JP2018049373A - Suspicious communication control method, suspicious communication control device, and suspicious communication control system - Google Patents

Abstract

PROBLEM TO BE SOLVED: To estimate characteristics of users from the users' responses to connection confirmation, and change a presentation method of connection confirmation by the user so that users will take appropriate connection confirmation actions.SOLUTION: A suspicious communication control device for connecting a terminal operated by a user with the Internet receives a connection request to the Internet from the terminal, acquires the user's connection confirmation pattern regarding the received connection request to conduct connection confirmation, controls connection from the terminal to the Internet on the basis of a result of the connection confirmation, calculates characteristics of the user operating the terminal on the basis of the result of the connection confirmation, and changes the user's connection confirmation pattern on the basis of the characteristics.SELECTED DRAWING: Figure 1

Description

  The present invention relates to a technique for blocking communication by malware while estimating both user characteristics and determining a connection confirmation method during communication while ensuring both safety and convenience.

  In recent years, cyber attacks targeting private companies and national institutions have increased, and there has been an increased risk of damaging the interests and safety of society, including large-scale information leakage incidents. Furthermore, with regard to the contents of attacks, sophisticated and sophisticated attack techniques such as targeted attacks, particularly APT (Advanced Persistent Threshold) attacks, are increasingly used. This type of attack targets a specific individual or organization and uses malware customized for that organization, so it is often impossible to deal with conventional firewalls and antivirus software.

  Also, social engineering is often used to infect malware by tricking users. For such attacks, it is difficult to reliably prevent malware infection by technical measures. For this reason, it is important to take countermeasures for the purpose of ultimately preventing damage on the premise of malware infection.

  One of the countermeasures based on malware infection is communication control based on the blacklist. Many of the malware used in the above attacks can communicate with a C & C (Command and Control) server on the Internet prepared by the attacker after the target terminal is infected, and the infected terminal can be controlled by the attacker. Attacking activities such as setting status, downloading and executing new malware, and sending stolen information.

  On the other hand, by registering a URL of a known C & C server in a black list and blocking communication destined for the URL included in the list from communication from a terminal connected to the internal network to the external Internet. It is possible to prevent the malware that has entered the organization from communicating with the C & C server and to suppress the attack activity.

  However, in the communication control based on the black list, there is a problem that it is difficult to manage the black list. In other words, when configuring a blacklist based on external information related to malware, if all suspicious URLs are registered in the blacklist, communication necessary for business may be interrupted, which may adversely affect the business. There is.

  Therefore, for suspicious communication that cannot be determined as dangerous, a method for requesting the user to confirm connection is conceivable in order to confirm whether the communication is intentionally generated by the user. However, in recent years, malware that reads connection confirmation information input by the user and breaks through the connection confirmation by the proxy and communicates with the C & C server has also appeared.

  In order to deal with this type of malware, it is desirable to use HIP (Human Interaction Proof) that proves a human operation instead of conventional ID and password input. An example of the HIP is a CAPTCHA (Complete Automated Public Test Toll Computers And Humans Appart) that presents an image of a character string that is difficult to read mechanically and inputs the read character string.

  The problem with the above method is that the convenience of terminal operation is reduced because the user is required to confirm the connection each time for suspicious communication that cannot be determined as dangerous. One approach to solving this problem is to change the presence and method of connection confirmation according to the situation, and to minimize the effort of connection confirmation, as a conventional technique for realizing this, for example, A technique shown in Patent Document 1 has been proposed.

  In Patent Literature 1, information regarding a time zone and a place where a terminal is used is collected for each user, and a level of connection confirmation required for the user is determined according to the use frequency for each combination of the time zone and the place. In this technology, in a situation where the user frequently uses the terminal, the connection confirmation is simplified and the convenience is improved. In some situations, both safety and convenience are achieved, such as raising the level of connection confirmation.

JP 2003-196666 A

  The technology of Patent Literature 1 can change the level of connection confirmation based on the behavior pattern for each user, such as the terminal usage frequency of the user for each time and place, and contributes to both safety and convenience. .

  However, when the user is asked to confirm connection to suspicious communications, the response to the same connection confirmation method varies from user to user, so even if the connection confirmation method is uniformly determined based on the behavior pattern, the connection confirmation method Is not necessarily optimal for individual users.

  Individual users are considered to have differences in connection confirmation characteristics such as IT literacy, cost awareness, risk awareness, etc. Even if the same connection confirmation method is presented, there is a difference between users in response to the response. Arise.

  As an example, there are cases where a user with low risk awareness easily permits high-risk communication, and a user with high cost awareness gives up communication when a complicated connection confirmation is required. Furthermore, since the reaction differs for each user even under the same situation, the reliability of the knowledge obtained by collecting the user's reactions is also lowered. This knowledge can be used, for example, for estimating the risk of a suspicious URL, and contributes to further improvements in safety and convenience.

  The present invention has been made in view of the above circumstances, and by estimating the user characteristics from the user's response to the connection confirmation, the connection confirmation presentation method is set for each user so that the user takes an appropriate connection confirmation action. An object of the present invention is to provide a suspicious communication control system that changes to

  The present invention is a suspicious communication control apparatus for connecting a terminal operated by a user to the Internet, and a suspicious communication control method for controlling connection from the terminal to the Internet, wherein the suspicious communication control apparatus is connected from the terminal to the Internet. A first step of receiving the connection request, a second step in which the suspicious communication control device acquires a connection confirmation pattern of the user for the received connection request and performs connection confirmation, and the suspicious communication control device. A third step of controlling a connection from the terminal to the Internet based on the result of the connection confirmation, and a characteristic of the user in which the suspicious communication control device operates the terminal based on the result of the connection confirmation And the suspicious communication control device changes the connection confirmation pattern of the user based on the characteristics. That includes a fifth step.

  Therefore, according to the present invention, by determining the connection confirmation presentation pattern for each user based on the user characteristics, it is possible to prompt the user to take an appropriate action at the time of connection confirmation.

It is a block diagram which shows the Example of this invention and shows an example of a suspicious communication control system. It is an example block diagram which shows the Example of this invention and is an example of the hardware constitutions of a suspicious communication control apparatus. It is a figure which shows the Example of this invention and shows an example of a user table. It is a figure which shows the Example of this invention and shows an example of a terminal table. It is a figure which shows the Example of this invention and shows an example of a communication log table. It is a figure which shows the Example of this invention and shows an example of a gray URL table. It is a figure which shows the Example of this invention and shows an example of a black URL table. It is a figure which shows the Example of this invention and shows an example of a white URL table. It is a figure which shows the Example of this invention and shows an example of a connection confirmation system table. It is a figure which shows the Example of this invention and shows an example of a parameter table. It is a figure which shows the Example of this invention and shows an example of a connection confirmation system separate condition table. It is a figure which shows the Example of this invention and shows an example of a connection confirmation result table. It is a figure which shows the Example of this invention and shows an example of a statistics table. It is a figure which shows the Example of this invention and shows an example of a connection confirmation result statistics information table. It is a figure which shows the Example of this invention and shows an example of a user characteristic table. It is a figure which shows the Example of this invention and shows the example of a user connection confirmation system table. It is a flowchart which shows the Example of this invention and shows an example of the process at the time of communication generation | occurrence | production. It is a flowchart which shows the Example of this invention and shows an example of a periodic update process. It is a flowchart which shows the Example of this invention and shows an example of a statistical information update process. It is a flowchart which shows the Example of this invention and shows an example of a user characteristic update process. It is a flowchart which shows the Example of this invention and shows an example of a connection confirmation system update process. It is a figure which shows the Example of this invention and shows an example of the connection confirmation screen A. FIG. It is a figure which shows the Example of this invention and shows an example of the connection confirmation screen. It is a figure which shows the Example of this invention and shows an example of a connection confirmation system setting screen. It is a figure which shows the Example of this invention and shows an example of a statistic setting screen. It is a figure which shows the Example of this invention and shows an example of a parameter setting screen. It is a figure which shows the Example of this invention and shows an example of a connection confirmation system separate condition setting screen. It is a figure which shows the Example which shows the Example of this invention and is a premise of a user characteristic.

  Hereinafter, embodiments of the present invention will be described with reference to the accompanying drawings.

<System configuration and functional configuration>
FIG. 1 is a block diagram illustrating an example of a network configuration including a suspicious communication control apparatus 101 in this embodiment and an example of a functional configuration of a suspicious communication control system. The suspicious communication control apparatus 101 shown in FIG. 1 asks the user's terminal for connection confirmation for suspicious communication, estimates the user characteristics from the response by the user, and presents the connection confirmation method to the user based on the characteristics It is a computer device that changes (or a connection confirmation pattern) and prompts an appropriate action for each user.

  The suspicious communication control apparatus 101 of this embodiment illustrated in FIG. 1 is connected to the Internet 103 via the network 104 connected to the input / output device 102 and connected to the communication unit 204. The suspicious communication control apparatus 101 is connected to a plurality of managed terminals 106_1 to 106_N via the network 105. The users of the terminals 106_1 to 106_N to be managed are users 107_1 to 107_N.

  In the present embodiment, the characteristics of the users 107_1 to 107_N are collected via these managed terminals 106_1 to 106_N, and an appropriate connection confirmation screen is presented to the users 107_1 to 107_N. The system administrator 108 operates the suspicious communication control apparatus 101 via the input / output device 102. In the following, in order to indicate the entire terminal, the reference numeral 106 without “_” is used. The same applies to the reference numerals of other components.

  Next, functions of the suspicious communication control apparatus 101 of this embodiment will be described. Here, functions realized by executing predetermined programs in the suspicious communication control apparatus 101 and the input / output apparatus 102 will be described. In the suspicious communication control apparatus 101, a communication control program 121, a user connection confirmation program 122, a list update program 123, a statistical information update program 124, a user characteristic update program 125, a connection confirmation method update program 126, and a periodic update process management program 127 are provided. It is loaded into the memory 202 and executed by the CPU 201.

  In the suspicious communication control apparatus 101, the user table 300, terminal table 400, communication log table 500, gray URL table 600, black URL table 700, white URL table 800, connection confirmation method table 900, parameter table 1000, connection confirmation A method individual condition table 1100, a connection confirmation result table 1200, a statistics table 1300, a connection confirmation result statistical information table 1400, a user characteristic table 1500, and a user connection confirmation method table 1600 are held in the storage device 203.

  The communication control program 121 acquires communication from the managed terminal 106 via the suspicious communication control apparatus 101 to the Internet 103, passes the communication information to the user connection confirmation program 122, and obtains the communication from the user connection confirmation program 122. This is a program that determines whether or not communication is possible according to the connection confirmation result, and executes transfer or blocking of the communication.

  That is, when the communication control program 121 receives a connection request packet from the terminal 106 to the Internet 103, the communication control program 121 transfers the connection request packet to the user connection confirmation program 122 and performs predetermined communication control.

  Based on the communication information received from the communication control program 121, the user connection confirmation program 122 refers to the gray URL table 600, the black URL table 700, and the white URL table 800 to determine whether connection confirmation is necessary, If connection confirmation is necessary, the connection confirmation method is determined with reference to the connection confirmation method table 900 and the user connection confirmation method table 1600, and a connection confirmation request is transmitted to the managed terminal 106 that has attempted the communication. It is a program to do. The connection confirmation method is a method of confirming the intention of communication permission or disapproval for the user 107 using the terminal 106.

  The list update program 123 refers to the connection confirmation result table 1200, updates the estimated value of the URL risk based on the connection confirmation result by the user, and updates the gray URL table 600, the black URL table 700, and the white URL table 800. It is a program.

  The statistical information update program 124 refers to the gray URL table 600, the black URL table 700, the white URL table 800, and the connection confirmation result table 1200, acquires the connection confirmation result for the connection confirmation method for each user, and obtains the connection confirmation result. Is a program for calculating the statistical information defined in the statistics table 1300 and updating the connection confirmation result statistical information table 1400.

  The user characteristic update program 125 refers to the connection confirmation result statistical information table 1400 calculated by the statistical information update program 124, calculates the relationship of the statistics to the connection confirmation method for each user 107, and calculates the user characteristic table. This is a program for updating 1500.

  The connection confirmation method update program 126 is a program that refers to the user characteristic table 1500, determines an appropriate user connection confirmation method for each user from the connection confirmation method table 900, and updates the user connection confirmation method table 1600.

  The periodic update processing management program 127 is a program that periodically executes the statistical information update program 124, the user characteristic update program 125, and the connection confirmation method update program 126.

  The user table 300 is a list of the users 107_1 to 107_N.

  The terminal table 400 is a list of the management target terminals 106_1 to 106_N, information for associating the user 107 who uses the terminal 106, IP address assigned to the management target terminal 106, and MAC address information. Etc.

  The communication log table 500 acquires communication from the managed terminal 106 to the Internet 103 via the communication unit 204 by the communication control program 121, and performs a destination URL, communication time, and communication related to the communication. It records information such as users.

  The gray URL table 600 is a list of suspicious URLs that cannot be determined as dangerous.

  The black URL table 700 is a list of known dangerous URLs.

  The white URL table 800 is a list of known safe URLs.

  The connection confirmation method table 900 is a list of connection confirmation methods presented to the user 107 via the managed terminal 106 by the user connection confirmation program 122.

  The parameter table 1000 is parameter information necessary when the various programs are operated.

  The connection confirmation method individual condition table 1100 is a list of information that specifies, for each user 107, what is forcibly selected or excluded from the options for the connection confirmation method.

  The connection confirmation result table 1200 is information on a response to the connection confirmation received by the user connection confirmation program 122 from the managed terminal 106.

  The statistics table 1300 is a list of statistics that can be calculated from the connection confirmation result table 1200.

  The connection confirmation result statistical information table 1400 is statistical information for each user calculated from the connection confirmation result table 1200 based on the statistics table 1300.

  The user characteristic table 1500 is information of a relationship established between the connection confirmation method and the statistics for each user, calculated from the connection confirmation result table 1200 and the connection confirmation result statistical information table 1400.

  The user connection confirmation method table 1600 is a list of connection confirmation methods presented by the user connection confirmation program 122 for each user.

  The contents of these tables will be described later with reference to FIGS.

<Hardware configuration example>
Next, the hardware configuration of the suspicious communication control device 101 and the input / output device 102 of this embodiment will be described. FIG. 2 is a block diagram illustrating a hardware configuration example of the suspicious communication control apparatus 101 and the input / output apparatus 102 according to the present embodiment.

  A suspicious communication control apparatus 101 illustrated in FIG. 2 includes a CPU 201, a memory 202, a storage device 203, a communication unit 204, and a bus 207. The input / output device 102 includes an input device 205, an output device 206, and a bus 207. The bus 207 is shared by the suspicious communication control device 101 and the input / output device 102.

  Among these, the CPU 201 is a central processing unit, and implements necessary functions by executing a program held in the memory 202 (or the storage device 203). The memory 202 is a main storage device used when the CPU 201 executes processing, and is composed of a volatile storage element such as a RAM.

  The storage device 203 is an auxiliary storage device for complementing input data provided to the CPU 201 and output data output from the CPU 201, and is configured by a suitable non-volatile storage element such as a hard disk drive or SSD (Solid State Drive). .

  The communication unit 204 is a communication device that is used by the suspicious communication control apparatus 101 to communicate with an external device, and is configured by a network interface card (NIC: Network Interface Card).

  The communication unit 204 controls communication (packet) transfer between the networks 105 and 104 and controls the connection from the terminal 106 to the Internet 103.

  The input device 205 is an interface that receives input from an operator, and includes a keyboard, a touch panel, a card reader, a voice input device, and the like. The output device 206 is an interface that outputs data to the operator, and includes a display, a speaker, a printer, and the like. A bus 207 is a communication path that connects the CPU 201, the memory 202, the storage device 203, the communication unit 204, the input device 205, and the output device 206.

  In the present embodiment, as an example of the suspicious communication control apparatus 101, an example in which the input / output apparatus 102 is connected is illustrated, but these may be the same apparatus or may be three or more apparatuses. . Further, instead of the input / output device 102, the suspicious communication control device 101 may be controlled via a network.

<Data structure>
Next, a configuration example of data used by the suspicious communication control apparatus 101 according to the present embodiment will be described.

  FIG. 3 is a diagram illustrating a configuration example of the user table 300 in the present embodiment. In FIG. 3, a user table 300 includes a user ID 301 and user information 302 as data items in one entry. Among these, the user ID 301 is an ID uniquely assigned to the user. The user information 302 is information related to the user such as the name, affiliation, and contact information of the user corresponding to the user ID 301.

  FIG. 4 is a diagram illustrating a configuration example of the terminal table 400 in the present embodiment. In FIG. 4, the terminal table 400 includes a terminal ID 401, a user ID 402, and terminal information 403 as data items in one entry.

  Among these, the terminal ID 401 is an ID uniquely assigned to each terminal 106 to be managed. The user ID 402 is a unique ID for each user 107 using the terminal 106 to be managed, and is associated with the user ID 301 in FIG. The terminal information 403 is information related to the terminal 106 to be managed, and in this embodiment, an example in which the IP address or MAC address of the terminal 106 to be managed is used.

  FIG. 5 is a diagram illustrating a configuration example of the communication log table 500 in the present embodiment. In FIG. 5, the communication log table 500 includes a communication ID 501, a user ID 502, a time 503, and a communication destination URL 504 as data items in one entry.

  Among these, the communication ID 501 is an ID uniquely assigned to the communication transmitted from the management target terminal 106 to the Internet 103. The user ID 502 is an identifier that identifies the user 107 who has performed the communication, and is associated with the user ID 402 in FIG. Time 503 indicates the time at which the communication occurred. The communication destination URL 504 is a communication destination URL of the communication.

  FIG. 6 is a diagram illustrating a configuration example of the gray URL table 600 in the present embodiment. In FIG. 6, a gray URL table 600 includes a gray URL ID 601, an update time 602, a gray URL 603, and a risk value 604 as one data item.

  The gray URL ID 601 is an ID uniquely assigned to a URL managed by the suspicious communication control apparatus 101 as a URL having a connection risk. The update time 602 is the last update time of the record. The gray URL 603 is a URL corresponding to the gray URL ID 601. The risk value 604 is a value obtained by quantifying the risk when connected to the URL.

  The gray URL table 600 is a table preset by the system administrator 108 or the like. Note that the suspicious communication control apparatus 101 may update the gray URL table 600 as needed by receiving information from a security countermeasure company or organization.

  FIG. 7 is a diagram illustrating a configuration example of the black URL table 700 in the present embodiment. In FIG. 7, a black URL table 700 includes a black URL ID 701, an update time 702, and a black URL 703 as data items in one entry.

  The black URL ID 701 is an ID uniquely assigned to a URL managed by the suspicious communication control apparatus 101 as a URL having a connection risk. The update time 702 is the last update time of the record. The black URL 703 is a URL corresponding to the black URL ID 701.

  The black URL table 700 is a table set in advance by the system administrator 108 or the like. Note that the suspicious communication control apparatus 101 may update the black URL table 700 as needed upon receiving information from a security countermeasure company or organization.

  FIG. 8 is a diagram illustrating a configuration example of the white URL table 800 in the present embodiment. In FIG. 8, a white URL table 800 includes a white URL ID 801, an update time 802, and a white URL 803 as data items in one entry.

  The white URL ID 801 is an ID uniquely assigned to a URL managed by the suspicious communication control apparatus 101 as a URL having a connection risk. The update time 802 is the last update time of the record. The white URL 803 is a URL corresponding to the white URL ID 801.

  The white URL table 800 is a table set in advance by the system administrator 108 or the like.

  FIG. 9 is a diagram illustrating a configuration example of the connection confirmation method table 900 in the present embodiment. In FIG. 9, a connection confirmation method table 900 includes a connection confirmation method ID 901, a connection confirmation method summary 902, and an execution program file 903 as data items in one entry.

  The connection confirmation method ID 901 is an ID uniquely assigned to each means for which the suspicious communication control system 10 requests the user to confirm the connection. The connection confirmation method overview 902 is an overview of the connection confirmation method. The execution program file 903 indicates a storage location of a program file for executing the connection confirmation method.

  FIG. 10 is a diagram illustrating a configuration example of the parameter table 1000 in the present embodiment. In FIG. 10, a parameter table 1000 includes a parameter ID 1001, a parameter name 1002, and a parameter value 1003 as data items in one entry.

  The parameter ID 1001 is a unique value assigned for each parameter related to the connection confirmation method. The parameter name 1002 is a name indicating an outline of the parameter. The parameter value 1003 is the value of the parameter.

  FIG. 11 is a diagram illustrating a configuration example of the connection confirmation method individual condition table 1100 in the present embodiment. In FIG. 11, a connection confirmation method individual condition table 1100 includes a user ID 1101, a connection confirmation method 1102, and an individual condition 1103 as data items in one entry.

  The user ID 1101 is the ID of the user 107 that is the target of the record, and is associated with the user ID 301 in FIG. The connection confirmation method 1102 is an ID of a connection confirmation method that is a target of the record, and is associated with the connection confirmation method ID 901 in FIG.

  The individual condition 1103 is information set in advance as to whether or not the connection confirmation method 1102 is required for the user 107 who is the target of the record. In the figure, “Force” indicates a summary of the connection confirmation method 1102, and “Deny” indicates exclusion of the connection confirmation method 1102. In the illustrated example, the connection confirmation method = AM1 is applied to the user ID = U1, and the connection confirmation methods = AM1 and AM2 are excluded from the user ID = U2.

  FIG. 12 is a diagram illustrating a configuration example of the connection confirmation result table 1200 in the present embodiment. In FIG. 12, a connection confirmation result table 1200 includes a connection confirmation ID 1201, a communication ID 1202, a connection confirmation result 1203, a connection confirmation request 1204, and connection confirmation information 1205 as data items in one entry.

  The connection confirmation ID 1201 is an ID uniquely assigned to the result of the connection confirmation for the user 107. The communication ID 1202 is the ID of the communication that caused the connection confirmation, and is associated with the communication ID 501 of the communication log table 500.

  The connection confirmation result 1203 is a connection confirmation result determined by the suspicious communication control apparatus 101 for the connection confirmation. “Accept” of the connection confirmation result 1203 indicates a result of determining that the connection confirmation is successful, and “Deny” indicates a result of determining that the connection confirmation is unsuccessful.

  The connection confirmation request 1204 is a connection confirmation process requested by the user 107 in response to the connection confirmation. “Accept” indicates connection permission and “Cancel” indicates connection rejection.

  The connection confirmation information 1205 is information regarding a user response to the connection confirmation. In this embodiment, the response time (seconds) required for the user 107 to respond to the connection confirmation, the correct answer obtained in the connection confirmation, and the answer returned by the user 107 in the connection confirmation are used. If the answer of the user 107 matches the correct answer, the connection confirmation result 1203 is “Accept”.

  FIG. 13 is a diagram illustrating a configuration example of the statistic table 1300 in the present embodiment. In FIG. 13, a statistic table 1300 includes a statistic ID 1301, a statistic name 1302, a statistic calculation method 1303, a statistic description 1304, and an evaluation weight 1305 as data items in one entry.

  The statistic ID 1301 is an ID uniquely assigned to the statistic calculated from the communication log table 500, the gray URL table 600, the black URL table 700, the white URL table 800, and the connection confirmation result table 1200. is there.

  The statistic name 1302 is the name of the statistic. The statistic calculation method 1303 is an auxiliary program path for calculating the statistic. The statistic explanation 1304 is an explanation of the outline of the statistic. The evaluation weight 1305 is a value obtained by quantifying the security importance of the statistic.

  FIG. 14 is a diagram illustrating a configuration example of the connection confirmation result statistical information table 143 in the present embodiment. In FIG. 14, the connection confirmation result statistical information table 143 includes a statistical data ID 1401, a user ID 1402, a start time 1403, an end time 1404, a statistic 1405, and a connection confirmation method 1406 as data items in one entry. .

  The statistical data ID 1401 is an ID that is uniquely assigned to the statistical quantity obtained as a result of presenting connection confirmation by a specific connection confirmation method for a specific user to a specific user.

  The user ID 1402 is the ID of the user who is the source of the statistical data calculation source data, and is associated with the user ID 301. The start time 1403 is the acquisition start time of the statistical data calculation source data. The end time 1404 is the acquisition end time of the calculator data of the statistical data.

  A statistic 1405 is a calculated statistic. In the present embodiment, four examples of SV1, SV2, SV3, and SV4 registered in the statistics table 1300 are used as examples of statistics.

  The connection confirmation method 1406 is a connection confirmation method at the time of measuring the statistical data calculation source data. In this embodiment, four examples of AM1, AM2, AM3, and AM4 registered in the connection confirmation method table 900 are used as examples of the connection confirmation method. In the connection confirmation method 1406, among the methods registered in the connection confirmation method table 900, 1 is set in a column corresponding to all methods used in the record, and 0 is set in a column corresponding to a method not used. Store.

  FIG. 15 is a diagram illustrating a configuration example of the user characteristic table 1500 in the present embodiment. In FIG. 15, the user characteristic table 1500 includes a user ID 1501 and a user characteristic 1502 as data items in one entry.

  A user ID 1501 is a user ID corresponding to the user characteristic, and is associated with the user ID 301. The user characteristic 1502 is a characteristic of a response to the connection confirmation of the user, and is a value representing the relationship between the presented connection confirmation method and the obtained statistic for the user. Examples of user characteristics in the present embodiment are the effects of the four connection confirmation methods AM1, AM2, AM3, AM4 and other factors on each of the four statistics SV1, SV2, SV3, SV4. The size was quantified. The quantification may be set in advance by the system administrator 108 or the like.

  Specifically, the magnitude of the influence of elements other than the connection confirmation method on the statistic SV1 is UC10, the influence of the connection confirmation method AM1 on the statistic SV1 is UC11, and the connection confirmation method AM2 is the statistic SV1. The magnitude of the effect was 20 values in the form of UC12.

  FIG. 16 is a diagram illustrating a configuration example of the user connection confirmation method table 1600 in the present embodiment. In FIG. 16, a user connection confirmation method table 1600 has a user ID 1601 and a user connection confirmation method 1602 as data items.

  A user ID 1601 is an ID of the user 107 to which the connection confirmation method is assigned, and is associated with the user ID 301. The user connection confirmation method 1602 is a connection confirmation method assigned to the user 107.

  In this embodiment, four of AM1, AM2, AM3, and AM4 registered in the connection confirmation method table 900 are used. Similarly to the connection confirmation method 1406, the user connection confirmation method 1602 sets 1 in the columns corresponding to all methods assigned to the user in the record among the methods registered in the connection confirmation method table 900. 0 is stored in the column corresponding to the unassigned scheme.

<Processing when communication occurs>
An outline of the processing 1700 when communication occurs will be described with reference to FIG. FIG. 17 is a flowchart illustrating a procedure of processing 1700 when communication occurs in the present embodiment.

  The communication control program 121 running on the suspicious communication control apparatus 101 acquires the communication (packet) transmitted from the managed terminal 106 to the Internet 103 from the network 105 (1701).

  The communication control program 121 creates a new record in the communication log table 500, generates an ID for identifying a communication (packet), and stores it in the communication ID 501. In addition, the communication control program 121 stores the time when the process is executed at the time 503 of the communication log table 500.

  The communication control program 121 analyzes the packet of the communication and compares the source IP address and the terminal information 403 to identify the user 107 who uses the managed terminal 106 that has performed the communication. The identified ID is stored in the user ID 502 of the communication log table 500. Further, the communication control program 121 analyzes the communication packet, acquires the URL of the communication destination, and stores it in the communication destination URL 504 of the communication log table 500 (step 1701).

  Next, in step 1702, the user connection confirmation program 122 determines whether connection confirmation to the user 107 is necessary for the communication. Specifically, the user connection confirmation program 122 determines that connection confirmation is necessary when the communication destination URL 504 of the record corresponding to the communication in the communication log table 500 is included in the gray URL ID 601 of the gray URL table 600. .

  However, this determination method is an example in the present embodiment. For example, when the risk value 604 of the URL is equal to or greater than a certain value, the user connection confirmation program 122 determines that connection confirmation is necessary or the gray URL table 600 A method of randomly determining that connection confirmation is necessary even for URLs not included is also conceivable.

  If it is determined by the user connection confirmation program 122 that connection confirmation is necessary, the process proceeds to step 1703. If it is determined that connection confirmation is not necessary, the process proceeds to step 1705.

  In step 1703, if it is determined in step 1702 that the connection confirmation is necessary, the user connection confirmation program 122 determines a connection confirmation method (pattern). Specifically, with reference to the user connection confirmation method table 1600, the user ID 1601 selects a record that matches the user ID assigned to the user 107 associated with the managed terminal 106 that has performed the communication, and the record The ID of any one of AM1 to AM4 is obtained from the connection confirmation method 1602, and this is used as a connection confirmation method (connection confirmation pattern) to be presented to the user 107.

  Further, the user connection confirmation program 122 refers to the connection confirmation method table 900, compares the connection confirmation method ID 901 with the connection confirmation method, and obtains a corresponding record. Then, the user connection confirmation program 122 presents the connection confirmation by the selected connection confirmation method to the managed terminal 106 that has performed the communication by executing the execution program file 903 of the record. Details of the connection confirmation screen presented here will be described later.

  In step 1704, the user connection confirmation program 122 receives a response to the connection confirmation by the terminal 106 to be managed, and records the result. Specifically, after step 1703, a connection confirmation response is received from the managed terminal 106, and a new record 1201 is added to the connection confirmation result table 1200. The user connection confirmation program 122 generates a connection confirmation ID 1201, acquires the communication ID 501 from the communication log table 500, and sets it in the communication ID 1202 of the connection confirmation result table 1200.

  The user connection confirmation program 122 stores a response to the connection confirmation in the connection confirmation information 1205. “Response time” stores the time from when the suspicious communication control apparatus 101 presents a connection confirmation request to the terminal 106 until the response is received. The “correct answer” stores the correct answer to the connection confirmation question. “Answer” stores the answer of the user 107 to the connection confirmation question.

  The user connection confirmation program 122 further analyzes the response from the user to the connection confirmation, and stores “Accept” in the connection confirmation result 1203 if the “answer” matches the “correct answer”. Store “Deny”.

  In step 1705, the user connection confirmation program 122 determines whether or not to permit the communication. If yes, the process proceeds to step 1706, and if not, the process proceeds to step 1707.

  The user connection confirmation program 122 permits the communication when the connection confirmation request 1204 is “Accept” and the “correct answer” included in the connection confirmation information 1205 matches the “answer”.

  However, the above-described method for determining whether or not to permit communication is an example in the present embodiment. For example, if “correct answer” and “answer” partially match, response is permitted. A plurality of methods are conceivable, such as allowing communication if the time (1205) is within a certain range.

  The user connection confirmation program 122 determines that connection confirmation is necessary in step 1702, and when connection confirmation processing is executed in subsequent steps 1703 and 1704, refers to the connection confirmation result table 1200 and follows the connection confirmation result 1203. . If it is determined in step 1702 that connection confirmation is not necessary, the black URL table 700 and the white URL table 800 are referred to. When the destination URL of the communication is included in the black URL 703, the communication is not permitted. When the destination URL of the communication is included in the white URL 803, the communication is permitted. If the destination URL of the communication is not included in either, the communication is permitted. However, the determination criteria mentioned here are merely examples in the present embodiment, and other criteria may be provided based on organizational policies and the like.

  If the communication is not permitted in the step 1705, the communication control program 121 does not transfer the communication to the network 104, generates an error message indicating that the communication is not permitted, and manages the managed terminal. 106 (step 1707).

  If the communication is permitted in step 1705, the communication control program 121 transfers the communication to the network 104, and thereafter appropriately transfers the communication related to the communication between the network 104 and the network 105 (step 1707). .

  The list update program 123 updates the gray URL table 600, the black URL table 700, and the white URL table 800 as necessary. The response result from the user for the connection confirmation acquired in step 1704 is input, and the risk value 604 of the gray URL table 600 is updated or the gray URL table 600 and the black URL table 700 are updated based on a preset algorithm. The URL is moved between the white URL tables 800 (step 1708).

  Through the above processing, if the destination URL of communication (packet) exists in the white URL table 800, the communication is permitted, and if the destination URL exists in the black URL table 700, the communication is blocked. If the destination URL exists in the gray URL table 600, the suspicious communication control apparatus 101 can confirm the connection to the terminal 106 and determine whether or not the communication connection is possible based on a response from the user 107.

  Further, by updating the risk value 604 of the gray URL table 600 as a suspicious connection destination based on the result of the connection confirmation (response result from the user for the connection confirmation), the suspicious connection destination is suspicious according to the actual connection situation. The degree of threat at the connection destination can be updated.

<Regular update process>
Next, an outline of the periodic update process 1800 will be described based on FIG. FIG. 18 is a flowchart showing the procedure of the periodic update process 1800 in the present embodiment. In this embodiment, the periodic update process 1800 includes a statistical information update process 1801, a user characteristic update process 1802, and a connection confirmation method update process 1803. 124, the user characteristic update program 125, and the connection confirmation method update program 126 are sequentially started to be executed periodically. Note that the periodic update process 1800 may be executed at a cycle such as once a month or once a week.

  The statistical information update process 1801 is a process for updating the statistical information calculated from the response to the connection confirmation for each user 107 to the latest state. This process is performed by the statistical information update program 124 updating the connection confirmation result statistical information table 143.

  The user characteristic update process 1802 is a process of estimating the response characteristic to the connection confirmation corresponding to the connection confirmation method for each user 107 based on the result of the statistical information update process 1801 and updating it to the latest state. is there. This process is performed by the user characteristic update program 125 updating the user characteristic table 1500.

  The connection confirmation method update process 1803 is a process for estimating a connection confirmation method suitable for the characteristics of each user based on the result of the user characteristic update process 1802 and updating it to the latest state. This process is performed by the connection confirmation method update program 126 updating the user connection confirmation method table 1600. Hereinafter, details of these processes will be described with reference to FIGS. 19, 20, and 21.

<Statistical information update processing>
Next, details of the statistical information update processing 1801 will be described with reference to FIG. FIG. 19 is a flowchart illustrating a procedure of statistical information update processing in the present embodiment.

  The statistical information update program 124 creates a new record in the connection confirmation result statistical information table 143 (step 1901). A new record is generated for each user ID 301 in the user table 300, and the end time 1404 of the latest connection confirmation result statistical information table 143 of the user is set as the start time 1403 of the new record, and the end time 1404 of the new record includes A date and time is set by adding a predetermined period to the start time.

  The statistical information update program 124 executes the following processing for each new record in the connection confirmation result statistical information table 143.

  The statistical information update program 124 refers to the communication log table 500, and the user ID 502 matches the user ID 1402 of the record, and the time 503 is included between the start time 1403 of the record and the end time 1404 of the record. Select all records to be recorded and make a communication log list.

  Next, the statistical information update program 124 executes the following processing for each record in the communication log list.

  The statistical information update program 124 refers to the gray URL table 600, the black URL table 700, and the white URL table 800, and the gray URL 603, the black URL 703, and the white URL 803 match the communication destination URL 504 of the record in the communication log list. Select.

  If the communication destination URL 504 of the selected record is in the gray URL table 600, the statistical information update program 124 acquires the risk value 604 of the record as the risk value.

  The statistical information update program 124 acquires 1 as the risk value if the selected record is in the black URL table 700, and acquires 0 as the risk value if it is in the white URL table 800.

  Next, the statistical information update program 124 refers to the connection confirmation result table 1200, selects a record whose communication ID 1202 matches the communication ID 501 of the record in the communication log list, and obtains the connection confirmation result 1203 of the record. To do.

  Thereafter, the statistical information update program 124 receives the obtained risk value and the connection confirmation result 1203 as input, and stores the values of the statistics SV1 to SV4 registered in the statistics table 1300 in the path stored in the statistics calculation method 1303. It is calculated by inputting to the auxiliary program.

  The statistical information update program 124 stores the calculated statistics SV1 to SV4 in the statistics 1405 of the record in the connection confirmation result statistics information table (step 1902).

  By executing the above processing for each user 107, statistics SV1 to SV4 for each predetermined period are generated.

<User characteristic update processing>
Next, details of the user characteristic update processing 1802 will be described with reference to FIGS. FIG. 20 is a flowchart illustrating the procedure of the user characteristic update process in the present embodiment. FIG. 27 is a diagram illustrating the relationship between the user characteristics 1502, the statistic 1405, and the connection confirmation method 1406 assumed in the present embodiment.

  The user characteristic update program 125 refers to the user table 300, acquires all records, and makes a user list (step 2001).

  The user characteristic update program 125 executes the following process for each record in the user list (step 2002). Note that the user characteristic update program 125 repeats the processes in steps 2002 to 2010 for every user 107.

  The user characteristic update program 125 refers to the user characteristic table 1500, specifies a record in which the user ID 1501 matches the user ID in the user list, and stores an initial value in the user characteristic 1502 of the record. In this embodiment, the average value of the user characteristics 1502 in all records of the user characteristics table 1500 is used as the initial value (step 2003).

  The user characteristic update program 125 refers to the connection confirmation result statistical information table 143, acquires all records in which the user ID 1402 matches the ID of the user list, and sets it as a connection confirmation result list (step 2004).

  The user characteristic update program 125 executes the following processing in order from the record with the oldest start time 1403 on the acquired connection confirmation result list (step 2005). Note that the user characteristic update program 125 repeats the processing in steps 2005 to 2009 for all the records in the acquired connection confirmation result list.

  In FIG. 27, a vector whose elements are the values of the statistic 1405 (SV1 to SV4) is a statistic vector 2701, and a matrix whose elements are the values of the user characteristics 1502 (processing UC44 of UC10 to 2010) is a user characteristics matrix 2702. The product of the user characteristic matrix 2702 and the connection confirmation method vector 2703 is the statistic vector 2701 when the vector having the values (AM1 to AM4) of the connection confirmation method 1406 as the element is the connection confirmation method vector 2703. A method for updating the user characteristic 1502 assuming the relationship will be described. However, considering that there are user characteristics that affect the statistics (SV1 to SV4) regardless of the connection confirmation method, a constant term “1” is added to the connection confirmation method vector 2703.

  The user characteristic update program 125 refers to the connection confirmation method 1406 of the record in the connection confirmation result list and the user characteristic 1502 of the user, and calculates an estimated value of the statistic from these values. The calculation method in the present embodiment is as follows. For each statistic 1301 (SV1 to SV4) registered in the statistic table 1300, out of the user characteristics 1502 representing the magnitude of the influence on the statistic, a value representing the magnitude of the influence by the connection confirmation method; A value obtained by adding the products of the values of the corresponding connection confirmation methods 1406 and adding a value indicating the magnitude of the influence of elements other than the connection confirmation method is used as the estimated value of the statistic.

  As a specific example, a method of calculating the estimated value of the statistic SV1 is shown below. The user characteristic update program 125 includes the connection confirmation method 1406 for UC11, UC12, UC13, and UC14 that represent the magnitude of the influence of the connection confirmation method among the user characteristics 1502 that represents the magnitude of the influence on the statistic SV1. The product of AM1, AM2, AM3, and AM4 is calculated, and the total value is calculated.

  Further, in the user characteristic update program 125, a value obtained by adding UC10 representing the magnitude of the influence of elements other than the connection confirmation method to the total value is an estimated value of the statistic SV1. As described above, the user characteristic update program 125 calculates an estimated value for each statistic registered in the statistic table 1300.

  Next, the user characteristic update program 125 refers to the statistic 1405 of the record in the connection confirmation result list, obtains the actually observed statistic, and calculates the difference from the estimated statistic calculated above. Calculate (step 2006).

  A method in which the user characteristic update program 125 calculates the update amount of each value of the user characteristic 1502 will be described below. The user characteristic update program 125 selects a statistic that is affected by the user characteristic from among the statistics, and the difference between the statistic calculated in step 2006 and the value of the user characteristic that affects the statistic. The product of the value of the user characteristic value with respect to the sum of the values is calculated.

  Furthermore, the user characteristic update program 125 refers to the parameter table 1000, selects a record whose parameter name 1002 is “update amount coefficient”, obtains the parameter value 1003 of the record and sets it as the update amount coefficient, and The product of the value calculated for each characteristic value and the update amount coefficient is used as the update amount for each user characteristic (step 2007).

  The user characteristic update program 125 stores, in the user characteristic table 1500, as a new user characteristic 1502, a value obtained by adding the corresponding one of the update amounts calculated in step 2007 to each of the user characteristic 1502 of the user ( Step 2008).

  Through the above process, the user characteristic table 1500 is updated from the information in the connection confirmation result statistical information table 143 for each user 107.

<Connection confirmation method update processing>
Next, details of the connection confirmation method update processing 1803 will be described with reference to FIG. FIG. 21 is a flowchart showing the procedure of the user characteristic update process in the present embodiment.

  The connection confirmation method update program 126 refers to the user table 300, acquires all records, and makes a user list (step 2101).

  The connection confirmation method update program 126 executes the following processing for each record in the user list (step 2102). Note that the connection confirmation method update program 126 repeatedly executes the processing in steps 2103 to 2109 for each record in the user list.

  The connection confirmation method update program 126 refers to the connection confirmation method table 900, the parameter table 1000, and the connection confirmation method individual condition table 1100, and calculates all connection confirmation methods applicable to the user.

  Specifically, the connection confirmation method update program 126 refers to the parameter table 1000, acquires the parameter value 1003 of the record whose parameter name 1002 is “connection confirmation method essential condition”, and the conditional expression specified here A combination of connection confirmation methods is selected from the connection confirmation method table 900 so as to satisfy the above condition.

  The connection confirmation method update program 126 further selects a record in which the user ID 1101 of the connection confirmation method individual condition table 1100 matches the ID of the user, and the individual condition 1103 is set for the connection confirmation method stored in the connection confirmation method 1102. If it is “Deny”, it is excluded from the candidates, and if the individual condition 1103 is “Force”, other candidates are excluded (step 2103).

  The connection confirmation method update program 126 calculates estimated values of the statistics SV1 to SV4 for each of the connection confirmation method candidates calculated in step 2103. Specifically, in the same manner as in step 2006, for each statistic registered in the statistic table 1300, among the user characteristics 1502 representing the magnitude of the effect on the statistic, the effect of the connection confirmation method is large. Is added to the product of the corresponding value among the candidates for the connection confirmation method, and a value obtained by adding a value representing the magnitude of the influence of elements other than the connection confirmation method is added to the connection confirmation method. Assume an estimate of the statistics for the candidate. (Step 2104).

  The connection confirmation method update program 126 calculates an evaluation value for each of the estimated values of the statistics SV1 to SV4 obtained in step 2105. Specifically, the connection confirmation method update program 126 refers to the statistics table 1300, acquires the evaluation weights 1305 corresponding to the statistics SV1 to SV4, and sums the products with the estimated values of the corresponding statistics. By taking the above, it is set as an evaluation value in consideration of the weight for the estimated value of the statistic. Thereafter, the connection confirmation method update program 126 selects one of the connection confirmation method candidates from which the estimated value of the statistic for which the obtained evaluation value is maximum is calculated, and selects the optimum connection of the user. The candidate is a confirmation method candidate (step 2105).

  The connection confirmation method update program 126 refers to the parameter table 1000, acquires the parameter value 1003 of the record whose parameter name 1002 is “connection confirmation method evaluation score threshold”, and sets it as the evaluation reference value, and performs the maximum evaluation in step 2105 above. Compare with the value. The evaluation reference value is a threshold for the evaluation value of a statistic set in advance by the system administrator 108, and is calculated to adopt a connection confirmation method in which the estimated value of the estimated statistic is equal to or greater than the evaluation reference value. Is.

  If the maximum evaluation value is equal to or greater than the evaluation reference value, the connection confirmation method update program 126 determines to adopt the optimum connection confirmation method candidate. If the maximum evaluation value falls below the evaluation reference value, the optimum connection confirmation method candidate is changed. Considering the possibility that the estimated value of user characteristics has fallen to local optimization, the connection confirmation method that the estimated value of the estimated statistic is greater than or equal to the evaluation reference value by drastically changing the connection confirmation method This is a procedure for searching for a method (step 2106).

  When the maximum evaluation value is lower than the evaluation reference value, the connection confirmation method update program 126 changes the optimum connection confirmation method candidate based on a known or well-known algorithm. In the present embodiment, as an example, one of the connection confirmation method candidates calculated in step 2103 is selected at random and set as the optimum connection confirmation method candidate (step 2107).

  The connection confirmation method update program 126 refers to the user connection confirmation method table 1600, and stores the optimum connection confirmation method candidate in the connection confirmation method 1602 of the record in which the user ID 1601 matches the ID of the user (step 2108). .

  By the above process, the optimum connection confirmation method is selected based on the statistics SV1 to SV4 for each user 107.

<Connection confirmation screen>
22A and 22B are diagrams illustrating configuration examples of the connection confirmation screen A 2210 and the connection confirmation screen B 2220 in the present embodiment.

  22A includes an explanatory note 2211, a permission button 2212, a non-permission button 2213, a cancel button 2214, a CAPTCHA image 2215, an input form 2216, and a send button 2217.

  22B includes an explanatory note 2221, a question sentence 2222, and answer buttons 2223 to 2228. In this embodiment, the configuration of the connection confirmation screen is determined based on the connection confirmation method 1602 of the user connection confirmation method table 1600 associated with the target user 107 to whom the connection confirmation screen is presented.

  On the connection confirmation screen A 2210, the user 107 grasps the situation by reading the explanatory note 2211, determines whether communication is permitted, is not permitted, or is canceled, and the permission button 2212, Either the non-permission button 2213 or the cancel button 2214 is pressed. Further, by reading the character string presented in the CAPTCHA image 2215, inputting the read character string in the input form 2216, and pressing the send button 2217, a response to the obtained connection confirmation is controlled from the terminal 106 by the suspicious communication control. Send to device 101.

  On the other hand, on the connection confirmation screen B 2220, the user 107 grasps the situation by reading the explanatory note 2221, determines whether communication is permitted, not permitted, or canceled, and displays the determination result according to the problem sentence 2222. By selecting and pressing a corresponding answer button from the answer buttons 2223 to 2228, a response to the obtained connection confirmation is transmitted from the terminal 106 to the suspicious communication control apparatus 101.

  As described above, the user connection confirmation program 122 presents the connection confirmation screen 2210 according to the characteristics of each user 107, thereby prompting the user 107 to take an appropriate action when confirming the connection and avoiding suspicious communication. It becomes possible to do.

<Connection confirmation method setting screen>
Below, the example of a screen of the input / output device 102 in a present Example is demonstrated using FIGS. The system administrator 108 controls the suspicious communication control apparatus 101 via a screen described below.

  FIG. 23 is a diagram showing an example of the connection confirmation method setting screen 2300 in the present embodiment. The connection confirmation method setting screen 2300 includes a connection confirmation method list screen 2310 and a connection confirmation method editing screen 2320. The connection confirmation method editing screen 2320 includes a connection confirmation method summary input unit 2321, an execution program file input unit 2322, and a new one. A registration button 2323, an update button 2324, and a delete button 2325 are included. The connection confirmation method setting screen 2300 is controlled by a maintenance program (not shown).

  The connection confirmation method list screen 2310 is a screen for displaying a list of connection confirmation methods registered in the connection confirmation method table 900. The connection confirmation method editing screen 2320 is a screen for newly registering, updating, and deleting a connection confirmation method. When newly registering a connection confirmation method, the system administrator 108 inputs an outline of the connection confirmation method to be newly registered in the connection confirmation method summary input unit 2321, and newly registers the connection confirmation method in the execution program file input unit 2322. Is input, and a new registration button 2323 is pressed.

  Further, when updating the connection confirmation method, the system administrator 108 selects a target record from the connection confirmation method list screen 2310, inputs an outline of the updated connection confirmation method into the connection confirmation method summary input unit 2321, and The program file path for executing the updated connection confirmation method is input to the execution program file input unit 2322, and the update button 2324 is pressed. When deleting the connection confirmation method, the system administrator 108 selects a target record from the connection confirmation method list screen 2310 and presses the delete button 2325.

  Using the connection confirmation method setting screen 2300, the system administrator 108 can perform maintenance of the connection confirmation method.

<Statistics setting screen>
FIG. 24 is a diagram showing an example of a statistic setting screen 2400 in the present embodiment. The statistic setting screen 2400 includes a statistic list screen 2410 and a statistic editing screen 2420. The statistic editing screen 2420 includes a statistic name input unit 2421, a statistic calculation method input unit 2422, a statistic description input unit 2423, An evaluation weight input unit 2424, a new registration button 2425, an update button 2426, and a delete button 2427 are included.

  The statistic list screen 2410 is a screen that displays a list of statistic values (statistic ID, statistic name, statistic description, and evaluation weight) registered in the statistic table 1300. The statistics setting screen 2400 is controlled by a maintenance program (not shown).

  The statistics editing screen 2420 is a screen for newly registering, updating, and deleting statistics. When newly registering a statistic, the system administrator 108 inputs the name of the statistic to be newly registered in the statistic name input unit 2421 and calculates the statistic to be newly registered in the statistic calculation method input unit 2422. The path of the program file is input, the description of the statistic to be newly registered is input to the statistic description input unit 2423, the evaluation weight of the statistic to be newly registered is input to the evaluation weight input unit 2424, and the new registration button 2425 is input. Press.

  When updating the statistic, the system administrator 108 selects the target record from the statistic list screen 2410, inputs the updated statistic name to the statistic name input unit 2421, and calculates the statistic calculation method input unit. The path of the program file for calculating the updated statistics is input to 2422, the description of the updated statistics is input to the statistics description input unit 2423, and the evaluation weight of the updated statistics is input to the evaluation weight input unit 2424 And the update button 2426 is pressed.

  When deleting a statistic, the system administrator 108 selects a target record from the statistic list screen 2410 and presses a delete button 2427.

  The system administrator 108 can perform maintenance of statistics by using the statistics setting screen 2400.

<Parameter setting screen>
FIG. 25 is a diagram showing an example of the parameter setting screen 2500 in the present embodiment. The parameter setting screen 2500 includes a parameter list screen 2510 and a parameter editing screen 2520. The parameter editing screen 2520 includes a parameter name input unit 2521, a parameter value input unit 2522, a new registration button 2523, an update button 2524, and a deletion. Button 2525 is included.

  The parameter list screen 2510 is a screen that displays a list of parameters registered in the parameter table 1000. The parameter setting screen 2500 is controlled by a maintenance program (not shown).

  The parameter editing screen 2520 is a screen for newly registering, updating, and deleting parameters. When a parameter is newly registered in the parameter table 1000, the system administrator 108 inputs the name of the parameter to be newly registered in the parameter name input unit 2521 and inputs the value of the parameter to be newly registered in the parameter value input unit 2522. Then, a new registration button 2523 is pressed.

  When updating a parameter, the system administrator 108 selects a target record from the parameter list screen 2510, inputs the name of the updated parameter to the parameter name input unit 2521, and updates the parameter to the parameter value input unit 2522. A value is input and the update button 2524 is pressed. When deleting a parameter, the system administrator 108 selects a target record from the parameter list screen 2510 and presses a delete button 2525.

  With the parameter setting screen 2500, the system administrator 108 can maintain statistics.

<Continuous confirmation method individual condition setting screen>
FIG. 26 is a diagram showing an example of the connection confirmation method individual condition setting screen 2600 in the present embodiment. The connection confirmation method individual condition setting screen 2600 includes a connection confirmation method individual condition list screen 2610 and a connection confirmation method individual condition editing screen 2620. The connection confirmation method individual condition editing screen 2620 includes a user ID input unit 2621 and a connection confirmation method. An input unit 2622, an individual condition input unit 2623, an add button 2624, and a delete button 2625 are included.

  The connection confirmation method individual condition list screen 2610 is a screen for displaying a list of connection confirmation method individual conditions registered in the connection confirmation method individual condition table 1100. The connection confirmation method individual condition setting screen 2600 is controlled by a maintenance program (not shown).

  The connection confirmation method individual condition editing screen 2620 is a screen for adding and deleting connection confirmation method individual conditions. When adding the connection confirmation method individual condition, the system administrator 108 inputs the ID of the target user of the connection confirmation method individual condition to be added to the user ID input unit 2621, and adds the connection to the connection confirmation method input unit 2622. The ID of the connection confirmation method of the confirmation method individual condition is input, the condition of the connection confirmation method individual condition to be added is input to the individual condition input unit 2623, and the add button 2624 is pressed.

  When deleting the connection confirmation method individual condition, the system administrator 108 inputs the ID of the target user of the connection confirmation method individual condition to be deleted to the user ID input unit 2621 and the connection confirmation method to be deleted to the connection confirmation method input unit 2622. The connection confirmation method ID of the confirmation method individual condition is input, the condition of the connection confirmation method individual condition to be deleted is input to the individual condition input unit 2623, and the delete button 2625 is pressed.

  Using the connection confirmation method individual condition setting screen 2600, the system administrator 108 can perform maintenance of the connection confirmation method for each user.

  As described above, according to the present embodiment, the suspicious communication control system and the suspicious communication control apparatus 101 obtain the user characteristics from the reaction of the user 107 with respect to the connection confirmation, and present the next and subsequent connection confirmations based on the characteristics. By determining the method, it is possible to prompt the user 107 to take an appropriate action when confirming the connection.

  Therefore, it is possible to achieve both safety and convenience associated with the connection confirmation, further increase the reliability of knowledge obtained by summing up the reactions of the user 107, and use it to further improve safety and convenience.

  In addition, as a modification of the above-described embodiment, there is a form in which, based on user characteristics, the content of security education to be assigned to the user is determined or a notification regarding security awareness is sent. Thereby, not only the change of the presentation method of the connection confirmation screen to the user but also the user can be influenced by various methods, and the user can be encouraged to take an effective action for the security measure. In addition, there is a form in which user characteristics are aggregated and output as a report so that user characteristics can be grasped in organizational units and used for security measures.

  In the above embodiment, information obtained from the user's response to the connection confirmation is used for updating the user characteristics, but other information such as a questionnaire result on security awareness may also be used. .

  Further, in the above-described embodiment, the magnitude of the influence of the connection confirmation method on the statistic is set as the user characteristic, and the presence / absence of use of each connection confirmation method is represented by 1 or 0, and each connection method and the corresponding user characteristic. However, the calculation method is not limited to the product and the sum, and for example, a preset function may be used.

  Furthermore, the system administrator 108 may uniquely specify a method for calculating the statistic from the user characteristics item, the user characteristics, and the connection confirmation method. Specifically, for example, there are three user characteristics of “risk sensitivity”, “cost sensitivity”, and “IT literacy”, and these three values are determined from the result of the connection confirmation for the user.

  This method requires knowledge regarding the relationship between user characteristics, connection confirmation methods, and statistics in advance, but user characteristics can be expressed in a form that is easy for humans to interpret. This facilitates the implementation of the above-described determination of the contents of security education for the user, output of a report, update of user characteristics based on the questionnaire result, and the like.

  In the above embodiment, the process of updating the user characteristics is executed based on the assumption that a linear relationship is established among the statistics, the connection confirmation method, and the user characteristics. However, a calculation method based on another assumption is used. It may be used.

  In the above embodiment, connection confirmation is performed for communication to the URL included in the gray URL table 600. However, a URL to be a connection confirmation target may be determined based on other criteria. For example, connection estimation may be performed for URLs not included in the white URL table 136 and the black URL table 135 in order to estimate user characteristics.

  In the above embodiment, when the connection confirmation is performed, it is determined whether or not the communication is allowed to pass based on the connection confirmation result. However, the connection confirmation result and the communication control may not be linked. For example, the connection confirmation is performed also for the communication to the URL included in the black URL table 700, and the connection confirmation result is used only for updating the user characteristics, and the communication is blocked regardless of the connection confirmation result. May be.

  In the above embodiment, the suspicious communication control apparatus 101 includes the communication unit 204. However, the communication unit 204 may be an external communication apparatus such as a proxy server that transfers packets. In this case, the communication device receives a connection request from the terminal 106 to the Internet 103 and transfers it to the suspicious communication control device 101. The communication control program (communication control unit) 121 of the suspicious communication control device 101 confirms the connection confirmation result. The communication device may control the connection from the terminal 106 to the Internet 103 based on the above.

  In addition, this invention is not limited to an above-described Example, Various modifications are included. For example, the above-described embodiments are described in detail for easy understanding of the present invention, and are not necessarily limited to those having all the configurations described. Further, a part of the configuration of one embodiment can be replaced with the configuration of another embodiment, and the configuration of another embodiment can be added to the configuration of one embodiment. In addition, any of the additions, deletions, or substitutions of other configurations can be applied to a part of the configuration of each embodiment, either alone or in combination.

  Each of the above-described configurations, functions, processing units, processing means, and the like may be realized by hardware by designing a part or all of them with, for example, an integrated circuit. In addition, each of the above-described configurations, functions, and the like may be realized by software by the processor interpreting and executing a program that realizes each function. Information such as programs, tables, and files for realizing each function can be stored in a memory, a hard disk, a recording device such as an SSD (Solid State Drive), or a recording medium such as an IC card, an SD card, or a DVD.

  Further, the control lines and information lines indicate what is considered necessary for the explanation, and not all the control lines and information lines on the product are necessarily shown. Actually, it may be considered that almost all the components are connected to each other.

101 Suspicious Communication Control Device 102 Input / Output Device 121 Communication Control Program 122 User Connection Confirmation Program 123 List Update Program 124 Statistical Information Update Program 125 User Characteristic Update Program 126 Connection Confirmation Method Update Program 127 Periodic Update Processing Management Program 201 CPU
202 Memory 203 Storage device 204 Communication unit 205 Input unit 206 Output unit 207 Bus 300 User table 400 Terminal table 500 Communication log table 600 Gray URL table 700 Black URL table 800 White URL table 900 Connection confirmation method table 1000 Parameter table 1100 Connection confirmation method Individual condition table 1200 Connection confirmation result table 1300 Statistics table 1400 Connection confirmation result statistical information table 1500 User characteristic table 1600 User connection confirmation method table 1700 Processing when communication occurs 1800 Periodic update process 1900 Statistical information update process 2000 User characteristic update process 2100 Connection confirmation method update processing 2200 Connection confirmation screen 2300 Connection confirmation method setting screen 2400 Statistics setting screen 2500 Parameter setting screen 2600 Connection confirmation method individual condition setting screen

Claims (15)

A suspicious communication control apparatus for connecting a terminal operated by a user and the Internet to a suspicious communication control method for controlling connection from the terminal to the Internet,
A first step in which the suspicious communication control device receives a connection request to the Internet from the terminal;
A second step in which the suspicious communication control device acquires a connection confirmation pattern of the user for the received connection request and performs connection confirmation;
A third step in which the suspicious communication control device controls connection from the terminal to the Internet based on the result of the connection confirmation;
A fourth step in which the suspicious communication control device calculates characteristics of the user who operates the terminal based on a result of the connection confirmation;
A fifth step in which the suspicious communication control device changes the connection confirmation pattern of the user based on the characteristics;
A suspicious communication control method comprising: The suspicious communication control method according to claim 1,
The fourth step includes
A suspicious communication control method characterized in that a relationship established between the connection confirmation pattern and the result of the connection confirmation is estimated to calculate the characteristics of the user. The suspicious communication control method according to claim 1,
The fourth step includes
Estimating the relationship between the connection confirmation pattern, the result of the connection confirmation, and the risk value of the communication destination included in the preset connection request, and calculating the characteristics of the user. Suspicious communication control method. The suspicious communication control method according to claim 1,
The fifth step includes
A suspicious communication control method characterized in that, based on the characteristics, the connection confirmation pattern is changed by combining one or more connection confirmation patterns from connection confirmation pattern information in which candidates for the connection confirmation pattern are stored in advance. The suspicious communication control method according to claim 4,
The fourth step includes
Calculate a predetermined statistic from the result of the connection confirmation, calculate the characteristics of the user by taking the statistic into account,
The fifth step includes
A connection confirmation pattern or connection in which an evaluation value is calculated from a value obtained by estimating a connection confirmation result for each connection confirmation pattern based on the user characteristics and the statistic, and the evaluation value is equal to or higher than a preset evaluation criterion. A suspicious communication control method characterized by selecting a combination of confirmation patterns. The suspicious communication control method according to claim 5,
The fifth step includes
When the maximum value of the evaluation value is less than the evaluation criterion, the connection confirmation pattern of the user is changed to a predetermined connection confirmation pattern. The suspicious communication control method according to claim 1,
The second step includes
Suspicious communication control characterized in that, when a connection destination included in the connection request matches a suspicious connection destination included in preset gray information, the connection confirmation pattern of the user is acquired and connection confirmation is performed. Method. The suspicious communication control method according to claim 7,
In the gray information, a risk value is set for each suspicious connection destination,
The third step includes
The suspicious communication control method, wherein the risk value is updated based on a result of the connection confirmation. The suspicious communication control method according to claim 7,
The second step includes
Even if the connection destination included in the connection request does not match the suspicious connection destination included in the preset gray information, the connection confirmation pattern of the user is acquired and connected in order to estimate the user characteristics. A suspicious communication control method characterized by performing confirmation. A suspicious communication control device for connecting a terminal operated by a user with a processor and a memory to the Internet,
A connection confirmation unit that receives a connection request to the Internet from the terminal, obtains a connection confirmation pattern of the user for the received connection request, and confirms the connection;
A communication control unit for controlling connection from the terminal to the Internet based on the result of the connection confirmation;
A user characteristic calculating unit that calculates characteristics of the user who operates the terminal based on the result of the connection confirmation;
A connection confirmation pattern determination unit that changes the connection confirmation pattern of the user based on the characteristics;
A suspicious communication control device comprising: The suspicious communication control device according to claim 10,
The user characteristic calculator is
A suspicious communication control apparatus characterized by estimating a relationship established between the connection confirmation pattern and the result of the connection confirmation to calculate the characteristics of the user. The suspicious communication control device according to claim 10,
The user characteristic calculator is
Estimating the relationship between the connection confirmation pattern, the result of the connection confirmation, and the risk value of the communication destination included in the preset connection request, and calculating the characteristics of the user. Suspicious communication control device. The suspicious communication control device according to claim 10,
The connection confirmation pattern determination unit
The suspicious communication control apparatus, wherein the connection confirmation pattern is changed by combining one or more connection confirmation patterns from the connection confirmation pattern information in which the connection confirmation pattern candidates are stored in advance based on the characteristics. The suspicious communication control device according to claim 13,
The user characteristic calculator is
Calculate a predetermined statistic from the result of the connection confirmation, calculate the characteristics of the user by taking the statistic into account,
The connection confirmation pattern determination unit
A connection confirmation pattern or connection in which an evaluation value is calculated from a value obtained by estimating a connection confirmation result for each connection confirmation pattern based on the user characteristics and the statistic, and the evaluation value is equal to or higher than a preset evaluation criterion. A suspicious communication control device, wherein a combination of confirmation patterns is selected. A communication device connecting the terminal operated by the user and the Internet;
A suspicious communication control system including a suspicious communication control device that includes a processor and a memory to control the communication device,
The communication device
Receiving a connection request to the Internet from the terminal;
The suspicious communication control device
A connection confirmation unit that obtains a connection confirmation pattern of the user for a connection request received by the communication device and performs connection confirmation;
A communication control unit for controlling the connection from the terminal to the Internet based on the result of the connection confirmation;
A user characteristic calculating unit that calculates characteristics of the user who operates the terminal based on the result of the connection confirmation;
A connection confirmation pattern determination unit that changes the connection confirmation pattern of the user based on the characteristics;
A suspicious communication control system comprising:

Images