JP2016162000A - User monitoring system - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a user monitoring system capable of detecting even in the case that an unauthorized user operates a terminal except when a user is authenticated in a predetermined cycle.SOLUTION: A user monitoring system for monitoring a user who operates a terminal is configured to acquire the authentication information of the user from the user in a fixed cycle in at least a partial period in which the user operates a terminal 10, and to determine whether or not the acquired authentication information of the user is the authentication information of an authorized user each time the authentication information of the user is acquired in the fixed cycle, and to change a cycle for acquiring the authentication information of the user when detecting a change in the state of the input operation of the user in the terminal 10.SELECTED DRAWING: Figure 1

Description

  The present invention relates to a user monitoring system for monitoring a user who operates a computer terminal.

  Conventionally, as a method for confirming whether a user operating a computer terminal such as a personal computer has changed to an unauthorized person during the operation, there is a method as disclosed in Patent Document 1, for example. In the method disclosed in Patent Document 1, first, (legitimate) user face image data is registered before using a computer terminal. Then, the registered face image data is compared with the user's face image data captured by the camera every predetermined period while the user is using the terminal. If it is determined that these face image data are different, the terminal is locked so that the terminal cannot be used.

JP 2008-97647 A

  However, the method disclosed in Patent Document 1 cannot detect fraud in the following cases. That is, for example, when the N-th imaging is performed, the legitimate user A operates the terminal, but before the N + 1th imaging is performed, the unauthorized user B operates the terminal until the legitimate user A operates the terminal. This is a case where the user A returns and operates the terminal. That is, as long as a legitimate user A operates the terminal at the time when the N-th and (N + 1) -th imaging is performed, even if an unauthorized user performs an operation during that time, it cannot be detected.

  The present invention has been made in view of the above problems, and provides a user monitoring system that can detect even when an unauthorized user operates a terminal other than during a period of user authentication. For the purpose.

  In order to solve the above-described problem, an aspect of the present invention is a user monitoring system that monitors a user who operates a terminal, wherein the user operates at a constant cycle in at least a part of a period in which the user operates the terminal. The authentication information acquisition unit that acquires the user authentication information from the authentication information acquisition unit, and the authentication information acquisition unit acquires the user authentication information at regular intervals, so that the user authentication information is valid user authentication information. When the authentication unit that determines whether the input device monitoring unit detects a change in the state of the user's input operation in the terminal, and the input device monitoring unit detects a change in the state of the user's input operation, A timing change unit that changes the period for acquiring the authentication information in the authentication information acquisition unit.

  Another aspect of the present invention is a method executed by a user monitoring system that includes an authentication information acquisition unit, an authentication unit, an input device monitoring unit, and a timing changing unit, and monitors a user who operates a terminal. The authentication information acquisition unit acquires the user authentication information from the user at a constant period in at least a part of the period during which the user operates the terminal; and the authentication unit includes the authentication information. Each time the acquisition unit acquires the user authentication information at the certain period, the step of determining whether the user authentication information is valid user authentication information, and the input device monitoring unit in the terminal A step of detecting a change in the state of the user's input operation; and the timing changing unit detects a change in the state of the input operation of the user by the input device monitoring unit. The case, the method comprising, a step of changing the period for acquiring the authentication information in the authentication information acquiring unit.

  Moreover, the other aspect of this invention is a computer program for making the said user monitoring system perform said method.

  According to the said aspect of this invention, even if it is a case where an unauthorized user performed operation during the basic period which performs a user's authentication, this can be detected.

It is a figure which shows an example of a structure of the user monitoring system which concerns on one Embodiment of this invention. It is a figure which shows an example of a "process management log" file. It is a figure which shows an example of a "work content log" file. It is a figure which shows an example of an "input information log" file. It is a figure which shows an example of a "user ID corresponding table". It is a main flowchart which shows an example of the process in the user monitoring system which concerns on one Embodiment of this invention. It is a flowchart which shows an example of an input device monitoring process. It is a flowchart which shows an example of the data acquisition process for operation content restoration. It is a flowchart which shows an example of a related work log extraction process. It is a figure which shows an example of the judgment method of the relationship of each log. It is a flowchart which shows an example of a recovery process. It is a figure which shows an example of the hardware constitutions of the terminal and management apparatus which concern on one Embodiment of this invention.

  Hereinafter, embodiments of the present invention will be described with reference to the drawings. In each drawing referred to in the following description, parts equivalent to those in other drawings are denoted by the same reference numerals.

(User monitoring system configuration)
FIG. 1 is a diagram illustrating a configuration example of a user monitoring system according to the present embodiment. A user monitoring system 1 illustrated in FIG. 1 includes a terminal 10 operated by a user and an administrator device 20 operated by a system administrator.

  The terminal 10 includes an imaging unit 102, an input reception unit (input device) 104, an authentication unit 106, a storage unit 108, an input device monitoring unit 110, an imaging timing change unit 112, and a related work log extraction unit 114. , A transmission unit 116, a reception unit 118, and a recovery processing unit 120. The management apparatus 20 includes a receiving unit 202, a display unit 204, a recovery process necessity determination unit 206, and a transmission unit 208.

(Terminal)
The imaging unit 102 captures the user's face (a part or the whole) in a certain cycle during at least a part of the period when the user operates the terminal 10, and acquires the user's face image data (biological features). . The imaging unit 102 acquires the user's biological information when the input device monitoring unit 110 (to be described later) detects a change in the state of the user's input operation, in addition to performing imaging in a certain period. It may be.

  The input receiving unit (input device) 104 receives a user operation input to the terminal 10. Specifically, the input receiving unit 104 may be various input devices such as a keyboard, a mouse, a touch panel, and a touch pen. Moreover, the input reception part 104 may receive the input by an audio | voice.

  The authentication unit 106 determines whether or not the acquired user face image data is valid user face image data each time the imaging unit 102 acquires user face image data in a certain cycle. If it is determined that the acquired face image data is not valid user face image data, it is determined as authentication NG. Further, in the present embodiment, when the authentication unit 106 determines that the face image data acquired by the imaging unit 102 is not valid user face image data, the user's input operation is restricted. To do. As a method for restricting user input operations, only some input operations may be restricted and other input operations may be permitted.

  Various methods are conceivable for the authentication unit 106 to determine whether the face image data acquired by the imaging unit 102 is valid user's face image data. For example, only a part of the entire face image may be the target of collation, or a plurality of locations (multiple conditions) may be the target of collation. Moreover, you may determine a collation result combining these results. Moreover, it is good also as setting it as certification | authentication NG etc., when the matching rate of the collation object location is less than a predetermined threshold value.

  The storage unit 108 has a function of storing various data. In this embodiment, at least a “process management log” file, a “work content log” file, an “input information log” file, a “user ID correspondence table”, and a “process relevance log” file described below are stored in the storage unit. 108 stored.

  FIG. 2 is a diagram illustrating an example of a “process management log” file. The process management log shown in FIG. 2 is a file for recording processes started on the terminal 10 including processes executed by each user based on operation inputs to the terminal 10. In the process management log, for example, an execution user, a process ID for specifying a process executed by the user, a parent process ID for specifying a parent process, a process name, a process start time and an end time, and the like are recorded. The

  FIG. 3 is a diagram illustrating an example of a “work content log” file. The “work content log” file is linked to the “process management log” file by the “process ID”, and more detailed content about the process specified by the process ID of the process management log is recorded. FIG. 4 is a diagram illustrating an example of an “input information log” file. Details of the input device of the terminal 10 operated by the user are recorded in the “input information log” file. FIG. 5 is a diagram illustrating an example of a “user ID correspondence table”. The user ID correspondence table is for each user when the user performs some processing on another device operating in conjunction with the terminal 10 (for example, when accessing another device via the terminal 10). This is a table for storing the user ID of

  Returning to FIG. 1, the input device monitoring unit 110 detects a change in the state of a user input operation on the terminal 10. The input device monitoring unit 110 may detect a change in the state of the user's input operation by statistically processing information related to the input device of the terminal 10 operated by the user. Further, when the input receiving unit 104 receives a user operation input, the input device monitoring unit 110 stores information on the input device operated by the user in an “input information log” file or the like of the storage unit 108.

  When the input device monitoring unit 110 detects a change in the state of the user's input operation, the imaging timing changing unit 112 changes the period for acquiring the face image data in the imaging unit 102 (makes the period shorter). Here, a plurality of methods for changing the imaging timing can be considered. For example, an imaging cycle is started when a change in an operation input is detected, and a face image is captured at a time point that is shortened from an imaging cycle that starts after an imaging process that arrives after the input device monitoring unit 110 detects a change in the operation input. The imaging cycle itself including the time point when the change in the operation input is detected is shortened (the imaging timing that comes after the change in the operation input is detected).

  In addition, the imaging timing changing unit 112 may change the imaging cycle back to the original length using a predetermined condition as a trigger after changing the imaging timing short. For example, it may be configured to detect that the user has logged off from the terminal 10 and return the imaging cycle to the original length. Further, at that time, the imaging period may be lengthened stepwise and returned to the original length.

  If it is determined that the face image data acquired by the imaging unit 102 is not valid user face image data as a result of the determination by the authentication unit 106, the related work log extraction unit 114 determines this determination from the storage unit 108. A part or all of the user's input operation with respect to the terminal 10 executed between the point in time and a certain period before is extracted.

  The transmission unit 116 has a function of transmitting various data to the management apparatus 20.

  The receiving unit 118 has a function of receiving various data from the management device 20. Communication between the terminal 10 and the management apparatus 20 may be wired communication or wireless communication.

  When it is determined that the face image data acquired by the imaging unit 102 is not a valid user's face image data as a result of the determination by the authentication unit 106, the recovery processing unit 120 performs a certain period of time from this determination. A part or all of the user's input operation on the terminal 10 executed so far is returned to the state before the input operation (rolled back).

(Processing flow of user monitoring system)
Hereinafter, a processing example in the user monitoring system according to the present embodiment will be described. FIG. 6 is a main flowchart showing processing in the user monitoring system 1 according to the present embodiment.

  First, when a user starts operating the terminal 10, a login operation such as inputting a user ID and a password is performed in response to a login request from the user monitoring system 1 (user input is received by the input receiving unit 104). . At this time, the terminal 10 acquires the face image data by capturing the face of the user who is operating the terminal with the image capturing unit 102, and stores and registers the face image data in the storage unit 108 as the user's valid face image data. (Step S101).

  Thereafter, when a predetermined time (imaging cycle) elapses while the user operates the terminal 10 (step S103: Yes), the process proceeds to step S109, and the imaging unit 102 captures the face image data by capturing the user's face. get. The user monitoring system 1 compares the face image data with the face image data stored in the storage unit 108 in step S101, and the user operating the terminal 10 at this time is a valid user (login It is checked whether it is the same as the user at the time (step S109). And while an authentication result is OK (the user who is operating is a valid user), it returns to step S103.

  Further, even when the predetermined time (imaging cycle) has not elapsed (step S103: No), when it is determined that the operator of the terminal 10 may have changed due to the input device monitoring process (step S105: Yes). ) The face image capturing period is changed to a shorter period (step S107). Here, the input device monitoring process is a process executed in a process different from the main flow, and the person operating the terminal 10 may have changed based on the input from the operator at the terminal 10. This is a process for detecting the presence (the input device monitoring process will be described in detail later).

  When it is determined that there is a possibility that the operator has changed (step S105: Yes), the face image of the person who is operating the terminal 10 at that time is acquired by the imaging unit 102 and the face image is verified. Is performed (step S109).

  If the result of the authentication process in step S109 is a result that the face image of the user stored in the storage unit 108 is different from the face image of the user operating at this time (authentication NG), The terminal 10 is locked so that the user cannot operate it (step S111). Then, related work log extraction processing is executed (step S113). In the “related work log extraction process”, when it is detected that the operator of the terminal 10 may have changed, the operation that may have been performed by the operator is canceled and returned to the state before the operation ( This is a process for extracting an operation performed by the operator (details will be described later).

  Then, the log extracted in step S113 is displayed on the display unit 204 of the management apparatus 20. An administrator using the management apparatus 20 checks the log displayed on the display unit 204, determines whether or not to perform recovery processing on the terminal 10, and inputs the determination result to the management apparatus 20. (Step S115). The determination result is transmitted to the terminal 10. When the terminal 10 receives a determination result indicating that the recovery process is necessary from the management apparatus 20, the terminal 10 executes the recovery process (step S117).

  In the above description, the user image captured at the time of login (step S101) is registered in the storage unit 108 as a legitimate user face image. However, before the operation of the terminal 10 is started, the user face image is stored in advance. It may be registered in 108, and this may be used as valid face image data of the user. Then, when the operation is started (step S101) and when the face image is collated (step S109), the face image registered before the start of the operation is compared with the face image captured by the imaging unit 102. Also good. As for the processes in steps S103 to S107, the processes after step S107 may be performed by receiving a notification result from the input device monitoring process as an event (until the event waits until that time). .

(Input device monitoring process)
FIG. 7 is a flowchart showing an example of the input device monitoring process (step S105 in FIG. 6).

  When a user operation input is detected from the input waiting state (step S1051) via the input receiving unit (input device) 104 of the terminal 10, an operation content restoration data acquisition process is executed (step S1053). Here, FIG. 8 is a flowchart illustrating an example of the operation content restoration data acquisition processing in step S1053.

  When a user operation input is detected, the operation content is recorded in a “work content log” file (FIG. 3) held in the storage unit 108 before the user operation content is reflected in the data. In the work content log, at time YYYY / MM / DD hh: mm: ss, process A creates (creates) / Read (reads) / Delete (deletes) data x, and process A updates (writes data x to data y) Update), and the like are recorded (step S201).

  Next, when the operation type of the detected user operation is Update (update) or Delete (deletion) (step S203), a backup of the original data is acquired (step S205), and the operation is performed according to the detected user operation. The process is executed (step S207).

  Returning to FIG. 7, after executing the operation content restoration data acquisition process (step S1053), the input information recording process is executed (step S1055). In the input information recording process, details of the input device operated by the user are recorded in an “input information log” file (FIG. 4) held in the storage unit 108. Specifically, for example, information such as input time, input device type (keyboard, mouse, etc.), input content (pressed key type), kana input / romaji input, and the like are recorded in the input information log.

Further, when a certain period of time has elapsed from the state of waiting for input (step S1051), statistical processing of the user operation is executed (step S1057) (Note that this “constant time” may be independent of the imaging cycle). For example, the following calculation is performed based on the record of the input information log from the current time (the time when the statistical process is executed) to a certain time before.
・ Number of inputs ・ Average and / or median of input intervals ・ Percentage of operations for each input device (xx% input with keyboard, yy% input with mouse, etc.)
-Number and / or percentage of specific operation keys (backspace, delete, tab, alt, cursor keys, home, end, etc. operation keys)
・ Ratio of operation time by Roman input and operation time by Kana input

  For example, in the example of the input information shown in FIG. 4, each of the above data can be calculated as follows. That is, the “number of inputs” is “13”. The “average input interval” is the time difference between the input IDs “1” and “2”, the time difference between the input IDs “2” and “3”,..., And the time difference between the input IDs “12” and “13”. Average. The “median value of input intervals” is the median of these values. In addition, the “operation ratio for each input device” can be calculated as keyboard: 12/13, mouse: 1/13, and the like. The “number of specific operation keys” is backspace: 1. The “ratio of specific operation keys” is backspace: 1/13. In addition, the ratio of the operation time for Roman character input to the operation time for Kana input indicates that the ratio of Roman character input is (time of input ID “6” −time of input ID “1”) / (input ID “13”). The time-input ID “1”) and the kana input ratio are (input ID “12” time-input ID “8” time) / (input ID “13” time-input ID “1”) Time). Note that each of the data and the calculation method described above are merely examples, and other data may be used as long as they can indicate the characteristics of the input operation of the user of the terminal 10. In step S1057, statistical processing of user operations is executed after a certain period of time has elapsed from the input waiting state (step S1051), but the present invention is not limited to this. If data related to user operations sufficient to perform statistical processing is accumulated, statistical processing can be performed. For example, each time an input of one character is received by the input receiving unit (input device) 104, statistical processing may be performed.

  Returning to FIG. 7, the statistical information calculated in step S1057 is stored in the storage unit 108 (step S1059). The previous statistical processing value is compared with the current statistical processing value (step S1061). When the difference is less than a predetermined threshold (that is, when it is determined that the operator of the terminal 10 has not changed), the process returns to step S1051 to continue the processing. If the difference is greater than or equal to a predetermined threshold (that is, if it is determined that the operator of the terminal 10 has changed), a notification to that effect is sent (step S1063), and steps S107 and S109 in FIG. Transition is made to change the imaging cycle and perform authentication processing. It should be noted that the operator of the terminal 10 is provided with a plurality of thresholds for determining whether or not the terminal 10 has changed, and the difference between the previous statistical processing value and the current statistical processing value is between which threshold value. The imaging cycle may be shortened or lengthened (returned) step by step based on whether the image is located in the position.

(Related work log extraction process)
Next, the related work log extraction process (step S113 in FIG. 6) will be described in detail. FIG. 9 is a flowchart showing an example of related work log extraction processing.

  First, the process ID of the user who is the target of the related work log extraction is acquired (step S1131). Here, in this embodiment, the user who is the target of the related work log extraction is specified by the user who logged in in step S101 of FIG. 6 (user ID. In this description, the target user or the target user. ID.) The process ID is acquired, for example, by searching for a process ID where “execution user” = “target user ID” with reference to the “process management log” file (FIG. 2) held in the storage unit 108. be able to.

  Next, the time when the authentication by the collation of the face image is NG and the time when the authentication was OK in the past (the time between the two is hereinafter referred to as the fraud processing time) are acquired (step S1133).

  Next, an operation log in another device that operates in conjunction with the terminal 10 is specified by the target user ID (step S1135). Specifically, for example, referring to the “user ID correspondence table” (FIG. 5), “user ID” = “target user ID”, user ID on device A, user ID on device B, .. (User ID at device XX)... Each device retrieved from the “user ID correspondence table” with reference to the process management log (same as FIG. 2) for each of the devices A, B,... (Device XX). The process ID is extracted using the user ID (user name) at the search key. Thereby, the operation log in the other apparatus operated via the terminal 10 can be specified.

  Next, the process is recursively searched based on the user process ID, and the operation log of the target user is extracted (step S1137). FIG. 10 is a diagram illustrating an example of a method for determining the relevance of each log. In the example illustrated in FIG. 10, in “Log A”, for example, the IP address associated with the user ID = “logA_user1” is “192.168.1.1”. Next, referring to “Log B”, the node name associated with this IP address “192.168.1.1” is “SV01”. In “Log C”, the process ID associated with the node “SV01” is “1111”. By tracing in this way, it is possible to extract processes related to a certain user. Returning to FIG. 9, processing corresponding to the unauthorized processing time is extracted from the log extracted in step S1137 (step S1139).

  Next, referring to the “work content log” file (FIG. 3), the process executed during the unauthorized processing time is extracted using the process ID of the log extracted by the processes of steps S1131 to S1139 as a key (step S1141). ).

  Through the processing as described above, it is possible to extract processing executed on the terminal 10 during the illegal processing time. The extracted log is transmitted to the management apparatus 20 operated by the administrator, and the administrator can confirm this on the display unit 204 (step S115 in FIG. 6).

(Recovery processing)
Next, the recovery process (step S117 in FIG. 6) will be described in detail. FIG. 11 is a flowchart illustrating an example of the recovery process. The process shown in this flowchart is executed when a determination result indicating that a recovery process is necessary is received from the management apparatus 20.

  When the log extracted by the related work log extraction process of step S113 in FIG. 6 has not been read (step S1171: No), one log extracted by the related work log extraction process is acquired (step S1173).

  When the operation type of the acquired log is Create (creation) (step S1175: Yes), the creation target data is deleted (step S1177). On the other hand, when the operation type of the acquired log is not Create (creation) (step S1175: No) but Update (update) or Delete (deletion) (step S1179: Yes), the data to be operated is changed. Restore from the backup data (step S1181). If none of the above applies (step S1179: No), the operation type is Read (read), so nothing is done here.

  The processing in steps S1173 to S1181 described above is repeatedly executed until the log extracted by the related work log extraction processing in step S113 in FIG. 6 is completely read (step S1171: Yes).

(Hardware configuration example)
The terminal 10 and the management device 20 can be realized by the same hardware configuration as a general computer device. FIG. 12 is a diagram illustrating an example of a hardware configuration of the terminal 10 and the management device 20. A computer apparatus 30 shown in FIG. 12 includes, for example, a processor 301, a RAM 302, a ROM 303, a hard disk device 304, a removable memory 305, a communication interface 306, a display / touch panel 307, a speaker 308, and an input device. (Keyboard / mouse etc.) 309. Each function of the terminal 10 and the management apparatus 20 described above can be realized by, for example, the processor 301 reading a program stored in advance in the hard disk device 304 into a memory and executing it. However, the configuration shown in FIG. 12 is merely an example, and the present invention is not limited to this.

(Summary)
As described above, according to the user monitoring system according to the present embodiment, according to the present invention, even when an unauthorized user performs an operation during a basic cycle of executing user authentication. It is possible to detect this. Further, for example, Patent Document 1 discloses changing the period of user authentication depending on the importance of data (application). However, since the prior document 1 changes the period of user authentication according to the importance of data (which is unrelated to the state of user input), it detects an illegal act in which the user changes to another person during the operation. It is difficult to do and does not contribute to the detection of such fraud. On the other hand, according to the user monitoring system according to the present embodiment, by determining that the user has changed to another person when the user's operation input has changed, for example, Can be detected even if the user tries to cheat by conspiring, or when another user tries to cheat when the user at the start of the operation is temporarily absent.

  In the above-described embodiment, user authentication is performed using the user's face image, but user authentication may be performed using other biological features. For example, user authentication may be performed based on physical features such as fingerprints and irises. Further, if the user's input operation is by voice such as voice, user authentication may be performed using a voice tone or voiceprint. Furthermore, user authentication may be performed using other authentication information that can authenticate the user other than the biometric feature. For example, instead of imaging the user by the imaging unit 102 of the above-described embodiment, the user may input a password at regular intervals. If the authentication information is a biometric feature, it is difficult for the user to arbitrarily change or make the authentication information arbitrary (for example, the user A resembles the user B with the same user It is difficult to impersonate, and fingerprints, irises, etc. cannot be shared by each user). In addition, when the user is authenticated by imaging the user's face as described above, the user who operates the terminal 10 is a valid user, but the information is stolen by being looked into from behind. In such a case (shoulder hacking) or the like is detected (detected by the number of faces recognized in the captured image), the operation can be temporarily stopped or rolled back.

  In the above-described embodiment, the user monitoring system 1 includes the terminal 10 and the management device 20, but the configuration is not limited to such a configuration. Each function provided in the terminal 10 and the management device 20 described above may be distributedly processed by a plurality of devices according to other modes. Conversely, if the terminal 10 includes an administrator application that allows only the administrator to log in, the management terminal 20 may not be provided separately, and the terminal 10 may be provided with the function of the management device 20.

  In the above-described embodiment, the imaging timing changing unit 112 is configured to perform imaging at random time intervals, although the imaging unit 102 is configured to capture images at a constant period. As a result, it becomes difficult for the operator of the terminal 10 to predict when the imaging is performed, so that it is difficult for an unauthorized user to operate the terminal 10 with a gap.

  Up to this point, one embodiment of the present invention has been described. However, the present invention is not limited to the above-described embodiment, and it is needless to say that the present invention may be implemented in various forms within the scope of the technical idea.

  The scope of the present invention is not limited to the illustrated and described exemplary embodiments, but includes all embodiments that provide the same effects as those intended by the present invention. Further, the scope of the invention is not limited to the combinations of features of the invention defined by the claims, but may be defined by any desired combination of particular features among all the disclosed features. .

DESCRIPTION OF SYMBOLS 10 Computer terminal 20 Management apparatus 102 Imaging part 104 Input reception part (input device)
106 Authentication Unit 108 Storage Unit 110 Input Device Monitoring Unit 112 Imaging Timing Change Unit 114 Related Work Log Extraction Unit 116 Transmission Unit 118 Reception Unit 120 Recovery Processing Unit 202 Reception Unit 204 Display Unit 206 Recovery Processing Necessity Determination Unit 208 Transmission Unit

Claims (7)

A user monitoring system for monitoring a user operating a terminal,
An authentication information acquisition unit that acquires the authentication information of the user from the user at a constant period in at least a part of the period in which the user operates the terminal;
An authentication unit that determines whether the user authentication information is valid user authentication information each time the authentication information acquisition unit acquires the user authentication information at the predetermined period;
An input device monitoring unit that detects a change in the state of a user input operation in the terminal;
A timing changing unit that changes the period for acquiring the authentication information in the authentication information acquiring unit when the input device monitoring unit detects a change in the state of the input operation of the user;
A user monitoring system comprising:   The user monitoring system according to claim 1, wherein the authentication information acquisition unit acquires the user authentication information when the input device monitoring unit detects a change in the state of the input operation of the user. .   3. The user according to claim 1, wherein the input device monitoring unit detects a change in a state of the input operation of the user by statistically processing information on the input device operated by the user. 4. Monitoring system.   The input operation of the user is limited when it is determined that the authentication information of the user acquired by the authentication information acquisition unit is not valid user authentication information as a result of the determination in the authentication unit. The user monitoring system according to any one of 1 to 3.   As a result of the determination in the authentication unit, when it is determined that the user authentication information acquired by the authentication information acquisition unit is not valid user authentication information, from the determined time to a certain period before 5. The user monitoring according to claim 1, wherein a part or all of the user input operation performed on the terminal during the period is returned to a state before the input operation. system. An authentication information acquisition unit, an authentication unit, an input device monitoring unit, a timing changing unit, and a method executed by a user monitoring system that monitors a user who operates a terminal,
The authentication information acquisition unit acquires the user authentication information from the user at a constant period in at least a part of the period in which the user operates the terminal;
The authentication unit determining whether the user authentication information is valid user authentication information each time the authentication information acquisition unit acquires the user authentication information at the predetermined period;
The input device monitoring unit detecting a change in a state of a user input operation in the terminal;
The timing changing unit changing the period for acquiring the authentication information in the authentication information acquiring unit when the input device monitoring unit detects a change in the state of the input operation of the user;
Including methods.   A computer program for causing the user monitoring system to execute the method according to claim 6.

Images