JP4400787B2 - Web access monitoring system and administrator client computer - Google Patents

Description

  According to the present invention, in an environment in which a Web page on the Internet is accessed via a proxy server or the like, the administrator monitors the Web page data accessed by each user in real time and immediately determines that it is inappropriate. The present invention relates to a configuration for realizing Web access monitoring for which access prohibition can be set.

In recent years, with the widespread use of the Internet, browsing web pages using a web browser has been actively performed. In companies, schools, etc., web pages can be viewed from individual user client computers connected to an in-house network. As possible, it collects information related to its own business and conducts online lectures using a Web system. In this case, there are cases where inappropriate web page browsing, personal stock transactions, auctions, etc., which are not related to business or lectures, are carried out during business hours or lecture hours. .
As a configuration for prohibiting access to such an inappropriate Web page, for example, there is URL filtering software. The URL filtering software is applied to the classification of whether the content is criminal or sexual after the Web page data corresponding to each URL is actually viewed in advance by the company providing the software. It is possible to restrict access to Conventional URL filtering software includes, for example, software that operates on a firewall that is a contact point between an organization network such as a company and the Internet, and software that is provided as an original service by an Internet connection service provider.
On the other hand, as a configuration for monitoring the content displayed in the user's browser in real time, it has been provided separately by acquiring browser activity information in a user terminal equipped with a browser that can access the Internet. The structure provided with the means to transmit to the monitoring unit provided is well-known (for example, refer patent document 1).
JP 2000-222314 A

However, since the URL filtering software is capable of restricting access for each category, it has not been possible to restrict access to Web pages that are not applied to each category. In general, since the software providing company sets the classification, the classification may not match the policy of the user company. In addition, it takes some time to update URLs included in the classification, and not all Web pages on the Internet can be targeted.
In this case, it may be possible for the administrator of the user company to set the filtering target independently, but it is practically impossible to check a huge number of Web pages, and a specific domain is specified. In such a case, since all Web pages under the domain are subject to access prohibition, there is a possibility that Web pages that need to be browsed may be restricted.
On the other hand, in the configuration described in Patent Document 1, it is necessary to install the plug-in program in the browsers of all user terminals that constitute the network in the organization. Therefore, there is a problem in terms of cost for installation in all user terminals in the company, and there is a problem that it cannot be handled when a browser that cannot install the plug-in program is used.

  The present invention is for solving the above-mentioned problems, and enables web access monitoring that enables real-time access monitoring of each user terminal and facilitates setting of access restrictions that match the policies of each company. The purpose is to provide a system.

In order to solve the above-mentioned problems, the present invention accepts an access request to an arbitrary URL from a user client computer authenticated in advance, accesses the requested URL, obtains Web page data, and acquires the user client. In the access management system including an access management server that transmits to a computer, the access management server includes an access information transmission / reception unit that transmits the acquired Web page data and the URL to an administrator client computer. And
The access information transmitting / receiving means includes means for transmitting a user ID included in authentication information of the user client computer together with the Web page data and the URL to the administrator client computer. .
The access management server includes an access control management unit that receives an arbitrarily designated URL from the administrator client computer and stores the received URL in an access control management table.
Further, the access control management means receives a user ID arbitrarily designated from the administrator client computer together with the URL, and stores it in the access control management table.
The access management server includes a use history storage unit that stores a URL requested to be accessed and a user ID of a user who has requested access to the URL, and the access information transmitting / receiving unit includes: In response to the URL and user list request received from the administrator client computer, a list of user IDs stored in the usage history storage means is transmitted to the administrator client computer.
The access management server includes means for deleting privacy information from the acquired Web page data and generating Web page data for transmission to the client computer for administrator.

The administrator client computer according to the present invention accesses the URL requested by the user client computer, acquires Web page data, and transmits the Web page data from the access management server that transmits the Web page data to the user client computer. A management browser program for displaying a list of the Web pages on a display screen based on the received Web page data.
Further, the management browser program transmits a URL of a Web page arbitrarily designated as an access prohibition target from the displayed list of Web pages to the access management server.
The management browser program displays a list of user IDs to be managed together with the list of Web pages, and displays one or more user IDs arbitrarily specified together with the Web page. The URL is transmitted to the access management server together with the URL.

With the above configuration, according to the present invention, the access management server is provided with means for transmitting the data of the Web page accessed by each user client computer to the administrator client computer. Access monitoring in the management client computer can be performed in real time without providing new software and hardware.
In addition, since the access restriction is set based on the URL and user ID received from the administrator client computer, it is easy and quick to set the appropriate access restriction according to the policy of each organization such as a company or school. Can be performed.
In addition, since the private information is deleted from the Web page data to be monitored, it is possible to realize an appropriate monitoring system that prevents leakage of personal information.
In addition, since the administrator client computer displays a list of Web pages currently accessed by the user client computer in a small window, it is possible to visually grasp the Web pages being accessed. Become.
In addition, since it is possible to specify a Web page for setting access restrictions from the displayed Web pages, it is possible to easily and quickly set access restrictions.
Furthermore, since it is possible to specify a part or all of the users for the access restriction of the Web page, it is possible to easily set the access restriction for a specific user.

BRIEF DESCRIPTION OF THE DRAWINGS FIG. 1 is a diagram showing an example of a connection relationship of an intra-organization network including a Web access monitoring system according to an embodiment of the present invention.
As shown in FIG. 1, the Web access monitoring system according to the present embodiment includes an administrator client computer 102 and a proxy server connected to a plurality of user client computers 101 via a network 110. The access management server 103 is provided. The user client computer 101 can be connected to the Internet 104 via the access management server 103.
The access management server 103 receives an access request to an arbitrary URL from the user client computer 101, accesses the specified URL to acquire Web page data, and acquires the user client computer 101 and the administrator client computer. 102.
The administrator client computer 102 displays the Web page accessed by each user client computer 101 based on the received Web page data.

FIG. 2 is a block diagram showing a schematic configuration of each computer constituting the Web access monitoring system according to the present embodiment.
The user client computer 101 includes a terminal device 211 including a CPU 211A and a memory 211B, an external storage device 212 storing a Web browser program 212A, a communication port 213 for network connection, and an external device such as a keyboard and a mouse. It comprises an input device 214 and an external output device 215 such as a display or a printer.
Similarly, the administrator client computer 102 includes a terminal device 221 including a CPU 221A and a memory 221B, an external storage device 222 storing a management browser program 222A, a communication port 223, an external input device 224, and an external output. Device 225.
The access management server 103 includes a terminal device 231 including a CPU 231A and a memory 231B, a proxy program 232A, an access information transmission / reception program 232B, an access control management program 232C, an access control management table 232D, a user authentication information table 232E, and a Web page usage history list. The external storage device 232 in which 232F is stored and a communication port 233 for network connection are configured.
In the present embodiment, the access information transmission / reception program 232B transmits the Web page data acquired by the proxy program 232A to the administrator client computer 102, and the URL and usage specified by the administrator client computer 102 are used. The access control management program 232C sets the access restriction based on the user ID.

FIG. 3 is a diagram showing an example of the data structure of the access control management table 232D stored in the external storage device 232 in the access management server 103.
The access control management table 232D is composed of a set of a URL 301 and a pointer 302 to the access prohibited user list 310. The access-prohibited user list 310 includes a set of a pointer 311 to the next access-prohibited user list and a user ID 312.
When access prohibition is set for all users, NULL is set in the pointer to the access prohibition user list.

FIG. 4 is a diagram illustrating an example of a data structure of the user authentication information table 232E stored in the external storage device 232 of the access management server 103.
The user authentication information table 232E includes a user ID 401 and password 402 as authentication information and session information 403.

FIG. 5 is a diagram illustrating an example of a data structure of the Web page usage history list 232F stored in the external storage device 232 of the access management server 103.
The Web page usage history list 232F is composed of a set of a URL 501 and a pointer 502 to the user ID list 510.
The user ID list 510 includes a set of a pointer 511 to the next user ID list and a user ID 512.
The access date and time may be stored together with each user ID.

With the above configuration, the Web access monitoring system according to the present embodiment acquires a Web page accessed by each user client computer 101 and sets access restrictions for an arbitrary Web page.
Hereinafter, a Web page access monitoring method performed by the Web access monitoring system according to the present embodiment will be described.

FIG. 6 is a flowchart showing processing performed by the proxy program 232A operating on the access management server 103.
The proxy program 232A receives a connection from the Web browser program 212A on the user client computer 101 (step 601), and receives the URL and authentication information (step 602). Based on the user ID included in the received authentication information, the user authentication information table is referred to and the presence / absence of user registration is determined (step 603).
If the result of determination is that user registration has not been made, a user registration information acquisition request is returned to the Web browser program 212A (step 604).
On the other hand, if the user is registered as a result of the determination, the presence / absence of session information is determined (step 605), and if there is no session information, authentication processing is performed (step 606).
On the other hand, if there is session information, the URL and user ID are passed to the access control program 232C (step 607), access permission / impossibility information is acquired (step 608), and it is determined whether access is possible (step 608). 609).
If the access is impossible as a result of the determination, an access prohibition message is returned to the Web browser program 212A (step 610), and the process is repeated from step 601.
On the other hand, if it is accessible, the specified URL is accessed to acquire Web page data (step 611). The acquired Web page data, user ID, and URL are passed to the access information transmission / reception program 232B (step 612), the user ID and URL are added to the Web page usage history list 232F (step 613), and the Web page data is transferred to the Web browser. It returns to the program 212A (step 614) and repeats from step 601.

FIG. 7 is a flowchart showing processing performed by the access information transmission / reception program 232B operating on the access management server 102.
The access information transmission / reception program 232B receives a connection from the proxy program or the management browser program 222A (step 701), and determines whether the connection is from the proxy program 232A (step 702).
As a result of the determination, if the connection is from the proxy program 232A, the Web page data, URL, and user ID are received (step 703), and the received Web page data, URL, and user ID are transmitted to the management browser program 222A. (Step 704) and Step 701 are repeated. In this case, the Web page data transmitted to the management browser program 222A is obtained by deleting the user's private information. Here, the private information is a credit number, a personal identification number, or the like. For example, information arbitrarily input on the Web page is deleted. Specifically, the inside of the HTML document is analyzed, and if a character string “password” is present, a process of deleting all the characters in the tag including the character string is performed. The deletion of private information may be performed by the proxy program 232A.
On the other hand, if the connection is from the management browser program 222A, a command is received (step 705), and it is determined whether the command is “user list” or “access prohibited” (step 706).
If the command is “user list”, the URL is acquired (step 707), the user ID corresponding to the URL is extracted from the web page usage history list 232F (step 708), and returned to the management browser program 222A ( Steps 709) and 701 are repeated.
On the other hand, if the command is “access prohibited”, a list of URLs and user IDs is acquired (step 710), the URL and user ID are passed to the access control management program 232C (step 711), and the management browser program The registered message is transmitted to 222A (step 712), and the process is repeated from step 701.

FIG. 8 is a flowchart showing processing performed by the access control management program 232C operating on the access management server 102.
The access control management program 232C receives a connection from the proxy program 232A or the access information transmission / reception program 232B (step 801), and determines whether the connection is from the proxy program 232A (step 802).
As a result of the determination, in the case of connection from the proxy program 232A, the URL and user ID are acquired (step 803), and the access prohibited user list 310 corresponding to the acquired URL is acquired from the access control management table 232D (step 804). ).
With reference to the acquired access-prohibited user list 310, it is determined whether or not the user ID acquired from the proxy program 232A is registered (step 805).
As a result of the determination, if the user ID is registered in the access-prohibited user list 310, the inaccessible information is returned to the proxy program 232A (step 806), and the process is repeated from step 801.
On the other hand, if the user ID is not registered in the access-prohibited user list 310, accessible information is returned to the proxy program 232A (step 807), and the process is repeated from step 801.
If it is determined in step 802 that the connection is from the access information transmission / reception program 232B, the URL and user ID are acquired (step 808), registered in the access control management table 232D (step 809), and repeated from step 801. .

  Through the above processes, the proxy server can acquire the Web page accessed by the user client computer 101 and monitor it on the administrator client computer, and the access restriction set on the administrator client computer 102. Based on the above, it becomes possible to restrict access from the user client computer 101 to a predetermined Web page.

FIG. 9 is a diagram showing an example of a management screen displayed by the management browser program 222A running on the administrator client computer 102.
As shown in FIG. 9, the management screen 900 includes a user list display unit 910 and a web page display unit 920.
The user list display unit 910 displays a user ID list of users registered in the user authentication information table 232E. When a plurality of arbitrary user IDs are designated by a mouse operation or the like, the management browser program 222A displays only the web page displayed on the user client computer 101 of the designated user on the web page display unit 920. To do. In addition, by specifying only one user ID, a history of WEB accessed by the specified user in the past is displayed on the WEB page display unit 920.
Web page display unit 920 displays the Web page received from access information transmission / reception program 232B in small windows 920A-C. In this case, the Web page displayed in the small windows 920A to 920C is displayed on the user client computer 101, and the management browser program 222A changes the display of the Web page on the user client computer 101. If a certain time has passed without being changed, the background color of the small window is changed or blinked.
The management browser program 222A displays a prohibition setting pop-up 930 when the small windows 921A to 921C displayed on the Web page display unit 920 are designated by a mouse operation or the like.
In the prohibition setting pop-up 930, all user prohibition settings or prohibition settings for users corresponding to designated small windows can be selected. In addition to specifying a small window, it is possible to restrict access to a specific user by specifying one or more user IDs displayed in the user ID list.
When the management browser program 222A receives designation of an arbitrary URL, the management browser program 222A displays a list of user IDs of users who have accessed the Web page indicated by the URL.

As described above, in the Web access monitoring system according to the present embodiment, the Web page accessed by each user client computer without providing new software and hardware in each user client computer. Data can be monitored in real time by an administrator, and access restriction can be set for a Web page to be monitored. Accordingly, it is possible to immediately prohibit access to a Web page that is not related to business or lectures. In addition, it is possible to easily and quickly set unique access restrictions according to the policies of each organization such as a company or a school.
In this case, by using a proxy server as an access management server constituting the Web access monitoring system, the present invention can be realized using an existing network configuration.
In addition, since the private information is deleted from the Web page data to be monitored, it is possible to realize an appropriate monitoring system that prevents leakage of personal information.
In addition, the Web page accessed by each user client computer is displayed in a list on the administrator client computer in a small window, and the Web page for which access is prohibited can be specified from the Web page. It is possible to set access restrictions by simple operations. Furthermore, since it is possible to specify one or a plurality of user IDs for the specified Web page, it is possible to easily set access restrictions for a specific user.
Further, since the background color of the small window is changed or blinked for the Web page whose display is not changed for a certain period of time, the display state on the user client computer can be easily grasped.

The present invention is not limited to the configuration shown in the above embodiment, and the configuration of each processing unit and the data structure of each table may be changed as long as the same processing is possible.
Therefore, in the above embodiment, the access prohibition setting is enabled for all users or users corresponding to small windows on the management screen. However, the present invention is not limited to this, and the user ID displayed on the user list display unit is not limited to this. The access prohibition setting may be enabled for a plurality of users by arbitrarily selecting. In this case, users may be grouped in advance according to attribute information such as job title and affiliation, and access prohibition setting may be enabled for each group.

It is a figure which shows an example of the connection relation of the network in an organization provided with the web access monitoring system which concerns on one embodiment of this invention. It is a block diagram which shows schematic structure of each computer which comprises the web access monitoring system which concerns on one embodiment of this invention. It is a figure which shows an example of the data structure of an access control management table. It is a figure which shows an example of the data structure of a user authentication information table. It is a figure which shows an example of the data structure of a web page utilization log | history list. It is a flowchart which shows the process which the proxy program which operate | moves on an access management server performs. It is a flowchart which shows the process which the access information transmission / reception program which operate | moves on an access management server performs. It is a flowchart which shows the process which the access control management program which operate | moves on an access management server performs. It is a figure which shows an example of the management screen which the management browser program which operate | moves on the client computer for administrators displays.

Explanation of symbols

101 User Client Computer, 102 Administrator Client Computer, 103 Access Management Server, 104 Internet, 110 Network, 212A Web Browser Program, 222A Management Browser Program, 232A Proxy Program, 232B Access Information Transmission / Reception Program, 232C Access Control Management Program, 232D access control management table, 232E user authentication information table, 232F Web page usage history list.

Claims (1)

An administrator client computer that receives the Web page data from an access management server that accesses a URL requested by the user client computer, acquires Web page data, and transmits the Web page data to the user client computer,
The web page data requested by the user client computer and the user ID included in the authentication information of the user client computer are received from the access management server, and based on the web page data and the user ID, A list of the Web page and a list of user IDs are displayed on a display screen in a small window, and the URL of the Web page arbitrarily designated as an access-prohibited object from the displayed list of Web pages and the Web page are displayed. An administrator client computer comprising means for transmitting one or a plurality of user IDs that prohibit access to the access management server .

Images