JP5178219B2 - Access analysis device, access analysis method, and access analysis program - Google Patents


Publication number
JP5178219B2
Authority
JP
Japan
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Fee Related
Application number
JP2008021540A
Other languages
Japanese (ja)
Other versions
JP2009181459A (en)
Inventor
十郎 鷲尾
耕一 和田
隆宏 岡本
Original Assignee
三菱スペース・ソフトウエア株式会社
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 三菱スペース・ソフトウエア株式会社
Priority to JP2008021540A
Publication of JP2009181459A
Application granted
Publication of JP5178219B2
Application status is Expired - Fee Related


Description

  The present invention relates to an access analysis device, an access analysis method, and an access analysis program. The present invention particularly relates to a packet capture type website access analysis device, a website access analysis method, and a website access analysis program.

The number of companies (business owners) that sell products using the Internet is increasing year by year, and the scale of product sales via the Internet is also increasing. Along with this, it has become indispensable for each company to analyze the behavior of users who shop on its Web site and grasp their trends in order to expand the sales scale. The behavioral analysis here is the analysis of the user's behavior in the Web site, that is, access analysis of the Web pages, covering points such as the following:
(1) How the user came to the company's Web site
・ Whether the user entered a keyword on a search site and came from a hit link
・ Whether the user came from a link in some blog
(2) Which Web pages (contents) the user is interested in and which products are purchased (whether they lead to purchases)
・ Which Web page is popular
・ Which Web page has a long stay time
(3) When the user did not purchase a product (did not lead to purchase), from which Web page the user went outside the company's Web site, and at which Web page the user stopped accessing (left)
From the results of access analysis, companies are trying to expand the sales scale by improving Web pages so that the withdrawal rate decreases and the number of accesses, purchase rates, and sales increase.

There are mainly the following three types of conventional access analysis methods.
(1) Access log type: Each time a Web page is accessed, the Web server records an HTTP (Hypertext Transfer Protocol) request or a part of an HTTP response in an access log in a predetermined format. The access analysis is performed by analyzing the access log (see, for example, Patent Documents 1 to 5).
(2) Beacon (tag) type: A small program (tag) is affixed to each Web page, and when a user's Web browser reads the Web page, the information acquired by the program is sent to an analysis server separate from the Web server. The analysis server records this information in a database. Access analysis is performed by analyzing the information in this database.
(3) Packet capture type: A packet capture device captures all packets (packets including an HTTP request or an HTTP response) that flow on a network connecting a Web server to the outside. The access analysis is performed by restoring the HTTP communication from the captured packets and analyzing the HTTP communication.
Patent Documents 1 to 5: JP 2002-24127 A; JP 2002-63102 A; JP 2004-152209 A; JP 2004-280240 A; JP 2004-280501 A

  In the case of the access log type and the beacon type, there is a problem that work is required to implement a mechanism for access analysis for each Web site. Specifically, in the case of the access log type, it is necessary to modify the Web server. For example, since the Referer (URL of the Web page accessed immediately before), cookies, and the like are not normally output to the log in the default setting of the Web server, it has been necessary to change the Web server settings so that such information is recorded in the access log. Further, it is necessary to implement a process of recording a user ID (identifier) for identifying a logged-in user in the access log in accordance with a login authentication method that is different for each Web site. In the case of the beacon type, it is necessary to embed a beacon (tag) in each Web page.

  In the case of the conventional packet capture type, there is no need to implement a mechanism for performing access analysis for each Web site, but there is a problem that it is impossible to grasp the behavior of each user in the Web site. In the case of the access log type, by referring to the user ID or the like recorded in the access log, it is possible to analyze each user's behavior (for example, in what order and which Web pages were accessed). In the case of the beacon type, since information is transmitted from a beacon that operates for each user, the behavior of each user can be analyzed by specifying the beacon that is the transmission source of the information. On the other hand, in the case of the conventional packet capture type, taking a given Web page as a starting point, it is not known which Web pages a single user browsed two or more pages before that Web page (the immediately preceding Web page can be seen by referring to the Referer), so the behavior of each user cannot be analyzed sufficiently (however, when the user accesses using a mobile phone and a terminal ID is transmitted from the mobile phone, the behavior of each user can be analyzed by specifying the individual mobile phone).

  For example, an object of the present invention is to make it possible to grasp an action for each user in a website without mounting a mechanism for performing access analysis for each website.

An access analysis device according to one aspect of the present invention includes:
a packet acquisition unit that acquires a plurality of packets from a packet capture device and stores them in a storage device, the packet capture device collecting packets that carry responses including page data of a Web page and individual setting data individually set for a user;
a response restoration unit that analyzes, by a processing device, the plurality of packets stored by the packet acquisition unit and restores a plurality of responses transmitted in the plurality of packets;
an individual setting data extraction unit that extracts, by a processing device, individual setting data from each of the plurality of responses restored by the response restoration unit;
a response identifying unit that identifies, as one response group, those responses among the plurality of responses restored by the response restoration unit whose individual setting data extracted by the individual setting data extraction unit is common; and
an access history data generation unit that estimates that the same user has accessed the Web pages whose page data is included in the responses of the response group identified by the response identifying unit, and generates, by a processing device, access history data indicating that the same user has accessed those Web pages.

The packet capture device collects packets carrying responses that are returned by the Web server in response to requests from users and that include attribute data of a logged-in user, the attribute data being added by the Web server to the page data of the Web page to which the logged-in user requests access.
The individual setting data extraction unit extracts, by a processing device, the attribute data as individual setting data from each of the plurality of responses restored by the response restoration unit.
The response identifying unit identifies, by a processing device, as one response group those responses among the plurality of responses restored by the response restoration unit whose attribute data extracted by the individual setting data extraction unit is common.

  The individual setting data extraction unit compares, by a processing device, the page data of a Web page in which a user is logged in with the page data of a Web page in which the user is not logged in or in which another user is logged in, and thereby estimates the data that is attribute data.

The packet capture device collects packets carrying responses that include, as attribute data, attribute data displayed at a predetermined relative position from specific display data on the Web page to which a logged-in user requests access, or in a range having two pieces of specific display data as its starting point and ending point, respectively.
The individual setting data extraction unit extracts the specific display data from each of the plurality of responses restored by the response restoration unit, and estimates, by a processing device, that the data of the portion displayed at the predetermined relative position from the specific display data, or in the range, is attribute data.

The packet capture device collects packets carrying responses that include, as attribute data, name data of the user displayed on the Web page to which the logged-in user requests access.
The storage device stores personal name dictionary data in advance.
The individual setting data extraction unit uses the dictionary data stored in the storage device to extract, from each of the plurality of responses restored by the response restoration unit, the data of a portion that displays a person's name on a Web page, and estimates, by a processing device, that the data of that portion is name data.

The packet capture device collects packets carrying responses that are returned by a Web server in response to requests from users and that include layout setting data indicating a layout commonly set by a user on a plurality of Web pages, the layout setting data being added by the Web server to the page data of the Web page to which a logged-in user requests access.
The individual setting data extraction unit extracts, by a processing device, the layout setting data as individual setting data from each of the plurality of responses restored by the response restoration unit.
The response specifying unit specifies, by a processing device, as one response group those responses among the plurality of responses restored by the response restoration unit whose layout setting data extracted by the individual setting data extraction unit is common.

  The response specifying unit specifies, by a processing device, as one response group those responses whose individual setting data extracted by the individual setting data extraction unit is common among a plurality of responses restored by the response restoration unit from packets having the same source address.

An access analysis method according to one aspect of the present invention includes:
A packet capture device collects packets carrying responses that include page data of a Web page and individual setting data individually set for a user.
The packet acquisition unit of the access analysis device acquires a plurality of packets collected by the packet capture device and stores them in a storage device.
The response restoration unit of the access analysis device analyzes, by a processing device, the plurality of packets stored by the packet acquisition unit and restores a plurality of responses transmitted in the plurality of packets.
The individual setting data extraction unit of the access analysis device extracts, by a processing device, individual setting data from each of the plurality of responses restored by the response restoration unit.
The response identifying unit of the access analysis device identifies, by a processing device, as one response group those responses among the plurality of responses restored by the response restoration unit whose individual setting data extracted by the individual setting data extraction unit is common.
The access history data generation unit of the access analysis device estimates that the same user has accessed the Web pages whose page data is included in the responses of the response group specified by the response specifying unit, and generates, by a processing device, access history data indicating that the same user has accessed those Web pages.

An access analysis program according to one aspect of the present invention causes a computer to execute:
a packet acquisition process of acquiring a plurality of packets from a packet capture device and storing them in a storage device, the packet capture device collecting packets that carry responses including page data of a Web page and individual setting data individually set for a user;
a response restoration process of analyzing, by a processing device, the plurality of packets stored by the packet acquisition process and restoring a plurality of responses transmitted in the plurality of packets;
an individual setting data extraction process of extracting, by a processing device, individual setting data from each of the plurality of responses restored by the response restoration process;
a response specifying process of specifying, by a processing device, as one response group those responses among the plurality of responses restored by the response restoration process whose individual setting data extracted by the individual setting data extraction process is common; and
an access history data generation process of estimating that the same user has accessed the Web pages whose page data is included in the responses of the response group specified by the response specifying process, and generating, by a processing device, access history data indicating that the same user has accessed those Web pages.

The packet capture device collects packets carrying responses that are returned by the Web server in response to requests from users and that include attribute data of a logged-in user, the attribute data being added by the Web server to the page data of the Web page to which the logged-in user requests access.
In the individual setting data extraction process, the attribute data is extracted by the processing device as individual setting data from each of the plurality of responses restored by the response restoration process.
In the response specifying process, those responses among the plurality of responses restored by the response restoration process whose attribute data extracted by the individual setting data extraction process is common are specified by a processing device as one response group.

  The individual setting data extraction process compares, by a processing device, the page data of a Web page in which a user is logged in with the page data of a Web page in which the user is not logged in or in which another user is logged in, and thereby estimates the data that is attribute data.

The packet capture device collects packets carrying responses that include, as attribute data, attribute data displayed at a predetermined relative position from specific display data on the Web page to which a logged-in user requests access, or in a range having two pieces of specific display data as its starting point and ending point, respectively.
The individual setting data extraction process extracts the specific display data from each of the plurality of responses restored by the response restoration process, and estimates, by a processing device, that the data of the portion displayed at the predetermined relative position from the specific display data, or in the range, is attribute data.

The packet capture device collects packets carrying responses that include, as attribute data, name data of the user displayed on the Web page to which the logged-in user requests access.
The storage device stores personal name dictionary data in advance.
The individual setting data extraction process uses the dictionary data stored in the storage device to extract, from each of the plurality of responses restored by the response restoration process, the data of a portion that displays a person's name on a Web page, and estimates, by a processing device, that the data of that portion is name data.

The packet capture device collects packets carrying responses that are returned by a Web server in response to requests from users and that include layout setting data indicating a layout commonly set by a user on a plurality of Web pages, the layout setting data being added by the Web server to the page data of the Web page to which a logged-in user requests access.
In the individual setting data extraction process, the layout setting data is extracted by the processing device as individual setting data from each of the plurality of responses restored by the response restoration process.
In the response specifying process, those responses among the plurality of responses restored by the response restoration process whose layout setting data extracted by the individual setting data extraction process is common are specified by the processing device as one response group.

  The response specifying process specifies, by a processing device, as one response group those responses whose individual setting data extracted by the individual setting data extraction process is common among a plurality of responses restored by the response restoration process from packets having the same source address.

  According to one aspect of the present invention, in the access analysis device, the response restoration unit analyzes a plurality of packets acquired from the packet capture device and restores a plurality of responses, the individual setting data extraction unit extracts the individual setting data individually set for the user from each of the restored responses, and the response specifying unit specifies, as one response group, those restored responses whose extracted individual setting data is common. Therefore, for example, the access history data generation unit can perform access analysis by estimating that the same user has accessed the Web pages whose page data is included in the responses of the specified response group, which makes it possible to grasp the behavior of each user on a Web site without implementing a mechanism for access analysis for each Web site.

  Hereinafter, embodiments of the present invention will be described with reference to the drawings.

Embodiment 1
FIG. 1 is a diagram illustrating an example of a usage pattern of an access analysis device 100 according to the present embodiment.

  In FIG. 1, a user terminal 201 is a computer used by a user, and operates a Web browser for the user to browse a Web page. The user terminal 201 is, for example, a PC (personal computer).

  The Web server 202 is a server computer that implements a Web site composed of a plurality of Web pages. In the following, for the sake of simplicity, even when there are two or more server computers, they are regarded as a single Web server 202 as long as they realize one Web site. In addition to an HTTP (Hypertext Transfer Protocol) server that simply provides HTML (Hypertext Markup Language) files, Web application servers and the like that have the login authentication function and the database processing function necessary for providing an electronic commerce service on a Web site are collectively regarded as one Web server 202. Here, a server computer that is a combination of hardware and software and a server program that is only software are not strictly distinguished (in either case, the term Web server 202 is used).

  The user terminal 201 and the Web server 202 perform IP (Internet Protocol) communication via the Internet 203. In IP communication, the user terminal 201 transmits an IP packet 211 to the Web server 202 via the Internet 203. Similarly, the Web server 202 transmits an IP packet 212 to the user terminal 201 via the Internet 203. A Web browser operating on the user terminal 201 and the Web server 202 perform HTTP communication using IP communication.

  Here, FIG. 2 shows an example of a web page 311 displayed on the web browser screen 301 of the user terminal 201 when the user is not logged in. FIG. 3 shows an example of HTTP communication for acquiring the Web page 311 by a Web browser operating on the user terminal 201. In HTTP communication, the Web browser transmits an HTTP request 401 to the Web server 202. The Web server 202 returns an HTTP response 402 to the user terminal 201 in response to the HTTP request 401.

  In FIG. 3, when the user requests access to the Web page 311 by, for example, inputting the URL (Uniform Resource Locator) 321 of the Web page 311 on the Web browser screen 301 (or clicking a link in another Web page being browsed on the Web browser screen 301), the Web browser generates an HTTP request 401 including the URL data 411 of the Web page 311. The user terminal 201 transmits the HTTP request 401 to the Web server 202 in an IP packet 211.

  When the Web server 202 receives the IP packet 211 carrying the HTTP request 401 from the user terminal 201, the Web server 202 specifies the Web page 311 to which the user requests access based on the URL data 411 included in the HTTP request 401, and generates an HTTP response 402 including page data 412 of the Web page 311. At this time, the Web server 202 adds specific display data 413 to the page data 412. The Web server 202 returns the HTTP response 402, which includes the page data 412 to which the specific display data 413 has been added, to the user terminal 201 in an IP packet 212.

  When the user terminal 201 receives the IP packet 212 carrying the HTTP response 402 from the Web server 202, the Web browser operating on the user terminal 201 displays the Web page 311 on the Web browser screen 301 based on the page data 412 included in the HTTP response 402. For example, as shown in FIG. 2, the Web browser displays the specific display data 413 added to the page data 412 on a part of the Web page 311 as a specific character string 322, "hello.". Further, the Web browser displays a menu 323 of the product categories handled on the Web site on a part of the Web page 311. The Web browser displays, in the menu 323, a link 324 to a Web page for product sales in each product category.

  FIG. 4 shows an example of a web page 312 displayed on the web browser screen 301 of the user terminal 201 immediately after the user logs in. FIG. 5 shows an example of HTTP communication for acquiring a Web page 312 by a Web browser operating on the user terminal 201.

  In FIG. 5, when the user requests login to the Web site by inputting a combination of a user ID (identifier) and a password set in advance on the Web site into a form in the login authentication Web page being browsed on the Web browser screen 301, the Web browser generates an HTTP request 401 including authentication data 414. The user terminal 201 transmits the HTTP request 401 to the Web server 202 in an IP packet 211.

  When receiving the IP packet 211 carrying the HTTP request 401 from the user terminal 201, the Web server 202 authenticates the user based on the authentication data 414 included in the HTTP request 401. When the user authentication is successful (which means that the user has logged in), the Web server 202 generates an HTTP response 402 including the page data 412 of the Web page 312 displayed by default for the logged-in user. At this time, the Web server 202 adds individual setting data of the logged-in user to the page data 412. The individual setting data is data individually set for the user (that is, information that can distinguish the user), and is, for example, user attribute data. Here, it is assumed that the Web server 202 adds user name data 415 to the page data 412 as attribute data of the logged-in user. In addition to this attribute data, the Web server 202 may also add a user ID, user point data (data recording points given to a user who purchased a product on the Web site, etc.), user purchase history data (of users on the Web site, etc.), user preference data (a link 324 to a Web page dynamically generated according to the user's preference estimated from the products purchased by the user on the Web site), and the like to the page data 412. The Web server 202 returns the HTTP response 402, which includes the page data 412 to which the attribute data of the logged-in user has been added, to the user terminal 201 in an IP packet 212.

  When the user terminal 201 receives the IP packet 212 carrying the HTTP response 402 from the Web server 202, the Web browser operating on the user terminal 201 displays the Web page 312 on the Web browser screen 301 based on the page data 412 included in the HTTP response 402. For example, as shown in FIG. 4, the Web browser displays the specific display data 413 added to the page data 412 on a part of the Web page 312 as a specific character string 322, "hello,". Further, the Web browser displays the specific display data 416 added to the page data 412 as a specific character string 326, "san", on a part of the Web page 312. Furthermore, based on the user name data 415 added to the page data 412, the Web browser displays the user's name 325, "Taro Yamada", after the specific character string 322 (an example of a predetermined relative position), or between the specific character string 322 and the specific character string 326 (a range starting from the specific character string 322 and ending with the specific character string 326). Further, the Web browser displays the Web page 312 in which the user ID and the purchase history data of the user are embedded (as a hidden parameter or the like) based on other attribute data added to the page data 412. Alternatively, the Web browser displays the user point data on a part of the Web page 312. Alternatively, the Web browser displays a menu 323 including a link 324 that is user preference data on a part of the Web page 312.

  FIG. 6 shows an example of a web page 313 displayed on the web browser screen 301 of the user terminal 201 while the user is logged in.

  Although not shown, when a logged-in user requests access to the Web page 313 using the method described above, such as inputting the URL 321 of the Web page 313 on the Web browser screen 301, the Web browser generates an HTTP request 401 including the URL data 411 of the Web page 313. At this time, the Web browser adds to the HTTP request 401 the data written in the cookie when the user logged in to the Web site (such as a user ID and data indicating that the user is logged in). The user terminal 201 transmits the HTTP request 401 to the Web server 202 in an IP packet 211.

  When receiving the IP packet 211 carrying the HTTP request 401 from the user terminal 201, the Web server 202 identifies the Web page 313 to which the user requests access based on the URL data 411 included in the HTTP request 401, and generates an HTTP response 402 including page data 412 of the Web page 313. At this time, the Web server 202 adds specific display data 413 and 416 and user name data 415 to the page data 412. The Web server 202 may further add other attribute data to the page data 412. The Web server 202 returns the HTTP response 402 to the user terminal 201 in an IP packet 212.

  When the user terminal 201 receives the IP packet 212 carrying the HTTP response 402 from the Web server 202, the Web browser operating on the user terminal 201 displays the Web page 313 on the Web browser screen 301 based on the page data 412 included in the HTTP response 402.

  When the Web page 311 shown in FIG. 2 is compared with the Web page 312 shown in FIG. 4, the URL 321 and the displayed content are the same, but while only the specific character string 322 is displayed at the top of the Web page 311 shown in FIG. 2, the name 325 of the currently logged-in user is displayed in addition to the specific character string 322 at the top of the Web page 312 shown in FIG. 4. Further, when the Web page 312 shown in FIG. 4 and the Web page 313 shown in FIG. 6 are compared, the URL 321 and the displayed content are different, but the name 325 of the currently logged-in user is displayed in addition to the specific character string 322 at the top of each of the Web pages 312 and 313. Thus, in the Web site in the above example, when the user logs in, the user name 325 is displayed in a common format at the top of each Web page.

  In FIG. 1, a network device 204 is a communication device connected between the Web server 202 and the Internet 203. It relays the IP packets 211 transmitted from the user terminal 201 to the Web server 202 via the Internet 203 and the IP packets 212 transmitted from the Web server 202 to the user terminal 201 via the Internet 203. The network device 204 also outputs all relayed IP packets 211 and 212 from its mirror port. The network device 204 is, for example, a switching hub or a router.

  The packet capture device 205 is a computer connected to the mirror port of the network device 204. The packet capture device 205 collects a plurality of IP packets 211 and 212 output from the mirror port of the network device 204 and stores them in a recording medium such as a hard disk.

  The access analysis device 100 is a computer connected to the packet capture device 205. The access analysis device 100 analyzes a plurality of IP packets 211 and 212 stored in a recording medium by the packet capture device 205, thereby analyzing an action for each user in the Web site. The access analysis device 100 may incorporate a packet capture device 205. Specifically, the access analysis device 100 may be a computer that executes a program having the function of the packet capture device 205.

  FIG. 7 is a block diagram illustrating a configuration of the access analysis device 100.

  In FIG. 7, the access analysis device 100 includes a packet acquisition unit 101, a request / response restoration unit 102 (an example of a response restoration unit), an individual setting data extraction unit 103, a response identification unit 104, an access history data generation unit 105, and an access analysis unit 106. Further, the access analysis device 100 includes hardware such as a storage device 151, a processing device 152, an input device 153, and an output device 154 (or this hardware is connected to the access analysis device 100). The hardware is used by each unit of the access analysis device 100. For example, the processing device 152 is used to perform calculation, processing, reading, writing, and the like of data and information in each unit of the access analysis device 100. The storage device 151 is used to store the data and information. The input device 153 is used to input the data and information, and the output device 154 is used to output the data and information.

  The packet acquisition unit 101 acquires all IP packets 211 and 212 from the packet capture device 205. Then, the packet acquisition unit 101 stores the acquired IP packets 211 and 212 in the storage device 151.

  The request / response restoration unit 102 uses the processing device 152 to analyze a plurality of IP packets 212 carrying a plurality of HTTP responses 402 out of the IP packets 211 and 212 stored by the packet acquisition unit 101. Then, the request / response restoration unit 102 restores the plurality of HTTP responses 402 transmitted on the plurality of IP packets 212 by the processing device 152. Here, it is assumed that the request / response restoration unit 102 also analyzes the plurality of IP packets 211 and restores the plurality of HTTP requests 401 transmitted in the plurality of IP packets 211 by the processing device 152.

  The individual setting data extraction unit 103 uses the processing device 152 to extract individual setting data from each of the plurality of HTTP responses 402 restored by the request / response restoration unit 102. The individual setting data extraction unit 103 may further extract individual setting data (if any) from each of the plurality of HTTP requests 401 restored by the request / response restoration unit 102.

  The response identifying unit 104 uses the processing device 152 to specify, as one response group, the HTTP responses 402 that share the same individual setting data extracted by the individual setting data extracting unit 103 among the plurality of HTTP responses 402 restored by the request / response restoring unit 102. At this time, the response specifying unit 104 uses the processing device 152 to specify the HTTP request 401 corresponding to each HTTP response 402 of the response group among the plurality of HTTP requests 401 restored by the request / response restoring unit 102. The response specifying unit 104 may further use the processing device 152 to specify, as one request group, the HTTP requests 401 (if any) that share the same individual setting data extracted by the individual setting data extracting unit 103 among the plurality of HTTP requests 401 restored by the request / response restoring unit 102.

  The access history data generation unit 105 estimates that the same user has accessed the Web pages whose page data 412 is included in the HTTP responses 402 of the response group specified by the response specifying unit 104. Then, the access history data generation unit 105 uses the processing device 152 to generate access history data indicating that the same user has accessed those Web pages. At this time, the access history data generation unit 105 can extract the URL from each HTTP request 401 specified by the response specifying unit 104 as corresponding to each HTTP response 402 in the response group, and use it to identify each Web page. Alternatively, the access history data generation unit 105 may identify each Web page using only data included in each HTTP response 402 (for example, data displayed on a Web page for navigation of the website). The access history data generation unit 105 stores the generated access history data in the storage device 151.

  Based on the access history data stored by the access history data generation unit 105, the access analysis unit 106 analyzes the actions of individual users by the processing device 152.

  FIG. 8 is a diagram illustrating an example of hardware resources of the access analysis device 100.

  In FIG. 8, the access analysis apparatus 100 includes hardware resources such as a display device 901 having a display screen of a CRT (Cathode Ray Tube) or LCD (Liquid Crystal Display), a keyboard 902 (K/B), a mouse 903, an FDD 904 (Flexible Disk Drive), a CDD 905 (Compact Disc Drive), and a printer device 906, which are connected by cables and signal lines.

  The access analysis apparatus 100 includes a CPU 911 (Central Processing Unit) that executes a program. The CPU 911 is an example of the processing device 152. The CPU 911 is connected to a ROM 913 (Read Only Memory), a RAM 914 (Random Access Memory), a communication board 915, the display device 901, the keyboard 902, the mouse 903, the FDD 904, the CDD 905, the printer device 906, and a magnetic disk device 920, and controls these hardware devices. Instead of the magnetic disk device 920, a storage medium such as an optical disk device or a memory card reader / writer, or a network storage such as NAS (Network Attached Storage) may be used.

  The RAM 914 is an example of a volatile memory. The storage media of the ROM 913, the FDD 904, the CDD 905, and the magnetic disk device 920 are an example of a nonvolatile memory. These are examples of the storage device 151. The communication board 915, the keyboard 902, the mouse 903, the FDD 904, the CDD 905, and the like are examples of the input device 153. The communication board 915, the display device 901, the printer device 906, and the like are examples of the output device 154.

  The communication board 915 is connected to a LAN (Local Area Network) or the like. The communication board 915 is not limited to a LAN and may be connected to the Internet, or to a WAN (Wide Area Network) such as an IP-VPN (Internet Protocol Virtual Private Network), a wide area LAN, or an ATM (Asynchronous Transfer Mode) network. The LAN, the Internet, and the WAN are examples of networks.

  The magnetic disk device 920 stores an operating system 921 (OS), a window system 922, a program group 923, and a file group 924. The programs in the program group 923 are executed by the CPU 911, the operating system 921, and the window system 922. The program group 923 stores programs that execute the functions described as “~ unit” in the description of the present embodiment. The programs are read and executed by the CPU 911. The file group 924 stores the data, information, signal values, variable values, and parameters described as “~ data”, “~ information”, “~ ID (identifier)”, “~ flag”, and “~ result” in the description of this embodiment, as items of “~ file”, “~ database”, and “~ table”. The “~ file”, “~ database”, and “~ table” are stored in a storage medium such as a disk or a memory. Data, information, signal values, variable values, and parameters stored in a storage medium such as a disk or memory are read out to the main memory or cache memory by the CPU 911 via a read / write circuit and used for processing (operation) of the CPU 911 such as extraction, search, reference, comparison, calculation, control, output, printing, and display. During such processing of the CPU 911, the data, information, signal values, variable values, and parameters are temporarily stored in the main memory, cache memory, and buffer memory.

  In addition, the arrows in the block diagrams and flowcharts used in the description of this embodiment mainly indicate input / output of data and signals, and the data and signals are recorded in a memory such as the RAM 914, or on a recording medium such as the flexible disk (FD) of the FDD 904, the compact disc (CD) of the CDD 905, the magnetic disk of the magnetic disk device 920, another optical disk, a mini disk (MD), or a DVD (Digital Versatile Disc). Data and signals are transmitted by a bus 912, a signal line, a cable, and other transmission media.

  In addition, what is described as “~ unit” in the description of this embodiment may be “~ circuit”, “~ device”, or “~ equipment”, and may also be “~ step”, “~ process”, “~ procedure”, or “~ processing”. That is, what is described as “~ unit” may be realized by firmware stored in the ROM 913. Alternatively, it may be realized only by software, only by hardware such as an element, a device, a board, and wiring, by a combination of software and hardware, or further in combination with firmware. Firmware and software are stored as programs in a recording medium such as a magnetic disk, flexible disk, optical disk, compact disk, minidisk, or DVD. This program is read by the CPU 911 and executed by the CPU 911. That is, the program causes the computer to function as the “~ unit” described in the description of the present embodiment. Alternatively, it causes the computer to execute the procedures and methods of the “~ unit” described in the description of the present embodiment.

  FIG. 9 is a flowchart showing an access analysis method according to the present embodiment.

  The flow shown in the flowchart of FIG. 9 corresponds to a processing procedure of a program (access analysis program) executed on a computer that implements the access analysis apparatus 100. Hereinafter, the access analysis method according to the present embodiment will be described assuming that the access analysis apparatus 100 is realized by the computer and hardware resources illustrated in FIG.

  The packet acquisition unit 101 acquires all IP packets 211 and 212 from the packet capture device 205. The packet acquisition unit 101 stores the acquired IP packets 211 and 212 in the magnetic disk device 920 (an example of the storage device 151) (step S101: packet acquisition processing).

  The request / response restoration unit 102 analyzes the IP packets 211 and 212 stored in step S101 by the CPU 911 (an example of the processing device 152). Then, the request / response restoration unit 102 restores the plurality of HTTP requests 401 transmitted in the plurality of IP packets 211 and the plurality of HTTP responses 402 transmitted in the plurality of IP packets 212 by the CPU 911. (Step S102: Response restoration process). Here, it is assumed that the request / response restoration unit 102 restores the HTTP request 401 and the HTTP response 402 in the examples of FIGS.

  The individual setting data extraction unit 103 extracts the user name data 415 as individual setting data from each of the plurality of HTTP responses 402 restored in step S102 (step S103: individual setting data extraction processing). Specifically, first, the individual setting data extraction unit 103 extracts the URL data 411 by the CPU 911 from each of the plurality of HTTP responses 402 restored in step S102. Next, from the plurality of HTTP responses 402 restored in step S102, the individual setting data extraction unit 103 selects at least two responses for which the URL 321 indicated by the URL data 411 extracted from the corresponding HTTP response 402 corresponds to the same Web page or the same type of Web page (for example, the top page), such as the Web pages 311 and 312. For example, the individual setting data extraction unit 103 selects the HTTP response 402 including the page data 412 of the Web page 312 where the user is logged in and the HTTP response 402 including the page data 412 of the Web page 311 where the user is not logged in. Alternatively, the individual setting data extraction unit 103 selects the HTTP response 402 including the page data 412 of the Web page 312 in which the user is logged in and the HTTP response 402 including the page data 412 of the Web page in which another user is logged in. Then, the individual setting data extraction unit 103 compares the page data 412 included in each of the selected HTTP responses 402, and estimates by the CPU 911 that the data of the portion that differs (“Taro Yamada” in the examples of FIGS. 3 and 5) is the user name data 415.

  The response specifying unit 104 specifies, by the CPU 911, as one response group, the HTTP responses 402 that share the same name data 415 extracted in step S103 (for example, the HTTP responses 402 including the page data 412 of the Web pages 312 and 313) among the plurality of HTTP responses 402 restored in step S102 (step S104: response identifying process). At this time, the response specifying unit 104 may target only a plurality of HTTP responses 402 restored in step S102 from IP packets 212 having the same transmission source IP address. That is, the response specifying unit 104 may specify, by the CPU 911, as one response group, the HTTP responses 402 that are carried in IP packets 212 having the same source IP address and that share the same name data 415 extracted in step S103. This improves the accuracy when the access history data generation unit 105 estimates that the same user has accessed. In step S104, the response specifying unit 104 also uses the CPU 911 to specify the HTTP request 401 corresponding to each HTTP response 402 in the response group among the plurality of HTTP requests 401 restored in step S102.

  The access history data generation unit 105 estimates that the same user has accessed the Web pages whose page data 412 is included in the HTTP responses 402 of the response group specified in step S104. Then, the access history data generation unit 105 causes the CPU 911 to generate access history data indicating that the same user has accessed those Web pages. For example, first, the access history data generation unit 105 extracts the URL data 411 from each HTTP request 401 that was specified in step S104 as corresponding to each HTTP response 402 of the response group specified in step S104. Next, the access history data generation unit 105 treats the URL data 411 extracted from each HTTP request 401 as the URL data 411 of the Web page whose page data 412 is included in the corresponding HTTP response 402 of the response group specified in step S104, and generates a combination of that URL data 411 and access time data as access history data. Then, the access history data generation unit 105 stores the generated access history data in the magnetic disk device 920 (step S105: access history data generation process).

  Based on the access history data stored in step S105, the access analysis unit 106 analyzes the actions of individual users by the CPU 911 (step S106: access analysis processing). For example, if the access history data is a combination of URL data 411 of a Web page and time data of access to the Web page, the access analysis unit 106 analyzes, for each user, which Web pages were accessed and in what order. Further, the access analysis unit 106 analyzes which Web page the user is interested in, which product was purchased, or from which Web page the user left the website without purchasing a product, and displays the analysis result on the screen of the display device 901.
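  Steps S103 to S105 can be sketched as follows; this is an added example, not code from the patent. It handles the case where pages with the same URL are compared between two different logged-in users, and the record layout, the address, the URLs and the page bodies are all constructed for illustration.

```python
import difflib
from collections import defaultdict
from itertools import combinations
from typing import NamedTuple

class Restored(NamedTuple):
    """One restored request/response pair (field layout is an assumption)."""
    time: str    # capture time of the response (ISO 8601 sorts lexically)
    src_ip: str  # source address of the IP packet 212 that carried the response
    url: str     # URL data 411 from the matching HTTP request 401
    body: str    # page data 412 from the HTTP response 402

def replaced_spans(body_a, body_b):
    """Step S103: text that sits at the same position in two pages but differs."""
    a, b = body_a.split(), body_b.split()
    matcher = difflib.SequenceMatcher(None, a, b, autojunk=False)
    spans = set()
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag == "replace":  # inserts/deletes (e.g. a page with no greeting) are skipped
            spans.add(" ".join(a[i1:i2]))
            spans.add(" ".join(b[j1:j2]))
    return spans

def candidate_names(responses):
    """Compare every pair of responses for the same URL and collect the differing text."""
    by_url = defaultdict(list)
    for r in responses:
        by_url[r.url].append(r)
    names = set()
    for same_url in by_url.values():
        for x, y in combinations(same_url, 2):
            names |= replaced_spans(x.body, y.body)
    return names

def access_history(responses):
    """Steps S104 and S105: group by (source address, name) and list visits in time order."""
    names = candidate_names(responses)
    groups = defaultdict(list)
    for r in responses:
        for name in names:
            if name in r.body:
                groups[(r.src_ip, name)].append((r.time, r.url))
    return {key: sorted(visits) for key, visits in groups.items()}

def page(greeting, content):
    # Constructed page data 412: an optional greeting followed by page content.
    return f"<html><body> {greeting} <h1>{content}</h1> </body></html>"

SERVER = "192.0.2.10"  # constructed address (documentation range)
TARO = "<p>Hello, Taro Yamada san</p>"
HANAKO = "<p>Hello, Hanako Suzuki san</p>"

# Constructed capture: one not-logged-in visitor and two logged-in users.
SAMPLE = [
    Restored("2008-01-31T10:00:00", SERVER, "/", page("", "Top")),
    Restored("2008-01-31T10:00:05", SERVER, "/", page(TARO, "Top")),
    Restored("2008-01-31T10:00:09", SERVER, "/", page(HANAKO, "Top")),
    Restored("2008-01-31T10:00:20", SERVER, "/item/42", page(TARO, "Item 42")),
    Restored("2008-01-31T10:00:31", SERVER, "/item/7", page(HANAKO, "Item 7")),
    Restored("2008-01-31T10:00:44", SERVER, "/cart", page(TARO, "Cart")),
]

if __name__ == "__main__":
    for (src_ip, name), visits in access_history(SAMPLE).items():
        print(name, [url for _, url in visits])
```

  Any other text that varies between two responses for the same URL (a clock, a rotating banner) also becomes a candidate with this comparison, so a practical extractor has to filter the candidates before grouping.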

  Thus, in this embodiment, in the access analysis device 100, the request / response restoration unit 102 analyzes the plurality of IP packets 212 acquired from the packet capture device 205 and restores the plurality of HTTP responses 402. The individual setting data extracting unit 103 extracts, from each of the plurality of restored HTTP responses 402, individual setting data set individually for the user (for example, attribute data extracted by referring to the difference between a logged-in page and a not-logged-in page of the Web page with the same URL, attribute data displayed at a predetermined relative position, attribute data displayed in a range having two specific character strings as its start point and end point, a personal name extracted by referring to personal name dictionary data, or layout setting data common to a plurality of Web pages of the same user). The response identification unit 104 identifies, as one response group, the HTTP responses 402 that share the same extracted individual setting data among the restored HTTP responses 402, and the access history data generation unit 105 estimates that the same user has accessed the Web pages whose page data 412 is included in the HTTP responses 402 of the identified response group. As a result, for example, it becomes possible to grasp the behavior of each user in the website even without implementing a mechanism for performing access analysis in each Web site.

  In the conventional access log type access analysis, since a part of the HTTP request 401 and the HTTP response 402 must be converted into a predetermined format and then output to the access log, the output process takes time. In addition, there is a possibility that the data required for performing the access analysis is a part of the HTTP request 401 or the HTTP response 402 that is not output to the access log. On the other hand, in the packet capture type access analysis, since the packet capture device 205 only needs to store all the IP packets 211 and 212 as they are, the processing speed is high. Also, all IP packets 211 and 212 can be analyzed to restore all HTTP communications. In the present embodiment, it is possible to grasp the user's behavior in more detail than before by analyzing the behavior for each user by making use of such a packet capture type feature.

Embodiment 2.
In the present embodiment, differences from the first embodiment will be mainly described.

  Hereinafter, as in the first embodiment, the access analysis method according to the present embodiment will be described with reference to FIG.

  Steps S101 and S102 and steps S104 to S106 are the same as in the first embodiment.

  In step S103, the individual setting data extraction unit 103 extracts specific display data 413 from each of the plurality of HTTP responses 402 restored in step S102 by the CPU 911 (an example of the processing device 152). Then, the individual setting data extraction unit 103 estimates by the CPU 911 that the data of the portion displayed at a predetermined relative position from the extracted specific display data 413 is attribute data. Specifically, the individual setting data extraction unit 103 estimates that the data of the portion displayed immediately after the extracted specific display data 413 (in the examples of FIGS. 3 and 5, the “Hello” portion if punctuation is ignored) is the user name data 415 (in the examples of FIGS. 3 and 5, the “Taro Yamada” portion if the punctuation mark and the “san” added after the name are ignored).

  In step S103, the individual setting data extraction unit 103 can extract not only the specific display data 413 but also the specific display data 416 from each of the plurality of HTTP responses 402 restored in step S102. In this case, the individual setting data extraction unit 103 uses the CPU 911 to infer that the portion of data displayed in the range having the extracted specific display data 413 and 416 as the start point and the end point is attribute data. Specifically, the individual setting data extraction unit 103 estimates that the data of the portion displayed between the extracted specific display data 413 and 416 (in the examples of FIGS. 3 and 5, the “Hello” portion and the “Mr.” portion if punctuation is ignored), that is, the “Taro Yamada” portion in the examples of FIGS. 3 and 5, is the user name data 415.

  As described above, according to the present embodiment, it is possible to easily find where in each HTTP response 402 the user attribute data is included.

Embodiment 3.
In the present embodiment, differences from the first embodiment will be mainly described.

  Hereinafter, as in the first embodiment, the access analysis method according to the present embodiment will be described with reference to FIG.

  Steps S101 and S102 and steps S104 to S106 are the same as in the first embodiment.

  It is assumed that personal name dictionary data is stored in advance in the magnetic disk device 920 (an example of the storage device 151).

  In step S103, the individual setting data extraction unit 103 uses the dictionary data stored in the magnetic disk device 920 to extract, by the CPU 911 (an example of the processing device 152), from each of the plurality of HTTP responses 402 restored in step S102, the data of the portion in which a personal name is displayed on the Web page (the data of “Taro Yamada” in the examples of FIGS. 3 and 5). Then, the individual setting data extraction unit 103 estimates by the CPU 911 that the data of the part is the user name data 415.

  Thus, according to the present embodiment, it is possible to easily find the user name data 415 included in each HTTP response 402.

Embodiment 4.
In the present embodiment, differences from the first embodiment will be mainly described.

  Similar to the first embodiment, FIG. 2 shows an example of a web page 311 displayed on the web browser screen 301 of the user terminal 201 when the user is not logged in.

  Although not shown, the Web server 202 receives the IP packet 211 containing the HTTP request 401 including the URL data 411 of the Web page 311 shown in FIG. An HTTP response 402 including the page data 412 of the Web page 311 is generated. At this time, the Web server 202 adds layout setting data indicating a layout set by default to the page data 412. The Web server 202 returns an HTTP response 402 including the page data 412 with the layout setting data added thereto to the user terminal 201 with the IP packet 212.

  When the user terminal 201 receives the IP packet 212 carrying the HTTP response 402 from the Web server 202, the Web browser operating on the user terminal 201 displays the Web page 311 on the Web browser screen 301 based on the page data 412 included in the HTTP response 402. As shown in FIG. 2, for example, based on the layout setting data added to the page data 412, the Web browser displays in the menu 323, in a preset order, the links 324 to the Web pages for selling products of the product categories set by default.

  FIG. 10 shows an example of a web page 312 displayed on the web browser screen 301 of the user terminal 201 immediately after the user logs in.

  Although not shown, when the Web server 202 receives from the user terminal 201 the IP packet 211 carrying the HTTP request 401 including the authentication data 414 when the user is not logged in, it authenticates the user based on the authentication data 414 included in the HTTP request 401. When the user authentication is successful, the Web server 202 generates an HTTP response 402 including the page data 412 of the Web page 312 shown in FIG. At this time, the Web server 202 adds, to the page data 412, layout setting data indicating the layout set by the user in common for a plurality of Web pages in the same Web site as individual setting data of the logged-in user. The Web server 202 returns an HTTP response 402 including the page data 412 with the layout setting data added thereto to the user terminal 201 with the IP packet 212.

  When the user terminal 201 receives the IP packet 212 carrying the HTTP response 402 from the Web server 202, the Web browser operating on the user terminal 201 displays the Web page 312 on the Web browser screen 301 based on the page data 412 included in the HTTP response 402. As shown in FIG. 10, for example, based on the layout setting data added to the page data 412, the Web browser displays in the menu 323, in the order preset by the user, the links 324 to the Web pages for selling products in the product categories previously selected by the logged-in user.

  FIG. 11 shows an example of a web page 313 displayed on the web browser screen 301 of the user terminal 201 while the user is logged in.

  Although not shown, the Web server 202 receives the IP packet 211 containing the HTTP request 401 including the URL data 411 of the Web page 313 shown in FIG. An HTTP response 402 including the page data 412 of the Web page 313 is generated. At this time, the Web server 202 adds, to the page data 412, layout setting data indicating the layout set by the user in common for a plurality of Web pages in the same Web site as individual setting data of the logged-in user. The Web server 202 returns an HTTP response 402 including the page data 412 with the layout setting data added thereto to the user terminal 201 with the IP packet 212.

  When the user terminal 201 receives the IP packet 212 carrying the HTTP response 402 from the Web server 202, the Web browser operating on the user terminal 201 displays the Web page 313 on the Web browser screen 301 based on the page data 412 included in the HTTP response 402. As shown in FIG. 11, for example, based on the layout setting data added to the page data 412, the Web browser displays in the menu 323, in the order preset by the user, the links 324 to the Web pages for selling products in the product categories selected in advance by the logged-in user.

  When the Web page 311 shown in FIG. 2 is compared with the Web page 312 shown in FIG. 10, the URL 321 and the contents displayed on the right side and the center are the same, but the type, number, and order of the items (links 324) of the menu 323 displayed on the left side of the Web page 311 differ from those of the menu 323 displayed on the left side of the Web page 312. Further, when the Web page 312 shown in FIG. 10 and the Web page 313 shown in FIG. 11 are compared, the URL 321 and the contents displayed on the right side and the center are different, but the type, number, and order of items in the menu 323 displayed on the left side of the Web pages 312 and 313 are the same. As described above, in the website in the above example, when the user logs in, the type, number, and order of items of the menu 323 displayed on the left side of each Web page are displayed as set by the logged-in user.

  Hereinafter, as in the first embodiment, the access analysis method according to the present embodiment will be described with reference to FIG.

  Steps S101, S102, S105, and S106 are the same as those in the first embodiment.

  In step S103, the individual setting data extraction unit 103 extracts layout setting data as individual setting data from each of the plurality of HTTP responses 402 restored in step S102 by the CPU 911 (an example of the processing device 152).

  In step S104, the response identifying unit 104 identifies, by the CPU 911, as one response group, the HTTP responses 402 that share the same layout setting data extracted in step S103 among the plurality of HTTP responses 402 restored in step S102. At this time, the response specifying unit 104 may target only a plurality of HTTP responses 402 restored in step S102 from IP packets 212 having the same transmission source IP address. That is, the response specifying unit 104 may specify, by the CPU 911, as one response group, the HTTP responses 402 that are carried in IP packets 212 having the same transmission source IP address and that share the same layout setting data extracted in step S103. This improves the accuracy when the access history data generation unit 105 estimates that the same user has accessed.
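  The layout-based grouping of this embodiment can be sketched as follows; this is an added example, not code from the patent. It assumes the menu 323 is rendered as a `<ul id="menu">` list of links, and it skips the default layout, since every not-logged-in visitor shares it; both choices, and all sample values, are assumptions of the example.

```python
from collections import defaultdict
from html.parser import HTMLParser

class MenuLinks(HTMLParser):
    """Collect the hrefs of links inside <ul id="menu"> in document order."""

    def __init__(self):
        super().__init__()
        self.depth = 0   # greater than 0 while inside the menu list
        self.links = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "ul" and (self.depth or attrs.get("id") == "menu"):
            self.depth += 1
        elif tag == "a" and self.depth and attrs.get("href"):
            self.links.append(attrs["href"])

    def handle_endtag(self, tag):
        if tag == "ul" and self.depth:
            self.depth -= 1

def layout_of(body):
    """Step S103: the type, number and order of menu items as a hashable tuple."""
    parser = MenuLinks()
    parser.feed(body)
    parser.close()
    return tuple(parser.links)

def group_by_layout(responses, default_layout):
    """Step S104: one response group per (source address, layout)."""
    groups = defaultdict(list)
    for time, src_ip, url, body in responses:
        layout = layout_of(body)
        if not layout or layout == default_layout:
            continue  # the default menu identifies nobody (assumption of this example)
        groups[(src_ip, layout)].append((time, url))
    return {key: sorted(visits) for key, visits in groups.items()}

def page(menu, content):
    # Constructed page data 412: a menu, page content, and one link outside the menu.
    items = "".join(f'<li><a href="{h}">{h}</a></li>' for h in menu)
    return (f'<html><body><ul id="menu">{items}</ul>'
            f'<h1>{content}</h1><a href="/help">Help</a></body></html>')

SERVER = "192.0.2.10"  # constructed address (documentation range)
DEFAULT = ("/c/books", "/c/music", "/c/games")
USER_A = ("/c/games", "/c/books")
USER_B = ("/c/music", "/c/toys", "/c/books")

# Constructed capture: (time, source address, URL, page data).
SAMPLE = [
    ("2008-01-31T10:00:00", SERVER, "/", page(DEFAULT, "Top")),
    ("2008-01-31T10:00:05", SERVER, "/", page(USER_A, "Top")),
    ("2008-01-31T10:00:09", SERVER, "/", page(USER_B, "Top")),
    ("2008-01-31T10:00:20", SERVER, "/item/42", page(USER_A, "Item 42")),
    ("2008-01-31T10:00:44", SERVER, "/cart", page(USER_A, "Cart")),
]

if __name__ == "__main__":
    for (src_ip, layout), visits in group_by_layout(SAMPLE, DEFAULT).items():
        print(layout, [url for _, url in visits])
```

  Two users who happen to choose the same menu items in the same order fall into one group with this key, which is why narrowing by address as described above matters for accuracy.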

  Although embodiments of the present invention have been described above, two or more of these embodiments may be implemented in combination. Alternatively, one of these embodiments may be partially implemented. Alternatively, two or more of these embodiments may be partially combined and implemented.

A diagram illustrating an example of a usage pattern of an access analysis device according to Embodiment 1.
A diagram illustrating an example of a Web page displayed on a Web browser screen in Embodiment 1.
A diagram illustrating an example of HTTP communication according to Embodiment 1.
A diagram illustrating an example of a Web page displayed on a Web browser screen in Embodiment 1.
A diagram illustrating an example of HTTP communication according to Embodiment 1.
A diagram illustrating an example of a Web page displayed on a Web browser screen in Embodiment 1.
A block diagram illustrating a configuration of an access analysis device according to Embodiment 1.
A diagram illustrating an example of hardware resources of the access analysis apparatus according to Embodiment 1.
A flowchart illustrating an access analysis method according to Embodiment 1.
A diagram illustrating an example of a Web page displayed on a Web browser screen in Embodiment 4.
A diagram illustrating an example of a Web page displayed on a Web browser screen in Embodiment 4.

Explanation of symbols

  100 Access analysis device, 101 Packet acquisition unit, 102 Request / response restoration unit, 103 Individual setting data extraction unit, 104 Response identification unit, 105 Access history data generation unit, 106 Access analysis unit, 151 Storage device, 152 Processing device, 153 Input device, 154 Output device, 201 User terminal, 202 Web server, 203 Internet, 204 Network device, 205 Packet capture device, 211, 212 IP packet, 301 Web browser screen, 311, 312, 313 Web page, 321 URL, 322, 326 Specific character string, 323 Menu, 324 Link, 325 Name, 401 HTTP request, 402 HTTP response, 411 URL data, 412 Page data, 413, 416 Specific display data, 414 Authentication data, 415 Name data, 901 Display device, 902 Keyboard, 903 Mouse, 904 FDD, 905 CDD, 906 Printer device, 911 CPU, 912 Bus, 913 ROM, 914 RAM, 915 Communication board, 920 Magnetic disk device, 921 Operating system, 922 Window system, 923 Program group, 924 File group.

Claims (14)

  1. An access analysis apparatus comprising:
    a packet acquisition unit that acquires a plurality of packets from a packet capture device and stores them in a storage device, the packet capture device collecting packets each carrying a response that is returned by a Web server in response to a request from a user and that includes page data of a Web page to which the user requests access and attribute data of the logged-in user that is added by the Web server to the page data of the Web page;
    a response restoration unit that analyzes the plurality of packets stored by the packet acquisition unit and restores, by a processing device, a plurality of responses carried in the plurality of packets;
    an individual setting data extraction unit that extracts, by a processing device, attribute data from each of the plurality of responses restored by the response restoration unit;
    a response identifying unit that identifies, as one response group, the responses that share the same attribute data extracted by the individual setting data extraction unit among the plurality of responses restored by the response restoration unit; and
    an access history data generation unit that estimates that the same user has accessed the Web pages whose page data is included in the responses of the response group identified by the response identifying unit, and generates, by a processing device, access history data indicating that the same user has accessed the Web pages.
  2. The access analysis apparatus according to claim 1, wherein the individual setting data extraction unit compares the page data of a Web page in which the user is logged in with the page data of a Web page in which the user is not logged in or of a Web page in which another user is logged in, and estimates, by the processing device, that the data of the portion that differs is attribute data.
  3. The access analysis apparatus according to claim 1 or 2, wherein the packet capture device collects packets each carrying a response including, as attribute data, attribute data that is displayed, on a Web page to which a logged-in user requests access, at a predetermined relative position from specific display data or in a range having two pieces of specific display data as its start point and end point, respectively, and
    the individual setting data extraction unit extracts the specific display data from each of the plurality of responses restored by the response restoration unit, and estimates, by the processing device, that the data of the portion displayed at the predetermined relative position from the specific display data, or in the range, is attribute data.
  4. The access analysis apparatus according to any one of claims 1 to 3, wherein the packet capture device collects packets each carrying a response including, as attribute data, name data of the user displayed on a Web page to which the logged-in user requests access,
    the storage device stores personal name dictionary data in advance, and
    the individual setting data extraction unit uses the dictionary data stored in the storage device to extract, from each of the plurality of responses restored by the response restoration unit, the data of a portion in which a personal name is displayed on a Web page, and estimates, by the processing device, that the data of the portion is the name data.
  5. An access analysis apparatus comprising:
    a packet acquisition unit that acquires a plurality of packets from a packet capture device and stores them in a storage device, the packet capture device collecting packets each carrying a response that is returned by a Web server in response to a request from a user and that includes page data of a Web page to which the user requests access and layout setting data that is added by the Web server to the page data of the Web page and indicates a layout set by the logged-in user in common for a plurality of Web pages;
    a response restoration unit that analyzes the plurality of packets stored by the packet acquisition unit and restores, by a processing device, a plurality of responses carried in the plurality of packets;
    an individual setting data extraction unit that extracts, by a processing device, layout setting data from each of the plurality of responses restored by the response restoration unit;
    a response specifying unit that specifies, as one response group, the responses that share the same layout setting data extracted by the individual setting data extraction unit among the plurality of responses restored by the response restoration unit; and
    an access history data generation unit that estimates that the same user has accessed the Web pages whose page data is included in the responses of the response group identified by the response identifying unit, and generates, by a processing device, access history data indicating that the same user has accessed the Web pages.
  6. The access analysis apparatus according to any one of claims 1 to 5, wherein the response specifying unit specifies, by the processing device, as one response group, responses for which the data extracted by the individual setting data extraction unit is common, from among the plurality of responses restored by the response restoration unit from packets having the same source address.
  7. An access analysis method, wherein a packet capture device collects packets carrying responses that are returned by a Web server in response to requests from a user, each response including page data of a Web page to which the user requests access and attribute data of the user that the Web server adds to the page data of a Web page to which the user requests access while logged in,
    a packet acquisition unit of an access analysis device acquires a plurality of packets collected by the packet capture device and stores them in a storage device,
    a response restoration unit of the access analysis device analyzes the plurality of packets stored by the packet acquisition unit and restores, by a processing device, a plurality of responses transmitted in the plurality of packets,
    an individual setting data extraction unit of the access analysis device extracts, by the processing device, attribute data from each of the plurality of responses restored by the response restoration unit,
    a response specifying unit of the access analysis device specifies, by the processing device, as one response group, responses for which the attribute data extracted by the individual setting data extraction unit is common, from among the plurality of responses restored by the response restoration unit, and
    an access history data generation unit of the access analysis device estimates that the same user has accessed the Web pages including the page data in each response of the response group specified by the response specifying unit, and generates, by the processing device, access history data indicating that the same user has accessed the Web pages.
  8. An access analysis method, wherein a packet capture device collects packets carrying responses that are returned by a Web server in response to requests from a user, each response including page data of a Web page to which the user requests access and layout setting data that the Web server adds to the page data of a Web page to which the user requests access while logged in, the layout setting data indicating a layout commonly set by the user on a plurality of Web pages,
    a packet acquisition unit of an access analysis device acquires a plurality of packets collected by the packet capture device and stores them in a storage device,
    a response restoration unit of the access analysis device analyzes the plurality of packets stored by the packet acquisition unit and restores, by a processing device, a plurality of responses transmitted in the plurality of packets,
    an individual setting data extraction unit of the access analysis device extracts, by the processing device, layout setting data from each of the plurality of responses restored by the response restoration unit,
    a response specifying unit of the access analysis device specifies, by the processing device, as one response group, responses for which the layout setting data extracted by the individual setting data extraction unit is common, from among the plurality of responses restored by the response restoration unit, and
    an access history data generation unit of the access analysis device estimates that the same user has accessed the Web pages including the page data in each response of the response group specified by the response specifying unit, and generates, by the processing device, access history data indicating that the same user has accessed the Web pages.
  9. An access analysis program that causes a computer to execute: packet acquisition processing for acquiring a plurality of packets from a packet capture device and storing them in a storage device, the packet capture device collecting packets carrying responses that are returned by a Web server in response to requests from a user, each response including page data of a Web page to which the user requests access and attribute data of the user that the Web server adds to the page data of a Web page to which the user requests access while logged in;
    response restoration processing for analyzing the plurality of packets stored by the packet acquisition processing and restoring, by a processing device, a plurality of responses transmitted in the plurality of packets;
    individual setting data extraction processing for extracting, by a processing device, attribute data from each of the plurality of responses restored by the response restoration processing;
    response specifying processing for specifying, as one response group, responses for which the attribute data extracted by the individual setting data extraction processing is common, from among the plurality of responses restored by the response restoration processing; and
    access history data generation processing for estimating that the same user has accessed the Web pages including the page data in each response of the response group specified by the response specifying processing, and generating, by a processing device, access history data indicating that the same user has accessed the Web pages.
  10. The access analysis program according to claim 9, wherein the individual setting data extraction processing compares the page data of a Web page in which the user is logged in with the page data of a Web page in which the user is not logged in or a Web page in which another user is logged in, and the processing device estimates that the data is attribute data.
  11. The access analysis program according to claim 9 or 10, wherein the packet capture device collects packets carrying responses that include, as attribute data, data displayed at a specific relative position from specific display data on a Web page to which a logged-in user requests access, or in a range having two specific display data as its starting point and ending point, respectively, and
    the individual setting data extraction processing extracts the specific display data from each of the plurality of responses restored by the response restoration processing, and the processing device estimates that the data of the portion displayed at the predetermined relative position from the specific display data, or in the range, is attribute data.
  12. The access analysis program according to any one of claims 9 to 11, wherein the packet capture device collects packets carrying responses that include, as attribute data, name data of the user displayed on a Web page to which the logged-in user requests access,
    the storage device stores personal name dictionary data in advance, and
    the individual setting data extraction processing uses the dictionary data stored in the storage device to extract, from each of the plurality of responses restored by the response restoration processing, the data of a part that displays a person's name on a Web page, and the processing device estimates that the data of the part is name data.
  13. An access analysis program that causes a computer to execute: packet acquisition processing for acquiring a plurality of packets from a packet capture device and storing them in a storage device, the packet capture device collecting packets carrying responses that are returned by a Web server in response to requests from a user, each response including page data of a Web page to which the user requests access and layout setting data that the Web server adds to the page data of a Web page to which the user requests access while logged in, the layout setting data indicating a layout commonly set by the user on a plurality of Web pages;
    response restoration processing for analyzing the plurality of packets stored by the packet acquisition processing and restoring, by a processing device, a plurality of responses transmitted in the plurality of packets;
    individual setting data extraction processing for extracting, by a processing device, layout setting data from each of the plurality of responses restored by the response restoration processing;
    response specifying processing for specifying, as one response group, responses for which the layout setting data extracted by the individual setting data extraction processing is common, from among the plurality of responses restored by the response restoration processing; and
    access history data generation processing for estimating that the same user has accessed the Web pages including the page data in each response of the response group specified by the response specifying processing, and generating, by a processing device, access history data indicating that the same user has accessed the Web pages.
  14. The access analysis program according to any one of claims 9 to 13, wherein the response specifying processing specifies, by the processing device, as one response group, responses for which the data extracted by the individual setting data extraction processing is common, from among the plurality of responses restored by the response restoration processing from packets having the same source address.
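
The grouping described in claims 3 and 6, as an added example that is not part of the patent text: attribute data is taken from the range between two specific display data, and responses are grouped only when both the address and the extracted attribute data match. The marker strings, addresses, names and page bodies are constructed, and the address key is assumed to identify the client side of the connection.

```python
# Added illustration, not code from the patent. Markers, field names and
# sample responses are constructed assumptions.
import re
from collections import defaultdict

# Hypothetical "specific display data" used as start and end of the range.
START, END = "Welcome, ", "!"
ATTR_RE = re.compile(re.escape(START) + r"(.+?)" + re.escape(END))

# Constructed restored responses: (address, requested URL, page body).
# The address is assumed to be the client side of the captured connection.
RESPONSES = [
    ("192.0.2.10", "/top", "<p>Welcome, Taro Yamada!</p><h1>Top</h1>"),
    ("192.0.2.10", "/cart", "<p>Welcome, Hanako Sato!</p><h1>Cart</h1>"),
    ("192.0.2.10", "/item/7", "<p>Welcome, Taro Yamada!</p><h1>Item 7</h1>"),
    ("198.51.100.5", "/top", "<p>Welcome, Taro Yamada!</p><h1>Top</h1>"),
    ("198.51.100.5", "/login", "<h1>Please log in</h1>"),
]


def extract_attribute(body):
    """Return the data displayed between the two markers, or None."""
    match = ATTR_RE.search(body)
    return match.group(1) if match else None


def build_access_history(responses):
    """Group responses that share both address and attribute data.

    Returns (history, unattributed): history maps (address, attribute)
    to the list of URLs estimated to belong to one user; unattributed
    holds responses with no attribute data (for example, not logged in).
    """
    groups = defaultdict(list)
    unattributed = []
    for addr, url, body in responses:
        attr = extract_attribute(body)
        if attr is None:
            unattributed.append((addr, url))
        else:
            # Two users behind one shared address stay in separate groups,
            # and the same name seen from another address is not merged.
            groups[(addr, attr)].append(url)
    return dict(groups), unattributed


if __name__ == "__main__":
    history, rest = build_access_history(RESPONSES)
    for (addr, attr), urls in history.items():
        print(addr, attr, urls)
    print("unattributed:", rest)
```
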
JP2008021540A 2008-01-31 2008-01-31 Access analysis device, access analysis method, and access analysis program Expired - Fee Related JP5178219B2 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
JP2008021540A JP5178219B2 (en) 2008-01-31 2008-01-31 Access analysis device, access analysis method, and access analysis program

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
JP2008021540A JP5178219B2 (en) 2008-01-31 2008-01-31 Access analysis device, access analysis method, and access analysis program

Publications (2)

Publication Number Publication Date
JP2009181459A JP2009181459A (en) 2009-08-13
JP5178219B2 JP5178219B2 (en) 2013-04-10

Family

ID=41035370

Family Applications (1)

Application Number Title Priority Date Filing Date
JP2008021540A Expired - Fee Related JP5178219B2 (en) 2008-01-31 2008-01-31 Access analysis device, access analysis method, and access analysis program

Country Status (1)

Country Link
JP (1) JP5178219B2 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
USRE34913E (en) 1979-08-31 1995-04-25 Yamaha Corporation Electronic musical instrument

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP5322972B2 (en) * 2010-02-24 2013-10-23 三菱スペース・ソフトウエア株式会社 Web screen restoration device, web screen restoration method, and web screen restoration program
EP3518169A1 (en) 2010-09-22 2019-07-31 The Nielsen Company (US), LLC Methods and apparatus to determine impressions using distributed demographic information
JP5709448B2 (en) * 2010-09-29 2015-04-30 三菱スペース・ソフトウエア株式会社 Access analysis device, access analysis method, and access analysis program
US20140337104A1 (en) * 2013-05-09 2014-11-13 Steven J. Splaine Methods and apparatus to determine impressions using distributed demographic information
US10045082B2 (en) 2015-07-02 2018-08-07 The Nielsen Company (Us), Llc Methods and apparatus to correct errors in audience measurements for media accessed using over-the-top devices
US10380633B2 (en) 2015-07-02 2019-08-13 The Nielsen Company (Us), Llc Methods and apparatus to generate corrected online audience measurement data
JP6347567B1 (en) * 2017-10-23 2018-06-27 株式会社サードパーティートラスト Information processing system, processing method, processing program

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
NZ534642A (en) * 2002-01-31 2006-06-30 Witness Systems Inc Method, apparatus, and system for capturing, processing, and/or playing selected data exchanged between a server and a user
JP2006120130A (en) * 2004-09-21 2006-05-11 Software Partner:Kk System and method for managing access log

Also Published As

Publication number Publication date
JP2009181459A (en) 2009-08-13

Similar Documents

Publication Publication Date Title
US7287071B2 (en) Transaction management system
CN1249625C (en) Electronic recognition method for consumer
CA2603423C (en) Method and system for transferring web browser data between web browsers
US7966219B1 (en) System and method for integrated recommendations
CA2345540C (en) Computer-readable recorded medium on which image file is recorded, device for producing the recorded medium, medium on which image file creating program is recorded, device for transmitting image file, device for processing image file, and medium on which image file processing program is recorded
CN103907112B (en) Managing information associated with network resources
TW518498B (en) Gathering enriched web server activity data of cached web content
CN1185843C (en) Method of monitoring Internet communication
US7853558B2 (en) Intelligent augmentation of media content
ES2679286T3 (en) Distinguish valid users of robots, OCR and third-party solvers when CAPTCHA is presented
US7512569B2 (en) User defined components for content syndication
JP4493249B2 (en) Network system, server, timeout time information providing method, and program
US20080005686A1 (en) Methods, systems, and computer program products for grouping tabbed portion of a display object based on content relationships and user interaction levels
US8560964B2 (en) Method and system for predictive browsing
CN1128415C (en) Inquiry sort based webpage making method and system
US6714931B1 (en) Method and apparatus for forming user sessions and presenting internet data according to the user sessions
US8640037B2 (en) Graphical overlay related to data mining and analytics
US20130132833A1 (en) Systems and Methods For Remote Tracking And Replay Of User Interaction With A Webpage
US7610276B2 (en) Internet site access monitoring
JP2007510986A (en) Techniques for analyzing website performance
EP2433258B1 (en) Protected serving of electronic content
KR100619178B1 (en) Method and apparatus for detecting invalid clicks on the internet search engine
US20100094860A1 (en) Indexing online advertisements
JP2008507057A (en) Improved user interface
CN101504671B (en) Visible processing method, apparatus and system for web page access behavior of users

Legal Events

Date Code Title Description
A621 Written request for application examination

Free format text: JAPANESE INTERMEDIATE CODE: A621

Effective date: 20110125

A977 Report on retrieval

Free format text: JAPANESE INTERMEDIATE CODE: A971007

Effective date: 20120425

A131 Notification of reasons for refusal

Free format text: JAPANESE INTERMEDIATE CODE: A131

Effective date: 20120508

A521 Written amendment

Free format text: JAPANESE INTERMEDIATE CODE: A523

Effective date: 20120613

A01 Written decision to grant a patent or to grant a registration (utility model)

Free format text: JAPANESE INTERMEDIATE CODE: A01

Effective date: 20121211

A61 First payment of annual fees (during grant procedure)

Free format text: JAPANESE INTERMEDIATE CODE: A61

Effective date: 20130108

LAPS Cancellation because of no payment of annual fees