the effects of the present invention. In addition, all the structures which combined each embodiment mentioned above and its modification are also included in this invention.

100 Information Processing System 101 Client Device 102 Client Device 103 Local Area Network (LAN)
104 internal proxy server 105 internal mail server 106 wide area network 107 external service 201 CPU
202 RAM
203 ROM
204 System Bus 205 Input Controller 206 Video Controller 207 Memory Controller 208 Communication I / F (Interface) Controller 209 Keyboard 210 Display Device 211 External Memory

Claims (11)

Storage means for storing conditions for extracting account information from communication data for an external service;
User information storage means for storing and managing user information related to the user in association with user identification information for uniquely identifying the user;
Request acquisition means for acquiring communication data of the request of the external service;
Whether the account information corresponding to the extraction condition stored in the storage unit is acquired for the communication data of the request acquired by the request acquisition unit, and is the account information included in the user information stored in the user information storage unit? Request analysis means for determining whether or not,
If it is determined by the request analysis means that user information is included, an account information display means for displaying the user identification information and the account information;
An information processing apparatus comprising:   Acquire account information corresponding to the extraction condition stored in the storage means for communication data of a response to the external service request, and whether the account information is included in the user information stored in the user information storage means The information processing apparatus according to claim 1, further comprising:   The information processing apparatus according to claim 1, wherein the communication data is HTTP data. The account information includes an IP address of a terminal making a request for the external service, and a user name used when authenticating access to the external service,
4. The user information storage unit stores the user information including an IP address of the terminal and an authentication name used when authenticating access to an internal system as the user information. The information processing apparatus described in 1.   The information processing apparatus according to claim 1, wherein the communication data is an e-mail. The account information includes an e-mail address used for e-mail,
The information processing apparatus according to claim 5, wherein the user information storage unit stores, as the user information, an email address used by a user included in the user information. An information processing system in which a client terminal that makes a request for an external service and an information processing apparatus that relays a request from the client terminal to the external service are connected via a network,
The information processing apparatus includes:
Storage means for storing conditions for extracting account information from communication data for the external service;
User information storage means for storing and managing user information related to the user in association with user identification information for uniquely identifying the user;
Request acquisition means for acquiring communication data of the request of the external service;
Whether the account information corresponding to the extraction condition stored in the storage unit is acquired for the communication data of the request acquired by the request acquisition unit, and is the account information included in the user information stored in the user information storage unit? Request analysis means for determining whether or not,
With
The client terminal is
If the request analysis means determines that user information is included, an account information display means for displaying the user identification information and the account information;
An information processing system comprising: A method of referring to account information of an external service in an information processing device,
The request acquisition unit of the information processing apparatus is a request acquisition step of acquiring communication data of the request for the external service,
The extraction condition stored in the storage means for storing the condition for extracting the account information from the communication data for the external service for the communication data of the response to the request for the external service for the communication data of the request acquired by the request acquisition step Whether the account information is included in the user information stored in the user information storage means for storing and managing the user information related to the user in correspondence with the user identification information for uniquely identifying the user by acquiring the corresponding account information Request analysis step for determining whether or not,
If the request analysis step determines that user information is included, an account information display step for displaying the user identification information and the account information;
A method for referring to account information of an external service, comprising: A program that can be read and executed in the information processing apparatus,
The information processing apparatus;
Request acquisition means for acquiring communication data of the request of the external service;
Acquire account information corresponding to the extraction condition stored in the storage means for storing the condition for extracting the account information from the communication data for the external service for the communication data of the request acquired by the request acquisition means, and the account information is the user Request analysis means for determining whether or not it is included in the user information stored in the user information storage means for storing and managing user information related to the user in association with user identification information for uniquely identifying
If it is determined by the request analysis means that user information is included, an account information display means for displaying the user identification information and the account information;
A program characterized by functioning. A control method of an information processing system in which a client terminal that makes a request for an external service and an information processing device that relays a request from the client terminal to the external service are connected via a network,
The information processing apparatus includes:
A request acquisition step of acquiring communication data of the external service request;
Acquire account information corresponding to the extraction condition stored in the storage means for storing the condition for extracting the account information from the communication data for the external service for the communication data of the request acquired by the request acquisition step, and the account information is A request analysis step for determining whether or not the user information stored in the user information storage means for storing and managing the user information related to the user in correspondence with the user identification information for uniquely identifying the user;
Run
The client terminal is
If the request analysis step determines that user information is included, an account information display step for displaying the user identification information and the account information;
The control method of the information processing system characterized by performing this. A program that is executed in an information processing system in which a client terminal that makes a request for an external service and an information processing device that relays a request from the client terminal to the external service are connected via a network,
The information processing apparatus;
Request acquisition means for acquiring communication data of the request of the external service;
Acquire account information corresponding to the extraction condition stored in the storage means for storing the condition for extracting the account information from the communication data for the external service with respect to the communication data of the request acquired by the request acquisition means, and the account information is A request analysis unit that determines whether or not the user information stored in the user information storage unit stores and manages user information related to the user in association with user identification information that uniquely identifies the user;
Function
The client terminal is
If the request analysis means determines that user information is included, an account information display means for displaying the user identification information and the account information;
A program characterized by functioning.

Images