JP5302149B2 - WEB access log confirmation system, method and program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To enable the safe review of a virus infected site which is detected once. <P>SOLUTION: This WEB access log confirmation system 100 includes a WEB access log acquisition unit 114 that acquires browsing history information 13; a WEB page virus scan check unit 115 that detects virus infection; a virus detection information acquisition unit 116 that registers a URL or the like of a virus-infected WEB page to virus detection information 14 to the WEB access log acquisition unit; a virus detection site image information acquisition unit 117 that acquires a capture image 15 of the virus-infected WEB page; a browsing route generation processing unit 120 that extracts each WEB page browsed up to the virus-infected Web page in reference to browsing history information 13, 16 for WEB pages, generates a browsing route map in which each WEB page is displayed by an icon in the order of browsing; a virus detection site image information transmission unit 113 that returns a capture image of the virus-infected WEB page to the request source in response to a browsing request for the virus-infected WEB page. <P>COPYRIGHT: (C)2011,JPO&amp;INPIT

Description

  The present invention relates to a virus detection technique for a WEB page, and more particularly, to a technique suitable for improving the efficiency of management work for a WEB page in which a virus infection is detected.

  In recent years, the damage of virus infection on WEB pages and emails transmitted and received on the Internet has become remarkable. In order to prevent the spread of damage caused by viruses, security software such as vaccine software, WEB security software, and mail security software has been developed and spread. They detect viruses, quarantine and delete them, and prevent damage from virus infections.

  However, if a virus infection is detected while browsing the Internet using a terminal of the internal network in a configuration where the internal network established by an organization such as a company is connected to the Internet, the administrator of the internal network checks the virus infection status, Work such as confirmation of the WEB page being browsed, search key investigation when using a search site, and creation of a “virus countermeasure report” are generally required, and the following work generally occurs.

・ Receiving virus detection report from WEB security software.
-Confirmation of virus infection status by log survey.
・ Interview survey of WEB browser operations for users.
・ Understanding the virus infection route (WEB browsing route).
・ Understanding search site search keys.
・ Create “Anti-Virus Report”.

  These operations are based on the URL of the WEB page detected by the WEB security software, check the WEB access log, check the virus infection route (WEB browsing route) and search site search key, It becomes the work of putting it together in a “report”.

  Further, when the WEB browsing route is confirmed based on the WEB access log, the following work is required.

(1) Confirm URL of virus infected site.
(2) Extraction of user's WEB access log.
(3) The URL confirmation of the link source WEB page of the URL of the virus infected site from the user's WEB access log is repeated until there is no link source.
(4) The URLs extracted in (3) are arranged in chronological order, and each WEB page is opened and confirmed.

  In this work, if there is a Referrer log (URL of the link source page) in the WEB access log, it is easy to confirm the link source URL, but if there is no Referer log, it is necessary to investigate the link source URL.

  In addition, in order to confirm what kind of search the user is performing, it is necessary to extract and check the search key portion of the WEB access log.

  In this way, the administrator's work when a virus is infected involves a lot of manual work, such as checking the URL of the virus-infected site, checking the web browsing route, searching the search key, and creating a report. This is inefficient.

  In addition, the Web security server and proxy server that is provided at the connection point between the internal network and the Internet and monitors the virus infection holds the URL of the virus-infected site and the WEB access log, but grasps the WEB browsing route. However, in order to perform re-display with the WEB browser, a manual operation is required, which is very time-consuming and complicated.

  The above-described Web security server / proxy server has a function of preventing access to a virus-infected site when it is detected by an Internet connection terminal of an organization (internal network) for the purpose of preventing access to the virus-infected site. It has.

  That is, the Web security server / proxy server registers the URL of the virus-infected site in a black list, and when an access request to the Internet is made, the URL of the HTTP request is compared with the URL registered in the black list, and the matching WEB page is displayed. Since access can be prohibited, virus infection can be prevented in advance. However, since the WEB page once detected with the virus cannot be browsed, the WEB page cannot be confirmed.

  As a technique for detecting a virus-infected site on the WEB site side and preventing a virus from entering the user environment, there is one described in Patent Document 1. This technology is programmed and computer-processed to automatically circulate a vast amount of WEB sites on the Internet to check virus-infected sites, accumulate the results in a database, and store the virus-infected sites registered in the database. In addition to preventing user access, the virus infection site is notified of the virus infection, and when the virus removal at the site is completed, the notification is received and the virus infected site is deleted from the database to keep the latest state.

  Moreover, there exists a thing of patent document 2 as a technique which displays the log | history of a WEB browser. In this technology, when a user wants to browse a WEB page that has been browsed in the past, the WEB page that is considered to be the transition source or transition destination of the WEB page is recalled, the browsing date is specified by the period, and By specifying the number of links to be displayed from the recalled WEB page, the history target is narrowed down and the history is displayed in the network structure, which is very effective for finding WEB pages that have been browsed in the past. is there. In particular, there is an advantage that the browsing history can be visually grasped by displaying the network structure.

JP 2001-222425 A JP 2006-343905 A

  Details of the problems of the prior art relating to the operations (1) to (4) necessary for confirming the WEB browsing route based on the WEB access log will be described.

  First, “(1) URL confirmation of virus-infected site” will be described. Even if a virus-infected site that has been detected once is browsed again from an Internet connection terminal and a WEB access log confirmation system terminal that are connected to the internal network of the organization, it is desirable that browsing is possible without detecting the virus.

  For that purpose, it is necessary to acquire a captured image of a virus-infected site once a virus is detected, and to display this captured image in response to an access request to the virus-infected site again.

  In the prior art of Patent Document 1 described above, an automatic patrol robot detects a virus-infected page on the WEB site side while referring to a virus database in which information related to viruses is recorded, and prevents a virus from entering the user environment. If a virus is found, it is recorded in the virus infection database and notified to the WEB site. When a notification that the virus has been removed is received from the WEB site, a virus scan check is performed again. Delete information.

  However, even if the virus infection is notified, the problem is not removed unless the virus on the WEB site is removed. There is also a mechanism that prevents access to virus-infected sites. However, even if a virus is removed, it cannot be accessed without notice, and it cannot be confirmed what WEB page the virus-infected site is.

  It is necessary to solve such problems and to be able to safely browse virus-infected sites once detected with a simple mechanism.

  Next, “(2) Creation of WEB browsing route and browser redisplay” will be described.

  When a user detects a virus while browsing the Internet, it is desirable that an administrator can visually and efficiently check the WEB browsing route to the user's virus-infected site.

  For that purpose, it is desirable to visually represent the browsed WEB pages by displaying them in time series with icons and connecting the icons with lines. Further, it is necessary to provide a function of redisplaying the WEB page displayed on the WEB browsing route map with a WEB browser so that the WEB page browsed by the user can be reproduced.

  In the prior art of the above-mentioned patent document 2, the history information of the WEB browser is used, the specification of the WEB page that is considered to be the transition source or transition destination of the WEB page to be browsed or the history of a certain period is searched, and the WEB page Display in a network structure with links. As a result, the administrator can check the WEB browsing route in the network structure.

  However, when creating a WEB browsing route to a virus-infected site, it is possible to recall the WEB page that is considered to be the transition source or transition destination of the WEB page, or to specify the period of browsing date. Information that only the user who browses knows is necessary, and it is not easy for the administrator to find the target WEB page.

  Therefore, it is effective to select a target from a list of virus-infected sites, display the WEB browsing route leading to the virus-infected site as an end point. However, the WEB browsing path of the virus-infected site needs to be performed for all users, but since WEB history information is stored in each personal computer, only a specific user using the personal computer can display the WEB browsing path. There is a problem.

  Next, “(3) Warning display and image display when browsing link page of virus-infected site” will be described.

  In the above (1), the necessity of displaying the virus-infected site as an image has been described. However, there are cases where the user does not want the user to view the virus-infected site itself. For example, it may be necessary for an administrator to view the WEB site in a virus-infected site survey, but the virus-infected site itself may contain content that is undesirable for the user.

  In order to prevent the user from browsing the virus-infected site itself, when viewing a WEB page linked to the virus-infected site, the user is warned and the virus-infected site cannot be opened from the link of the WEB page itself. It is necessary to do so.

  Next, “(4) Creation of anti-virus report” will be described.

  Conventionally, the “virus infection report” has been created by using a word processor function to check various logs, user names and computer names detected by viruses, etc., and manually transferring them to the proxy server. It is necessary to improve efficiency by automatically creating an “anti-virus report” using information such as the accumulated WEB access log, virus detection information, and site analysis information.

  As described above, the problems to be solved are that, in the conventional technology, (1) the WEB page where the virus infection is detected cannot be safely browsed again without the virus infection; The browsing path from the network terminal to the Internet WEB page cannot be easily displayed, and (3) the access from the terminal in the internal network to the virus-infected WEB page cannot be prevented efficiently. (4) “Antivirus report” cannot be automatically created without human intervention.

  The object of the present invention is to solve these problems of the prior art, and to efficiently protect the terminals in the internal network from virus contamination of WEB pages on the Internet. It is possible to reduce the workload of the administrator required for protection from virus contamination.

In order to achieve the above object, in the present invention, when it is detected that a WEB page being browsed is infected with a virus, it is possible to visually grasp the browsing route to the WEB page where the virus is detected, and the WEB Re-view pages without virus infection.
In other words, using the WEB access log when browsing a WEB page that has detected a virus infection and the site analysis information of the viewed WEB page, a browsing route map to the virus-infected WEB page is created and displayed on the WEB browser To do.
Specifically, (1) the URL of the virus infected site (WEB page) is used as an end point, the link information of the WEB page accumulated in the site analysis information is used to obtain the link source URL, and the link source URL disappears. This process is repeated until the WEB browsing route is derived by reversing the obtained link source URLs.
In addition, (2) When a plurality of WEB browsing paths are conceivable, a WEB browsing path is created for each pattern.
(3) In the WEB browsing route, each WEB page is displayed as an icon, and the icons are visually displayed in a network structure by connecting with a line in the browsing order.
Further, the WEB browsing route is displayed automatically or in response to an icon pressing operation by a WEB browser.
(4) In the WEB browsing route, the virus-infected site is displayed as an icon in a different form from other sites, such as red, so that the virus-infected site can be easily identified, and further displayed on the WEB browser The currently displayed icon is surrounded by a blue dotted line, so that it is possible to easily determine which WEB page on the WEB browsing path is the WEB page displayed in the WEB browser.
Also, (5) when a virus infection of a WEB page is detected during browsing, the URL of the WEB page is registered in the virus detection information, and a captured image is acquired and stored in a storage device as virus detection site image information. If there is a request to browse the WEB page, the captured image of the WEB stored in the storage device is returned to the request source without being connected to the Internet, and the captured image of the WEB is displayed in the request source WEB browser. Thus, the user can browse the WEB page without being infected with a virus.
In addition, (6) a WEB page linked to a WEB page in which a virus infection is detected is also acquired and stored, so that even when the WEB page is viewed, the WEB page is viewed through the WEB browser. The warning message is displayed to notify the danger, and the captured image of the WEB page is displayed by the WEB browser so that the virus infected site (WEB page) cannot be opened from the link of the WEB page.
Also, (7) periodically visit each WEB page where virus infection has been detected, and perform a virus scan check to determine whether the virus has been removed. If the virus has been removed, the URL of the WEB page is By deleting from the virus detection information, the virus infection status at each WEB site is updated.
In addition, (8) WEB access log, virus detection information, site analysis information, browsing route diagram, detection date and time, access source user name and computer name, URL of the WEB page regarding the WEB site where virus infection is detected It automatically generates and outputs an anti-virus report including at least the name of the detected virus and the browsing route map.

  According to the present invention, (1) even when a virus-infected site once detected is browsed again, the image information registered in the virus-detected site image information is displayed, so that it can be safely browsed without virus infection. it can. This can be realized by both the WEB access log confirmation system terminal and the user's Internet connection terminal. (2) It is possible to automatically create a web browsing route by designating a virus-infected site and to automatically reproduce the web browsing route, and the administrator can visually and efficiently check the virus infection status. (3) When a link page of a virus-infected site once detected during browsing the Internet is browsed, a warning message is displayed so that the user can detect the danger in advance. Further, by displaying an image of the link page itself of the virus-infected site in the same manner as the virus-infected site, it is possible to prevent the virus-infected site from being opened from the link of the site. (4) By automatically creating the “anti-virus report”, it is possible to eliminate the trouble of creating a word processor and to improve the efficiency of management work.

It is a block diagram which shows the structural example of the WEB access log confirmation system which concerns on this invention. It is a flowchart which shows the 1st processing operation example (safe browsing of a virus infection site) which concerns on this invention of the WEB access log confirmation system in FIG. It is a flowchart which shows the 2nd processing operation example (WEB browsing route map creation, browser redisplay) based on this invention of the WEB access log confirmation system in FIG. It is explanatory drawing which shows the example of a screen which the browser of the internet connection terminal in FIG. 1 displayed. It is explanatory drawing which shows the example of a browser display screen (WEB browsing route diagram) which the WEB access log confirmation system in FIG. 1 produced | generated. It is explanatory drawing which shows the example of a document layout of the antivirus countermeasure report which the WEB access log confirmation system in FIG. 1 produced | generated. It is explanatory drawing which shows the structural example of the record in the database of the WEB access log confirmation system in FIG. It is a flowchart which shows the 3rd processing operation example (periodic confirmation of a virus infection site) which concerns on this invention of the WEB access log confirmation system in FIG. It is explanatory drawing which shows the 4th processing operation example (path | route selection processing routine) which concerns on this invention of the WEB access log confirmation system in FIG. It is explanatory drawing which shows the 5th process operation example which concerns on this invention of the WEB access log confirmation system in FIG. It is explanatory drawing which shows the data structural example of the antivirus countermeasure report produced | generated with the WEB access log confirmation system in FIG.

  Hereinafter, embodiments for carrying out the present invention will be described with reference to the drawings. In FIG. 1, 1 is the Internet, 10 is a user terminal device (described as “Internet connection terminal” in the figure) connected by an internal network prepared by an organization such as a company, and 11 is a WEB security server that connects the internal network and the Internet. The proxy server 12 is an administrator terminal device (described as “WEB access log confirmation system terminal” in the figure) operated by an administrator of the internal network.

  Each of the WEB security server / proxy server 11 and the user terminal device 11 and the administrator terminal device 12 includes a computer device including a CPU (Central Processing Unit), a main memory, a display device, an input device, an external storage device, and the like. A program or data recorded on a storage medium such as a CD-ROM via an optical disk drive or the like is installed in the external storage device, and then the program is read from the external storage device into the main memory and processed by the CPU. Perform computer processing.

  For example, the WEB security server / proxy server 11 includes a WEB access log confirmation system 100 according to the present invention as a function of executing programmed computer processing.

  This WEB access log confirmation system 100 includes a browsing management processing section (described as “safe browsing of virus-infected sites” in the figure) 110 and a browsing path generation processing section (in the figure, “WEB browsing path diagram creation, browser redisplay”). WEB access log 13, virus detection information 14, virus detection site image information 15, site analysis information 16, WEB browsing path pattern information 17, asset information 18, user information 19 in a storage device (not shown). Read and write the anti-virus report 20.

  The browsing management processing unit 110 includes an Internet connection request reception unit (described as “Internet connection request reception” in the figure) 111, a virus detection site confirmation unit (described as “virus detection site confirmation” in the figure) 112, and virus detection site image information. Transmission section (described as “virus detection site image information transmission” in the figure) 113, WEB access log acquisition section (described as “Internet connection, WEB access log acquisition” in the figure) 114, WEB page virus scan check section (in the figure “ WEB page virus scan check) 115, virus detection information acquisition unit (described as “virus detection information acquisition” in the figure) 116, virus detection site image information acquisition unit (described as “virus detection site image information acquisition” in the figure) ) 117, WEB page analysis information acquisition unit (“WEB page analysis information in the figure) The resulting "as described) 118 is constituted by a viral infection site periodically checking section (in the figure as" periodic confirmation of virus infection site ") 119.

  Also, the browsing route generation processing unit 120 includes a WEB browsing route pattern information creation unit (described as “WEB browsing route pattern information creation” in the figure) 121, a WEB browsing route diagram creation unit (“WEB browsing route diagram creation” in the figure), Description) 122, WEB browsing route automatic reproduction unit (described as “WEB browsing route automatic regeneration” in the figure) 123, virus countermeasure report automatic creation unit (described as “virus countermeasure report automatic creation” in the figure) 124 ing.

  In the web access log confirmation system 100 of this example having such a configuration, the browsing path generation processing unit 120 causes the WEB security server / proxy server 11 to detect virus infection by the WEB page virus scan check unit 115 of the browsing management processing unit 110. A web browsing route up to the detected web page is created, displayed on the screen via the browser of the user terminal device 10, and an icon of the web page in the displayed web browsing route by the user of the user terminal device 10 The WEB page is displayed in a browser according to the selection or automatically.

  In addition, the WEB access log confirmation system 100 acquires the captured image of the WEB page in which the virus infection is detected in this way by the virus detection site image information acquisition unit 117 in the browsing management processing unit 110, and the virus detection site image information 15 When the WEB page infected with the virus is re-browse, the virus detection site image information transmission unit 113 reads the captured image of the WEB page and displays it on the user terminal device 10 that is the browsing request source. . When displaying the virus-infected WEB page, a warning is prompted and an image is displayed.

  Further, the WEB access log confirmation system 100 automatically creates an “anti-virus report” indicating the status of such virus infection by the anti-virus report automatic creation unit 124 in the browsing route generation processing unit 120.

  Hereinafter, the WEB access log confirmation system 100 of the present example provided in the WEB security server / proxy server 11 includes (1) a safe browsing function for a virus-infected site, and (2) a WEB browsing route. The creation, browser redisplay function, (3) warning display at the time of browsing the link page of the virus infected site, image display function, and (4) automatic creation function of “antivirus report” will be described.

  (1) A safe browsing function for virus-infected sites is a function that allows a WEB page once detected by a virus to be safely browsed without expanding the virus infection. WEB access log 13, virus detection information 14, virus detection site image information 15, and site analysis information 16 are used as data necessary for realizing the above.

  The WEB access log 13 is a log when the user terminal device 10 browses a WEB page on the Internet 1, and is recorded in the WEB access log acquisition unit 114. Information related to WEB access such as a user name, date and time, and URL of an HTTP request is recorded.

  The virus detection information 14 is a log when a virus is detected by WEB, and is recorded in the virus detection information acquisition unit 116. Information regarding virus detection such as a virus name of a virus-infected site and a virus detection URL is recorded.

  The virus detection site image information 15 is recorded by the virus detection site image information acquisition unit 117, and the WEB page virus scan check unit 115 detects the virus while the user terminal device 10 is browsing the WEB page on the Internet 1. When this is done, the captured image information of the WEB page is recorded.

  The site analysis information 16 is recorded by the WEB page analysis information acquisition unit 118, and the WEB page analysis information acquisition unit 118 analyzes the HTML source of the WEB page browsed on the Internet 1 by the user terminal device 10. Information such as the obtained link information and analysis date is recorded. The site analysis information 16 is consistent with the WEB access log 13 by URL, date, time, and user name.

  The WEB security server / proxy server 11 collects the virus detection information 14 and the virus detection site image information 15 by the virus detection information acquisition unit 116 and the virus detection site image information acquisition unit 117 in the WEB access log confirmation system 100 of this example. This is done as follows.

  When the user terminal device 10 browses a WEB site on the Internet 1, the user terminal device 10 goes through the WEB security server / proxy server 11. The WEB security server / proxy server 11 browses a WEB site (WEB page) on the Internet 1 from the user terminal device 10 in the Internet connection request reception unit 111 in the browsing management processing unit 110 constituting the WEB access log confirmation system 100. After accepting the request, if the WEB page virus scan check unit 115 detects a virus infection in the WEB site that the user terminal device 10 is browsing, the virus detection information acquisition unit 116 is activated and the virus of the virus detection information is detected. Get the name, date, time, user name, computer name, file name, virus detection URL, and add virus removal information that indicates whether or not the WEB site has already been cleaned. Recorded in information 14 And start the virus detection site image information acquisition unit 117 captures image information of WEB pages virus detection, along with the information, recorded in the virus detection site image information 15.

  In order to enable safe browsing of virus-infected sites, the WEB security server / proxy server 11 uses the WEB of the user terminal device 10 in the Internet connection request reception unit 111 in the browsing management processing unit 110 of the WEB access log confirmation system 100. When a browsing request to the infected WEB page from the browser is received, the virus detection site confirmation unit 112 in the browsing management processing unit 110 is activated.

  The virus detection site confirmation unit 112 searches for the virus detection URL in the virus detection information 14 using the URL of the requested WEB page, and when the corresponding URL exists and the removal flag is “0” (the virus has been removed). Status), the WEB security server / proxy server 11 is notified to permit access to the WEB page.

  In addition, when the virus detection site confirmation unit 112 confirms that the corresponding URL is present and the virus removal flag is “1” (a state where the virus has not been removed), the WEB security server / proxy server 11 determines that the user terminal device 10, the virus detection site image information transmission unit 113 is activated without accessing the WEB page, and the virus detection site image information transmission unit 113 captures the cap of the WEB page registered in the virus detection site image information 15. The image information is read out and returned to the WEB browser of the user terminal apparatus 10 that has requested access.

  Since the WEB browser of the user terminal device 10 displays the image information of the WEB page, the user of the user terminal device 10 can safely browse the WEB page without being infected with a virus.

  The WEB security server / proxy server 11 periodically checks a virus-infected site (WEB page) by the virus-infected site periodic confirmation unit 119 in the browsing management processing unit 110 of the WEB access log confirmation system 100. That is, the information on the virus-infected site registered in the virus detection information 14 is registered as the virus-infected site if the virus detection information is not updated even if the virus is removed at the virus-infected site.

  Therefore, the WEB security server / proxy server 11 periodically reads the information on the virus-infected site registered in the virus detection information 14 by the virus-infected site periodic confirmation unit 119, is registered in the virus detection information, and the removal flag is “ A virus-infected site of 1 ″ (in a state where the virus has not been removed) is detected, the detected virus-infected site is accessed, and a virus scan check is performed by the WEB page virus scan check unit 115.

  If no virus is found as a result of the virus scan check by the WEB page virus scan check unit 115, it is determined that the WEB page is safe, and “0” (virus removal) is set in the removal flag of the corresponding record in the virus detection information. Set).

  As a result, the virus infection state of the virus infection site registered in the virus detection information is kept up-to-date. As a result, normal browsing is possible for the WEB site.

  Next, (2) the WEB browsing route diagram creation and browser re-display function creates a WEB browsing route by the user terminal device 10 up to the WEB page of the virus infected site detected by the WEB security server / proxy server 11. This is a function for displaying a WEB browser or automatically reproducing by selecting an icon of a WEB page displayed on the WEB browsing route.

  As data necessary for realizing such WEB browsing route creation and browser redisplay, there are a WEB access log 13, virus detection information 14, site analysis information 16, and WEB browsing route pattern information 17.

  The WEB browsing route pattern information 17 records pattern information necessary for creating a WEB browsing route. Based on the WEB access log and the site analysis information of the WEB security server / proxy server 11, the browsing route generation process is performed. The unit 120 creates the web browsing route pattern information creation unit 121.

  The WEB browsing route pattern information creating unit 121 creates a WEB browsing route up to a WEB page where a virus infection is detected. At this time, first, the web browsing route is grasped.

  That is, the WEB browsing route pattern information creating unit 121 designates a virus infected site (including date and time and user name) as an end point of the WEB browsing route, and uses the link information in the WEB access log 13 and the site analysis information 16, The user (user terminal device 10) derives a WEB browsing route that reaches the virus-infected site.

  The WEB browsing route derived by grasping the WEB browsing route is created based on the link information in the site analysis information 16, and a plurality of WEB browsing routes may be created depending on the user's browsing method. Therefore, the WEB browsing route pattern information creating unit 121 creates a pattern that can create a WEB browsing route when grasping the WEB browsing route, and records the pattern in the WEB browsing route pattern information 17.

  When the WEB browsing route pattern information creation unit 121 creates a pattern, it is possible to specify the number of patterns created and the link source page interval time. This functions as a technique for quickly finding a target WEB browsing route when a huge WEB access log is targeted.

  Next, the browsing route generation processing unit 120 uses the WEB browsing route diagram creation unit 122 to create a WEB browsing route. At this time, the WEB browsing route diagram creation unit 122 displays URLs registered in the WEB browsing route pattern information 17 as icons in time series, and creates a visual route by connecting the icons with lines.

  If there are a plurality of WEB browsing routes, the WEB browsing route diagram creation unit 122 creates each WEB browsing route by selecting a pattern. The icons include the title of the web page, date and time, Yahoo! In the case of a search site such as (registered trademark) or Google (registered trademark), a search key is displayed under the icon. Further, the virus infected site is displayed in red, and the WEB page displayed by the WEB browser can be identified as to which WEB page is being browsed by surrounding the corresponding icon with a blue line. Further, the icon of the WEB page may be displayed as a thumbnail image.

  Next, the browsing route generation processing unit 120 causes the WEB browsing route automatic reproduction unit 123 to redisplay the browser. At this time, the WEB browsing path automatic reproduction unit 123 displays the WEB page on the WEB browser by pressing an icon of the WEB page displayed on the WEB browsing path or by automatic reproduction.

  For example, when the user of the user terminal device 10 presses the icon of the WEB page in the displayed WEB browsing path, the WEB browsing path automatic reproduction unit 123 displays the WEB page with a WEB browser. In addition, when the WEB browsing route automatic reproduction unit 123 performs automatic reproduction, the icons drawn on the WEB browsing route are displayed in time series on the WEB browser.

  In this example, there may be a function that can specify a display time interval by the web browsing route automatic reproduction unit 123.

  Here, it is considered that the WEB browsing route can be created but cannot be displayed due to WEB page update, deletion, or inaccessibility, and the display of the search site changes from day to day. It is possible that However, since it is confirmed immediately when a virus is found, it is not considered necessary here. If the same content as the content when the WEB page is browsed is displayed, for example, it can be easily realized by using the technique described in Japanese Patent Application Laid-Open No. 2004-139215.

  Next, other processes by the browsing route generation processing unit 120 will be described.

  For example, if the web browser cannot display again (site closure, temporary access impossible, etc.), the browsing route generation processing unit 120 may display that effect.

  In addition, the browsing route generation processing unit 120 of this example displays the route leading to the WEB site in chronological order according to the user's selection of a virus-infected site (including date and user name). And it is good also as a structure which produces a WEB browsing path | route according to designation | designated of a period (start date and time, end date and time).

  Further, by sharing the function of the browsing route generation processing unit 120, a user other than the operator of the administrator terminal device 12 may perform his / her WEB browsing route display and automatic reproduction.

  Next, (3) The warning display and image display function when browsing the linked page of the virus-infected site prompts the user to warn the user when browsing the page linked to the virus-infected site while browsing the Internet. This is a function for creating a captured image of a WEB page and transmitting this image information to the requesting WEB browser.

  Data necessary for realizing such a warning display and image display function when browsing a page linked to a virus-infected site is virus detection information 14 and virus detection site image information 15.

  The WEB security server / proxy server 11 uses the WEB access log confirmation system 100 to perform warning display and image display when browsing a page linked to a virus-infected site as follows.

  When the user terminal device 10 browses information on the Internet 1, it goes through the WEB security server / proxy server 11. This WEB security server / proxy server 11 extracts the link information of the target WEB page in the WEB access log confirmation system 100 and compares it with the virus detection URL registered in the virus detection information 14.

  If there is no corresponding URL, the WEB page is accessed as usual, but if the corresponding URL is present and the virus removal flag is “1” (the virus has not been removed), for example, “This WEB page is infected with a virus. A warning that “it may contain a link to the site” is displayed on the WEB browser of the user terminal device 10.

  By this warning, the user of the user terminal device 10 can grasp that the virus-infected site is linked to the WEB page.

  Also, the WEB access log confirmation system 100 acquires the captured image information of the infected WEB page from the virus detection site image information 15 together with the warning display of the WEB browser, and returns it to the WEB browser that requested the access. Since the captured image information is displayed on the WEB browser, it is possible to prevent the virus-infected site from being opened from the link.

  Next, (4) the “antivirus report” automatic creation function refers to the WEB access log confirmation system 100 in which the anti-virus report automatic creation unit 124 of the browsing route generation processing unit 120 uses the administrator terminal device 12. This function automatically creates an “anti-virus report” for virus detection information selected in the operation.

  Data used for realizing the function of automatically creating this “antivirus report” is virus detection information 14, WEB browsing route pattern information 17, asset information 18, and user information 19. In the asset information 18, computer name, PC information, department information, etc. are recorded, and in the user information 19, user information, PC information, department information, etc. are recorded.

  Using these pieces of information, the virus detection report automatic creation unit 124 of the browsing route generation processing unit 120 selects the virus detection information selected by pressing the report button displayed on the screen of the administrator terminal device 12 or the like. The “Anti-Virus Report” is automatically created including the following items.

  In other words, the “Anti-Virus Report” includes “Date and time of occurrence” that describes the date and time of virus detection information, “User information” that describes the user name and affiliation, etc., and the computer name and affiliation as asset information. "Computer name", "virus detection site" describing the title and virus detection URL of virus detection information, "virus name" describing the virus name of virus detection information, "treatment" describing the action of virus detection information, And “WEB browsing route” and “search site, search key”.

  In the item “WEB browsing route”, the URL of the WEB browsing route pattern information is represented by an icon, and the icon is visually connected by a line. Similarly, the title of the WEB page of the WEB browsing route pattern information is described in the icon, and if it is a search page, a search key is described. In “search site, search key”, the title of the WEB page of the WEB browsing route pattern information is described, and if it is a search page, the search key is described.

  Note that the virus countermeasure report automatic creation unit 124 may have a template function that can edit the layout and output items of the “virus countermeasure report”.

  Details of the processing operation and the like of the WEB access log confirmation system 100 having the configuration shown in FIG. 1 will be described below with reference to FIGS.

  First, the processing operation of the safe browsing of the virus-infected site by the WEB access log confirmation system 100 will be described with reference to FIG.

  The processing flow for safe browsing of a virus-infected site in FIG. 2 includes the above-described (3) warning display and image display function processing when browsing the link page of the virus-infected site by the browsing management processing unit 110. In particular, this corresponds to steps S213 to S217 in FIG.

  When the user terminal device 10 browses a WEB site on the Internet 1, the WEB access log confirmation system 100 first accepts an Internet connection request by the internet connection request accepting unit 111 in the browse management processing unit 110 (step S201).

  Next, whether or not the URL of the HTTP request from the user terminal device 10 is registered in the virus detection information 14, that is, the virus detection URL item 717 of the virus detection information 710 shown in FIG. A determination is made (steps S202 and S203).

  When registered in the virus detection URL item 717, the virus detection site image information transmission unit 113 matches the content in the virus detection URL image 721 of the virus detection site image information 15, that is, the virus detection site image information 720 shown in FIG. Image data in the image information item 724 in the row (captured image information of the WEB page of the URL) is acquired (step S204), and the acquired image data is transmitted to the request source as an HTTP response (step S205).

  When the image data (capture image information) is transmitted to the user terminal device 10 in this way, the screen layout 400a illustrated in FIG. 4 is displayed on the user terminal device 10.

  The screen layout 400a includes a URL display field 401, a warning message display field 402, and an image information display field 403. The URL display field 401 includes the image data, that is, a captured image of a WEB page in which virus infection is detected. The URL of the information is displayed, a warning message display field 402 displays a warning text regarding the WEB page, and an image information display field 403 displays a captured image of the WEB page.

  In this way, once a virus page has been detected for a virus, by displaying the captured image, the user of the user terminal device 10 can safely browse the WEB page without detecting a virus.

  Next, in step S203, if the WEB site to be browsed is not registered in the virus detection information 14, that is, the virus detection URL item 717 of the virus detection information 710 shown in FIG. As usual, in accordance with the HTTP request received from the user terminal device 10, the target WEB server is accessed (step S206), WEB access log information is acquired and output to the WEB access log 13 (step S207).

  In the WEB access log 13, as shown in detail in the WEB access log 700 of FIG. 7, a date item 701, a time item 702, a user name item 703, a computer name item 704, a transmission source IP address item 705, an HTTP request URL item 706, search key item 707, and Title item 708 are provided, and information is stored in each item. In the case of a search site, the search key item 707 also stores a search key.

  Thereafter, the WEB virus scan check unit 115 performs a virus scan check on the WEB page and determines whether or not a virus is detected (steps S208 and S209).

  Here, when a virus infection is detected, the WEB virus scan check unit 115 converts the virus detection information into the virus detection information 14, that is, the virus name item 711, the date item 712, and the time in the virus detection information 710 detailed in FIG. The item 713, the user name item 714, the computer name item 715, the file name item 716, the virus detection URL item 717, the processing item 718, the removal flag item 719, and the Title item 71A are output and registered (step S210).

  In the removal flag item 719, “1” is registered when a virus is detected, and “0” is registered when virus removal is confirmed. Here, “1” is registered.

  Further, the virus detection site image information acquisition unit 117 creates a capture image of the target WEB page, and the virus detection URL item 721 in the virus detection site image information 15, that is, the virus detection site image information 720 shown in detail in FIG. The date information 722, the time item 723, and the image information item 724 are output and registered (step S211), and the captured image information output / registered in the image information item 724 is stored in the requesting user terminal device 10 as an HTTP response. Transmit (step S212)

  If it is determined in step S209 that no virus is detected, the WEB page analysis information acquisition unit 118 analyzes the target WEB page and acquires link information (step S213). 16, that is, registered in the URL item 731, branch number item 732, date item 733, time item 734, link information item 735, and user name item 736 in the site analysis information 730 detailed in FIG. 7 (step S 214). The date item 733, the time item 734, and the user name item 736 register the contents of the corresponding date item 701, time item 702, and user name item 703 in the WEB access log 700 of FIG. When the URL item 731, the date item 733, the time item 734, and the user name item 736 are the same, the branch number item 732 is added sequentially from 1.

  Thereafter, it is determined whether or not the link information in the link information item 735 of the target WEB page is included in the registered content in the virus detection URL item 717 of the virus detection information 710 (step S215).

  If it is included in the registered contents in the virus detection URL item 717 and the request source is the user terminal device 10, a capture image of the target WEB page is created and transmitted to the user terminal device 10 of the request source (step) S216)

  At this time, in the user terminal device 10, as shown in the screen layout 400b of FIG. 4, the URL information of the target WEB page is displayed in the URL display field 404, and the warning message display field 405 displays “!! The WEB page may contain a link to a virus-infected site. ”Is displayed, and a captured image of the WEB page is displayed in the image information display field 406. As described above, since the captured image is displayed, the user of the user terminal device 10 cannot open the virus-infected page from the link on the captured image.

  Even if it is included in the registered contents in the virus detection URL 717 in the determination processing in step S215, if the request source is the management terminal device 11, confirmation of the virus detection site is necessary, and thus the HTTP sent from the target EB server is required. The response is transmitted to the requesting management terminal device 11 as usual (step S217).

  Next, the processing operation by the virus infection site periodic confirmation unit 119 will be described with reference to FIG.

  In the WEB access log confirmation system 100 of this example, in order to prevent the captured image from being displayed even if the virus of the WEB page registered in the virus detection information 14, 710 is removed, the virus infection site periodic confirmation unit 119 Periodically, a virus scan check of the virus-infected site registered in the virus detection information 14,710 is performed.

  The virus infection site regular confirmation unit 119 first extracts the virus detection information 710 whose registered value is “1” in the removal flag item 719. (Step S801).

  Next, the WEB page of the URL registered in the virus detection URL item 717 of the virus detection information 710 extracted in step 801 is accessed via the WEB security server / proxy server 11 to perform a virus scan check (step S802). .

  If the check result indicates that a virus infection has been detected, nothing is done (step S804). If the check result indicates that a virus has not been detected, the registered value of the anti-disinfection flag item 719 of the virus detection information 710 is set to “0”. (Step 805).

  Next, with reference to FIG. 3, a web browsing route diagram creation process and a browser redisplay processing operation by the browsing path generation processing unit 120 will be described.

  The web browsing route map creation and browser redisplay processing by the browsing route generation processing unit 120 shown in FIG. 3 includes the above-described (4) processing by the automatic creation function of the anti-virus report. This corresponds to S320.

  The administrator terminal device 12 connects to the Web security server / proxy server 11 to start the WEB access log confirmation system 100 (step S301), and the operator of the administrator terminal device 12 displays the administrator terminal device shown in FIG. When the virus detection information 501 on the 12 operation screens is selected, the number of patterns 502, the interval time (minutes) 503 are specified, and the execution button 504 is pressed (step S302), the WEB access log confirmation system 100 performs the browsing route generation process. In section 120, subscript X (used in counting the number of WEB browsing route patterns) is set to 1 and an end flag (used in loop end conditions in steps S305 to S310 described later) is set to OFF (step S303). WEB browsing route pattern information 17, that is, the WEB browsing process shown in FIG. Pattern number field 761, URL item 762 of pattern information 760, date item 763, time item 764, carried out clear of each registration value in the search key item 765, Title item 766 (step S304).

  Then, “loop A” is repeated until the subscript X set in step S303 is equal to or more than the number of patterns or until the end flag is turned on (that is, until there is no web browsing route pattern) (steps S305 to S310). .

  In “loop A”, first, a route selection processing routine for a WEB browsing route is executed (step S306), and necessary information is registered in each item (761 to 766) of the WEB browsing route pattern information 760.

  The route selection processing routine in step S306 will be described with reference to FIG. In FIG. 9, items necessary for the explanation in FIG. 9 are extracted from the items in the virus detection information 710, the web access log 700, the site analysis information 730, and the web browsing route pattern information 760 shown in FIG. The virus detection information 900, the WEB access log 910, the site analysis information 920, and the WEB browsing route pattern information 930 are displayed.

  The virus detection information 900 is selected by the virus detection information 501 on the screen shown in FIG. 5. First, the date item 901, the time item 902, the user name item 903, and the virus detection URL item 904 of the virus detection information 900 are selected. A WEB access log 910 having a registered value that matches each registered value is obtained (procedure 1).

  The registration values of the date item 911, the time item 912, and the virus detection URL item 914 in the obtained WEB access log 910 are output / registered in the date item 933, the time item 934, and the virus detection URL item 932 of the WEB browsing route pattern information 930. (Procedure 2). Note that the X value set in step S303 or S308 of FIG. 3 is registered in the pattern information item 931 in the WEB browsing route pattern information 930.

  Thereafter, the registered value of each item in the WEB browsing route pattern information 930 is referred to, the position of the record read in the WEB access log 910 is determined so as not to create the same pattern, and the record is read (procedure 3).

  In the WEB access log 910, the following steps 4 to 7 are repeated until there are no more records with the same user name after the date and below the time.

  First, a record in the site analysis information 920 that matches the URL, date item 911, time item 912, and user name item 913 in the HTTP request item 914 of the read web access log 910 is read (procedure 4).

  The URL that matches the URL in the HTTP request item 914 of the read WEB access log 910 is obtained as a record in the site analysis information 920 registered in the link information item 925 (procedure 5).

  If there is a matched record, the information of the WEB access log 910 is input to the site analysis information 920 and output to the WEB browsing route pattern information 930 (procedure 6). It should be noted that if there is no match, the process proceeds to the next step 7.

  Thereafter, the next record corresponding to the same user name in descending order of date and time in the WEB access log 910 is read (procedure 7). The next record is a record designated within an interval time (minute) 503 in FIG. If there is no designation, a default time may be determined.

  The processes in subsequent procedures 7 to 11 are repeated when the above-described procedures 4 to 7 are repeated and there are no more records to be read from the WEB access log 910. Specifically, the same processing as in step 4 is performed in step 7, the same processing as in step 5 is performed in step 8, the same processing as in step 6 is performed in step 9, The same processing as that in step 7 is performed in step 10, and as a result, there is no record to be read, and the route selection processing routine in FIG. 9 is exited.

  FIG. 10 shows the information acquisition source in the WEB browsing route pattern information 760 in FIG. 7 output to the WEB browsing route pattern information 930 in FIG. 9 by the route selection processing routine in step S306.

  A table 1001 in FIG. 10 shows an example of an information acquisition source when output to the WEB browsing route pattern information 930 in the procedure 2 in FIG. 9, and the table 1002 is a WEB browsing route pattern in the procedure 6 in FIG. An example of an information acquisition source when output to information 930 is shown.

  Next, returning to FIG. 3, the processing after step S306 by the browsing route generation processing unit 120 will be described.

  First, it is determined whether or not there is a WEB browsing route pattern in the process of step S306 (step S307).

  When there is no WEB browsing route pattern, 1 is added to the subscript X (step S308), and when there is no WEB browsing route pattern, the end flag is set to ON (step S309). Repeat loop A above.

  When the web browsing route pattern selection 505 is pressed in FIG. 5 after the processing of the loop A, the web browsing route pattern 518 is displayed, and the target web browsing route selected from the displayed pattern is set as the web browsing route 510. It is displayed (step S311).

  Subsequent reproduction processing of the WEB browsing route is divided into automatic reproduction and manual reproduction (step S312). This branches according to the selection operation of each button of the automatic reproduction 511, the pause 512, the stop 513, the next 514, and the previous 515 on the screen of FIG.

  For example, when the next 514 button in FIG. 5 is selected and pressed, manual playback is performed. In this case, the WEB page is displayed on the WEB browser screen 516 when the WEB page icon displayed on the WEB browsing path 510 is pressed. (Step S313)

  5 is automatically reproduced when the button of automatic reproduction 511 in FIG. 5 is selected and pressed, and in this case, the WEB page displayed in the WEB browsing route diagram 510 is automatically reproduced and displayed on the WEB browser screen 516 (step S314).

  Then, it is confirmed whether or not the web page is registered in the virus detection information 14 and 710 (steps S315 and S316). If the web page is registered in the virus detection information 14 and 710, the corresponding virus is detected. The image data of the image information item 724 in the detection site image information 15 and 720 is read out and displayed on the screen of the administrator terminal device 12 (step S317).

  If it is not registered in the virus detection information 14, 710, it connects to the Internet 1, obtains the target WEB page, and displays it on the screen of the administrator terminal device 12 (step S318).

  Further, when the button of the report 508 in FIG. 5 is pressed, a virus countermeasure report in which the content displayed on the WEB browsing path 510 is described as the Web browsing path 606 shown in FIG. 6 is output (step S319). , S320).

  3 is processing by the WEB browsing route pattern information creation unit 121 in FIG. 1, and processing in step S311 is processing by the WEB browsing route diagram creation unit 122 in FIG. The processing from step S312 to S318 is processing by the web browsing path automatic reproduction unit 123 in FIG. 1, and the processing from S319 to S320 is processing by the virus countermeasure report automatic creation unit 124 in FIG.

  Next, operations on the screen layout displayed on the administrator terminal device 12 shown in FIG. 5 used during the WEB browsing route diagram and the WEB browsing route automatic reproduction described in FIG. 3 will be described.

  When the administrator operating the administrator terminal device 12 presses the virus detection information 501, a list box 517 is displayed. By selecting and pressing the list box 517, the administrator selects the target virus detection information. select.

  Along with this operation, the date and time 506 and the user name 507 corresponding to the selected virus detection information are displayed.

  When the administrator designates the number of patterns 502 and the interval time (minutes) 503 and presses the execute button 504, the processing in FIG. 3 by the browsing route generation processing unit 120 in the WEB access log confirmation system 100 is started. The number of patterns 502 and the interval time (minutes) 503 need not be specified, and default values when not specified are determined in advance.

  When the WEB browsing route pattern 505 is pressed, a selection list box 518 is displayed, and a target WEB browsing route pattern can be selected from the list box 518.

  A WEB browsing route 510 corresponding to the WEB browsing route pattern selected in the list box 518 is displayed. In the WEB browsing path 510, the date, time, and Title of the WEB page are displayed for each WEB page icon (sites 1 to 5, paying attention to viruses).

  The date, time, and Title values of the WEB page are registered values of the date item 763, the time item 764, and the Title item 766 of the WEB page in the WEB browsing route pattern information 760 in FIG. For the search site (site 2), the registration value of the search key item 707 in the WEB access log 700 of FIG. 7 is also given and displayed. If it is a virus-infected site, it is displayed in red with a different color from other icons so that it can be easily understood that the WEB site is infected with a virus.

  In addition, when the administrator presses one of the icons (sites 1 to 5, beware of viruses) on the WEB browsing path 510 or presses the automatic playback button 511, the contents of the site of each icon are changed to the WEB browser 516. Is displayed.

  For example, in the manual operation, when the administrator presses the icon of the web browsing path 510, an HTTP request is received and displayed via the user terminal device 10. Then, in response to pressing of the next button 514 or the previous button 515 by the administrator, the web browser 516 expands the screen. At this time, the URL of the WEB page is displayed at the address 509. In addition, the icon (site 5) displayed in the WEB browsing path 510 is displayed surrounded by a dotted line so that it can be seen which WEB page is displayed.

  Further, when the virus-infected site displayed on the WEB browsing path 510 is displayed on the WEB browser 516, the image data (capture image information) of the URL registered in the image information item 724 of the virus detection site image information 720 shown in FIG. ) And is displayed on the WEB browser 516. Thereby, the administrator can browse the content of the virus-infected site on the management terminal device 12 without being infected with the virus.

  Also, when the administrator presses the button for automatic playback 511, the contents in the WEB browsing path 510 are automatically expanded and displayed in time series on the WEB browser 516. At this time, when the pause 512 button is pressed, the display on the screen development 516 is paused, and when the automatic playback 511 button is pressed again, the screen development on the WEB browser 516 is continued. When the stop 513 button is pressed, the screen development of the WEB browser 516 is stopped.

  When the administrator presses the button of the report 508, the anti-virus report shown in FIG. 6 is created.

  In the table 1101 of FIG. 11, the WEB access lob 700, virus detection information 710, virus detection site image information 720, site analysis information 730, and asset information shown in FIG. 7 corresponding to the output items of the virus countermeasure report of FIG. 740, user information 750, and WEB browsing route pattern information 760 are shown.

  For example, the information acquisition source of the occurrence date 601 in the output item of the virus countermeasure report is the date item 722 and the time item 723. Similarly, the information acquisition source of the user name and the computer name 602 is the user name item 714, the affiliation Item 752, name item 753, computer name item 715, affiliation item 742, name item 743, and information acquisition source of virus detection site 603 is Title item 71A and virus detection site URL item 717, and information of virus name 604 The acquisition source is the virus name item 711, the information acquisition source of the treatment 605 is the treatment item 718, the information acquisition source of the WEB browsing route 606 is the WEB browsing route pattern information item 760, the search site, the search key The information acquisition source of 607 is a Title item 766 and a search key item 765.

  The WEB browsing path 606 is printed with the WEB browsing path displayed in the WEB browsing path 510 when the button of the report 509 in FIG. 5 is pressed. The search site / search key 607 displays a search site (“Yahoo (registered trademark)”) and a search key (“virus”) when there is a search site in the WEB browsing route 606.

  As described above with reference to FIGS. 1 to 11, the WEB access log confirmation system 100 of the present example is a means for executing programmed computer processing. The WEB access log acquisition unit 114 and the WEB page virus scan check are used as means for executing programmed computer processing. 115, virus detection information acquisition unit 116, virus detection site image information acquisition unit 117, browsing route generation processing unit 120, and virus detection site image information transmission unit 113, and the WEB access log acquisition unit 114 provides a WEB page. Browsing history information (WEB access log 13) is stored in the storage device, the WEB page virus scan check unit 115 detects virus infection of the WEB page being browsed, and the virus detection information acquisition unit 116 detects the WEB page virus scan. Check unit 115 Virus detection information 14 including at least the URL of a WEB page (virus-infected WEB page) that has detected a virus infection is generated and stored in a storage device. The virus detection site image information acquisition unit 117 causes the WEB page virus scan check unit 115 to A captured image of a WEB page (virus-infected WEB page) that has detected a virus infection is acquired and stored in a storage device as virus detection site image information 15, and browsing history information (WEB access) of the WEB page by the browsing route generation processing unit 120 By referring to the log 13 and the site analysis information 16), each WEB page browsed up to the virus-infected WEB page is extracted, and a browsing route diagram in which the extracted WEB pages are displayed in the order of viewing is generated, and a virus detection site is generated. Virus is transmitted by the image information transmission unit 113. Depending on the viewing request for the dyeing WEB page, returns the captured image of the viral infection WEB page is read from the virus detection site image information 15 to the requester.

  The WEB access log confirmation system 100 is provided in a WEB security server / proxy server 11 that controls connection between the internal network and the Internet 1, and the virus detection site image information transmission unit 113 is connected to the user terminal in the internal network. In response to a browsing request for a virus-infected WEB page from a WEB browser included in the device 10, a captured image of the virus-infected WEB page is read from the virus detection site image information 15 and returned to the requesting WEB browser to generate a browsing route. The processing unit 120 generates a browsing route diagram in response to a request from the administrator terminal device 12 connected to the WEB security server / proxy server 11 and outputs it to the requesting administrator terminal device 12.

  In addition, as a means for executing programmed computer processing, a web browsing route automatic reproduction unit 123 is provided, and the web browsing route automatic reproduction unit 123 performs a web browsing route diagram in response to a request from the administrator terminal device 12. Each WEB page displayed with the icon is output to the requesting administrator terminal device 12 and displayed on the WEB browser of the administrator terminal device 12.

  Further, the browsing route generation processing unit 120 displays the virus-infected WEB page icon in the WEB browsing route map in a form different from the icons of other WEB pages, and displays it on the WEB browser of the administrator terminal device 12. Are displayed in a different form from that of other WEB pages.

  In addition, the browsing route generation processing unit 120 refers to the link information of each WEB page included in the browsing history information (site analysis information 16) with the URL of the virus-infected WEB page as an end point, and determines the URL of the virus-infected WEB page. The process of obtaining the link source URL as the end point is repeated until there is no link source URL, and the obtained link source URLs are reversed in order to generate a WEB browsing route diagram.

  Further, as a means for executing programmed computer processing, a virus infection site periodic confirmation unit 119 is provided, and the virus infection site regular confirmation unit 119 periodically transmits virus infection WEB pages whose URLs are stored in the virus detection information 14. If the virus infection on the virus-infected WEB page is detected by detection of virus infection by the WEB page virus scan check unit 115 for every periodic browsing, the virus-infected WEB page of this virus-infected WEB page is removed. The URL is deleted from the virus detection information 14.

In addition, the virus detection site image information acquisition unit 117 acquires a captured image of the WEB page in response to a browsing request for the WEB page linked to the virus-infected WEB page.
The virus detection site image information transmission unit 113 sends a captured image of the WEB page acquired by the virus detection site image information acquisition unit 117 to the browsing request source of the WEB page linked to the virus-infected WEB page. It is returned together with message information that warns that it is linked to the WEB page.

  Further, as means for executing programmed computer processing, an anti-virus report automatic creation unit 124 is provided, and the anti-virus report automatic creation unit 124 allows browsing history information (WEB access log 13, site analysis information 16). And virus detection information 14 and a browsing route diagram, a virus including at least a detection date and time, an access source user name and a computer name, a URL of the WEB page, a name of a detected virus, and a browsing route diagram regarding a virus-infected WEB site A countermeasure report 20 is generated and output.

  More specifically, in the WEB accelerator log confirmation system 100 provided in the WEB security server / proxy server 11 of this example, the Internet connection request reception unit 111 receives an HTTP request from the user terminal device 10 and receives a virus detection site confirmation unit. At 112, it is confirmed whether the virus detection URL 717 registered in the virus detection information 710 is reached.

  If registered, access to the Internet is not performed, and the virus detection site image information transmission unit 113 causes the user terminal device 10 to store the image data (image concerned WEB) in the image information item 724 registered in the virus detection site image information 720. Page capture image information).

  The user terminal device 10 displays a message “! WARNING! This WEB page may be infected” shown in the warning message display field 402 of FIG. Image data (captured image information of the WEB page) is displayed.

  Further, when the virus detection site confirmation unit 112 determines that the HTTP request received from the user terminal device 10 is not the virus detection URL 717 registered in the virus detection information 710, the WEB access log acquisition unit 114 adds the HTTP request to the HTTP request. Accordingly, it connects to the Internet and outputs an access log to the WEB access log 13,700.

  Then, the WEB page virus scan check unit 115 performs a virus scan check on the WEB page, and when a virus is detected, the virus detection information acquisition unit 116 and the virus detection site image information acquisition unit 117 perform the WEB page virus scan check. Virus detection information and virus detection site image information (capture image information) are acquired and stored in virus detection information 14 and 710 and virus detection site image information 15 and 720, respectively.

  When a virus is detected, the captured image information of the WEB site stored in the virus detection site image information 15 and 720 is transmitted to the user terminal device 10. When no virus is detected, an HTTP response of the WEB site is transmitted to the user terminal device 10.

  Further, the WEB page analysis information acquisition unit 118 analyzes the accessed WEB page and records it as site analysis information 16 and 730. The site analysis information 16 and 730 is used to grasp the screen transition between WEB pages when creating a WEB browsing route map.

  In addition, the virus infection site periodic confirmation unit 119 periodically registers the virus detection information 14 and 710 and the value of the removal flag item 719 in the virus detection information 710 is “1” (a state where the virus has not been removed). Perform a virus scan check on the virus-infected site.

  If the virus at the site has been disinfected in this virus scan check, “0” (virus disinfected state) is output and updated in the disinfecting flag item 719 and held as the latest information.

  In addition, the browsing route generation processing unit 120 causes the WEB browsing route pattern information creation unit 121 to execute the WEB browsing route pattern information 17 and 760 according to the operation of the administrator on the screen shown in FIG. Create That is, the virus detection information 501 is selected on the operation screen of FIG. 5, the number of patterns 502, the interval time (minutes) 503 is designated, and the execution button 504 is pressed, so that each of the web browsing route pattern information 17 and 760 Information is registered.

  When the button of the WEB browsing route pattern 505 in FIG. 5 is pressed and an arbitrary pattern is selected from the WEB browsing route pattern 518, the WEB browsing route diagram creating unit 122 creates a browsing route diagram in the pattern. .

  When the button of the automatic reproduction 511 in FIG. 5 is pressed, the contents displayed on the WEB browsing path 510 are automatically reproduced and displayed on the WEB browser 516 in time series by the WEB browsing path automatic reproduction unit 123.

  When the report creation button 508 is pressed, the virus countermeasure report automatic creation unit 124 is activated to automatically create and output an “antivirus report” having the contents shown in FIG.

  Thus, in the WEB access log confirmation system 100 of this example, when it is detected that the WEB page being browsed is infected with a virus, the browsing route to the WEB page detected as a virus can be visually grasped. In addition, the WEB page can be re-viewed without being infected with a virus.

  In other words, using the WEB access log when browsing a WEB page that has detected a virus infection and the site analysis information of the viewed WEB page, a browsing route map to the virus-infected WEB page is created and displayed on the WEB browser To do.

  Specifically, the URL of the virus-infected site (WEB page) is used as an end point, the link information of the WEB page accumulated in the site analysis information is used to obtain the link source URL, and this URL is not used until the link source URL disappears. The process is repeated, and the WEB browsing route is derived by reversing the obtained link source URLs in reverse order.

  When a plurality of WEB browsing paths are conceivable, a WEB browsing path is created for each pattern.

  Further, in the WEB browsing route, each WEB page is displayed as an icon, and each icon is connected by a line in the browsing order and visually displayed in a network structure.

  Further, the WEB browsing route is displayed automatically or in response to an icon pressing operation by a WEB browser.

  In addition, in the WEB browsing route, the virus-infected site is displayed in an icon different from other sites, for example, red, so that the virus-infected site can be easily identified, and further displayed by a WEB browser. The icon is surrounded by a blue dotted line so that it is possible to easily determine which WEB page on the WEB browsing path is the WEB page displayed in the WEB browser.

  When a virus infection of a WEB page is detected during browsing, the URL of the WEB page is registered in the virus detection information, a captured image is acquired and stored in a storage device as virus detection site image information, If there is a request for browsing the WEB page, the user can connect to the Internet without connecting to the Internet and return the captured image of the WEB stored in the storage device to the request source, and display the captured image of the WEB in the WEB browser of the request source. In addition, it is possible to browse the WEB page without being infected with a virus.

  Also, with regard to a WEB page that links to a WEB page that has detected a virus infection, a captured message is acquired and stored, so that even when the WEB page is viewed, a warning message is displayed via the WEB browser. Is displayed to notify the danger, and the captured image of the WEB page is displayed by the WEB browser so that the virus infected site (WEB page) cannot be opened from the link of the WEB page.

  In addition, it periodically visits each WEB page where virus infection is detected, and performs a virus scan check to determine whether the virus has been removed. If the virus has been removed, the URL of the WEB page is detected as virus detection information. The virus infection status at each WEB site is updated.

  In addition, using the WEB access log, virus detection information, site analysis information, and browsing route map, the detection date and time, the access source user name and computer name, the URL of the WEB page, and the detection of the WEB site that detected the virus infection were detected. Automatically generates and outputs an antivirus report that includes at least the name of the virus and the browsing route map.

  As a result, (1) the image data (capture image information) registered in the virus detection site image information 15 and 720 is displayed even if the virus-infected site once detected is browsed again, the user of the user terminal device 10 Can be safely browsed without virus infection.

  Further, (2) creation of a WEB browsing route by designating a virus-infected site and automatic reproduction of the WEB browsing route are possible, and the administrator can check the virus infection status visually and efficiently.

  In addition, (3) a warning message is displayed when a link page of a virus-infected site that has been detected once while browsing the Internet, so that the user can detect danger in advance. Further, by displaying the link page itself of the virus-infected site as a captured image in the same manner as the virus-infected site, it is possible to prevent the virus-infected site from being opened from the link of the site.

  In addition, (4) by automatically creating the “anti-virus report”, there is no need to create a word processor, and the efficiency of management work can be improved.

  In addition, this invention is not limited to the example demonstrated using FIGS. 1-11, In the range which does not deviate from the summary, various changes are possible. For example, in this example, a description has been given of a configuration in which the WEB site of the Internet 1 is browsed from each user terminal device 10 connected to the internal network of an organization such as a company via the WEB security server / proxy server 11. The WEB access log confirmation system 100 may be used by an Internet provider. Virus detection information is centrally managed on the Internet provider side, and when a user views a virus-infected site, image information is transferred to a WEB browser, and a WEB access log is provided to the user to create a WEB browsing route Alternatively, a usage method such as automatic reproduction may be used.

  Further, the WEB access log confirmation system 100 of this example has been described as a configuration provided in the WEB security server / proxy server 11. However, the WEB access log confirmation system 100 is different from the WEB security server / proxy server 11. It is good also as a structure provided in.

  Also, WEB access lobes 13 and 700, virus detection information 14 and 710, virus detection site image information 15 and 720, site analysis information 16 and 730, WEB browsing route pattern information 17 and 760, asset information 18 and 740, user information 19 750, and anti-virus report 20 may be stored and managed in a database.

  In this example, a company is taken as an example of an organization. However, for example, an organization such as a government, a school, or a laboratory may constitute an internal network and be connected to the Internet.

  The computer configuration example of this example may also be a computer configuration without a keyboard or optical disk drive. In this example, an optical disk is used as a recording medium. However, an FD (Flexible Disk) or the like may be used as a recording medium. As for the program installation, the program may be downloaded and installed via a network via a communication device.

  1: Internet, 10: User terminal device (“Internet connection terminal”), 11: Web security server / proxy server, 12: Administrator terminal device (“WEB access log confirmation system terminal”), 13,700: WEB access log 14, 710: Virus detection information, 15, 720: Virus detection site image information, 16, 730: Site analysis information, 17, 760: Web browsing route pattern information, 18, 740: Asset information, 19, 750: User information 20: Anti-virus report, 100: WEB access log confirmation system, 110: Browse management processing section (“safe browsing of virus-infected sites”), 111: Internet connection request reception section, 112: Virus detection site confirmation section, 113: Virus detection site image information transmission unit, 114: W B access log acquisition unit ("Internet connection, WEB access log acquisition"), 115: WEB page virus scan check unit, 116: virus detection information acquisition unit, 117: virus detection site image information acquisition unit, 118: WEB page analysis information Acquisition unit, 119: Periodic confirmation unit for virus-infected site (“periodic confirmation of virus-infected site”), 120: Browsing route generation processing unit (“Web browsing route diagram creation, browser redisplay”), 121: WEB browsing route Pattern information creation unit, 122: WEB browsing route diagram creation unit, 123: WEB browsing route automatic reproduction unit, 124: antivirus countermeasure report automatic creation unit, 400a, 400b: screen layout, 401: URL display column, 402: warning message Display field, 403: Image information display field, 404: URL display field, 40 : Warning message display field, 406: Image information display field, 501: Virus detection information, 502: Number of patterns, 503: Interval time (minutes), 504: Execution button, 505: Web browsing route pattern selection, 506: Date and time, 507 : User name, 508: Report, 509: Address, 510: WEB browsing route, 511: Automatic playback, 512: Pause, 513: Stop, 514: Next, 515: Previous, 516: WEB browser screen, 517 : List box, 518: WEB browsing route pattern, 601: Occurrence date and time, 602: User name / computer name, 603: Virus detection site, 604: Virus name, 605: Treatment, 606: WEB browsing route, 607: Search site Search key, 701: date item, 702: time item, 703: user name item, 704: compilation Computer name item, 705: Source IP address item, 706: URL item of HTTP request, 707: Search key item, 708: Title item, 711: Virus name item, 712: Date item, 713: Time item, 714: User Name item, 715: Computer name item, 716: File name item, 717: Virus detection URL item, 718: Processing item, 719: Disinfection flag item, 71A: Title item, 721: Virus detection URL item, 722: Date item, 723: Time item, 724: Image information item, 731: URL item, 732: Branch number item, 733: Date item, 734: Time item, 735: Link information item, 736: User name item, 741: Computer name item, 742: Affiliation item, 743: Name item, 751: User name item, 752 Affiliation item, 753: Name item, 761: Pattern number item, 762: URL item, 763: Date item, 764: Time item, 765: Title key item, 766: Title item, 900: Virus detection information, 901: Date item 902: Time item 903: User name item 904: Virus detection URL item 910: WEB access log 911: Date item 912: Time item 913: User name item 914: Virus detection URL item 920: Site analysis information, 921: URL item, 922: Branch number item, 923: Date item, 924: Time item, 925: Link information item, 926: User name item, 930: WEB browsing route pattern information, 931: Pattern information item 932: Virus detection URL item, 933: Date item, 934: Time item, 001,1001,1101: table.

Claims (17)

A system for generating and displaying a browsing route diagram showing a browsing route of a WEB page,
Log acquisition means for storing browsing history information of the WEB page in a log storage device;
Virus scanning means for detecting virus infection on the web page being browsed;
Virus detection information acquisition means for generating virus detection information including at least a URL of a WEB page (virus infected WEB page) in which virus infection is detected by the virus scanning means, and storing the virus detection information in a detection information storage device;
Image information acquisition means for acquiring a captured image of a WEB page (virus-infected WEB page) in which virus infection is detected by the virus scanning means and storing the captured image in an image information storage device;
Browsing route generation means for extracting each WEB page browsed up to the virus-infected WEB page with reference to the browsing history information of the WEB page, and generating a browsing route diagram in which each extracted WEB page is displayed in the order of viewing When,
WEB access log comprising: site image information transmission means for reading a captured image of the virus-infected WEB page from the image information storage device and returning it to the request source in response to a browsing request for the virus-infected WEB page Confirmation system. The WEB access log confirmation system according to claim 1,
The WEB access log confirmation system is provided in a server computer device that controls connection between an internal network and the Internet.
The site image information transmitting means
In response to a browsing request for a virus-infected WEB page from a WEB browser provided in a terminal device connected in the internal network, a captured image of the virus-infected WEB page is read from the image information storage device and requested by the WEB browser Returned to
The browsing route generation means is
A WEB access log confirmation system, characterized in that, in response to a request from an administrator terminal device connected to the server computer device, the browsing route diagram is generated and output to the requesting administrator terminal device. The WEB access log confirmation system according to claim 2,
In response to a request from the administrator terminal device, each WEB page displayed above Ki閲 list flowsheet icons, and outputs to the requester administrator terminal device to display the WEB browser of the administrator terminal device A WEB access log confirmation system comprising browsing route automatic reproduction means. The WEB access log confirmation system according to claim 3,
The browsing route generation means is
The icon for the viral infection WEB page in the upper Ki閲 list flowsheet, displays in different forms the other WEB page icon, and the icon displayed in the WEB browser of the administrator terminal device, other A WEB access log confirmation system, characterized in that it is displayed in a form different from that on a WEB page. A WEB access log confirmation system according to any one of claims 1 to 4,
The browsing route generation means is
With the URL of the above virus-infected web page as the end point,
With reference to the link information of each WEB page included in the browsing history information, the process of obtaining the URL of the link source with the URL of the virus-infected WEB page as the end point is repeated until the URL of the link source is exhausted, WEB access log confirmation system, characterized in that to produce the above Ki閲 list route view the link source URL in the reverse order. A WEB access log confirmation system according to any one of claims 1 to 5,
Periodic browsing of the virus-infected WEB page in which the URL is stored in the virus detection information, and detection of virus infection by the virus scanning means for each periodic browsing detects the removal of the virus in the virus-infected WEB page. If so, a WEB access log confirmation system comprising an infected site periodic confirmation means for deleting the URL of the virus-infected WEB page from which the virus has been removed from the virus detection information. A WEB access log confirmation system according to any one of claims 1 to 6,
The image information acquisition means
In response to a browsing request for a WEB page linked to the virus-infected WEB page, a captured image of the WEB page is acquired.
The site image information transmitting means
A warning is sent to the browsing request source of the WEB page linked to the virus-infected WEB page, indicating that the WEB page is linked to the virus-infected WEB page with the captured image of the WEB page acquired by the image information acquisition means. A WEB access log confirmation system characterized by being returned together with message information. A WEB access log confirmation system according to any one of claims 1 to 7,
By using the browsing history information and the virus detection information and the viewing path diagram, with respect to the viral infection WEB page, detection date and time, access based on user name and computer name, URL of the WEB pages, the detected name of the virus, the above-mentioned A WEB access log confirmation system characterized by comprising anti-virus report creation means for generating and outputting an anti-virus report including at least a browsing route diagram. A method for checking a WEB access log of a system for generating and displaying a browsing route diagram showing a browsing route of a WEB page by programmed computer processing,
As a means of performing programmed computer processing,
Log acquisition means, virus scanning means, virus detection information acquisition means, image information acquisition means, browsing route generation means, and site image information transmission means,
A procedure for storing browsing history information of the WEB page in a log storage device by the log acquisition means;
A procedure for detecting virus infection of a web page being browsed by the virus scanning means;
A procedure for generating virus detection information including at least a URL of a WEB page (virus infected WEB page) in which virus infection has been detected by the virus scanning unit by the virus detection information acquiring unit and storing the virus detection information in a detection information storage device;
A procedure for acquiring a captured image of a WEB page (virus-infected WEB page) in which the virus scanning unit has detected a virus infection by the image information acquiring unit and storing the captured image in an image information storage device;
A browsing route diagram in which each browsing page up to the virus infected WEB page is extracted by referring to browsing history information of the WEB page by the browsing route generation means, and the extracted WEB pages are displayed as icons in the browsing order. The steps to generate
The site image information transmitting means includes a procedure of reading a captured image of the virus-infected WEB page from the image information storage device and returning it to the request source in response to a browsing request for the virus-infected WEB page. To check WEB access log. The WEB access log confirmation method according to claim 9,
The system is provided in a server computer device that controls connection between an internal network and the Internet,
The site image information transmitting means
In response to a browsing request for a virus-infected WEB page from a WEB browser provided in a terminal device connected in the internal network, a captured image of the virus-infected WEB page is read from the image information storage device and requested by the WEB browser Follow the steps to return to
The browsing route generation means is
WEB access log confirmation characterized in that, in response to a request from an administrator terminal device connected to the server computer device, a procedure for generating the browsing route diagram and outputting it to the requesting administrator terminal device is executed. Method. The WEB access log confirmation method according to claim 10,
As means for executing programmed computer processing, it comprises browsing route automatic reproduction means,
By the viewing path AutoPlay means, in response to a request from the administrator terminal device, each WEB page displayed above Ki閲 list flowsheet icons, and outputs to the requester administrator terminal apparatus the administrator A WEB access log confirmation method comprising a procedure of displaying on a WEB browser of a terminal device. The WEB access log confirmation method according to claim 11,
The browsing route generation means is
The icon for the viral infection WEB page in the upper Ki閲 list flowsheet, displays in different forms the other WEB page icon, and the icon displayed in the WEB browser of the administrator terminal device, other A WEB access log confirmation method characterized by executing a display procedure in a form different from that for a WEB page. A WEB access log confirmation method according to any one of claims 9 to 12,
The browsing route generation means is
With the URL of the above virus-infected web page as the end point,
With reference to the link information of each WEB page included in the browsing history information, the process of obtaining the URL of the link source with the URL of the virus-infected WEB page as the end point is repeated until the URL of the link source is exhausted, WEB access log verification method characterized by the steps of generating on Ki閲 list flowsheet the link source URL in the reverse order. A WEB access log how to check according to claim 13 claim 9,
As a means for executing programmed computer processing, an infected site periodic confirmation means is provided,
By the above means for regularly checking infected sites,
Periodic browsing of the virus-infected WEB page in which the URL is stored in the virus detection information, and detection of virus infection by the virus scanning means for each periodic browsing detects the removal of the virus in the virus-infected WEB page. If so, a WEB access log confirmation method comprising a step of deleting, from the virus detection information, the URL of the virus-infected WEB page from which the virus has been removed. A WEB access log confirmation method according to any one of claims 9 to 14,
The image information acquisition means
In response to a browsing request for a WEB page linked to the virus-infected WEB page, a procedure for acquiring a captured image of the WEB page is executed.
The site image information transmitting means
A warning is sent to the browsing request source of the WEB page linked to the virus-infected WEB page, indicating that the WEB page is linked to the virus-infected WEB page with the captured image of the WEB page acquired by the image information acquisition means. A WEB access log confirmation method characterized by executing a procedure of returning together with message information. A WEB access log confirmation method according to any one of claims 9 to 15,
As a means for executing programmed computer processing, an anti-virus report preparation means is provided,
The above antivirus report preparation means is
By using the browsing history information and the virus detection information and the viewing path diagram, with respect to the viral infection WEB page, detection date and time, access based on user name and computer name, URL of the WEB page, the detected name of the virus, the above-mentioned A WEB access log confirmation method characterized by executing a procedure for generating and outputting an anti-virus report including at least a browsing route diagram.   A program for causing a computer to execute a procedure by each means in the WEB access log confirmation method according to any one of claims 9 to 16.

Images