JP6504300B1 - INFORMATION PROCESSING APPARATUS, INFORMATION PROCESSING SYSTEM, CONTROL METHOD, AND PROGRAM - Google Patents

Abstract

An object of the present invention is to improve security by controlling access to an inappropriate connection destination given to an electronic mail.
A mail relay apparatus acquires an electronic mail received by a mail reception unit by a mail acquisition unit, and there is a suspicion of attack mail from outside S102 (Y), and when threat information cooperation is ON S104 (Y ), To calculate the degree of threat regarding the URL attached to the e-mail (S108). Then, the mail relay device transmits the URL list in which the threat information is stored to the access relay device (S112). The access relay apparatus controls access from the client terminal by determining an action according to the degree of threat.
[Selected figure] Figure 4

Description

  The present invention relates to relay control of communication with another device, and more particularly, to a method of registering information for identifying a resource of a communication destination which is required to perform relay control.

  With the development of network technology, various types of information are distributed, and there is a very convenient tool for providing such information to many users.

  For example, it is possible to obtain resources desired by the user by clicking a URL for specifying the location of resources such as HTML and images on the Internet.

  However, recently, exploiting the convenience of such tools and causing them to illegally access resources has caused damage such as infection with a virus and demand for a large payment.

  As an example of damage that abuses such a tool, an email with a URL specifying the location of the unauthorized resource is unilaterally sent to the user, the user opens the email, and the URL of the email is erroneously sent. Damage such as clicking has occurred.

  Therefore, as a method for solving such a problem, the URL of the e-mail stored in the folder for storing spam mail is invalidated, while the URL of the e-mail stored in a folder other than such a folder A technology for enabling is disclosed (see, for example, Patent Document 1).

Patent No. 04974076

  However, in the technology described in Patent Document 1, an e-mail that has not been determined as a spam e-mail but has only invalidated the URL given to the e-mail determined to be a spam e-mail by the function of the existing e-mail application software. However, there is a problem that it is difficult to cope with the case where a URL for specifying the location of an unauthorized resource is given.

  As a method of solving such a problem, there is a method of registering a URL for controlling access in the DB and prohibiting the access when the user tries to access the URL registered in the DB.

  In such a method, in order to improve the accuracy of access control, it depends on the accuracy of the URL registered in the DB, and if the URL given to the e-mail is registered in the DB, to the URL It is possible to control access, but if it is not registered in the DB, there arises a problem that the URL is accessed.

  Therefore, the present invention provides an information processing apparatus, an information processing system, a control method, and a program capable of improving security by controlling access to an inappropriate connection destination given to an electronic mail. The purpose is to

The present invention for solving the above problems comprises a first information processing apparatus for receiving an electronic mail, and control of access to an access destination included in the electronic mail received by the first information processing apparatus. An information processing system including the information processing apparatus 2 and storing means for storing an action to be executed according to the degree of threat; and an access destination included in the electronic mail received by the first information processing apparatus Based on the access destination, an acquisition unit for acquiring the degree of threat of the access destination, and an action stored in the storage unit as an action to be executed according to the degree of threat acquired by the acquisition unit. And executing means.
Further, according to the present invention for solving the above problems, there is provided a first information processing apparatus for receiving an electronic mail, and control of access to an access destination included in the electronic mail received by the first information processing apparatus. An information processing system including a second information processing apparatus, wherein the first information processing apparatus determines the threat degree of access to the access destination with respect to the access destination included in the electronic mail A determination unit; and a transmission unit configured to transmit the access destination and the threat degree, wherein the second information processing apparatus receives the access destination and the threat degree transmitted by the transmission unit. And means for determining an action for access to the access destination based on the degree of threat received by the receiving means.
Further, according to the present invention for solving the above problems, there is provided a first information processing apparatus for receiving an electronic mail, and control of access to an access destination included in the electronic mail received by the first information processing apparatus. A control method of an information processing system including a second information processing apparatus to be performed and storage means for storing an action to be executed according to a degree of threat, the e-mail received by the first information processing apparatus Obtaining the step of obtaining the degree of threat of the access destination based on the included access destination, and the action stored in the storage means as an action to be executed according to the degree of threat obtained in the obtaining step; And performing an execution step with respect to the first one.
Further, according to the present invention for solving the above problems, there is provided a first information processing apparatus for receiving an electronic mail, and control of access to an access destination included in the electronic mail received by the first information processing apparatus. A control method of an information processing system including a second information processing apparatus, wherein the first information processing apparatus determines the threat degree of access to the access destination with respect to the access destination included in the electronic mail. And a transmission step of transmitting the access destination and the threat degree, wherein the second information processing apparatus determines the access destination and the threat degree transmitted in the transmission step. A receiving step of receiving, and a determining step of determining an action for access to the access destination based on the degree of threat received by the receiving step; And wherein the Mukoto.
Further, the present invention for solving the above-mentioned problems is an information processing apparatus for controlling access to an access destination included in an electronic mail, and storing means for storing an action to be executed according to the degree of threat, Acquisition means for acquiring the degree of threat of the access destination based on the access destination, and the action stored in the storage means as an action to be executed according to the degree of threat acquired by the acquisition means; And execution means for executing the process .
Further, according to the present invention for solving the above problems, there is provided a control method of an information processing apparatus for controlling access to an access destination included in an electronic mail, including storage means for storing an action to be executed according to the degree of threat. An acquisition step of acquiring the degree of threat of the access destination based on the access destination, and an action stored in the storage means as an action to be executed according to the degree of threat acquired by the acquisition step. And an execution step executed to the access destination.
Further, the present invention for solving the above-mentioned problems is a program, which causes a computer to function as each means of the information processing apparatus according to claim 8.

  According to the present invention, security can be improved by controlling access to an inappropriate connection destination.

It is a block diagram which shows schematic structure of an information processing system. It is a block diagram which shows schematic structure of the hardware of an access relay apparatus, a mail relay apparatus, a mail server, an external server, and a client terminal. It is a block diagram which shows the function structure of an information processing system. It is a flowchart which shows registration determination processing of threat information. It is a flow chart which shows registration processing of threat information. It is a flow chart which shows control processing of Web access. It is a block diagram which shows the structure of a threat information cooperation destination registration screen. It is a block diagram which shows the structure of a threat information cooperation origin registration screen. It is a block diagram which shows the structure of a threat operation setting screen. It is a block diagram which shows the structure of a threat information search screen. It is a block diagram which shows the structure of each table.

Hereinafter, an embodiment of the present invention will be described in detail with reference to the drawings. FIG. 1 is a schematic block diagram of an information processing system according to an embodiment of the present invention.

  As shown in FIG. 1, the information processing system 100 according to the present embodiment has a configuration including an access relay apparatus 102, a mail server 104, a mail relay apparatus 106, a client terminal 108 (provided with at least one or more), and a LAN 110. And is connected to the external server 114 via the wide area network 112.

  The access relay apparatus 102 is an apparatus functioning as an information processing apparatus, and relays between the client terminal 108 and the external server 114 which communicates data via the wide area network 112.

  Also, the access relay apparatus 102 controls communication of the data according to a relay control rule for determining whether to relay or not relay data transmitted and received between the client terminal 108 and the external server 114. ing.

  The mail server 104 is an information processing apparatus used to transmit and receive electronic mail, and has functions such as management of a mail address of the electronic mail and storage of the electronic mail transmitted to the mail address. There is.

  The mail relay apparatus 106 performs transmission control processing for electronic mail transmitted from the mail server 104 and the client terminal 108 using transmission control rules, and also performs reception control processing for electronic mail transmitted from the external server 114, which will be described later. Using the reception control rule.

  Further, the mail relay device 106 accepts or transmits the input of the transmission control rule (reception control rule) used for the transmission control processing (reception control processing) of the electronic mail in response to the request from the user who operates the client terminal 108. As a result of control processing (reception control processing), transmission (reception) for an e-mail for which transmission (reception) is suspended, and input (audit input) of transmission inhibition (reception inhibition) are accepted.

  The client terminal 108 is a terminal device operated by a user who exchanges e-mails using a mail address managed by the mail server 104.

  The client terminal 108 is also a terminal device that provides various contents and the like provided from the external server 114 to the user.

  Furthermore, the client terminal 108 can refer to and register relay control rules, transmission control rules, and reception control rules stored in the access relay apparatus 102 and the mail relay apparatus 106 via the LAN 110.

  The external server 114 is a device for providing various contents and the like to users, and is installed by a service provider or an individual user or the like, or installed as a mail server owned by an external user. Do.

  Next, FIG. 2 describes an example of a hardware configuration of an information processing apparatus applicable to the access relay apparatus 102, the mail server 104, the mail relay apparatus 106, and the client terminal 108.

  In FIG. 2, reference numeral 201 denotes a CPU, which centrally controls devices and controllers connected to the system bus 204. Further, the ROM 202 or the external memory 211 is required to realize a BIOS (Basic Input / Output System) which is a control program of the CPU 201, an operating system program (hereinafter referred to as OS), and functions executed by each server or each PC. The various programs described later are stored.

  A RAM 203 functions as a main memory, a work area, and the like of the CPU 201. The CPU 201 loads a program and the like necessary for execution of processing from the ROM 202 or the external memory 211 to the RAM 203, and implements the various operations by executing the loaded program.

  An input controller 205 controls input from a keyboard (KB) 209 and a pointing device such as a mouse (not shown). A video controller 206 controls display on a display such as a CRT display (CRT) 210 or the like.

  Although FIG. 2 describes the CRT 210, the display may be not only a CRT but also another display such as a liquid crystal display. These are used by the administrator as needed.

  A memory controller 207 is connected via an adapter to a hard disk (HD) storing a boot program, various applications, font data, user files, editing files, various data, etc., a flexible disk (FD), or a PCMCIA card slot. Control access to the external memory 211 such as Compact Flash (registered trademark) memory.

  A communication I / F controller 208 connects and communicates with an external device via a network (for example, the LAN 110 shown in FIG. 1), and executes communication control processing in the network. For example, communication using TCP / IP is possible.

  The CPU 201 enables display on the CRT 210 by executing, for example, outline font rasterization processing on a display information area in the RAM 203. Further, the CPU 201 enables user's instruction with a mouse cursor (not shown) on the CRT 210 or the like.

  Various programs to be described later for realizing the present invention are stored in the external memory 211, and are executed by the CPU 201 by being loaded into the RAM 203 as necessary.

  Furthermore, definition files and various information tables used at the time of execution of the program are also stored in the external memory 211, and a detailed description of these will be described later.

  Next, the functional configuration of the information processing system 100 will be described using FIG. The details of each function will be described later with reference to a flowchart and the like.

  The mail relay device 106 includes a mail reception unit 300, a mail acquisition unit 302, a registration determination unit 304, a reception control unit 306, a reception control rule storage unit 308, a display unit 310, an input reception unit 312, a transmission unit 314, and a determination result storage unit. A setting storage unit 317 is provided.

  The mail reception unit 300 receives an electronic mail transmitted from the mail server 104, the external server 114, and the like, and the mail acquisition unit 302 acquires the electronic mail received by the mail reception unit 300.

  The registration determination unit 304 determines the risk of the URL given to the e-mail, thereby determining whether or not it is the target of the filtering.

  The reception control unit 306 controls the reception of the electronic mail by applying the reception control rule to the electronic mail acquired by the mail acquisition unit 302, and the display unit 310 displays various screens on the client terminal 108. Take control.

  The input reception unit 312 receives an input of information input on various screens displayed by the display unit 310, and the transmission unit 314 transmits, to the access relay apparatus 102, information on the result of the determination made by the registration determination unit 304. Do.

  The determination result storage unit 316 stores information on the result of the determination made by the registration determination unit 304, and the setting storage unit 317 controls the information related to the URL to control access by the URL acquired by the mail relay device 106. It stores information on settings such as whether to turn on or off the function (threat information cooperation) in cooperation with the access relay apparatus 102.

  The access relay apparatus 102 includes a reception unit 318, a cooperation URL storage unit 320, a display unit 322, an access control rule storage unit 324, an access control unit 326, and a URL storage unit 328.

  The reception unit 318 receives information on the determination result transmitted from the transmission unit 314 of the mail relay device 106, and the cooperation URL registration determination unit 319 registers the linked URL from the information on the determination result received by the reception unit 318. It is determined whether to do.

  The linked URL storage unit 320 stores information related to the linked URL determined to be registered by the linked URL registration determination unit 319.

  The display unit 322 controls display of various screens in the client terminal 108, and the access control rule storage unit 324 stores rules for controlling relay of access requested from the client terminal 108.

  The access control unit 326 controls the access by applying the relay control rule stored by the access control rule storage unit 324 to the access requested from the client terminal 108.

  The URL storage unit 328 stores and manages the categorized URLs, and new categories of categorized URLs are registered as appropriate.

  Next, registration determination processing of threat information (described later) in the access relay apparatus 102 will be described using the flowchart shown in FIG.

  In step S100, the mail acquisition unit 302 causes the mail reception unit 300 to acquire the electronic mail received from the external server 114.

  In step S102, the registration determination unit 304 determines whether the electronic mail acquired in step S100 is an electronic mail received by an external attack, and determines that the electronic mail is received by an external attack. In this case, the process proceeds to step S104. If it is not determined that the received e-mail is an external attack, the process proceeds to step S114.

  As a determination method in this step, for example, when the email to be determined is a virus email, a spam email, a scattered email, or a free email, it is determined that the email is received by an external attack.

  In addition, the file attached to the e-mail to be judged contains consecutive blanks of the file name, the file name is RLO controlled, the file name has a double extension, or the file is illegal If the program is embedded or the file is in the executable format, it is determined that the e-mail to be determined is an e-mail received by an external attack.

  Furthermore, if the URL attached to the e-mail to be determined is disguised that the displayed access destination is different from the actual access destination, or if the link destination includes a script, the e-mail to be determined is , It is determined that the received email is an external attack.

  In step S104, the registration determination unit 304 determines whether the threat information cooperation function is on or not. If it is determined that the function is on, the process proceeds to step S106, and is on If not determined, the process proceeds to step S114.

  As a determination method in this step, the determination is performed based on the information set in the threat information cooperation destination setting file (uppermost row in FIG. 11) in the setting storage unit 317.

  The threat information cooperation destination setting file stores information (for example, IP address etc.) required for connection with the cooperation destination of the cooperation destination of cooperation information on / off that stores whether the function to cooperate the threat information is turned on or off. It is configured to include cooperation destination information to be stored.

  These pieces of information are registered by the threat information cooperation destination registration screen 400 shown in FIG. 7, and the threat information cooperation destination registration screen 400 is an off selection unit 402 for selecting when turning off the function to cooperate with threat information, The on-selection unit 404 is provided to select when turning on the threat information cooperation function, and is controlled so that either the off-selection unit 402 or the on-selection unit 404 can be selected.

  The threat information cooperation destination registration screen 400 is displayed by the cooperation destination information input unit 406, the off selection unit 402, or the on selection unit 404 for inputting information (for example, an IP address etc.) required to connect the threat information to the cooperation destination. It has a registration button 408 for pressing when registering the selected information and the information input to the cooperation destination information input unit 406, and a cancel button 410 for pressing when stopping the registration of these information. .

  In this step, when it is determined that ON is stored in the cooperation function on / off of the threat information cooperation destination setting file, the process proceeds to step S106, and it is determined that OFF is stored in the cooperation function on / off. If yes, the process proceeds to step S114.

  In step S106, the registration determination unit 304 extracts, from the electronic mail, information on the URL attached to the electronic mail.

  In step S108, the registration determination unit 304 obtains the degree of threat to the URL attached to the electronic mail.

  The degree of threat indicates, for example, the degree of damage that the access source suffers from the resource at the URL destination when accessing using the URL.

  As an example of how to determine the degree of threat, it is determined in step S102 whether or not the email is an email received from an external attack, but if the URL attached to the email is disguised, the degree of threat is If the e-mail is received by an external attack and the URL attached to the e-mail is not disguised, the threat degree is middle.

  In step S110, the registration determination unit 304 stores the URL and information on threat level (threat information) in the URL list of the determination result storage unit 316 (from the top to the second row in FIG. 11).

  The URL list is linkage source identification information indicating information (for example, product name etc.) identifying the linkage source, a URL, a registered date and time indicating the date and time when the threat information was stored in the URL list, and the threat information. It is configured to include the registration reason indicating the reason to register to, and the degree of threat.

  In this step, information identifying the collaboration source (for example, the name of a product that is executing this process) is specified in the collaboration source specifying information in the URL list, and the URL extracted in step S106 is the URL in the URL list. The date and time described above for the registration date and time of the list, the reason for determining that the email is an email received from an external attack in step S102 for the URL list registration reason, and the threat degree for the URL list Memorize the required threat level.

  If there are a plurality of URLs extracted in step S106, the registration date, registration reason, and threat degree are stored corresponding to each URL.

  In addition, as the registration reason, as described above, for example, a file attached to an e-mail is an e-mail including virus mail, spam e-mail, scattered e-mail, free e-mail, a blank character including consecutive file names. A URL attached to an e-mail that contains, the file name is RLO controlled, the file name has a double extension, the malicious program is embedded in the file, or the file is in executable format However, the reason is that it is determined that the e-mail is received by an attack from the outside, for example, the displayed access destination is different from the actual access destination, or the link destination includes a script.

  In step S112, the transmitting unit 314 transmits the URL list in which the threat information is stored in step S110 to the access relay apparatus 102.

  In step S114, the reception control unit 306 receives, forbids or suspends reception of the electronic mail, according to the result of applying the reception control rule for determining the reception control method of the electronic mail.

  The conditions of the e-mail to which the reception control rule is applied include the sender condition, the receiver condition, the subject / text condition, the attached file condition and the like, and the reception control rule is an electronic device meeting the above conditions It is configured to include an operation indicating a process to be applied to mail data.

  Although the process shows the process applied to the e-mail data meeting the condition, any one of “reception”, “reception prohibition”, and “hold” is registered.

  If "reception" is registered, the electronic mail is transmitted to the designated transmission destination (client terminal 108).

  If "reception prohibited" is registered, the e-mail reception is prohibited. If "hold" is registered, the reception control process according to the "reception" or "reception prohibition" instruction to be received from the administrator on a screen (not shown) or the like is performed with the reception of e-mail suspended. become.

  Next, threat information registration processing will be described using the flowchart shown in FIG.

  In step S200, the receiving unit 318 determines whether the URL list transmitted from the mail relay device 106 has been received, and if it is determined that the URL list has been received, the process proceeds to step S202.

  In step S202, the link URL registration determination unit 319 determines whether the URL of the URL list received in step S200 is an exclusion target for registration in the threat level list (described later), and determines that the URL is an exclusion target. If YES in step S204, the processing ends. If it is not determined that the target is excluded, the processing proceeds to step S204.

  As a determination method in this step, the URL accepted in step S200 is stored using the file (not shown) in which the URL to be excluded from registration in the threat degree list is stored, and the URL stored in the file If it is determined that they match, the process ends, and if it is not determined that they match, the process proceeds to step S204.

  In order to register such a URL, the URL is registered on the threat information cooperation source registration screen 500 shown in FIG.

  The threat information collaboration source registration screen 500 includes a basic setting area 502 for performing basic settings relating to threat information registration, setting of information relating to the collaboration source and collaboration upon receiving the threat information from the collaboration source of the threat information in a push type. To the push type cooperation source setting area 504 for performing the pull, the pull type cooperation source setting area 506 for setting the information related to the cooperation source and the cooperation source upon receiving the threat information in a pull type from the cooperation source of the threat information, and the threat degree list A registration exclusion URL setting area 508 is provided to set a URL to be excluded from the registration of.

  The basic setting area 502 has a maximum registration number input unit 510 for inputting the maximum number of cases where threat information accepted from the cooperation source can be registered in the threat degree list, and a cycle for registering threat information accepted from the cooperation source into the threat degree list Registration interval input unit 512 for entering the registration interval, registration interval unit input unit 514 for entering the unit of the cycle (for example, seconds, minutes, hours, days etc.), and the date when the threat information is registered in the threat degree list It has a deletion target elapsed day 516 for entering the number of days from the to the day to be deleted.

  The push-type cooperation source setting area 504 is selected when the push-type cooperation OFF selection unit 518 for selecting threat information from the cooperation source in a push-type cooperation and the threat information from the cooperation source is to be push-type cooperation. A push type cooperative ON selection unit 520 is provided.

  In addition, the push-type cooperation source setting area 504 includes a push-type cooperation source connection information input unit 522 and a push-type cooperation source connection information input unit 522 for inputting connection information (for example, IP address etc.) of cooperation sources to be cooperated. A connection information addition button 524 pressed to add the input connection information, a connection information correction button 526 pressed to correct the already set connection information, and a deletion of the already set connection information The connection information deletion button 528 to be pressed is provided.

  In addition, the push-type cooperation source setting area 504 includes a connection information display unit 530 for displaying already set connection information, and when the connection information addition button 524 is pressed, the push-type cooperation source connection information is displayed. The connection information input to the input unit 522 is additionally displayed on the connection information display unit 530, and when the connection information displayed on the connection information display unit 530 is selected, the connection information is input to the push-type collaboration source connection information input unit 522. When the connection information correction button 526 is pressed, the selected connection information is updated with the connection information corrected in the push-type cooperation source connection information input unit 522. Be done.

  Further, when the connection information displayed on the connection information display unit 530 is selected and the connection information delete button 528 is pressed, the selected connection information is deleted from the connection information display unit 530.

  The push type cooperation source setting area 504 includes a high threat degree designated value input unit 532 for inputting a designated value for classifying which threat degree is the threat degree accepted from the cooperation source. There is.

  As the threat level, high and middle are assumed, and if the threat level of the collaboration source corresponds to the value input to the high threat level designated value input unit 532, it is classified as high threat level and applicable If not, it will be classified as inside threat.

  The pull-type cooperation source setting area 506 is selected to select the pull-type cooperation OFF selection unit 534 for selecting threat information from the cooperation source when the threat information is not to be cooperated in pull type, and the threat information from the cooperation source. The pull-type cooperative ON selection unit 536 is provided.

  The pull type cooperation source setting area 506 is for inputting a cycle for acquiring threat information to the cooperation source, the pull type cooperation source connection information input unit 538 for inputting connection information (for example, URL etc.) of the cooperation source to be operated. The threat information acquisition interval input unit 540, the threat information acquisition interval unit input unit 542 for inputting the unit of the cycle (for example, seconds, minutes, hours, days, etc.), the threat degree received from the collaboration source, A high threat degree designated value input unit 544 is provided for inputting a designated value for classifying whether the threat degree is a level.

  An exclusion target URL setting area 508 is pressed to add the URL input to the exclusion target URL input unit 546 and the exclusion target URL input unit 546 for inputting the URL to be an exclusion target of registration in the threat degree list. The URL adding button 548, the URL modifying button 550 pressed to correct the already set URL, and the URL deleting button 552 pressed to delete the already set URL are provided.

  In addition, the registration excluded URL setting area 508 is provided with a URL display unit 554 for displaying the already set URL, and when the URL addition button 548 is pressed, it is input to the exclusion target URL input unit 546. When the URL is additionally displayed on the URL display unit 554 and the URL displayed on the URL display unit 554 is selected, the URL is displayed on the exclusion target URL input unit 546, and the displayed URL is corrected to correct the URL. When the button 550 is pressed, the selected URL is updated with the URL corrected in the exclusion target URL input unit 546.

  When the URL displayed on the URL display unit 554 is selected and the URL delete button 552 is pressed, the selected URL is deleted from the URL display unit 554.

  The threat information cooperation source registration screen 500 is input to the basic setting area 502, the push type cooperation source setting area 504, the pull type cooperation source setting area 506, and the registration excluded URL setting area 508 when the update button 556 is pressed. Information is registered in the threat information cooperation setting file (the third row from the top of FIG. 11) and the threshold information file (the fourth row from the top of FIG. 11).

  The threat information linkage setting file contains the maximum number of registrations, registration interval, deletion target elapsed days, linkage function on / off (push), access permission (push), linkage source specific information (push), linkage function on / off (pull) , Data acquisition destination (pull), acquisition interval (pull), and cooperation source identification information (pull).

  The threshold information file is configured to include cooperation source identification information, list items indicating the threat levels (for example, high threat level, medium threat level) existing at the link source, and high threat level designated values.

  The information input on the threat information cooperation source registration screen 500 is registered in each of these items, and the information on the threat information cooperation setting file is described in the maximum registration number, the information input to the maximum registration number input unit 510, In the registration interval, the information input to the registration interval input unit 512 and the registration interval unit input unit 514, and in the deletion target elapsed days, the information input to the deletion target elapsed days 516, cooperation function on / off (push) The information selected by the push-type cooperation OFF selection unit 518 or the push-type cooperation ON selection unit 520, the information displayed on the connection information display unit 530 for access permission (push), cooperation source identification information (push) The information to specify the collaboration source to be linked by push type (pre-set), the pull-down type collaboration OFF selection unit to the collaboration function on / off (pull) 34 or the information selected in the pull type cooperation ON selection unit 536, the information acquired in the pull type cooperation source connection information input unit 538 in the data acquisition destination (pull), the threat information in the acquisition interval (pull) The information input in the acquisition interval input unit 540 and the threat information acquisition interval unit input unit 542 and the cooperation source identification information (pull) are registered with information (previously set) for specifying the cooperation source to be cooperated in a pull type. Ru.

  In addition, with regard to the threshold information file, in the house identification information, information specifying the collaboration source regardless of pull type or push type (previously set), and in the list item, the threat level existing in the collaboration source ( Information entered in the high threat degree designated value input unit 532 or the high threat degree designated value input unit 544 is registered in the high threat degree designated value in advance.

  The degree of threat registered in the list item is displayed in a list so as to be selectable to the high threat degree designated value input unit 532 or the high threat degree designated value input unit 544.

  The URL displayed on the URL display unit 554 is stored in a file (not shown) in which the URL to be excluded from registration in the threat degree list is stored.

  In step S204, the cooperation URL registration determination unit 319 determines whether the URL of the URL list received in step S200 is the URL stored in the URL storage unit 328, and when it is determined that the URL is If the process is ended and it is not determined that the URL is found, the process proceeds to step S206.

  In step S206, the cooperation URL registration determination unit 319 acquires threshold information to be classified into the high threat degree related to the cooperation identification source information of the URL list received in step S200 from the high threat degree designation value of the threshold information file.

  In step S208, the link URL registration determination unit 319 determines whether the threat level of the URL list received in step S200 is high threat or medium threat based on the threshold information acquired in step S206.

  If the middle threat is set in the threshold information, the judgment in this step is regarded as high threat if the threat of the linked URL is equal to or higher than the middle threat, and the high threat is set in the threshold information. If the URL of the linked URL is high, it is considered high threat.

  In step S210, the cooperation URL registration determination unit 319 stores the URL of the URL list received in step S200 in the threat information control setting file (from the top to the fifth in FIG. 11).

  The threat information control setting file is configured to include an existing threat category indicating a dangerous URL category, a high threat URL indicating a high threat URL, and a middle threat URL indicating a medium threat URL.

  In the existing threat category, a dangerous URL category is registered in advance, and in the high threat URL, the URL determined to be high threat in step S210 is registered, and in the middle threat URL, the middle threat in step S210. The URL determined to be registered is registered.

  Next, web access control processing will be described using the flowchart shown in FIG.

  In step S300, the access control unit 326 determines whether there is a request for Web access from the client terminal 108. If it is determined that there is a request, the process proceeds to step S302.

  In step S302, the access control unit 326 determines whether the web access requested in step S300 falls under a predetermined exception rule. If it determines that the web access falls under the exception rule, the process proceeds to step S310. If it is determined not to be the case, the process proceeds to step S304.

  An exception rule is to exceptionally permit Web access with respect to Web access provided with conditions for prohibiting access under normal conditions, and as a specific example, conditions such as URL, time zone, and IP address of access source Can be mentioned as

  In step S304, the access control unit 326 determines whether the information related to the URL for specifying the web access destination requested in step S300 is registered in the threat information control setting file of the cooperation URL storage unit 320, and registration is performed. If it is determined that it has been registered, the process proceeds to step S310. If it is not determined that it has been registered, the process proceeds to step S306.

  In this step, first, the URL storage unit 328 inquires to which category the URL specifying the web access destination belongs, and if there is a category, it is determined whether or not it is registered in the existing threat category, If it is determined that the URL is registered, the process proceeds to step S310. If it is not determined that the URL is registered, it is determined whether the URL specifying the Web access destination is registered in the high threat URL.

  If it is determined that the URL is registered, the process proceeds to step S310. If it is not determined that the URL is registered, it is then determined whether the URL specifying the web access destination is registered in the middle threat URL. .

  If it is determined that it is registered, the process proceeds to step S310. If it is not determined that it is registered, the process proceeds to step S306.

  In step S306, the access control unit 326 determines whether the Web access requested in step S300 falls under a predetermined restriction rule, and if it determines that it does, the process proceeds to step S310, If it is determined not to be the case, the process proceeds to step S308.

  As the restriction rule, conditions such as accessible time zone, day of the week, URL group obtained by grouping URLs, communication method from the client terminal 108, data contents to be communicated (MIME type, keyword, personal information, size, file type, etc.) are conditions. Can be mentioned as

  In step S308, the access control unit 326 relays the web access requested in step S300 (permits access and communicates to the URL destination).

  In step S310, when the web access corresponds to the exception rule, the access control unit 326 determines that the URL specifying the web access destination exists in the threat degree list, or the web access corresponds to the restriction rule. Take action according to the case.

  In this step, as described in step S304, the action to be executed depends on whether the information on the URL for specifying the Web access destination is registered in the existing threat category, the high threat URL, or the middle threat URL. Since it is registered in the setting file (at the bottom of FIG. 11), the corresponding action is executed.

  The threat information operation setting file determines whether Web access has a risk in addition to exception rules and restriction rules for Web access (whether or not a URL for specifying a Web access destination exists in the threat degree list It has an access control on / off for setting whether to turn on or off the function to judge.

  If the access control on / off is on, the process of step S304 is performed. If the access control is off, the process of step S304 is skipped and the process of step S306 is performed.

  The threat information operation setting file contains the existing threat action for setting the action to be executed when the category to which the URL specifying the web access destination belongs is registered in the existing threat category, and the URL specifying the web access destination is High threat action for setting the action to be executed when registered as high threat action, and for setting the action to be performed when the URL specifying the web access destination is registered for medium threat action Has a medium threat action.

  These pieces of information are registered on the threat operation setting screen 600 shown in FIG. The threat operation setting screen 600 includes a URL access specification off selection unit 602 and a URL access specification on selection unit 604, any of these selection units can be selected, and the URL access specification off selection unit 602 is selected. When registration is performed, access control on / off is set as OFF, and when registration is performed by selecting the URL access specification on selection unit 604, access control on / off is set as ON.

  The threat operation setting screen 600 has an input area 606 for setting an action to be executed when information on a URL for specifying a web access destination is registered in the existing threat category, and is registered in the high threat action. An input area 608 for setting an action to be performed, and an input area 610 for setting an action to be performed when registered in the middle threat action.

  The input area 606 is a selection section 612 for selecting a trial (relay) as an action to be executed for Web access, a selection section 614 for selecting to output a warning, and access is permitted by input of a password. A selection unit 616 for selecting to do overriding, a selection unit 618 for selecting to prohibit access, and a selection unit 620 for selecting to redirect to another URL.

  For each of the selection unit 614, the selection unit 616, and the selection unit 618, it is possible to select a screen to be output, and select information for specifying the screen displayed on the screen selection unit 622.

  The input area 606 includes, for the selection unit 620, a redirect destination URL input unit 624 for inputting a URL to be redirected.

  Since the input area 608 and the input area 610 have the same input items as the input area 606, the description will be omitted.

  When information is input in each of these input areas and the update button 626 is pressed, information on the action input in the input area 606 is registered in the existing threat action, and information on the action input in the input area 608 is high. Information on the action registered in the threat action and input in the input area 610 is registered in the medium threat action.

  FIG. 10 shows a threat information search screen 700 for searching for a URL having a threat. The threat information search screen 700 includes a high threat selection unit 702 for pressing a high threat URL as a search target, and a middle threat selection unit 704 for pressing a middle threat URL as a search target. ing.

  If only the high threat selection unit 702 is selected, the high threat URL is searched, and if only the middle threat selection unit 704 is selected, the middle threat URL is searched and the high threat selection unit When 702 and the middle threat selection unit 704 are selected, URLs of high threat and middle threat are searched.

  The threat information search screen 700 includes a search URL input unit 706 for inputting a URL to be searched, a display number input unit 708 for inputting the number of items to be displayed based on a search result, a high threat selection unit 702, and middle threat selection A section 704, a search button 710 for pressing when performing a search based on the information input to the search URL input section 706, and a clear for pressing when clearing information input to each selection section and the input section A button 712 is provided.

  The threat information search screen 700 includes a threat degree display unit 714 for displaying the threat degree to be searched and a URL display unit 716 for displaying the URL to be searched, and the threat degree display unit 714 has high threat. The URL is displayed based on the inputs from the selection unit 702 and the middle threat selection unit 704, and the URL input to the search URL input unit 706 is displayed on the URL display unit 716.

  The threat information search screen 700 displays the search results as a list, and a deletion target selection unit 718 for selecting a URL to be deleted, a URL display unit 720 for displaying the searched URL, a threat of the URL Threat degree display unit 722 that displays the degree, last update date and time display unit 724 that displays the date and time when the URL was registered, cooperation source display unit 726 that displays the cooperation source identification information for specifying the cooperation source of the URL, and And a registration reason display unit 730 for displaying the reason why the URL is registered.

  Information on these search results is obtained by first acquiring supplemental information from the URL list regarding the URL obtained by searching the high threat URL and the medium threat URL from the threat information control setting file.

  The URL display unit 720 displays the URL of the URL list, the threat degree display unit 722 shows the high threat URL of the threat information control setting file, the middle threat URL, and the last updated date display unit 724 displays the URL list registration date The cooperation source display unit 726 displays the cooperation source identification information of the URL list, and the registration reason display unit 730 displays the registration reason of the URL list.

  The threat information search screen 700 includes a delete button 732 for pressing when deleting the URL selected by the deletion target selection unit 718. When the delete button 732 is pressed, information related to the corresponding URL is deleted from the threat information control setting file and the URL list.

  As described above, according to the present invention, it is possible to register information on an inappropriate connection destination with high accuracy.

  The configuration of the various data described above and the contents thereof are not limited to this, and it is needless to say that they are configured in various configurations and contents depending on the application and purpose.

  Although one embodiment has been described above, the present invention can take an embodiment as a method, a program, a recording medium, etc., for example.

  Further, the program in the present invention is a program that can execute the processing method of the flowcharts shown in FIG. 4 to FIG.

  As described above, the recording medium recording the program for realizing the functions of the above-described embodiments is supplied to the system or apparatus, and the computer (or CPU or MPU) of the system or apparatus stores the program stored in the recording medium. It goes without saying that the object of the present invention can be achieved also by reading and executing.

  In this case, the program itself read out from the recording medium realizes the novel function of the present invention, and the recording medium storing the program constitutes the present invention.

  As a recording medium for supplying the program, for example, a flexible disk, hard disk, optical disk, magneto-optical disk, CD-ROM, CD-R, DVD-ROM, magnetic tape, non-volatile memory card, ROM, EEPROM, silicon Disks, solid state drives, etc. can be used.

  Further, by executing the program read by the computer, not only the functions of the above-described embodiment are realized, but also an operating system (OS) or the like running on the computer is actually executed based on the instructions of the program. It goes without saying that the processing is partially or entirely performed, and the processing realizes the functions of the above-described embodiments.

  Furthermore, after the program read from the recording medium is written to the memory provided to the function expansion board inserted into the computer or the function expansion unit connected to the computer, the function expansion board is read based on the instruction of the program code. It goes without saying that the case where the CPU or the like provided in the function expansion unit performs part or all of the actual processing and the functions of the above-described embodiment are realized by the processing.

  It goes without saying that the present invention can also be applied to the case that is achieved by supplying a program to a system or device. In this case, by reading a recording medium storing a program for achieving the present invention into the system or apparatus, the system or apparatus can receive the effects of the present invention.

  Further, by downloading and reading out a program for achieving the present invention from a server on a network, a database or the like by a communication program, the system or apparatus can receive the effects of the present invention.

  In addition, the structure which combined each embodiment mentioned above and its modification is also contained in this invention altogether.

100 information processing system 102 access relay device 104 mail server 106 mail relay device 108 client terminal 110 LAN
112 Wide area network 114 External server

Claims (10)

Information processing including a first information processing apparatus for receiving an electronic mail, and a second information processing apparatus for controlling access to an access destination included in the electronic mail received by the first information processing apparatus A system,
Storage means for storing an action to be performed according to the degree of threat;
Acquisition means for acquiring the degree of threat of the access destination based on the access destination included in the electronic mail received by the first information processing apparatus;
Execution means for executing the action stored in the storage means as the action to be executed according to the degree of threat acquired by the acquisition means, with respect to the access destination ;
An information processing system comprising: Said storage means further stores the access destination for controlling the access,
The execution means, the information processing system according to claim 1, characterized in that to perform different actions with the access destination that is not stored in the access destination and the storage means is stored in said storage means. The apparatus further comprises display control means for controlling to display a screen capable of viewing an action to be executed according to the degree of threat stored in the storage means.
3. The information processing system according to claim 2 , wherein the display control means performs display control of a screen capable of searching for an access destination stored in the storage means. 4. The information processing system according to claim 3, wherein the display control means controls to display a screen capable of changing an action to be executed according to the degree of threat. Information processing including a first information processing apparatus for receiving an electronic mail, and a second information processing apparatus for controlling access to an access destination included in the electronic mail received by the first information processing apparatus A system,
The first information processing apparatus is
Threat degree determining means for determining the degree of threat of access to the access destination with respect to the access destination included in the e-mail;
Transmission means for transmitting the access destination and the threat level;
Equipped with
The second information processing apparatus is
Receiving means for receiving the access destination and the threat degree transmitted by the transmission means;
A determination unit configured to determine an action for access to the access destination based on the degree of threat received by the reception unit;
An information processing system comprising: A first information processing apparatus for receiving an electronic mail, a second information processing apparatus for controlling access to an access destination included in the electronic mail received by the first information processing apparatus, and a degree of threat A control method of an information processing system including: storage means for storing an action to be executed ;
An acquiring step of acquiring the degree of threat of the access destination based on the access destination included in the electronic mail received by the first information processing apparatus;
Executing an action stored in the storage unit as an action to be executed according to the degree of threat acquired in the acquiring step, with respect to the access destination ;
And controlling the information processing system. Information processing including a first information processing apparatus for receiving an electronic mail, and a second information processing apparatus for controlling access to an access destination included in the electronic mail received by the first information processing apparatus A control method of the system,
The first information processing apparatus is
A threat degree determination step of determining a threat degree of access to the access destination with respect to the access destination included in the e-mail;
A transmitting step of transmitting the access destination and the threat level;
Including
The second information processing apparatus is
Receiving the access destination and the threat degree transmitted by the transmission step;
Determining an action for access to the access destination based on the degree of threat received by the receiving step;
And controlling the information processing system. An information processing apparatus that controls access to an access destination included in an electronic mail,
Storage means for storing an action to be performed according to the degree of threat;
Acquisition means for acquiring the degree of threat of the access destination based on the access destination;
Execution means for executing the action stored in the storage means as the action to be executed according to the degree of threat acquired by the acquisition means, with respect to the access destination ;
An information processing apparatus comprising: A control method of an information processing apparatus that controls access to an access destination included in an electronic mail, including a storage unit that stores an action to be executed according to the degree of threat ,
An acquiring step of acquiring the degree of threat of the access destination based on the access destination;
Executing an action stored in the storage unit as an action to be executed according to the degree of threat acquired in the acquiring step, with respect to the access destination ;
And controlling the information processing apparatus. The program for functioning a computer as each means of the information processing apparatus of Claim 8 .

Images