JP6530578B1 - Fraud detection system and fraud detection device - Google Patents

Abstract

A plurality of relay devices relaying data transmitted from a plurality of user terminals 100 that are data transmission sources, a plurality of node devices 300 connected by a distributed network, and a plurality of user terminals 100 to a plurality of node devices 300 And a fraud detecting device 400 for detecting fraudulent activity performed by the relay device 200, and the plurality of user terminals 100 transmit data to at least one of the plurality of relay devices 200 according to a predetermined transmission rule. The fraud detection device 400 analyzes not the data recorded in the node device 300 but the data processed by the plurality of relay devices 200, and the data is transmitted in a mode that violates a predetermined transmission rule. The node device 300 is actually determined by determining that the relay apparatus 200 that is processing is performing an unauthorized action. Over data to be able to detect that the abuse is occurring in the relay apparatus 200 before being recorded.

Description

  The present invention relates to a fraud detection system and a fraud detection device, and is particularly suitable for use in a system for detecting a fraud performed on data communicated over a network.

  In recent years, systems utilizing communication network technology such as the Internet are widely used. In this type of system, much data is transmitted and received between a plurality of terminals or between a terminal and a server. For example, uploading and storing data from the terminal to the server, and executing predetermined processing on the server based on the data transmitted from the terminal to the server may be said to be a function that most systems have.

  Although the data sent from the terminal to the server varies, it is strongly demanded that any fraudulent action such as falsification of the data to be sent or transmission of illegal data due to the hijacking of the terminal be quickly taken and appropriate action be taken promptly It is done. In order to respond to this request, various fraud detection systems for detecting that fraudulent activity is being performed are provided (see, for example, Patent Documents 1 and 2).

  In the system described in Patent Document 1, destination log information indicating destinations to which each device has transmitted information is collected from a plurality of registered devices, and based on the collected destination log information, a plurality of registered devices are sent to the same destination. When it is detected that the number of pieces of information to be transmitted exceeds a preset threshold value, it is determined that unauthorized access to the destination has occurred.

  In the system described in Patent Document 2, when transmitting and receiving data between the EDI system and the supplier system, the number of slips and the number of slip specification lines at the time of input to the EDI system, and format conversion and work within the EDI system The number of slips at the time of output and the number of slip specification lines, which are the results of processing, are compared and confirmed to detect data loss and an increase in fraud.

  By the way, in recent years, distributed ledger technology called block chain has attracted attention, and examples of use in various fields are increasing. The block chain is a distributed network including a plurality of node devices, and data recorded in a block shared among the node devices is theoretically considered to be retroactively unchangeable, Blockchains are highly resistant to data tampering.

  However, the block chain is only extremely difficult to falsify the data recorded in the block, and can not prevent the fraud before the data is recorded in the block. For example, if data generated illegally as a result of the transmission source device hijacking is input to the block chain, the illegal data is stored in an unchangeable state.

  For example, in the case where a block chain is used in a system in which data is transmitted from a large number of terminals to a server and recorded, terminals and block chains of data transmission sources are used to simplify key management by suppressing the number of open networks. It is conceivable to configure the system to transmit data to the block chain via a small number of relay servers from a large number of terminals between the small number of relay servers.

  In a system configured in this way, if a relay server is hijacked by a malicious third party, illegally generated data will be injected into the block chain. For this reason, even when using a system in which block chains are used as a data storage mechanism to prevent falsification of data recorded in block chains, fraudulent activity is performed before data is actually recorded in block chains. It is desirable to introduce a system to detect that is being done.

  Non-Patent Document 1 discloses that in a Bitcoin network (block chain) in which a plurality of nodes are connected by a peer-to-peer network, anomaly detection is performed by data mining, and unauthorized nodes are detected by the anomaly detection. It is done. However, the technology described in this non-patent document 1 is for detecting fraud in node devices included in the Bitcoin network, and fraudulent activity occurs in the relay server before data is actually recorded in the block chain. It is not possible to detect what is happening.

JP, 2006-350561, A JP, 2009-169791, A https://ieeexplore.ieee.org/abstract/document/7802939/, “Unsupervised Learning for Robust Bitcoin Fraud Detection”, Published in 2016 Information Security for South Africa (ISSA), 17-18 Aug. 2016

  The present invention has been made in view of such circumstances, and in a system configured to record data transmitted from a transmitting device via a relay device in a plurality of node devices connected by a distributed network. An object of the present invention is to detect that fraudulent activity is being performed in a relay device before data is actually recorded in a node device.

  In order to solve the problems described above, according to the present invention, a plurality of transmission devices that are data transmission sources, a plurality of node devices connected by a distributed network, and a plurality of data transmitted from a plurality of transmission devices In a system comprising a plurality of relay devices relaying to a node device, the system includes a fraud detection device for detecting fraudulent activity performed by the relay device, and the plurality of transmission devices execute at least the plurality of relay devices according to a predetermined transmission rule. The configuration is made to transmit data to one, and the fraud detection device analyzes the data being processed by the plurality of relay devices, or the processing status of the data, and processes the data in a manner that violates a predetermined transmission rule. A relay device that is located is detected as a relay device that is performing fraudulent activity.

  According to the present invention configured as described above, fraudulent activity in the relay device is detected not by data recorded in the node device but by analysis of data processed by the relay device or the processing status of the data. Therefore, in a system in which data transmitted from a transmitting device via a relay device is recorded in a plurality of node devices connected by a distributed network, relay before data is actually recorded in the node device It can detect that cheating is being performed on the device.

BRIEF DESCRIPTION OF THE DRAWINGS It is a figure which shows the example of whole structure of the fraud detection system by 1st Embodiment. It is a block diagram showing an example of functional composition of a fraud detecting device by a 1st embodiment. It is a block diagram showing an example of functional composition of a fraud detecting device by a 2nd embodiment.

First Embodiment
Hereinafter, a first embodiment of the present invention will be described based on the drawings. FIG. 1 is a diagram showing an example of the entire configuration of the fraud detection system according to the first embodiment. As shown in FIG. 1, fraud detection system according to the first embodiment, a relay of a plurality (x pieces to) the user terminal 100 _-1 to 100 _-x of multiple (.x and y-number> y) a device 200 _-1 to 200 DEG _-y, and the node device 300 _-1 to 300 _-z plurality (a number z), constituted by a fraud detection system 400.

Between the user terminal 100 _-1 to 100 _-x and the relay device 200 _-1 to 200 DEG _-y is connected via a communication network including the Internet and mobile phone network. Further, between the relay device 200 _-1 to 200 DEG _-y and node device 300 _-1 to 300 _-z is also connected via a communications network. Further, between the plurality of relay devices 200 _-1 to 200 DEG _-y and fraud detection unit 400 is also connected via a communications network. Between the plurality of relay devices 200 _-1 to 200 DEG _-y and fraud detection device 400 may be a dedicated line using a VPN (Virtual Private Network) and the like.

In the following description, any one or more of the plurality of user terminals _{100-1 to} 100- _x will be referred to as "user terminal 100". Furthermore, when it means any one or more of the plurality of relay devices 200 _-1 to 200 DEG _-y is referred to as "relay apparatus 200". Similarly, when to mean any one or more of the plurality of node devices 300 _-1 to 300 _-z is referred to as a "node apparatus 300".

The user terminal 100 _-1 to 100 _-x is a plurality of transmitting apparatuses is the data source, transmits the data to be recorded on a plurality of node devices 300 _-1 to 300 _-z. For example, the user terminal _{100-1 to} 100- _x improves a user's lifestyle through execution of a predetermined process, and thereby a treatment application intended to treat a specific symptom (hereinafter referred to as a treatment application) ), And is configured of, for example, a smartphone, a tablet terminal, a personal computer, and the like.

For example, in the therapeutic application, information on the user's symptoms and daily activities etc. may be input as needed, or a predetermined process involving the user's actions may be executed, based on the input information and execution results of the process. Perform a predetermined analysis, and output a message regarding a predetermined advice. The user gradually improves the lifestyle by acting in accordance with this message. The user terminal 100 _-1 to 100 _-x transmits various data acquired by the therapeutic application (such as input information or a predetermined process execution result) to the relay device 200 _-1 to 200 DEG _-y.

Note that the therapeutic application performs a part of various processes including analysis and the like performed by the therapeutic application alone. Also, the node device 300 _-1 300 connected (not shown) trial management server _-z is also processing performed by using the data recorded in the node device 300 _-1 300 _-z. Results investigational management server has processed is or are recorded by transmitting the investigational management server to the node device 300 _-1 to 300 _-z, utilized in the therapeutic application are transmitted to the user terminal 100 _-1 to 100 _-x Be done.

A plurality of node devices 300 _-1 to 300 _-z is connected by a distributed network, securely record data in cooperation with each other. For example, a distributed network is a block chain. That is, the node device 300 _-1 300 _-z, the user terminal 100 _-1 to 100 the data provided via the relay device 200 _-1 to 200 DEG _-y from _-x plurality of node devices 300 _-1 to 300 _{- z} Consensus-making processing (consensus processing) for sharing by _z , and only data that has been made consensus is newly recorded as history. By using the block chain, thereby preventing subsequent alteration of the data recorded in the node device 300 _-1 to 300 _-z.

The relay apparatus 200 _-1 to 200 DEG _-y acquires data transmitted from a plurality of user terminals 100 _-1 to 100 _-x, the acquired data of a plurality of node devices 300 _-1 to 300 _-z least 1 Send to Thus, the relay device 200 _-1 to 200 DEG _-y is to relay the data to be provided from the user terminal 100 _-1 to 100 _-x to the node device 300 _-1 to 300 _-z.

The relay apparatus 200 _-1 to 200 DEG _-y is another third party to manage the physician to perform user and therapy treated with the therapeutic application. The number of the relay devices 200 _-1 ~200 _-y (y-number) is less than the number of user terminals 100 _-1 ~100 _-x (x number). This is because when a large number of user terminals 100 _-1 to 100 _-x to system configuration write data directly to the block chain, the network is opened to a large number of user terminals 100 _-1 to 100 _-x, a number of keys The purpose is to avoid this as it needs to be managed.

That is, set up a small number of relay devices 200 _-1 to 200 DEG _-y between many user terminals 100 _-1 to 100 _-x and the block chain (a plurality of node devices 300 _-1 to 300 _-z), a number of It is to be transmitted to the block chain data through fewer relay device 200 _-1 to 200 DEG _-y from the user terminal 100 _-1 to 100 _-x. In this way, it is only necessary to open the network only to a small number of the relay apparatus 200 _-1 to 200 DEG _-y, can be reduced the number of to be managed key.

Fraud detection device 400 by analyzing the data in which a plurality of relay devices 200 _-1 to 200 DEG _-y is processing, for detecting fraud being carried out by the relay station 200 _-1 to 200 DEG _-y It is a thing. In the present embodiment, fraud detection unit 400, unauthorized third party to detect whether performed cheating hijack one of the relay devices 200 _-1 to 200 DEG _-y. The fraudulent act is an act of generating fraudulent data and transmitting it to the node device 300 _{-1 to} 300 _-z .

Here, the data relay apparatus 200 _-1 to 200 DEG _-y is "process", and the relay device 200 _-1 to 200 DEG _-y is "received" from a plurality of user terminals 100 _-1 to 100 _-x Data. That, fraud detection unit 400 performs a predetermined analyzing data stored in the relay on the transmission has been the relay apparatus 200 _-1 to 200 DEG _-y from the user terminal 100 _-1 to 100 _-x as monitored. Specifically, fraud detection unit 400, the data stored in a predetermined area of the plurality of relay devices 200 _-1 to 200 DEG _-y comprises storage device periodically obtains, given the acquired data Perform an analysis.

The predetermined analysis performed by the fraud detection unit 400 is the determined analyzing the identity of the data in which a plurality of relay devices 200 _-1 to 200 DEG _-y is receiving from the user terminal 100 _-1 to 100 _-x respectively . In order to be able to judge the identity of this data, a plurality of user terminals 100 _-1 to 100 _-x is two or more relay devices 200 of the plurality of relay devices 200 _-1 to 200 DEG _-y The same data is transmitted to two or more relay apparatuses 200 according to a predetermined transmission rule of transmitting the same data.

For example, the therapeutic application of the user terminal 100 _-1 to 100 _-x, in transmitting the data to one of the relay devices 200 _-1 to 200 DEG _-y, for example, two to send the same data to the relay device 200 Make it Whether to send the two which of the plurality of relay devices 200 _-1 to 200 DEG _-y, it may be adapted to determine arbitrarily each time. For example, when transmitting data from a therapeutic application of one user terminal 100, the data may be transmitted to two fixed relay devices 200 set in advance with respect to the therapeutic application, It may be made to transmit to two relay apparatuses 200 selected at random each time.

  FIG. 2 is a block diagram showing an example of the functional configuration of the fraud detection device 400 according to the first embodiment. As shown in FIG. 2, the fraud detection device 400 according to the first embodiment includes a data acquisition unit 41, a data content analysis unit 42, and a fraud detection unit 43 as its functional configuration.

  Each of the functional blocks 41 to 43 can be configured by any of hardware, DSP (Digital Signal Processor), and software. For example, when configured by software, each of the functional blocks 41 to 43 is actually configured to include a CPU, a RAM, a ROM, etc. of a computer, and a program stored in a storage medium such as a RAM, a ROM, a hard disk or a semiconductor memory Is realized by operating.

Data acquisition unit 41 periodically accesses to a plurality of relay devices 200 _-1 to 200 DEG _-y, acquires the data stored in a predetermined area of the storage device by the relay apparatus 200 _-1 to 200 DEG _-y comprises . Here, the relay device 200 _-1 to 200 DEG _-y shall configuration is performed in advance to store the data received from the user terminal 100 _-1 to 100 _-x in a predetermined area of the storage device. Accordingly, fraud detection unit 400, if access to a predetermined area of the storage device of the relay apparatus 200 _-1 to 200 DEG _-y, the relay device 200 _-1 to 200 DEG _-y is received from the user terminal 100 _-1 to 100 _-x It is possible to obtain data.

The data data data acquisition unit 41 acquires need not be all the data stored in a predetermined area of the storage device of the relay apparatus 200 _-1 to 200 DEG _-y, added from the previous acquisition It may be (unacquired data) only. Various known techniques can be applied as a method of identifying the added data. For example, and manages records the time that the relay device 200 _-1 to 200 DEG _-y receives data (which may be recorded time data in the storage device) in the storage device, the time after the previous data acquisition time It is possible to acquire only the recorded data.

Data content analysis section 42 is equivalent to the analysis portion of the appended claims, the data that the data acquisition unit 41 has acquired from the plurality of relay devices 200 _-1 to 200 DEG _-y, i.e., a plurality of relay devices 200 _{- 1} to 200- _y analyze the contents of data being processed (received). In the present embodiment, the data content analysis unit 42 in the data in which a plurality of relay devices 200 _-1 to 200 DEG _-y is receiving, the data of the same content to analyze whether two exists. Whether the data has the same content is determined, for example, by opening the file and comparing the data content. Alternatively, whether or not the data has the same content may be determined based on whether or not the property information such as the file name, the file creation date and time, and the data capacity of the file match.

As described above, the user terminals _{100-1 to} 100- _x transmit the same data to the two relay apparatuses 200 as a function of the installed therapeutic application. Therefore, if the situation data legitimate relay device 200 _-1 to 200 DEG _-y from a legitimate user terminal 100 _-1 to 100 _-x is transmitted, the relay is receiving the same data at approximately the same time unit There will always be two hundred.

  On the other hand, if an unauthorized third party hijacks any relay device 200 and an illegal terminal possessed by the third party transmits data generated illegally to the illegal relay device 200, the illegal data is illegal. The same data is not received by the other relay device 200. Therefore, two relay apparatuses 200 receiving the same data at substantially the same time do not exist.

Incidentally, if the predetermined transmission rule so as to transmit from one user terminal 100 the same data to three relay apparatus 200 is set, the data content analysis unit 42, a plurality of relay devices 200 _-1 to 200 DEG _-y In the data being received, it is analyzed whether three pieces of data of the same contents exist. Alternatively, the data content analysis unit 42 in the data in which a plurality of relay devices 200 _-1 to 200 DEG _-y is receiving, the data of the same contents may be analyze whether at least two are present .

  The fraud detection unit 43 detects, based on the analysis result by the data content analysis unit 42, the relay device 200 processing data in a manner against the predetermined transmission rule as the relay device 200 performing fraudulent activity. . In the first embodiment, the fraud detection unit 43 detects a relay device 200 that receives data for which the same data has not been processed in another relay device 200 as a relay device 200 that is performing fraudulent activity.

That is, there is a relay device 200, the data legitimate manner that it does not interfere with the predetermined transmission rules that are set in the user terminal 100 _-1 to 100 _-x (rule of transmitting the same data to at least two relay device 200) If it has been received, there should be another relay device 200 that is receiving the same data as the data received by a given relay device 200.

  On the other hand, when a given relay device 200 is taken over by an unauthorized third party and the given relay device 200 receives data only from a wrong terminal in a mode against the predetermined transmission rule, the given relay device 200 It means that the other relay device 200 has received the same data not received. Therefore, the fraud detection device 400 detects such a relay device 200 as a fraudulent relay device 200.

If the fraud detection unit 43 detects an unauthorized repeater 200, fraud detection unit 400 is, for example, as data from the relay device 200 is not transmitted to the node device 300 _-1 to 300 _-z, unauthorized repeater 200 Lock the operation of Alternatively, the unauthorized relay device 200 may be forcibly shut down. Alternatively, data stored in the unauthorized relay device 200 may be deleted.

In the above embodiment, as an example of a data relay apparatus 200 _-1 to 200 DEG _-y is "process", the relay apparatus 200 _-1 to 200 DEG _-y from a plurality of user terminals 100 _-1 to 100 _-x Although the example of analyzing the "receiving" data has been described, the present invention is not limited thereto. For example, to obtain data relay apparatus 200 _-1 to 200 DEG _-y is "sent" to the node device 300 _-1 to 300 _-z at fraud detection system 400 may be analyzed the transmitted data .

That is, in the above embodiment, the storage device in which a plurality of relay devices 200 _-1 to 200 DEG _-y has each as a target of monitoring, a plurality of relay devices 200 _-1 to 200 DEG _-y is processed (received) an example is shown to analyze are data, to acquire the data transmitted from a plurality of relay devices 200 _-1 to 200 DEG _-y to the node device 300 _-1 to 300 _-z, using the acquired data Te may be analyze data in which a plurality of relay devices 200 _-1 to 200 DEG _-y is processing (transmission).

For example, by setting in advance the address of the fraud detection unit 400 as the data transmission destination address of the relay device 200 _-1 to 200 DEG _-y, data transmitted from the relay device 200 _-1 to 200 DEG _-y node device so that also reaches the fraud detection unit 400 in addition to the 300 _-1 to 300 _-z. In this way, unauthorized (actively) detection apparatus 400 periodically accesses the relay device 200 _-1 to 200 DEG _-y eliminates the need to go to pick up the data, the relay device 200 _-1 to 200 DEG _-y Analysis can be performed on data received passively from.

  When the same data transmitted from one user terminal 100 to two relay apparatuses 200 is transmitted from the two relay apparatuses 200 at approximately the same time, the fraud detection apparatus 400 transmits the same data to two at approximately the same time. It will be received from the relay device 200. On the other hand, when data is transmitted only from the wrong terminal to the wrong relay device 200 (the relay device taken over), the data is sent from only one relay device 200, and from the other relay devices 200. Is not transmitted, the fraud detection device 400 does not receive two identical data at approximately the same time. Therefore, in this case, the fraud detection device 400 can detect that fraudulent activity is being performed in the relay device 200 that is the transmission source of the data.

In the case of performing the analysis as the target data transmitted from the relay device 200 _-1 to 200 DEG _-y is unauthorized third party took over relay device 200 via a malicious relay device 200 from unauthorized terminal in addition to the illegal act of sending incorrect data to the node apparatus 300 _-1 to 300 _-z, illegal act of generating and transmitting incorrect data to the node apparatus 300 _-1 to 300 _-z the relay device 200 to the compromised It is also possible to detect

Second Embodiment
Next, a second embodiment of the present invention will be described based on the drawings. FIG. 3 is a block diagram showing an example of a functional configuration of the fraud detection device 400 'according to the second embodiment. In addition, in this FIG. 3, since what attached | subjected the code | symbol same as the code | symbol shown in FIG. 2 has the same function, the description which overlaps here is abbreviate | omitted.

  As shown in FIG. 3, the fraud detecting apparatus 400 'according to the second embodiment includes a data acquisition unit 41, a processing status analyzing unit 44, and a fraud detecting unit 45 as its functional configuration. Further, the fraud detecting device 400 ′ according to the second embodiment includes an acquired data storage unit 46 that stores data acquired by the data acquiring unit 41. Although the fraud detection apparatus 400 shown in FIG. 2 also has a data storage unit and analyzes data stored in the data storage unit, the acquired data storage unit 46 in FIG. Are stored in chronological order, unlike the first embodiment.

  The functional blocks 41, 44 and 45 can be configured by any of hardware, DSP, and software. For example, when configured by software, each of the functional blocks 41, 44 and 45 actually comprises a CPU, a RAM, a ROM, etc. of a computer, and is stored in a recording medium such as a RAM, a ROM, a hard disk or a semiconductor memory. Is realized by the operation of the program.

In the second embodiment, the fraud detection unit 400 'does not analyze the contents of the data, by analyzing the processing status of the data in the relay apparatus 200 _-1 to 200 DEG _-y, generates a large number of incorrect data Detection of fraudulent acts such as transmitting to node devices 300 _{-1 to} 300 _-z . The “processing status” to be analyzed is the “reception status” of the data transmitted from the user terminals 100 _{−1 to} 100 _{−x at} the relay devices 200 ₋₁ to 200 _−y , or the relay devices 200 ₋₁ to 200 _−y may be any of "transmission status" of data to the node apparatus 300 _-1 to 300 _-z from.

Same manner as described in the first embodiment, when analyzing the data receiving condition of the relay device 200 _-1 to 200 DEG _-y, data acquisition unit 41 to periodically relay device 200 _-1 to 200 DEG _-y Access to actively acquire data. On the other hand, when analyzing the transmission status of the data from the relay device 200 _-1 to 200 DEG _-y, sure you set the address of the fraud detection unit 400 'to the relay apparatus 200 _-1 to 200 DEG _-y, data acquisition unit 41 Passively acquires data sent to the address.

The data acquired by the data acquisition unit 41 is stored in the acquired data storage unit 46. Here, the acquired data storage unit 46, data obtained from a plurality of relay devices 200 _-1 to 200 DEG _-y is successively stored in time series separately repeater. Processing status analyzer 44, as the target data stored in the acquired data storage unit 46, analyzes the processing status of data in the relay devices 200 _-1 to 200 DEG _-y (receiving state or transmission state).

Processing status analyzer 44 is equivalent to the analysis of the claims, relates to a data in which a plurality of relay devices 200 _-1 to 200 DEG _-y is processing, per unit time of the number of processing or data processing The time intervals (hereinafter, these are simply referred to as "processing frequency") are analyzed. The fraud detection unit 45 detects a relay device 200 having a processing frequency different from that of another relay device 200 as the relay device 200 performing a fraudulent act.

As described above, the user terminal 100 _-1 to 100 _-x is the treated with therapeutic application installed data node via the relay device 200 _-1 to 200 DEG _-y device 300 _-1 to 300 _- Send to _z . As described above, in the present embodiment, it is premised that a plurality of user terminals 100 _{-1 to} 100 _-x all use the same therapeutic application and transmit data as a function of the therapeutic application. In addition, in the case of a therapeutic application for the purpose of improving the lifestyle habits of the user, as a function of the therapeutic application, it is possible to input information of desired behavior or purpose within a substantially fixed time zone of the day. prompt the user, and transmits the information obtained by it to the node device 300 _-1 to 300 _-z. Therefore, the relay apparatus 200 frequency _-1 to 200 DEG _-y is to receive data from the user terminal 100 _-1 to 100 _-x, i.e. the data to the node apparatus 300 _-1 to 300 _-z from the relay device 200 _-1 to 200 DEG _-y the frequency of transmission can be expected to become any relay device 200 _-1 within contemplation that even to 200 DEG _-y.

Therefore, if the situation data legitimate relay device 200 _-1 to 200 DEG _-y from a legitimate user terminal 100 _-1 to 100 _-x is transmitted, the data relay apparatus 200 _-1 to 200 DEG _-y processes The number of processes per unit time or the time interval of data processing is a value within an assumed range in any relay device, and it can be said that the difference between relay devices regarding the value of the processing frequency falls within a predetermined value.

  On the other hand, if an unauthorized third party hijacks any of the relay devices 200 and an unauthorized terminal possessed by the third party transmits a large number of data created illegally to the unauthorized relay device 200, the unauthorized relay device The data processing frequency at 200 is significantly different from the data processing frequency at other relay devices.

Similarly, unauthorized third party takeover one of the relay device 200 and generates a large number of incorrect data in the relay apparatus 200 transmits to the node device 300 _-1 to 300 _-z, its unauthorized repeater The number of processes per unit time of data to be transmitted by 200 or the time interval of data processing (transmission frequency) are significantly different from the transmission frequency of data in other relay devices.

  Therefore, as described above, the fraud detection unit 45 can detect the relay device 200 having a processing frequency different from that of the other relay devices 200 as the relay device 200 performing the fraudulent activity. For example, when analyzing the processing status of one relay device 200, the average value of the data processing frequency in the other relay devices 200 is calculated, and the data processing frequency in the relay device 200 to be analyzed is the average value. When it is larger, it is possible to detect the relay device 200 to be analyzed as the incorrect relay device 200.

In addition, in order to facilitate detection of the unauthorized relay device 200 by the above analysis, the plurality of user terminals _{100-1 to} 100- _x transmit data to at least one relay device 200 according to a predetermined transmission rule. It is preferable to do so. For example, a plurality of user terminals 100 _-1 to 100 _-x a predetermined rule that the difference of the data number to be provided to a plurality of relay devices 200 _-1 to 200 DEG _-y transmits data to be within a predetermined value The data is transmitted to at least one relay apparatus 200 according to

There are various conceivable processes for satisfying the predetermined rule in this case. For example, be adapted to send data to all the relay devices 200 _-1 to 200 DEG _-y from the user terminal 100, it is possible to satisfy the predetermined rule. Alternatively, data is transmitted from the user terminal 100 to one or more (not all) relay apparatuses 200, and the transmission destination relay apparatus 200 is changed in order each time data is transmitted. It is also good. In this case, in order to difference in the number of data provided to the relay device 200 _-1 to 200 DEG _-y becomes less, preferably it transmits two or more data to the relay apparatus 200.

Alternatively, the following method may be used. That is, in the server for managing the downloading of the therapeutic application, keep the state of preset whether the destination to transmit the data to which the relay device 200 _-1 to 200 DEG _-y individual therapeutic application. Then, when setting the destination to the individual therapeutic application, the difference between the number of data to be transmitted to a plurality of relay devices 200 _-1 to 200 DEG _-y sets the destination to be within a predetermined value.

As another example, the following method may be used. That is, in each of the plurality of relay devices 200 _-1 to 200 DEG _-y, to manage the number of data received from the user terminal 100 _-1 to 100 _-x. Then, when the therapeutic application of the user terminal 100 _-1 to 100 _-x transmits data to one of the relay devices 200 _-1 to 200 DEG _-y, a query to a plurality of relay devices 200 _-1 to 200 DEG _-y go and the total number of data each of the relay apparatus 200 _-1 to 200 DEG _-y received so far were obtained from, respectively, so as to transmit the data to the total number is less relay apparatus 200. According to this method, even if the transmission frequency of the data is not used in the user terminal 100 _-1 to 100 _-x therapeutic application as somewhat leveled, a plurality of user terminals 100 _-1 to 100 _-x difference in the number of data to be transmitted to a plurality of relay devices 200 _-1 to 200 DEG _-y from can be made to be within a predetermined value.

Incidentally, in the second embodiment, the fraud detection unit 400 'is then stored in the acquired data storage unit 46 obtains the data from the relay device 200 _-1 to 200 DEG _-y, has been stored in the acquired data storage unit 46 data Although the example which analyzes a process condition by making it into object is demonstrated, this invention is not limited to this. For example, fraud detection unit 400 'may perform the analysis of the processing status as a target data relaying apparatus 200 _-1 to 200 DEG _-y is stored in a predetermined area of the storage device provided respectively. Further, if the log information indicating the reception history or transmission history data in the storage device by the relay device 200 _-1 to 200 DEG _-y comprises respectively are stored, to perform the analysis of the processing status by using the log information May be

As described above in detail, according to the first and second embodiments, instead of the data recorded in the node device 300 _-1 to 300 _-z, and processing relay apparatus 200 _-1 to 200 DEG _-y is since abuse at the relay device 200 _-1 200 _-y by analysis targeting data or the processing status of the data that are is detected, the relay device 200 _-1 to 200 from the user terminal 100 _-1 to 100 _{-x -y} in a system adapted to record a plurality of node devices 300 _-1 to 300 _-z connected by a distributed network of data transmitted through the actually data to the node apparatus 300 _-1 to 300 _-z There it is possible to detect that the abuse is occurring in front of the relay device 200 _-1 to 200 DEG _-y recorded.

When analyzing processing status data or the data relay apparatus 200 _-1 to 200 DEG _-y is received, upon detection of fraud in any of the relay device 200, immediately the unauthorized repeater 200 By performing predetermined processing for the above, it is possible to prevent data from being transmitted from the illegitimate relay apparatus 200. On the other hand, when analyzing the processing status of the data or the data relay apparatus 200 _-1 to 200 DEG _-y is transmitting, upon detection of fraud in any of the relay device 200, immediately the unauthorized relaying By performing a predetermined process on the device 200, it is possible to prevent data from being transmitted from the illegitimate relay device 200 in the next time.

In the first and second embodiments, the user terminals 100 _{-1 to} 100 _-x are described as being terminals equipped with a therapeutic application, but the present invention is not limited to this. That is, if the data obtained by the application of non-therapeutic application intended for recording was put into block chain to the node device 300 _-1 to 300 _-z, it is possible to apply the present invention.

  In addition, the first and second embodiments described above are merely examples of implementation for carrying out the present invention, and the technical scope of the present invention can be interpreted limitedly by these. It is something that can not be done. That is, the present invention can be implemented in various forms without departing from the scope or main features of the present invention.

41 Data acquisition unit 42 Data content analysis unit 43, 45 Fraud detection unit 44 Processing status analysis unit 46 Acquisition data storage unit 100 User terminal (transmission device)
200 relay device 300 node device 400, 400 'fraud detection device

Claims (6)

A plurality of transmission devices that are data transmission sources, a plurality of node devices connected by a distributed network, and a plurality of relay devices that relay data transmitted from the plurality of transmission devices to the plurality of node devices; A fraud detection system comprising: a fraud detection device for detecting fraudulent activity performed by the relay device;
The plurality of transmitting devices transmit data to at least one of the plurality of relay devices according to a predetermined transmission rule,
The fraud detection device is
An analysis unit that analyzes data being processed by the plurality of relay devices or a processing status of the data;
According to the present invention, there is provided a fraud detection unit for detecting a relay device processing data in a manner against the above-mentioned predetermined transmission rule based on the analysis result by the analysis unit as a relay device performing fraudulent activity. Characterized fraud detection system. The transmitting apparatus is configured to transmit data to the two or more relay apparatuses according to the predetermined rule of transmitting the same data to two or more relay apparatuses among the plurality of relay apparatuses.
The analysis unit analyzes the content of data processed by the plurality of relay devices;
The fraud detection unit according to claim 1, characterized in that a relay device processing data for which the same data is not processed in another relay device is detected as a relay device performing an unauthorized action. Fraud detection system. The plurality of transmission devices transmit data to at least one of the plurality of relay devices according to the predetermined rule that data is transmitted such that the difference in the number of data provided to the plurality of relay devices falls within a predetermined value. Send
The analysis unit analyzes the number of processes per unit time or the time interval of data processing with respect to data processed by the plurality of relay devices;
The fraud detecting unit is characterized in that a relay device having a different number of processing per unit time or a time interval of the data processing compared with another relay device is detected as a relay device performing fraudulent activity. The fraud detection system according to claim 1.   The analysis unit analyzes data processed by the plurality of relay devices or the processing status of the data, with the storage devices respectively included in the plurality of relay devices as targets of monitoring. The fraud detection system according to any one of Items 1 to 3.   The analysis unit acquires data transmitted from the plurality of relay devices to the node device, and analyzes data processed by the plurality of relay devices or a processing state of the data. The fraud detection system according to any one of claims 1 to 3. An illegal operation being performed by the relay device for monitoring a plurality of relay devices that relay data between a plurality of transmission devices that are data transmission sources and a plurality of node devices connected by a distributed network A fraud detection device that detects an activity,
An analysis unit that analyzes data being processed by the plurality of relay devices or a processing status of the data;
The fraud which detects the relay apparatus which is processing data in the mode contrary to the predetermined transmission rule set to the above-mentioned a plurality of transmitting apparatuses based on the result of the analysis by the above-mentioned analysis part as a relay apparatus which is doing fraudulent activity A fraud detection device comprising: a detection unit.