JP2022015396A - Information processing device, information processing method, and program - Google Patents

Abstract

To provide a technology for appropriately allowing selection of a counter measure against illegal access.SOLUTION: There is provided an information processing device including an information acquisition unit which acquires membership information of a victim member suffering from illegal access to the account among members of service managing accounts by password authentication, an analysis unit which analyzes a statistical bias in the membership information, and a counter measure selection unit which selects a counter measure against the illegal access for each of the accounts managed by the service on the basis of the result of the analysis.SELECTED DRAWING: Figure 2

Description

Embodiments of the present invention relate to information processing devices, information processing methods and programs.

With the development of communication technology, online services such as Internet banking and online shopping have become widespread. Generally, each user can log in to the system and receive the service by inputting the account identification information, which is also called a user ID, and the password for authentication.

With the spread of such online services, the act of illegally using services that have an access control function by combining a user ID and password by a third party who does not have the right to use them has become a problem. ing. Here, such an act in general is referred to as "unauthorized access" or "unauthorized login". If unauthorized access occurs, personal information may be stolen or cash or points may be used illegally.

In order to detect such unauthorized access, it is known to perform so-called risk-based authentication (see, for example, Patent Document 1).

Japanese Unexamined Patent Publication No. 2020-57439

Generally, when unauthorized access is detected, measures such as stopping the service of the account targeted for unauthorized access are taken. However, only uniform measures were taken for other accounts under control, such as stopping all services and notifying them to change their passwords. Frequent service outages can cause dissatisfaction among users (hereinafter also referred to as "members"). In addition, frequent password changes are not only complicated for users, but also make it difficult to manage passwords, which promotes the reuse of passwords among a plurality of services, which may lead to a decrease in security.

The present invention has been made by paying attention to the above circumstances, and an object of the present invention is to provide a technique for making it possible to more appropriately select countermeasures against unauthorized access.

In order to solve the above-mentioned problems, in one aspect of the present invention, among the members of the service that manages the account by password authentication, the information acquisition unit for acquiring the member information about the victim member who has received unauthorized access to the account, and the above-mentioned Provided by an information processing device equipped with an analysis unit that analyzes the statistical bias of member information and a countermeasure selection unit that selects countermeasures against unauthorized access for each account managed by the service based on the results of the analysis. Will be done.

According to one aspect of the present invention, measures are selected for each account under control based on the statistical bias of the member information of the victim member who has actually received unauthorized access among the service members. As a result, when unauthorized access occurs, it is possible to take more appropriate measures selected for each account based on the tendency of unauthorized access, instead of taking uniform measures for all accounts.

That is, according to the present invention, it is possible to provide a technique that enables more appropriate selection of countermeasures against unauthorized access.

FIG. 1 is a diagram showing an example of an overall configuration of a system including an information processing apparatus according to an embodiment of the present invention. FIG. 2 is a block diagram showing an example of the functional configuration of the information processing apparatus according to the embodiment of the present invention. FIG. 3 is a block diagram showing an example of the hardware configuration of the information processing apparatus according to the embodiment of the present invention. FIG. 4 is a flowchart showing a first example of the processing procedure and the processing content by the information processing apparatus shown in FIG. FIG. 5 is a diagram showing an example of victim data acquired by the information processing apparatus shown in FIG. FIG. 6 is a diagram showing a first example of the result of the analysis process by the information processing apparatus shown in FIG. FIG. 7 is a diagram showing a second example of the result of the analysis process by the information processing apparatus shown in FIG. FIG. 8 is a diagram showing a third example of the result of the analysis process by the information processing apparatus shown in FIG. FIG. 9 is a diagram showing a fourth example of the result of the analysis process by the information processing apparatus shown in FIG. FIG. 10 is a diagram showing a fifth example of the result of the analysis process by the information processing apparatus shown in FIG. FIG. 11 is a diagram showing an example of a correspondence table that specifies the correspondence between the deviation value and the degree of risk used by the information processing apparatus shown in FIG. FIG. 12 is a diagram showing an example of the degree of risk determined for each type by the information processing apparatus shown in FIG. FIG. 13 is a diagram showing a first example of a correspondence table that specifies the correspondence between the risk level used by the information processing apparatus shown in FIG. 2 and the countermeasure. FIG. 14 is a flowchart showing a second example of the processing procedure and the processing content by the information processing apparatus shown in FIG. FIG. 15 is a diagram showing a first example of the countermeasure selection process by the information processing apparatus shown in FIG. 2. FIG. 16 is a diagram showing a second example of a correspondence table that specifies a correspondence relationship between a risk level used by the information processing apparatus shown in FIG. 2 and a countermeasure. FIG. 17 is a flowchart showing a third example of the processing procedure and the processing content by the information processing apparatus shown in FIG. FIG. 18 is a diagram showing a second example of the countermeasure selection process by the information processing apparatus shown in FIG.

Hereinafter, embodiments according to the present invention will be described with reference to the drawings. Hereinafter, the same or similar reference numerals are given to the elements that are the same as or similar to the described elements, and the duplicated description is basically omitted. For example, when there are multiple identical or similar elements, a common code may be used to explain each element without distinction, and the common code may be used to describe each element separately. In addition, a branch number may be used.

[Outline of Embodiment]
The information processing apparatus according to the embodiment of the present invention can exchange information with a service that manages a member's account by password authentication. When there is a member who has received unauthorized access, the information processing device collects member information about the member, analyzes statistical bias based on the member information, and responds to unauthorized access based on the analysis result. Select a countermeasure.

Here, the member information collected by the information processing apparatus may include any information regarding the member who has received unauthorized access. For example, the member information includes personal information of the member, information associated with the account, activity history related to services on the network, and the like. Personal information includes, for example, name, address, gender, age, telephone number, e-mail address, occupation, annual income, family structure, preferences, and the like. The information associated with the account includes, for example, the creation date and time of the account, the elapsed time from the account creation date and time, the information of the website used for creating the account, the login history, the password change history, and the like. The activity history related to services on the network includes, for example, usage history of social networking services (SNS), posting history on SNS, browsing history of specific websites, credit card usage history, purchase history related to online shopping, and the like. It includes activity history of any service such as payment information, bank account and electronic money account balance and deposit / withdrawal history, point account balance and exchange history, insurance subscription and securities transaction results.

In the following, as an example, a point service is assumed as a service for managing a member's account by password authentication, and the information processing apparatus according to the embodiment will be described as collecting the above member information from a server that provides the point service. .. However, it should be noted that this is only an example, and the information processing apparatus according to the embodiment can perform the same processing based on the member information collected from various other information collection sources. For example, the information processing device can collect member information by requesting the member himself / herself who has received unauthorized access to input the member information. The information processing device can also collect information published on the SNS by the member himself / herself. Alternatively, the information processing device can collect information on deposits and savings and purchase history from the server of a financial institution or a credit card company with the permission of the member himself / herself. The information processing apparatus may collect member information from a plurality of information collection sources, integrate the information A from the server X, information B from the server Y, and so on, and use it for subsequent processing.

[One Embodiment]
(1) Configuration (1-1) System FIG. 1 is a diagram showing an example of an overall configuration of a system 1 provided with an information processing apparatus 10 according to an embodiment of the present invention.
The information processing apparatus 10 includes a point management server 20, a service A server 50A, a service B server 50B, ... (Hereinafter collectively referred to as a "service providing server 50"), and a user via a network NW such as the Internet. User terminal used by UT1,. .. .. , UTi (hereinafter collectively referred to as "user terminal UT") can be communicated with.

The point management server 20 is an example of a member information collection source of the information processing apparatus 10, and is a server computer managed by a business operator that provides a point service. The point service is, for example, according to the purchase price when a user who has registered as a member (hereinafter, also simply referred to as “member”) purchases a product or service (hereinafter, referred to as “product, etc.”), or at a store. Points are given to users under the conditions set by the company according to the number of visits to the store, and the accumulated points can be exchanged for products when visiting the store from the next time onward, or used as a price when purchasing products. It is a service to do. The point management server 20 manages point data such as points given, points used, and point balance for each member. Further, here, the point management server 20 will be described as providing a service of a common point that is commonly used among a plurality of services, but the present invention is not limited to this, and is used for each store or company. Individual or unique points may be managed.

The service providing server 50 is a server of a business operator that provides an affiliated service that is a member of the point service provided by the point management server 20. The service providing server 50 may be a server that provides Web services such as online shopping and Internet banking, or may be a server that manages sales at a physical store such as a convenience store or a gas station. For example, in the case of a server that provides an online shopping site, the service providing server 50 calculates the number of points granted according to the purchase amount when the user purchases a product or the like through the site, and the calculated number of points granted. Is notified to the point management server 20 together with the identification information of the user or the point account. Alternatively, when a user purchases a product or the like at a store under the control of the service providing server 50, for example, a POS terminal installed in the store calculates points according to the purchase amount and presents a point card or a point card presented by the user. Point award processing is performed for a mobile terminal having that function. Then, the service providing server 50 receives the point processing information together with the payment information from the POS terminal, and also notifies the point management server 20.

The user terminal UT is any information processing terminal that can be connected to the network NW, such as a smartphone, a tablet terminal, a notebook type or a desktop type personal computer used by the user. Members of the point service can use the user terminal UT, for example, directly from the website provided by the point management server 20 or a dedicated application program (hereinafter, also referred to as "application"), or the website provided by the service providing server 50. You can access your point account, check your balance, and use / redeem your points via a dedicated application.

Here, when each member accesses the point account, password authentication using a combination of ID and password is used. For example, each member accesses the website provided by the point management server 20 via the user terminal UT, and sends an authentication request including an ID and password related to the point account to an authentication server (not shown), and as a result, the authentication succeeds. By doing so, you can access the point account. Alternatively, each member first succeeds in the first authentication using the combination of the first ID and the first password in order to access the website (for example, the account for online shopping) provided by the service providing server 50. Then, by succeeding in the second authentication using the combination of the second ID and the second password for accessing the point account via the website, the website provided by the service providing server 50 is provided. You will be able to use points with. Alternatively, the point management server 20 and the service providing server 50 can use the authentication linkage for the convenience of the member. Here, authentication linkage refers to a mechanism that enables a user to access a plurality of services by one authentication process. When authentication linkage is used, for example, a member can seamlessly access the point account managed by the point management server 20 by logging in to his / her own account on the website provided by the service providing server 50. .. However, when authentication linkage is used, in the unlikely event of unauthorized access, multiple damages may occur between the linkage services.

The information processing apparatus 10 performs a process of selecting an appropriate countermeasure for each account when an unauthorized access occurs to the account under its control, and is composed of a server computer or a personal computer. The information processing device 10 can operate in cooperation with the point management server 20. Hereinafter, the information processing apparatus 10 is configured to operate in cooperation with the point management server 20, and is described as managing the account of the point service provided by the point management server 20, but the present invention is not limited to this. .. The password authentication process described above may be executed by an authentication server (not shown), may be executed by the information processing apparatus 10, or may be executed by the point management server 20.

(1-2) Information Processing Device (1-2-1) Functional Configuration FIG. 2 is a block diagram showing an example of the functional configuration of the information processing apparatus 10 according to the embodiment.
The information processing apparatus 10 includes a victim data acquisition unit 11, an analysis unit 12, a countermeasure selection unit 13, a victim data storage unit 14, a grade information storage unit 15, and a countermeasure policy storage unit 16. ..

As an information acquisition unit, the victim data acquisition unit 11 relates to a member who has received unauthorized access to an account among the members under the control of the point management server 20 from the point management server 20 or its database (not shown). Member information (hereinafter, also referred to as "victim data") is acquired and stored in the victim data storage unit 14. It should be noted that the terms "victim" or "victim member" are used here simply to refer to a member of an account that has been illegally accessed, regardless of whether or not financial damage has actually occurred.

The analysis unit 12 reads out the victim data stored in the victim data storage unit 14 in a fixed amount and analyzes the statistical bias of the victim data. In one embodiment, the analysis unit 12 analyzes the above statistical bias by totaling the number of victim members for each type of item included in the victim data and calculating the statistic based on the totaled result. .. Here, the "statistic" refers to all the values of the target data (for example, victim data) summarized by a statistical algorithm. In the following, as an example of statistics, the number of victims of unauthorized access that occurred in a certain period will be described using the deviation value for each type of item calculated as a population. A specific example of the calculation method will be described later. It should be noted that the bias is not limited to this, and the bias of the victim data may be calculated by using other statistics such as the mean value, the median value, the maximum value, and the minimum value.

The countermeasure selection unit 13 selects countermeasures against unauthorized access for each member account under the control of the point management server 20 based on the result of analysis by the analysis unit 12. The countermeasure selection unit 13 can output the selection result to any output destination (for example, the point management server 20, the service providing server 50, the user terminal UT, etc.). The countermeasure selection unit 13 also evaluates the effectiveness of the selected countermeasure (whether or not unauthorized access has decreased as a result of the implementation of the countermeasure) by analyzing the victim data in chronological order, and then evaluates the effectiveness of the selected countermeasure. It can also be used to select countermeasures for.

The victim data storage unit 14 stores the victim data acquired by the victim data acquisition unit 11.

The grade information storage unit 15 stores a correspondence table that specifies the relationship between the statistic representing the statistical bias of the victim data (as an example, the deviation value of the type) and the risk level of password authentication.

The countermeasure policy storage unit 16 stores a correspondence table for designating countermeasures according to the risk of password authentication.

(1-2-2) Hardware Configuration FIG. 3 is a block diagram showing an example of the hardware configuration of the information processing apparatus 10.
The information processing device 10 includes a CPU (Central Processing Unit) 101, a RAM (Random Access Memory) 102, a ROM (Read Only Memory) 103, an auxiliary storage device 104, an input device 105, an output device 106, and a communication interface (I / F). ) 107.

In the processing functions of the victim data acquisition unit 11, the analysis unit 12, and the countermeasure selection unit 13 described above in the information processing device 10, the CPU 101 expands the program stored in the ROM 103 or the auxiliary storage device 104 into the RAM 102, and deploys this program. It is realized by executing. The CPU 101 is an example of a hardware processor that controls the overall operation of the information processing device 10. The hardware processor is not limited to a general-purpose processor such as the CPU 101, and may be a dedicated processor such as an ASIC (Application Specific Integrated Circuit) or an FPGA (Field-Programmable Gate Array). Further, the CPU 101 may be a single CPU or the like, or may be a plurality of CPUs or the like.

The auxiliary storage device 104 includes a computer-readable storage medium that stores data non-volatilely, and may be, for example, an HDD (Hard Disk Drive) or an SDD (Solid State Drive). The auxiliary storage device 104 can function as a storage unit including the victim data storage unit 14, the grade information storage unit 15, and the countermeasure policy storage unit 16 described above.

The input device 105 includes, for example, a keyboard and a mouse. The output device 106 includes a display device. The input device 105 and the output device 106 may be, for example, an integrated touch panel type device in which a display device such as a liquid crystal panel and an input device such as a touch pad are combined.

The communication interface 107 is an interface for communicating with an external device. The communication interface 107 includes, for example, a LAN (Local Area Network) port, is connected to a network NW using, for example, a LAN cable, and transmits / receives data to / from an external device via the network NW. The communication interface 107 may include a wireless module such as a wireless LAN module or a Bluetooth® module.

Regarding the specific hardware configuration of the information processing apparatus 10, components can be omitted, replaced, or added as appropriate according to the embodiment.

In the conventional system, when a malicious third party attack (act) such as unauthorized access (unauthorized login) to an online service is detected, it is used as the primary protection method for protecting the registered user and the information. If you are using an ID and password
1) There is no way to logically and objectively infer and judge the attacker's intention / target from probability theory.
2) Therefore, from the viewpoint of user protection, there is a problem that it is necessary to uniformly request self-defense by changing the password.

Therefore, even users who were not the original attack target from the attacker's point of view will be required to change their passwords.
(A) The number of passwords that users must remember increases (unnecessarily), or (b) the structure (creation) of newly set passwords is complicated and diverse, and which ID for using which service. It is easily assumed that the user himself / herself will not be able to use the service because he / she will not know what kind of structure (creation) the password was created in, or (c) the password to avoid the above two problems. Reusing passwords increases the chances (separate or future risk) of an attacker's successful spoofing intrusion on another service at another time.

Therefore, for example, a method focusing on the following points is required.
(1) Do not request a wide range of unnecessary password changes such as uniform passwords for all, but request only the minimum necessary users to change them.
(2) By not changing the password of the low-risk ID implicitly, the security is maintained.
(3) When changing the password, give advice (support) on the structure (building) with high security (strength) to reduce the burden of devising each user and the risk of forgetting / confusion.
(4) Take multi-step measures according to the attacker's intention / aim and risk (risk level) characteristics as a target person (for example, stop service for everyone at the maximum, and at the top page (login screen) of the service site at the minimum. Attention, etc.),
(5) Even if the attack method / target of the attacker changes / changes according to our defense response, by grasping / following this (6) The most effective of the entire “service and its users” We will strive to establish safety (high attack resistance).

The information processing apparatus 10 according to the above embodiment analyzes the statistical bias of the member information of the victim member related to the account that received the unauthorized access when the unauthorized access is detected, and based on the result of the analysis, the information processing apparatus 10 analyzes the statistical bias. Select the appropriate measures for each managed account. This makes it possible to select appropriate measures for each account based on the actual tendency of unauthorized access, rather than uniform measures for all accounts, which is more effective for the service and its users as a whole. Can be established.

(2) Operation Next, the operation by the information processing apparatus 10 configured as described above will be described.
In the following, the operation by the information processing apparatus 10 will be described separately in the first stage, the second stage, and the third stage, but as will be described later, these do not necessarily have to be executed in order on the same time axis. , The order may be changed or combined in parallel, depending on the damage situation and the like.

Further, in the following, the description will be made on the premise that the point management server 20 has detected an unauthorized access to the account of the point service member by some method, and the point management server 20 has notified the information processing apparatus 10 to that effect. Unauthorized access detection may be based on, for example, an alert issued by a risk-based authentication system as described above, or a report that the member himself / herself has an unfamiliar login history or point consumption. It may be based on the fact that there was a problem, or that the service providing server 50 notified that a cyber attack was received.

(2-1) 1st stage The 1st stage is an operation mainly assumed as "initial response", and measures are taken at "points".
FIG. 4 is a flowchart showing an example of such a first stage operation.

First, in step S101, the information processing apparatus 10 acquires the member information (victim data) of the member related to the account that has received unauthorized access by the victim data acquisition unit 11, and stores it in the victim data storage unit 14. The victim data acquisition unit 11 may receive the victim data transmitted from the point management server 20 each time an unauthorized access occurs, or point management is performed periodically (for example, every hour or every day). Victim data may be received from the server 20. Alternatively, similarly, the victim data acquisition unit 11 may read the victim data from the database of the point management server 20 at an arbitrary timing.

FIG. 5 shows an example of victim data stored in the victim data storage unit 14. As described above, here, as a mere embodiment, the point management server 20 provides the common point service, and the point management server 20 and the service providing server 50 use the authentication linkage. The victim data in FIG. 5 may include the time of occurrence, member ID, registration route, registered mail domain, number of possessed points, number of structured password (structural PASS) updates, ID registration date, and the like related to the damage of unauthorized access.

The occurrence time includes information such as date (YYYY / MM / DD), hour, minute, second (hh: mm: ss), and may be, for example, the time when an unauthorized login occurs, or the member reports damage. It may be the time when it was received.

The member ID is identification information given to each member (account), and although a three-digit symbol is tentatively attached here, it may be managed by an arbitrary number of digits and an arbitrary character string. The member ID and the ID used for password authentication may be the same or different.

The registration route indicates which service the user went through when registering as a member to use the common point service. For example, the user can register as a member via the website provided by the point management server 20, or can register via the website provided by the service providing server 50. Alternatively, the user can either request input from an agent such as a clerk via an application form installed in a physical store, or input information by himself / herself through a terminal installed in a physical store. You can also request membership registration from that server. Knowledge of the registration route is, for example, from which route the registered information was leaked, or at what level the attack occurred (for example, whether the lower store server was the target of the attack, or the higher management server. Can be useful in guessing if was the target of an attack, etc.).

The registered e-mail domain is the domain information of the e-mail address specified by the member as the contact information related to the common point service. Knowledge of the registered mail domain can help determine the need for measures at the server level that manages the domain.

The number of points held is the balance of points held by each member. Since points have economic value, if an account of a member with a high number of points is illegally accessed, it may cause great damage not only to the individual member but also to the point service provider and affiliated business. In addition, members with a high number of points may be more likely to be targeted for unauthorized access. Therefore, the number of points held can be an indicator of possible economic damage.

The number of times of updating a structured password (structural PASS) is a parameter related to a system (not shown) that manages passwords in a structured manner for the purpose of improving security (hereinafter, also referred to as "structured password management system"). The structure PASS update count refers to the number of times the password is updated as a joint password between the member himself / herself and the system side by designating the addition or deletion of some character string to the password set by the member himself / herself. That is, when requesting a member to change the password for some reason, the system side gives advice on a structure with high security (password strength) instead of leaving it to the member. This will reduce the burden on each member in devising a new password and improve the security level of all members.

Here, the fact that the number of structural PASS updates is "0" means that the password of the member is the same as the password set by the member himself / herself. Even if the password is changed regularly, the number of updates is recorded as "0" unless it is a collaboration with the system as described above. For example, the password initially set by the member is "PASSWORD", and the system side specifies "" Add "the character string" 123 "of" 3 digits "to the" end "", and the member newly sets it accordingly. When the password "PASSWORD123" is registered, the number of updates becomes "1 time". Furthermore, when the system side (for example, after a certain period of time) specifies "" Delete "the character string of" 2 digits "from the" beginning of the word "" and the member registers a new password "SSWORD123" according to this, the number of updates Becomes "twice". On the other hand, if the member does not respond to the instruction of the system and registers the password selected by himself / herself, the number of updates remains 0 or is reset to 0. The number of structural PASS updates can be determined to be a member who has used the above system or a member who has not used the system, for example, depending on whether the number of times the structure is updated is "0 times" or "1 time or more". It can be useful for inferring information leakage routes and attack methods (eg, list attacks or brute force attacks). Alternatively, it is conceivable to collect not only the latest structure PASS update count but also the update history as time series data. For example, if the number of updates remains "1" for a certain period of time, it is presumed that the effect of using the system is exhibited. On the other hand, in the case of "twice or more", it is presumed that the member or the registered route thereof is the attack target because he / she has been attacked many times. If you repeat "0 times" and "1 time", you do not follow the system instructions and decide your own password (this makes it "0 times"), and since it was attacked, change it according to the system instructions ( As a result, the above structured password management is performed by aggregating time-series data for each pattern, such as "once") and what happened after that (for example, "twice" or something else). Measures can be selected in consideration of the effect of the system.

When the above structured password management system is used, the risk of entrusting password update to members only is reduced, and the system and members work together to improve diversity and security. It can be done at the same time. In addition, by considering the number of structural PASS in the analysis of statistical bias, it is possible to select a measure that also considers the personality and behavior pattern of the member. However, the use of the structured password management system as described above is optional, and when the structured password management system is not used, the number of structural PASS updates may not be included in the victim data.

The ID registration date represents the date when the member was registered. Not limited to the date, information on hours, minutes, and seconds may be included. Knowledge of the ID registration date can be useful for inferring the route of information leakage and the target of attack.

As mentioned above, the victim data shown in FIG. 5 is merely an example. Victim data may contain more information or less information. Victim data can include personal information other than those described above and activity history information on the network. Further, as described above, the information processing apparatus 10 can collect information about the victim from any information collection source.

Subsequently, in step S102, the analysis unit 12 reads the victim data from the victim data storage unit 14 and analyzes the statistical bias of the victim data. More specifically, the analysis unit 12 reads out the victim data for a predetermined period or amount, and the items included in the read victim data (for example, the time of occurrence, the member ID, the registration route, the registered mail domain, etc.). The number of victims is totaled for each type of possessed points, number of structural PASS updates, ID registration date, etc.), and the statistic is calculated.

6 to 10 show an example of the result of the analysis process by the analysis unit 21 focusing on different items of the victim data.

FIG. 6 is an example of the result of the analysis processing of the statistical bias of the victim data according to the type regarding the registration route as the first example. Here, as a statistic representing a statistical bias, a deviation value is calculated based on the number of victims of each type. Further, here, six types of services A to F are designated in advance as registration routes. The number of types is not limited to 6 types. The services A to F may include the common point service itself (for example, the service provided by the point management server 20) and its affiliated service (for example, the service provided by the service providing server 50).

First, the analysis unit 21 obtains the victim data (“total”) for the last 4 days (here, October 28 to October 31) as the first evaluation target group from the set of the read victim data. Extract and total the number of victims (“number”) for each type. In FIG. 6, service A has 186 cases, service B has 126 cases, service C has 51 cases, service D has 30 cases, service E has 10 cases, and service F has 0 cases, for a total of 403 cases.

式中、Ｔ_iは種別ｉの偏差値、ｘ_iは種別ｉの件数の値を表し（ここでは、ｉ＝サービスＡ，サービスＢ，サービスＣ，サービスＤ，サービスＥ，サービスＦ）、μは母集団の平均値であり、次式で表され、

ここでＮは種別ｉの個数（ここではＮ＝６）であり、σは母集団の標準偏差であり、次式で表される。

Next, the analysis unit 21 calculates the deviation value for each type by the following formula, using the above total of 403 cases as the population.

In the formula, T _i represents the deviation value of type i, x _i represents the value of the number of cases of type i (here, i = service A, service B, service C, service D, service E, service F), and μ is. It is the average value of the population, expressed by the following equation,

Here, N is the number of types i (here, N = 6), and σ is the standard deviation of the population, which is expressed by the following equation.

In the example of FIG. 6, the analysis unit 21 calculated the mean value μ ₁ and the standard deviation σ ₁ for the first evaluation target group (“total”) as follows.
μ ₁ = (186 + 126 + 51 + 30 + 10 + 0) / 6≈67.17
σ ₁ = [{(186-67.17) ² + (126-67.17) ² + (51-67.17) ² + (30-67.17) ² + (10-67.17) ² + (0-67.17) ² } / 6] ^ (1/2) ≒ 67.09

Subsequently, the analysis unit 21 calculates the deviation values of the services A to F using the mean value μ ₁ and the standard deviation σ ₁ calculated as described above. For example, in the first evaluation target group, the deviation value T _1A for service A, the deviation value T _1B for service B, the deviation value T _1C for service C, the deviation value T _1D for service D, the deviation value T _1E for service E, The deviation values T1F with respect to the service _F were calculated as follows. In FIG. 6, the highest deviation value is highlighted for each evaluation target group.
T _1A = {(186-67.17) /67.09} × 10 + 50 ≒ 67.71
T _1B = {(126-67.17) /67.09} × 10 + 50 ≒ 58.77
T _1C = {(51-67.17) /67.09} × 10 + 50 ≒ 47.59
T _1D = {(30-67.17) /67.09} × 10 + 50 ≒ 44.46
T _1E = {(10-67.17) /67.09} × 10 + 50 ≒ 41.48
T _1F = {(0-67.17) /67.09} × 10 + 50 ≒ 39.99

The analysis unit 21 also applies the daily victim data out of the data for the last 4 days as the 2nd to 5th evaluation target groups, respectively, and the total number of victims (number of cases) for each day as described above. Calculate the mean, standard deviation, and deviation values using the values as the population. For example, on October 28, there were a total of 3 damage reports, the average value was "0.50", the standard deviation was "0.50", and the deviation values for each of services A to F were "60.00". , "60.00", "60.00", "40.00", "40.00", "40.00". Similarly, on October 29, there were a total of 100 damage reports, and the highest deviation value "71.08" was obtained for service B. On October 30th and October 31st, service A had the highest deviation value.

Which viewpoint of the results obtained as described above should be focused on can be specified in advance by the administrator of the information processing apparatus 10 or the like. For example, the registration route with the maximum daily deviation value may be focused on, and measures may be taken for the account related to the registration route on a daily basis. In this case, in FIG. 6, attention is paid to services A to C on October 28, service B on October 29, service A on October 30, and service A on October 31. It will be. Similarly, measures may be taken by paying attention to the registration route having the maximum deviation value in the total of 4 days. In the example of FIG. 6, service A will be focused on and countermeasures will be taken. In addition, the daily aggregation result and the total aggregation result may be combined for judgment. Such a judgment is made in advance depending on the aggregation period and the deviation value range (for example, whether or not there is a type that exceeds the deviation value 60 in the aggregation for 4 days, and whether or not there is a type that exceeds the deviation value 70 in the daily aggregation. Etc.) can be set.

FIG. 7 is an example of the result of the analysis processing of the statistical bias of the victim data according to the type regarding the registered mail domain as the second example. In this example, for example, when focusing on the total for 4 days, since "bbbb.ne.jp" in the second row shows the highest deviation value "70.95", the domain of "bbb.ne.jp" It can be set to judge that the risk of the registered account is high.

FIG. 8 is an example of the result of the analysis processing of the statistical bias of the victim data according to the type regarding the number of possessed points as a third example. For example, when focusing on the total for 4 days, "10,001 to 30,000" in the second row shows the highest deviation value "68.59". In this case, it may be set so that it is judged that the risk of the account corresponding to the point balance "10,001 to 30,000" is high, and the deviation value of the type having the point balance "150,001" or more is 4. Since it is low throughout the day, it may be set to judge that the economic damage is low.

FIG. 9 is an example of the result of the analysis processing of the statistical bias of the victim data according to the type regarding the number of structural PASS updates as the fourth example. As described above, this item is an index of whether or not the joint password between the user and the system is used. In this example, since the deviation value of "0 times" is significantly high, it can be determined that the security of the collaborative password is high (the security of the password other than the collaborative password is low). If the deviation value in the column where the number of structural PASS updates is "1 time" or more is high, leakage from the structured password management system itself is suspected.

FIG. 10 is, as a fifth example, an example of the result of analysis processing of statistical bias of victim data according to the type regarding the ID registration time. Focusing on the total of 4 days, the deviation value of "within 361 to 720 days" is slightly higher than others, so it is possible to set it so that it is judged that the risk of the account corresponding to the same registration time is high. It is also possible to set it so that the longer the service usage period, the higher the risk of leakage.

In addition, although FIGS. 6 to 10 have been described by giving an example of totaling for the last 4 days or totaling by day, these are merely examples, and other evaluation target periods such as one week or one month are given. Any period may be set. Victim data (data for the entire past period) related to all unauthorized access generated under the control of the point management server 20 may be used as the evaluation target. Alternatively, statistics obtained from any of the most recent periods may be used in combination with statistics obtained from victim data for all past periods.

In step S103, the countermeasure selection unit 13 pays attention to any item and selects a countermeasure. For example, when paying attention to the result of FIG. 7, the countermeasure selection unit 13 is designated in advance for all accounts registered with an e-mail address having the same domain as "bbb.ne.jp" having the highest deviation value. Select a countermeasure, for example, "Display a warning message when logging in". Which item to focus on may be determined by calculating and comparing deviation values for a plurality of items (for example, an item including the type for which the maximum deviation value is obtained), or a preset priority (for example, an item including the type for which the maximum deviation value is obtained). For example, the registration route, the registration domain, the number of possessed points, the number of structural PASS updates, and the ID registration time are examined in this order).

As described above, the countermeasure selection unit 13 can focus on any of the items and select the countermeasure for the type having the highest deviation value. Alternatively, the countermeasure selection unit 13 may determine the degree of danger of the type according to the deviation value and select the countermeasure according to the degree of danger. Hereinafter, as an example of such a method, a method in which the countermeasure selection unit 13 selects a countermeasure using a correspondence table will be described.

FIG. 11 shows an example of a correspondence table that specifies the correspondence between the deviation value and the degree of risk that can be used by the countermeasure selection unit 13. According to FIG. 11, when the deviation value exceeds 70, it is defined as “grade 1” having the highest risk, and when the deviation value is less than 45, it is defined as “grade 6” having the lowest risk. Such a correspondence table may be arbitrarily set by the administrator of the information processing apparatus 10 or the like and stored in the grade information storage unit 15.

FIG. 12 shows an example of a risk level (grade) determined by the countermeasure selection unit 13 based on the correspondence table shown in FIG. FIG. 12 focuses on the registered mail domain as an item, and shows an example different from that of FIG. 7. The analysis unit 12 calculated deviation values for each of the six registered mail domain types. Then, the countermeasure selection unit 13 determines each risk level based on the above correspondence table. For example, when the registered mail domain is "abc.co.jp", the deviation value is "64.00", so that it corresponds to "grade 2" according to the correspondence table of FIG. After that, the countermeasure selection unit 13 also selects countermeasures according to each risk level using the correspondence table.

FIG. 13 shows an example of a correspondence table that specifies the correspondence relationship between the degree of risk and the countermeasure to be taken, which can be used by the countermeasure selection unit 13. According to FIG. 13, in "grade 1" having the highest risk, "account suspension" is selected for the target account. On the other hand, in the case of "grade 6", which has the lowest degree of risk, measures are selected in which no particular measures are taken. Such a correspondence table may be arbitrarily set by the administrator of the information processing apparatus 10 or the like and stored in the countermeasure policy storage unit 16.

Based on the correspondence table of FIG. 13, the countermeasure selection unit 13 selects "grade 2 = login suspension" for the account having the registered mail domain "abc.co.jp" in the example of FIG. Similarly, the countermeasure selection unit 13 selects "grade 1 = account suspension" for the account having "def.com", and "grade 3 = point use" for the account having "ghi.ne.jp". Select "Stop", select "Grade 6 = No support" for the account with "jkl.co.jp", and select "Grade 5 = Site warning" for the account with "mno.ne.jp". Select, and select "Grade 4 = Email Warning" for other accounts. The correspondence table of FIGS. 11 and 13 may be integrally set and stored.

The countermeasure selection unit 13 can output the result of the above selection to any output destination. For example, the countermeasure selection unit 13 may transmit all the results of the above selection to the point management server 20, and the point management server 20 may be configured to actually execute the selected countermeasure. For example, in the example of FIG. 12, the point management server 20 that has received the selection result extracts an account having the registered mail domain "abc.co.jp" and executes a measure of "login suspension" for the account. .. The point management server 20 can also appropriately notify the service providing server 50 as necessary for executing the countermeasures. Alternatively, the countermeasure selection unit 13 may change the output destination of the selection result according to the selected countermeasure. For example, the countermeasure selection unit 13 sends the account information for which "login stop" is selected to the point management server 20, and the account information for which "site warning" is selected is sent to the point management server 20 and the service providing server 50. You may send to both. When "email warning" is selected, the countermeasure selection unit 13 may be configured to directly send a message to the user terminal UT. Alternatively, the information processing apparatus 10 may be configured to execute the countermeasure selected by the countermeasure selection unit 13.

Although the registered mail domain has been described in FIG. 12, the countermeasure selection unit 13 can determine the risk level and select the countermeasure as described above for items other than the registered mail domain. However, with respect to the item of "structured PASS update count", the following determination may be made as an exception. As described above, "update count = 0 times" means that the password is a member who did not use the structured password management system. Therefore, when the deviation value of "0 times" is high, it is highly possible that the cause of the unauthorized access is information leakage from the affiliated service that does not use the above system. Therefore, while sending a message urging attention to such affiliated services or investigating the presence or absence of attacks or damages, the countermeasure selection unit 13 is designated in FIG. 13 for all accounts corresponding to "0 times". Measures can be selected. On the other hand, if any of the deviation values of "one or more times" is high, there is a risk of information leakage from the structured password management system, so it can be treated as an abnormal situation. This corresponds to the situation shown by "grade 0" in FIG. 13, and when "grade 0" occurs, the countermeasure selection unit 13 selects a countermeasure to stop all services, not limited to a specific account. be able to.

As described above, as the first step, it is possible to take measures at "points" based on the deviation value results for each item. The first stage assumes processing for immediate response when it occurs as "initial response". If convergence is not expected in the first stage, it is possible to proceed to the second stage. As an example, if the deviation value of the item decreases after the above measures are taken, it can be regarded as convergence. For example, if the transition of the change of the deviation value is downward, it can be determined that it has converged (or the stage of watching), and if it is horizontal or upward, it can be determined that additional measures are necessary.

(2-2) 2nd stage In the 2nd stage, the target person of the combination of the selected items having a high deviation value is determined, and measures are taken on the “face”.
FIG. 14 is a flowchart showing an example of such a second stage operation. The same processing as in FIG. 4 is designated by the same reference numerals as those in FIG. 4, and detailed description thereof will be omitted.

First, in step S101, the information processing apparatus 10 acquires the victim data by the victim data acquisition unit 11 and stores it in the victim data storage unit 14.

Next, in step S102, the analysis unit 12 reads the victim data from the victim data storage unit 14, aggregates the data for each item, and calculates the deviation value for each type.

Then, in step S203, the countermeasure selection unit 13 performs cross tabulation for any plurality of items and selects countermeasures.

FIG. 15 is a diagram showing an example of such cross tabulation. As described for the first stage, the number of victim members of each type is totaled for each item included in the victim data, and the deviation value is calculated. Then, select any two (or three or more) items. In the example of FIG. 15, the registration route and the registered mail domain are selected as items, and cross tabulation is performed for each grade. The “number of subjects” in FIG. 15 is an example of the result of cross tabulation, and represents the total value of the number of subjects of the same grade for each item. For example, for Grade 1, the sum of the number of accounts (target users) whose registration route is "Service X" and the number of accounts (target users) whose mail domain is "def.com" is calculated as "300,000". Will be done. The number of targets represents the range of risk of being attacked.

In the second stage, the countermeasure selection unit 13 may select a grade 1 response to the target person "300,000", that is, a countermeasure of account suspension. Alternatively, the countermeasure selection unit 13 can calculate the deviation value again based on the number of target persons obtained above, and select the countermeasure according to the deviation value after the cross tabulation. Here, the countermeasure selection unit 13 can also select the countermeasure based on the correspondence table of FIG. 13 as the countermeasure according to the grade of the degree of danger in the second stage.

FIG. 16 is a diagram showing another example of the correspondence table between the degree of risk and the measures to be taken. In the correspondence table of FIG. 16, each grade is further subdivided, and the upper and lower measures can be selected. As an example, the top and bottom of the countermeasure content are selected according to the scale (influence range) of the number of target persons, and the top and bottom determination can be automatically determined by setting a threshold value. Alternatively, it can be assumed that the correspondence table in FIG. 16 is used for evaluation at the stage when the number of days has passed since the occurrence of unauthorized access and the tendency of unauthorized access has become apparent to some extent. For example, if the deviation value transition of a certain monitoring cycle (for example, the average every 3 days) is horizontal, measures such as one step up when it rises and one step down when it falls may be selected as it is.

For example, regarding Grade 1, the standard measure is "1B" "Account suspension only for target accounts", but when selecting a measure one step higher, "1A" "All service suspension" is selected. When selecting the measure one step lower, "Stop logging in only for the target account" of "1C" is selected.

Similarly, regarding Grade 2, if the standard measure "2B" "login suspension" is being implemented and the damage situation does not change even after one week has passed, for example, "2A" "account suspension" If the damage situation decreases after one week has passed, it is possible to shift to "2C" "suspension of point use". Alternatively, if the damage situation is further reduced, the countermeasure itself may be canceled.

It is also possible to make adjustments across grades using the correspondence table in FIG. For example, the countermeasure selection unit 13 raises or lowers within the range if there are other options in each grade, and if the conditions for further up or down are met while the top or bottom countermeasures of each grade are being implemented. , It is possible to select the upper or lower measures of the same measures in the upper and lower grades. For example, in the example of FIG. 16, if the damage of unauthorized access escalate while the countermeasure of grade "2A" is implemented, it is upgraded to grade "1" because there is no higher option in grade "2". To. Here, in this example, since the measures of grade "2A" and the measures of grade "1B" that are being implemented are the same for "account suspension (target account only)", the measure selection unit 13 is the grade "1B". You can select "1A", which is one level above "". On the contrary, if the damage of unauthorized access is reduced in the situation where the countermeasure of grade "1C" is selected, the countermeasure (login suspension) is one lower than the grade "2B", which is the same countermeasure as the grade "1C", and the grade "2C". Can be transitioned to. The logic that straddles such grades may be constructed by comparing the value of the target of interest with a preset threshold value, such as the total number of damages, the number of damages of the item, and the total number of target persons of the item. In addition, not limited to the above example, it is possible to simply downgrade from "1C" by one and select the countermeasure of "2A", or conversely, upgrade from the countermeasure of "2A" to "1C". You may choose a countermeasure. If the damage caused by unauthorized access escalate, the grade "0" "stop all services" will eventually be selected.

Needless to say, cross tabulation using combinations other than "registration route" and "mail domain" is also possible. Which item is selected for cross tabulation may be specified in advance, for example, or the two items having the highest maximum deviation value may be selected.

Also in the second stage, the countermeasure selection unit 13 can output the selection result to any output destination.

As described above, as the second step, by using the cross tabulation from the deviation value results for each item, it is possible to take measures in terms of "face". In the second stage, in particular, as "continuous response", we evaluate what kind of user's risk of attack is high over the course of days, and upgrade / downgrade measures according to the scale (range of impact) of the number of target people. Make it possible. As an example, when an item having a high deviation value occurs separately in addition to the items corresponding to the above, the influence of the continuous correspondence may be considered to be widespread, and the process may proceed to the third stage. Alternatively, as in the case of the convergence judgment in the first stage, the judgment may be made according to the transition of the change in the deviation value.

(2-3) 3rd stage In the 3rd stage, the impact (degree of influence) is judged by adding the total points or average points of the target user to the cross tabulation of the 2nd stage. Take measures.
FIG. 17 is a flowchart showing an example of such a third stage operation. The same processing as in FIG. 4 is designated by the same reference numerals as those in FIG. 4, and detailed description thereof will be omitted.

First, in step S101, the information processing apparatus 10 acquires the victim data by the victim data acquisition unit 11 and stores it in the victim data storage unit 14.

Next, in step S102, the analysis unit 12 reads the victim data from the victim data storage unit 14, aggregates the data for each item, and calculates the deviation value for each type.

Next, in step S303, the countermeasure selection unit 13 performs cross tabulation for any plurality of items. This process is the same as that described as step S203 in the second step.

Next, in step S304, the countermeasure selection unit 13 adds yet another index, determines the impact, and selects a countermeasure.

FIG. 18 shows an example of such index addition. Here, after performing cross tabulation by the mail domain and the registration route, the total number of points (total P) and the average number of points (average P) held by the target person are further calculated. The number of target persons represents the range of attack risk, the total number of points represents the business impact, and the average number of points represents the individual impact. Here, the countermeasure selection unit 13 is configured to select countermeasures based on the number of target persons for this business impact and individual impact.

For example, grade 6 has a low risk, but since the total number of points and the average number of points are large, it is conceivable to raise the countermeasure by one step. For example, it is possible to set a threshold value for the number of points and set it so that when the threshold value is exceeded, the correspondence within the grade is raised by one level (similar to FIG. 16, the grade 6B is raised to grade 6A). can. Similarly, grade 3 is a medium risk, but since the total points and average points are small, it can be set to select measures such as lowering the correspondence within the grade by one step. The up / down determination of the countermeasure may be automatically performed by the countermeasure selection unit 13 by setting a threshold value as well. For example, when there are two grade 1 (deviation value over 70) types in a certain item, a threshold value corresponding to the number of the types may be set and the determination may be automatically performed. As an example, the number of target persons may be divided by the number of types corresponding to grade 1, a threshold value may be set by the numerical value, and an ascending / descending determination of countermeasures may be made. In the example of FIG. 18, regarding the items "registration route" and "mail domain" selected for cross tabulation, grade 3 has three items, "service Y", "service W", and "ghi.ne.jp". The number of persons can be divided by 3, and the result can be determined by a threshold value to make an ascending / descending determination.

In the above example, the number of points held is focused on as an "index" to be added to the cross tabulation, but other indexes may be used. The "structure PASS update count" and "registration time" exemplified as items with respect to FIGS. 9 and 10 may be used, or other information may be used. As an example, when purchase data that contributes to the generation of points for each member is accumulated, the cumulative purchase amount may be used as an index. Alternatively, when the member information includes purchase data for each service, purchase shop, and each company brand, the purchase amount (sales amount) for each service, purchase shop, and each company brand may be used as an index.

As described above, as the third step, by further considering the information of the possessed points in the result of the cross tabulation, it is possible to take measures in "depth". In other words, in this example, the horizontal axis is the number of subjects by attribute, and the vertical axis is weighted considering any index (for example, point damage, personal information leakage, or a combination thereof, as described above). In that case, it is possible to quickly determine that the event with a large vertical x horizontal area is a priority event and take measures. In this way, the details are evaluated and decisions are made including the suspension of services, and the spread of damage is prevented. Needless to say, the damage is not limited to economic damage, but also includes leakage of personal information and logical damage caused by leakage of personal information. That is, it is possible to select measures based on various viewpoints according to what kind of index is added to the cross tabulation as "depth".

Also in the third stage, the countermeasure selection unit 13 can output the selection result to any output destination.

In addition, although it was explained that if convergence is not seen in the initial response as the first stage, it is possible to proceed to the second stage, but depending on the scale of damage etc., it is possible to carry out the first stage and the second stage at the same time. Is. For example, the first stage treatment is implemented early in the initial response (coping therapy), and the second stage processing is responded to while observing the results of the first stage and the tendency of unauthorized access (measure implementation). Regarding the processing of the 3rd stage, there is a layer of judgment, such as responding by looking at the impact (impact on management, for example, the amount of damage and the number of damaged members has increased significantly) from the results of the 1st and 2nd stages. It can be assumed. Therefore, it is not always limited to the first stage, then the second stage, and finally the third stage, and according to different judgment axes, simultaneous parallel while considering the correspondence of the previous stage at the same time. May be carried out. In other words, the information processing apparatus 10 can execute each of the processes described above in parallel according to the accumulation of victim data, that is, according to the collection of determination materials.

(3) Effect As described in detail above, the information processing apparatus 10 according to the embodiment of the present invention is a member of a victim member who has received unauthorized access to the account among the members of the service that manages the account by password authentication. The victim data acquisition unit 11 that acquires information, the analysis unit 12 that analyzes the statistical bias of member information, and the measures to select countermeasures against unauthorized access for each account managed by the above service based on the analysis results. A selection unit 13 is provided. This makes it possible to select more appropriate countermeasures for each account based on the actual tendency of unauthorized access, instead of uniform countermeasures for all managed accounts, for the service and its users as a whole. It is possible to establish more effective safety.

(4) Other Embodiments The present invention is not limited to the above embodiment. For example, in the example of the above embodiment, the information processing apparatus 10 is mainly described as managing the account related to the common point service, but even if the same point is used, it is a general-purpose and non-general limited range such as an original point. It may be the one that manages the account related to the service limited to. In this case, some of the information contained in the victim data exemplified with respect to FIG. 5 may be omitted. Alternatively, the victim data may include other member information (for example, attribute information such as place of residence, gender, age, etc.). In this case as well, it is possible to analyze the statistical bias. For example, a deviation value may be calculated for each prefecture or municipality registered as an address, and it may be determined whether or not there is a bias in damage to members of a specific place of residence. Unauthorized access by performing cross tabulation based on the gender and age of the victim, and also performing depth tabulation according to the activity history related to services on the network (browsing history of specific websites, posting frequency on SNS, etc.). It may be possible to take measures in consideration of the purpose and target of. If the victim data includes at least three types of information, the same processing as in the first step, the second step, and the third step can be executed.

Further, in the above embodiment, the information processing apparatus 10 has been described as operating in cooperation with the point management server 20, but the present invention is not limited to this. The information processing device 10 may collect victim data from some device that manages personal information, and perform the same processing as described in the above embodiment based on the type of any item included in the victim data. can. For example, the information processing apparatus 10 includes a financial institution (bank, securities company, insurance company, etc.), a credit card company, a physical store or an online shop, a membership community service, an information management service, other online services, transportation, and an administrative agency. Information can be collected from any institution that manages personal information, such as medical institutions and educational institutions. Further, the information processing apparatus 10 may accept input of personal information from the victim himself / herself.

Each functional unit included in the information processing device 10 may be distributed and arranged in a plurality of devices, and the devices may cooperate with each other to perform processing. Further, each functional unit may be realized by using a circuit. The circuit may be a dedicated circuit that realizes a specific function, or may be a general-purpose circuit such as a processor.

Further, the flow of each process described above is not limited to the procedure described above, and the order of some steps may be changed, or some steps may be performed in parallel. .. Further, the series of processes described above need not be continuously executed in time, and each step may be executed at any timing.

The method described above is a program (software means) that can be executed by a computer (computer), for example, a magnetic disk (floppy (registered trademark) disk, hard disk, etc.), an optical disk (CD-ROM, DVD, MO, etc.). , It can be stored in a recording medium (storage medium) such as a semiconductor memory (ROM, RAM, flash memory, etc.), and can also be transmitted and distributed by a communication medium. The program stored on the medium side also includes a setting program for configuring the software means (including not only the execution program but also the table and the data structure) to be executed by the computer in the computer. A computer that realizes the above-mentioned apparatus reads a program recorded on a recording medium, constructs software means by a setting program in some cases, and executes the above-mentioned processing by controlling the operation by the software means. The recording medium referred to in the present specification is not limited to distribution, and includes storage media such as magnetic disks and semiconductor memories provided in devices connected inside a computer or via a network.

In addition, the collection timing, collection method, analysis method, etc. of each data can be variously modified and implemented without departing from the gist of the present invention.

The present invention is not limited to the above embodiment, and can be variously modified at the implementation stage without departing from the gist thereof. In addition, each embodiment may be carried out in combination as appropriate, in which case the combined effect can be obtained. Further, the above-described embodiment includes various inventions, and various inventions can be extracted by a combination selected from a plurality of disclosed constituent requirements. For example, even if some constituent elements are deleted from all the constituent elements shown in the embodiment, if the problem can be solved and the effect is obtained, the configuration in which the constituent elements are deleted can be extracted as an invention.

1 ... system, 10 ... information processing device, 11 ... victim data acquisition unit, 12 ... analysis unit, 13 ... countermeasure selection unit, 14 ... victim data storage unit, 15 ... grade information storage unit, 16 ... countermeasure policy storage unit , 20 ... Point management server, 50 ... Service provision server.

Claims (7)

Among the members of the service that manages accounts by password authentication, the member information acquisition department that acquires member information about victims who have received unauthorized access to the account, and
An analysis unit that analyzes the statistical bias of member information,
An information processing device including a countermeasure selection unit that selects countermeasures against the unauthorized access for each account managed by the service based on the result of the analysis. The analysis unit analyzes the statistical bias of the member information by calculating the deviation value of the number of damaged members for the items included in the member information.
The countermeasure selection unit determines the risk level corresponding to the statistical bias of the member information based on the correspondence relationship between the deviation value and the risk level of the password authentication, and selects the countermeasure according to the risk level. ,
The information processing apparatus according to claim 1. The analysis unit analyzes the statistical bias of the member information for each of at least two items included in the member information.
The countermeasure selection unit selects the countermeasure by combining the risk corresponding to the statistical bias of the member information for each of the at least two items.
The information processing apparatus according to claim 2. The countermeasure selection unit selects the countermeasure based on the statistical bias of the member information and the economic value of the victim member.
The information processing apparatus according to claim 2 or 3. The countermeasure selection unit determines the risk of suspending all or part of the service related to the account, suspending password authentication related to the account, or password authentication of the account for at least a part of the account managed by the service. Select at least one of the notifications of the information to be represented as the countermeasure.
The information processing apparatus according to any one of claims 1 to 4. Among the members of the service that manages accounts by password authentication, the process of acquiring member information about the victim member who received unauthorized access to the account, and
The process of analyzing the statistical bias of member information and
An information processing method comprising a process of selecting countermeasures against the unauthorized access for each account managed by the service based on the result of the analysis. A program that causes a computer to execute processing by each part of the apparatus according to any one of claims 1 to 5.

Images