JP2022045694A - Terminal management system and terminal management program - Google Patents

Abstract

To provide a terminal management system capable of blocking unauthorized access.SOLUTION: A terminal management system comprises a server, terminals, and access points. The server comprises: a fraud detection unit for detecting unauthorized access in a network; an unauthorized terminal identification unit that when the fraud detection unit detects unauthorized access, identifies a terminal performing the unauthorized access; an ID information determination unit (S30) that when the fraud detection unit detects the unauthorized access, determines new network ID information required for radio communication in the network; and an ID information transmission unit (S40) for transmitting the network ID information determined by the ID information determination unit to the access points constituting the network and terminals other than the terminal performing the unauthorized access. When receiving the network ID information transmitted by the server, the terminals and the access points set the received network ID information as network ID information to be used for performing radio communication.SELECTED DRAWING: Figure 5

Description

Related to terminal management systems and terminal management programs that block unauthorized access.

The technique disclosed in Patent Document 1 is known as a countermeasure when it is detected that one of the communication devices constituting the communication network is performing illegal communication. Patent Document 1 limits the number of hops in a communication packet when a communication device performing unauthorized communication is detected.

Japanese Unexamined Patent Publication No. 2016-51935

The technique disclosed in Patent Document 1 only limits the number of hops of a communication packet when an unauthorized communication is detected, and cannot block the unauthorized access.

The present disclosure has been made on the basis of this circumstance, and an object thereof is to provide a terminal management system and a terminal management program capable of blocking unauthorized access.

The above object is achieved by a combination of the features described in the independent claims, and the sub-claims specify further advantageous specific examples. The reference numerals in parentheses described in the claims indicate the correspondence with the specific embodiments described in the embodiments described later as one embodiment, and do not limit the disclosed technical scope.

The first disclosure relating to the terminal management system for achieving the above objectives is
A server (20), one or more terminals (10) having a wireless communication function, and one or more access points (30) connecting the terminals to each other, and the server, the terminal, and the access point are networked. A terminal management system (1,200) that constitutes a network identified by an ID.
The server is
The fraud detection unit (S11) that detects unauthorized access in the network, and
When the fraud detection unit detects unauthorized access, the unauthorized terminal identification unit (S12) that identifies the terminal that is performing unauthorized access, and the unauthorized terminal identification unit (S12).
The ID information determination unit (S30), which determines new network ID information required for wireless communication in the network when the fraud detection unit detects unauthorized access,
The network ID information determined by the ID information determination unit is provided with an access point constituting the network and an ID information transmission unit (S40) for transmitting the network ID information to a terminal other than the terminal performing unauthorized access.
When the terminal and the access point receive the network ID information transmitted by the server, the terminal and the access point set the received network ID information as the network ID information for wireless communication.

When this terminal management system detects unauthorized access in the network, it determines new network ID information and uses the new network ID information for terminals other than the access points that make up the network and terminals that are performing unauthorized access. Send to the terminal. On the other hand, the new network ID information is not transmitted to the terminal having unauthorized access.

Therefore, a new network is configured by all terminals and all access points except terminals that are performing unauthorized access, and terminals that are performing unauthorized access cannot participate in the new network. Therefore, unauthorized access can be blocked.

The second disclosure relating to the terminal management system for achieving the above objectives is
A server (20), one or more terminals (10) having a wireless communication function, and one or more access points (30) connecting the terminals to each other, and the server, the terminal, and the access point are networked. A terminal management system (1,200) that constitutes a network identified by an ID.
The server is
The fraud detection unit (S11) that detects unauthorized access in the network, and
When the fraud detection unit detects unauthorized access, the unauthorized terminal identification unit (S12) that identifies the terminal that is performing unauthorized access, and the unauthorized terminal identification unit (S12).
The initialization instruction unit (S20) that transmits an initialization instruction signal to the terminal specified by the unauthorized terminal identification unit, and
After confirming that the terminal has been initialized, it is provided with a kitting instruction unit (S60) that performs a kitting instruction process for instructing the initialized terminal to perform kitting.
The terminal is
When the initialization instruction signal is received, the initialization processing unit (18) that executes the initialization processing and
A kitting execution unit (19) that performs kitting according to a kitting instruction process is provided.

When this terminal management system detects unauthorized access in the network, the server sends an initialization instruction signal to the terminal having unauthorized access. The terminal that has received the initialization instruction signal executes the initialization process. By executing the initialization process, malware is removed from the terminal. Therefore, unauthorized access can be blocked.

In addition, the kitting instruction unit provided in the server and the kitting execution unit provided in the terminal execute kitting after the terminal that has been illegally accessed is initialized. Therefore, it is troublesome to manually execute the kitting for the terminal that has been illegally accessed. Can also be omitted.

The terminal management system according to the first disclosure can also be configured as follows. That is,
The server is
The initialization instruction unit (S20) that transmits an initialization instruction signal to the terminal specified by the unauthorized terminal identification unit,
After confirming that the terminal has been initialized, it is provided with a kitting instruction unit (S60) that performs a kitting instruction process for instructing the initialized terminal to perform kitting.
The terminal is
When the initialization instruction signal is received, the initialization processing unit (18) that executes the initialization processing and
A kitting execution unit (19) that performs kitting according to a kitting instruction process is provided.
The kitting instruction unit includes a process of transmitting network ID information determined by the ID information determination unit.
The kitting execution unit executes a process of connecting to a network determined by the network ID information transmitted from the server.

In this way, the terminal detected to have unauthorized access can be automatically joined to the new network without unauthorized access.

The terminal management system can also be configured as follows. That is,
The network ID is defined as the first network ID, and the network identified by the first network ID is defined as the first network (41).
A second network (42) identified by a second network ID, which is a network ID different from the first network ID, is provided.
The server is
Communication is also possible on the second network,
Before the initialization instruction unit transmits the initialization instruction signal, the network that transmits the network ID information for switching the network to be connected to the second network to the unauthorized terminal that is the terminal specified by the unauthorized terminal identification unit. Switching instruction unit (S13) and
It is equipped with a data acquisition unit (S14) that communicates with an unauthorized terminal connected to the second network and acquires preset types of data from the unauthorized terminal.
When the unauthorized terminal receives the network ID information transmitted by the server, the unauthorized terminal switches the network to be connected to the second network by using the received network ID information.

By doing so, even if the unauthorized terminal is initialized, the necessary data stored in the unauthorized terminal can be acquired. Further, since the server switches the unauthorized terminal to the second network before acquiring the data from the unauthorized terminal, it is possible to suppress the spread of the infection to the terminal connected to the first network.

The terminal management system can also be configured as follows. That is,
The data acquisition unit acquires communication history data from an unauthorized terminal and obtains it.
The server is
An unauthorized access identification unit (S24) that identifies an access source for unauthorized access from outside the first network based on communication history data, and
It is equipped with a communication prohibition instruction unit (S25) that transmits a communication prohibition instruction signal for prohibiting communication with an access source specified by the unauthorized access identification unit to a terminal connected to the first network.
When the terminal receives the communication prohibition instruction signal from the server, the terminal cuts off the communication with the access source indicated by the communication prohibition instruction signal.

By doing so, it is possible to prevent the terminal connected to the first network from being infected with malware.

The terminal management system can also be configured as follows. That is,
The network ID information includes a new network ID used for the network and a password corresponding to the network ID.

By updating not only the password but also the network ID, the setting can be easily changed as compared with the case where only the password is changed without changing the network ID. This is because when only the password is changed, there is a problem that communication cannot be performed if one of the communicating parties has set the old password and the other has set the new password.

The terminal management system can also be configured as follows. That is,
After transmitting the network ID information to the terminal, the ID information transmitting unit confirms whether the transmitted network ID information can communicate with the terminal, and if the transmitted network ID information cannot communicate with the terminal, the ID information transmitting unit can communicate with the terminal. The network ID information is retransmitted by the network.

If the network ID information includes a new network ID used for the network and a password corresponding to the network ID, the terminal does not need to make any changes to the existing network information. Therefore, even if the terminal executes the process of setting new network information, it is possible to communicate with the previous SSID and password. Therefore, the ID information transmitting unit transmits the new network ID information to the terminal, but if the terminal cannot communicate with the new network ID information, the new network ID information is retransmitted to the terminal by the previous network. This reduces the risk that the terminal will not be able to migrate to the network with the new network ID.

The first disclosure relating to the terminal management program for achieving the above object is the terminal management program executed by the server provided in the terminal management system according to the first disclosure. That is,
A terminal management program executed by a server that constitutes a network identified by a network ID, together with one or more terminals (10) having a wireless communication function and one or more access points to which the terminals are connected.
The server
Detecting unauthorized access in the network (S11),
When unauthorized access is detected, the terminal with unauthorized access is identified (S12), and
When unauthorized access is detected, new network ID information required for wireless communication in the network is determined (S30), and
The determined network ID information is transmitted to the access points constituting the network and terminals other than the terminal performing unauthorized access (S40).
It is a terminal management program that executes the process.

The second disclosure relating to the terminal management program for achieving the above object is the terminal management program executed by the server provided in the terminal management system according to the second disclosure. That is,
A terminal management program executed by a server that constitutes a network identified by a network ID, together with one or more terminals (10) having a wireless communication function and one or more access points to which the terminals are connected.
The server
Detecting unauthorized access in the network (S11),
When unauthorized access is detected, the terminal with unauthorized access is identified (S12), and
An initialization instruction signal is transmitted to the specified terminal (S20),
After confirming that the terminal has been initialized, a kitting instruction process for instructing the initialized terminal to perform kitting is performed (S60).
It is a terminal management program that executes the process.

The figure which shows the structure of the terminal management system 1 of 1st Embodiment. The figure explaining the communication range 31 of the access point 30. The block diagram which shows the structure of the terminal 10. The block diagram which shows the structure of a server 20. The figure which shows the process which a server 20 executes in 1st Embodiment. The figure which shows the specific process to execute in S10 of FIG. The figure which shows the specific process to execute in S20 of FIG. The figure which shows the specific process to execute in S30 of FIG. The figure which shows the specific process to execute in S40 of FIG. The figure which shows the specific process to execute in S50 of FIG. The figure which shows the specific process to execute in S60 of FIG. The figure which shows the structure of the terminal management system 200 of 2nd Embodiment. The figure which shows the process which a server 20 executes in 2nd Embodiment.

<First Embodiment>
Hereinafter, embodiments will be described with reference to the drawings. FIG. 1 is a diagram showing a configuration of the terminal management system 1 of the present embodiment. The terminal management system 1 is configured to include a terminal 10, a server 20, and an access point 30.

The terminal 10 is an optical information reading device for business use that optically reads an information code such as a bar code or a two-dimensional code. The terminal 10 is a smartphone type and includes a display unit 11. The display unit 11 displays an operation screen, information obtained by decoding an information code, and the like. Further, the terminal 10 has a wireless LAN communication function, and wirelessly communicates with the server 20 via the access point 30 by the function.

The server 20 manages one or more networks 40. The network 40 includes a server 20, an access point 30, and a terminal 10. The server 20 and the access point 30 managed by the server 20 are connected to each other so as to be able to communicate with each other by wire or wirelessly. Although three access points 30 are shown in FIG. 1, there is no limit to the number of access points 30. The number of access points 30 included in one network 40 may be one, two or four or more. Further, the cradle in which the terminal 10 is installed may be included in the network 40 by wire.

The access point 30 connects the terminal 10 and the server 20. The server 20 and the access point 30 are connected by wire, but may be connected wirelessly. The access point 30 has a communication range 31 conceptually shown in FIG. 2, and wirelessly communicates with a terminal 10 located in the communication range 31.

The plurality of terminals 10, the server 20, and the plurality of access points 30 shown in FIGS. 1 and 2 constitute one network 40. An SSID (Service Set Identifier), which is an example of a network ID, is used to distinguish the network 40 from another network 40. The ID means an identification code. The terminal 10 establishes a connection with the access point 30 by authentication using the SSID and the password. The access point 30 and the server 20 can set a plurality of SSIDs and belong to a plurality of networks 40.

[Configuration of terminal 10]
Next, the configuration of the terminal 10 will be described. FIG. 3 shows the configuration of the terminal 10 as a block diagram. The terminal 10 includes a display unit 11, a terminal communication unit 12, a camera 13, a terminal storage unit 14, an operation unit 15, and a terminal control unit 16.

As described above, the display unit 11 displays the operation screen, information obtained by decoding the information code, and the like. The terminal communication unit 12 directly communicates wirelessly with the access point 30. Further, the terminal communication unit 12 communicates with the server 20 via the access point 30. The communication between the terminal communication unit 12 and the access point 30 is short-range wireless communication. Further, the terminal 10 may be capable of wide area communication.

The camera 13 is for photographing the information code. The terminal 10 may be provided with lighting in order to facilitate shooting of the information code. The terminal storage unit 14 is a non-volatile memory such as a flash memory. The terminal storage unit 14 stores various information such as the above-mentioned SSID and the password corresponding to the SSID.

The operation unit 15 is a touch panel or the like superimposed on the display surface of the display unit 11, and is operated when the operator inputs various information to the terminal 10. A part or all of the operation unit 15 may be a mechanical key.

The terminal control unit 16 can be realized by a computer including a processor, a non-volatile memory, RAM, an I / O, a bus line connecting these configurations, and the like. The terminal control unit 16 is communicably connected to the display unit 11, the terminal communication unit 12, the camera 13, the terminal storage unit 14, and the operation unit 15 and controls them.

The non-volatile memory stores a program for operating a general-purpose computer as a terminal control unit 16. The stored program also includes the operating system. The operating system is the same as that used in smartphones. Programs other than the operating system stored in non-volatile memory are executed on the operating system.

When the processor executes the program stored in the non-volatile memory while using the temporary storage function of the RAM, the terminal control unit 16 operates as a read processing unit 17, an initialization processing unit 18, and a kitting execution unit 19. do. Performing these actions means that the method corresponding to the program is performed.

The reading processing unit 17 acquires image data representing an image taken by the camera 13, analyzes the image data, and decodes a code stored in an information code included in the image.

The initialization processing unit 18 executes a process of initializing the terminal 10. The initialization here means returning the terminal 10 to the state at the time of shipment. Since the terminal 10 is returned to the shipping state, the software installed after shipping, the setting value set after shipping, and the like are deleted by the initialization. However, if it is infected with malware, it can be deleted by initialization. In order to initialize the terminal 10, for example, a recovery area is provided in the terminal storage unit 14, and a program for initializing the terminal 10 is stored in this recovery area. The initialization process can also use standard operating system functions.

The initialization processing unit 18 executes the initialization processing when the initialization instruction signal is received from the server 20. Further, the initialization processing unit 18 transmits an initialization start signal from the terminal communication unit 12 to the server 20 in order to indicate that the initialization instruction signal has been received. When the initialization process is completed, the initialization process unit 18 transmits a signal indicating that to the server 20.

By executing the initialization process, the SSID information set in the terminal 10 before the initialization is deleted from the terminal 10. Therefore, immediately after the initialization process, it is not possible to communicate with the server 20 by the SSID information set in the terminal 10 before the initialization. Various methods can be used for communicating with the server 20 immediately after the initialization process.

There is the following method as one method. Since the access point 30 has published a new SSID, the terminal 10 attempts to communicate with the access point 30 based on the published SSID. The access point 30 or the server 20 determines whether or not the terminal 10 is a terminal 10 previously included in the network 40 based on the MAC address of the terminal 10. Then, when the access point 30 and the server 20 can recognize that the terminal 10 was previously included in the network 40, the access point 30 and the server 20 communicate with the terminal 10 temporarily or only for the distribution of kitting data.

Further, as another method, there is a method in which only the signal indicating the completion of initialization and the kitting data can be transmitted / received by the predetermined dedicated SSID information. In addition, wired communication may be performed via a cradle.

When the kitting data distributed from the server 20 is acquired after the terminal 10 is initialized, the kitting execution unit 19 kits the terminal 10 based on the acquired kitting data. The program for operating the terminal control unit 16 as the kitting execution unit 19 is installed at the time of shipment from the factory and is stored in the storage area of the terminal storage unit 14 which is not erased by the initialization process.

Kitting means making various settings so that the initialized terminal 10 can be used normally. Since the terminal 10 is for business use, the kitting here means that the terminal 10 is set so that it can be used for business use. The kitting data distributed from the server 20 includes SSID information, and the SSID information includes a new SSID of the access point 30 and a password corresponding to the SSID. The kitting execution unit 19 sets an SSID and a password for communicating with the access point 30 based on the kitting data.

Further, the kitting data can include settings different from the settings for communicating with the access point 30, such as settings for connecting to the management tool. The kitting data distributed by the server 20 may include information necessary for kitting in addition to the SSID information. In addition to the SSID information, information necessary for kitting may be stored in an area that is not erased even if the terminal storage unit 14 is initialized.

In addition to the kitting data, the server 20 may transmit an SSID and a password in order to switch the network 40 to another network 40. When the kitting execution unit 19 acquires the SSID and password from the server 20, the kitting execution unit 19 switches the communication with the access point 30 to the network 40 using the newly acquired SSID and password.

[Configuration of server 20]
Next, the configuration of the server 20 will be described. FIG. 4 shows the configuration of the server 20 as a block diagram. The server 20 includes a server communication unit 21, a display unit 22, a server storage unit 23, an operation unit 25, and a server control unit 26. The server 20 can be realized by, for example, a general personal computer.

The server communication unit 21 wirelessly communicates with the terminal communication unit 12 included in the terminal 10 via the access point 30. The display unit 22 displays an operation screen or the like when the operator operates the server 20. The server storage unit 23 includes a non-volatile storage medium. The non-volatile storage medium is a flash memory, a hard disk, or the like. A program executed by the server control unit 26 is stored in the storage medium. One of the stored programs is the terminal management program 24. In addition, the server storage unit 23 also stores a list of prohibition of use of the SSID. The use prohibition list is a list in which SSIDs and the like that have been illegally accessed are stored, and is updated sequentially. The operation unit 25 is a mechanical keyboard, a software keyboard, or the like, and is operated when the operator inputs various information to the server 20.

The server control unit 26 is configured to include a processor, a non-volatile memory, RAM, an I / O, a bus line connecting these configurations, and the like. The server control unit 26 is communicably connected to the server communication unit 21, the display unit 22, the server storage unit 23, and the operation unit 25, and controls these.

The processor included in the server control unit 26 executes the process shown in FIG. 5 by executing the terminal management program 24 stored in the server storage unit 23 while using the temporary storage function of the RAM. Next, the process shown in FIG. 5 will be described.

In FIG. 5, in step (hereinafter, step is omitted) S10, unauthorized access is monitored. Specifically, in S10, the process shown in FIG. 6 is executed. The process shown in FIG. 6 is divided into S11, which is a process as a fraud detection unit, and S12, which is a process as a fraudulent terminal identification unit. S11 includes S111 and S112.

In S111, in the network 40 managed by the server 20, it is monitored whether or not there is a terminal 10 that has been illegally accessed. A specific monitoring method monitors whether or not there is unauthorized access by comparing the data transmitted / received by each access point 30 with the data of unauthorized access registered in advance. In addition, various methods are adopted for monitoring the network 40, such as a method of storing normal packets in the network 40 and monitoring whether transmission / reception of packets different from the normal is detected. can.

In S112, it is determined whether or not unauthorized access is detected as a result of monitoring in S111. If the determination result of S112 is NO, the process returns to S111. If the determination result of S112 is YES, the process proceeds to S12.

S12 includes S121, S122 and S123. In S121, the SSIDs of the illegally accessed access point 30 and the illegally accessed network 40 are checked. The unauthorized access point 30 is known at the time when the unauthorized access is detected. The access point 30 is specified by the MAC address. The server 20 can acquire the MAC address of the access point 30 when communicating with the access point 30.

The SSID of the unauthorized access network 40 is an SSID that identifies the network 40 to which the unauthorized access point 30 belongs. Although only one network 40 is shown in FIG. 1, the server 20 may manage a plurality of networks 40. Therefore, it is also necessary to check the SSID of the network 40 that has been illegally accessed.

Further, in S122, it is investigated which terminal 10 is the terminal 10 having unauthorized access. Specifically, the data being illegally accessed is analyzed, and the MAC address of the terminal 10 included in the data is examined.

In S123, it is determined whether or not the unauthorized access route can be specified. When the access point 30 and the SSID that have been illegally accessed can be identified in S121 and the terminal 10 that has illegally accessed can be identified in S122, the determination result of S123 becomes YES. If the determination result of S123 is YES, the process of FIG. 6 is terminated. On the other hand, if the determination result of S123 is NO, the process returns to S121 and the process of specifying the unauthorized access route is continued. When the processes of S121 to S123 are repeated a certain number of times, only the fact that the unauthorized access has occurred may be displayed on the display unit 22 as the unauthorized access route cannot be specified, and the process of FIG. 6 may be terminated.

The explanation is returned to FIG. After executing S10, S20 and S30 are processed in parallel. First, S20 will be described. S20 is a process as an initialization instruction unit. In S20, the unauthorized terminal is automatically initialized. The unauthorized terminal means a terminal 10 that has been illegally accessed. The terminal 10 that has been illegally accessed is specified by S122. Specifically, in S20, the process shown in FIG. 7 is executed.

In S21, an initialization instruction signal is transmitted to the terminal 10 that has been illegally accessed specified in S12. The initialization instruction signal is a signal instructing the terminal 10 to execute the initialization process.

In S22, it is determined whether or not it can be confirmed that the terminal 10 has received the initialization instruction signal. As described above, when the terminal 10 receives the initialization instruction signal, it transmits the initialization start signal to the server 20. Therefore, when the server 20 receives the initialization start signal, the determination result of S22 is YES, and when the initialization start signal is not received, the determination result of S22 is NO. If the determination result of S22 is NO, the process returns to S21 and the initialization instruction signal is retransmitted.

On the other hand, if the determination result of S22 is YES, the process of FIG. 7 is terminated. When the processing of FIG. 7 is completed, the terminal 10 that has received the processing instruction signal is executing the processing processing.

The explanation is returned to FIG. Next, S30 executed in parallel with the above S20 will be described. S30 is a process as an ID information determination unit. Specifically, in S30, the process shown in FIG. 8 is executed.

In S31, new SSID information is determined. SSID information means a set of SSID and password. The SSID information is information necessary for wireless communication between the terminal 10 and the access point 30, and the SSID information is an example of network ID information. New SSIDs and passwords are created randomly, for example.

In the following S32, it is determined whether or not the SSID determined in S31 is the same as the SSID that has been illegally accessed. The illegally accessed SSID is the SSID specified in S121. If the determination result of S32 is YES, the process returns to S31, and new SSID information is determined again. If the determination result of S32 is NO, the process proceeds to S33.

In S33, it is determined whether or not the SSID determined in S31 is the SSID in the use prohibition list stored in the server storage unit 23. If the determination result of S33 is YES, the process returns to S31 and new SSID information is determined again. If the determination result of S33 is YES, the process proceeds to S34. In S34, the SSID information determined in S31 is determined as the SSID information to be used next.

The explanation is returned to FIG. After executing S30, S40 is executed. S40 is a process as an ID information transmission unit. In S40, the terminal 10 included in the network 40 is transferred to the new SSID other than the unauthorized terminal. Specifically, in S40, the process shown in FIG. 9 is executed.

In S41, distribution of the new SSID information determined in S30 is started to other than the unauthorized terminal. The terminal 10 that distributes the new SSID information is a terminal 10 that is not an unauthorized terminal among the terminals 10 included in the network 40 and for which communication with the new SSID information has not been confirmed. The terminal 10 that has acquired the new SSID information switches the communication with the access point 30 to the network 40 based on the new SSID information.

In S42, the connection to the new SSID is switched. Specifically, the SSID information determined in S31 is distributed to all the access points 30 included in the network 40 to which the terminal 10 having unauthorized access belongs. The access point 30 that has received the SSID information can also communicate with the received SSID information. That is, the access point 30 that has received the SSID information constitutes a new network 40 based on the received SSID information. At this point, the access point 30 has increased the number of SSIDs to communicate with by one. Further, the communication with the new SSID is confirmed with the terminal 10 to which the new SSID information is distributed in S41.

In S43, it is determined whether or not the connection switching to the new SSID is completed. Specifically, it is determined whether or not communication can be performed with the new SSID with all the terminals 10 that could communicate with the previous SSID other than the unauthorized terminal. If the determination result of S43 is NO, the process returns to S41. On the other hand, if the determination result of S43 is YES, the process shown in FIG. 9 is terminated.

The explanation is returned to FIG. After executing S40, S50 is executed. In S50, a process of prohibiting the use of the illegally accessed SSID is executed. Specifically, in S50, the process shown in FIG. 10 is executed.

In S51, the SSID used for unauthorized access is added to the prohibition list. In S52, the access point 30 in which the SSID is set is instructed to delete the SSID and password added to the use prohibition list in S51. In S53, a terminal 10 other than the unauthorized terminal is instructed to delete the SSID and password used for unauthorized access.

The explanation is returned to FIG. Next, S60 will be described. S60 is a process as a kitting instruction unit. In S60, the kitting instruction processing is executed on the terminal 10 after being initialized in S20. Specifically, in S60, the processing shown in FIG. 11 is executed.

In S61, it is determined whether or not it has been confirmed that the automatic initialization of the terminal 10 has been completed. As described above, when the automatic initialization is completed, the terminal 10 transmits a signal indicating that to the server 20. Therefore, in S61, it is determined whether or not a signal indicating that the automatic initialization has been completed has been received. If the determination result of S61 is NO, the determination of S61 is repeated. If the determination result of S61 is YES, the process proceeds to S62.

In S62, the kitting data is distributed to the terminal 10 whose initialization has been confirmed. The kitting data includes new SSID information, the IP address of the server 20, and the like. When the terminal 10 receives this kitting data, the kitting execution unit 19 connects to the network 40 by the new SSID information.

[Summary of the first embodiment]
When the terminal management system 1 of the first embodiment described above detects unauthorized access in the network 40 (S112: YES), the new SSID information is determined (S30), and the new SSID information is used in the network. Transmission is performed to a terminal 10 other than the access point 30 constituting the 40 and the terminal performing unauthorized access (S40). On the other hand, new SSID information is not transmitted to the terminal 10 that is performing unauthorized access. Therefore, a new network 40 is configured by all terminals 10 except terminals 10 that are performing unauthorized access and all access points 30, and terminals 10 that are performing unauthorized access to the new network 40 are configured. I can't participate. Therefore, unauthorized access can be blocked.

Further, when the terminal management system 1 detects an unauthorized access in the network 40 (S112: YES), the server 20 transmits an initialization instruction signal to the terminal 10 that has detected the unauthorized access (S20). The terminal 10 that has received the initialization instruction signal executes the initialization process. By executing the initialization process, malware is removed from the terminal 10. This also allows unauthorized access to be blocked.

In addition, the server 20 gives a kitting instruction to the initialized terminal 10 (S60), and the kitting execution unit 19 of the terminal 10 executes kitting in response to the kitting instruction. Therefore, it is possible to omit the trouble of manually performing kitting on the terminal 10 that has been illegally accessed.

The server 20 transmits the kitting data to the terminal 10 in the kitting instruction (S62), and the kitting data includes the newly determined SSID information. The kitting execution unit 19 of the terminal 10 that has received the SSID information connects to the network 40 determined by the SSID information. Therefore, the terminal 10 in which unauthorized access is detected can also be automatically joined to the updated network 40 without unauthorized access.

Further, when the server 20 detects an unauthorized access, the server 20 determines a new SSID and a new password as new SSID information. By updating the SSID as well, the settings can be easily changed as compared with the case where only the password is changed without changing the SSID.

When both the SSID and the password are renewed, the terminal 10 can communicate with the previous SSID and the password even if the process of setting the newly distributed SSID is executed. Therefore, when the server 20 transmits the new SSID information to the terminal 10, but cannot communicate with the terminal 10 with the new SSID (S43: NO), the server 20 retransmits the new SSID information to the terminal 10 by the previous SSID. (S41). Therefore, the possibility that the terminal 10 cannot be transferred to the network 40 with the new SSID is reduced.

<Second Embodiment>
Next, the second embodiment will be described. In the following description of the second embodiment, the element having the same number as the code used so far is the same as the element having the same code in the previous embodiments, unless otherwise specified. Further, when only a part of the configuration is described, the embodiment described above can be applied to the other parts of the configuration.

FIG. 12 shows the configuration of the terminal management system 200 of the second embodiment. The terminal management system 200 includes the network 40 included in the terminal management system 1 of the first embodiment as the first network 41, and also includes the local network 42 which is the second network.

The local network 42 is a network for connecting an unauthorized terminal when an unauthorized terminal is detected, and it is preferable that the terminal 10 other than the unauthorized terminal is not connected. The local network 42 and the first network 41 are identified by the SSID. That is, the SSID of the first network 41 is the first SSID, and the SSID of the local network 42 is the second SSID. The first SSID and the second SSID are examples of the first network ID and the second network ID, respectively.

The server 20 is connected to the first network 41 and also to the local network 42. In addition to the server 20, one access point 30 is also connected to the local network 42. The number of access points 30 connected to the local network 42 does not have to be one. However, it is preferable that the access point 30 connected to the local network 42 is not connected to the first network 41.

FIG. 13 shows a process executed by the server 20 in the second embodiment. FIG. 13 includes all the processes shown in FIG. Further, in the process shown in FIG. 13, S13, S14, S24, and S25 are added to the process shown in FIG.

Also in the second embodiment, the server 20 monitors unauthorized access in S10. When the unauthorized access route can be specified in S12, which is a partial process of S10, that is, when the terminal 10 having unauthorized access can be specified, S13 is executed. S13 corresponds to a network switching instruction unit, transmits SSID information of the local network 42 to the unauthorized terminal specified in S12, and switches the network 40 to which the unauthorized terminal is connected to the local network 42.

When the unauthorized terminal receives the SSID information of the local network 42, the unauthorized terminal switches the network 40 to be connected to the local network 42.

Subsequent S14 corresponds to a data acquisition unit, and the server 20 communicates with an unauthorized terminal using the local network 42 and acquires preset types of data from the unauthorized terminal. The user can arbitrarily set what kind of data is to be acquired. For example, since the terminal 10 is for business use, the data read when it is used in business (hereinafter referred to as business data) is often stored in the terminal storage unit 14. Therefore, the business data is set as the data to be acquired. Further, in the present embodiment, communication history data is set as the data to be acquired. After executing S14, S20 is executed to initialize the unauthorized terminal.

After executing S20, the process proceeds to S24. S24 corresponds to the unauthorized access specifying unit, and analyzes the communication history data acquired in S14 to identify the unauthorized access source. The unauthorized access source is a medium that infects the terminal 10 by transmitting malware from outside the first network 41. The unauthorized access source is specified by the IP address. An IP address that is not necessary for business, an IP address of a communication destination whose amount or frequency of data exchange is abnormal, etc. are specified as unauthorized access sources.

Subsequent S25 corresponds to a communication prohibition instruction unit, and transmits a communication prohibition instruction signal prohibiting communication with the access source specified in S24 to all terminals 10 connected to the first network 41. The terminal 10 that has received the communication prohibition instruction signal cuts off the communication with the access source indicated by the communication prohibition instruction signal. In order to block communication with the access source indicated by the communication prohibition instruction signal, the terminal 10 is set not to communicate with the access source indicated by the communication prohibition instruction signal, for example. In the second embodiment, after executing S25, S60 is executed to give a kitting instruction.

[Summary of the second embodiment]
In the second embodiment, the server 20 acquires preset types of data from the unauthorized terminal before initializing the unauthorized terminal (S14). Therefore, even if the unauthorized terminal is initialized, the necessary data stored in the unauthorized terminal can be acquired. Further, the server 20 switches the unauthorized terminal to the local network 42 before acquiring data from the unauthorized terminal (S13). This can prevent the spread of the infection.

Further, the server 20 acquires the communication history data from the unauthorized terminal (S14), and identifies the unauthorized access source based on the communication history data (S24). Then, a communication prohibition instruction signal for prohibiting communication with an unauthorized access source is transmitted to all the terminals 10 connected to the first network 41. As a result, it is possible to prevent the terminal 10 connected to the first network 41 from being infected with malware.

Although the embodiments have been described above, the disclosed technology is not limited to the above-described embodiment, and the following modifications are also included in the disclosed scope, and further, within the scope not deviating from the gist other than the following. It can be changed in various ways.

<Modification 1>
In the embodiment, the SSID and the password are included in the SID information determined when unauthorized access is detected. However, the SSID information to be determined when unauthorized access is detected may be only the password.

1: Terminal management system 10: Terminal 11: Display unit 12: Terminal communication unit 13: Camera 14: Terminal storage unit 15: Operation unit 16: Terminal control unit 17: Read processing unit 18: Initialization processing unit 19: Kitting execution unit 20: Server 21: Server communication unit 22: Display unit 23: Server storage unit 24: Terminal management program 25: Operation unit 26: Server control unit 30: Access point 31: Communication range 40: Network 41: First network 42: Local Network (second network) 200: Terminal management system S11: Fraud detection unit S12: Unauthorized terminal identification unit S13: Network switching instruction unit S14: Data acquisition unit S20: Initialization instruction unit S24: Unauthorized access identification unit S25: Communication prohibition instruction Unit S30: ID information determination unit S40: ID information transmission unit S60: Kitting instruction unit

Claims (9)

A server (20), one or more terminals (10) having a wireless communication function, and one or more access points (30) connecting the terminal and the server, the server, the terminal, and the like. A terminal management system (1,200) that constitutes a network in which the access point is identified by a network ID.
The server
The fraud detection unit (S11) that detects unauthorized access in the network, and
When the fraudulent detection unit detects unauthorized access, the unauthorized terminal identification unit (S12) that identifies the terminal that is performing unauthorized access, and the unauthorized terminal identification unit (S12).
An ID information determination unit (S30) that determines new network ID information required for wireless communication in the network when the fraud detection unit detects the unauthorized access.
The network ID information determined by the ID information determination unit is provided with the access point constituting the network and an ID information transmission unit (S40) for transmitting the network ID information to the terminal other than the terminal performing unauthorized access. ,
When the terminal and the access point receive the network ID information transmitted by the server, the terminal management system sets the received network ID information as the network ID information for wireless communication. A server (20), one or more terminals (10) having a wireless communication function, and one or more access points (30) connecting the terminal and the server, the server, the terminal, and the like. A terminal management system (1,200) that constitutes a network in which the access point is identified by a network ID.
The server
The fraud detection unit (S11) that detects unauthorized access in the network, and
When the fraudulent detection unit detects unauthorized access, the unauthorized terminal identification unit (S12) that identifies the terminal that is performing unauthorized access, and the unauthorized terminal identification unit (S12).
An initialization instruction unit (S20) that transmits an initialization instruction signal to the terminal specified by the unauthorized terminal identification unit, and an initialization instruction unit (S20).
After confirming that the terminal has been initialized, the terminal is provided with a kitting instruction unit (S60) that performs a kitting instruction process for instructing the initialized terminal to perform kitting.
The terminal is
Upon receiving the initialization instruction signal, the initialization processing unit (18) that executes the initialization processing and
A terminal management system including a kitting execution unit (19) that performs kitting in response to the kitting instruction process. The terminal management system according to claim 1.
The server
An initialization instruction unit (S20) that transmits an initialization instruction signal to the terminal specified by the unauthorized terminal identification unit,
After confirming that the terminal has been initialized, the terminal is provided with a kitting instruction unit (S60) that performs a kitting instruction process for instructing the initialized terminal to perform kitting.
The terminal is
Upon receiving the initialization instruction signal, the initialization processing unit (18) that executes the initialization processing and
A kitting execution unit (19) that performs kitting according to the kitting instruction process is provided.
The kitting instruction unit includes a process of transmitting the network ID information determined by the ID information determination unit.
The kitting execution unit is a terminal management system that executes a process of connecting to a network determined by the network ID information transmitted from the server. The terminal management system according to claim 2 or 3.
The network ID is referred to as a first network ID, and the network identified by the first network ID is referred to as a first network (41).
A second network (42) identified by a second network ID, which is a network ID different from the first network ID, is provided.
The server
Communication is also possible on the second network,
Before the initialization instruction unit transmits the initialization instruction signal, the network ID for switching the network to be connected to the unauthorized terminal, which is the terminal specified by the unauthorized terminal identification unit, to the second network. The network switching instruction unit (S13) for transmitting information and
A data acquisition unit (S14) that communicates with the unauthorized terminal connected to the second network and acquires preset types of data from the unauthorized terminal is provided.
The unauthorized terminal is a terminal management system that switches the network to be connected to the second network by using the received network ID information when the network ID information transmitted by the server is received. The terminal management system according to claim 4.
The data acquisition unit acquires communication history data from the unauthorized terminal and obtains communication history data.
The server
Based on the communication history data, the unauthorized access specifying unit (S24) that identifies the access source of the unauthorized access from the outside of the first network, and
A communication prohibition instruction unit (S25) for transmitting a communication prohibition instruction signal for prohibiting communication with an access source specified by the unauthorized access identification unit to the terminal connected to the first network is provided.
The terminal is a terminal management system that cuts off communication with the access source indicated by the communication prohibition instruction signal when the communication prohibition instruction signal is received from the server. In the terminal management system according to claim 1 or 3,
The network ID information is a terminal management system including a new network ID used for the network and a password corresponding to the network ID. In the terminal management system according to claim 6,
After transmitting the network ID information to the terminal, the ID information transmitting unit confirms whether the transmitted network ID information can communicate with the terminal, and when the transmitted network ID information cannot communicate with the terminal. , A terminal management system that retransmits the network ID information by the network that was able to communicate with the terminal. A terminal management program executed by a server constituting a network identified by a network ID together with one or more terminals (10) having a wireless communication function and one or more access points to which the terminals are connected.
The server
Unauthorized access in the network is detected (S11),
When unauthorized access is detected, the terminal that has illegally accessed is identified (S12), and
When an unauthorized access is detected, new network ID information required for wireless communication in the network is determined (S30).
The determined network ID information is transmitted to the access points constituting the network and the terminals other than the terminal performing the unauthorized access (S40).
A terminal management program that executes the process. A terminal management program executed by a server constituting a network identified by a network ID together with one or more terminals (10) having a wireless communication function and one or more access points to which the terminals are connected.
The server
Unauthorized access in the network is detected (S11),
When unauthorized access is detected, the terminal that has illegally accessed is identified (S12), and
An initialization instruction signal is transmitted to the specified terminal (S20),
After confirming that the terminal has been initialized, a kitting instruction process for instructing the initialized terminal to perform kitting is performed (S60).
A terminal management program that executes the process.

Images