JP5691539B2 - Information processing method, program, information processing apparatus, and information processing system - Google Patents

Description

  The present invention relates to an information processing method, a program, an information processing apparatus, and an information processing system for processing input information input to an information processing apparatus having a control unit.

  A method of comparing an action pattern with a pattern registered in advance in a database and detecting an abnormality is disclosed (for example, see Patent Documents 1 to 3).

JP 2000-306177 A JP 2005-96674 A JP 2006-31706 A

  However, the conventional technique simply compares the pattern registered in the database in advance with the action pattern, and has a problem that it cannot detect an abnormality according to a change in the situation.

  The present invention has been made in view of such circumstances. An object of the present invention is to provide an information processing method and the like that can appropriately detect an abnormality according to an increase or decrease in risk.

  The information processing method disclosed in the present application is an information processing method for processing input information input to an information processing apparatus having a control unit. The control unit acquires risk increase / decrease information, and the control unit acquires the risk increase / decrease information. Based on the risk increase / decrease information, the first threshold range stored in the storage unit or the second threshold range stored in the storage unit is corrected, and the control unit determines whether the value based on the input information exceeds the first threshold range. When the control unit determines that the first threshold range is exceeded, the control unit determines whether or not the number of times that the control exceeds the second threshold range or whether the time exceeds the second threshold range. When it is determined that the threshold value range is exceeded, abnormality information is output.

  According to one aspect of the present application, it is possible to appropriately detect an abnormality according to a change in state.

It is a schematic diagram which shows the outline | summary of an information processing system. It is a block diagram which shows the hardware group of a personal computer. It is a block diagram which shows the hardware group of a fingerprint authentication apparatus. It is a block diagram which shows the hardware group of a management computer. It is a block diagram which shows the hardware group of a server computer. It is explanatory drawing which shows the record layout of log | history DB. It is explanatory drawing which shows the record layout of a security policy table. It is explanatory drawing which shows the record layout of a distribution table. It is explanatory drawing which shows the record layout of a range table. It is a graph which shows the change of the 1st threshold range, the 2nd threshold range, and the number of application operation instructions. It is a graph which shows the change of the 1st threshold range, the 2nd threshold range, and application operation command accumulation number. It is an image figure at the time of outputting abnormal information. It is a flowchart which shows the procedure of a reference value calculation process. It is a flowchart which shows the determination process procedure of a 1st threshold range and a 2nd threshold range. It is a flowchart which shows the determination process procedure of a 1st threshold range and a 2nd threshold range. It is explanatory drawing which shows the record layout of an environment file. It is a flowchart which shows the correction process procedure of a 1st threshold range and a 2nd threshold range. It is a flowchart which shows the correction process procedure of a 1st threshold range and a 2nd threshold range. It is a flowchart which shows the correction process procedure of a 1st threshold range and a 2nd threshold range. It is a flowchart which shows the correction process procedure of a 1st threshold range and a 2nd threshold range. It is a flowchart which shows the correction process procedure of a 1st threshold range and a 2nd threshold range. It is a flowchart which shows the correction process procedure of a 1st threshold range and a 2nd threshold range. It is a flowchart which shows the procedure of an abnormality determination process. It is a flowchart which shows the procedure of an abnormality determination process. It is a graph which shows the time change of the change rate of the number of application operation instructions. 10 is a flowchart showing a procedure of abnormality determination processing according to the second embodiment. 10 is a flowchart showing a procedure of abnormality determination processing according to the second embodiment. FIG. 10 is a block diagram illustrating a hardware group of a server computer according to a third embodiment. It is explanatory drawing which shows the input image of correspondence information. It is explanatory drawing which shows the record layout of abnormality log | history DB. It is a flowchart which shows the memory | storage process procedure of corresponding | compatible information. It is a flowchart which shows the memory | storage process procedure of corresponding | compatible information. It is a flowchart which shows the correction process procedure of a 1st threshold range and a 2nd threshold range. It is a flowchart which shows the correction process procedure of a 1st threshold range and a 2nd threshold range. It is a flowchart which shows the correction process procedure of a 1st threshold range and a 2nd threshold range. It is explanatory drawing which shows the record layout of a 1st threshold range file. It is explanatory drawing which shows the record layout of a 2nd threshold range file. It is a flowchart which shows the calculation process procedure of change amount. It is a flowchart which shows the calculation process procedure of change amount. It is a flowchart which shows the calculation process procedure of change amount. It is a flowchart which shows the calculation process procedure of change amount. It is a flowchart which shows the procedure of the adjustment process of a 2nd threshold range. FIG. 10 is a schematic diagram illustrating an overview of an information processing system according to a sixth embodiment. It is a functional block diagram which shows operation | movement of the server computer or personal computer of the form mentioned above. FIG. 20 is a block diagram illustrating a hardware group of a server computer according to a seventh embodiment.

Embodiment 1
Hereinafter, embodiments will be described with reference to the drawings. FIG. 1 is a schematic diagram showing an outline of an information processing system. The information processing system includes a central device (information processing device) 1, terminal devices 2A to 2D (hereinafter represented by 2 in some cases), a management device 3, a notification device 4, and the like. The central device 1 is, for example, a server computer or a personal computer. Below, the central apparatus 1 is demonstrated as what is the server computer 1 as an example. The terminal devices 2A to 2C are, for example, personal computers, PDAs (Personal Digital Assistance), mobile phones, book readers, and the like. In the present embodiment, the terminal devices 2A to 2C are assumed to be personal computers as an example. Hereinafter, the terminal devices 2A to 2C are referred to as personal computers 2.

  The terminal device 2D is an entrance / exit management device provided at a facility entrance such as a room or a building where the terminal devices 2A to 2C are installed. The terminal device 2D performs authentication using an IC (integrated circuit) card, a magnetic card, or the like, or authentication using biometric information such as a fingerprint, a voiceprint, and a palm vein. When the authentication is successful, the terminal device 2D releases the lock and permits entry into the facility. An example using a fingerprint authentication device will be described as an example of the terminal device 2D. Hereinafter, the terminal device 2D is referred to as a fingerprint authentication device 2D.

  The management device 3 is, for example, a personal computer, a PDA (Personal Digital Assistance), a mobile phone, a server computer, or a book reader. In this embodiment, the management apparatus 3 is assumed to be a personal computer as an example. Hereinafter, the management device 3 is referred to as a management computer 3. The notification device 4 is, for example, a company server computer that provides information on computer viruses (hereinafter referred to as viruses), information on vaccines against viruses, and the like. The notification device 4 is a server computer of a company that provides information on OS (operating system) or browser vulnerability, or a company that provides patches for overcoming the vulnerability. In addition, the notification device 4 is an authentication server computer that provides information on safety based on the installation status of software in each personal computer 2, the presence or absence of a digital certificate, the encryption status of communication, and the implementation status of hardware. Also good. Below, the communication apparatus 4 is demonstrated as the security server 4 which provides the information regarding a virus and a vaccine.

  The server computer 1, the management computer 3, the personal computer 2, the fingerprint authentication apparatus 2D, and the security server 4 are connected to each other via a communication network N such as the Internet, a LAN (Local Area Network), or a mobile phone network. The server computer 1, the management computer 3, the personal computer 2, the fingerprint authentication device 2D, and the security server 4 transmit / receive information by using HTTP (HyperText Transfer Protocol) or the like.

  The server computer 1 monitors values based on input information transmitted from the personal computer 2 and the fingerprint authentication device 2D. The server computer 1 determines whether or not the value based on the input information exceeds the first threshold range. The server computer 1 outputs abnormality information to the management computer 3 when the number of times or time determined to exceed exceeds the second threshold range. Thus, the operator can know the abnormal behavior of the user through the personal computer 2 or the fingerprint authentication device 2D.

  The security server 4 transmits information indicating that a virus has occurred or information indicating that a vaccine has been generated to the server computer 1. The server computer 1 obtains risk increase / decrease information by receiving information indicating that a virus has occurred or information indicating that a vaccine has been generated from the security server 4. The server computer 1 corrects the first threshold range or the second threshold range to be smaller when it is determined that the risk increases based on the risk increase information indicating that a virus has occurred. Note that both the first threshold range and the second threshold range may be reduced. In the present embodiment, an example in which both are reduced will be described.

  On the other hand, when the security server 4 receives information indicating that the vaccine has been generated, the server computer 1 determines that the risk has decreased, and greatly corrects the first threshold range or the second threshold range. Note that both the first threshold range and the second threshold range may be increased. In this embodiment, an example in which both are increased will be described. The server computer 1 detects the presence / absence of an abnormality from the value based on the input information using the corrected first threshold range and second threshold range. Details will be described below.

  FIG. 2 is a block diagram showing a hardware group of the personal computer 2. The personal computer 2 includes a CPU (Central Processing Unit) 21 as a control unit, a RAM (Random Access Memory) 22, an input unit 23, a display unit 24, a storage unit 25, a communication unit 26, and the like. The CPU 21 is connected to each part of the hardware via the bus 27. CPU21 controls each part of hardware according to control program 25P memorized by storage part 25. The RAM 22 is, for example, an SRAM (Static RAM), a DRAM (Dynamic RAM), a flash memory, or the like. The RAM 22 also functions as a storage unit, and temporarily stores various data generated when the CPU 21 executes various programs.

  The input unit 23 is an input device such as a mouse, a keyboard, or a touch panel, and outputs received operation information to the CPU 21. The display unit 24 is a liquid crystal display, an organic EL (electroluminescence) display, or the like, and displays various information according to instructions from the CPU 21. The RAM 22 is, for example, SRAM, DRAM, flash memory or the like. The communication unit 26 is a wired or wireless LAN card and transmits / receives information to / from the server computer 1 or the like via the communication network N. The storage unit 25 is, for example, a hard disk or a large-capacity flash memory, and stores the control program 25P.

  FIG. 3 is a block diagram showing a hardware group of the fingerprint authentication device 2D. The fingerprint authentication device 2D includes a control unit 201, a storage unit 205, a fingerprint input unit 203, a display unit 204, a communication unit 206, a lock unit 208, and the like. The control unit 201 is, for example, a microprocessor, and controls each hardware according to a control program 205P stored in the storage unit 205. The storage unit 205 is, for example, an SRAM, a DRAM, a flash memory, a hard disk, or the like. The storage unit 205 stores a fingerprint data file 2051 that stores fingerprint data of each user and user identification information (hereinafter referred to as a user ID). Note that the fingerprint data file 2051 may be stored in another computer connected via the communication unit 206.

  The control program 205P is a program for performing fingerprint authentication. The fingerprint input unit 203 reads the fingerprint and outputs the read fingerprint data to the control unit 201. The control unit 201 determines whether the fingerprint data input according to the control program 205P matches the fingerprint data stored in the fingerprint data file 2051. The display unit 204 is a light emitting element such as an organic EL display, a liquid crystal display, or an LED (Light-Emitting Diode), for example, and displays various types of information according to instructions from the control unit 201. When the authentication is successful, the control unit 201 outputs a lock release signal to the lock unit 208. The lock unit 208 locks and unlocks a door (not shown).

  The lock unit 208 normally locks the door, and when the lock release signal is received from the control unit 201, the lock is released for a predetermined time. The lock unit 208 locks the door after a predetermined time has elapsed or when the door is closed. When the authentication is successful, the control unit 201 reads the user ID corresponding to the fingerprint data from the fingerprint data file 2051. The control unit 201 transmits to the server computer 1 an authentication success information storage command including the user ID of the user who has performed authentication and the authentication success information via the communication unit 206. If the authentication fails, the control unit 201 transmits an authentication failure information storage command to the server computer 1 via the communication unit 206.

  FIG. 4 is a block diagram showing a hardware group of the management computer 3. The management computer 3 includes a CPU 31 as a control unit, a RAM 32, an input unit 33, a display unit 34, a storage unit 35, a communication unit 36, a clock unit 38, and the like. The CPU 31 is connected to each part of the hardware via the bus 37. The CPU 31 controls each part of the hardware according to the control program 35P stored in the storage unit 35.

  The input unit 33 is an input device such as a mouse, a keyboard, or a touch panel, and outputs received operation information to the CPU 31. The display unit 34 is a liquid crystal display, an organic EL display, or the like, and displays various information according to instructions from the CPU 31. The RAM 32 is, for example, SRAM, DRAM, flash memory or the like. The RAM 32 temporarily stores various data generated when the CPU 31 executes various programs. The communication unit 36 is a wired or wireless LAN card and transmits / receives information to / from the server computer 1 or the like via the communication network N. The clock unit 38 outputs the date and time to the CPU 31. The storage unit 35 is, for example, a hard disk or a large-capacity flash memory. In the storage unit 35, a personnel file 351 storing information related to personnel of the user who uses the personal computer 2 is stored. The storage unit 35 also stores an environment file 352 that stores environment information indicating the status of hardware and software of the personal computer 2, the server computer 1, or the fingerprint authentication device 2D. Details of the personnel file 351 and the environment file 352 will be described later.

  FIG. 5 is a block diagram showing a hardware group of the server computer 1. The server computer 1 includes a CPU 11, a RAM 12, an input unit 13, a display unit 14, a storage unit 15, a clock unit 18, a communication unit 16, and the like as control units. The CPU 11 is connected to each part of the hardware via the bus 17. The CPU 11 controls each hardware and executes software functions according to the application program 15A and the control program 15P stored in the storage unit 15.

  The communication unit 16 is a gateway or the like that functions as a firewall, and transmits and receives information to and from the personal computer 2, the management computer 3, the fingerprint authentication device 2 </ b> D, the security server 4, and the like. The input unit 13 is an input device such as a mouse and a keyboard or a touch panel. The input unit 13 outputs the received operation information to the CPU 11. The display unit 14 is a liquid crystal display, an organic EL (electroluminescence) display, or the like, and displays various information according to instructions from the CPU 11. The clock unit 18 outputs time information to the CPU 11. The RAM 12 is, for example, SRAM, DRAM, flash memory or the like. The RAM 12 also functions as a storage unit, and temporarily stores various data generated when the CPU 11 executes various programs.

  The storage unit 15 is, for example, a hard disk or a large capacity memory. The storage unit 15 stores the above-described control program 15P and application program 15A. The storage unit 15 further stores a history database (hereinafter referred to as DB) 153, a first threshold range file 151, a second threshold range file 152, a security policy table 154, a distribution table 155, a range table 156, and the like. The application program 15A is, for example, a CAD (Computer Aided Design) program, a document creation program, a spreadsheet program, a mailer, a scheduler, an image editing program, or the like. The CPU 11 of the server computer 1 receives input information from the personal computer 2 via the communication unit 16.

  The CPU 11 executes the application program 15A according to the input information and transmits the execution result to the personal computer 2. The CPU 11 stores the input information transmitted from the personal computer 2 in the history DB 153.

  FIG. 6 is an explanatory diagram showing a record layout of the history DB 153. The history DB 153 stores input information in association with the date and time for each user ID. The history DB 153 includes a date / time field and an input information field. The date and time field stores the date and time when input information is transmitted from the personal computer 2 and input information is input to the server computer 1 via the communication unit 16. When the input information is input, the CPU 11 refers to the date and time output from the clock unit 18 and stores it in the date and time field. The date and time may be stored with reference to the date and time information attached to the data packet of the input information.

  The input information field stores the input command, the amount of data processed based on the command, and the number of attached files. For example, the command field stores a command transmitted from the personal computer 2 or the fingerprint authentication device 2D in association with the date and time. When fingerprint authentication is successful, the fingerprint authentication device 2D transmits an authentication success information storage command including authentication success information and a user ID to the server computer 1. When receiving the authentication success information storage command, the CPU 11 of the server computer 1 stores the command in association with the user ID and the date and time. When an authentication failure information storage command is transmitted from the fingerprint authentication device 2D, the CPU 11 stores an authentication success information storage command in the history DB 153 in association with the date and time.

  A user who uses the personal computer 2 inputs an ID and a password from the input unit 23 and logs in. The CPU 21 transmits a login request together with the ID and password to the server computer 1. When the login request is received, the login request is stored as input information in association with the user ID and the date and time. In FIG. 6, only the history of the user with the user ID “001” is displayed for easy explanation.

  Other input commands include a mailer activation request, email transmission, email reception, activation of an application program 15A (hereinafter referred to as application 15A), and the like. The application operation is an instruction for deleting / copying / pasting a file stored in the storage unit 15 using a moving image reproduction instruction in the moving image application or a file management application. In addition, there are an operation command for editing and inputting data in the CAD application, a save command for saving a file in the document creation application, and the like. Hereinafter, in order to facilitate the description, operation commands for the various applications 15A are collectively referred to as application operation commands.

  The processing data amount is, for example, a data amount when data is transmitted / received by a mailer, a data amount when data stored in the storage unit 15 is downloaded to the personal computer 2, and the like. The number of attached files is, for example, the number of attached files when transmitted / received by a mailer. In the example of FIG. 6, it is stored that three attached files of a total of 1.5 MB were transmitted at 10:10:20 on October 21 according to the mail transmission command. In the present embodiment, the year is omitted for easy explanation.

  CPU11 counts the value based on input information for every user time for every user ID. The value based on the input information is the number of instructions input to the server computer 1, the amount of data processed based on the instructions, or the number of attached files transmitted / received based on the instructions. The number of instructions is, for example, the number of authentication success information storage instructions, the number of authentication failure information storage instructions, the number of login requests, the number of mailer activation requests, the number of mail transmission / reception, the number of application operation instructions, and the like. The unit time is, for example, 10 minutes, 1 hour, 1 day, or the like. In the present embodiment, the unit time is assumed to be one hour, but the present invention is not limited to this.

  If the number of login requests counted is excessively large during one hour, the CPU 11 determines that the sign is fraudulent. Also, when the number of application operation commands is abnormally large or abnormally small, it is determined that the sign is fraudulent. The CPU 11 calculates the total value of the data amount per unit time. When the total value of the data amount per unit time is abnormally large, the CPU 11 determines that it is a sign of fraud. The CPU 11 counts the number of attached files per unit time. The CPU 11 determines that it is a sign of fraud even when the number of attached files per unit time is abnormally large. Hereinafter, for ease of explanation, the CPU 11 will be described assuming that the number of application operation commands per unit time is an example of a value based on input information.

  FIG. 7 is an explanatory diagram showing a record layout of the security policy table 154. The security policy table 154 stores points that change according to past incident situations, target confidentiality, target strength, and the like. As the types of past incident situations (a in FIG. 7), for example, for the server computer 1, a serious incident occurs (a3 in FIG. 7), a minor incident occurs (a2 in FIG. 7), and no incident occurs ( In FIG. 7, it is classified into three, a1). If a serious incident occurs, the highest score is awarded. If a minor incident occurs, the next highest score is awarded for the highest score. If no incident has occurred, the lowest score will be awarded.

  The types of confidentiality (b in FIG. 7) of the target include confidential information related to the server computer 1 (b3 in FIG. 7), confidential information (b2 in FIG. 7), and confidentiality. There are three types, none (b1 in FIG. 7). The highest score is given when handling confidential information outside the company concerned. When handling confidential information, the next highest score is given. If confidentiality is not required, the lowest score is awarded.

  As the type of countermeasure strength (c in FIG. 7), for example, no countermeasures are taken (c3 in FIG. 7) and rules are provided (c2 in FIG. 7) for the server computer 1, depending on the information processing technology. There are three types of restrictions (c1 in FIG. 7). For example, the rule is that the personal computer 2 can be operated only by authorized permanent employees. The restriction by the information processing technology means that, for example, biometric authentication is requested at the time of login of the personal computer 2, data transmitted / received between the personal computer 2 and the server computer 1 is encrypted, and the like. .

  If no measures are taken, the highest score is awarded. If a rule is provided, the next highest score is awarded. When the information processing technology is limiting, the lowest score is given. In the example of FIG. 7, a3, b3, and c3 are assigned a score of “3”, a2, b2, and c2 are assigned a score of “2”, and a1, b1, and c1 are assigned a score of “1”. The past incident status, the confidentiality of the target, and the type of the target strength may be input from the input unit 13. In addition, an operator may input from the input unit 33 of the management computer 3 and transmit it to the server computer 1 via the communication unit 36. When the CPU 11 of the server computer 1 receives the past incident situation, the confidentiality of the target, and the type of the target strength, the CPU 11 refers to the security policy table 154 and extracts the score.

  For example, when a serious incident occurs (a3 in FIG. 7), confidential information is handled (b2 in FIG. 7), and a restriction is imposed by information processing technology (c1 in FIG. 7), the score is Becomes “6”. CPU11 determines the 1st threshold range and the 2nd threshold range based on the score regarding these security policies. In the present embodiment, the higher the score, the smaller the first threshold range and the second threshold range. Note that only one of the first threshold range and the second threshold range may be determined based on the score regarding the security policy. In the present embodiment, an example in which the score is extracted using the security policy table 154 has been described, but the present invention is not limited to this. For example, the operator may manually input points according to the security policy from the input unit 13 or the input unit 33 of the management computer 3.

  If the security policy is high and strictly operated in terms of safety, a high score may be input. If the security policy is low and it is used loosely in terms of safety, a low score should be entered. The CPU 11 receives the score input from the input unit 13 or the score input through the input unit 33 of the management computer 3 and stores it in the storage unit 15.

  FIG. 8 is an explanatory diagram showing a record layout of the distribution table 155. The distribution table 155 stores points in association with the distribution. The distribution field stores the size of distribution related to the number of application operation commands per unit time. Specifically, the dispersion field is classified as large, medium, and small according to the range of the calculated dispersion value. When the variance value is large and there are many variations, it becomes large. On the other hand, when the dispersion value is small and the variation is small, the value is small. In the present embodiment, the classification is classified into three, large, medium, and small. In this embodiment, an example using variance is given as an example, but a standard deviation that is a square root of variance may be used. In the score field, a score is stored in association with the size of the variance. The stored contents of the distribution table 155 may be changed by the operator through the input unit 13 or the input unit 33 of the management computer 3.

  FIG. 9 is an explanatory diagram showing a record layout of the range table 156. The range table 156 stores the upper limit coefficient of the first threshold range, the lower limit coefficient of the first threshold range, and the second threshold range coefficient in association with the score. In the score field, points for determining the first threshold range and the second threshold range are stored. In the first threshold range upper limit field, a coefficient is stored in association with the score. The first threshold range upper limit field stores a coefficient for decreasing the range as the score increases, that is, as the safety requirement increases. For example, the average value of all users of the number of application operation commands per unit time at 2 pm is “10”. When the score is “9” and a high level of safety is required, the upper limit of the first threshold range is “13” by multiplying “10” by the coefficient “1.3”. On the other hand, when the score is “3” and high safety is not required, “10” is multiplied by the coefficient “2.5”, and the upper limit of the first threshold range is “25”.

  In the first threshold range lower limit field, a lower limit coefficient of the first threshold range is stored in association with the score. The first threshold range lower limit field stores a coefficient for decreasing the range as the score increases, that is, as the safety requirement increases. The CPU 11 adds the score read from the security policy table 154 and the score read from the distribution table 155. When the total score is “9” and high safety is required, the lower limit of the first threshold range is “8” by multiplying “10” by the coefficient “0.8”. On the other hand, when the score is “3” and high safety is not required, “10” is multiplied by the coefficient “0.2”, and the lower limit of the first threshold range is “2”. Thereby, in the case of a score “9” that requires a high degree of safety, the first threshold range is narrowed to “8 to 13”. In the case of a score “3” where high safety is not required, the first threshold range is “2 to 25” and the range becomes wide. The CPU 11 stores the calculated first threshold range in the first threshold range file 151.

  The coefficient may be input by the operator from the input unit 13 or the input unit 33 of the management computer 3 according to the security policy. The CPU 11 stores the input coefficient in the range table 156 in association with the score. In the present embodiment, the coefficient is multiplied, but may be added when calculating the first threshold range upper limit. Further, when the first threshold range lower limit is calculated, it may be subtracted. The value to be added and the value to be subtracted are merely examples, and the added value and the subtracted value may be the same value.

  In the present embodiment, the average value of all users of the number of application operation commands per unit time is used as the reference value to be multiplied by the coefficient, but the present invention is not limited to this. For example, an average value per unit time for a plurality of days of one user may be used. In addition to the average value, a mode value or a median value in the statistics of one user or a plurality of users may be used. In addition, it may be a value appropriately set by the operator. In the present embodiment, as an example, an average value of the number of application operation commands per unit time of a plurality of users will be described as a reference value. Specifically, the CPU 11 refers to the history DB 153, reads the number of application operation commands of each user for each time period, calculates an average value, and sets it as a reference value.

  In the second threshold range field, a coefficient is stored in association with the score. As the coefficient of the second threshold range, a value that increases as the score decreases, that is, as the level of safety requirement decreases, is stored. The storage unit 15 stores a reference time. The reference time is, for example, 3 hours. If the score is “9” and high safety is required, 3 hours is multiplied by the coefficient “1.0”, and the second threshold range remains 3 hours. For example, if the time exceeding the upper limit of the first threshold range exceeds 3 hours, it is determined as abnormal. On the other hand, when the score is “3” and a high degree of safety is not required, the coefficient “1.4” is multiplied by 3 hours, and the second threshold range is 4.2 hours. In this case, if the time exceeding the upper limit of the first threshold range exceeds 4.2 hours, it is determined as abnormal. The CPU 11 stores the calculated second threshold range in the second threshold range file 152. In the present embodiment, an example is given in which the reference time is multiplied by a coefficient, but the coefficient may be added or subtracted. Further, a reference number may be used in addition to the reference time. The CPU 11 may determine that an abnormality has occurred when the number of times that the upper limit of the first threshold range is exceeded exceeds a value obtained by multiplying the reference number by a coefficient. In the present embodiment, an example using the reference number will be described for ease of explanation.

  FIG. 10 is a graph showing changes in the first threshold range, the second threshold range, and the number of application operation commands. The horizontal axis in FIG. 10 is time. The vertical axis represents the number of application operation instructions. In the series indicated by black circles, the upper side shows the temporal change of the upper limit of the first threshold range, and the lower side shows the lower limit of the first threshold range. A series indicated by white circles is the number of application operation commands per unit time input to the server computer 1 through the input unit 23 of the personal computer 2 of the user to be monitored. It can be understood that the number of input application operation commands exceeds the upper limit of the first threshold range at 10 o'clock.

  The second threshold range is indicated by a horizontal arrow. An abnormality is output when the first threshold range is exceeded for more than 3 hours. The CPU 11 determines that it is abnormal because it exceeds 3 hours of the second threshold range even at 13:00. In the present embodiment, an example in which the first threshold range is set for each time zone and the number of application operation commands is monitored for each time zone has been described, but the present invention is not limited to this. The first threshold range may be set based on the cumulative number, and the cumulative number of application operation instructions may be monitored.

  FIG. 11 is a graph showing changes in the first threshold range, the second threshold range, and the cumulative number of application operation instructions. The horizontal axis in FIG. 11 is time. The vertical axis represents the cumulative number of application operation instructions. In the series indicated by black circles, the upper side shows the temporal change of the upper limit of the first threshold range, and the lower side shows the lower limit of the first threshold range. A series indicated by white circles is the cumulative number of application operation instructions input to the server computer 1 through the input unit 23 of the personal computer 2 of the user to be monitored. It can be understood that the accumulated number of input application operation commands exceeds the upper limit of the first threshold range at 12:00.

  The second threshold range is indicated by a horizontal arrow. An abnormality is output when the first threshold range is exceeded for more than 3 hours. The CPU 11 determines that it is abnormal because it exceeds 3 hours of the second threshold range even at 15:00.

  FIG. 12 is an image diagram when the abnormality information is output. When the CPU 11 determines that there is an abnormality, the CPU 11 reads the date and time from the clock unit 18 and reads the user ID related to the abnormality. The CPU 11 describes the date, time zone, and user ID in the template text stored in the storage unit 15. As shown in FIG. 12, at 10 o'clock on October 21, it is output that an abnormality has occurred regarding the user ID “001”. The CPU 11 outputs abnormality information to the display unit 14. In addition, the CPU 11 outputs abnormality information to the management computer 3 via the communication unit 16. When the CPU 31 of the management computer 3 receives the abnormality information, the CPU 31 displays the abnormality information on the display unit 34. Note that the CPU 11 may read the operator's mail address stored in the storage unit 15 and send the abnormality information to the read mail address by e-mail. In addition, the CPU 11 may output abnormality information to the personal computer 2 with the user ID “001” detected as abnormal. The output of the abnormality information is not limited to the output to the display unit 14 or the display unit 34. For example, sound output from a speaker (not shown) or light output from a light emitting element (not shown) may be used. In the present embodiment, for ease of explanation, an example in which abnormality information is output to the management computer 3 will be described.

  FIG. 13 is a flowchart showing the procedure of the reference value calculation process. The CPU 11 counts the number of application operation commands for each time period from the history DB 153 (step S31). Similarly, the CPU 11 goes back within a predetermined period and counts the number of application operation commands for each time zone. For example, the predetermined period may be one weekday. CPU11 calculates the average of the number of application operation instructions for every time slot | zone within a predetermined period (step S32). The CPU 11 performs the above processing for a predetermined number of users. Thereby, the average number of application operation commands for each time zone is calculated for each of a plurality of users.

  The CPU 11 calculates the average number of application operation commands for each time period by adding the average number of application operation commands for each time period for each user and dividing by the number of users (step S33). CPU11 memorize | stores in the memory | storage part 15 by making the average application operation command number classified by time zone into a reference value (step S34). In the present embodiment, the average number of application operation commands is calculated for each time period, but the present invention is not limited to this. The average number of application operation instructions per day may be calculated. Further, although the average number of application operation commands of a plurality of users is used as a reference value, the average number of application operation commands of one user may be used as a reference value. The above-described calculation of the reference value may be performed every predetermined period (for example, every week).

  FIG. 14 and FIG. 15 are flowcharts showing the procedure for determining the first threshold range and the second threshold range. The operator inputs the past incident situation, the confidentiality of the target, and the strength of the target from the input unit 33 of the management computer 3. Note that these levels of information may be input at a plurality of levels as described with reference to FIG. The CPU 31 transmits the past incident status, target confidentiality, and target strength input from the input unit 33 to the server computer 1 via the communication unit 36. The CPU 11 of the server computer 1 receives the past incident situation, the confidentiality of the target, and the strength of the target via the communication unit 16 (step S131).

  The CPU 11 reads, from the security policy table 154, points corresponding to the received past incident status, target confidentiality, and target strength level (step S132). The CPU 11 refers to the history DB 153 and counts the number of application operation commands for each user (step S133). Note that the CPU 11 may count the number of application operation commands in one or a plurality of time periods in addition to counting the number of application operation commands for one day. In the present embodiment, an example in which the number of application operation commands for one day is counted will be described.

  CPU11 performs the process of step S133 about a some user. The CPU 11 calculates the average value of the number of application operation commands of a plurality of users (step S134). The CPU 11 calculates the variance based on the average value and the number of application operation commands of each user (step S135). Specifically, the variance is calculated by subtracting the average value from the number of application operation commands of each user and dividing the sum of the squares of the reduced values by the number of users. In the present embodiment, the variance is calculated based on the number of application operation commands of a plurality of users, but the present invention is not limited to this. You may calculate the dispersion | distribution of one user for several days.

  The CPU 11 refers to the distribution table 155 and reads the score corresponding to the calculated distribution (step S136). The CPU 11 adds the score read in step S132 and the score read in step S136 (step S137). The CPU 11 refers to the range table 156, and reads the upper limit coefficient of the first threshold range, the lower limit coefficient of the first threshold range, and the second threshold range coefficient corresponding to the added score (step S138). CPU11 reads the reference value memorize | stored in the memory | storage part 15 (step S139).

  The CPU 11 multiplies the reference value of each time zone by the upper limit coefficient of the first threshold range, and multiplies the reference value of each time zone by the lower limit coefficient of the first threshold range to determine the first threshold range (step S141). The CPU 11 stores the first threshold range in the first threshold range file 151 (step S142). The CPU 11 reads the reference time stored in the storage unit 15 (step S143). The CPU 11 multiplies the calculated second threshold range coefficient by the reference time (step S144). The CPU 11 stores the multiplied value in the second threshold range file 152 (step S145). In this embodiment, an example using both the score based on the security policy table 154 and the score based on the distributed table has been described, but the present invention is not limited to this. Either one may be used.

  When the CPU 11 of the server computer 1 receives the risk increase / decrease information, the CPU 11 corrects the first threshold range and the second threshold range according to the risk increase / decrease. For example, when the risk increases due to the increase / decrease information, the first threshold range and the second threshold range are corrected to be small. When the risk decreases due to the increase / decrease information, the first threshold range and the second threshold range are corrected to be increased. In the present embodiment, an example in which both the first threshold range and the second threshold range are corrected according to the accepted risk increase / decrease information will be described. However, either the first threshold range or the second threshold range is described. Either one may be used.

  The change in risk may be due to an external factor or an internal factor, for example. The case where the external factor changes is when information on a new virus is received. The information regarding the virus includes, for example, information indicating that a virus as a new threat has occurred and information indicating that a vaccine for the generated virus has been generated. The former is information indicating that the risk has increased, and the latter is information indicating that the risk has decreased. The security server 4 transmits information indicating that a virus has been generated (hereinafter referred to as virus generation information) and information indicating that a vaccine has been generated (hereinafter referred to as vaccine generation information) to the server computer 1.

  The CPU 11 acquires virus generation information and vaccine generation information, which are risk increase / decrease information, via the communication unit 16. The CPU 11 reads the first correction amount (for example, the number of application operation instructions “twice”) stored in advance in the storage unit 15. When acquiring the virus occurrence information indicating that the risk has increased, the CPU 11 reads the upper and lower limits of the first threshold range stored in the first threshold range file 151 to reduce the first threshold range. The CPU 11 subtracts the first correction amount from the upper limit of the first threshold range, and adds the first correction amount to the lower limit of the first threshold range. The CPU 11 stores the corrected upper and lower limits of the first threshold range in the first threshold range file 151.

  On the other hand, when acquiring the vaccine generation information indicating that the risk has decreased, the CPU 11 reads the upper and lower limits of the first threshold range stored in the first threshold range file 151 in order to increase the first threshold range. The CPU 11 adds the first correction amount to the upper limit of the first threshold range, and subtracts the first correction amount from the lower limit of the first threshold range. The CPU 11 stores the corrected upper and lower limits of the first threshold range in the first threshold range file 151. In the present embodiment, an example in which virus generation information and vaccine generation information are transmitted from the security server 4 to the server computer 1 is shown, but the present invention is not limited to this. For example, the operator may input virus generation information and vaccine generation information from the input unit 33 of the management computer 3. The CPU 31 of the management computer 3 transmits virus occurrence information and vaccine generation information to the server computer 1 via the communication unit 36. The CPU 11 of the server computer 1 acquires virus generation information and vaccine generation information via the communication unit 16.

  The CPU 11 reads the second threshold range from the second threshold range file 152. The CPU 11 reads out a second correction amount (for example, 20 minutes) stored in advance from the storage unit 15. When acquiring the virus occurrence information indicating that the risk has increased, the CPU 11 reads the second threshold range stored in the second threshold range file 152 in order to reduce the second threshold range. The CPU 11 subtracts the second correction amount from the second threshold range. The CPU 11 stores the corrected second threshold range in the second threshold range file 152.

  Other external factors include changes in laws related to information processing systems. For example, assume that the information processing system handles personal information. Here, when the Personal Information Protection Law is revised, external factors have changed. According to the Personal Information Protection Law, stricter management of personal information handled by the server computer 1 is required. If this is violated, the risk increases when legal responsibility arises. On the other hand, if the personal information handled by the server computer 1 is no longer protected due to the revision of the Personal Information Protection Law, the risk is reduced. The operator inputs, from the input unit 33 of the management computer 3, increase / decrease information indicating that the risk has increased or the risk has decreased with the revision of the law. The CPU 31 of the management computer 3 transmits risk increase / decrease information to the server computer 1 via the communication unit 36. The CPU 11 of the server computer 1 acquires risk increase / decrease information via the communication unit 16.

  The case where the internal factor changes is, for example, a case where the use environment of the server computer 1, the management computer 3, the personal computer 2, or the fingerprint authentication device 2D changes. In the following, an example where the use environment of the personal computer 2 to be monitored has changed will be described as an example. The use environment is, for example, a hardware environment or a software environment of the personal computer 2.

  FIG. 16 is an explanatory diagram showing a record layout of the environment file 352. The environment file 352 stores a hardware environment and a software environment for each personal computer 2. The environment file 352 includes a terminal ID field, a hardware environment field, a software environment field, and the like. In the terminal ID field, identification information (hereinafter referred to as a terminal ID) for specifying the personal computer 2 is stored. The hardware environment includes, for example, an authentication method when logging in to the server computer 1 and the presence / absence of a security chip. In the authentication method field, the type of authentication device installed in each personal computer 2 is stored. When the fingerprint authentication device is mounted, fingerprint authentication is stored, and when the vein authentication device is mounted, vein authentication is stored. If a biometric authentication device is not installed, ID / password is stored.

  When the hardware environment and the software environment are changed, the CPU 31 of the management computer 3 stores the changed environment in the environment file 352 in association with the terminal ID. In addition, the operator may input the hardware environment and software environment for each terminal ID from the input unit 33 and store them in the environment file 352. In this embodiment, the strength of security increases in the order of ID / password, fingerprint authentication, and vein authentication. If the strength of security increases, the risk decreases. On the other hand, when the strength of security is lowered, the risk increases.

  For example, when changing from ID / password authentication to fingerprint authentication, the strength of security increases. Conversely, when the fingerprint authentication device is removed and changed from fingerprint authentication to ID / password authentication, the strength of security decreases. When the strength of security increases, the CPU 31 of the management computer 3 transmits information indicating that the risk is reduced to the server computer 1. On the other hand, when the strength of security is lowered, information indicating that the risk has increased is transmitted to the server computer 1.

  The security chip field stores the presence or absence of a security chip mounted on the personal computer 2. The security chip is an IC (Integrated Circuit) chip called TPM (Trusted Platform Module) based on TCG (Trusted Computing Group) specifications. The security chip has basic security functions defined by the TCG. By mounting this security chip on the personal computer 2, data is protected from attacks by software and physical attacks, and stronger security is realized as compared to the personal computer 2 that is not mounted.

  When the security chip is mounted, the CPU 31 of the management computer 3 transmits information indicating that the risk is reduced to the server computer 1. On the other hand, when the security chip is removed, information indicating that the risk has increased is transmitted to the server computer 1. Examples of the software environment field include the type and version of the OS and browser installed in the personal computer 2. Each time the browser type and version of the personal computer 2 are changed, the contents of the software environment field of the environment file 352 of the management computer 3 are also updated.

  The CPU 31 of the management computer 3 refers to the environment file 352 and transmits information indicating that the risk has been reduced to the server computer 1 when the OS or browser type or version is upgraded. On the other hand, when the type or version of the OS or browser is downgraded, the CPU 31 transmits information indicating that the risk has increased to the server computer 1. The grade information for the OS and browser type and version may be stored in advance in the storage unit 15 or acquired from an external server computer (not shown). In the present embodiment, the environment file 352 stores an example of storing hardware and software information of the personal computer 2, but the present invention is not limited to this. Similarly, hardware or software information of the server computer 1, the fingerprint authentication device 2D, or the security server 4 may be stored in the environment file 352. The CPU 31 may refer to the environment file 352 to determine whether the risk of the server computer 1, the fingerprint authentication device 2D, or the security server 4 has increased or decreased.

  In addition, there are personnel changes when internal factors fluctuate. For example, when the number of temporary employees increases, the risk increases. If the number of temporary employees decreases, the risk decreases. The contents of the personnel file 351 are updated each time a personnel change occurs. When the CPU 31 of the management computer 3 determines that the number of temporary employees has increased, the CPU 31 transmits information indicating that the risk has increased to the server computer 1. On the other hand, when the CPU 31 of the management computer 3 determines that the number of temporary employees has decreased, the CPU 31 transmits information indicating that the risk has decreased to the server computer 1.

  In the following, for ease of explanation, an increase / decrease in risk due to a change in the OS in the software environment and an increase / decrease in risk based on information on viruses will be described as examples. Note that the record layout of various DBs and files such as the history DB 153 of the server computer 1 and the environment file 352 of the management computer 3 is an example, and is not limited to this. Other storage forms may be used as long as the relationship between data is maintained. Moreover, although these DB and file gave the example memorize | stored in the memory | storage part 15 of the server computer 1, or the memory | storage part 35 of the management computer 3, although it gave the example, it does not restrict to this. Data may be stored in another DB server computer (not shown) and read and written as necessary.

  FIGS. 17 and 18 are flowcharts showing the correction processing procedure for the first threshold range and the second threshold range. When a new virus occurs as information regarding a virus, the security server 4 transmits the virus occurrence information to the server computer 1 (step S161). When the security server 4 generates a vaccine as information regarding a virus, the security server 4 transmits the vaccine generation information to the server computer 1 (step S162).

  The server computer 1 acquires (receives) risk increase / decrease information including virus generation information and vaccine generation information via the communication unit 16 (step S163). The CPU 11 of the server computer 1 determines whether or not virus occurrence information has been acquired (step S164). If the CPU 11 determines that the virus occurrence information has been acquired (YES in step S164), the CPU 11 reads the first correction amount and the second correction amount stored in advance in the storage unit 15 (step S165). The CPU 11 reads the upper and lower limits of the first threshold range from the first threshold range file 151 (step S166).

  The CPU 11 subtracts the first correction amount from the upper limit of the first threshold range (step S167). The CPU 11 adds the first correction amount to the lower limit of the first threshold range (step S168). The CPU 11 stores the corrected upper and lower limits of the first threshold range in the first threshold range file 151 (step S169). The CPU 11 reads the second threshold range from the second threshold range file 152 (step S171). The CPU 11 subtracts the second correction amount from the second threshold range (step S172). The CPU 11 stores the corrected second threshold range in the second threshold range file 152 (step S173).

  If the CPU 11 determines that no virus occurrence information has been acquired (NO in step S164), the process proceeds to step S174. The CPU 11 determines whether vaccine generation information has been acquired (step S174). When the CPU 11 determines that the vaccine generation information has been acquired (YES in step S174), the CPU 11 reads the first correction amount and the second correction amount stored in advance in the storage unit 15 (step S175). The CPU 11 reads the upper and lower limits of the first threshold range from the first threshold range file 151 (step S176).

  The CPU 11 adds the first correction amount to the upper limit of the first threshold range (step S177). The CPU 11 subtracts the first correction amount from the lower limit of the first threshold range (step S178). The CPU 11 stores the corrected upper and lower limits of the first threshold range in the first threshold range file 151 (step S179). The CPU 11 reads the second threshold range from the second threshold range file 152 (step S1710). The CPU 11 adds the second correction amount to the second threshold range (step S1711). The CPU 11 stores the corrected second threshold range in the second threshold range file 152 (step S1712). If the CPU 11 determines that the vaccine generation information has not been acquired (NO in step S174), the process ends.

  FIGS. 19 to 22 are flowcharts showing the correction processing procedure of the first threshold range and the second threshold range. The user of the personal computer 2 installs a new version of the OS. The CPU 21 of the personal computer 2 installs the OS according to the instruction (step S181). The CPU 21 transmits the terminal ID and OS version information to the management computer 3 via the communication unit 26 (step S182). The CPU 31 of the management computer 3 receives the terminal ID and the OS version (step S183).

  The CPU 31 reads out the OS version corresponding to the terminal ID from the environment file 352 (step S184). The CPU 31 compares the received OS version with the read OS version, and determines whether the OS has been upgraded (step S185). For example, the CPU 31 may refer to the storage unit 15 that stores the OS version and the version upgrade date and time, and may determine that the version has been upgraded when the version upgrade date and time is changed to a new one.

  If the CPU 31 determines that the OS has been upgraded (YES in step S185), the CPU 31 transmits information indicating a reduction in risk to the server computer 1 (step S186). If the CPU 31 determines that the OS has not been upgraded, that is, the OS has been downgraded (NO in step S185), the CPU 31 transmits information indicating an increase in risk to the server computer 1 (step S187). The server computer 1 acquires (receives) risk increase / decrease information via the communication unit 16 (step S188). The CPU 11 of the server computer 1 determines whether or not information indicating an increase in risk has been acquired (step S189). If the CPU 11 determines that information indicating an increase in risk has been acquired (YES in step S189), the CPU 11 reads the first correction amount and the second correction amount stored in advance in the storage unit 15 (step S191). The CPU 11 reads the upper and lower limits of the first threshold range from the first threshold range file 151 (step S192).

  The CPU 11 subtracts the first correction amount from the upper limit of the first threshold range (step S193). The CPU 11 adds the first correction amount to the lower limit of the first threshold range (step S194). The CPU 11 stores the corrected upper and lower limits of the first threshold range in the first threshold range file 151 (step S195). The CPU 11 reads the second threshold range from the second threshold range file 152 (step S196). The CPU 11 subtracts the second correction amount from the second threshold range (step S197). The CPU 11 stores the corrected second threshold range in the second threshold range file 152 (step S198).

  If the CPU 11 determines that information indicating an increase in risk has not been acquired (NO in step S189), the process proceeds to step S201. CPU11 judges whether the information which shows reduction of danger was acquired (Step S201). If the CPU 11 determines that information indicating a reduction in risk has been acquired (YES in step S201), the CPU 11 reads the first correction amount and the second correction amount stored in advance in the storage unit 15 (step S202). The CPU 11 reads the upper and lower limits of the first threshold range from the first threshold range file 151 (step S203).

  The CPU 11 adds the first correction amount to the upper limit of the first threshold range (step S204). The CPU 11 subtracts the first correction amount from the lower limit of the first threshold range (step S205). The CPU 11 stores the corrected upper and lower limits of the first threshold range in the first threshold range file 151 (step S206). The CPU 11 reads the second threshold range from the second threshold range file 152 (step S207). The CPU 11 adds the second correction amount to the second threshold range (step S208). The CPU 11 stores the corrected second threshold range in the second threshold range file 152 (step S209). If the CPU 11 determines that information indicating a reduction in risk has not been acquired (NO in step S201), the process ends.

  23 and 24 are flowcharts showing the procedure of the abnormality determination process. The CPU 11 of the server computer 1 performs the following processing in parallel with the processing of FIGS. The CPU 11 receives the input of the user ID and application operation command transmitted from the personal computer 2 via the communication unit 16 (step S221). The CPU 11 refers to the output from the clock unit 18 and stores the input user ID, application operation command, and date / time in the history DB 153 (step S222). The CPU 11 determines whether or not a unit time (for example, 1 hour) has elapsed (step S223).

  If the CPU 11 determines that the unit time has not elapsed (NO in step S223), the process returns to step S221. If the CPU 11 determines that the unit time has elapsed (YES in step S223), it reads the upper and lower limits of the first threshold range from the first threshold range file 151 (step S224). The CPU 11 refers to the history DB 153 and counts the number of application operation commands per unit time (step S225). The CPU 11 determines whether or not the counted number of application operation commands exceeds the upper limit or lower limit of the first threshold range (step S226). In the present embodiment, the CPU 11 determines whether the number of application operation instructions is larger than the upper limit or smaller than the lower limit of the first threshold range, but is not limited thereto. The CPU 11 may determine whether the number of application operation commands is greater than or equal to the upper limit of the first threshold range or less than the lower limit.

  If the CPU 11 determines that the upper limit or lower limit of the first threshold range is not exceeded (NO in step S226), the process returns to step S221. If the CPU 11 determines that the upper limit or lower limit of the first threshold range is exceeded (YES in step S226), the CPU 11 stores the date, time zone, and user ID exceeding the first threshold range in the storage unit 15 (step S227). Thereby, the history of the time zone exceeding the first threshold range is accumulated. The CPU 11 reads the second threshold range from the second threshold range file 152 (step S228). The CPU 11 determines whether or not the number of time zones that have continuously exceeded the first threshold range exceeds the second threshold range (step S229). In the present embodiment, the CPU 11 determines whether or not the number of time zones that have continuously exceeded the first threshold range is greater than the second threshold range, but is not limited thereto. The CPU 11 may determine whether or not the number of time zones that have continuously exceeded the first threshold range is greater than or equal to the second threshold range. In the present embodiment, the CPU 11 determines that an abnormality occurs when the time periods exceeding the first threshold range continuously exceed the second threshold range, but the present invention is not limited to this. The CPU 11 may determine that there is an abnormality when the second threshold range is exceeded within a predetermined time even if it is not continuous. For example, when the second threshold range is 4 hours and there is a time zone exceeding the first threshold range for 5 hours during 7 hours, it may be determined as abnormal.

  If the CPU 11 determines that the number of time zones does not exceed the second threshold range (NO in step S229), the process returns to step S221. If the CPU 11 determines that the number of time zones exceeds the second threshold range (YES in step S229), the CPU 11 reads out the abnormality information template from the storage unit 15 (step S231). The CPU 11 describes the user ID, date, and time zone in the read template (step S232). The CPU 11 reads the address of the management computer 3 from the storage unit 15 (step S233).

  The CPU 11 outputs abnormality information to the read address (step S234). The CPU 31 of the management computer 3 receives the abnormality information via the communication unit 36 (step S235). The CPU 31 displays the abnormality information on the display unit 34 (step S236). Thereby, the first threshold range and the second threshold range determined according to the security policy and the variance can be appropriately corrected according to the increase or decrease of the risk, and an appropriate abnormality determination according to the situation becomes possible.

Embodiment 2
The second embodiment relates to a form for detecting an abnormality based on the rate of change in the number of application operation commands. FIG. 25 is a graph showing temporal changes in the change rate of the number of application operation commands. The horizontal axis is time, and the vertical axis is the rate of change. A series indicated by a white circle is a value obtained by dividing the number of application operation commands per unit time by the number of application operation commands per unit time one hour ago and multiplying by 100 (hereinafter referred to as a change rate). If the rate of change suddenly increases or decreases, it is judged as abnormal. Instead of the rate of change, an angle or a difference may be used as a parameter.

  For example, the CPU 11 sets the reference change rate as 100% and stores it in the storage unit 15. As described in the first embodiment, the CPU 11 refers to the security policy table 154, the distribution table 155, and the range table 156 to calculate the first threshold range. For example, when a high level of safety is required, the coefficient is small and the first threshold range may be 80% to 120%. If a high degree of safety is not required, the coefficient is large and the first threshold range may be 40% to 250%. When the risk increases, as described in the first embodiment, the CPU 11 subtracts the first correction amount from the upper limit of the first threshold range, and adds the first correction amount to the lower limit. The CPU 11 subtracts the second correction amount from the second threshold range.

  On the other hand, when the risk decreases, the CPU 11 adds the first correction amount to the upper limit of the first threshold range and subtracts the first correction amount from the lower limit, as described in the first embodiment. The CPU 11 adds the second correction amount to the second threshold range.

  26 and 27 are flowcharts showing the procedure of the abnormality determination process according to the second embodiment. The CPU 11 of the server computer 1 performs the following processing in parallel with the processing of FIGS. The CPU 11 receives the input of the user ID and application operation command transmitted from the personal computer 2 via the communication unit 16 (step S261). The CPU 11 refers to the output from the clock unit 18 and stores the input user ID, application operation command, and date / time in the history DB 153 (step S262). The CPU 11 determines whether or not a unit time (for example, 1 hour) has elapsed (step S263).

  If the CPU 11 determines that the unit time has not elapsed (NO in step S263), the process returns to step S261. If the CPU 11 determines that the unit time has elapsed (YES in step S263), it reads the upper and lower limits of the first threshold range from the first threshold range file 151 (step S264). The CPU 11 refers to the history DB 153 and counts the number of application operation commands per unit time (step S265). The CPU 11 reads from the history DB 153 the number of application operation commands per unit time one unit time ago, that is, one hour ago (step S266).

  The CPU 11 calculates the rate of change by dividing the number of application operation instructions read in step S265 by the number of application operation instructions read in step S266 and multiplying by 100 (step S267). The CPU 11 determines whether or not the calculated change rate exceeds the upper limit or lower limit of the first threshold range (step S268). If the number of application operation commands per unit time one hour ago does not exist, the change rate may be set to the initial value 100%.

  If the CPU 11 determines that the upper limit or lower limit of the first threshold range is not exceeded (NO in step S268), the process returns to step S261. If the CPU 11 determines that the upper limit or lower limit of the first threshold range is exceeded (YES in step S268), the CPU 11 stores the date, time zone, and user ID exceeding the first threshold range in the storage unit 15 (step S269). Thereby, the history of the time zone exceeding the first threshold range is accumulated. The CPU 11 reads the second threshold range from the second threshold range file 152 (step S271). The CPU 11 determines whether or not the number of time zones continuously exceeding the first threshold range exceeds the second threshold range (step S272).

  If the CPU 11 determines that the number of continuous time zones does not exceed the second threshold range (NO in step S272), the process returns to step S261. When the CPU 11 determines that the number of continuous time zones exceeds the second threshold range (YES in step S272), the CPU 11 reads the abnormality information template from the storage unit 15 (step S273). Note that the CPU 11 may determine that there is an abnormality even when the number of time zones exceeding the first threshold range within a predetermined time exceeds the second threshold range, even if they are not continuous. The CPU 11 describes the user ID, date, and time zone in the read template (step S274). The CPU 11 reads the address of the management computer 3 from the storage unit 15 (step S275).

  The CPU 11 outputs abnormality information to the read address (step S276). The CPU 31 of the management computer 3 receives the abnormality information via the communication unit 36 (step S277). The CPU 31 displays abnormality information on the display unit 34 (step S278). Thereby, even when the input information changes suddenly, it is possible to make an appropriate abnormality determination according to the situation.

  The second embodiment is as described above, and the other parts are the same as those of the first embodiment. Therefore, the corresponding parts are denoted by the same reference numerals, and detailed description thereof is omitted.

Embodiment 3
The third embodiment relates to a mode in which the first threshold range and the second threshold range are corrected according to the response at the time of abnormal output. FIG. 28 is a block diagram illustrating a hardware group of the server computer 1 according to the third embodiment. The storage unit 15 is provided with an abnormality history DB 157.

  FIG. 29 is an explanatory diagram showing an input image of correspondence information. When the abnormality information described in the first and second embodiments is output, the corresponding information input items are also output. The operator responds to the abnormality when the abnormality information is output. Or it may not correspond to the abnormality because it is an accidental abnormality. The operator inputs correspondence information from the input unit 33 of the management computer 3.

  As shown in FIG. 29, a day, a time zone, and a user ID are displayed as abnormality information. In addition, input items for correspondence information are displayed. Corresponding information indicating that an abnormality has been dealt with is, for example, “I paid attention to the user”, “I upgraded the software”, “I updated the personnel file”, “I added a vaccine”, and the like. The operator takes various measures to reduce the abnormality when the abnormality occurs. Corresponding correspondence information is input through the input unit 33. Specifically, a check box 291 is displayed in association with a plurality of pieces of correspondence information, and the check box 291 is selected via the input unit 33.

  On the other hand, if it is determined that it is a mere accidental abnormality, the correspondence information is not input or non-correspondence information indicating that the abnormality has not been addressed is input. For example, the non-corresponding information is “Leave” as shown in FIG. The operator selects the check box 291 for non-corresponding information through the input unit 33. Finally, the operator clicks the OK button 292 from the input unit 33. The CPU 31 receives the type of correspondence information or non-correspondence information selected from the input unit 33 and transmits it to the server computer 1 together with the user ID, date, and time zone.

  FIG. 30 is an explanatory diagram showing a record layout of the abnormality history DB 157. The abnormality history DB 157 includes a user ID field, a date / time field, a correspondence information field, and the like. In the user ID field, the user ID of the user whose abnormality is detected is stored. In the date and time field, the date and time zone when the abnormality is detected are stored in association with the user ID. In the correspondence information field, the type of correspondence information transmitted from the management computer 3 is stored.

  For example, the user ID “001” has already coped with the abnormality that occurred at 10 o'clock on October 21, and the correspondence information of the type “software has been upgraded” is stored. . When non-corresponding information is transmitted, X is stored as shown in FIG. When the user ID, date, time zone, and type of correspondence information are transmitted, the CPU 11 stores the type of correspondence information in the abnormality history DB 157 in association with the user ID, date, time zone. On the other hand, when the user ID, the date, the time zone, and the non-corresponding information are transmitted, the CPU 11 stores the non-corresponding information in the abnormality history DB 157 in association with the user ID, the date, and the time zone. Note that the non-corresponding information may not be stored.

  The server computer 1 corrects the first threshold range and the second threshold range every predetermined period. In the present embodiment, the predetermined period is one week, but the present invention is not limited to this. Moreover, although the example which correct | amends both the 1st threshold range and the 2nd threshold range is given and demonstrated, either one may be sufficient. When the CPU 11 determines that the number of abnormal times output exceeds a first threshold (for example, 100 times) after a predetermined period has elapsed, the CPU 11 determines whether correspondence information is stored in the abnormality history DB 157. When the CPU 11 determines that the data is not stored, the first threshold range and the second threshold range are largely corrected assuming that there are many erroneous detections.

  When the CPU 11 determines that the correspondence information is stored, the CPU 11 maintains the values of the first threshold range and the second threshold range. Further, the CPU 11 determines whether or not the number of abnormalities does not exceed the first threshold value but exceeds a second threshold value (for example, twice) smaller than the first threshold value. When the CPU 11 determines that the second threshold value is not exceeded, the CPU 11 determines that the condition is too gentle and corrects the first threshold range and the second threshold range to be small. On the other hand, if the CPU 11 determines that the second threshold value is exceeded, the CPU 11 maintains the values of the first threshold range and the second threshold range as appropriate.

  31 and 32 are flowcharts showing the correspondence information storage processing procedure. If the CPU 11 of the server computer 1 is YES in step S272, it performs the following processing. The CPU 11 reads the template of abnormality information stored in the storage unit 15 (step S311). The CPU 11 describes the user ID, date, and time zone of the user determined to be abnormal in the template (step S312). The CPU 11 further describes the type of correspondence information and non-correspondence information stored in the storage unit 15 (step S313).

  The CPU 11 reads the address of the management computer 3 (step S314). The CPU 11 outputs abnormality information for which the description in the template is completed to the address (step S315). The abnormality information may be transmitted when the management computer 3 accesses the server computer 1. The CPU 31 of the management computer 3 receives the abnormality information (step S316). The CPU 31 displays abnormality information on the display unit 34 (step S317). The CPU 31 determines whether or not selection of the type of correspondence information has been accepted (step S318).

  If the CPU 31 determines that the selection of the type of correspondence information has been received (YES in step S318), it transmits the user ID, date, time zone, and type of correspondence information to the server computer 1 (step S319). The CPU 11 of the server computer 1 receives the user ID, date, time zone, and type of correspondence information (step S321). The CPU 11 stores the user ID, date, time zone, and type of correspondence information in the abnormality history DB 157 (step S322).

  If the CPU 31 of the management computer 3 does not accept the selection of the type of correspondence information (NO in step S318), it transmits the user ID, date, time zone, and non-correspondence information to the server computer 1 (step S323). The CPU 11 of the server computer 1 receives the user ID, date, time zone, and non-corresponding information (step S324). The CPU 11 stores the user ID, date, time zone, and non-corresponding information in the abnormality history DB 157 (step S325). Thereby, the correspondence information applied to the abnormality, the presence / absence of the correspondence information, and the number of abnormality are accumulated in the abnormality history DB 157.

  FIG. 33 to FIG. 35 are flowcharts showing the correction processing procedure of the first threshold range and the second threshold range. The CPU 11 of the server computer 1 determines whether or not a predetermined period has elapsed (step S331). If the CPU 11 determines that the predetermined period has not elapsed (NO in step S331), the CPU 11 waits until the predetermined period elapses. When the CPU 11 determines that the predetermined period has elapsed (YES in step S331), the CPU 11 proceeds to step S332. The CPU 11 refers to the abnormality history DB 157 and counts the number of times abnormality information is output within a predetermined period (step S332). For example, the CPU 11 may count the number of abnormal information records for one week.

  The CPU 11 reads the first threshold value stored in advance in the storage unit 15 (step S333). The CPU 11 determines whether or not the counted number of output times of abnormality information exceeds the first threshold range (step S334). If the CPU 11 determines that the counted number of output times of abnormality information exceeds the first threshold (YES in step S334), the process proceeds to step S335. The CPU 11 refers to the abnormality history DB 157 and determines whether or not correspondence information is stored in the record counted in step S332 (step S335). When the CPU 11 determines that the correspondence information is stored (YES in step S335), the CPU 11 maintains the first threshold range and the second threshold range (step S336). That is, the CPU 11 does not change the storage contents of the first threshold range file 151 and the second threshold range file 152.

  When the CPU 11 determines that the correspondence information is not stored (NO in step S335), the CPU 11 reads the upper and lower limits of the first threshold range from the first threshold range file 151 (step S337). The CPU 11 reads the first correction amount stored in the storage unit 15 (step S338). The CPU 11 adds the first correction amount to the upper limit of the first threshold range (step S339). The CPU 11 subtracts the first correction amount from the lower limit of the first threshold range (step S341). The CPU 11 reads the second correction amount from the storage unit 15 (step S342).

  The CPU 11 reads the second threshold range from the second threshold range file 152 (step S343). The CPU 11 adds the second correction amount to the second threshold range (step S344). In step S334, when the CPU 11 determines that the number of abnormal information outputs does not exceed the first threshold (NO in step S334), the process proceeds to step S345. CPU11 reads the 2nd threshold value smaller than the 1st threshold value from the memory | storage part 15 (step S345). The CPU 11 determines whether or not the number of abnormal information outputs exceeds the second threshold (step S346).

  If the CPU 11 determines that the second threshold value is exceeded (YES in step S346), the CPU 11 maintains the first threshold range and the second threshold range (step S347). That is, the CPU 11 does not change the storage contents of the first threshold range file 151 and the second threshold range file 152.

  If the CPU 11 determines that the second threshold is not exceeded (NO in step S346), it reads out the upper and lower limits of the first threshold range from the first threshold range file 151 (step S348). The CPU 11 reads the first correction amount stored in the storage unit 15 (step S349). The CPU 11 subtracts the first correction amount from the upper limit of the first threshold range (step S351). The CPU 11 adds the first correction amount to the lower limit of the first threshold range (step S352). The CPU 11 reads the second correction amount from the storage unit 15 (step S353).

  The CPU 11 reads the second threshold range from the second threshold range file 152 (step S354). The CPU 11 subtracts the second correction amount from the second threshold range (step S355). Thereby, the first threshold range and the second threshold range can be adjusted in accordance with the actual operational aspect.

  The third embodiment is as described above, and the others are the same as in the first and second embodiments. Therefore, the corresponding parts are denoted by the same reference numerals, and detailed description thereof is omitted.

Embodiment 4
The fourth embodiment relates to a mode in which the first correction amount and the second correction amount are changed. FIG. 36 is an explanatory diagram showing a record layout of the first threshold range file 151. The first threshold range file 151 includes a date / time field, a first threshold range field, a correction content field, and the like. The CPU 11 of the server computer 1 stores the corrected first threshold range, the date and time, and the correction contents when the first threshold range is corrected in accordance with the increase / decrease in risk described with reference to FIGS. In addition, the CPU 11 stores the corrected first threshold range, the date and time, and the correction contents when the first threshold range is corrected in accordance with the number of times abnormal information is output and the presence / absence of the corresponding information described in FIGS. .

  The date and time when the first threshold range is corrected is stored in the date and time field. The CPU 11 stores the date and time output from the clock unit 18 when the first threshold range is corrected in the date and time field. The CPU 11 stores the corrected first threshold range in the first threshold range field. The CPU 11 stores information on whether the first threshold range is corrected to be large or small in the correction content field. For example, when the first correction amount is added to the upper limit of the first threshold range and the first correction amount is subtracted from the lower limit of the first threshold range by the processes of steps S177 and S178, the CPU 11 determines that the correction is largely made. Further, for example, when the CPU 11 subtracts the first correction amount from the upper limit of the first threshold range by the processing of steps S167 and S168 and adds the first correction amount to the lower limit of the first threshold range, the CPU 11 determines that the correction has been made small. To do.

  FIG. 37 is an explanatory diagram showing a record layout of the second threshold range file 152. The second threshold range file 152 includes a date / time field, a second threshold range field, a correction content field, and the like. The CPU 11 of the server computer 1 stores the corrected second threshold range, the date and time, and the correction content when the second threshold range is corrected in accordance with the increase / decrease in risk described with reference to FIGS. In addition, the CPU 11 stores the corrected second threshold range, the date and time, and the correction contents when the second threshold range is corrected according to the number of times abnormal information is output and the presence or absence of the corresponding information described in FIGS. .

  The date and time field stores the date and time when the second threshold range is corrected. The CPU 11 stores the date and time output from the clock unit 18 when the second threshold range is corrected in the date and time field. The CPU 11 stores the corrected second threshold range in the second threshold range field. The CPU 11 stores information on whether the second threshold range is corrected to be large or small in the correction content field. For example, when the second correction amount is added to the second threshold range by the process of step S1711, the CPU 11 determines that the correction has been largely made. Further, for example, when the second correction amount is subtracted from the upper limit of the second threshold range in the process of step S172, the CPU 11 determines that the correction has been made small.

  38 and 39 are flowcharts showing the change amount calculation processing procedure. The CPU 11 performs the following process every time the record of the first threshold range file 151 is updated. The CPU 11 refers to the previous and current records in the correction content field of the first threshold range file 151, and determines whether or not the first threshold range has been largely corrected in the previous time (step S381). Specifically, the CPU 11 determines that the previous correction content field has been largely corrected when the current correction content field is stored as large correction and the previous correction content field is also largely corrected.

  If the CPU 11 determines that the first threshold range has been largely corrected the previous time (YES in step S381), the CPU 11 reads the first correction amount stored in the storage unit 15 (step S382). The CPU 11 reads the first change amount stored in the storage unit 15 (step S383). As will be described later, the first change amount is a value that gradually decreases, and the operator may store the initial value and the decrease width in the storage unit 15 in advance. For example, the initial value may be set to 5. The CPU 11 determines whether or not the first change amount is greater than or equal to the first correction amount (step S384). If the CPU 11 determines that the first change amount is not equal to or greater than the first correction amount (NO in step S384), the process proceeds to step S387.

  The CPU 11 subtracts the first change amount from the first correction amount (step S387). The CPU 11 stores the first correction amount after the subtraction in the storage unit 15 (step S388). Thereby, even when the first threshold range is continuously expanded, the increase rate of the expansion width is reduced. The CPU 11 decreases the first change amount (step S389). The CPU 11 may be decreased based on the decrease width stored in advance in the storage unit 15. For example, it is decreased by one. In addition, the square root and logarithm of the first change amount may be used as the first change amount after being reduced. Furthermore, the first change amount after the decrease may be calculated by storing in advance a mathematical expression for decreasing the input value and substituting the first change amount into the mathematical expression. In the present embodiment, for ease of explanation, an example will be described in which the initial value is 5 and is decreased by 1 to 0 each time the process of step S389 is performed.

  The CPU 11 stores the first change amount after the decrease in the storage unit 15 (step S391). As a result, even when the first threshold range is continuously expanded, the expansion width becomes gradual, and it is possible to prevent the abnormality detection accuracy from being lowered. If the CPU 11 determines that the first change amount is greater than or equal to the first correction amount (YES in step S384), the CPU 11 sets the first change amount to zero (step S385). The CPU 11 stores the first change amount set to zero in the storage unit 15 (step S386).

  If the CPU 11 does not determine in step S381 that the first threshold range has been greatly corrected in the previous time (NO in step S381), the process proceeds to step S392. The CPU 11 refers to the previous and current records in the correction content field of the first threshold range file 151, and determines whether or not the first threshold range has been corrected to be smaller in the previous time (step S392). Specifically, the CPU 11 determines that the previous correction content field has been corrected to be small when the current correction content field is stored as small correction and the previous correction content field is also corrected to be small.

  When the CPU 11 determines that the first threshold range has been corrected to be small again (YES in step S392), the CPU 11 reads the first correction amount stored in the storage unit 15 (step S393). The CPU 11 reads the first change amount stored in the storage unit 15 (step S394). The CPU 11 determines whether or not the first change amount is greater than or equal to the first correction amount (step S395). If the CPU 11 determines that the first change amount is not equal to or greater than the first correction amount (NO in step S395), the CPU 11 proceeds to step S398.

  The CPU 11 subtracts the first change amount from the first correction amount (step S398). CPU11 memorize | stores the 1st correction amount after subtraction in the memory | storage part 15 (step S399). The CPU 11 decreases the first change amount (step S3910). The CPU 11 stores the first change amount after the decrease in the storage unit 15 (step S3911). As a result, even when the first threshold range is continuously reduced, the reduction width becomes gradual, and it is possible to prevent the accuracy of abnormality detection from being lowered. If the CPU 11 determines that the first change amount is greater than or equal to the first correction amount (YES in step S395), the CPU 11 sets the first change amount to zero (step S396). The CPU 11 stores the first change amount set to zero in the storage unit 15 (step S397).

  If the CPU 11 does not determine that the first threshold range has been corrected to be smaller last time (NO in step S392), the CPU 11 proceeds to step S3912. The CPU 11 returns the first change amount to the initial value (step S3912). The CPU 11 stores the first change amount returned to the initial value in the storage unit 15 (step S3913).

  40 and 41 are flowcharts showing the change amount calculation processing procedure. The CPU 11 performs the following process every time the record of the second threshold range file 152 is updated. The CPU 11 refers to the previous and current records in the correction content field of the second threshold range file 152, and determines whether or not the second threshold range has been largely corrected in the previous time (step S401). Specifically, the CPU 11 determines that the previous correction content field has been largely corrected when the current correction content field is stored as large correction and the previous correction content field is also largely corrected.

  When the CPU 11 determines that the second threshold range has been greatly corrected in the previous time (YES in step S401), the CPU 11 reads the second correction amount stored in the storage unit 15 (step S402). The CPU 11 reads the second change amount stored in the storage unit 15 (step S403). The second change amount is a value that gradually decreases as will be described later, and the operator may store the initial value and the decrease width in the storage unit 15 in advance. For example, the initial value may be 10 minutes. The CPU 11 determines whether or not the second change amount is greater than or equal to the second correction amount (step S404). If the CPU 11 determines that the second change amount is not equal to or greater than the second correction amount (NO in step S404), the CPU 11 proceeds to step S407.

  The CPU 11 subtracts the second change amount from the second correction amount (step S407). CPU11 memorize | stores the 2nd correction amount after subtraction in the memory | storage part 15 (step S408). Accordingly, even when the second threshold range is continuously expanded, the increase rate of the expansion width is reduced. The CPU 11 decreases the second change amount (step S409). The CPU 11 may be decreased based on the decrease width stored in advance in the storage unit 15. For example, decrease by 1 minute. In addition, the square root and logarithm of the second change amount may be used as the second change amount after reduction. Furthermore, a mathematical expression that decreases the input value may be stored in advance, and the CPU 11 may calculate the second change amount after the decrease by substituting the second change amount into the mathematical expression. In the present embodiment, for ease of explanation, an example will be described in which the initial value is 5 and is decreased by 1 minute to 0 each time the process of step S409 is performed.

  The CPU 11 stores the second change amount after the decrease in the storage unit 15 (step S411). Thereby, even when the second threshold range is continuously expanded, the expansion width becomes gradual, and it is possible to prevent the accuracy of abnormality detection from being lowered. If the CPU 11 determines that the second change amount is greater than or equal to the second correction amount (YES in step S404), the CPU 11 sets the second change amount to zero (step S405). The CPU 11 stores the second change amount set to zero in the storage unit 15 (step S406).

  If the CPU 11 does not determine in step S401 that the second threshold range has been greatly corrected in the previous time (NO in step S401), the process proceeds to step S412. The CPU 11 refers to the previous and current records in the correction content field of the second threshold range file 152, and determines whether or not the second threshold range has been corrected to be smaller (step S412). Specifically, the CPU 11 determines that the previous correction content field has been corrected to be small when the current correction content field is stored as small correction and the previous correction content field is also corrected to be small.

  If the CPU 11 determines that the second threshold range has been corrected to be small again (YES in step S412), the CPU 11 reads the second correction amount stored in the storage unit 15 (step S413). The CPU 11 reads the second change amount stored in the storage unit 15 (step S414). The CPU 11 determines whether or not the second change amount is greater than or equal to the second correction amount (step S415). If the CPU 11 determines that the second change amount is not equal to or greater than the second correction amount (NO in step S415), the CPU 11 proceeds to step S418.

  The CPU 11 subtracts the second change amount from the second correction amount (step S418). The CPU 11 stores the second correction amount after the subtraction in the storage unit 15 (step S419). The CPU 11 decreases the second change amount (step S4110). The CPU 11 stores the second change amount after the decrease in the storage unit 15 (step S4111). As a result, even when the second threshold range is continuously reduced, the reduction width becomes gradual, and it is possible to prevent the abnormality detection accuracy from being lowered. If the CPU 11 determines that the second change amount is greater than or equal to the second correction amount (YES in step S415), the CPU 11 sets the second change amount to zero (step S416). The CPU 11 stores the second change amount set to zero in the storage unit 15 (step S417).

  If the CPU 11 does not determine that the second threshold range has been corrected to be too small (NO in step S412), the CPU 11 proceeds to step S4112. The CPU 11 returns the second change amount to the initial value (step S4112). The CPU 11 stores the second change amount returned to the initial value in the storage unit 15 (step S4113). As a result, even when the first threshold range and the second threshold range become larger or smaller due to the correction, the correction amount is appropriately changed, so that the abnormality detection accuracy associated with the correction of the first threshold range and the second threshold range can be improved. It is possible to prevent the decrease.

  The fourth embodiment is as described above, and the others are the same as in the first to third embodiments. Therefore, the corresponding parts are denoted by the same reference numerals, and detailed description thereof is omitted.

Embodiment 5
The fifth embodiment relates to a mode in which the second threshold range is appropriately reduced. In addition to or separately from the fourth embodiment, the second threshold range may be decreased every predetermined time. FIG. 42 is a flowchart showing the procedure of the adjustment process of the second threshold range. The CPU 11 determines whether or not a predetermined time (for example, 6 hours) has elapsed (step S421). If the CPU 11 determines that the predetermined time has not elapsed (NO in step S421), the CPU 11 waits until the predetermined time elapses. If the CPU 11 determines that the predetermined time has elapsed (YES in step S421), the CPU 11 reads the second threshold range stored in the second threshold range file 152 (step S422). The CPU 11 reads out the adjustment value stored in the storage unit 15 (step S423). The CPU 11 determines whether or not the adjustment value is greater than or equal to the second threshold range (step S424). If the CPU 11 determines that the adjustment value is not greater than or equal to the second threshold range (NO in step S424), the CPU 11 proceeds to step S427.

  The CPU 11 subtracts the adjustment value from the second threshold range (step S427). The CPU 11 stores the second threshold range after the subtraction in the second threshold range file 152 (step S428). The CPU 11 decreases the adjustment value (step S429). The CPU 11 stores the adjusted value after the decrease in the storage unit 15 (step S4210). The adjustment value is, for example, 10 minutes, and decreases by the process of step S429. The CPU 11 may be decreased based on the decrease width stored in advance in the storage unit 15. For example, it is decreased by one. In addition, the square root and logarithm of the second threshold range may be adjusted values after reduction. Furthermore, a mathematical expression for decreasing the input value may be stored in advance, and the CPU 11 may calculate the reduced adjustment value by substituting the second threshold range or the adjustment value into the mathematical expression. In the present embodiment, for ease of explanation, an example in which the initial value of the adjustment value is decreased to 10 every time the process of step S429 is described will be described.

  If the CPU 11 determines that the adjustment value is greater than or equal to the second threshold range (YES in step S424), the CPU 11 sets the adjustment value to zero (step S425). CPU11 memorize | stores the adjustment value made into zero in the memory | storage part 15 (step S426). As a result, it is possible to prevent the risk of security deterioration with the passage of time.

  The fifth embodiment is as described above, and the other parts are the same as those of the first to fourth embodiments. Therefore, the corresponding parts are denoted by the same reference numerals, and detailed description thereof is omitted.

Embodiment 6
The sixth embodiment relates to a form using a personal computer as a central device (information processing device). FIG. 43 is a schematic diagram showing an outline of an information processing system according to the sixth embodiment. The server computer 1 described in the first to fifth embodiments may be a personal computer 1. An application operation command as an example of input information is directly input to the personal computer 1 by the user through the input unit 13. The abnormality detection process after the application operation command is input, the correction process of the first threshold range and the second threshold range, and the like are as described in the first to fifth embodiments. As a result, it is possible to detect an abnormality in the client computer alone.

  FIG. 44 is a functional block diagram showing the operation of the server computer 1 or personal computer 1 of the above-described form. When the CPU 11 executes the control program 15P, the server computer 1 and the personal computer 1 function as follows. The first determination unit 101 determines whether or not the value based on the input information exceeds the first threshold range stored in the storage unit 15. When the second determination unit 102 determines that the first threshold range is exceeded, the second determination unit 102 determines whether or not the number of times it has been determined to exceed or the exceeded time exceeds the second threshold range stored in the storage unit 15. The acquisition unit 103 acquires risk increase / decrease information. The correction unit 104 corrects the first threshold range or the second threshold range based on the risk increase / decrease information acquired by the acquisition unit 103. The output unit 105 outputs abnormality information when the second determination unit 102 determines that the second threshold range is exceeded.

  The sixth embodiment is as described above, and the other parts are the same as those of the first to fifth embodiments. Accordingly, the corresponding parts are denoted by the same reference numerals, and detailed description thereof is omitted.

Embodiment 7
FIG. 45 is a block diagram illustrating a hardware group of the server computer 1 according to the seventh embodiment. A program for operating the server computer 1 is stored by causing a reading unit 10A such as a disk drive to read a portable recording medium 1A such as a CD-ROM, a DVD (Digital Versatile Disc) disk, or a USB (Universal Serial Bus) memory. You may memorize | store in the part 15. FIG. Further, a semiconductor memory 1B such as a flash memory storing the program may be mounted in the server computer 1. Further, the program can be downloaded from another server computer (not shown) connected via a communication network N such as the Internet. The contents will be described below.

  The server computer 1 shown in FIG. 45 reads a program for executing the above-described various software processes from the portable recording medium 1A or the semiconductor memory 1B, or from another server computer (not shown) via the communication network N. to download. The program is installed as the control program 15P, loaded into the RAM 12, and executed. Thereby, it functions as the server computer 1 described above.

  The seventh embodiment is as described above, and the other parts are the same as those of the first to sixth embodiments. Therefore, the corresponding parts are denoted by the same reference numerals, and detailed description thereof is omitted.

  The embodiments including the above first to seventh embodiments may be implemented by appropriately combining a plurality of embodiments within a range where there is no contradiction in processing. The following additional notes are further disclosed with respect to the embodiments including the first to seventh embodiments.

(Appendix 1)
In an information processing method for processing input information input to an information processing apparatus having a control unit,
The control unit obtains risk increase / decrease information,
Based on the risk increase / decrease information acquired by the control unit, the first threshold range stored in the storage unit or the second threshold range stored in the storage unit is corrected,
Determining whether or not a value based on input information exceeds the first threshold range by the control unit;
When the control unit determines that the first threshold range is exceeded, it is determined whether or not the number of times it has been determined to exceed or the time that has been exceeded exceeds the second threshold range,
An information processing method for outputting abnormality information when the control unit determines that the second threshold range is exceeded.

(Appendix 2)
When correcting the first threshold range or the second threshold range,
When the risk increases due to the acquired increase / decrease information, the control unit corrects the first threshold range or the second threshold range to be small,
The information processing method according to claim 1, wherein when the risk is reduced by the obtained increase / decrease information, the control unit corrects the first threshold range or the second threshold range largely.

(Appendix 3)
The value based on the input information is
Including the number of instructions input to the information processing apparatus or the amount of data processed based on the instructions input to the information processing apparatus,
When determining whether or not the first threshold is exceeded,
The information processing method according to claim 1 or 2, wherein the control unit determines whether the number of instructions or the amount of data exceeds a first threshold range stored in a storage unit.

(Appendix 4)
Store the correspondence information indicating the number of times of abnormality information output and the correspondence to the abnormality in the storage unit,
Determining whether or not the output number of the abnormality information exceeds the first threshold by the storage unit;
When it is determined that the first threshold value is exceeded, the control unit determines whether correspondence information is stored in the storage unit,
When the control unit determines that the correspondence information is not stored, the first threshold range or the second threshold range is greatly corrected,
The information processing method according to any one of appendices 1 to 3, wherein the control unit maintains the value of the first threshold range or the second threshold range when it is determined that the correspondence information is stored.

(Appendix 5)
When it is determined by the storage unit that the first threshold value is not exceeded, it is determined whether or not the output count of the abnormality information stored in the storage unit exceeds a second threshold value that is smaller than the first threshold value,
When it is determined that the second threshold value is not exceeded, the first threshold range or the second threshold range is corrected to be small,
The information processing method according to claim 4, wherein when the control unit determines that the second threshold value is exceeded, the value of the first threshold range or the second threshold range is maintained.

(Appendix 6)
When the first threshold range or the second threshold range is corrected by the control unit, the correction history is stored in the storage unit,
When it is determined that the first threshold range or the second threshold range is continuously reduced or increased based on the correction history stored in the storage unit, the control unit corrects the first threshold range or the second threshold range. The information processing method according to any one of appendices 2 to 5, wherein the amount is changed.

(Appendix 7)
If it is determined that the first threshold range or the second threshold range is not continuously corrected to be small and is not continuously greatly corrected based on the correction history stored in the storage unit, the control unit The information processing method according to claim 6, wherein the change amount with respect to the correction amount of the first threshold range or the second threshold range is returned to the initial value by the above.

(Appendix 8)
The information processing method according to any one of appendices 1 to 7, wherein the control unit decreases the second threshold range based on the passage of time.

(Appendix 9)
Using the value based on the input information stored in the storage unit, the variance is calculated by the control unit,
The information processing method according to any one of appendices 1 to 8, wherein the control unit determines a range of a first threshold range or a second threshold range based on the calculated variance.

(Appendix 10)
The information processing method according to claim 9, wherein the control unit determines a first threshold range or a second threshold range based on a table storing security policies and the calculated variance.

(Appendix 11)
In a program for processing input information input to a computer having a control unit,
On the computer,
The control unit obtains risk increase / decrease information,
Based on the risk increase / decrease information acquired by the control unit, the first threshold range stored in the storage unit or the second threshold range stored in the storage unit is corrected,
The control unit determines whether the value based on the input information exceeds the first threshold range,
When the control unit determines that the first threshold range is exceeded, it is determined whether or not the number of times it has been determined to exceed or the time that has been exceeded exceeds the second threshold range,
A program for executing processing for outputting abnormality information when the control unit determines that the second threshold range is exceeded.

(Appendix 12)
In an information processing apparatus that processes input information,
A first determination unit for determining whether a value based on input information exceeds a first threshold range stored in the storage unit;
A second determination unit for determining whether or not the number of times determined to exceed or the time exceeded exceeds the second threshold range stored in the storage unit when it is determined that the first threshold range is exceeded;
An acquisition unit for acquiring risk increase / decrease information;
A correction unit that corrects the first threshold range or the second threshold range based on the risk increase / decrease information acquired by the acquisition unit;
An information processing apparatus comprising: an output unit that outputs abnormality information when the second determination unit determines that the second threshold range is exceeded.

(Appendix 13)
In an information processing system in which a terminal device and a central device are connected via a communication network,
The central device is
A first determination unit that determines whether or not a value based on input information transmitted from the terminal device exceeds a first threshold range stored in a storage unit;
A second determination unit for determining whether or not the number of times determined to exceed or the time exceeded exceeds the second threshold range stored in the storage unit when it is determined that the first threshold range is exceeded;
An acquisition unit for acquiring risk increase / decrease information;
A correction unit that corrects the first threshold range or the second threshold range based on the risk increase / decrease information acquired by the acquisition unit;
An information processing system comprising: an output unit that outputs abnormality information when the second determination unit determines that the second threshold range is exceeded.

DESCRIPTION OF SYMBOLS 1 Server computer, personal computer 1A Portable recording medium 1B Semiconductor memory 2, 2A-2C Personal computer 2, 2D Fingerprint authentication apparatus 3 Management computer 4 Security server 11 CPU
12 RAM
DESCRIPTION OF SYMBOLS 13 Input part 14 Display part 15 Memory | storage part 15A Application program 15P Control program 16 Communication part 18 Clock part 21 CPU
22 RAM
23 Input unit 24 Display unit 25 Storage unit 25P Control program 26 Communication unit 31 CPU
32 RAM
33 Input unit 34 Display unit 35 Storage unit 35P Control program 36 Communication unit 38 Clock unit 101 First determination unit 102 Second determination unit 103 Acquisition unit 104 Correction unit 105 Output unit 151 First threshold range file 152 Second threshold range file 153 History DB
154 Security policy table 155 Distributed table 156 Range table 157 Abnormal history DB
201 Control Unit 203 Fingerprint Input Unit 204 Display Unit 205 Storage Unit 205P Control Program 206 Communication Unit 208 Lock Unit 351 Personnel File 352 Environment File 2051 Fingerprint Data File N Communication Network

Claims (12)

In an information processing method for processing input information input to an information processing apparatus having a control unit,
The control unit obtains risk increase / decrease information,
Based on the risk increase / decrease information acquired by the control unit, the first threshold range stored in the storage unit or the second threshold range stored in the storage unit is corrected,
Determining whether or not a value based on input information exceeds the first threshold range by the control unit;
When the control unit determines that the first threshold range is exceeded, it is determined whether or not the number of times it has been determined to exceed or the time that has been exceeded exceeds the second threshold range,
An information processing method for outputting abnormality information when the control unit determines that the second threshold range is exceeded. When correcting the first threshold range or the second threshold range,
When the risk increases due to the acquired increase / decrease information, the control unit corrects the first threshold range or the second threshold range to be small,
The information processing method according to claim 1, wherein when the risk decreases due to the acquired increase / decrease information, the control unit corrects the first threshold range or the second threshold range largely. The value based on the input information is
Including the number of instructions input to the information processing apparatus or the amount of data processed based on the instructions input to the information processing apparatus,
When judging whether to exceed the first threshold range ,
The information processing method according to claim 1 or 2, wherein the control unit determines whether or not the number of instructions or the amount of data exceeds a first threshold range stored in a storage unit. Store the correspondence information indicating the number of times of abnormality information output and the correspondence to the abnormality in the storage unit,
Determining whether or not the output number of the abnormality information exceeds the first threshold by the storage unit;
When it is determined that the first threshold value is exceeded, the control unit determines whether correspondence information is stored in the storage unit,
When the control unit determines that the correspondence information is not stored, the first threshold range or the second threshold range is greatly corrected,
The information processing method according to any one of claims 1 to 3, wherein when the control unit determines that the correspondence information is stored, the value of the first threshold range or the second threshold range is maintained. . In a program for processing input information input to a computer having a control unit,
On the computer,
The control unit obtains risk increase / decrease information,
Based on the risk increase / decrease information acquired by the control unit, the first threshold range stored in the storage unit or the second threshold range stored in the storage unit is corrected,
Determining whether or not a value based on input information exceeds the first threshold range by the control unit;
When the control unit determines that the first threshold range is exceeded, it is determined whether or not the number of times it has been determined to exceed or the time that has been exceeded exceeds the second threshold range,
A program for executing processing for outputting abnormality information when the control unit determines that the second threshold range is exceeded. In an information processing apparatus that processes input information,
A first determination unit for determining whether a value based on input information exceeds a first threshold range stored in the storage unit;
A second determination unit for determining whether or not the number of times determined to exceed or the time exceeded exceeds the second threshold range stored in the storage unit when it is determined that the first threshold range is exceeded;
An acquisition unit for acquiring risk increase / decrease information;
A correction unit that corrects the first threshold range or the second threshold range based on the risk increase / decrease information acquired by the acquisition unit;
An information processing apparatus comprising: an output unit that outputs abnormality information when the second determination unit determines that the second threshold range is exceeded. In an information processing system in which a terminal device and a central device are connected via a communication network,
The central device is
A first determination unit that determines whether or not a value based on input information transmitted from the terminal device exceeds a first threshold range stored in a storage unit;
A second determination unit for determining whether or not the number of times determined to exceed or the time exceeded exceeds the second threshold range stored in the storage unit when it is determined that the first threshold range is exceeded;
An acquisition unit for acquiring risk increase / decrease information;
A correction unit that corrects the first threshold range or the second threshold range based on the risk increase / decrease information acquired by the acquisition unit;
An information processing system comprising: an output unit that outputs abnormality information when the second determination unit determines that the second threshold range is exceeded. Information processing device
Get risk increase / decrease information,
Determining whether a value based on input information input to the information processing apparatus exceeds a first threshold range determined based on the acquired increase / decrease information;
When it is determined that the first threshold range is exceeded, it is determined whether or not the number of times or the time exceeded is determined to exceed a second threshold range determined based on the acquired increase / decrease information,
When it is determined that the second threshold range is exceeded, abnormality information is output to the display means.
An information processing method comprising: When correcting the first threshold range or the second threshold range,
When the risk increases due to the acquired increase / decrease information, the first threshold range or the second threshold range is corrected to be small,
When the risk decreases due to the acquired increase / decrease information, the first threshold range or the second threshold range is largely corrected.
The information processing method according to claim 8. The value based on the input information is
Including the number of instructions input to the information processing apparatus or the amount of data processed based on the instructions input to the information processing apparatus,
When judging whether to exceed the first threshold range,
Determine whether the number of instructions or the amount of data exceeds the first threshold range stored in the storage unit
The information processing method according to claim 8 or 9. In the information processing device,
Get risk increase / decrease information,
Determining whether a value based on input information input to the information processing apparatus exceeds a first threshold range determined based on the acquired increase / decrease information;
When it is determined that the first threshold range is exceeded, it is determined whether or not the number of times or the time exceeded is determined to exceed a second threshold range determined based on the acquired increase / decrease information,
When it is determined that the second threshold range is exceeded, abnormality information is output to the display means.
A program characterized by causing execution. An acquisition unit for acquiring risk increase / decrease information ;
Value based on the input information input to information processing apparatus, the first determination unit determines whether more than a first threshold range determined based on the acquired increased or decreased information,
A second determination unit that determines whether or not the number of times or the time that has been exceeded exceeds a second threshold range determined based on the obtained increase / decrease information when it is determined that the first threshold range is exceeded; When,
An information processing apparatus comprising: an output unit that outputs abnormality information to the display means when it is determined that the second threshold range is exceeded.

Images