JP6563615B1 - Fraud detection system and fraud detection device - Google Patents

Abstract

A plurality of relay devices 200-1 to 200-y that relay data provided from a plurality of user terminals 100-1 to 100-x, and a plurality of node devices 300-1 to 300-z connected by a distributed network In the system comprising the above, the data recording status of each relay device is analyzed for a plurality of data transmitted as records from the relay devices 200-1 to 200-y to the node devices 300-1 to 300-z. By performing an abnormality determination based on the analyzed data recording status, and determining that fraud has been performed on data originating from a relay device whose data recording status is determined to be abnormal, By analyzing whether or not there is an abnormality in the data recording status with respect to the node devices 300-1 to 300-z even if the data has been tampered with before being put into the distributed network To be able to detect that fraud has been performed such as falsification for the data.

Description

  The present invention relates to a fraud detection system and a fraud detection device, and is particularly suitable for use in a system that detects fraudulent acts performed on data communicated over a network.

  In recent years, systems utilizing communication network technologies such as the Internet have been widely used. In this type of system, a large amount of data is transmitted and received between a plurality of terminals or between a terminal and a server. For example, uploading and storing data from the terminal to the server or executing a predetermined process on the server based on data transmitted from the terminal to the server may be a function of most systems.

  There are various types of data flowing on the network, such as confidential information of companies, important information, and personal information of users, and there is a strong demand to protect such information from fraudulent acts such as tampering. In order to respond to this request, various fraud detection systems for discovering that data tampering or unauthorized access to a server storing the data are provided (see, for example, Patent Documents 1 to 3). ).

  In the system described in Patent Document 1 (Japanese Patent Laid-Open No. 2006-350561), destination log information indicating a destination to which each device has transmitted information is collected from a plurality of registered devices, and based on the collected destination log information, When it is detected that the number of pieces of information transmitted from a plurality of registered devices to the same destination exceeds a preset threshold, it is determined that unauthorized access to the destination has occurred.

  In the system described in Patent Document 2 (Japanese Patent Laid-Open No. 2009-169791), when data is transmitted / received between the EDI system and the customer system, the number of slips and the number of slip details when entering the EDI system In the EDI system, the number of slips at the time of output and the number of slip details lines, which are the results of format conversion and business processing, are compared and confirmed, and data loss and increase in fraud are detected.

  In the system described in Patent Document 3 (Japanese Patent Application Laid-Open No. 2014-146868), when first data having the same identifier and a reception interval shorter than a predetermined period is received with respect to the reception data used as a reference, the reference The reception of data having the same identifier as the first data is waited until a predetermined period elapses from the reception time of the received data, and during this time, the second data having the same identifier as the first data is received. Sometimes it is determined that fraud has occurred.

  By the way, in recent years, a distributed ledger technology called a block chain has attracted attention, and examples of utilization in various fields are increasing. The block chain is a distributed network including a plurality of node devices, and the data recorded in the block shared between the node devices cannot be changed retrospectively in theory. Blockchain has a strong resistance to data tampering.

  However, in the block chain, it is only extremely difficult to falsify data recorded in the block, and it is impossible to prevent falsification before data is recorded in the block. That is, when the altered data is input to the block chain, the malicious data is stored in an unchangeable state.

  For example, it is conceivable to use a block chain in a system that records data by transmitting data from a large number of terminals to a server. By arranging the server on the block chain distributed network, it is possible to prevent subsequent alteration of the data recorded in the server.

  However, in this case, if the system configuration is such that a large number of terminals directly write data to the block chain, it becomes necessary to open a network to the large number of terminals and manage a large number of keys. In order to avoid this, it is considered that a small number of relay servers are installed between the terminal and the block chain, and the system is configured to transmit data to the block chain from a large number of terminals via the small number of relay servers. It is done. In this way, it is only necessary to open the network to a small number of relay servers, and the number of keys to be managed can be reduced.

  However, in this case, if the administrator of the relay server is malicious, part or all of the data received from the terminal can be falsified and the falsified data can be put into the block chain. For this reason, even if the system is designed to prevent data tampering using the block chain, a system for detecting that tampering has been performed on the data actually recorded in the block should be introduced. Is desired.

  The present invention has been made in view of such circumstances, and data transmitted from a plurality of transmission devices and recorded in a plurality of node devices connected by a distributed network is altered. The purpose is to be able to detect whether or not.

  In order to solve the above-described problems, in the present invention, in a system including a plurality of transmission devices and a plurality of node devices connected by a distributed network, the history is transmitted from the plurality of transmission devices to the node devices. For a plurality of recorded data, the data recording status is analyzed for each transmitting device, and an abnormality is determined based on the analyzed data recording status, thereby transmitting the transmitting device whose data recording status is determined to be abnormal. It is determined that fraud has been performed on the original data.

  According to the present invention configured as described above, any data transmitted from a plurality of transmission devices and recorded in a plurality of node devices connected by a distributed network may be tampered with in any transmission device. When the fraudulent data is transmitted to the distributed network and recorded in a plurality of node devices, the recording status becomes abnormal. According to the present invention, since it is determined whether or not there is an abnormality in the recording status of the data analyzed for each transmission device, it is confirmed that fraud such as tampering with data is performed in the transmission device in which the recording status is determined to be abnormal. Can be detected.

It is a figure which shows the example of whole structure of the fraud detection system by this embodiment. It is a block diagram which shows the function structural example of the fraud detection apparatus by this embodiment. It is a block diagram which shows the function structural example of the recording condition analysis part by the 1st pattern of this embodiment, and a fraud determination part. It is a block diagram which shows the function structural example of the recording condition analysis part by the 2nd pattern of this embodiment, and a fraud determination part. It is a block diagram which shows the function structural example of the recording condition analysis part by the 3rd pattern of this embodiment, and a fraud determination part. It is a block diagram which shows the function structural example of the recording condition analysis part by the 4th pattern of this embodiment, and a fraud determination part. It is a schematic diagram for demonstrating an example of the processing content of the recording condition analysis part by a 1st pattern of this embodiment, and a fraud determination part. It is a schematic diagram for demonstrating an example of the processing content of the recording condition analysis part by a 2nd pattern of this embodiment, and a fraud determination part. It is a schematic diagram for demonstrating an example of the processing content of the recording condition analysis part and fraud determination part by the 3rd pattern of this embodiment.

Hereinafter, an embodiment of the present invention will be described with reference to the drawings. FIG. 1 is a diagram illustrating an example of the overall configuration of the fraud detection system according to the present embodiment. As shown in FIG. 1, the fraud detection system of the present embodiment includes a plurality (x number) of user terminals 100 _{-1 to} 100 _-x and a plurality (y units, x> y) of transmission devices ( (Relay device) 200 _-1 to 200 _-y , a plurality (z pieces) of node devices 300 _{-1 to} 300 _-z, and a fraud detection device 400.

The user terminal 100 _-1 to 100 _-x provides data to be recorded on a plurality of node devices 300 _-1 to 300 _-z. For example, the user terminals 100 _{-1 to} 100 _-x improve a user's lifestyle through execution of a predetermined process, and thereby a treatment application (hereinafter referred to as a treatment application) for the purpose of treating a specific symptom. For example, a smart phone, a tablet terminal, or a personal computer.

For example, in a treatment application, information on a user's symptom or daily behavior is input at any time, or a predetermined process involving the user's behavior is executed, so that the input information and the execution result of the process are obtained. A predetermined analysis is performed and a message related to the predetermined advice is output. The user gradually improves the lifestyle habits by acting according to this message. The user terminals 100 _{-1 to} 100 _-x provide the transmission devices 200 _-1 to 200 _-y with various data (such as input information and execution results of predetermined processing) acquired by the treatment application.

In addition, a part of various processes including the analysis etc. which a therapeutic application performs are performed independently by a therapeutic application. Also, the node device 300 _-1 300 connected (not shown) trial management server _-z is also processing performed by using the data recorded in the node device 300 _-1 300 _-z. Results investigational management server has processed is or are recorded by transmitting the investigational management server to the node device 300 _-1 to 300 _-z, utilized in the therapeutic application are transmitted to the user terminal 100 _-1 to 100 _-x Or

The node devices 300 _{-1 to} 300 _-z are connected by a distributed network, and record data safely in cooperation with each other. For example, a distributed network is a block chain. That is, the node device 300 _-1 300 _-z is the data provided through the transmission apparatus 200 _-1 to 200 DEG _-y from the user terminal 100 _-1 to 100 _-x plurality of node devices 300 _-1 to 300 _- Consensus building processing (consensus processing) for sharing with _z is performed, and only data for which consensus is formed is newly recorded as a history. By using the block chain, subsequent alteration of the data recorded in the node devices 300 _{-1 to} 300 _-z is prevented.

The transmission devices 200 _-1 to 200 _-y acquire data provided from the plurality of user terminals 100 _{-1 to} 100 _-x and use the acquired data as at least one of the plurality of node devices 300 _{-1 to} 300 _-z . Send to one. As described above, the transmission devices 200 _-1 to 200 _-y relay data provided from the user terminals 100 _{-1 to} 100 _-x to the node devices 300 _{-1 to} 300 _-z . The following describes the transmission device 200 _-1 to 200 DEG _-y instead referred to as the relay device 200 _-1 to 200 DEG _-y.

The relay apparatuses 200 _-1 to 200 _-y are managed by a third party other than the user who receives the treatment using the treatment application and the doctor who performs the treatment. The number (y) of relay devices 200 _-1 to 200 _-y is smaller than the number (x) of user terminals 100 _{-1 to} 100 _-x . This is because when a large number of user terminals 100 _-1 to 100 _-x to system configuration write data directly to the block chain, the network is opened to a large number of user terminals 100 _-1 to 100 _-x, a number of keys The purpose is to avoid this because it needs to be managed.

That is, a small number of relay devices 200 _-1 to 200 _-y are installed between a large number of user terminals 100 _{-1 to} 100 _-x and a block chain (a plurality of node devices 300 _{-1 to} 300 _-z ). Data is transmitted from the user terminals 100 _{-1 to} 100 _-x to the block chain via a small number of relay devices 200 _-1 to 200 _-y . In this way, it is only necessary to open the network to a small number of relay devices 200 _-1 to 200 _-y, and the number of keys to be managed can be reduced.

The fraud detection device 400 is transmitted from a large number of user terminals 100 _{-1 to} 100 _-x via a plurality of relay devices 200 _-1 to 200 _-y and recorded in a plurality of node devices 300 _{-1 to} 300 _-z . This is to detect fraud in the data. Data transmitted to the relay apparatus 200 _-1 to 200 DEG _-y from the user terminal 100 _-1 to 100 _-x is, if it is not tampered with by an administrator of the relay apparatus 200 _-1 to 200 DEG _-y, valid data block It is transmitted to any one of the node devices 300 _{-1 to} 300 _-z on the chain, is distributed and recorded in a plurality of node devices 300 _{-1 to} 300 _-z through consensus formation processing, and subsequent tampering is prevented. .

However, when the administrator of the relay devices 200 _-1 to 200 _-y is malicious, part or all of the data received from the user terminals 100 _{-1 to} 100 _-x is falsified, and the falsified data is converted into a block chain. When the data is input, the altered data is recorded in the node devices 300 _{-1 to} 300 _-z through the consensus forming process. The fraud detection device 400 obtains data recorded in the node devices 300 _{-1 to} 300 _-z of the block chain and performs a predetermined analysis, thereby processing the data recorded in the node devices 300 _{-1 to} 300 _-z . Detects tampering.

  FIG. 2 is a block diagram illustrating a functional configuration example of the fraud detection device 400. As shown in FIG. 2, the fraud detection device 400 includes a history data acquisition unit 11, a recording status analysis unit 12, and an fraud determination unit 13 as its functional configuration.

  Each of the functional blocks 11 to 13 can be configured by any of hardware, DSP (Digital Signal Processor), and software. For example, when configured by software, each of the functional blocks 11 to 13 is actually configured by including a CPU, RAM, ROM, etc. of a computer, and a program stored in a recording medium such as RAM, ROM, hard disk, or semiconductor memory. Is realized by operating.

History data acquisition unit 11, from any of the plurality of node devices 300 _-1 to 300 _-z, acquires data recorded as sent history from the user terminal 100 _-1 to 100 _-x. As described above, the data provided from the user terminals 100 _{-1 to} 100 _-x is shared by the consensus building process in the plurality of node devices 300 _{-1 to} 300 _-z , and the same data is stored in the plurality of node devices 300. _{-1 to} 300- _z . Therefore, the history data acquisition unit 11 can acquire data from any node device.

Node device to the recorded data is 300 _-1 to 300 _-z, identification information for identifying the user terminal 100 _-1 to 100 _-x or user is a data provider, the relay device 200 _-1 to 200 _- Identification information for identifying _y and recording date / time information indicating the date / time when the data was recorded in the node devices 300 _{-1 to} 300 _-z are added.

That is, when the user terminals 100 _{-1 to} 100 _-x transmit data, identification information for identifying the user terminals 100 _{-1 to} 100 _-x or the user is added. As identification information of the user terminals _{100-1 to} 100- _x , for example, a MAC address, a serial number, or the like (hereinafter referred to as a user terminal ID) can be used. As identification information for identifying a user, it is possible to use a user ID or the like that is initially registered when using the treatment application.

Further, when the relay devices 200 _-1 to 200 _-y relay data transmitted from the user terminals 100 _{-1 to} 100 _-x , identification information for identifying the relay devices 200 _-1 to 200 _-y is further added. Added. As identification information for identifying the relay devices 200 _-1 to 200 _-y , for example, a MAC address, a serial number, or the like (hereinafter referred to as a relay device ID) can be used. Then, when the data relayed by the relay devices 200 _-1 to 200 _-y is recorded in the node devices 300 _{-1 to} 300 _-z , the recording date information is further added.

The recording state analysis unit 12 transmits history data acquired by the history data acquisition unit 11 (that is, transmitted from the plurality of relay devices 200 _-1 to 200 _-y to the plurality of node devices 300 _{-1 to} 300 _-z as history). For a plurality of recorded data), the data recording status is analyzed for each relay device. In this analysis, the relay device ID and the recording date / time information are used.

The fraud determination unit 13 transmits the relay devices 200 _-1 to 200 _{-y in} which the data recording state is determined to be abnormal by performing abnormality determination based on the data recording state analyzed by the recording state analysis unit 12. It is determined that fraud (falsification) has been performed on the original data.

  Hereinafter, four patterns will be described as the contents of analysis by the recording state analysis unit 12 and the contents of determination by the fraud determination unit 13. Any one or a plurality of these four patterns can be applied. 3 to 6 are block diagrams showing specific functional configuration examples of the recording state analysis unit 12 and the fraud determination unit 13 corresponding to these four patterns. This will be described in detail below with reference to FIGS.

<First pattern>
As shown in FIG. 3, in the case of the first pattern, the recording state analysis unit 12 is configured by a data number calculation unit 12A, and the fraud determination unit 13 is configured by a fraud determination unit 13A.

The number-of-data calculating unit 12A performs, for each transmission source relay device, a plurality of data transmitted from the plurality of relay devices 200 _-1 to 200 _-y and recorded as history in the plurality of node devices 300 _{-1 to} 300 _-z. Calculate the number of data. As described above, the relay device ID is added to the data recorded in the node devices 300 _{-1 to} 300 _-z . Therefore, the data number calculation unit 12A, by counting the number of the relay device ID, the data recorded in the node device 300 _-1 to 300 _-z, sent by any number from which the relay apparatus data is recorded It is possible to analyze the recording status of whether or not it was made.

  The fraud determination unit 13A compares the number of data calculated for each relay apparatus by the data number calculation unit 12A, determines that the number of data more than a predetermined threshold is more abnormal than the other, and determines that the number of data is abnormal. It is determined that fraud has been performed on data originating from the relay device.

  For example, the fraud determination unit 13A compares the largest number of data among the number of data calculated for each relay device by the data number calculation unit 12A and the second largest number of data, and the difference is equal to or greater than a predetermined threshold value. In this case, it is determined that the largest number of data is abnormal, and it is determined that fraud has been performed on the data whose transmission source is the relay device for which the number of data is determined to be abnormal.

When performing the fraud determination using the first pattern, the history data acquisition unit 11 may acquire data related to the most recent predetermined period from the node devices 300 _{-1 to} 300 _-z based on the recording date and time information. In this case, the “predetermined predetermined period” means a period after the last acquisition of data. That is, each time a predetermined period elapses, the history data acquisition unit 11 acquires data newly recorded as a history during the predetermined period from the node devices 300 _{-1 to} 300 _-z .

1 shows a state in which the administrator of the first switching device 200 _-1 performs data tampering, are charged into the block chain make a large amount of invalid data. In this case, compared to the other relay devices 200 _-2 to 200 _-y that are relaying data legitimately, the node devices 300 _{-1 to} 300 are transmitted from the first relay device 200 _-1 performing the fraud. The number of data recorded in _-z increases. Accordingly, fraud determination unit 13A, the difference in abundance of the number of data, incorrect row for recorded data to be transmitted node apparatus 300 _-1 to 300 _-z from the first relay apparatus 200 _-1 It can be determined that

FIG. 7 is a schematic diagram for explaining an example of processing contents of the recording status analysis unit 12 and the fraud determination unit 13A according to the first pattern. In FIG. 7, a plurality of data transmitted from a plurality of relay devices 200 _-1 to 200 _-y and recorded in a plurality of node devices 300 _{-1 to} 300 _-z during a predetermined period are recorded in the recording status analysis unit 12 ( The number of data calculated by the data number calculation unit 12A) for each relay device is shown in the form of a bar graph.

In the example shown in FIG. 7, fraud determination unit 13A, among the number of data calculated by the relay apparatus by the data number calculation unit 12A, the number of data transmitted from the first relay apparatus 200 _-1 most, third It is determined that the number of data transmitted from the relay device _200-3 is the second largest. When the difference Δ between the two data numbers is equal to or greater than a predetermined threshold, the largest number of data is determined to be abnormal, and the first relay device 200 _-1 that is determined to be abnormal is the transmission source. It is determined that the fraudulent data has been fraudulent.

  Note that the determination method described here is merely an example, and the present invention is not limited to this. For example, when the number of data calculated for each relay device by the data number calculation unit 12A is compared with the average value of the other data numbers and the difference is equal to or greater than a predetermined threshold, The largest number of data may be determined as abnormal. Alternatively, the average value or median value of the number of data calculated for each relay device by the data number calculation unit 12A is calculated, and the number of data whose difference from the average value or the median value is equal to or greater than a predetermined threshold is determined to be abnormal. May be.

In order to facilitate the determination based on the difference in the number of data, the plurality of user terminals 100 _{-1 to} 100 _-x has a predetermined difference in the number of data provided to the plurality of relay devices 200 _-1 to 200 _-y. It is preferable to provide data to at least one of the plurality of relay apparatuses 200 _-1 to 200 _-y according to a predetermined rule set to be within the value. In order to reduce the difference in the number of data provided to the relay apparatuses 200 _-1 to 200 _-y , it is preferable to provide data to two or more relay apparatuses.

For example, the number of data received from the user terminals 100 _{-1 to} 100 _-x is managed in each of the plurality of relay devices 200 _-1 to 200 _-y . Then, when the therapeutic application of the user terminal 100 _-1 to 100 _-x transmits data to one of the relay devices 200 _-1 to 200 DEG _-y, a query to a plurality of relay devices 200 _-1 to 200 DEG _-y Then, the total number of data received by each of the relay devices 200 _-1 to 200 _-y so far is acquired, and the data is transmitted to the relay devices with a small total number.

As described above, the “predetermined threshold” used when the fraud determination unit 13A determines whether or not there is fraud based on the difference in the number of data is relayed by a plurality of user terminals 100 _{-1 to} 100 _-x according to a predetermined rule as described above. Even when data is provided to the devices 200 _-1 to 200 _-y , a value larger by a predetermined margin than the variation is set in consideration of variation in the number of data that may occur in a short period of time. .

<Second pattern>
As shown in FIG. 4, in the case of the second pattern, the recording status analysis unit 12 is configured by a date / time information acquisition unit 12B- ₁ and a data number calculation unit 12B- ₂ , and the fraud determination unit 13 is configured by a fraud determination unit 13B. The

Date and time information acquiring section 12B _-1, for a plurality of data recorded is transmitted as a history in a plurality of node devices 300 _-1 to 300 _-z plurality of relay devices 200 _-1 to 200 DEG _-y, each recording date Get information. As described above, the recording date / time information indicating the recording date / time is added to the data recorded in the node devices 300 _{-1 to} 300 _-z . Therefore, the date information acquisition unit 12B- ₁ can acquire this recording date information for each data.

Data number calculation unit 12B _-2, based on the recording date and time information acquired by the date and time information acquiring section 12B _-1, are transmitted from a plurality of relay devices 200 _-1 to 200 DEG _-y plurality of node devices 300 _-1 to For a plurality of data recorded as a history at 300- _z , the number of data for each relay device is calculated for each predetermined period. The number of data for each relay device can be calculated by counting the relay device ID as described above. In the second pattern, this is calculated every predetermined period. The predetermined period is, for example, several minutes or several hours.

The fraud determination unit 13B determines that a relay device whose number of data has increased by a predetermined ratio or more based on the number of data for each relay device calculated by the data number calculation unit 12B- ₂ for each predetermined period is abnormal. It is determined, and it is determined that fraud has been performed on the data whose transmission source is the relay device determined to be abnormal.

As in FIG. 1, if the administrator of the first switching device 200 _-1 performs data tampering, are charged into the block chain make a large amount of bad data, a large amount of data that has been tampered, the short There is a high probability that it will be put into the blockchain in time. In this case, the number of data transmitted and recorded from the first relay device 200 _-1 performing fraud is smaller than that of other relay devices 200 _-2 to 200 _-y that are relaying data legitimately. Get more at once in minutes or hours. Accordingly, fraud determination unit 13B is the difference in ratio of the number of data increases, it is incorrect for data recorded to the transmitted to the node device 300 _-1 to 300 _-z from the first relay apparatus 200 _-1 It can be determined that it is being performed.

FIG. 8 is a schematic diagram for explaining an example of processing contents of the recording status analysis unit 12 and the fraud determination unit 13B according to the second pattern. In FIG. 8, for the data transmitted from the first relay device 200 _{-1 in} which data has been tampered with and recorded in the node devices 300 _{-1 to} 300 _-z , the data number calculation unit 12B _-2 The number of data calculated for each period (for example, every hour) is shown in the form of a line graph.

That is, the line graph in FIG. 8 is one hour from the data number calculation unit 12B- _{2 using} the oldest recording date and time indicated by the recording date and time information acquired by the date and time information acquisition unit 12B- ₁ as a reference (0 on the horizontal axis). The number of data calculated in units is shown in time series.

In the example shown in FIG. 8, 5 hours up to and 6 hours after the reference time, the number of data recorded in transmitted the node device 300 _-1 to 300 _-z from the first relay apparatus 200 _-1 It shows that there is no big fluctuation. Although not shown, the number of data transmitted from other relay devices 200 _-2 to 200 _-y that are not fraudulent and recorded in the node devices 300 _{-1 to} 300 _-z is also determined in any time zone. There are no major fluctuations.

In contrast, in 1 hour toward 6 hours from 5 hours, the number of data recorded in transmitted the node device 300 _-1 to 300 _-z from the first relay device 200 _-1, a predetermined ratio That's a sudden increase. This is because a lot of data created by falsification is transmitted from the first relay device _200-1 .

Accordingly, fraud determination unit 13B, based on the ratio of the number of data increases, incorrect for data recorded to the transmitted to the node device 300 _-1 to 300 _-z from the first relay apparatus 200 _-1 Is determined to have been performed. In this case, not all of the data as a source of the first switching device 200 _-1, only the data sent to 6:00 5:00 may be determined that incorrect data.

In the second pattern, when the administrator of the first switching device 200 _-1 performs data tampering, was charged in a short period of time (minutes or hours) to block the chain to make a large amount of invalid data In addition, the illegal data can be detected. However, the administrator of the first switching device 200 _-1 without feeding a short period of time the incorrect data, it is possible that come put into block chain shifted intentionally timing. In such a case, alteration of data can be detected by analyzing the first pattern.

In order to facilitate the determination based on the difference in the rate of increase in the number of data, the plurality of user terminals 100 _{-1 to} 100 _-x are the number of data provided to the plurality of relay devices 200 _-1 to 200 _-y. It is preferable to provide data to at least one of the plurality of relay devices 200 _-1 to 200 _-y according to a predetermined rule set so that the difference between them is within a predetermined value. In order to reduce the difference in the number of data provided to the relay apparatuses 200 _-1 to 200 _-y , it is preferable to provide data to two or more relay apparatuses.

The “predetermined ratio” used when the fraud determination unit 13B determines whether or not there is fraud based on the difference in the rate of increase in the number of data is that the plurality of user terminals 100 _{−1 to} 100 _−x are predetermined as described above. In consideration of the rate of increase in the number of data normally assumed when data is provided to the relay devices 200 _-1 to 200 _-y according to the rules of the above, the value is set to a value larger by a predetermined margin than that. The

<Third pattern>
As shown in FIG. 5, in the case of the third pattern, the recording status analysis unit 12 is configured by a date / time information acquisition unit 12C- ₁ and a data number calculation unit 12C- ₂ , and the fraud determination unit 13 is configured by an fraud determination unit 13C. The

Date and time information acquiring unit 12C _-1 are those having the same functions as the date and time information acquiring section 12B _-1, are transmitted from a plurality of relay devices 200 _-1 to 200 DEG _-y plurality of node devices 300 _-1 to 300 For each of a plurality of data recorded as history in _-z , each recording date / time information is acquired.

Data number calculation unit 12C _-2 are those having the same function as data number calculation section 12B _-2, based on the recording date and time information acquired by the date and time information acquiring unit 12C _-1, a plurality of relay devices 200 _- For a plurality of data transmitted from ₁ to 200 _-y and recorded as history in the plurality of node devices 300 _{-1 to} 300 _-z , the number of data for each relay device is calculated for each predetermined period. However, in the third pattern, the predetermined period is longer than that in the second pattern, for example, several days or several weeks.

  For this reason, it is preferable that the history data acquisition unit 11 acquires history data for a relatively longer period than when the first pattern or the second pattern is applied.

The fraud determination unit 13C analyzes the trend of the rate of increase in the number of data based on the number of data for each relay device calculated every predetermined period by the data number calculation unit 12C- ₂ . Then, it is determined that a relay device whose number of data has increased at a rate greater than a predetermined threshold value compared to the analyzed rate is abnormal, and fraud is performed on the data having the relay device determined to be abnormal as a transmission source. It is determined that

In the third pattern, it is assumed that the number of users (that is, the number of user terminals _{100-1 to} 100- _x ) using the treatment application gradually increases. If the number of relay devices 200 _-1 to 200 _-y does not increase even if the number of user terminals 100 _{-1 to} 100 _-x increases gradually, the number of data relayed by one relay device is the user terminal It gradually increases as the number of 100 _{−1 to} 100 _−x increases.

Here, due to the nature of the treatment application, as a premise that the user uses it, the doctor makes a diagnosis on the user's symptoms, and the treatment application can be used when the doctor recognizes that it is necessary. Therefore, unlike an application that increases the number of users at once when popular, such as a general smartphone application, the number of users (that is, user terminals 100 _{-1 to} 100 _-x is different in the case of a treatment application. Number) is expected to increase gradually. Therefore, it is assumed that the number of data relayed by one relay device gradually increases.

Therefore, the fraud determination unit 13C sets the number of data transmitted from the relay devices 200 _-1 to 200 _-y and recorded in the node devices 300 _{-1 to} 300 _-z over a relatively long span (several days or weeks). By calculating as a unit, it is possible to analyze the tendency of how much the number of data relayed by one relay device is increasing.

If the administrator of the first switching device 200 _-1, even when placed in a block chain shifted intentionally timing incorrect data tampering, it is transmitted from the first relay apparatus 200 _-1 node device The number of data recorded in 300 _{-1 to} 300 _-z increases at a rate larger than the rate of increase normally assumed as the number of data relays by the relay device per unit. Therefore, it is possible to determine that a relay apparatus in which the number of data increases at a rate greater than a predetermined threshold value compared to the normal rate of increase obtained by analysis is abnormal.

FIG. 9 is a schematic diagram for explaining an example of processing contents of the recording status analysis unit 12 and the fraud determination unit 13C according to the third pattern. In FIG. 9, the result analyzed by the fraud determination unit 13C as an increasing trend of the number of data relayed by one relay device is indicated by a straight line 91, and the first relay device 200 _{− in} which the data has been tampered with. The transition of the increase in the number of data transmitted from ₁ and recorded in the node devices 300 _{-1 to} 300 _-z is shown in the form of a line graph 92.

For example, the fraud determination unit 13C performs the data number calculation unit 12C on a plurality of data transmitted from the plurality of relay devices 200 _-1 to 200 _-y and recorded as history in the plurality of node devices 300 _{-1 to} 300 _-z. Based on the number of data for each relay device calculated every predetermined period (for example, every week) by _-2, the average value of the number of data for each relay device is calculated for each predetermined period. Then, an approximate straight line is obtained from the average value of the number of data calculated for each predetermined period.

A straight line 91 shown in FIG. 9 is an approximate straight line obtained in this way. The approximate straight line 91 gradually increases the number of data relayed by each relay device (that is, data transmitted from each relay device and recorded in the node devices 300 _{-1 to} 300 _-z ). It shows the tendency of the ratio. As described above, as the number of users of the therapeutic application (the number of user terminals 100 _{-1 to} 100 _-x ) gradually increases, the number of data relayed by one relay device gradually increases. To go. This is indicated by the approximate straight line 91.

On the other hand, the line graph 92, the data recorded in the transmission has been the node device 300 _-1 to 300 _-z from the first relay apparatus 200 _-1 tampering with data is being performed, the data number calculation section 12C _-2 Shows the transition of the number of data calculated for each predetermined period. In other words, the line graph 92 is obtained in units of one week from the data number calculation unit 12C- ₂ with the oldest recording date and time indicated by the recording date and time information acquired by the date and time information acquisition unit 12C- ₁ as a reference (0 on the horizontal axis). This shows the number of data calculated in step chronologically.

In the example shown in FIG. 9, the 1-week toward 6 weeks from 5 weeks, the number of data recorded in transmitted the node device 300 _-1 to 300 _-z from the first relay apparatus 200 _-1 increases The rate of going is greater than the rate indicated by the approximate straight line 91.

The fraud determination unit 13C determines that the first relay device _{200-1 in} which the number of data is increasing at a large ratio equal to or greater than the predetermined threshold is abnormal when the difference in the ratio is equal to or greater than the predetermined threshold. It determines that the first relay apparatus 200 _-1 which is determined as abnormal is made invalid to data as a source. In this case, it is determined that only data transmitted during one week from the fifth week to the sixth week is determined as invalid data, not all the data having the transmission source of the first relay device _200-1. It may be.

In order to facilitate the determination based on the difference in the rate of increase in the number of data, the plurality of user terminals 100 _{-1 to} 100 _-x are the number of data provided to the plurality of relay devices 200 _-1 to 200 _-y. It is preferable to provide data to at least one of the plurality of relay devices 200 _-1 to 200 _-y according to a predetermined rule set so that the difference between them is within a predetermined value. In order to reduce the difference in the number of data provided to the relay apparatuses 200 _-1 to 200 _-y , it is preferable to provide data to two or more relay apparatuses.

  The “predetermined threshold” used when the fraud determination unit 13C determines whether there is fraud based on the difference in the rate of increase in the number of data is an increase that is normally assumed as the number of data relays by the relay device per unit. It is set to a value larger than the ratio by a predetermined margin. Note that the predetermined threshold may be set based on a ratio obtained as a result of the fraud determination unit 13C actually analyzing the increase tendency. For example, a value larger than the slope of the approximate straight line 91 shown in FIG. 9 by a predetermined margin (the margin may be zero) may be set as the predetermined threshold.

<4th pattern>
As shown in FIG. 6, in the case of the fourth pattern, the recording status analysis unit 12 is configured by a date / time information acquisition unit 12D, and the fraud determination unit 13 is configured by a fraud determination unit 13D.

Date and time information acquiring unit 12D are those having the same functions as the date and time information acquiring unit 12C _-1, transmitted from a plurality of relay devices 200 _-1 to 200 DEG _-y to a plurality of node devices 300 _-1 to 300 _-z For each of a plurality of data recorded as a history, each recording date / time information is acquired.

  The fraud determination unit 13D analyzes the tendency of the time zone in which the data is recorded based on the recording date information acquired by the date information acquisition unit 12D, and the data is recorded in a time zone different from the analyzed time zone. The relay device is determined to be abnormal, and it is determined that fraud has been performed on data originating from the relay device determined to be abnormal.

Depending on the content of the treatment application, the time zone in which data is transmitted from the user terminals 100 _{-1 to} 100 _-x may fall within a certain range. For example, in the case of a treatment app for treating sleep disorders, it is assumed that the user inputs and transmits data necessary for the treatment app when waking up or at bedtime. Further, it is assumed that processing such as a drowsiness test is executed at a predetermined time zone in the daytime, and data indicating the test result is transmitted.

Accordingly, fraud determination unit 13D, the relay device 200 _-1 200 a recording date and time information of data recorded on the transmitted the node device 300 _-1 to 300 _-z from _-y, for example, time zone divided every few hours It is possible to analyze the tendency of which data is recorded in which time zone and which data is hardly recorded in which time zone.

Then, fraud determination unit 13D determines that the relay device in which data is recorded in a time zone different from the time zone in which data transmitted from many of relay devices 200 _-1 to 200 _-y is recorded is abnormal. It is possible. For example, it is determined whether or not there is a time zone in which data transmitted from one specific relay device occupies a large proportion and the number of data transmitted from other relay devices is small, and such time If there is a band, a specific relay device in which more data is recorded than that in the other period is determined to be abnormal.

As described above in detail, in this embodiment, a plurality of relay devices (transmission devices) 200 _-1 to 200 _-y that relay data provided from a plurality of user terminals 100 _{-1 to} 100 _-x, and a distributed type in a system having a plurality of the node devices 300 _-1 to 300 _-z connected by a network (block chain), it is transmitted from a plurality of relay devices 200 _-1 to 200 DEG _-y plurality of node devices 300 _-1 to By analyzing the data recording status for each relay device according to the first pattern to the fourth pattern for a plurality of data recorded as history in 300- _z , and performing abnormality determination based on the analyzed data recording status, It is determined that fraud has been performed on data originating from a relay device whose data recording status is determined to be abnormal.

The data transmitted from the plurality of relay devices 200 _-1 to 200 _-y and recorded in the plurality of node devices 300 _{-1 to} 300 _-z connected by the distributed network may be altered in any of the relay devices. fraud is performed and the data related to fraud is recorded in the transmitted plurality of node devices 300 _-1 to 300 _-z the distributed network, abnormality occurs in the recording situation. According to the present embodiment configured as described above, whether or not there is an abnormality in the recording status of the data analyzed for each relay device is determined, so that data has been tampered with before being put into the blockchain. Even in this case, through analysis of the data recording status for the node devices 300 _{-1 to} 300 _-z, it is possible to detect that fraud such as falsification of the data is being performed in the relay device that is determined to have an abnormal recording status. .

In the above embodiment, the user terminals 100 _{-1 to} 100 _-x have been described as terminals equipped with therapeutic applications, but the present invention is not limited to this. That is, the present invention can be applied as long as data acquired by an application other than the treatment application is input to the block chain and recorded in the node devices 300 _{-1 to} 300 _-z .

Moreover, although the said embodiment gave and demonstrated as an example the case where the transmitter of a claim is relay apparatus 200 < _-1 > -200- _y , this invention is not limited to this. For example, the present invention is also applied to a system in which the relay apparatuses 200 _-1 to 200 _-y do not exist and the data is directly transmitted from the user terminals 100 _{-1 to} 100 _-x to the node apparatuses 300 _{-1 to} 300 _-z and recorded. It is possible to apply. In this case, the user terminals 100 _{-1 to} 100 _-x correspond to the transmitting device in the claims. When the number of user terminals 100 _{-1 to} 100 _-x is large, the number of open networks and the number of keys to be managed increase, but fraud detection described in the above embodiment (user terminals 100 _{-1 to} 100 _-x Detection of tampering performed in the process) is possible.

In the above embodiment, although the node device 300 _-1 to 300 _-z actually fraud detection device the recorded data 400 has been described for an example to analyze acquired, the present invention is not limited thereto. For example, data transmitted from the relay devices 200 _-1 to 200 _-y to the node devices 300 _{-1 to} 300 _-z (data before actually recorded in the node devices 300 _{-1 to} 300 _-z ) is detected as fraud. The interception data 400 may be intercepted, and the fraud detection device 400 may record the intercepted data as a history and then analyze the history data.

  In addition, each of the above-described embodiments is merely an example of actualization in carrying out the present invention, and the technical scope of the present invention should not be construed in a limited manner. That is, the present invention can be implemented in various forms without departing from the gist or the main features thereof.

DESCRIPTION OF SYMBOLS 11 History data acquisition part 12 Recording condition analysis part 12A, 12B- ₂ , 12C- ₂ Data number calculation part 12B- ₁ , 12C- ₁ , 12D Date and time information acquisition part 13, 13A, 13B, 13C, 13D Fraud determination part 100 User Terminal 200 Relay device 300 Node device 400 Fraud detection device

Claims (6)

A plurality of transmission devices, a plurality of node devices connected by a distributed network, and a fraud detection device that detects fraud in data transmitted from the plurality of transmission devices and recorded in the plurality of node devices. Fraud detection system,
The fraud detection device
For a plurality of data transmitted from the plurality of transmission devices and recorded as history in the plurality of node devices, a recording status analysis unit that analyzes the recording status of the data for each transmission device;
By performing the abnormality determination based on the recording status of the data analyzed by the recording status analysis unit, fraud is performed on data originating from the transmission device in which the recording status of the data is determined to be abnormal. A fraud determination unit that determines that the
The recording status analysis unit includes a data number calculation unit that calculates the number of data for each transmission device of a transmission source for a plurality of data transmitted from the plurality of transmission devices and recorded as history in the plurality of node devices,
The fraud determination unit compares the number of data calculated for each transmission device by the data number calculation unit, determines that the number of data more than a predetermined threshold than the other is abnormal, and determines that the number of data is abnormal A fraud detection system characterized in that fraud is determined for data originating from a transmission device . A plurality of transmission devices, a plurality of node devices connected by a distributed network, and a fraud detection device that detects fraud in data transmitted from the plurality of transmission devices and recorded in the plurality of node devices. Fraud detection system,
The fraud detection device
For a plurality of data transmitted from the plurality of transmission devices and recorded as history in the plurality of node devices, a recording status analysis unit that analyzes the recording status of the data for each transmission device;
By performing the abnormality determination based on the recording status of the data analyzed by the recording status analysis unit, fraud is performed on data originating from the transmission device in which the recording status of the data is determined to be abnormal. A fraud determination unit that determines that the
The upper recording status analysis unit includes a date / time information acquisition unit that acquires each recording date / time information for a plurality of data transmitted from the plurality of transmission devices and recorded as a history in the plurality of node devices,
The fraud determination unit analyzes the tendency of the time zone in which the data is recorded based on the recording date / time information acquired by the date / time information acquisition unit, and the data is recorded in a time zone different from the analyzed time zone. A fraud detection system, wherein a fraudulent transmission device is determined to be abnormal and it is determined that fraud has been performed on data having the transmission device determined to be abnormal as a transmission source . A plurality of transmission devices, and a plurality of node devices connected by a distributed network, a fraud detection system for detecting incorrect for the data recorded in the plurality of node devices sent from the plurality of transmission apparatuses, the A fraud detection system comprising a plurality of user terminals that provide data ,
The fraud detection device
For a plurality of data transmitted from the plurality of transmission devices and recorded as history in the plurality of node devices, a recording status analysis unit that analyzes the recording status of the data for each transmission device;
By performing the abnormality determination based on the recording status of the data analyzed by the recording status analysis unit, fraud is performed on data originating from the transmission device in which the recording status of the data is determined to be abnormal. A fraud determination unit that determines that the
The transmission device is a relay device that acquires data provided from the plurality of user terminals and transmits the acquired data to at least one of the plurality of node devices,
The plurality of node devices perform consensus formation processing for sharing the data transmitted from the relay device with the plurality of node devices, record the consensus formed data as the history,
The plurality of user terminals provide the data to at least one of the plurality of relay devices according to a predetermined rule set so that a difference in the number of data provided to the plurality of relay devices is within a predetermined value. The fraud detection system according to claim 1 or 2 , characterized in that: A plurality of transmission devices, and a plurality of node devices connected by a distributed network, a fraud detection system for detecting incorrect for the data recorded in the plurality of node devices sent from the plurality of transmission apparatuses, the A fraud detection system comprising a plurality of user terminals that provide data ,
The fraud detection device
For a plurality of data transmitted from the plurality of transmission devices and recorded as history in the plurality of node devices, a recording status analysis unit that analyzes the recording status of the data for each transmission device;
By performing the abnormality determination based on the recording status of the data analyzed by the recording status analysis unit, fraud is performed on data originating from the transmission device in which the recording status of the data is determined to be abnormal. A fraud determination unit that determines that the
The transmission device is a relay device that acquires data provided from the plurality of user terminals and transmits the acquired data to at least one of the plurality of node devices,
The plurality of node devices perform consensus formation processing for sharing the data transmitted from the relay device with the plurality of node devices, record the consensus formed data as the history,
The fraud detection device is data transmitted from the relay device to the node device, acquires data before being recorded in the node device, and records the acquired data as a history inside, A fraud detection system that performs processing of the recording state analysis unit and the fraud determination unit based on data recorded as the history . Applied to a system including a plurality of transmission devices and a plurality of node devices connected by a distributed network, and detects fraud in data transmitted from the plurality of transmission devices and recorded in the plurality of node devices. A fraud detection device that
For a plurality of data transmitted from the plurality of transmission devices and recorded as history in the plurality of node devices, a recording status analysis unit that analyzes the recording status of the data for each transmission device;
By performing the abnormality determination based on the recording status of the data analyzed by the recording status analysis unit, fraud is performed on data originating from the transmission device in which the recording status of the data is determined to be abnormal. A fraud determination unit that determines that the
The recording status analysis unit includes a data number calculation unit that calculates the number of data for each transmission device of a transmission source for a plurality of data transmitted from the plurality of transmission devices and recorded as history in the plurality of node devices,
The fraud determination unit compares the number of data calculated for each transmission device by the data number calculation unit, determines that the number of data more than a predetermined threshold than the other is abnormal, and determines that the number of data is abnormal A fraud detection device, wherein it is determined that fraud has been performed on data originating from a transmission device. Applied to a system including a plurality of transmission devices and a plurality of node devices connected by a distributed network, and detects fraud in data transmitted from the plurality of transmission devices and recorded in the plurality of node devices. A fraud detection device that
For a plurality of data transmitted from the plurality of transmission devices and recorded as history in the plurality of node devices, a recording status analysis unit that analyzes the recording status of the data for each transmission device;
By performing the abnormality determination based on the recording status of the data analyzed by the recording status analysis unit, fraud is performed on data originating from the transmission device in which the recording status of the data is determined to be abnormal. A fraud determination unit that determines that the
The upper recording status analysis unit includes a date / time information acquisition unit that acquires each recording date / time information for a plurality of data transmitted from the plurality of transmission devices and recorded as a history in the plurality of node devices,
The fraud determination unit analyzes the tendency of the time zone in which the data is recorded based on the recording date / time information acquired by the date / time information acquisition unit, and the data is recorded in a time zone different from the analyzed time zone. A fraud detection device, wherein a fraudulent detection device is determined to be abnormal and it is determined that fraud has been performed on data originating from the transmission device determined to be abnormal .