JP5804883B2 - Address extraction device - Google Patents

Description

  The present invention relates to an address extracting device that extracts a predetermined address from addresses accessed by a proxy server device used by a terminal device that performs Internet communication.

  In recent years, targeted attacks targeting specific organizations have increased. A targeted attack is unauthorized access limited to a specific department of a specific organization (for example, a company). For example, an example is a case in which malware is attached to an impersonation email pretending to be a person related to company A to an employee (user) of the accounting section of company A. Malware is executed by opening an attached file (often disguised as a document etc.) to an email section employee (user), for example. Malware that has successfully entered the company by being executed by an accounting department employee (user) communicates with a web server on the Internet and performs unauthorized access such as information leakage.

Malware sent to a specific organization (for example, a company) is often manufactured so as to avoid the pattern file adopted by many anti-virus software, and can pass through detection of anti-virus software.
In other words, a pattern file corresponding to malware is required for detection by anti-virus software. However, unlike conventional malware, malware that performs targeted attacks is generally difficult to know and cannot immediately recognize its presence. Therefore, the pattern file creation of the anti-virus software vendor may be delayed. And many anti-virus software can delay the detection of malware used in targeted attacks.

  It is difficult to technically defend against targeted attacks. If a suspicious email is sent that pretends to be a stakeholder, educate employees (users) not to open attachments because of concerns about malware. There is also an idea of corresponding (for example, Non-Patent Document 1). However, although there is a certain effect, there is a problem that some employees (users) open attachments of suspicious emails and malware is executed. For example, an employee (user) has a problem that it cannot recognize whether or not the executed malware is performing unauthorized access such as information leakage.

  Also, there is a method for detecting spyware (malware) characteristics of an HTTP (Hyper Text Transfer Protocol) header to determine whether communication is performed by a browser or other programs (for example, Non-Patent Document 2). . However, there is a problem of false detection of spyware (malware).

Targeted attack countermeasures by approach of vaccination to users-2, Yamaguchi et al., 71st National Convention of Information Processing Society of Japan 6E-4 Detection and blocking method of spyware using HTTP, Otani et al., Information Processing Society of Japan Research Report 2005-CSEC-31

  As described above, for example, there is a problem that the user cannot detect the communication (unauthorized access) even if the unintended communication (for example, unauthorized access by malware) is performed.

  The main object of the present invention is to solve the above-described problems. For example, it is a main object of the present invention to realize an address extracting device that extracts an address of an access destination accessed by communication not intended by the user. And

The address extracting device according to the present invention is:
An address extraction device that extracts a predetermined address from addresses accessed by a proxy server device that accesses an address notified as an access destination from a terminal device,
An address input unit for inputting a proxy log indicating an address of an access destination for each access performed by the proxy server device, and valid address information indicating an address defined as valid in advance;
And an address extracting unit that extracts an address that is not indicated in the valid address information from the addresses indicated in the proxy log input by the address input unit.

  The address extracting device according to the present invention extracts, for example, an address other than the access destination address by the legitimate access from the access destination address recorded in the proxy log of the proxy server device. For this reason, the address extracting apparatus according to the present invention can extract the address of the access destination accessed by other than the legitimate access, that is, the unauthorized communication not intended by the user.

FIG. 3 shows the first embodiment and shows an example of the peripheral configuration of the information leakage detection system. FIG. 3 shows the first embodiment and shows an example of the configuration of an information leakage detection system. FIG. 5 shows the first embodiment and shows an example of the terminal operation log 203. FIG. 9 is a diagram illustrating the first embodiment and is a flowchart illustrating an example of processing of the terminal operation log capturing unit 103; FIG. 5 shows the first embodiment and shows an example of Web access URL information 303; The figure which shows Embodiment 1 is a figure which shows the example of the local proxy log 204. FIG. FIG. 5 shows the first embodiment and shows an example of a content entity 350. FIG. 10 is a diagram illustrating the first embodiment and is a flowchart illustrating an example of processing of the local proxy log capturing unit 104; FIG. 6 shows the first embodiment and shows an example of a local proxy log entry 304; FIG. 9 is a diagram illustrating the first embodiment and is a flowchart illustrating an example of first processing of a top page URL specifying unit 106; FIG. 6 shows the first embodiment, and shows an example of a URL list extracted by the first process of the top page URL specifying unit 106. FIG. 9 is a diagram illustrating the first embodiment and is a flowchart illustrating an example of second processing of the top page URL specifying unit 106; FIG. 5 shows the first embodiment and shows an example of top page URL information 306; FIG. 9 shows the first embodiment and is a flowchart showing an example of processing of a browser access URL specifying unit 107; FIG. 5 shows the first embodiment and shows an example of a URL 606 in the top page. FIG. 5 shows the first embodiment and shows an example of browser access URL information 307; FIG. 4 shows the first embodiment and shows an example of a proxy log 201. FIG. 10 is a diagram illustrating the first embodiment and is a flowchart illustrating an example of processing of the proxy log capturing unit 101; FIG. 4 shows the first embodiment and shows an example of a proxy log entry 301. FIG. 10 is a diagram illustrating the first embodiment, and is a flowchart illustrating an example of processing of a URL white list capturing unit 102; FIG. 5 shows the first embodiment and shows an example of a URL white list 202; FIG. 5 is a diagram illustrating the first embodiment and illustrating an example of a white URL 302; FIG. 6 shows the first embodiment, and is a flowchart showing a first example of processing of the gray URL specifying unit 105. FIG. 10 is a diagram illustrating the first embodiment, and illustrates an example of gray URL information 305 obtained by processing of the first example of the gray URL specifying unit 105; FIG. 10 is a diagram illustrating the first embodiment and is a flowchart illustrating a second example of processing of the gray URL specifying unit 105; FIG. 10 is a diagram illustrating the first embodiment, and illustrates an example of gray URL information 305 obtained by processing of the second example of the gray URL specifying unit 105; FIG. 6 is a diagram illustrating the first embodiment, and is a flowchart illustrating a first example and a second example of processing of a black URL specifying unit 108; FIG. 5 shows the first embodiment and shows an example of a black URL 208; The figure which shows Embodiment 1 and the figure which shows the example of the browser access URL information 307 when not using the local proxy log 204. FIG. 9 is a diagram illustrating the first embodiment, and is a flowchart illustrating a first example of browser access URL information 307 storage processing. FIG. 9 is a diagram illustrating the first embodiment and is a flowchart illustrating a second example of the browser access URL information 307 storage process. FIG. 5 shows the first embodiment, and shows an example of a problem of a conventional information leakage detection system 100. FIG. 10 is a diagram illustrating the second embodiment and is a flowchart illustrating an example of processing of a top page URL specifying unit 106; FIG. 10 shows the third embodiment, and is a flowchart showing an example of processing of the period specifying unit 200. FIG. 14 is a diagram illustrating the fourth embodiment and is a flowchart illustrating an example of processing of the terminal operation log capturing unit 103; FIG. 10 is a diagram illustrating the fifth embodiment and is a flowchart illustrating an example of processing of the black URL specifying unit 108; FIG. 25 is a diagram illustrating the sixth embodiment and is a flowchart illustrating an example of processing of the black URL specifying unit 108; FIG. 25 is a diagram illustrating the sixth embodiment, and illustrates an example of the number of accesses to a web page of a black URL candidate. FIG. 25 is a diagram illustrating the seventh embodiment, and is a flowchart illustrating an example of processing of the black URL specifying unit 108. FIG. 18 is a diagram illustrating the seventh embodiment, and illustrates an example of the number of accesses to a web page of a black URL candidate. FIG. 29 is a diagram illustrating the eighth embodiment and is a flowchart illustrating an example of processing of the black URL specifying unit 108. FIG. 38 shows an example of Web access URL information 303 according to the ninth embodiment. FIG. 38 shows the ninth embodiment and shows an example of a content entity 350. FIG. 29 is a diagram illustrating the ninth embodiment and illustrates an example of processing of the top page URL specifying unit 106; The figure which shows Embodiment 1-9, The figure which shows the example of the hardware resource of the information leakage detection system 100 shown to this Embodiment.

Embodiment 1 FIG.
(Peripheral configuration of information leak detection system)
FIG. 1 is a diagram illustrating an example of a peripheral configuration of an information leakage detection system.
The information leakage detection system 100 extracts a URL (Uniform Resource Locator) accessed by, for example, malware. Here, the URL is, for example, an address of an access destination accessed by the proxy server apparatus 600 (described later). That is, the information leakage detection system 100 is an address extraction device. Then, the information leakage detection system 100 extracts a predetermined address from the addresses accessed by the proxy server device 600. The predetermined address extracted by the information leakage detection system 100 will be described later.

The address extracted by the information leakage detection system 100 is not limited to a URL, and may be, for example, an IP (Internet Protocol) address or an e-mail address.
Here, for example, an address (URL) accessed by malware is hereinafter referred to as an “illegal address”.

A terminal device 500 and a proxy server device 600 are arranged around the information leakage detection system 100. The information leakage detection system 100, the terminal device 500, and the proxy server device 600 are connected by, for example, a LAN (Local Area Network).
Here, although illustration is omitted, the terminal device 500 is, for example, a personal computer for personal use used in an organization such as a company, and a plurality of terminal devices 500 are also connected by, for example, a LAN.

  Then, the information leakage detection system 100 inputs the proxy log 201 from the proxy server device 600. Further, the information leakage detection system 100 inputs the terminal operation log 203 and the local proxy log 204 from the terminal device 500. Furthermore, the information leakage detection system 100 inputs a URL white list 202 stored in a storage device of a server device installed in an organization such as a company.

  The information leakage detection system 100 according to the present embodiment uses these logs (such as the proxy log 201) to detect Web communication due to malware. Here, the Web communication is communication performed by, for example, a computer such as the terminal device 500 with a Web site on the Internet (the Web site is also referred to as a Web page). In the case of communication using HTTP, Web communication is also referred to as HTTP communication.

(Description of proxy server device 600)
For example, in an organization such as a company, when the terminal device 500 accesses a website via the network 150 (for example, the Internet), the proxy is not accessed directly from the terminal device 500 but the proxy is connected to the terminal device 500. Access the website on behalf of
In the present embodiment, for example, one proxy installed in an organization is referred to as a proxy server device 600.

The terminal device 500 transmits an HTTP request to be sent to the Web site to the proxy server device 600 together with the Web site address, and the proxy server device 600 transfers the HTTP request to the Web site.
That is, the proxy server device 600 accesses the address notified from the terminal device 500 as the access destination.

  The HTTP response from the Web site is sent to the proxy server device 600, and the proxy server device 600 transfers this response to the terminal device 500, so that the terminal device 500 accesses the Web site. Accordingly, the proxy server device 600 can record the accessed terminal device 500, the access destination Web site, and the contents of the request and response at the time of access.

(Description of proxy log 201)
As described above, for example, a terminal device 500 in an organization such as a company makes an HTTP connection to the proxy server device 600 when accessing a Web site. The proxy server device 600 connects to the Internet instead of the terminal device 500 and performs Web communication (HTTP communication). The result of Web communication (HTTP communication) is transferred from the proxy server device 600 to the terminal device 500.

A proxy log 201 is a log of the proxy server device 600 that is connected when the terminal device 500 accesses the Web site. In other words, the proxy log 201 is a log in which the proxy server device 600 records the communication status (for example, the website address) between the terminal device 500 and the website.
For example, when malware accesses the Web, it always connects to the proxy server device 600, so that a communication record remains in the proxy log 201. In addition, communication records remain in the proxy log 201 for Web accesses other than malware (communication from browsers and applications).

(Description of URL white list 202)
The URL white list 202 is a list of white URLs. The white URL is a URL that is permitted to be accessed in advance by the organization. For example, there are OS (Operating System), office application update sites, news sites, and the like.
That is, the white URL is an address defined as valid in advance. The URL white list 202 corresponds to legitimate address information indicating addresses that are defined as legitimate in advance.

(Description of terminal operation log 203)
The terminal device 500 includes a terminal operation recording application. The terminal operation log 203 is recorded by the terminal operation recording application in which the user's operation of the terminal device 500 is recorded. The terminal operation log 203 is stored in the storage device of the terminal device 500, for example.

  Here, the terminal operation recording application is software for monitoring and internally controlling what operations each user is performing on the terminal device 500. The terminal operation recording application records file operations (file creation, deletion, copying, renaming, moving, etc.), writing to an external storage medium, operated application (window title), Web access status, and the like. As the terminal operation recording application, for example, commercially available software may be used.

  When the terminal device 500 accesses the Web based on an instruction given by the user using a browser, a record of the operation (for example, a website address) is recorded in the terminal operation log 203.

Here, the terminal device 500 notifies the proxy server device 600 of the access destination address based on a user instruction (for example, an instruction performed by the user using a browser). Information indicating the address notified by the terminal device 500 based on a user instruction is referred to as user instruction information.
That is, the terminal operation log 203 corresponds to user instruction information.

(Description of local proxy 550 and local proxy log 204)
The local proxy 550 is a proxy installed in each terminal device 500. A browser on the terminal device 500 and an application that accesses the Web access the proxy server device 600 through the local proxy 550.

  Specifically, an application such as a browser in the terminal device 500 transmits an HTTP request to be sent to the Web site to the local proxy 550, and the local proxy 550 transfers the HTTP request to the proxy server device 600. Further, the proxy server device 600 transfers this HTTP request to the Web site. Then, the HTTP response from the Web site is sent to the proxy server apparatus 600, and the proxy server apparatus 600 transfers this response to the local proxy 550. The local proxy 550 transfers this response to the application. In this way, the application communicates with the Web site via the local proxy 550 and the proxy server device 600.

A local proxy log 204 is a record of Web access acquired by the local proxy 550. The local proxy log 204 records the date and time when the terminal device 500 accessed the Web, the URL (address) of the access destination, the method, the Web content, and the like based on an instruction given by the user using a browser. . That is, the local proxy log 204 corresponds to user instruction information. The local proxy log 204 is stored in the storage device of the terminal device 500, for example.
The Web content recorded in the local proxy log 204 includes content information (URL information) associated with a Web page (Web content) accessed by a browser.
The content information (URL information) associated with the Web page refers to other content that is automatically acquired or linked by the browser (or the local proxy 550 or the proxy server device 600) accessing the Web page. Information. The content information associated with the Web page includes URL information of the associated content. The URL information of the associated content corresponds to the related address information, and the local proxy log 204 also corresponds to the related address information.
Information of other content that is associated with this Web page (Web content) and that is automatically acquired or linked by a browser (or local proxy 550 or proxy server device 600) that accesses the Web page (Web content). Hereinafter, it is referred to as “content automatically acquired by Web content”.

(Configuration of information leakage detection system 100)
FIG. 2 is a diagram illustrating an example of the configuration of the information leakage detection system 100. Each element constituting the information leakage detection system 100 will be described.

(Proxy log capturing unit 101)
The proxy log capturing unit 101 receives the proxy log 201, the terminal identifier 205, and the period 206 as inputs, and extracts a proxy log entry 301 that is a log content.

Here, although not shown in FIG. 1, a plurality of terminal devices 500 are installed as described above, and the terminal identifier 205 is an identifier for identifying each terminal device 500.
For example, the user inputs the identifier of the target terminal device 500 that the user wants to investigate using the information leakage detection system 100 using an input device such as a keyboard. This input device may be provided in the information leakage detection system 100 or may be outside the information leakage detection system 100.

  The period 206 is information of a period for which the user wants to investigate an unauthorized address using the information leakage detection system 100, for example. The period 206 is input by the period specifying unit 200. The period specifying unit 200 may be an input device such as a keyboard, or may be a storage device in which information on the period 206 is stored in advance. The period specifying unit 200 may be provided in the information leakage detection system 100 or may be outside the information leakage detection system 100.

  Further, as described above, the proxy log 201 records the website address. That is, the proxy log capturing unit 101 corresponds to an address input unit.

(URL whitelist import unit 102)
The URL white list capturing unit 102 inputs the URL white list 202 and extracts the white URL 302 that is the content of the URL white list 202.

  Here, as described above, the URL white list 202 indicates addresses defined as valid in advance. That is, the URL white list capturing unit 102 corresponds to an address input unit.

  The URL white list 202 may be input by a user from an input device such as a keyboard, or may be stored in advance in a storage device. These input devices and storage devices may be provided in the information leak detection system 100 or may be external to the information leak detection system 100.

(Terminal operation log capturing unit 103)
The terminal operation log capturing unit 103 inputs the terminal operation log 203 and extracts Web access URL information 303 that is URL information of the Web site accessed by the browser.

Here, as described above, the terminal operation log 203 records the address of the Web site. That is, the terminal operation log capturing unit 103 corresponds to an address input unit.
In addition, the terminal operation log capturing unit 103 calculates a non-operation period (described later) or a non-address corresponding period (described later). That is, the terminal operation log capturing unit 103 corresponds to a period calculation unit.

(Local proxy log capturing unit 104)
The local proxy log capturing unit 104 inputs the local proxy log 204, the terminal identifier 205, and the period 206, and extracts a local proxy log entry 304 that is the content of the local proxy log 204. That is, the local proxy log entry 304 also corresponds to the user instruction information and the related address information, although not shown in FIG.

  Here, as described above, the address of the Web site is recorded in the local proxy log 204. That is, the local proxy log capturing unit 104 corresponds to an address input unit.

(Gray URL specifying unit 105)
The gray URL specifying unit 105 inputs the proxy log entry 301, the white URL 302, and the browser access URL information 307 (described later), and extracts the gray URL information 305 that is URL information that may be accessed by malware. . That is, the gray URL specifying unit 105 corresponds to an address extracting unit.

(Top page URL specifying unit 106)
The top page URL specifying unit 106 inputs the Web access URL information 303 and the local proxy log entry 304, extracts a log entry whose URL matches the Web access URL information 303 from the local proxy log entry 304, and receives the top page URL information. Output as 306. The top page URL information 306 corresponds to user instruction information.

  Here, the top page URL information 306 is information of the local proxy 550 extracted from the local proxy log entry 304, that is, local proxy information. The top page URL specifying unit 106 corresponds to a local proxy information extracting unit.

(Browser access URL specifying unit 107)
The browser access URL specifying unit 107 inputs the top page URL information 306 and the local proxy log entry 304, and to the content automatically acquired by the Web content included in the Web content of the local proxy log entry 304 or to another Web page Link information (URL) is extracted as the URL in the top page. The URL in the top page is related address information related to the Web content.

  Further, the browser access URL specifying unit 107 outputs the URL within the top page and the top page URL information 306 together as browser access URL information 307 that is URL information accessed by the browser. That is, the browser access URL information 307 includes URL information in the top page, and the browser access URL information 307 corresponds to user instruction information and related address information.

(Black URL specifying unit 108)
The black URL specifying unit 108 inputs the gray URL information 305, the browser access URL information 307, and the black determination condition 207, and extracts the black URL 208 that seems to be the site accessed by the malware. That is, the black URL specifying unit 108 corresponds to an address extracting unit.

The black determination condition 207 is information representing a condition for determining whether the URL information included in the gray URL information is accessed by malware. The black URL specifying unit 108 is a condition matching address specifying unit that specifies an address that matches the black determination condition 207.
Further, the black URL specifying unit 108 corresponds to an information input unit that inputs information from an external service 209 (described later).

  Further, although not shown in FIG. 2, the black URL specifying unit 108 can also input the proxy log 201. Then, the black URL specifying unit 108 corresponds to a traffic calculation unit that calculates the number of accesses per predetermined time using the input data of the proxy log 201 (described later).

(Log accumulation unit 109)
The log storage unit 109 takes in and stores the proxy log 201, the terminal operation log 203, and the local proxy log 204. The log storage unit 109 is a storage device such as a magnetic disk device, for example.

  The proxy log capturing unit 101 inputs the proxy log 201 accumulated by the log accumulation unit 109. In addition, the terminal operation log capturing unit 103 inputs the terminal operation log 203 accumulated by the log accumulation unit 109. Further, the local proxy log capturing unit 104 inputs the local proxy log 204 accumulated by the log accumulation unit 109.

(Description of operation of information leakage detection system 100)
The operation of the information leakage detection system 100 will be described.

(Processing of terminal operation log capturing unit 103)
FIG. 3 is a diagram illustrating an example of the terminal operation log 203.
FIG. 4 is a flowchart illustrating an example of processing of the terminal operation log capturing unit 103.
FIG. 5 is a diagram illustrating an example of the Web access URL information 303.

The terminal operation log capturing unit 103 inputs the terminal operation log 203, the period 206, and the terminal identifier 205.
The period 206 is a period specified by the user using the period specifying unit 200, for example, in order to confirm whether or not there is a web access from malware in a certain specific period. For example, when the presence / absence of Web access from malware is checked during the period “2011/06/23 09:00:00 to 2011/06/23 18:00:00”, the period specifying unit 200 sets the period 206 to “2011. / 06/23 09:00:00 to 2011/06/23 18:00:00 "is specified.

  The terminal operation log 203 is a log recorded by a terminal operation recording application installed in each terminal device 500. In the terminal operation log 203, for example, “operation date and time, terminal identifier, user identifier, operation type, and operation content” are recorded in chronological order as in the format shown in FIG.

  Here, the operation date and time is the date and time when the user operated the terminal device 500. The terminal identifier is, for example, the IP address of the terminal device 500. The user identifier is an ID (identifier, ID) such as an employee number of the employee. The operation type is, for example, an operation type such as “file generation” or “Web access”. The operation content is a record depending on the operation type.

  By the function of the terminal operation recording application, the URL entered by the user by clicking on the URL entered in the address bar of the browser or the link of the content of the website is recorded in the terminal operation log 203.

  For example, D2031 shown in FIG. 3 indicates that “the terminal device 500 identified by the IP address 192.168.1.2 at 2011/06/23 9: 00: 00: 00 is operated by the employee identified by the UserID 1234. , C: \ work \ sample.txt has been generated ".

Further, for example, D2033 shown in FIG. 3 indicates that the terminal device 500 identified by the IP address 192.168.1.2 at 2011/06/23 12:00 is the employee ID identified by the UserID 1234. This means that the GET method has been transmitted (Web access) to http: //XXX.123-sample.ΔΔΔ/ by the operation ”.
Here, the URL shown in the description of the embodiment (for example, “http: //◯◯.123-sample.ΔΔΔ/” described above) is merely an example, and the actual URL It is unrelated to the URL.

Here, a case will be described in which the terminal device 500 accesses the Web as in the operation type “Web access” indicated by D2033 in FIG. When the user accesses the Web using the terminal device 500, the user performs an address instruction operation to instruct the terminal device 500 of an access destination address. The user instructs web access to the terminal device 500 through this address instruction operation. That is, in this address instruction operation, the user instructs the terminal device 500 to specify an access destination address, and also instructs the terminal device 500 to perform Web access to the address designated by the user to the terminal device 500. . This address instruction operation is expressed as “Web access” in the terminal operation log 203 (for example, FIG. 3).
The address by this address instruction operation is shown in the terminal operation log 203 (for example, “http: //◯◯.123-sample.ΔΔΔ/” in D2033 of FIG. 3). Then, the terminal device 500 notifies the proxy server device 600 of this address as an access destination. The terminal device 500 performs Web access using the proxy server device 600 as described above.

  That is, in the terminal operation log 203, the address notified by the terminal device 500 to the proxy server device 600 as the access destination based on the address instruction operation in which the user instructs the access address to the terminal device 500 corresponds to the address instruction operation. Shown attached.

The operation of the terminal operation log capturing unit 103 will be described with reference to FIG.
Here, the period 206 is designated as “2011/06/23 09:00:00 to 2011/06/23 18:00:00”, and the terminal identifier 205 is designated as “192.168.1.2”. To do.

  First, the terminal operation log capturing unit 103 determines whether all entries of the terminal operation log 203 have been input (S401 in FIG. 4). Here, a line constituting information such as the terminal operation log 203 is hereinafter referred to as “entry”. For example, the row of D2031 in FIG. 4 is one entry.

If all entries have not been input (“NO” in S401 of FIG. 4), the terminal operation log capturing unit 103 inputs the entries of the terminal operation log 203 that have not been input, for example, in chronological order of the operation date and time (FIG. 4 S402).
Next, the terminal operation log capturing unit 103 determines whether the operation date / time of the input entry is within the range 206 (S403 in FIG. 4).
If the operation date / time is within the range 206 (“YES” in S403 of FIG. 4), the terminal operation log capturing unit 103 determines whether the terminal identifier of the input entry matches the terminal identifier 205. (S404 in FIG. 4).
If the terminal identifier matches the terminal identifier 205 (“YES” in S404 in FIG. 4), the terminal operation log capturing unit 103 determines whether the operation type of the input entry is Web access (S405 in FIG. 4). ).
If the operation type is Web access (“YES” in S405 in FIG. 4), the terminal operation log capturing unit 103 outputs the read entry as Web access URL information 303 (S406 in FIG. 4).

  Then, returning to the process of S401 in FIG. 4, the terminal operation log capturing unit 103 performs the processes from S401 to S406 in FIG. 4 until all the entries in the terminal operation log 203 are input (“YES” in S401 in FIG. 4). repeat.

  For example, each line of the Web access URL information 303a to 303d shown in FIG. 5 is one Web access URL information. For example, the web access URL information 303a to 303d constitute a set of web access URL information 303.

  That is, the terminal operation log capturing unit 103 includes an entry in the terminal operation log 203 illustrated in FIG. 3 in which the operation date / time corresponds to the period 206, the terminal identifier corresponds to the terminal identifier 205, and the operation type is Web access. Is extracted, and a set of Web access URL information 303 shown in FIG. 5 is generated.

(Processing of local proxy log capturing unit 104)
FIG. 6 is a diagram illustrating an example of the local proxy log 204.
FIG. 7 is a diagram illustrating an example of the content entity 350.
FIG. 8 is a flowchart illustrating an example of processing of the local proxy log capturing unit 104.
FIG. 9 is a diagram illustrating an example of the local proxy log entry 304.

  The local proxy log capturing unit 104 extracts a local proxy log entry 304 from the local proxy log 204, the period 206, and the terminal identifier 205.

The local proxy log 204 records the content of content obtained by Web access by an application such as a browser of the terminal device 500 using the local proxy 550 and the content of content transmitted through Web access.
The local proxy log 204 includes, for example, “access date / time, terminal identifier, URL of the accessed website, method (GET / POST, etc.), status code, communication size, content entity 350” as in the format shown in FIG. Recorded in chronological order.

  Here, when the terminal device 500 having the local proxy 550 performs Web access using the local proxy 550, the user first designates an access destination address using the input device of the terminal device 500, for example. Then, the terminal device 500 notifies the proxy server device 600 of the access destination address using the local proxy 550. Then, the terminal device 500 performs Web access using the proxy server device 600 as described above and further using the local proxy 550.

  That is, the local proxy log 204 indicates an address that the terminal device 500 having the local proxy 550 notifies to the proxy server device 600 as an access destination using the local proxy 550 based on a user instruction.

For example, the row of D3041 shown in FIG. 6 is one entry in which the terminal device 500 accesses the Web site via the local proxy 550.
In FIG. 6, the portion “(content entity)” of the content entity 350 is omitted, but actually, for example, the contents as shown in FIG. 7 are recorded.
In the example shown in FIG. 7, content obtained as a result of “http GET” is shown, but in the case of POST, the sent content is recorded.

The operation of the local proxy log capturing unit 104 will be described with reference to FIG.
Here, the period 206 is designated as “2011/06/23 09:00:00 to 2011/06/23 18:00:00”, and the terminal identifier 205 is designated as “192.168.1.2”. To do.

First, the local proxy log capturing unit 104 determines whether all entries of the local proxy log 204 have been input (S501 in FIG. 8).
If all entries have not been input (“NO” in S501 of FIG. 8), the local proxy log capturing unit 104 inputs the entries of the local proxy log 204 that have not been input, for example, in chronological order of access date and time (FIG. 8 S502).
Next, the local proxy log capturing unit 104 determines whether or not the access date / time of the input entry is within the range 206 (S503 in FIG. 8).
If the access date / time is within the range of the period 206 (“YES” in S503 in FIG. 8), the local proxy log capturing unit 104 determines whether or not the terminal identifier of the input entry matches the terminal identifier 205. (S504 in FIG. 8).
If the terminal identifier matches the terminal identifier 205 (“YES” in S504 in FIG. 8), the local proxy log capturing unit 104 outputs the read entry as the local proxy log entry 304 (S505 in FIG. 8).

  Then, returning to the processing of S501 in FIG. 8, the local proxy log capturing unit 104 performs the processing from S501 to S505 in FIG. 8 until all entries of the local proxy log 204 are input (“YES” in S501 in FIG. 8). repeat.

  For example, each local proxy log entry 304a to 304d shown in FIG. 9 is one local proxy log entry. For example, the local proxy log entries 304a to 304d constitute a set of local proxy log entries 304.

That is, the local proxy log capturing unit 104 extracts an entry whose access date / time corresponds to the period 206 and whose terminal identifier corresponds to the terminal identifier 205 from the entries of the local proxy log 204 shown in FIG. Generate a set of local proxy log entries 304.
Here, since the access date and time of D3045 shown in FIG. 6 does not correspond to the period 206, it is not included in the set of local proxy log entries 304 shown in FIG.

(Processing of the top page URL specifying unit 106)
FIG. 10 is a flowchart illustrating an example of a first process of the top page URL specifying unit 106.
FIG. 11 is a diagram illustrating an example of the URL list extracted by the first process of the top page URL specifying unit 106.
FIG. 12 is a flowchart illustrating an example of the second process of the top page URL specifying unit 106.
FIG. 13 is a diagram illustrating an example of the top page URL information 306.

  The top page URL specifying unit 106 inputs the Web access URL information 303 and the local proxy log entry 304. Then, the top page URL specifying unit 106 extracts the URL included in the Web access URL information 303 as the first process. Then, as the second process, the top page URL specifying unit 106 extracts an entry that matches the URL included in the Web access URL information 303 extracted in the first process from the local proxy log entry 304.

  The operation (first process) of the top page URL specifying unit 106 will be described with reference to FIG. First, as a first process, the top page URL specifying unit 106 extracts a URL (Web access URL) from the Web access URL information 303 to generate a list.

First, the top page URL specifying unit 106 determines whether all the Web access URL information 303 has been input (S601 in FIG. 10).
If all the Web access URL information 303 has not been input (“NO” in S601 in FIG. 10), the top page URL specifying unit 106 inputs the Web access URL information 303 that has not been input, for example, in chronological order of access date and time. (S602 in FIG. 10).
Next, the top page URL specifying unit 106 extracts the URL (Web access URL) of the input Web access URL information 303 (S603 in FIG. 10).
Next, the top page URL specifying unit 106 extracts the operation date and time of the input Web access URL information 303 (S604 in FIG. 10).
Then, the top page URL specifying unit 106 generates a list in which the extracted URL (Web access URL) and the operation date / time are one entry. An example of the list is shown in FIG.
Then, returning to the processing of S601 in FIG. 10, the top page URL specifying unit 106 performs the processing from S601 to S605 in FIG. 10 until all Web access URL information 303 is input (“YES” in S601 in FIG. 10). repeat.

A specific example will be described.
For example, in the case where the set of the Web access URL information 303 is shown in FIG. 5, the top page URL specifying unit 106 first sets the Web access URL information 303a “2011/06/23 10:00:00, 192 in FIG. .168.1.2, UserID 1234, Web access, http: //OO.abc-sample.ΔΔΔ/, GET ”(S602 in FIG. 10). Then, the top page URL specifying unit 106 extracts the URL “http: //XXX.abc-sample.ΔΔΔ/” from the Web access URL information 303a (S603 in FIG. 10), and the operation date and time “2011”. / 06/23 10:00:00 "is extracted (S604 in FIG. 10). The top page URL specifying unit 106 sets “http: //XXX.abc-sample.ΔΔΔ/, 2011/06/23 10:00:00” as one entry (D1061 in FIG. 11). Generate a list.

The operation (second process) of the top page URL specifying unit 106 will be described with reference to FIG.
As the second process, the top page URL specifying unit 106 extracts the local proxy log entry 304 that matches the URL of the entry included in the list shown in FIG. 11 generated in the first process and the operation date and time, for example.
Although the illustration of FIG. 12 is omitted, the top page URL specifying unit 106 performs the process of FIG. 12 for all entries included in the list shown in FIG. 11 generated by the first process, for example. .
Here, as an entry extracted by the top page URL specifying unit 106 in the first process, the entry “http: //XXX.abc-sample.ΔΔΔ/, 2011/06 /” shown in D1061 of FIG. “23 10:00: 00” will be described as an example.

First, the top page URL specifying unit 106 determines whether or not all the local proxy log entries 304 have been input (S101 in FIG. 12).
If all the local proxy log entries 304 have not been input (“NO” in S101 in FIG. 12), the top page URL specifying unit 106 inputs the local proxy log entries 304 that have not been input, for example, in chronological order of access date / time. (S102 in FIG. 12).
Here, for example, the top page URL specifying unit 106 determines that the local proxy log entry 304a “2011/06/23 10:00:00, 192.168.1.2, http: //◯◯◯.abc in FIG. “Sample.ΔΔΔ /, GET, 200, 1000, content entity” is input.

Then, the top page URL specifying unit 106 determines that the URL that matches the “http: //XXX.abc-sample.ΔΔΔ/” that is the Web access URL in the entry extracted in the first process is the local proxy log. It is determined whether or not it is included in the entry 304a. Further, the top page URL specifying unit 106 determines whether or not “2011/06/23 10:00: 00”, which is the operation date / time in the entry extracted in the first process, matches the access date / time of the local proxy log entry 304a. Is determined (S103 in FIG. 12).
Then, the URL in the entry extracted in the first process matches the URL included in the local proxy log entry 304a, and the operation date / time in the entry extracted in the first process matches the access date / time of the local proxy log entry 304a. Therefore (“YES” in S103 of FIG. 12), the process proceeds to S104.

Then, although not shown in FIG. 12, the top page URL specifying unit 106 generates the top page URL information 306 from the local proxy log entry 304a determined as “YES” in S103 of FIG.
In this case, the top page URL information 306a is as shown in FIG. That is, information including the URL, the access date / time in the local proxy log 204, the terminal identifier, the method, the status, and the communication size is referred to as top page URL information 306. The URL indicated in the top page URL information 306 is referred to as a top page URL.

  Then, every time the top page URL information 306 is generated, the process of S104 in FIG. 12 is performed. Since the process of S104 is performed by the browser access URL specifying unit 107, it will be described later.

  Then, returning to the processing of S101 in FIG. 12, the top page URL specifying unit 106 continues from S101 to S103 in FIG. 12 until all entries of the local proxy log entry 304 are input (“YES” in S101 in FIG. 12). Repeat the process. The browser access URL specifying unit 107 performs the process of S104 in FIG. 12 every time the top page URL information 306 is generated.

(Processing of browser access URL specifying unit 107)
FIG. 14 is a flowchart illustrating an example of processing of the browser access URL specifying unit 107. Note that the flowchart of FIG. 14 shows the details of the process of S104 of FIG.
FIG. 15 is a diagram illustrating an example of the URL 606 in the top page.
FIG. 16 is a diagram illustrating an example of the browser access URL information 307.

In the above example, the local proxy log entry 304a input by the top page URL specifying unit 106 in S102 of FIG. 12 is “2011/06/23 10:00:00, 192.168.1.2, http: /// “OO.abc-sample.ΔΔΔ /, GET, 200, 1000, content entity”.
Here, as described above, the content entity 350 is actually information as shown in FIG. That is, the content entity 350 is an html content entity obtained as a result of the terminal device 500 accessing the Web.

The operation of the browser access URL specifying unit 107 will be described with reference to FIG.
Here, the content entity 350 uses the example shown in FIG.

  As described above, when the top page URL specifying unit 106 generates the top page URL information 306, the browser access URL specifying unit 107 displays the local proxy log entry 304 and the top page URL specifying unit 106 input by the top page URL specifying unit 106. The top page URL information 306 generated by the user is input and the processing shown in FIG. 14 is performed.

First, the browser access URL specifying unit 107 inputs the contents of the content entity 350 from the first line of the content entity 350 (S201 in FIG. 14). Specifically, the browser access URL specifying unit 107 inputs “<html lang =“ ja ”>” indicated by D3501 in FIG.
Next, the browser access URL specifying unit 107 determines whether or not the input content is an <html> tag (S202 in FIG. 14). That is, by this process, the browser access URL specifying unit 107 determines whether or not the html content starts. In this case, “<html lang =“ ja ”>” is a <html> tag (“YES” in S202 of FIG. 14).

Further, the browser access URL specifying unit 107 inputs one line of the contents of the content entity 350 in the order of the lines of the content entity 350 (S203 in FIG. 14).
Then, the browser access URL specifying unit 107 determines whether or not the content of the input content entity 350 includes the sub-content URL (S204 in FIG. 14).

  Here, the sub-content is, for example, a URL following “href =” in the <a> tag, a src attribute URL in the <img src> tag, a URL in the moving image display tag, or the like. That is, the content entity 350 includes sub-content (image specified by “img src”, moving image specified by a moving image display tag, etc.) automatically acquired by html content, and linked sub-content (<a> URL specified by a tag) is described.

  If the URL of the sub-content is included in the content of the content entity 350 read in S203 of FIG. 14 (“YES” in S204 of FIG. 14), the browser access URL specifying unit 107 converts the URL of the sub-content into the URL within the top page. (S205 in FIG. 14). Then, the browser access URL specifying unit 107 performs the process of S203 in FIG. 14 again.

  Here, the URL within the top page means the URL of the content that is automatically acquired by the Web site accessed by the terminal device 500 using the top page URL or the content to be linked, and the content obtained along with the top page. URL.

  If the URL of the sub-content is not included in the content of the content entity 350 read in S203 of FIG. 14 (“NO” in S204 of FIG. 14), the browser access URL specifying unit 107 determines that the content of the read content entity 350 is It is determined whether there is a </ html> tag (S206 in FIG. 14). By this process, the browser access URL specifying unit 107 determines whether or not the end of the html content.

When the content of the read content entity 350 is a </ html> tag, the browser access URL specifying unit 107 ends the process (“YES” in S206 of FIG. 14). Then, browser access URL information 307 is generated from the top page URL information 306 input from the top page URL specifying unit 106 and the set top page URL 606.
That is, information combining the top page URL information 306 and the top page URL 606 associated with each entry (each line) of the top page URL information 306 is referred to as browser access URL information 307.
Thereafter, the top page URL specifying unit 106 continues the process of S101 in FIG.

  On the other hand, if the content of the read content entity 350 is not a </ html> tag, the browser access URL specifying unit 107 performs the process of S203 in FIG. 14 again.

  FIG. 15 shows an example of the URL 606 in the top page set from the example of the content entity 350 shown in FIG. 7 by the browser access URL specifying unit 107 executing the processing shown in FIG.

  Then, the top page URL specifying unit 106 executes the processing shown in FIG. 12 to generate top page URL information 306 from the local proxy log entry 304 shown in FIG. 6, and the browser access URL specifying unit 107 further displays the top page URL. An example of the browser access URL information 307 in which the top page URL 606 is set for each piece of information 306 is shown in FIG.

For example, each browser access URL information 307a to 307d shown in FIG. 16 is one browser access URL information. For example, the browser access URL information 307a to 307d constitutes a set of browser access URL information 307.
For example, although “(top page URL)” in the browser access URL information 307a in FIG. 16 is omitted, the contents of the top page URL 606 as shown in FIG. 15 are actually recorded. Yes.

(Processing of local proxy log capturing unit 104)
FIG. 17 is a diagram illustrating an example of the proxy log 201.
FIG. 18 is a flowchart illustrating an example of processing of the proxy log capturing unit 101.
FIG. 19 is a diagram illustrating an example of the proxy log entry 301.

  The proxy log capturing unit 101 inputs the proxy log 201, the period 206, and the terminal identifier 205.

  As in the format shown in FIG. 17, the proxy log 201 records, for example, “access date / time, terminal identifier, URL of accessed website, method (GET / POST, etc.), status code, communication size” in chronological order. .

  The proxy log 201 records all Web accesses from all terminal devices 500 connected to the proxy server device 600. However, in FIG. 17, illustration of Web access of the terminal device 500 other than the terminal identifier “192.168.1.2” is omitted. Here, all the web accesses are web accesses by, for example, a browser, an application that performs web communication, or malware that performs web communication.

The proxy log 201 indicates the address of the access destination accessed by the proxy server device 600 for each Web access.
In other words, the proxy log 201 indicates an access destination address for each access performed by the proxy server apparatus 600.

  In the proxy log 201 illustrated in FIG. 17, for example, “(http: //◯◯◯.abc-sample. Content recording automatically acquired by ΔΔΔ / content)” will be described. If the proxy server device 600 is http: // XXX. abc-sample. As a result of accessing △△△ /, if a tag for capturing an image or a moving image is recorded in the content acquired by the proxy server device 600, the proxy server device 600 downloads the image or the moving image with http. Get automatically. It means that those images and moving images are also recorded in the proxy log 201.

The operation of the proxy log capturing unit 101 will be described with reference to FIG.
Here, the period 206 is designated as “2011/06/23 09:00:00 to 2011/06/23 18:00:00”, and the terminal identifier 205 is designated as “192.168.1.2”. To do.

  First, the proxy log capturing unit 101 determines whether all entries of the proxy log 201 have been input (S701 in FIG. 18).

If all entries have not been input (“NO” in S701 of FIG. 18), the proxy log capturing unit 101 inputs the entries of the proxy log 201 that have not been input, for example, in chronological order of access date and time (FIG. 18). S702).
Next, the proxy log capturing unit 101 determines whether or not the access date and time of the input entry is within the range 206 (S703 in FIG. 18).
If the access date / time is within the range of the period 206 (“YES” in S703 in FIG. 18), the proxy log capturing unit 101 determines whether or not the terminal identifier of the input entry matches the terminal identifier 205 ( S704 in FIG. 18).
If the terminal identifier matches the terminal identifier 205 (“YES” in S704 of FIG. 18), the proxy log capturing unit 101 outputs the read entry as the proxy log entry 301 (S705 of FIG. 18).

  Then, returning to the processing of S701 in FIG. 18, the proxy log capturing unit 101 repeats the processing from S701 to S705 in FIG. 18 until all entries of the proxy log 201 are input (“YES” in S701 in FIG. 18). .

  For example, each proxy log entry 301a to 301f shown in FIG. 19 is one proxy log entry. For example, the proxy log entries 301a to 301f constitute a set of proxy log entries 301.

  That is, the proxy log capturing unit 101 extracts an entry whose access date / time corresponds to the period 206 and whose terminal identifier corresponds to the terminal identifier 205 among the entries of the proxy log 201 illustrated in FIG. 17, and the proxy log illustrated in FIG. A set of entries 301 is generated.

(Processing of URL whitelist capturing unit 102)
FIG. 20 is a flowchart illustrating an example of processing of the URL white list capturing unit 102.
FIG. 21 is a diagram illustrating an example of the URL white list 202.
FIG. 22 is a diagram illustrating an example of the white URL 302.

  The URL white list capturing unit 102 inputs the URL white list 202.

The URL white list 202 is a list of URLs permitted to be accessed by an organization such as a company, for example, and records, for example, “URL, remarks” as in the format shown in FIG.
The URL white list capturing unit 102 extracts a URL that is the first element of each entry in the URL white list 202 and outputs the URL as a white URL 302.

  The operation of the URL white list taking unit 102 will be described with reference to FIG.

  First, the URL white list capturing unit 102 determines whether all entries in the URL white list 202 have been input (S801 in FIG. 20).

If all the entries have not been input (“NO” in S801 in FIG. 20), the URL whitelist capturing unit 102 inputs an entry in the URL whitelist 202 that has not been input (S802 in FIG. 20).
Next, the URL white list capturing unit 102 extracts the URL of the input entry (S803 in FIG. 20).
Then, the URL white list capturing unit 102 outputs the extracted URL as the white URL 302 (S804 in FIG. 20).

  Then, returning to the processing of S801 in FIG. 20, the URL whitelist capturing unit 102 performs the processing from S801 to S804 in FIG. 20 until all entries in the URL whitelist 202 are input (“YES” in S801 in FIG. 20). repeat.

  For example, each white URL 302a to 302b shown in FIG. 22 is one white URL. For example, the white URLs 302a to 302b constitute a set of white URLs 302.

(Processing of the gray URL specifying unit 105)
The processing of the gray URL specifying unit 105 will be described separately for the first example and the second example.

(First example of processing of the gray URL specifying unit 105)
FIG. 23 is a flowchart illustrating a first example of processing of the gray URL specifying unit 105.
FIG. 24 is a diagram illustrating an example of the gray URL information 305 obtained by the process of the first example of the gray URL specifying unit 105.

A first example of the process of the gray URL specifying unit 105 will be described with reference to FIG.
The gray URL specifying unit 105 inputs a proxy log entry 301 (a set of proxy log entries 301) and a white URL 302 (a set of white URLs 302) (S2301 in FIG. 23).
Here, the proxy log entry 301 is the example shown in FIG. 19, and the white URL 302 is the example shown in FIG.
The proxy log entry 301 (a set of proxy log entries 301) is extracted from the proxy log 201 as described above, and a URL (address) indicated in the proxy log entry 301 (a set of proxy log entries 301) is The URL (address) indicated in the proxy log 201 as described above.
The white URL 302 is an address indicated in the URL white list 202 (legitimate address information).

Then, the gray URL specifying unit 105 deletes the proxy log entry 301 including the white URL 302 from the set of proxy log entries 301 (S2302 in FIG. 23).
Specifically, the proxy log entry 301a shown in FIG. 19 includes a white URL 302a shown in FIG. 22, and the proxy log entry 301d shown in FIG. 19 includes a white URL 302b shown in FIG. Therefore, the gray URL specifying unit 105 deletes the proxy log entry 301a and the proxy log entry 301d from the set of proxy log entries 301.

Here, to delete the proxy log entry 301 including the white URL 302 is to extract the proxy log entry 301 including a URL other than the white URL 302. That is, the gray URL specifying unit 105 substantially extracts URLs other than the white URL 302 from the set of proxy log entries 301.
That is, the gray URL specifying unit 105 extracts URLs (addresses) not shown in the URL white list 202 (legitimate address information) from the URLs (addresses) shown in the set of proxy log entries 301 (proxy log 201). To do.
In other words, the gray URL information 305 is information indicating URLs that are not indicated in the URL white list 202 (legitimate address information) among the URLs indicated in the set of proxy log entries 301 (proxy log 201).

Then, the gray URL specifying unit 105 outputs the edited set of proxy log entries 301 (that is, the set of proxy log entries 301 from which the proxy log entry 301 including the white URL 302 is deleted) as gray URL information 305 (FIG. 23). S2303).
An example of the gray URL information 305 is shown in FIG. 24 includes information other than the URL included in the proxy log entry 301 (for example, access date and time, terminal identifier, etc.), but the gray URL information 305 includes only the URL information of the website. May be.

(Second example of processing of the gray URL specifying unit 105)
FIG. 25 is a flowchart illustrating a second example of processing of the gray URL specifying unit 105.
FIG. 26 is a diagram illustrating an example of the gray URL information 305 obtained by the process of the second example of the gray URL specifying unit 105.

Next, a second example of processing of the gray URL specifying unit 105 will be described with reference to FIG.
The gray URL specifying unit 105 inputs browser access URL information 307 (a set of browser access URL information 307) in addition to a proxy log entry 301 (a set of proxy log entries 301) and a white URL 302 (a set of white URLs 302). (S2401 in FIG. 25).

Here, the proxy log entry 301 is the example shown in FIG. 19, the white URL 302 is the example shown in FIG. 22, and the browser access URL information 307 is the example shown in FIG.
Further, the top page URL 606 included in the browser access URL information 307a is an example shown in FIG. FIG. 16 shows four pieces of browser access URL information 307a to 307d, and there can be a top page URL 606 corresponding to each of them. However, here, it is assumed that there is no top page URL 606 corresponding to the browser access URL information 307b to 307d.

Then, the gray URL specifying unit 105 extracts the URL of the content automatically acquired by the website indicated by the white URL 302 and the content to be linked. That is, the gray URL specifying unit 105 extracts the URL 606 in the top page corresponding to the white URL 302 (S2402 in FIG. 25).
Specifically, the gray URL specifying unit 105 matches, for example, the white URL 302a “http: //XXX.abc-sample.ΔΔΔ/” in FIG. 22 from the set of the browser access URL information 307 that has been input. The browser access URL information 307 including the URL is selected. In this case, the gray URL specifying unit 105 selects the browser access URL information 307a illustrated in FIG. 16 including “http: //◯◯◯.abc-sample.ΔΔΔ/”. Then, the gray URL specifying unit 105 extracts the URL 606 in the top page of the browser access URL information 307a.

Then, the gray URL specifying unit 105 deletes the proxy log entry 301 including either the input white URL 302 or the top page URL 606 corresponding to each of the input white URL 302 from the set of proxy log entries 301. (S2403 in FIG. 25).
Then, the gray URL specifying unit 105 outputs the edited set of proxy log entries 301 as the gray URL information 305 (S2404 in FIG. 25).

A specific example of the gray URL information 305 is shown in FIG.
The example of gray URL information 305 (FIG. 24) obtained by the first example processing of the gray URL specifying unit 105 includes information (“http: //XXX.sample1.ΔΔΔ/” shown in D2504 of FIG. ”Is indicated).
On the other hand, the URL 606 in the top page indicated by D6061 in FIG. 15 includes “http: //◯◯◯.sample1.ΔΔΔ/”. Accordingly, the gray URL specifying unit 105 deletes the proxy log entry 301f in the set of proxy log entries 301 (FIG. 19) and outputs the gray URL information 305 in the processing of the second example. Therefore, in the example of gray URL information 305 (FIG. 26) obtained by the second example processing of the gray URL specifying unit 105, information indicating the URL of “http: //XXX.sample1.ΔΔΔ/” is shown. Is not included.

(Processing of the black URL specifying unit 108)
The processing of the black URL specifying unit 108 will be described by dividing it into first to fourth examples.

(First example of processing of the black URL specifying unit 108)
FIG. 27 is a flowchart illustrating a first example and a second example of processing of the black URL specifying unit 108.
FIG. 28 is a diagram illustrating an example of the black URL 208.

A first example of the processing of the black URL specifying unit 108 will be described with reference to FIG.
The black URL specifying unit 108 inputs gray URL information 305 and browser access URL information 307 (a set of browser access URL information 307) (S2601 in FIG. 27).
Here, the gray URL information 305 may be information processed in the first example of the gray URL specifying unit 105 described above or information processed in the second example of the gray URL specifying unit 105 described above. Here, the gray URL information 305 will be described using the specific example shown in FIG. 26 as information processed in the second example of the gray URL specifying unit 105 described above. That is, the URL shown in the gray URL information 305 is obtained by excluding the URL shown in the white URL 302 and the top page URL 606 from the URL shown in the proxy log entry 301.
The browser access URL information 307 is an example shown in FIG.

Then, the black URL specifying unit 108 deletes the entry including the URL of the browser access URL information 307 from the entry of the gray URL information 305 (S2602 in FIG. 27).
In the case of the first example of the processing of the black URL specifying unit 108, the black URL specifying unit 108 is indicated in the top page URL information 306 part of the browser access URL information 307 from the entry of the gray URL information 305. Delete the entry containing the URL.
For example, the entry of the gray URL information 305 shown in the line D2601 in FIG. 26 includes the URL shown in the top page URL information 306 portion of the browser access URL information 307b in FIG. Therefore, the black URL specifying unit 108 deletes the entry of the gray URL information 305 shown in the line D2601 in FIG. 26 from the gray URL information 305.

Here, for example, the record of the content automatically acquired by the content “(http: //XXX.123-sample.ΔΔΔ/” in the entry of the gray URL information 305 shown in the row of D2601 in FIG. ) ”And the URL indicated by“ (URL in top page) ”of the browser access URL information 307b in FIG. 16 overlap.
Therefore, the black URL specifying unit 108 indicates the URL indicated by “(http: //◯◯◯.123-sample. The record of the content automatically acquired by the content of ΔΔΔ /)” of the entry of the gray URL information 305. May also be deleted as part of the entry of the gray URL information 305.

Then, the black URL specifying unit 108 uses the edited gray URL information 305 as the black URL information 250, and extracts the black URL 208 from the black URL information 250 (S2603 in FIG. 27). A specific example of the black URL information 250 is shown in FIG.
Here, the URL information included in the black URL information 250 (for example, the example shown in FIG. 28) (for example, “http: //◯◯◯.789-sample.ΔΔΔ/”) is referred to as a black URL 208.

  In addition, URL information may also be included in “(http: //◯◯◯.789-sample.content recording automatically acquired by Δ △ Δ / content)” shown in FIG. In that case, the black URL specifying unit 108 may extract this URL as the black URL 208.

  Note that the URL indicated in the top page URL information 306 portion of the browser access URL information 307 is the URL indicated in the user instruction information such as the terminal operation log 203, for example, and the user instructs the terminal device 500 to access using the browser. URL.

As a specific example of the processing of the black URL specifying unit 108, the information processed in the second example of the gray URL specifying unit 105 shown in FIG. 26 is shown. Here, in both the first example and the second example of processing of the gray URL specifying unit 105, the gray URL information 305 excludes the URL indicated by the white URL 302 from the URL indicated by the proxy log entry 301. It is a thing. (The gray URL information 305 in the second example of the processing of the gray URL specifying unit 105 additionally excludes the URL indicated by the URL 606 in the top page.)
That is, the gray URL information 305 is information indicating URLs that are not indicated in the URL white list 202 (legitimate address information) among URLs indicated in the set of proxy log entries 301 (proxy log 201).

The black URL 208 is a URL that is not indicated in the top page URL information 306 (user instruction information) among the URLs indicated in the gray URL information 305. That is, the black URL 208 is shown in both the URL white list 202 (legitimate address information) and the top page URL information 306 (user instruction information) in the URL shown in the set of proxy log entries 301 (proxy log 201). The URL has not been set.
In other words, the black URL specifying unit 108 includes the URL white list 202 (legitimate address information) and the top page URL information 306 (user instruction information) among the URLs (addresses) indicated in the set of proxy log entries 301 (proxy log 201). ) And URL (address) not shown in any of them.

  That is, the black URL 208 is not the white URL 302 permitted for an organization such as a company, but is a URL that is not accessed from a browser by a user operation. Therefore, the black URL 208 is considered to be an access destination URL by malware communication.

(Second example of processing of the black URL specifying unit 108)
Next, a second example of processing of the black URL specifying unit 108 will be described with reference to FIG.
The black URL specifying unit 108 inputs gray URL information 305 and browser access URL information 307 (a set of browser access URL information 307) (S2601 in FIG. 27).
Here, the gray URL information 305 is information processed in the first example of the gray URL specifying unit 105 described above, and is an example shown in FIG. That is, the URL indicated by the gray URL information 305 is obtained by excluding the URL indicated by the white URL 302 from the URL indicated by the proxy log entry 301.
The browser access URL information 307 is an example shown in FIG. 16, and the top page URL 606 included in the browser access URL information 307a is an example shown in FIG.
Here, it is assumed that the top page URL 606 corresponding to the browser access URL information 307b to 307d does not exist as in the description of the processing of the gray URL specifying unit 105.

Then, the black URL specifying unit 108 deletes the entry including the URL of the browser access URL information 307 from the entry of the gray URL information 305 (S2602 in FIG. 27).
Here, as in the first example of the processing of the black URL specifying unit 108, the black URL specifying unit 108 changes the entry from the gray URL information 305 to the top page URL information 306 portion of the browser access URL information 307. Delete the entry containing the indicated URL. Further, in the case of the second example of the processing of the black URL specifying unit 108, the black URL specifying unit 108 indicates from the entry of the gray URL information 305 to the URL 606 in the top page of the browser access URL information 307. The entry including the URL to be deleted is also deleted.

For example, the entry of the gray URL information 305 shown in the line D2501 in FIG. 24 includes the URL shown in the top page URL information 306 portion of the browser access URL information 307b in FIG. Therefore, the black URL specifying unit 108 deletes the entry of the gray URL information 305 shown in the line D2501 in FIG. 24 from the gray URL information 305.
Further, the entry of the gray URL information 305 shown in the line D2504 in FIG. 24 includes the URL of the URL 606 in the top page shown in the line D6061 in FIG. Therefore, the black URL specifying unit 108 deletes the entry of the gray URL information 305 shown in the line D2504 in FIG. 24 from the gray URL information 305.

Then, the black URL specifying unit 108 uses the edited gray URL information 305 as the black URL information 250, and extracts the black URL 208 from the black URL information 250 (S2603 in FIG. 27).
As a result, the black URL 208 according to the first example and the second example of processing of the black URL specifying unit 108 has the same contents as shown in FIG.

Note that the URL indicated in the top page URL information 306 portion of the browser access URL information 307 is the URL indicated in the user instruction information as described above. The URL indicated in the URL 606 in the top page of the browser access URL information 307 is related address information indicating a URL associated with the web page of the URL indicated in the user instruction information by a link or the like.
That is, the local proxy log capturing unit 104 inputs related address information indicating an address associated with the web page at the address indicated in the user instruction information.
As described above, the gray URL information 305 is information indicating URLs that are not indicated in the URL white list 202 (legitimate address information) among the URLs indicated in the set of proxy log entries 301 (proxy log 201). is there.

The black URL 208 is a URL that is not indicated by the top page URL information 306 (user instruction information) and the top page URL 606 among the URLs indicated by the gray URL information 305. That is, the black URL 208 is the URL white list 202 (legitimate address information), the top page URL information 306 (user instruction information), and the top page URL 606 (of the URL shown in the set of proxy log entries 301 (proxy log 201)). The URL is not shown in any of the related address information.
In other words, the black URL specifying unit 108 includes the URL white list 202 (legitimate address information) and the top page URL information 306 (user instruction information) among the URLs (addresses) indicated in the set of proxy log entries 301 (proxy log 201). ) And the URL 606 (related address information) in the top page are extracted.

(Third example of processing of the black URL specifying unit 108)
FIG. 29 is a diagram illustrating an example of the browser access URL information 307 when the local proxy log 204 is not used.

A third example of the processing of the black URL specifying unit 108 will be described with reference to FIG.
In the first example of the process of the black URL specifying unit 108, the local proxy log 204 is used. However, in the second example of the process of the black URL specifying unit 108, a case where the local proxy log 204 is not used will be described.
In this case, the local proxy log capturing unit 104, the top page URL specifying unit 106, and the browser access URL specifying unit 107 are not used.
Then, the black URL specifying unit 108 inputs the Web access URL information 303 output from the terminal operation log capturing unit 103 as browser access URL information 307.

  Here, FIG. 29 shows an example of the browser access URL information 307 when the local proxy log 204 is not used. Here, the method, status, communication size, and URL in the top page being “NULL” indicate that there is no information because the local proxy log 204 is not used.

The other processes are the same as the first example of the process of the black URL specifying unit 108, and thus the description thereof is omitted.
Since the local proxy log 204 is not used, there is no information on the URL 606 in the top page, and the processing in the gray URL specifying unit 105 is the processing shown in the first example.

(Fourth example of processing of the black URL specifying unit 108)
A fourth example of the process of the black URL specifying unit 108 will be described.
A fourth example of the processing of the black URL specifying unit 108 will be described in the case where the terminal operation log 203 and the local proxy log 204 are not used.
In this case, the terminal operation log capturing unit 103, the local proxy log capturing unit 104, the top page URL specifying unit 106, and the browser access URL specifying unit 107 are not used. Accordingly, the browser access URL information 307 is not generated.

Since the local proxy log 204 is not used, there is no information on the URL 606 in the top page, and the processing in the gray URL specifying unit 105 is the processing shown in the first example.
The black URL specifying unit 108 inputs the gray URL information 305 output by the gray URL specifying unit 105 by the processing of the first example described above, and uses the input gray URL information 305 as the black URL information 250 to extract the black URL 208. .

(Storage processing of browser access URL information 307)
The storage process of the browser access URL information 307 will be described separately for the first example and the second example.

(First example of saving processing of browser access URL information 307)
FIG. 30 is a flowchart illustrating a first example of the browser access URL information 307 storage process.

A storage device (for example, a magnetic disk device) of the information leakage detection system 100 stores browser access URL information 307. Each time the information leakage detection system 100 operates, the storage device of the information leakage detection system 100 adds and stores new browser access URL information 307 to the browser access URL information 307 already stored. Accordingly, the browser access URL information 307 increases each time the information leakage detection system 100 is operated.
A first example of the processing for saving the browser access URL information 307 will be described with reference to FIG.

First, when the browser access URL specifying unit 107 generates the browser access URL information 307 by the processing shown in FIGS. 12 and 14, the browser access URL information 307 (stored in the storage device) is stored. The browser access URL information 307 is referred to as “stored browser access URL information”) (S901 in FIG. 30).
If there is stored browser access URL information (“YES” in S901 in FIG. 30), the browser access URL specifying unit 107 inputs the stored browser access URL information from the storage device (S902 in FIG. 30).
Next, the browser access URL specifying unit 107 adds the generated browser access URL information 307 to the input stored browser access URL information (S903 in FIG. 30).
Then, the browser access URL specifying unit 107 outputs the edited (added generated browser access URL information 307 to the stored browser access URL information) as browser access URL information 307 (S904 in FIG. 30). Further, the browser access URL specifying unit 107 inputs the edited information to the storage device as saved browser access URL information, and the storage device stores the new saved browser access URL information (S906 in FIG. 30).

  When the browser access URL information 307 is generated by the browser access URL specifying unit 107 even once, the stored browser access URL information exists in the storage device. However, when the stored browser access URL information does not exist in the storage device, for example, when the information leakage detection system 100 is operated for the first time (“NO” in S901 in FIG. 30), the browser access URL specifying unit 107 generates the generated browser access URL information. 307 is output as it is (S905 in FIG. 30). Then, the storage device stores the browser access URL information 307 generated by the browser access URL specifying unit 107 as saved browser access URL information (S906 in FIG. 30).

  Alternatively, the saved browser access URL information stored in the storage device may be deleted every time the information leakage detection system 100 is stopped (powered off).

(Second example of storage processing of browser access URL information 307)
FIG. 31 is a flowchart showing a second example of the browser access URL information 307 storage process.

  The stored browser access URL information may be deleted when a certain period (for example, one day) elapses, and the corresponding information may be deleted. A second example of the processing for saving the browser access URL information 307 will be described with reference to FIG.

First, the browser access URL specifying unit 107 determines whether or not there is stored browser access URL information when the browser access URL information 307 is generated by the processing shown in FIGS. 12 and 14 (S1001 in FIG. 31). ).
If there is no saved browser access URL information (“NO” in S1001 in FIG. 31), the browser access URL specifying unit 107 outputs the generated browser access URL information 307 (S1008 in FIG. 31).
Further, the browser access URL specifying unit 107 associates the generated browser access URL information 307 with a time stamp for each entry (for each row) and inputs it to the storage device as saved browser access URL information. Then, the storage device stores stored browser access URL information including each entry (each row) associated with the time stamp (S1009 in FIG. 31).

On the other hand, if there is stored browser access URL information (“YES” in S1001 in FIG. 31), the browser access URL specifying unit 107 inputs the stored browser access URL information (S1002 in FIG. 31).
Next, the browser access URL specifying unit 107 adds the generated browser access URL information 307 to the input stored browser access URL information in association with a time stamp for each entry (for each row) (S1003 in FIG. 31). . At this time, the browser access URL specifying unit 107 does not change the time stamp associated with each entry (for each row) of the input stored browser access URL information.
Then, the browser access URL specifying unit 107 outputs the edited information as browser access URL information 307 (S1004 in FIG. 31). Further, the browser access URL specifying unit 107 inputs the edited information as storage browser access URL information to the storage device, and the storage device stores new storage browser access URL information (S1005 in FIG. 31).

The browser access URL specifying unit 107 includes stored browser access URL information in the storage device, and an entry associated with a time stamp that has passed a preset storage period is included in the stored browser access URL information. It is determined whether or not (S1006 in FIG. 31). The preset retention period is also stored in the storage device of the information leakage detection system 100, for example.
For example, when the storage period is set to “1 day”, the browser access URL specifying unit 107 displays the date and time when 24 hours are added to the time stamp associated with the stored browser access URL information entry. It is determined whether or not an entry exceeding the date / time is included.
If the corresponding entry is included (“YES” in S1006 in FIG. 31), the browser access URL specifying unit 107 displays the corresponding entry and the time stamp associated with the corresponding entry from the stored browser access URL information. Erasing is performed (S1007 in FIG. 31). Then, the storage device stores the information edited by the browser access URL specifying unit 107 as new saved browser access URL information.

(Effect of Embodiment 1)
FIG. 32 is a diagram illustrating an example of a problem of the conventional information leakage detection system 100.

For example, the terminal device 500 infected with malware performs HTTP communication with a C & C (Command & Control) server on the network 150 (for example, the Internet). Therefore, conventionally, as a method for countermeasures against the target-type attack, a method for detecting HTTP communication has been considered focusing on this point. For example, communication with the Internet in an organization such as a company is mostly HTTP, and all HTTP (or HTTPS (HyperText Transfer Protocol over Secure Socket Layer) communication passes through the proxy server 600. Therefore, HTTP communication is performed. There is a method of specifying by analyzing the proxy log 201 for recording
However, the proxy log 201 is large in organization. On the other hand, there is little communication with the C & C server, and its behavior is not recognized by the user and is not conspicuous, so it is difficult to find communication with the C & C server from the proxy log 201. That is, there is a problem that it is difficult to find a small amount of malware communication from a large amount of proxy logs 201 (C101 in FIG. 32).
Further, there is a problem that it is not possible to determine whether the user has intentionally accessed or whether any program has been accessed regardless of the user's intention simply by looking at the proxy log (C102 in FIG. 32).

  Conventionally, there are a plurality of products that block malware communication using a URL filter. In general, in the URL filter, a black list of URLs that should be prohibited from access is provided, or a white list of URLs that permit access is created to control access. However, since suspicious websites that should not be allowed to appear appear one after another, it is difficult to create a blacklist completely. Accordingly, there is no complete URL filter setting, and it is set depending on the skill of the administrator. Depending on the setting of the URL filter, there is a problem that communication of malware that should be prohibited from URL access cannot be specified (the access URL of the malware leaks) (C103 in FIG. 32).

  On the other hand, the information leakage detection system 100 according to the present embodiment uses the proxy log 201, the URL white list 202, the terminal operation log 203, and the local proxy log 204 to identify HTTP communication that seems to be communication by malware that is not intended by the user. To do.

That is, the information leakage detection system 100 according to the present embodiment specifies browser access URL information 307 indicating the URL accessed by the user with the browser from the terminal operation log 203 and the local proxy log 204 in the terminal device 500 to be investigated. .
Here, the information leakage detection system 100 according to the present embodiment identifies the top page URL information 306 from the terminal operation log 203, and the top page URL 606 (the content of the top page URL is automatically acquired from the local proxy log 204. Alternatively, a linked URL) is specified. The information leakage detection system 100 according to the present embodiment uses the browser access URL information 307 together with the top page URL information 306 and the top page URL 606.
The information leakage detection system 100 according to the present embodiment records the URL related to the terminal device 500 to be investigated (the URL of the Web access from the terminal device 500) in the proxy log 201 in the proxy server device 600 common to the organization. ) Specifies the gray URL information 305 excluding the URL permitted by the URL white list 202. Furthermore, the information leakage detection system 100 of this embodiment specifies the black URL 208 by removing the URL of the browser access URL information 307 from the gray URL information 305.

That is, the information leakage detection system 100 according to the present embodiment can extract the black URL 208 that is not a URL permitted for an organization such as a company, or a URL accessed by a user from a browser. The black URL 208 is an access destination for access unintended by the user in Web communication from the terminal device 500. Therefore, the information leakage detection system 100 according to the present embodiment can detect a URL accessed by unauthorized web communication performed by malware such as information leakage.
In other words, the information leakage detection system 100 can detect an access destination URL that is not related to the user's intention, for example, without depending on the administrator's skill, from a large amount of information in the proxy log 201. .

Further, in the method shown in the third example of the processing of the black URL specifying unit 108 of the present embodiment, even when the local proxy application cannot be installed in the terminal device 500 depending on the environment (when the local proxy is not used), The black URL 208 can be specified.
Furthermore, in the method shown in the fourth example of the processing of the black URL specifying unit 108 of the present embodiment, the local proxy and the terminal operation recording application cannot be installed depending on the environment (the local proxy and the terminal operation recording application are not used). In this case, the black URL 208 can be specified.

Embodiment 2. FIG.
(Outline of Information Leakage Detection System 100 in Embodiment 2)
The information leakage detection system 100 according to the second embodiment extracts a URL that is not recorded in the local proxy log 204 and is not a white URL 302 among the URLs indicated in the proxy log entry 301 as a black URL 208.
That is, the information leakage detection system 100 according to the second embodiment extracts the URL of the access destination that is communicated with the Web without going through the local proxy.
Note that the information leakage detection system 100 according to the second embodiment does not use the terminal operation log 203. Therefore, the terminal operation log capturing unit 103 is not used.
The browser access URL specifying unit 107 inputs only the local proxy log entry 304, and outputs browser access URL information 307 by processing described later.

  The information leakage detection system 100 according to the second embodiment has the same configuration as the information leakage detection system 100 according to the first embodiment shown in FIG. 2 except that the terminal operation log capturing unit 103 is not used. Therefore, the description of the same components as in the first embodiment and the same processing contents as in the first embodiment will be omitted.

(Processing of the top page URL specifying unit 106)
FIG. 33 is a flowchart illustrating an example of processing of the top page URL specifying unit 106.
The process of the top page URL specifying unit 106 in the second embodiment will be described with reference to FIG.

First, the top page URL specifying unit 106 determines whether or not all the local proxy log entries 304 have been input as in the first embodiment (S301 in FIG. 33).
As in the first embodiment, the top page URL specifying unit 106 selects the local proxy log entries 304 that have not been input unless all the local proxy log entries 304 have been input (“NO” in S301 in FIG. 33). For example, the access date and time are input in chronological order (S302 in FIG. 33).
Here, for example, the top page URL specifying unit 106 determines that the local proxy log entry 304a “2011/06/23 10:00:00, 192.168.1.2, http: //◯◯◯.abc in FIG. “Sample.ΔΔΔ /, GET, 200, 1000, content entity” is input.

Then, the top page URL specifying unit 106 extracts the URL included in the input local proxy log entry 304 (S303 in FIG. 33).
As a specific example, the top page URL specifying unit 106 extracts the URL “http: //XXX.abc-sample.ΔΔΔ/” included in the local proxy log entry 304a of FIG. Then, the top page URL specifying unit 106 sets the extracted URL as the top page URL, and generates the top page URL information 306a shown in FIG. 13 from the input local proxy log entry 304a as in the first embodiment.

Each time the top page URL information 306 is generated, the browser access URL specifying unit 107 extracts the top page URL 606 from the local proxy log entry 304 input by the top page URL specifying unit 106 (S304 in FIG. 33). . Then, the browser access URL specifying unit 107 generates browser access URL information 307 from the top page URL information 306 and the top page URL 606.
The process of S304 in FIG. 33 is the same as the process of S104 in FIG. 12 of the first embodiment, and thus detailed description thereof is omitted.

  In the first embodiment, since the terminal operation log 203 is used, the URL accessed by the browser operation becomes the browser access URL information 307. On the other hand, the second embodiment is different from the first embodiment in that Web communication information of an application other than the browser that accesses the Web via a local proxy is also included in the browser access URL information 307.

In the second embodiment, the top page URL specifying unit 106 generates the top page URL information 306, and the browser access URL specifying unit 107 extracts the top page URL 606 to generate the browser access URL information 307. .
However, the browser access URL specifying unit 107 can input the local proxy log entry 304 and perform the same processing as that of the top page URL specifying unit 106 described above. That is, the browser access URL specifying unit 107 can input the local proxy log entry 304, generate the top page URL information 306, extract the top page URL 606, and generate the browser access URL information 307. In this case, the top page URL specifying unit 106 is not used.

(Effect of Embodiment 2)
The information leakage detection system 100 according to the second embodiment can identify the black URL 208 even when the terminal operation recording application cannot be installed depending on the environment (when the terminal operation recording application is not used).

Embodiment 3 FIG.
(Outline of Information Leakage Detection System 100 in Embodiment 3)
In the third embodiment, the terminal device 500 is provided with, for example, a web camera (the web camera is not shown). Then, the period specifying unit 200 (FIG. 2) determines whether or not the user is sitting on the terminal device 500 from the video of the Web camera, and inputs the period determined as not sitting as the period 206. Here, a technique for determining whether or not the user is sitting on the terminal device 500 from the video of the Web camera uses a known technique.
Note that the technology for determining whether or not the user is sitting on the terminal device 500 is not limited to the one using a Web camera. For example, a sensor that detects a change in temperature or a sensor that detects a change in sound is used. It may be what you do. It is also possible to determine whether the user is sitting on the terminal device 500 (the chair of the terminal device 500) by using a chair provided with a weight sensor.

  That is, the information leakage detection system 100 according to the third embodiment is configured such that the gray URL information 305 and the black URL 208 (black URL information) during a period in which the user is not sitting on the terminal device 500 (a period in which the user does not operate the terminal device 500 or the browser). 250). This period can be considered as a period during which the user is not operating the browser because the user is not sitting on the terminal device 500. The Web access that occurred during this period is considered to be access that occurred because some program automatically accessed the Web site.

  That is, the gray URL information 305 extracted by the information leakage detection system 100 of the third embodiment is narrower than the gray URL information 305 extracted in the first embodiment.

  Note that the information leakage detection system 100 of the third embodiment has the same configuration as the information leakage detection system 100 of the first embodiment shown in FIG. Therefore, the description of the same components as in the first embodiment and the same processing contents as in the first embodiment will be omitted.

(Processing of period specifying unit 200)
FIG. 34 is a flowchart illustrating an example of processing of the period specifying unit 200.
The period specifying unit 200 calculates a period when the user is not sitting at the terminal device 500 based on the flowchart of FIG.

First, the period specifying unit 200 inputs video from the video of the Web camera, and determines whether or not the user is sitting (S1601 in FIG. 34). That is, the Web camera and the period specifying unit 200 are detection devices that detect the presence of a user.
Here, the period specifying unit 200 processes video from the Web camera, determines whether the user is sitting, and determines whether the user is sitting from a video processing apparatus (not shown) that outputs the determination result. Information on whether or not may be input. And the period specific | specification part 200 can also determine whether the user is sitting based on the information of whether the user is sitting. In this case, the Web camera, the video processing device, and the period specifying unit 200 are detection devices that detect the presence of the user.

When it is determined that the user is not sitting (“NO” in S1601 in FIG. 34), the period specifying unit 200 sets the current date and time to “Start_time” (S1602 in FIG. 34).
Then, the period specifying unit 200 waits for a preset time (n minutes) (S1603 in FIG. 34), and performs the process of S1601 again.

On the other hand, when it is determined that the user is sitting (“YES” in S1601 in FIG. 34), the period specifying unit 200 determines whether “Start_time” has already been set (S1604 in FIG. 34).
If the period specifying unit 200 determines that “Start_time” has already been set (“YES” in S1604 in FIG. 34), the period specifying unit 200 sets the current date and time to “End_time” (S1605 in FIG. 34). On the other hand, when it is determined that “Start_time” is not set (“NO” in S1604 of FIG. 34), the period specifying unit 200 performs the process of S1603.

  Then, the period specifying unit 200 sets the period between the set “Start_time” and “End_time” as the period 206.

In the proxy log 201, for example, as shown in FIG. 17, each entry is associated with an access date and time (access time).
In other words, the proxy log capturing unit 101 (FIG. 2) inputs the proxy log 201 in which the access time and the access destination address that are accessed for each access performed by the proxy server apparatus 600 are associated with each other.

Then, the proxy log capturing unit 101 extracts the entry indicating the access time included in the period 206 as the proxy log entry 301 from the proxy log 201 as in the first embodiment. Here, the period 206 is a period in which it is detected that the user does not exist in front of the terminal device 500 as described above.
Further, the gray URL specifying unit 105 extracts the gray URL information 305 using the proxy log entry 301 extracted by the proxy log capturing unit 101.

  That is, the gray URL specifying unit 105 is configured such that the detection device (period specifying unit 200) that detects the presence of the user among the addresses indicated in the proxy log 201 input by the proxy log capturing unit 101 is the user of the terminal device 500. An address associated with the access time included in the period 206 detected as not existing before is extracted.

  The black URL specifying unit 108 can also extract the black URL 208 by using the gray URL information 305 extracted by the gray URL specifying unit 105 in the third embodiment as the black URL information 250 in the same manner as in the first embodiment. .

(Effect of Embodiment 3)
The information leakage detection system 100 according to Embodiment 3 can specify a period during which the user is not sitting on the terminal device 500 without using the terminal operation log 203 or the local proxy log 204. The information leakage detection system 100 according to the third embodiment extracts the gray URL that is extracted by setting the investigation target period to a period when the user is not sitting on the terminal device 500, that is, a period when the browser operation is not performed by the user. The information 305 can be narrowed down.
That is, the information leakage detection system 100 of Embodiment 3 can extract the URL of the access destination by malware with higher accuracy.

  It is possible to cause the period specifying unit 200 of the first and second embodiments to perform the process of the period specifying unit 200 in the third embodiment.

Embodiment 4 FIG.
(Outline of Information Leakage Detection System 100 in Embodiment 4)
The information leakage detection system 100 according to the fourth embodiment targets a period other than a period during which a history of user operations remains in the terminal operation log 203 as an investigation target.

  In addition, the information leakage detection system 100 of Embodiment 4 is the same structure as the information leakage detection system 100 of Embodiment 1 shown in FIG. Therefore, the description of the same components as in the first embodiment and the same processing contents as in the first embodiment will be omitted.

(Processing of terminal operation log capturing unit 103)
FIG. 35 is a flowchart illustrating an example of processing of the terminal operation log capturing unit 103.
First, the terminal operation log capturing unit 103 inputs the period 206 and the terminal operation log 203 as in the first embodiment (S3501 in FIG. 35).
Here, the period 206 is “2011/06/23 08:00:00 to 2011/01/06/23 18:00:00”. The period 206 is a predefined definition period. Then, “2011/06/23 08:00:00” is the start time of the definition period, and “2011/06/23 18:00:00” is the end time of the definition period.
The terminal operation log 203 is an example shown in FIG.

  Here, in the terminal operation log 203, as shown in FIG. 3, the operation date and time, the operation type, and the operation content are associated with each other. That is, the terminal operation log 203 shows the instruction operation that the user instructs the terminal device 500 and the operation time for each instruction operation in association with each other.

When the user performs an address instruction operation, that is, the user instructs the terminal device 500 to specify an access destination address, and the terminal device 500 performs Web access to the address specified by the user to the terminal device 500. When instructed to do so, this address instruction operation is written as “Web access” in the terminal operation log 203 (for example, FIG. 3). In this case, the operation date and time shown in FIG. 3 is the operation date and time of the address instruction operation.
In other words, the terminal operation log 203 indicates that when the user performs an address instruction operation on the terminal device 500 (when the user instructs an address of an access destination to the terminal device 500), the user performs an operation on the terminal device 500. The address notified by the terminal device 500 to the proxy server device 600 as the access destination based on the address instruction operation for instructing the address of the access destination is shown in association with the address instruction operation and the operation time of the address instruction operation.

Next, the terminal operation log capturing unit 103 resets the period (S3502 in FIG. 35).
Specifically, the terminal operation log capturing unit 103 includes the terminal operation log 203 within the period 206 “2011/06/23 08:00:00 to 2011/06/23 18:00:00” in which the operation date / time is input. The operation date and time of the first recorded entry and the last recorded entry are extracted.

In the case of the terminal operation log 203 illustrated in FIG. 3, the terminal operation log capturing unit 103 indicates “2011/06/23 09” illustrated in D2031 of FIG. 3 as the operation date and time (first operation time) of the first recorded entry. : 0:00 "is extracted. Then, the terminal operation log capturing unit 103 extracts “2011/06/23 16:00:00” indicated by D2037 in FIG. 3 as the operation date and time (last operation time) of the last recorded entry.
Then, the terminal operation log capturing unit 103 reads “2011/06/23 08:00:00 to 2011/06/06 23 08:59:59” and “2011/06/23 16:00:01 to 2011/06 / 23 18:00:00 ”is reset as the period 206. The reset period 206 corresponds to a non-operation period (described later).

Then, the terminal operation log capturing unit 103 outputs the reset period 206 (S3503 in FIG. 35).
That is, the terminal operation log capturing unit 103 corresponds to a period calculation unit that calculates the period 206.

  Here, the terminal operation log capturing unit 103 sets the first operation time and the definition period (period 206) after the start time of the period 206, which is a predefined definition period, among the operation times indicated in the terminal operation log 203. The last operation time before the end time is extracted. The terminal operation log capturing unit 103 then performs a non-operation including a period from the start time of the definition period (period 206) to the first operation time and a period from the last operation time to the end time of the definition period (period 206). The period is calculated and reset as the period 206.

Further, the terminal operation log capturing unit 103 may extract the date and time when the browser operation was recorded in the processing of S3502 in FIG.
Specifically, the terminal operation log capturing unit 103 is within the period 206 “2011/06/23 08:00:00 to 2011/06/06 23 18:00:00” in which the operation date and time is input, and the browser operation The operation date and time of the first recorded entry and the last recorded entry are extracted.

In the case of the terminal operation log 203 shown in FIG. 3, the operation type of the entry of the terminal operation log 203 indicating the operation of the browser is “Web access”, and the access destination address is associated as the operation content.
Therefore, the terminal operation log capturing unit 103 extracts “2011/06/23 10:00:00” shown in D2032 of FIG. 3 as the operation date and time (first address-corresponding operation time) of the first recorded entry. To do. Then, the terminal operation log capturing unit 103 extracts “2011/06/23 16:00:00” shown in D2037 of FIG. 3 as the operation date and time (last address-corresponding operation time) of the last recorded entry. To do.
Then, the terminal operation log capturing unit 103 reads “2011/06/23 08:00:00 to 2011/06/23 09:59:59” and “2011/06/23 16:00:01 to 2011/06 / 23 18:00:00 ”is reset as the period 206. The reset period 206 corresponds to a non-address correspondence period (described later).

  Here, the terminal operation log capturing unit 103 is the first operation time that is the operation time after the start time of the definition period (period 206) and the address is associated with among the operation times indicated in the terminal operation log 203. And the last address-corresponding operation time that is the operation time before the end time of the definition period (period 206) and the last operation time associated with the address is extracted. The terminal operation log capturing unit 103 then includes a period from the start time of the definition period (period 206) to the first address corresponding operation time and a period from the last address corresponding operation time to the end time of the definition period (period 206). The non-address correspondence period consisting of is calculated and reset as the period 206.

On the other hand, the proxy log capturing unit 101 and the local proxy log capturing unit 104 input a period 206 (either a non-operation period or a non-address correspondence period) reset by the terminal operation log capturing unit 103.
Based on the reset period 206, the proxy log capturing unit 101 extracts the proxy log entry 301 in the same manner as described in the first embodiment.
Then, the gray URL specifying unit 105 extracts the gray URL information 305 from the proxy log entry 301 based on the reset period 206.

  That is, when the non-operation period is calculated by the terminal operation log capturing unit 103, the gray URL specifying unit 105 is included in the non-operation period among the addresses indicated in the set of proxy log entries 301 (proxy log 201). An address associated with an access time is extracted. Then, when the non-address corresponding period is calculated by the terminal operation log capturing unit 103, the gray URL specifying unit 105 addresses that are associated with the access time indicated in the set of proxy log entries 301 (proxy log 201). Among these, an address associated with the access time included in the non-address correspondence period is extracted.

  Also, the terminal operation log capturing unit 103 extracts the Web access URL information 303 based on the reset period 206, and the local proxy log capturing unit 104 also stores the local proxy log entry 304 based on the reset period 206. Extract.

(Effect of Embodiment 4)
The information leakage detection system 100 according to the fourth embodiment extracts an access destination address for Web communication by malware for a period excluding a period during which the user performs a terminal operation. In addition, the information leakage detection system 100 according to the fourth embodiment extracts an access destination address of Web communication by malware for a period excluding a period during which the user performs a browser operation.
In other words, the information leakage detection system 100 according to the fourth embodiment narrows down the communication log generated during a period when the user is not operating the terminal device 500 or the browser, that is, the log having a high possibility of Web communication by malware. The Web communication access destination address is extracted.
That is, the information leak detection system 100 according to the fourth embodiment can extract the URL of the access destination by the malware with higher accuracy.

  It is possible to cause the terminal operation log capturing unit 103 according to the first to third embodiments to perform the processing of the terminal operation log capturing unit 103 according to the fourth embodiment.

Embodiment 5 FIG.
(Description of common parts of information leakage detection system 100 in Embodiments 5 to 8)
Before describing the information leakage detection system 100 according to the fifth embodiment, common parts of the information leakage detection system 100 according to the fifth to eighth embodiments will be described.
The information leakage detection system 100 in the fifth to eighth embodiments sets the black URL 208 extracted by the black URL specifying unit 108 in any of the first to fourth embodiments as a black URL candidate. Then, the black URL specifying unit 108 specifies a URL that matches a predetermined condition from among the black URL candidates as a condition matching address, and outputs the condition matching address as the black URL 208. That is, the black URL 208 corresponds to the condition matching address.

  That is, the black URL specifying unit 108 corresponds to a condition matching address specifying unit that specifies, as a condition matching address, a predetermined address that matches at least a predetermined condition among black URL candidates.

  Then, the black URL specifying unit 108 inputs the black determination condition 207. That is, the black URL specifying unit 108 corresponds to an information input unit that inputs the black determination condition 207.

Here, the black determination condition 207 is a predetermined condition for specifying the black URL 208 from the black URL candidates.
There are several types of black determination conditions 207, which are set in advance by the user, for example, and stored in the storage device of the information leakage detection system 100, for example. For example, the user selects and inputs at least one black determination condition 207 from among the several types of stored black determination conditions 207 using an input device such as a keyboard of the information leakage detection system 100. Here, the user can also input a combination of a plurality of black determination conditions 207 from among several types of stored black determination conditions 207.

Then, the black URL specifying unit 108 executes a process set in advance corresponding to the input black determination condition 207.
When the black URL specifying unit 108 inputs a plurality of (for example, two) black determination conditions 207, the black URL specifying unit 108 first selects a black URL candidate corresponding to the first black determination condition 207. A condition matching address (black URL 208) is specified. Further, the black URL specifying unit 108 corresponds to the condition matching address (black) corresponding to the second black determination condition 207 from the condition matching addresses (black URL 208) specified by the first black determination condition 207. URL 208) can be specified.

In addition, the information leak detection system 100 of Embodiment 5-8 is the same structure as the information leak detection system 100 of Embodiment 1 shown in FIG. Therefore, the description of the same components as in the first embodiment and the same processing contents as in the first embodiment will be omitted.
Hereinafter, each of the embodiments 5 to 8 will be described.

(Processing of the black URL specifying unit 108 in the fifth embodiment)
FIG. 36 is a flowchart illustrating an example of processing of the black URL specifying unit 108.
As described above, the black URL specifying unit 108 sets the black URL 208 extracted by the process according to any one of the first to fourth embodiments as a black URL candidate. Further, the black URL specifying unit 108 inputs the black determination condition 207 (S1101 in FIG. 36).

Here, the black URL specifying unit 108 sets a black determination condition 207 “whether or not the country to which the web page that is the access destination of the terminal device 500 belongs is included in the black list of countries with a lot of unauthorized access”. input.
Further, the black URL specifying unit 108 also inputs information on “black list of countries with many unauthorized accesses”.

Since countries with many unauthorized accesses are determined as trends, it is possible to define countries A, B, and C as countries with many unauthorized accesses in the “black list of countries with many unauthorized accesses”.
The “black list of countries with many unauthorized accesses” corresponds to specific country information indicating a country specified in advance.

  For example, when a URL “http: //◯◯.789-sample.ΔΔΔ/” is entered on the Internet, the country where the web page of the URL is hosted (providing the web page of the address) There is an Internet service that outputs information of the country to which the origin belongs. This service is referred to as an external service 209 (FIG. 2). Information indicating the country to which the provider of the web page at this address belongs is referred to as “providing country information”.

Then, the black URL specifying unit 108 inputs a black URL candidate to the external service 209 via the Internet. Then, the black URL specifying unit 108 inputs the providing country information from the external service 209 and specifies the host country of the black URL candidate (S1102 in FIG. 36).
That is, the black URL specifying unit 108 inputs the provided country information for each extracted black URL candidate (for each address).

Then, the black URL specifying unit 108 determines whether or not the host country of the specified black URL candidate is included in the “black list of countries with many unauthorized accesses” (S1103 in FIG. 36).
Here, for example, if the host country of the specified black URL candidate is country A, it is included in the black list (“YES” in S1103 of FIG. 36), the black URL specifying unit 108 sets the black URL candidate to black. The URL 208 is output (S1104 in FIG. 36). On the other hand, if the host country of the specified black URL candidate is country X, it is not included in the black list (“NO” in S1103 in FIG. 36), the black URL specifying unit 108 outputs the black URL candidate as the black URL 208. do not do.

  That is, the black URL specifying unit 108 provides a web provided by a country that matches one of the countries indicated in the “black list of countries with many unauthorized accesses” among the countries indicated in the input providing country information. The page address is specified as a black URL 208.

(Effect of Embodiment 5)
The C & C server that the malware communicates with may exist in a specific country where there are many unauthorized accesses. Then, the information leakage detection system 100 according to the fifth embodiment uses the black URL 208 as a black determination condition 207 based on whether or not the URL is a URL of a web page with a specific country with many unauthorized accesses as a host country. Narrow down. Therefore, the information leakage detection system 100 according to the fifth embodiment can extract the URL of the access destination by the malware with higher accuracy.

Embodiment 6 FIG.
(Outline of Information Leakage Detection System 100 in Embodiment 6)
The information leakage detection system 100 according to the sixth embodiment uses the number of accesses to a black URL candidate web page as the black determination condition 207. Specifically, the black determination condition 207 is “whether the number of accesses suddenly increases for a certain period and then decreases again in a black URL candidate whose number of accesses has been small until now”.

(Processing of the black URL specifying unit 108)
FIG. 37 is a flowchart illustrating an example of processing of the black URL specifying unit 108.
FIG. 38 is a diagram illustrating an example of the number of accesses to a web page of a black URL candidate.

Although not shown in FIG. 2, the black URL specifying unit 108 can input the proxy log 201. Here, the black URL specifying unit 108 may input the proxy log 201 input by the proxy log capturing unit 101 from the proxy log capturing unit 101.
In addition, as illustrated in FIG. 17, the proxy log 201 indicates an access destination address and a communication size (data communication amount at the time of access) in association with each access performed by the proxy server device 600.

  First, as described above, the black URL specifying unit 108 sets the black URL 208 extracted by any one of the first to fourth embodiments as a black URL candidate. Then, the black URL specifying unit 108 inputs the black determination condition 207. Further, the variable n is initialized with “0” (S1201 in FIG. 37).

  Here, as described above, the black determination condition 207 is “whether or not the number of accesses suddenly increases for a certain period and then decreases again in a black URL candidate whose number of accesses has been small until now”.

Then, the black URL specifying unit 108 counts the number of daily accesses to each black URL candidate from the input proxy log 201 during a predetermined counting period (S1202 in FIG. 37). This counting period may be stored in advance in the storage device of the information leakage detection system 100, or may be input by the user using the input device of the information leakage detection system 100.
Here, the number of accesses counted by the black URL specifying unit 108 is not limited to every day, but may be every three days or every week as long as it is a unit time. Here, the description will be made assuming that the black URL specifying unit 108 counts the number of accesses every day.
That is, the black URL specifying unit 108 corresponds to a traffic calculation unit that calculates the number of accesses per unit time for each address.

  In addition, although illustration is abbreviate | omitted in FIG. 37, the process of S1202-S1207 is performed with respect to each black URL candidate.

Then, the black URL specifying unit 108 determines whether or not the total number of accesses has been small in the past and has increased thereafter (S1203 in FIG. 37).
Here, when the number of accesses is smaller than the threshold value stored in advance in the storage device of the information leakage detection system 100 (referred to as the “first threshold value for the number of accesses”), the black URL specifying unit 108 Is less. " Then, the black URL specifying unit 108 determines that “the number of accesses has increased” when the number of accesses is equal to or greater than “the first threshold value of the number of accesses”.

  If “the number of accesses has not increased” (“NO” in S1203 in FIG. 37), the black URL specifying unit 108 ends the process for the URL to be determined, and the same for the undecided black URL candidates. Process.

  If the black URL specifying unit 108 determines that “the number of accesses has increased” (“YES” in S1203 in FIG. 37), the date on which the number of accesses is tabulated is set as the reference date.

Here, it is assumed that the reference date is current.
In this case, the black URL specifying unit 108 increments the variable n (n = n + 1) (S1204 in FIG. 37).

Then, the black URL specifying unit 108 newly inputs the proxy log 201 after n days, and totals the number of accesses after n days.
Then, the black URL specifying unit 108 determines whether the number of accesses after n days is equal to or increased with the number of accesses on the reference day (S1205 in FIG. 37). Here, if the number of accesses is equal to or greater than the “first threshold value for the number of accesses”, the black URL specifying unit 108 determines that “the number of accesses is equal to or increased with respect to the reference day”.

  When the access count is equal to or increased with the number of accesses on the reference day (“YES” in S1205 in FIG. 37), the black URL specifying unit 108 further increments the variable n (S1204 in FIG. 37). That is, the black URL specifying unit 108 further counts the number of accesses one day later.

On the other hand, when the number of accesses is smaller than the “first threshold of the number of accesses” (“NO” in S1205 in FIG. 37), the black URL specifying unit 108 determines whether the number of accesses is equal to the number of accesses before the reference date. (1206 in FIG. 37).
Here, the black URL specifying unit 108 stores, for example, an average x of access counts per day before the reference date and a standard deviation σ. If the access count is within “x ± 3σ”, for example, the reference date It is determined that the previous number of accesses is equivalent.

  If the number of accesses is equal to the number of accesses before the reference date (“YES” in S1206 in FIG. 37), although not shown, the number of accesses is “the first number of accesses” in a predetermined number of days set in advance. It is determined whether or not it is equal to or greater than the “threshold value”. Then, the black URL candidate whose number of accesses is equal to or greater than the “first threshold value of the number of accesses” in a predetermined number of days is output as the black URL 208.

  If the number of accesses is not equal to the number of accesses before the reference date (“NO” in S1206 in FIG. 37), the black URL specifying unit 108 further increments the variable n (S1204 in FIG. 37).

A specific example will be described with reference to FIG.
For example, it is assumed that the black URL specifying unit 108 tabulates the number of accesses to a certain black URL candidate from the current day to the 30th day.
As a result, the number of accesses is “0” until the 29th day, but the number of accesses increases to “12” on the 30th day (current). Here, for example, it is assumed that the “first threshold for the number of accesses” is “10”.
In the next few days, as a result of counting the number of accesses, the black URL specifying unit 108 returns to “0” on the 33rd day (three days after the present).
As shown in the example of FIG. 38, the black URL specifying unit 108 has the number of accesses to the black URL candidate to be determined increased in the past and increased for a predetermined number of days, and then decreased by the processing in FIG. It is determined whether or not to do.

Here, the predetermined number of days is stored in the storage device of the information leakage detection system 100, for example. Here, the predetermined number of days is “5 days”.
Certain malware is known to continuously communicate with C & C servers on the Internet in a short period of time. Therefore, for example, an access in which the number of accesses increases intensively within 5 days is considered to be an access by malware.

In the specific example, the case where the reference date is current has been described, but the reference date may be in the past.
That is, the black URL specifying unit 108 only needs to determine whether the number of accesses to the black URL candidate is small in the past, increases in a predetermined number of days from the reference date, and decreases thereafter.

  That is, the black URL specifying unit 108 specifies, as the black URL 208, a URL whose number of accesses per day (per unit time) is equal to or more than the first threshold value for the number of accesses only during a predetermined period defined in advance.

  The black URL specifying unit 108 may use a known method using an ARMA (AutoRegressive Moving Average) or the like in order to automatically determine a time-series change in the number of accesses. Then, the black URL specifying unit 108 may specify the black URL candidate in which the change in the number of accesses is found by ARMA as the black URL 208.

  Further, the black URL specifying unit 108 may specify the black URL 208 based on the traffic for the black URL candidate.

In this case, the black determination condition 207 is “whether or not the traffic amount suddenly increases for a certain period and then decreases again in the black URL candidate whose traffic amount has been small until now”.
As described above, since the communication size (communication amount) is indicated in the proxy log 201 (FIG. 17), the black URL specifying unit 108 adds up the daily communication amount for each black URL candidate, for example. Is possible.
That is, the black URL specifying unit 108 calculates the data communication amount per unit time for each black URL candidate from the proxy log 201.

Then, although a detailed description is omitted, the black URL specifying unit 108 specifies the black URL 208 using the traffic instead of the number of accesses in the processing of FIG.
That is, the black URL specifying unit 108 specifies, as the black URL 208, a URL whose data communication volume for each day (unit time) is equal to or more than the first threshold of the data communication volume only in a predetermined period defined in advance.

(Effect of Embodiment 6)
As described above, it is known that the number of accesses or the amount of data communication between the malware and the C & C server increases in a short time. The information leakage detection system 100 according to the sixth embodiment can extract the URL of the access destination by the malware with higher accuracy by specifying the URL of the access destination where the number of accesses or the amount of data communication increases in a short time. is there.

Embodiment 7 FIG.
(Outline of Information Leakage Detection System 100 in Embodiment 7)
The information leakage detection system 100 according to the seventh embodiment uses the number of accesses to a black URL candidate web page as the black determination condition 207. Specifically, “whether or not access is periodically generated in communication with a black URL candidate” is set as the black determination condition 207.

(Processing of the black URL specifying unit 108)
FIG. 39 is a flowchart illustrating an example of processing of the black URL specifying unit 108.
FIG. 40 is a diagram illustrating an example of the number of accesses to a web page of a black URL candidate.

  Although not shown in FIG. 2, the black URL specifying unit 108 can input the proxy log 201. Here, the black URL specifying unit 108 may input the proxy log 201 input by the proxy log capturing unit 101 from the proxy log capturing unit 101.

  First, as described above, the black URL specifying unit 108 sets the black URL 208 extracted by any one of the first to fourth embodiments as a black URL candidate. Then, the black URL specifying unit 108 inputs the black determination condition 207. (S1301 in FIG. 39).

  Here, the black determination condition 207 is “whether or not access is periodically generated in communication with the black URL candidate” as described above.

Then, the black URL specifying unit 108 counts the number of accesses per unit time for each black URL candidate from the input proxy log 201 in a predetermined counting period (S1302 in FIG. 39).
Here, it is assumed that the number of accesses per unit time is Mi (i = 1 to k). For example, if the black URL specifying unit 108 counts the number of accesses per minute, M1 is the total number of accesses for the first one minute (first minute) of the counting period k minutes, and M2 is the next number This means the total number of accesses for one minute (second minute).

  Note that although not shown in FIG. 39, the processing of S1302 to S1304 is performed for each black URL candidate.

Next, the black URL specifying unit 108 determines whether or not the total number of accesses Mi (i = 1 to k) is periodic when arranged in time series (S1303 in FIG. 39).
Here, the black URL specifying unit 108 determines that the number of accesses per unit time is equal to or greater than a threshold (referred to as a “second threshold for the number of accesses”) periodically stored in advance in the storage device of the information leakage detection system 100. It is determined whether or not. That is, the black URL specifying unit 108 determines whether or not access is periodically generated.
Alternatively, the black URL specifying unit 108 may determine whether or not the number of accesses per unit time is periodically the same value. Further, the black URL specifying unit 108 may determine whether or not the number of accesses per unit time is periodically equal to or greater than the “second threshold value for the number of accesses”.
When access occurs periodically (“YES” in S1303 in FIG. 39), the black URL candidate to be determined is specified as the black URL 208 and output (S1304 in FIG. 39).

  That is, the black URL specifying unit 108 specifies, as the black URL 208, a black URL candidate whose number of accesses per unit time is equal to or greater than a second threshold value of the number of accesses defined in advance for every predetermined period.

A specific example will be described with reference to FIG.
For example, in FIG. 40, the black URL specifying unit 108 totals the number of accesses per minute for a certain black URL candidate.
The total period is, for example, one day (24 hours × 60 minutes = 1440 minutes).
The black URL specifying unit 108 determines that one access occurs once every two minutes in the counting result shown in FIG. Here, the “second threshold for the number of accesses” is “1 access”.

  Certain malware is known to communicate periodically to confirm connectivity with a C & C server on the Internet. Therefore, for example, an access in which the number of accesses is once or more periodically is considered as an access by malware.

  The black URL specifying unit 108 may use a known algorithm that automatically determines a time-series periodic change in the number of accesses. Then, the black URL specifying unit 108 may specify the black URL candidate in which the change in the periodic access number is found by a known algorithm as the black URL 208.

  Further, the black URL specifying unit 108 may specify the black URL 208 based on the traffic for the black URL candidate.

  In this case, the black URL specifying unit 108 calculates the data communication amount per unit time for each black URL candidate from the proxy log 201.

Although not described in detail, the black URL specifying unit 108 specifies the black URL 208 using the traffic instead of the number of accesses in the processing of FIG.
In other words, the black URL specifying unit 108 specifies, as the black URL 208, a black URL candidate whose data communication amount per unit time is equal to or greater than a second threshold value of data communication amount that is defined in advance for each fixed period.

(Effect of Embodiment 7)
As described above, it is known that the malware and the C & C server are accessed periodically. The information leakage detection system 100 according to the seventh embodiment can extract the URL of the access destination by the malware with higher accuracy by specifying the URL of the access destination that is periodically accessed.

Embodiment 8 FIG.
(Outline of Information Leakage Detection System 100 in Embodiment 8)
The information leakage detection system 100 according to the eighth embodiment uses a request size and a response size in web communication between the terminal device 500 (proxy server device 600) and a black URL candidate web page as the black determination condition 207. Specifically, “whether or not the communication request size and response size are less than the threshold in the black URL candidate” is set as the black determination condition 207.

(Processing of the black URL specifying unit 108)
FIG. 41 is a flowchart illustrating an example of processing of the black URL specifying unit 108.

  Although not shown in FIG. 2, the black URL specifying unit 108 can input the proxy log 201 (FIG. 17). Here, the black URL specifying unit 108 may input the proxy log 201 input by the proxy log capturing unit 101 from the proxy log capturing unit 101.

  First, as described above, the black URL specifying unit 108 sets the black URL 208 extracted by any one of the first to fourth embodiments as a black URL candidate. Then, the black URL specifying unit 108 inputs the black determination condition 207. (S1401 in FIG. 41).

Here, as described above, the black determination condition 207 is “whether or not the communication request size and the response size are less than the threshold in the black URL candidate”.
Further, the black URL specifying unit 108 inputs, for example, a request size threshold “αKB” and a response size threshold “βKB” stored in the storage device of the information leakage detection system 100. Alternatively, for example, the user may input the request size threshold and the response size threshold using the input device of the information leakage detection system 100.

Here, when a user browses a Web site using a browser, the response to the request is a content including some character string, and thus the response size becomes a certain level or more and does not become less than “βKB”. Also, in the case of a request for browsing a Web site performed by a user using a browser, information is added to the header, and the request size does not become less than “αKB”.
Then, in advance, the user acquires statistical data of the request size and response size in accessing the Web site, and sets the values of α and β.

Then, the black URL specifying unit 108 extracts the request size and response size of each black URL candidate from the input proxy log 201 (S1402 in FIG. 41).
Here, although illustration in FIG. 17 is omitted, the proxy log 201 indicates a request size and a response size for each access.
That is, the proxy log 201 includes an access destination address, a request size that is the size of data transmitted from the proxy server device 600 to the access destination, and the proxy server device 600 access destination for each access performed by the proxy server device 600. The response size that is the size of the data received from is shown in association with it.
When there are a plurality of accesses to one black URL candidate, the black URL specifying unit 108 extracts the minimum value of the request size and the response size.

  In addition, although illustration is abbreviate | omitted in FIG. 41, the process of S1402-S1405 is performed with respect to each black URL candidate.

Next, the black URL specifying unit 108 determines whether or not the extracted request size is smaller than the threshold “αKB” (S1403 in FIG. 41).
When the request size is smaller than the threshold “αKB” (“YES” in S1403 in FIG. 41), the black URL specifying unit 108 determines whether the extracted response size is smaller than the threshold “βKB” (S1404 in FIG. 41). .
Then, when the response size is less than the threshold “βKB” (“YES” in S1404 in FIG. 41), the black URL specifying unit 108 specifies the black URL candidate to be determined as the black URL 208 and outputs it (S1405 in FIG. 41). ).
That is, the black URL specifying unit 108 specifies, as the black URL 208, a black URL candidate whose request size is less than the threshold “αKB” and whose response size is less than the threshold “βKB”.

  That is, the black URL specifying unit 108 extracts (specifies) the response size and request size associated with the black URL candidate from the proxy log 201 in units of access. Then, a black URL candidate whose extracted response size is smaller than the predefined response size threshold and whose request size is smaller than the predefined request size threshold is identified as the black URL 208.

  Here, since only the response of the Web communication by malware may be small, the black URL specifying unit 108 may perform only the determination of S1404 without performing the determination of S1403 of FIG. That is, the black URL specifying unit 108 specifies a black URL candidate whose response size is less than the threshold value “βKB” as the black URL 208.

  That is, the black URL specifying unit 108 extracts (specifies) the response size associated with the black URL candidate from the proxy log 201 in units of access. Then, a black URL candidate whose extracted response size is smaller than a predefined response size threshold is specified as the black URL 208.

(Effect of Embodiment 8)
Certain malware is known to communicate periodically to confirm connectivity with a C & C server on the Internet. As described above, the size of the communication data (request size and response size) in that case is small as compared with the case of browsing the Web site performed by the user using the browser. Therefore, the information leakage detection system 100 according to the eighth embodiment extracts the URL of the access destination by the malware with higher accuracy by specifying the URL of the access destination where the request size and the response size are smaller than the threshold. It is possible.

Embodiment 9 FIG.
(Outline of Information Leakage Detection System 100 in Embodiment 9)
In the first embodiment, the third embodiment, and the fourth embodiment, it has been described that the URL notified by the terminal device 500 to the proxy server device 600 is recorded in the terminal operation log 203 (FIG. 3).
However, depending on the terminal operation recording application, the title of the top page of the Web site accessed by the terminal device 500 (proxy server device 600) may be recorded as the window title in the terminal operation log 203 instead of the URL.
The information leakage detection system 100 according to the ninth embodiment searches the content recorded in the local proxy log 204 (FIG. 6) for a title that matches the title of the top page of the website recorded in the terminal operation log 203. Then, the information leakage detection system 100 according to the ninth embodiment specifies the URL associated with the matching title as the URL of the top page of the website in the content recorded in the local proxy log 204 (FIG. 6).

(Processing of terminal operation log capturing unit 103)
FIG. 42 is a diagram illustrating an example of the Web access URL information 303.
As an example of the terminal operation log 203, the terminal operation log capturing unit 103 inputs, for example, the terminal operation log 203 in which the operation content of the entry shown in the row D2032 in FIG. 3 is not a URL but a website title. . That is, the terminal operation log capturing unit 103 inputs “2011/06/23 10:00:00, 192.168.1.2, UserID 1234, Web access, sample site”. Here, “sample site” is the title name of the Web site (content).

  That is, the terminal operation log capturing unit 103 displays the title of the web page of the access destination accessed by the proxy server device 600 based on the address notified to the proxy server device 600 by the user device. The log 203 is input.

  Then, the terminal operation log capturing unit 103 extracts the Web access URL information 303 from the terminal operation log 203 and outputs the same as in the first embodiment. An example of the Web access URL information 303 is shown in FIG. As in the terminal operation log 203, the Web access URL information 303 shown in FIG. 42 indicates the title name of the Web site (content) instead of the URL.

(Processing of local proxy log capturing unit 104)
FIG. 43 is a diagram illustrating an example of the content entity 350.
As in the first embodiment, the local proxy log capturing unit 104 inputs the local proxy log 204 (FIG. 6), extracts the local proxy log entry 304 (FIG. 9) from the input local proxy log 204, and outputs it. .
Here, the content entity 350 included in the local proxy log entry 304 (FIG. 9) is, for example, as shown in FIG. That is, the title name of the website (content) is shown in the content entity 350.
For example, the local proxy log entry 304a in FIG. 9 includes a content entity 350 indicating the title name of the website (content) and a URL “http: //XXX.abc-sample.ΔΔΔ/ Are associated with each other.

Here, the local proxy log entry 304 in which the title of the Web site (access destination web page accessed by the proxy server apparatus 600) and the URL (access destination address) are shown in association with each other is referred to as local proxy information. .
The local proxy log 204 (FIG. 6) includes at least one local proxy information.
As described above, the proxy server device 600 accesses based on the address notified to the proxy server device 600 by the terminal device 500 using the local proxy 550.

(Processing of the top page URL specifying unit 106)
FIG. 44 is a diagram illustrating an example of processing of the top page URL specifying unit 106.

  The top page URL specifying unit 106 inputs the Web access URL information 303 (FIG. 42) and the local proxy log entry 304 (FIG. 9) as in the first embodiment. Here, the content entity 350 included in the local proxy log entry 304 (FIG. 9) is the example of FIG. 43 described above.

Then, although illustration in FIG. 44 is omitted, the top page URL specifying unit 106 performs the process of FIG. 44 on all entries included in the Web access URL information 303 (FIG. 42).
Here, description will be made by taking the entry of the Web access URL information 303 shown in D6031 of FIG. 42 as an example.

  That is, the top page URL specifying unit 106 inputs an entry of the Web access URL information 303 shown in D6031 of FIG. 42, and extracts the title “sample site abc-sample” of the Web site. Further, the top page URL specifying unit 106 extracts “2011/06/23 10:00:00” which is the operation date and time.

Then, the top page URL specifying unit 106 determines whether or not all the local proxy log entries 304 have been input (S1501 in FIG. 44).
If all the local proxy log entries 304 have not been input (“NO” in S1501 in FIG. 44), the top page URL specifying unit 106 inputs the local proxy log entries 304 that have not been input, for example, in chronological order of access date / time. (S1502 in FIG. 44).
Here, for example, the top page URL specifying unit 106 determines that the local proxy log entry 304a “2011/06/23 10:00:00, 192.168.1.2, http: //◯◯◯.abc in FIG. “Sample.ΔΔΔ /, GET, 200, 1000, content entity” is input.

Then, the top page URL specifying unit 106 determines whether the title extracted from the Web access URL information 303 is included in the content entity 350.
Specifically, in the content entity 350 shown in FIG. 43, a character string enclosed by the <title> tag and the </ title> tag is extracted, and the “sample site abc-sample” extracted from the Web access URL information 303 is extracted. "

  Further, the top page URL specifying unit 106 determines whether or not the operation date and time “2011/06/23 10:00:00” extracted from the Web access URL information 303 matches the access date and time of the local proxy log entry 304a in FIG. Is determined (S1503 in FIG. 44).

Then, the title extracted from the Web access URL information 303 is included in the content entity 350, and the operation date and time extracted from the Web access URL information 303 matches the access date and time of the local proxy log entry 304a (S1503 in FIG. 44). “YES”), the top page URL specifying unit 106 extracts the URL “http: //XXX.abc-sample.ΔΔΔ/” indicated in the local proxy log entry 304a. The URL extracted by the top page URL specifying unit 106 is referred to as a top page URL.
Then, the top page URL specifying unit 106 outputs the top page URL, the access date and time, the terminal identifier, the method, the status, and the communication amount indicated in the local proxy log entry 304 as the top page URL information 306.

  On the other hand, the title extracted from the Web access URL information 303 is not included in the content entity 350, or the operation date and time extracted from the Web access URL information 303 does not match the access date and time of the local proxy log entry 304a (FIG. 44). The top page URL specifying unit 106 performs the process of S1501 again.

  That is, the top page URL specifying unit 106 has local proxy information (in which the title matching the title shown in the terminal operation log 203 is shown among the titles shown in the content entity 350 of the local proxy information (local proxy log entry 304) ( Extract local proxy log entry 304). That is, the top page URL specifying unit 106 corresponds to a local proxy information extracting unit.

  The processing in S1504 in FIG. 44 is the same as that in the first embodiment, and a description thereof will be omitted.

Similarly to the first embodiment, the black URL specifying unit 108 is not shown in any of the URL white list 202 and the browser access URL information 307 in the URL shown in the proxy log 201 (FIG. 17). Extract the URL. Here, the browser access URL information 307 is generated from the local proxy log entry 304 (local proxy information) extracted by the top page URL specifying unit 106.
Therefore, in other words, the black URL specifying unit 108 includes the URL white list 202 and the local proxy log entry 304 (local proxy) extracted in the top page URL specifying unit 106 in the URL shown in the proxy log 201 (FIG. 17). Addresses not shown in any of (information) are extracted.

  Note that the information leakage detection system 100 according to the fifth to eighth embodiments may perform processing by using the black URL 208 extracted by the black URL specifying unit 108 according to the ninth embodiment as a black URL candidate.

(Effect of Embodiment 9)
As described above, depending on the terminal operation recording application, the URL is not recorded in the terminal operation log 203, and the title of the top page of the accessed website may be recorded as the window title. Even in such a case, the information leakage detection system 100 according to the ninth embodiment can identify the URL of the Web site accessed by the terminal device 500 from the title obtained from the terminal operation log 203.

(Hardware configuration of information leakage detection system 100 of Embodiments 1 to 9)
Finally, a hardware configuration example of the information leakage detection system 100 shown in the first to ninth embodiments will be described.
FIG. 45 is a diagram illustrating an example of hardware resources of the information leakage detection system 100 illustrated in the present embodiment.
The configuration in FIG. 45 is merely an example of the hardware configuration of the information leakage detection system 100, and the hardware configuration of the information leakage detection system 100 is not limited to the configuration illustrated in FIG. There may be.

45, the information leakage detection system 100 includes a CPU 911 (also referred to as a central processing unit, a central processing unit, a processing unit, an arithmetic unit, a microprocessor, a microcomputer, and a processor) that executes a program.
The CPU 911 is connected to, for example, a ROM (Read Only Memory) 913, a RAM (Random Access Memory) 914, a communication board 915, a display device 901, a keyboard 902, a mouse 903, and a magnetic disk device 920 via a bus 912. Control hardware devices.
Further, the CPU 911 may be connected to an FDD 904 (Flexible Disk Drive) or a compact disk device 905 (CDD). Further, instead of the magnetic disk device 920, a storage device such as an SSD (Solid State Drive), an optical disk device, or a memory card (registered trademark) read / write device may be used.
The RAM 914 is an example of a volatile memory. The storage media of the ROM 913, the FDD 904, the CDD 905, and the magnetic disk device 920 are an example of a nonvolatile memory. These are examples of the storage device.
The storage device and log storage unit 109 of the information leakage detection system 100 described in this embodiment are realized by a magnetic disk device 920 or the like.
The communication board 915, the keyboard 902, the mouse 903, the FDD 904, and the like are examples of input devices.
The input device of the information leakage detection system 100 described in the present embodiment is realized by a keyboard 902 or a mouse 903, for example.
The communication board 915, the display device 901, and the like are examples of output devices.

The communication board 915 is connected to the network.
For example, the network may be a wide area network (WAN), a storage area network (SAN), or the like in addition to the LAN and the Internet.

The magnetic disk device 920 stores an operating system 921 (OS), a window system 922, a program group 923, and a file group 924.
The programs in the program group 923 are executed by the CPU 911 using the operating system 921 and the window system 922.

The RAM 914 temporarily stores at least part of the operating system 921 program and application programs to be executed by the CPU 911.
The RAM 914 stores various data necessary for processing by the CPU 911.

The ROM 913 stores a BIOS (Basic Input Output System) program, and the magnetic disk device 920 stores a boot program.
When the information leakage detection system 100 is activated, the BIOS program in the ROM 913 and the boot program for the magnetic disk device 920 are executed, and the operating system 921 is activated by the BIOS program and the boot program.

  The program group 923 stores a program that executes a function described as “˜unit” (except for “˜accumulation unit”) in the description of the present embodiment. The program is read and executed by the CPU 911.

In the description of this embodiment, the file group 924 includes “determination of”, “calculation of”, “comparison of”, “collation of”, “reference of”, “search of”, “Extract”, “examine”, “generate”, “set”, “register”, “select”, “input”, “receive”, “to” Information, data, signal values, variable values, and parameters indicating the results of the processing described as “determination of”, “definition of”, “calculation of”, “update of”, etc. It is stored as each item of “Database”.
The “file” and “database” are stored in a recording medium such as a disk or a memory.
Information, data, signal values, variable values, and parameters stored in a storage medium such as a disk or memory are read out to the main memory or cache memory by the CPU 911 via a read / write circuit.
The read information, data, signal values, variable values, and parameters are extracted, searched, referenced, compared, computed, calculated, processed, edited, output, printed, displayed, controlled, determined, identified, detected, identified. Used for CPU operations such as selection, calculation, derivation, update, generation, acquisition, notification, instruction, judgment, distinction, and deletion.
Extraction / Search / Reference / Comparison / Calculation / Processing / Edit / Output / Print / Display / Control / Judgment / Identification / Detection / Distinction / Selection / Calculation / Derivation / Update / Generation / Acquisition / Notification / Instruction / Judgment / During the operation of the CPU such as discrimination / deletion, information, data, signal values, variable values, and parameters are temporarily stored in a main memory, a register, a cache memory, a buffer memory, and the like.
In addition, the arrows in the flowchart described in this embodiment mainly indicate input / output of data and signals.
Data and signal values are recorded on a recording medium such as a memory of the RAM 914, a flexible disk of the FDD 904, a compact disk of the CDD 905, a magnetic disk of the magnetic disk device 920, other optical disks, a mini disk, and a DVD.
Data and signals are transmitted online via a bus 912, signal lines, cables, or other transmission media.

In addition, what is described as “˜unit” in the description of the present embodiment may be “˜circuit”, “˜device”, “˜device”, and “˜step”, “˜”. “Procedure” and “˜Process” may be used.
That is, the information processing method according to the present invention can be realized by the steps, procedures, and processes shown in the flowchart described in this embodiment.
Further, what is described as “˜unit” may be realized by firmware stored in the ROM 913.
Alternatively, it may be implemented only by software, or only by hardware such as elements, devices, substrates, and wirings, by a combination of software and hardware, or by a combination of firmware.
Firmware and software are stored as programs in a recording medium such as a magnetic disk, a flexible disk, an optical disk, a compact disk, a mini disk, and a DVD.
The program is read by the CPU 911 and executed by the CPU 911.
In other words, the program causes the computer to function as “to part” of the present embodiment. Alternatively, the procedure or method of “˜unit” in the present embodiment is executed by a computer.

As described above, the information leakage detection system 100 according to this embodiment includes a CPU as a processing device, a memory as a storage device, a magnetic disk, a keyboard as an input device, a mouse, a communication board, and a display device as an output device and a communication board. Etc. are computers provided with the above.
Then, as described above, the functions indicated as “˜units” are realized using these processing devices, storage devices, input devices, and output devices.

  DESCRIPTION OF SYMBOLS 100 Information leak detection system, 101 Proxy log acquisition part, 102 URL white list acquisition part, 103 Terminal operation log acquisition part, 104 Local proxy log acquisition part, 105 Gray URL specification part, 106 Top page URL specification part, 107 Browser access URL Identification unit, 108 Black URL identification unit, 109 Log storage unit, 150 Network, 200 Period identification unit, 201 Proxy log, 202 URL whitelist, 203 Terminal operation log, 204 Local proxy log, 205 Terminal identifier, 206 period, 207 Black Determination condition, 208 black URL, 209 external service, 250 black URL information, 301 proxy log entry, 302 white URL, 303 Web access U L information, 304 local proxy log entry, 305 gray URL information, 306 top page URL information, 307 browser access URL information, 350 content entity, 500 terminal device, 550 local proxy, 600 proxy server device, 606 top page URL, 901 Display device, 902 keyboard, 903 mouse, 904 FDD, 905 compact disk device, 911 CPU, 912 bus, 913 ROM, 914 RAM, 915 communication board, 920 magnetic disk device, 921 operating system, 922 window system, 923 program group, 924 files.

Claims (12)

An address extraction device that extracts a predetermined address from addresses accessed by a proxy server device that accesses an address notified as an access destination from a terminal device,
A proxy log indicating an access destination address for each access performed by the proxy server device, valid address information indicating an address defined as valid in advance, and the terminal device based on a user instruction, the proxy server device An address input unit for inputting user instruction information indicating an address notified as an access destination ;
An address extraction unit that extracts an address that is not indicated in either the valid address information or the user instruction information from among the addresses indicated in the proxy log input by the address input unit; Address extractor. The address input unit
A terminal operation in which an address notified by the terminal device to the proxy server device as an access destination based on an address instruction operation instructing the access destination address to the terminal device by the user is shown in association with the address instruction operation. address extracting apparatus according to claim 1, wherein the inputting the log as the user instruction information. The address input unit
A terminal device having a local proxy inputs, as the user instruction information, a local proxy log indicating an address notified to the proxy server device as an access destination using the local proxy based on the user's instruction. The address extracting device according to claim 1 . The address input unit
Input related address information indicating an address associated with the web page of the address indicated in the user instruction information,
The address extraction unit
The address that is not indicated in any of the valid address information, the user instruction information, and the related address information is extracted from the addresses indicated in the proxy log input by the address input unit. Item 2. The address extracting device according to Item 1 . An address extraction device that extracts a predetermined address from addresses accessed by a proxy server device that accesses an address notified as an access destination from a terminal device,
For each access performed by the proxy server device, a proxy log in which an access time and an access destination address are shown in association with each other and valid address information in which an address previously defined as valid is indicated Address input section to
Among the addresses indicated in the proxy log input by the address input unit, a detection device that detects the presence of a user that is not indicated in the legitimate address information exists before the terminal device. An address extracting device comprising: an address extracting unit that extracts an address associated with an access time included in a period in which it is detected that no access is made . An address extraction device that extracts a predetermined address from addresses accessed by a proxy server device that accesses an address notified as an access destination from a terminal device,
For each access performed by the proxy server device, a proxy log in which an access time and an access destination address are shown in association with each other and valid address information in which an address previously defined as valid is indicated Address input section to
An address extraction unit that extracts an address that is not indicated in the valid address information from among the addresses indicated in the proxy log input by the address input unit ;
The address input unit further includes:
When the instruction operation instructed by the user to the terminal device and the operation time for each instruction operation are shown in association with each other and the user instructs the terminal device of an access destination address, the user The address notified by the terminal device to the proxy server device as the access destination based on the address instruction operation that instructs the terminal device of the access destination address is associated with the address instruction operation and the operation time of the address instruction operation. Enter the terminal operation log shown in the
The address extracting device further includes:
The first operation time after the start time of the predefined definition period and the last operation time before the end time of the definition period are extracted from the operation times indicated in the terminal operation log, and the start of the definition period A non-operation period consisting of a period from a time to the first operation time and a period from the last operation time to the end time of the definition period, or among the operation times indicated in the terminal operation log, The first address corresponding operation time that is the operation time after the start time of the definition period and is the first operation time associated with the address corresponds to the operation time that is the operation time before the end time of the definition period And the last address-corresponding operation time that is the last operation time attached, and the period from the start time of the definition period to the first address-corresponding operation time and the last Period calculation unit for calculating a non-address correspondence period comprising a period from dress corresponding operation time to the end time of the definition period
With
The address extraction unit
When the non-operation period is calculated by the period calculation unit, it is an address not shown in the valid address information among the addresses shown in the proxy log input by the address input unit, and the non-operation period When an address associated with an access time included in the URL is extracted and a non-address correspondence period is calculated by the period calculation unit, the address is associated with the access time indicated in the proxy log input by the address input unit An address extracting apparatus that extracts an address associated with an access time included in the non-address corresponding period from among the addresses that are included . An address extraction device that extracts a predetermined address from addresses accessed by a proxy server device that accesses an address notified as an access destination from a terminal device,
An address input unit for inputting a proxy log indicating an address of an access destination for each access performed by the proxy server device, and valid address information indicating an address defined as valid in advance;
An address extraction unit that extracts an address that is not indicated in the valid address information from among the addresses indicated in the proxy log input by the address input unit ;
A condition matching address specifying unit that specifies, as a condition matching address, a predetermined address that matches at least one predetermined condition among the addresses extracted by the address extraction unit;
An information input unit for inputting provided country information indicating a country to which a web page provider of an address belongs for each address extracted by the address extracting unit, and specific country information indicating a previously specified country;
With
The condition matching address specifying unit
The address of a web page provided by a country that matches any of the countries indicated in the specific country information among the countries indicated in the providing country information input by the information input unit is specified as a condition matching address. An address extracting device characterized by the above. An address extraction device that extracts a predetermined address from addresses accessed by a proxy server device that accesses an address notified as an access destination from a terminal device,
For each access performed by the proxy server device, a proxy log in which an access destination address and a data communication amount at the time of access are associated with each other and valid address information in which an address previously defined as valid is indicated are input. An address input section;
An address extraction unit that extracts an address that is not indicated in the valid address information from among the addresses indicated in the proxy log input by the address input unit ;
A condition matching address specifying unit that specifies, as a condition matching address, a predetermined address that matches at least one predetermined condition among the addresses extracted by the address extraction unit;
Calculate the number of accesses per unit time for each address extracted by the address extraction unit from the proxy log input by the address input unit, or by the address extraction unit from the proxy log input by the address input unit A traffic calculation unit for calculating the data traffic per unit time for each extracted address;
With
The condition matching address specifying unit
When the number of accesses per unit time is calculated by the traffic calculation unit, the number of accesses per unit time calculated by the traffic calculation unit only during a predetermined period defined in advance When the address that is equal to or greater than the threshold value is specified as a condition-matching address, and the data traffic volume per unit time is calculated by the traffic volume calculation unit, the traffic volume calculation unit only during a predetermined period defined in advance. An address extracting apparatus characterized in that an address at which the calculated data communication volume per unit time is equal to or greater than a predetermined threshold of data communication volume is specified as a condition matching address . An address extraction device that extracts a predetermined address from addresses accessed by a proxy server device that accesses an address notified as an access destination from a terminal device,
For each access performed by the proxy server device, a proxy log in which an access destination address and a data communication amount at the time of access are associated with each other and valid address information in which an address previously defined as valid is indicated are input. An address input section;
An address extraction unit that extracts an address that is not indicated in the valid address information from among the addresses indicated in the proxy log input by the address input unit ;
A condition matching address specifying unit that specifies, as a condition matching address, a predetermined address that matches at least one predetermined condition among the addresses extracted by the address extraction unit;
Calculate the number of accesses per unit time for each address extracted by the address extraction unit from the proxy log input by the address input unit, or by the address extraction unit from the proxy log input by the address input unit A traffic calculation unit for calculating the data traffic per unit time for each extracted address;
With
The condition matching address specifying unit
When the number of accesses per unit time is calculated by the communication amount calculation unit, an address where the number of accesses per unit time is equal to or greater than a threshold value of the number of accesses defined in advance for each fixed period is specified as a condition-matching address. When the amount of data communication per unit time is calculated by the communication amount calculation unit, an address where the data communication amount per unit time is equal to or greater than the threshold of the data communication amount defined in advance for every predetermined period is met. An address extracting apparatus characterized by being specified as an address. An address extraction device that extracts a predetermined address from addresses accessed by a proxy server device that accesses an address notified as an access destination from a terminal device,
For each access performed by the proxy server device, an access destination address , a request size which is the size of data transmitted from the proxy server device to the access destination, and a size of data received from the access destination by the proxy server device An address input unit for inputting a proxy log associated with a certain response size and valid address information indicating an address defined as valid in advance;
An address extraction unit that extracts an address that is not indicated in the valid address information from among the addresses indicated in the proxy log input by the address input unit ;
The response size associated with each address extracted by the address extraction unit from the proxy log input by the address input unit is specified in an access unit, and the specified response size is less than a predefined response size threshold value An address extracting apparatus comprising: a condition matching address specifying unit that specifies a specific address as a condition matching address . The condition matching address specifying unit
The response size and the request size associated with each address extracted by the address extraction unit from the proxy log input by the address input unit are specified in access units,
11. The address extraction according to claim 10, wherein the identified response size is less than a predefined response size threshold value, and an address having a request size less than the predefined request size threshold value is identified as a condition matching address. apparatus. An address extraction device that extracts a predetermined address from addresses accessed by a proxy server device that accesses an address notified as an access destination from a terminal device,
An address input unit for inputting a proxy log indicating an address of an access destination for each access performed by the proxy server device, and valid address information indicating an address defined as valid in advance;
An address extraction unit that extracts an address that is not indicated in the valid address information from among the addresses indicated in the proxy log input by the address input unit ;
The address input unit further includes:
A terminal operation log indicating a title of an access destination web page accessed by the proxy server based on an address notified to the proxy server by the user's operation;
Based on the address notified to the proxy server device by the terminal device using a local proxy, the title of the web page of the access destination accessed by the proxy server device and the access destination address are shown in association with each other. Enter a local proxy log containing at least one local proxy information,
The address extracting device further includes:
A local proxy information extraction unit that extracts local proxy information indicating a title that matches a title indicated in the terminal operation log from among the titles indicated in the local proxy information included in the local proxy log input by the address input unit
With
The address extraction unit
Of the addresses indicated in the proxy log input by the address input unit, an address that is not indicated in either the valid address information or the local proxy information extracted by the local proxy information extraction unit is extracted. An address extracting device characterized by the above.

Images