JP2016071384A - Unauthorized access detection system, unauthorized access detection apparatus, unauthorized access detection method, and unauthorized access detection program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To reliably detect an unauthorized access by remote control.SOLUTION: An unauthorized access detection system includes: a machine-operation inspection apparatus which presents inspection data for inspecting a non-machine operation and having predetermined characteristics, to a terminal; and a characteristic observation apparatus which detects an unauthorized access from a remote-controlled terminal by detecting characteristics from network statistical information after presenting the inspection data to the terminal.SELECTED DRAWING: Figure 1

Description

  The present invention relates to an unauthorized access detection system, an unauthorized access detection device, an unauthorized access detection method, and an unauthorized access detection program for detecting unauthorized access, particularly unauthorized access by remote operation.

  Targeted attacks that attack specific targets are known. Targeted attack means that the terminal is infected with a malicious program by setting the URL (Uniform Resource Locator) of a website infected with malware to the target, or by sending malware to the target and executing it. Refers to an attack that is ultimately placed under control. An attacker performs an attack such as theft or destruction of information by attacking the inside of an organization from a terminal under control. Therefore, various measures are taken to prevent such attacks.

  For example, Patent Document 1 describes a technique for detecting unauthorized access by a machine by using a white list and CAPTCHA (Completely Automated Public Turing Test to Tell Computers and Humans Apart) authentication in combination. When an access request is made to an unregistered URL, humans can respond easily, but CAPTCHA authentication, which is difficult for a machine to answer, allows machine access (actually access performed by an attacker) Can be distinguished from human access. If it is determined that the access request has been made by a human, the URL for which the access request has been made is registered in the white list.

  In Patent Document 2, feature data is calculated based on access data, the feature data is compared with statistical model data to determine whether the access data is unknown abnormal data. A technique for passing the access data when it is not data is described.

JP2013-092998A (Page No. 9) Japanese Patent Laying-Open No. 2005-250802 (Page No. 9)

  However, with regard to the technology of Patent Document 1, in a situation where the terminal itself is already infected with malware, the attacker registers using the communication path infected with malware to enter the white list by inputting CAPTCHA It is not difficult in itself.

  In the case of Patent Document 1, CAPTCHA is presented to the user for access requests to all unregistered URLs without distinction between access requests by malware and access requests by human operations. Therefore, in order to actually restrict communication by malware, it is necessary for the user to understand that it is a CAPTCHA input request by malware when CAPTCHA is presented, and to determine that CAPTCHA is not input. However, there is an operational problem that it is very difficult to make this determination only with communication information.

  That is, with the technique of Patent Document 1, it is difficult to reliably detect unauthorized access by a remote operation such as a targeted attack.

  In addition, unauthorized access by remote control is characterized by avoiding unauthorized access detection by a security appliance such as IDS / IPS by behaving in the same manner as general traffic. In the above, IDS is an abbreviation for Intrusion Detection System, and IPS is an abbreviation for Intrusion Prevention System. For this, a technique such as performing communication by unauthorized access at an extremely low rate or sporadically, or causing communication by unauthorized access to be included in normal communication is used. Therefore, in the case of the technique of Patent Document 2, unknown abnormal data can be detected from the access data, but it is difficult to reliably detect the unauthorized access by remote operation because general access data remains.

  The present invention has been made in order to solve the above-described problem, and an unauthorized access detection system, an unauthorized access detection device, an unauthorized access detection method, and unauthorized access detection capable of reliably detecting unauthorized access by remote operation. The purpose is to provide a program.

  The unauthorized access detection system of the present invention is a machine operation inspection device that presents inspection data that is data for performing an inspection that is not an operation by a machine and has a predetermined characteristic to a terminal, and the inspection data to the terminal. A feature observation device for detecting unauthorized access by remote operation of the terminal by detecting the feature from the network statistical information after the presentation.

  The unauthorized access detection apparatus of the present invention is a machine operation inspection means for presenting inspection data having a predetermined characteristic to a terminal, which is data for performing inspection that is not an operation by a machine, and the inspection data to the terminal. And feature observing means for detecting unauthorized access by remote operation of the terminal by detecting the feature from the presented network statistical information.

  The unauthorized access detection method of the present invention is a network after presenting inspection data to a terminal, which is data for inspecting that it is not an operation by a machine and having a predetermined characteristic, and presenting the inspection data to the terminal By detecting the feature from statistical information, unauthorized access by remote operation of the terminal is detected.

  The unauthorized access detection program of the present invention is a machine operation inspection function for presenting to a terminal inspection data having predetermined characteristics, which is data for inspecting that the computer of the unauthorized access detection apparatus is not a machine operation. A program for executing a feature observation function for detecting unauthorized access by remote operation of the terminal by detecting the feature from network statistical information after the inspection data is presented to the terminal.

  According to the present invention, it is possible to reliably detect unauthorized access by remote operation.

It is a block diagram which shows the structural example of the unauthorized access detection system which concerns on the 1st Embodiment of this invention. It is a block diagram which shows the structural example of the switch shown by FIG. It is a block diagram which shows the structural example of the CAPTCHA presentation apparatus shown by FIG. It is a block diagram which shows the structural example of the characteristic observation apparatus shown by FIG. It is a flowchart which shows the operation example of the unauthorized access detection system shown by FIG. It is a 1st example of a picture of CAPTCHA displayed with the terminal shown in FIG. It is a 2nd example of a CAPTCHA image displayed with the terminal shown by FIG. It is a 3rd example of a CAPTCHA image displayed with the terminal shown by FIG. It is a block diagram which shows the structural example of the unauthorized access detection system which concerns on the 2nd Embodiment of this invention. It is a block diagram which shows the structural example of the mail transmission server shown by FIG. It is a flowchart which shows the operation example of the unauthorized access detection system shown by FIG.

[First Embodiment]
(Description of configuration)
FIG. 1 is a block diagram showing a configuration example of an unauthorized access detection system 10 according to the first embodiment of the present invention. The unauthorized access detection system 10 includes a local network 20 and an external network 30. The local network 20 is a network in an organization such as an intranet. The external network 30 is a network outside the organization such as the Internet, for example.

  The local network 20 includes a switch 100, a terminal 200, a CAPTCHA presentation device 300 (machine operation inspection device), a feature observation device 400, and a server 500.

  The switch 100 processes the packet. Terminal 200 is connected to switch 100. The CAPTCHA presenting apparatus 300 presents a CAPTCHA problem for judging the machine and the human to the terminal 200 in response to the access from the terminal 200, and determines whether or not the access is performed by a human operation. To do. The feature observation device 400 detects the feature of CAPTCHA presented by the CAPTCHA presentation device 300 (in other words, the feature of remote operation). Server 500 is accessed from terminal 200.

  FIG. 2 is a block diagram illustrating a configuration example of the switch 100. The switch 100 includes a packet receiving unit 110, a packet transfer unit 120, a communication rule storage unit 101, and a network statistical information storage unit 102.

  The packet receiving unit 110 receives a packet. The packet transfer unit 120 transfers the packet. The communication rule storage unit 101 stores packet communication rules. The network statistical information storage unit 102 stores network statistical information about packets processed by the switch 100. The network statistics information includes packet communication logs (for example, the number of received or transmitted packets, the number of received or transmitted bytes, the number of discarded packets, the number of errors, etc.).

  The switch 100 may be a general switch, or may be an OpenFlow switch or the like. The switch 100 can also be configured by other devices that can execute packet processing, for example, a network appliance such as a proxy or a firewall.

  The terminal 200 is, for example, a client PC (Personal Computer). The user operates the terminal 200 to input an answer to CAPTCHA presented from the CAPTCHA presentation device 300. The terminal 200 can communicate with the server. 1 shows a state in which the terminal 200 is directly connected to the switch 100, the switch 100 and the terminal 200 may be connected via one or more other switches.

  FIG. 3 is a block diagram illustrating a configuration example of the CAPTCHA presentation device 300. The CAPTCHA presentation device 300 includes a CAPTCHA generation unit 310, a CAPTCHA transmission unit 320, a CAPTCHA reception unit 330, and a CAPTCHA determination unit 340.

  The CAPTCHA generation unit 310 generates CAPTCHA. The CAPTCHA transmission unit 320 transmits the generated CAPTCHA to the terminal 200. The CAPTCHA receiving unit 330 receives a CAPTCHA answer transmitted from the terminal 200. The CAPTCHA determination unit 340 determines the received CAPTCHA answer.

  The CAPTCHA presented in the present embodiment is composed of characters, images, animations by moving images and rendering by program codes, audio files, and the like.

  When the user of terminal 200 makes a reply to CAPTCHA, since the reply is made to the received data, another new communication does not occur due to the presentation of CAPTCHA. On the other hand, when replying to CAPTCHA by remote operation from the external network 30, it is necessary to transfer data such as video and audio from the terminal 200 to the remote operation source or to transfer the screen of the terminal 200. There is a feature that communication is required.

  Therefore, CAPTCHA presented in the present embodiment is, for example, CAPTCHA characterized by requesting key input or click operation in accordance with the timing displayed on the screen, or after shortening the input time limit, CAPTCHA or the like that requests input of characters to be displayed by presenting a huge image, sound, moving image, or the like.

  FIG. 4 is a block diagram illustrating a configuration example of the feature observation apparatus 400. The feature observation apparatus 400 includes an acquisition unit 410, a feature detection unit 420, and a notification unit 430.

  The acquisition unit 410 acquires network statistical information from the network statistical information storage unit 102 of the switch 100.

  The feature detection unit 420 detects the CAPTCHA feature from the communication log of the packet transmitted from the terminal 200 to the external network 30 included in the acquired network statistical information.

  Here, the features of CAPTCHA include an increase in packet transmission rate and traffic volume. When the CAPTCHA feature is detected, the feature detection unit 420 determines that the terminal 200 is remotely operated. When replying to CAPTCHA by remote operation, CAPTCHA is transmitted to the external network 30. Therefore, the feature detection unit 420 captures, for example, the number of transmission packets in the network statistical information and an increase in traffic as CAPTCHA features.

  By the way, there is a case where a communication service by regular remote access such as VPN (Virtual Private Network) is provided from the organization to the user. Even in the case of such a regular communication service, communication from the local network 20 to the external network 30 occurs. Therefore, for example, by adding communication via the regular communication service to the white list, it is possible to distinguish between communication by the regular communication service and remote operation.

  When the feature detection unit 420 detects a CAPTCHA feature, the notification unit 430 notifies unauthorized communication detection to a predetermined communication partner (for example, the switch 100, the controller, or the network management system).

The server 500 provides a predetermined service to the terminal 200 through the local network 20.
(Description of operation)
FIG. 5 is a flowchart showing an operation example of the unauthorized access detection system 10 (unauthorized access detection processing procedure executed in the unauthorized access detection system 10). In the following, a case will be described in which the terminal 200 starts communication with the server 500 by remote operation, CAPTCHA is presented by the CAPTCHA presentation device 300, and remote operation is detected by the feature observation device 400. .

  The switch 100 receives a communication packet generated by the terminal 200 via the packet receiving unit 110 (step S1).

  The switch 100 determines whether the communication rule of the received packet matches the communication rule stored in the communication rule storage unit 101 (step S2).

  When the communication rule matches (Yes in step S2), the switch 100 processes the packet based on the action described in the matched communication rule (step S3).

  On the other hand, when the communication rules do not match (No in step S2), CAPTCHA presentation apparatus 300 presents CAPTCHA generated by CAPTCHA generation unit 310 to terminal 200 via CAPTCHA transmission unit 320 (step S4). ).

  Here, CAPTCHA generated by the CAPTCHA generation unit 310 will be described. CAPTCHA preferably has a mark that allows observation in the network. Here, the mark is, for example, the number of packets per unit time, traffic volume, or data size. The mark may be a specific character string or pattern embedded in the data.

  For example, the CAPTCHA is preferably CAPTCHA that requires a short response time such as 1 second or less, or CAPTCHA that requires a large communication band such as 10 Mbps (bits per second) or more. The reason is that the remote operation has a feature that a communication delay is larger than that of the normal operation and a communication band is smaller than that of the normal operation, and the response to the CAPTCHA having the above-mentioned features is remotely operated. This is because it is difficult to do this.

  In addition, for example, the CAPTCHA may be a CAPTCHA that requests that an operation that is timed in accordance with an instruction by an animation displayed on the screen be performed at a response speed of, for example, 50 ms or less. Alternatively, the CAPTCHA may be a CAPTCHA that requires a large communication band constituted by large data such as a huge still image or moving image.

  First, CAPTCHA composed of large data will be described with reference to FIG. The image example shown in FIG. 6 is a general CAPTCHA image example in which it is difficult for the machine to read automatically by distorting characters and numbers and further obscuring a part thereof.

  In this embodiment, CAPTCHA having a large data size is created by embedding unnecessary data in the non-display area or increasing the vertical and horizontal widths of the image in the file of the image example. Alternatively, the CAPTCHA having a large data size is created by converting the file format to a moving image file format or by embedding the file of FIG. 6 in a part of another moving image file. Here, the “file having a large data size” refers to a file that requires a sufficient time for transfer with respect to the throughput of the external network 30. For example, a file with a large data size has a throughput of 100 Mbps within the local network 20 and is within 30 seconds for CAPTCHA in an environment where the throughput between the external network 30 and the local network 20 is 10 Mbps. This is a CAPTCHA of a file volume of 100 Mbytes or more that requires a time of 1 minute or more for transfer when making a response. The image file or moving image file subjected to any of the above-described data size expansion processing is presented to the user. CAPTCHA requests the user to read characters and numbers displayed in the files and input the same character string. The feature observation apparatus 400 determines the correct answer. In the example illustrated in FIG. 6, the feature observation apparatus 400 determines that the answer is correct by receiving a character string “key time pie” as a response.

  Next, CAPTCHA that requests an operation that is timed according to an instruction displayed on the screen will be described with reference to FIGS. In the example shown in FIG. 7 and FIG. 8, an image of a character string that is difficult to be automatically read by a machine is presented, and characters and timing to be input are represented by a frame, and the frame is displayed at the timing when the character and the frame overlap. Enter the characters inside. Specifically, no input is performed at the timing when the character string image is simply displayed (see FIG. 7), and the character “p” at the timing when the character example image is displayed and at the position overlapping the frame in the character string. In addition, it is determined that the answer is correct only if it is returned within a prescribed time. The specified time allowing an input timing error is preferably smaller than a low-latency response (that is, an access delay from the external network 30 to the local network 20). For example, when the communication delay in the local network 20 is 10 ms and the communication delay between the external network 30 and the local network 20 is 100 ms or more, the specified time allowing the input timing error is from the external network 30. 50 ms, which is shorter than the communication delay. In the above description, the case where the input timing is expressed by a frame is exemplified, but the method of instructing the timing of each character is not limited to the above. For example, a method of changing the color of a character requesting input Or a highlighted display method.

  By presenting CAPTCHA having the characteristics as described above, input by a machine and input by remote operation become difficult.

  The description of FIG. 5 is resumed. In terminal 200, the user inputs an answer to the displayed CAPTCHA (step S5). The terminal 200 transmits the CAPTCHA answer input by the user to the CAPTCHA presentation device 300.

  In the CAPTCHA presentation device 300, the CAPTCHA determination unit 340 determines the CAPTCHA answer (step S6). If it is determined that the CAPTCHA answer is incorrect (NG in step S6), the process in step S4 is executed again.

  On the other hand, when it is determined that the CAPTCHA answer is correct (OK in step S6), the feature observation device 400 performs CAPTCHA feature detection (step S7). Specifically, the acquisition unit 410 of the feature observation device 400 acquires network statistical information from the network statistical information storage unit 102 of the switch 100. Next, the feature detection unit 420 of the feature observation apparatus 400 detects the feature of CAPTCHA from the communication log of the packet transmitted from the terminal 200 to the external network 30 included in the acquired network statistical information.

  Here, the characteristics of CAPTCHA are, for example, characteristic packets and traffic. The feature detection unit 420 of the feature observation apparatus 400 increases the number of packets per unit time and the traffic amount to the external network 30 after presentation of CAPTCHA from the network statistical information describing the amount, rate, size, and the like of packets. Detect as a feature.

  For example, if the presented CAPTCHA is a CAPTCHA that is displayed on the screen and performs operations in accordance with the instructions, the feature detection unit 420 performs 10 packets (10 pps) or more per second from the terminal 200 to the external network 30. If there is transmission, it is detected as a feature of CAPTCHA. In the above, pps is an abbreviation for Packet Per Second.

  On the other hand, when the presented CAPTCHA is a moving image CAPTCHA, the feature detection unit 420 transmits traffic with a throughput of 1 Mbps or more for communication from the terminal to the external network 30 in communication between the terminal 200 and the terminal on the external network 30. When it flows, it is detected as a feature of CAPTCHA.

If the CAPTCHA feature is not detected (No in step S7), the communication is permitted and the packet is transferred (step S9). On the other hand, when the CAPTCHA feature is detected (Yes in step S7), the communication is blocked (step S8). Specifically, the notification unit 430 of the feature observation device 400 notifies unauthorized access detection to a predetermined communication partner (for example, a network management system). The communication partner receiving the notification determines that the terminal 200 is remotely operated from the external network 30 and blocks unauthorized access by performing unauthorized access block processing such as communication block processing of the terminal 200 on the switch 100. I do.
(Explanation of effect)
Unauthorized access by remote operation is characterized in that communication from the external network 30 to the terminal 200 in the local network 20 causes the external network 30 having a bandwidth smaller than that of the local network 20 to become a bottleneck, resulting in no throughput. Further, unauthorized access by remote operation has a feature that a large communication delay occurs because communication is performed via a remotely operated terminal.

  Therefore, the present embodiment presents CAPTCHA having a feature that requires high throughput and low latency as a response to access authentication within the local network 20. By presenting such CAPTCHA, there is a feature that no packet loss or delay occurs in the reply within the local network 20 but packet loss or delay occurs when replying from the external network 30. In the present embodiment, it is possible to determine that the terminal 200 is remotely operated from the external network 30 by capturing the above characteristics from the network statistical information.

  That is, according to the first embodiment described above, it is possible to reliably detect unauthorized access by remote operation.

  Furthermore, since the above feature can detect unauthorized access only from external information such as network statistical information, that is, packet quantity and rate, a complicated configuration for confirming the contents of the packet is not required. is there. Therefore, according to the first embodiment described above, it is possible to reliably detect unauthorized access by remote operation with a simple and low-cost configuration.

  In the unauthorized access detection system 10 shown in FIG. 1, the constituent elements other than the constituent elements (CAPTCHA presentation device 300 and the feature observation device 400) surrounded by a thick line are not essential constituent elements. That is, even when the unauthorized access detection system 10 includes only the CAPTCHA presentation device 300 and the feature observation device 400, the same effect as described above can be obtained.

Further, each of the CAPTCHA presentation device 300 and the feature observation device 400 is not handled as an individual device, but is treated as an individual processing unit (for example, a CAPTCHA presentation unit and a feature observation) in one device (for example, an unauthorized access detection device). Means).
[Second Embodiment]
In the first embodiment, an example of detecting unauthorized access to a communication packet has been described as an example. However, as described below, it is also possible to detect unauthorized access with respect to transmission of mail. is there.
(Description of configuration)
FIG. 9 is a block diagram showing a configuration example of an unauthorized access detection system 700 according to the second embodiment of the present invention. The only difference in configuration of the unauthorized access detection system 700 from the unauthorized access detection system 10 of the first embodiment shown in FIG. 1 is that the server 500 is changed to the mail transmission server 600. Other configurations of the unauthorized access detection system 700 are the same as those of the unauthorized access detection system 10.

FIG. 10 is a block diagram illustrating a configuration example of the mail transmission server 600. The mail transmission server 600 includes a mail transmission rule storage unit 601, a terminal connection unit 610, a CAPTCHA presentation device connection unit 620, a feature observation device connection unit 630, and a mail transmission unit 640.
(Description of operation)
FIG. 11 is a flowchart illustrating an operation example of the unauthorized access detection system 700 when the terminal 200 transmits an email.

  The switch 100 receives the mail transmitted from the terminal 200 (step S21). The mail received by the switch 100 is transferred to the mail transmission server 600.

  The mail transmission server 600 determines whether or not the rule for the received mail destination matches the rule stored in the mail transmission rule storage unit 501 (step S22). If the rules match (Yes in step S22), the mail transmission unit 540 processes the mail based on the action described in the rule (step S23). On the other hand, if the rules do not match (No in step S22), the CAPTCHA presentation device 300 presents the CAPTCHA generated by the CAPTCHA generation unit 310 to the terminal 200 via the CAPTCHA transmission unit 320 (step S24). . Here, the CAPTCHA presented to the terminal 200 is equivalent to the first embodiment.

  In terminal 200, the user inputs an answer to the displayed CAPTCHA (step S25). The terminal 200 transmits the CAPTCHA answer input by the user to the CAPTCHA presentation device 300.

  In the CAPTCHA presentation device 300, the CAPTCHA determination unit 340 determines the CAPTCHA answer (step S26). When it is determined that the CAPTCHA answer is incorrect (NG in step S26), the process of step S24 is executed again.

  On the other hand, when it is determined that the CAPTCHA answer is correct (OK in step S26), the feature observation device 400 performs CAPTCHA feature detection (step S27). Specifically, the acquisition unit 410 of the feature observation device 400 acquires network statistical information from the network statistical information storage unit 102 of the switch 100. Next, the feature detection unit 420 of the feature observation apparatus 400 detects the feature of CAPTCHA from the communication log of the packet transmitted from the terminal 200 to the external network 30 included in the acquired network statistical information.

  If the CAPTCHA feature is not detected (No in step S27), the mail is transferred (step S29). Specifically, the notification unit 430 of the feature observation device 400 notifies the feature observation device connection unit 530 of the mail transmission server 600 of “mail transmission permission information”. The feature observation device connection unit 630 adds a mail destination permission rule to the mail transmission rule storage unit 601. The mail transmission unit 640 performs mail transmission processing.

On the other hand, when the CAPTCHA feature is detected (Yes in step S27), the mail is blocked (step S28). Specifically, the notification unit 430 notifies the feature observation apparatus connection unit 630 of “mail transmission blocking information”. The feature observation device connection unit 630 adds a mail destination block rule to the mail transmission rule storage unit 601. As a result, it is possible to block unauthorized mail transmission processing by remote control.
(Explanation of effect)
In the mail transmission server 600 according to the second embodiment described above, the remote operation detection process similar to that of the first embodiment is performed at the time of mail transmission. It becomes possible to detect.

  In the second embodiment described above, the case where the remote operation detection process is executed at the time of mail transmission is exemplified, but the remote operation detection process is not limited to the time of mail transmission. For example, a file server or a web server can be connected to the switch 100 shown in FIG. And it is possible to detect remote operation by presenting CAPTCHA and detecting features for operations when sending files to the file server or when sending information from web server forms, etc. It is.

  A program for realizing all or part of the functions of the embodiments described above is recorded on a computer-readable recording medium. The program recorded on the recording medium is read and executed by the computer system.

  As an example of the “computer system”, for example, a CPU (Central Processing Unit) can be cited.

  The “computer-readable recording medium” is, for example, a non-transitory storage device. Examples of non-temporary storage devices include a magneto-optical disk, a ROM (Read Only Memory), a portable medium such as a nonvolatile semiconductor memory, and a hard disk built in a computer system. The “computer-readable recording medium” may be a temporary storage device. As an example of a temporary storage device, for example, a communication line in the case of transmitting a program via a network such as the Internet or a communication line such as a telephone line, or a volatile memory inside a computer system can be cited.

  Further, the program may be for realizing a part of the above-described functions, and may be capable of realizing the above-described functions in combination with a program already recorded in the computer system. .

  As mentioned above, although this invention was demonstrated using each embodiment, the technical scope of this invention is not limited to description of said each embodiment. It is obvious to those skilled in the art that various modifications or improvements can be added to the above embodiments. Therefore, it is needless to say that embodiments with such changes or improvements are also included in the technical scope of the present invention. The numerical values and names of the components used in the embodiments described above are illustrative and can be changed as appropriate.

DESCRIPTION OF SYMBOLS 10 Unauthorized access detection system 20 Local network 30 External network 100 Switch 101 Communication rule memory | storage part 102 Network statistical information memory | storage part 110 Packet receiving part 120 Packet transfer part 200 Terminal 300 CAPTCHA presentation apparatus 310 CAPTCHA production | generation part 320 CAPTCHA transmission part 330 CAPTCHA receiving part 340 CAPTCHA determination unit 400 feature observation device 410 acquisition unit 420 feature detection unit 430 notification unit 500 server 600 mail transmission server 601 mail transmission rule storage unit 610 terminal connection unit 620 CAPTCHA presentation device connection unit 630 feature observation device connection unit 640 mail transmission unit 700 Unauthorized access detection system

Claims (10)

A machine operation inspection device that presents inspection data that is data for performing inspections that are not operations by the machine and that have predetermined characteristics to the terminal;
An unauthorized access detection system comprising: a feature observation device that detects unauthorized access by remote operation of the terminal by detecting the feature from network statistical information after the inspection data is presented to the terminal.   The unauthorized access detection system according to claim 1, wherein the feature observation device detects at least one change among a packet communication amount, a communication rate, and a data size as the feature.   The unauthorized access detection system according to claim 1, wherein the machine operation inspection device adds a mark for observing the feature to the inspection data.   The machine operation inspection device generates the inspection data in which the mark is the number of packets per unit time, and the feature observation device detects an increase in the number of packets per unit time as the feature. The unauthorized access detection system according to claim 3.   4. The unauthorized access detection according to claim 3, wherein the machine operation inspection device generates the inspection data in which the mark is a traffic amount, and the feature observation device detects an increase in traffic amount as the feature. system. The machine operation inspection device presents the inspection data to the terminal before mail transmission,
6. The unauthorized access detection system according to claim 1, wherein, when the feature observation device detects the feature, the feature observation device blocks unauthorized mail transmission by remote operation of the terminal. The machine operation inspection device presents the inspection data to the terminal before file transmission,
The unauthorized access detection system according to any one of claims 1 to 5, wherein when the feature is detected, the feature observation device blocks unauthorized file transmission by remote operation of the terminal. Machine operation inspection means for presenting to the terminal inspection data having predetermined characteristics, which is data for inspecting that the operation is not performed by a machine;
An unauthorized access detection device comprising: feature observing means for detecting unauthorized access by remote operation of the terminal by detecting the feature from network statistical information after the inspection data is presented to the terminal. It is data for inspecting that it is not an operation by a machine, and presents inspection data having predetermined characteristics to the terminal,
An unauthorized access detection method, wherein unauthorized access by remote operation of the terminal is detected by detecting the feature from network statistical information after the inspection data is presented to the terminal. In the computer of the unauthorized access detection device,
A machine operation inspection function for presenting inspection data to a terminal, which is data for inspecting that the operation is not performed by a machine and having predetermined characteristics;
An unauthorized access detection program for executing a feature observation function for detecting unauthorized access by remote operation of the terminal by detecting the feature from network statistical information after presenting the inspection data to the terminal.

Images