JP6680666B2 - Information analysis device, information analysis system, information analysis method, and information analysis program - Google Patents

Description

  The present invention relates to an information analysis device, an information analysis system, an information analysis method, and an information analysis program.

  By extracting a plurality of feature quantities from user identification information (hereinafter referred to as user ID) used in SNS (Social Networking Service) and the like, and performing machine learning on the extracted plurality of feature quantities, the user ID is obtained. A technique for detecting a large number of unauthorized users is known.

ZAFARANI, Reza LIU, Huan. 10 Bits of Surprise: Detecting Malicious Users with Minimum Information.In: Proceedings of the 24th ACM International on Conference on Information and Knowledge Management.ACM, 2015.p. 423431.

  However, in the related art, the feature amounts extracted are diverse, and the detection accuracy of the illegally acquired user ID may not be improved depending on the combination of the feature amounts.

  The present invention has been made in consideration of such circumstances, and an object thereof is to improve the detection accuracy of an illegally acquired user ID.

  One aspect of the present invention is an acquisition unit that acquires identification information of a user, and a character string indicated by the identification information of the user acquired by the acquisition unit, into a character string or a feature amount related to the probability of existence of a character, and a character string. An illegal extraction is performed from the feature amount related to a specific symbol included and the feature amount extracted from the character string by the extraction unit that extracts at least a part of the feature amount related to the keyboard layout that differs depending on the region. It is an information analysis device comprising: a machine learning unit that selects, using machine learning, a feature amount for detecting the acquired identification information of a user.

  According to one aspect of the present invention, it is possible to improve the detection accuracy of an illegally acquired user ID.

It is a figure showing an example of information analysis system 1 containing information analysis device 100 in an embodiment. It is a figure which shows an example of a structure of the terminal device 10 in embodiment. It is a figure which shows an example of a structure of the server apparatus 50 in embodiment. It is a figure showing an example of account information 54. It is a figure showing an example of composition of information analysis device 100 in an embodiment. It is a flowchart which shows an example of the process which produces | generates the pattern identification model for solving a binary classification problem. It is a figure which shows an example of the teacher data 132. It is a figure showing an example of feature amount information 134. It is a figure which shows an example of the keyboard of QWERTY arrangement | positioning, and the keyboard of DVORAK arrangement | positioning. It is a figure which shows an example of an actual evaluation result. It is a flow chart which shows an example of processing which classifies unclassified user ID into a positive example or a negative example using the generated pattern recognition model. It is a figure which shows an example of the feature-value of Information Surprise according to the presence or absence of limitation of the number of characters of a user ID. 6 is a diagram showing an example of a screen displayed on the display unit 13 of the terminal device 10 when authenticating a user ID. FIG. It is a figure which shows an example of the hardware constitutions of the terminal device 10, the server apparatus 50, and the information analysis apparatus 100 of embodiment.

  An embodiment of an information analysis device, an information analysis system, an information analysis method, and an information analysis program of the present invention will be described below with reference to the drawings.

[Overview]
The information analysis device of the embodiment is realized by one or more processors. The information analysis device acquires a user ID, and from the character string indicated by the user ID, a feature amount regarding the probability of existence of a character string or a character, a feature amount regarding a specific symbol included in the character string, and a keyboard arrangement that differs depending on the region. The feature amount regarding The user ID in the present embodiment is, for example, user identification information represented by a character string including some or all of letters such as alphabets, numbers, and symbols such as underscores.

  The information analysis device selects a feature amount for detecting an illegally acquired user ID from a plurality of feature amounts extracted from a character string by using machine learning. Then, the information analysis device detects the illegally acquired user ID from the plurality of acquired user IDs based on the characteristic amount for detecting the illegally acquired user ID. As a result, it is possible to improve the detection accuracy of the illegally acquired user ID.

  The “illegal acquisition” in the present embodiment means that a predetermined number or more (for example, 100 or more) user IDs are acquired within a certain observation period, for example.

[overall structure]
FIG. 1 is a diagram illustrating an example of an information analysis system 1 including an information analysis device 100 according to the embodiment. The information analysis system 1 according to the embodiment includes one or more terminal devices 10, a server device 50, and an information analysis device 100. These devices are connected to each other via the network NW. The network NW includes, for example, a wireless base station, Wi-Fi access point, communication line, provider, Internet, and the like. Note that it is not necessary that all combinations of the respective devices illustrated in FIG. 1 can communicate with each other, and the network NW may partially include a local network.

  The terminal device 10 is a device used by a user. The terminal device 10 is, for example, a mobile phone such as a smartphone, a tablet terminal, or a computer device such as a personal computer. For example, the terminal device 10 may be used to register a user ID on a website such as a shopping site, a mail service, an SNS service, an information providing service, or the like.

  The server device 50 provides various services. For example, the server device 50 may be a web server device that provides a website for providing various services via a web browser activated on the terminal device 10. Further, the server device 50 may be an application server device that delivers various information by communicating with the terminal device 10 in which a predetermined application program is started (executed). A screen capable of providing various services is displayed on the terminal device 10 in which a predetermined application program has been activated, by communication with the server device 50. Hereinafter, in order to simplify the description, it is assumed that the server device 50 is a web server device.

  For example, the server device 50 authenticates the user ID before providing the service and confirms the user. As a result of the authentication, the server device 50 provides various services if the user has already registered the user ID, and notifies that the user has not registered the user ID if the user has not registered the user ID. , Prompt user ID registration. When the user newly registers the user ID in response to the fact that the user ID has not been registered, the server device 50 issues the newly registered user ID. This allows the user to newly acquire the user ID.

  The information analysis device 100 communicates with the server device 50, acquires the user ID of the user who uses the service provided by the server device 50, and analyzes this user ID by machine learning, whereby the information is illegally acquired. It detects whether or not the user ID exists. The machine learning in this embodiment is supervised learning such as SVM (Support Vector Machine) and logistic regression.

[Configuration of terminal device]
The configuration of each device will be described below. FIG. 2 is a diagram illustrating an example of the configuration of the terminal device 10 according to the embodiment. As illustrated, the terminal device 10 includes, for example, a terminal side communication unit 11, a reception unit 12, a display unit 13, a terminal side storage unit 14, and a terminal side control unit 15.

  The terminal-side communication unit 11 communicates with the server device 50 via the network NW. When receiving information from the server device 50, the terminal-side communication unit 11 outputs the received information to the terminal-side control unit 15. The terminal-side communication unit 11 also receives information from the terminal-side control unit 15 and transmits information to the server device 50.

  The reception unit 12 is, for example, a user interface such as a keyboard, a button, a mouse, a microphone, and a touch panel, and receives an operation from a user. Further, the receiving unit 12 may receive, for example, a voice input. When the display unit 13 is a touch panel, part of the reception unit 12 is formed integrally with the display unit 13.

  The display unit 13 is a display device such as an LCD (Liquid Crystal Display) or an organic EL (Electroluminescence) display, for example. The display unit 13 displays various images based on the information input from the terminal-side control unit 15.

  The terminal-side storage unit 14 is realized by, for example, an HDD (Hard Disc Drive), a flash memory, an EEPROM (Electrically Erasable Programmable Read Only Memory), a ROM (Read Only Memory), a RAM (Random Access Memory), or the like.

  The terminal-side control unit 15 is realized by, for example, a processor such as a CPU (Central Processing Unit) executing a program stored in the terminal-side storage unit 14. The terminal-side control unit 15 may be realized by hardware such as an LSI (Large Scale Integration), an ASIC (Application Specific Integrated Circuit), or an FPGA (Field-Programmable Gate Array), or may be realized by software and hardware. It may be realized by collaboration.

  The terminal-side control unit 15 activates a UA (User Agent) such as a web browser, and a predetermined operation is performed on the reception unit 12, so that the terminal-side communication unit 11 causes the server device 50 to operate. In response, an HTTP (Hypertext Transfer Protocol) request is transmitted. Then, the terminal-side control unit 15 generates a web screen based on the web page returned from the server device 50 and causes the display unit 13 to display the web screen.

[Configuration of server device]
FIG. 3 is a diagram illustrating an example of the configuration of the server device 50 according to the embodiment. As illustrated, the server device 50 includes, for example, a server-side communication unit 51, a server-side storage unit 52, and a server-side control unit 55. The server-side control unit 55 is an example of an “authentication unit”.

  The server-side communication unit 51 communicates with the terminal device 10 or the information analysis device 100 via the network NW. When receiving information from the terminal device 10 or the information analysis device 100, the server-side communication unit 51 outputs the received information to the server-side control unit 55. Further, the server-side communication unit 51 transmits information to the terminal device 10 or the information analysis device 100 under the control of the server-side control unit 55.

  The server-side storage unit 52 is realized by, for example, a HDD, a flash memory, an EEPROM, a ROM, a RAM, or the like. The server-side storage unit 52 stores, for example, information for providing a website (hereinafter referred to as website information 53) and account information 54. The website information 53 is information about a web page including text data described in a markup language such as HTML (Hyper Text Markup Language), style sheets, still image data, moving image data, and audio data. The account information 54 includes information such as a user ID registered on the website, a mail address, and a password.

  FIG. 4 is a diagram showing an example of the account information 54. As in the illustrated example, the account information 54 is information in which information such as a mail address and a password is associated with the user ID.

  The server-side control unit 55 is realized, for example, by a processor such as a CPU executing a program stored in the server-side storage unit 52. The server-side control unit 55 may be realized by hardware such as LSI, ASIC, or FPGA, or may be realized by cooperation of software and hardware.

  For example, when the server-side communication unit 51 receives the HTTP request from the terminal device 10, the server-side control unit 55 sends a web page for authenticating the user ID to the terminal device 10 via the server-side communication unit 51. Reply When the user ID is input to the terminal device 10, the server-side control unit 55 compares the input user ID with the account information 54 and determines whether or not the input user ID has already been registered. .

  If the input user ID has not been registered yet, the server-side control unit 55 notifies the terminal device 10 via the server-side communication unit 51 that the user ID has not been registered or registers the user ID. Send information to encourage you. When the user ID is newly registered in the terminal device 10, the server-side communication unit 51 receives the newly registered user ID from the terminal device 10. Then, the server-side control unit 55 adds the new user ID received by the server-side communication unit 51 to the account information 54. As a result, a new user ID is issued.

  On the other hand, if the input user ID is already registered, the server-side control unit 55 transmits the website information 53 to the terminal device 10 via the server-side communication unit 51. Thereby, the terminal device 10 displays a screen on which a web page where various services can be enjoyed is drawn based on the website information 53 by the function of the web browser.

[Configuration of information analysis device]
FIG. 5 is a diagram illustrating an example of the configuration of the information analysis device 100 according to the embodiment. As illustrated, the information analysis device 100 includes, for example, an analysis device side communication unit 102, an analysis device side control unit 110, and an analysis device side storage unit 130.

  The analyzer communication unit 102 includes, for example, a communication interface such as NIC. The analysis device side communication unit 102 communicates with the server device 50 via the network NW. When receiving the information from the server device 50, the analysis device-side communication unit 102 outputs the received information to the analysis device-side control unit 110. For example, the analysis device side communication unit 102 receives the account information 54 from the server device 50. Further, the analysis device side communication unit 102 is controlled by the analysis device side control unit 110 and transmits information to the server device 50.

  The analyzer control unit 110 includes, for example, an acquisition unit 112, an extraction unit 114, a machine learning unit 116, a detection unit 118, and an output control unit 120. Some or all of these components are realized by a processor such as a CPU executing a program stored in the analysis device side storage unit 130. Further, some or all of the constituent elements of the analyzer control unit 110 may be realized by hardware such as LSI, ASIC, or FPGA, or may be realized by cooperation of software and hardware.

  The analyzer storage unit 130 is realized by, for example, a HDD, a flash memory, an EEPROM, a ROM, a RAM, or the like. The analyzer storage unit 130 stores, for example, teacher data 132, feature amount information 134, learning condition information 136, learning data 138, and fraudulent ID information 140. These pieces of information will be described later.

[Machine learning using teacher data]
First, in machine learning, a process of generating a pattern identification model for solving a binary classification problem will be described using a flowchart. The binary classification problem in the present embodiment is to classify a learning target user ID into whether the acquisition of the user ID is normal (normal) or the acquisition of the user ID is illegal. Say. An example in which the acquisition of the user ID is normal is treated as a “positive example”, and an example in which the acquisition of the user ID is incorrect is treated as a “negative example”.

  FIG. 6 is a flowchart showing an example of processing for generating a pattern identification model for solving a binary classification problem. First, the acquisition unit 112 refers to the teacher data 132 and acquires a user ID from this data (S100).

  FIG. 7 is a diagram showing an example of the teacher data 132. The teacher data 132 is, for example, information in which a flag indicating whether or not the user ID is an illegally acquired user ID is added to the user ID. In other words, the teacher data 132 is information that has already been determined to be fraudulent. For example, if the user ID is an illegally acquired user ID, it is given to the flag of "1", and if the user ID is not improperly acquired and is normally acquired, it is given to the flag of "0". For example, the teacher data 132 is information in which a user ID determined to be illegal at a certain point in the past and a user ID used at the same time as this and determined not to be illegal are aggregated.

  Next, the extraction unit 114 extracts, for each user ID acquired by the acquisition unit 112 from the teacher data 132, various feature amounts specified in the feature amount information 134 from the character string indicated by the user ID (S102). . For example, the extraction unit 114 extracts, from the character string indicated by the user ID, a feature amount indicating the ease of inputting the user ID, the randomness of characters included in the character string, and the like.

  FIG. 8 is a diagram showing an example of the feature amount information 134. As in the illustrated example, the feature amount information 134 represents what the feature amount to be extracted is. For example, there are the following 10 types of feature quantities to be extracted. The following feature amounts (1) and (10) are examples of the “feature amount regarding the existence probability of a character string or a character”. Further, the feature amounts of (2) and (5) are examples of the “feature amount regarding a specific symbol included in the character string”, and the feature amounts of (3), (4), (6) to (9). Is an example of "a feature amount relating to the arrangement of keyboards which differs depending on the region".

(1) Information Surprise
(2) Number of numbers included in the character string of the user ID (3) Percentage of characters included in TopRow of the QWERTY array included in the user ID (4) Characters included in TopRow of the DVORAK array included in the user ID Proportion (5) Proportion of numbers included in the character string of the user ID (6) Expected amount of finger movement [m] when typing the user ID in the DVORAK array
(7) Proportion of characters in HomeRow of QWERTY array included in user ID (8) Amount of movement of finger [m] expected when user ID is typed in QWERTY array
(9) Ratio of characters in BottomRow of DVORAK array included in user ID (10) Entropy of user ID (Shannon information amount)

  FIG. 9 is a diagram showing an example of a QWERTY keyboard and a DVORAK keyboard. For example, in the case of a QWERTY keyboard, the characters in TopRow are the characters "Q, W, E, ..., O, P" below the numeric key. The characters in HomeRow are “A, W, E, ..., O, P” one step below TopRow, and the characters in BottomRow are one step above the space key (one step below HomeRow). ) "Z, X, C, ..., N, M". Note that these characters may include symbols such as underscores, slashes, commas, and signs.

  In addition, depending on the country or region, a part of the above various characteristic amounts may be omitted, or other characteristic amounts may be added. For example, in Japan, a keyboard having a QWERTY layout is the mainstream, so various feature quantities ((4), (6), (9)) relating to the DVORAK layout may be omitted.

  For example, the extraction unit 114 extracts the feature quantity of (1) Information Surprise based on the following mathematical expressions (1) and (2).

I (u) in Expression (1) represents the entropy value of Information Surprise, which is a feature amount. Further, u in the equations (1) and (2) represents a character string of the target user ID, p (u) represents the existence probability of the character string u, and m represents the length of the character string u ( Represents the number of characters). Further, c _i in Expression (2) represents the i-th character in the target character string u.

For example, the extraction unit 114 divides the character string u by shifting n characters (for example, n = 6) by using the n-gram method, as shown in Expression (2), and includes the divided character string u. to derive the _| each character _{c i} is the existence probability _p present in the total character string _{(c i- (n-1)} ...) = (c i) to be. Extraction unit 114, the existence probability p of characters c _i, that derived for each string u obtained by dividing by n-gram method, multiplying all existence probability p of characters c _i for each string u units divided Then, the existence probability p (u) of the character string u is derived.

  Then, the extraction unit 114 derives I (u) representing the entropy value of Information Surprise by substituting the existence probability p (u) of the character string u derived based on Expression (2) into Expression (1). To do. As a result, the feature quantity (1) is extracted.

  The extraction unit 114 also extracts the feature amount (2) by counting the number of 0 to 9 included in the character string of the user ID.

  Further, the extraction unit 114 derives the ratio of the number of characters “Q, W, E, ..., O, P” included in the character string of the user ID to the total number of characters included in the character string of the user ID. , (3) are extracted.

  Further, the extraction unit 114 derives the ratio of the number of characters “P, Y, F, ..., R, L” included in the character string of the user ID to the total number of characters included in the character string of the user ID. , (4) are extracted.

  In addition, the extraction unit 114 extracts the feature amount of (5) by deriving the ratio of the number of 0 to 9 included in the character string of the user ID to the total number of characters included in the character string of the user ID. .

  Further, the extraction unit 114 regards the DVORAK array keyboard as a two-dimensional plane, and when the characters included in the character string are typed in the column order based on the relative positional relationship of each key on the two-dimensional plane. The feature amount of (6) is extracted by deriving the expected moving distance of the user's finger. For example, the extraction unit 114 determines the lower left key of the Bottom Row (Ctrl key) as the origin coordinate O (0,0), and determines the position coordinate of each key in the DVORAK array as the relative coordinate from the origin coordinate O. The coordinates of all keys including the key assigned as the origin coordinate O may be, for example, the center coordinates of the key top area of each key. The extraction unit 114 divides the character string indicated by the user ID into characters, and derives the coordinates of the key corresponding to each character. Then, the extraction unit 114 derives the distance between the coordinates of the keys corresponding to each character in the character string order. For example, when the character string is “ABC”, the extraction unit 114 determines the distance between the coordinates of the “A” key and the coordinates of the “B” key and the “C” from the coordinates of the “B” key. The total distance, including the distance between the coordinates of the keys, is multiplied by a scaling factor based on the actual expected size of the keyboard, and the multiplication value (total distance x scaling factor) is set to a predetermined value (for example, 100). The moving distance of the finger is derived by performing the division. As a result, the feature amount (6) is extracted.

  Further, the extraction unit 114 derives the ratio of the number of characters “A, S, D, ..., K, L” included in the character string of the user ID to the total number of characters included in the character string of the user ID. , (7) are extracted.

  In addition, the extraction unit 114 regards the QWERTY keyboard as a two-dimensional plane and uses the character string based on the relative positional relationship of each key in the two-dimensional plane, as in the feature amount extraction method of (6). The feature amount of (8) is extracted by deriving the moving distance of the user's finger assumed when the characters included in are typed in the column order.

  Further, the extraction unit 114 derives the ratio of the number of characters “Q, J, K, ..., V, Z” included in the character string of the user ID to the total number of characters included in the character string of the user ID. , (9) are extracted.

  Further, the extraction unit 114 extracts (10) the entropy feature amount of the user ID based on the following mathematical expression (3).

  H (u) in the mathematical expression (3) represents the entropy value of the user ID. For example, the extraction unit 114 derives the entropy value H (u) of the user ID based on the definition formula of Shannon's information amount (average information amount) shown in Expression (3). As a result, the feature amount (10) is extracted.

  Here, the description returns to the flowchart of FIG. Next, the machine learning unit 116 performs machine learning using some or all of the plurality of feature amounts extracted by the extraction unit 114 (S104), and extracts the user ID from which the feature amount is extracted as a positive example or A pattern identification model for classifying as a negative example is generated.

  For example, the machine learning unit 116 treats each of the plurality of feature amounts extracted by the extraction unit 114 as a feature in the SVM, and sets each feature vector as a positive example or a negative example in a feature space in which each feature is a feature vector. A hyperplane to be classified (a space having a dimension that is one less than the dimension of the feature space) is derived as a pattern identification model. At this time, the machine learning unit 116 classifies, in the teacher data 132, the user ID to which the flag of “0” is added as a positive example and the user ID to which the flag of “1” is added as a negative example. Derive the hyperplane.

  When using logistic regression as machine learning, the machine learning unit 116 treats each of the plurality of feature quantities extracted by the extraction unit 114 as an independent variable and treats a positive example or a negative example as a dependent variable, thereby A curve (another example of the pattern identification model) is derived.

  Then, the machine learning unit 116 evaluates the derived pattern identification model (S106). For example, the machine learning unit 116 evaluates both the pattern identification models in the SVM and the logistic regression by using the F value (F-measure). The F value is an index for evaluating how much the user ID classification result by the pattern identification model matches the true result. The F value is an example of “score”. For example, the F value is derived based on the following formulas (4) to (6).

  The precision indicates the proportion of user IDs that are actually positive examples (user IDs to which a “0” flag is added in the teacher data 132) among the user IDs that are classified as positive examples by the pattern identification model. ing. TP represents the number of user IDs whose classification result by the pattern identification model is positive and whose true result is also positive, and FP is a user whose classification result by the pattern identification model is positive and whose true result is negative. It represents the number of IDs. “Recall” (reproduction rate) represents the ratio of user IDs classified as positive examples by the pattern identification model among the user IDs that are actually positive examples. FN represents the number of user IDs whose classification result by the pattern identification model is negative and whose true result is positive. For example, if the F value (F-measure) is 100 [%], it means that the teacher data 132 can be completely classified into a positive example and a negative example.

  The machine learning unit 116 determines the learning condition based on the evaluation result (F value) of the pattern identification model for each combination of feature amounts (S108). The learning conditions include (1) designating a combination of feature amounts used in machine learning among a plurality of feature amounts extracted by the extraction unit 114, and (2) limiting the number of characters of a user ID targeted for machine learning. Is provided (for example, a user ID having less than 10 characters is excluded from the target of machine learning), and (3) a suitable method is selected from among a plurality of machine learning methods. The learning condition determined by the machine learning unit 116 is stored in the analyzer storage unit 130 as learning condition information 136.

  The purpose of limiting the number of characters of the user ID is to suppress the influence of noise in machine learning. Generally, in a service that has transitioned from a growth period (transitional period) to a maturity period (steady period), the user ID acquired by the user in the service tends to converge to a certain number of characters or more. This is because the probability that the applied user ID overlaps with the already acquired user ID increases as the years increase. Therefore, by limiting the number of characters of the user ID, it is possible to exclude the user ID having the number of characters different from the number of characters of the user ID which is highly likely to be illegally acquired. That is, it is possible to exclude a user ID that has a low probability of being illegally acquired.

FIG. 10 is a diagram showing an example of an actual evaluation result. As shown in (a) in the figure, the number of user IDs of users (normal users) who have successfully logged in (authenticated) at a certain observation time is about “2.4 × 10 ⁶ ”, which is the same as the above observation time. The number of user IDs of users (illegal users) who acquired 100 or more user IDs at the time was about “12.1 × 10 ³ ”. In addition, the number of user IDs of which the number of characters of the user ID is 10 or more among the unauthorized users was about “9.4 × 10 ³ ”.

  The analyzer control unit 110 treats (a) as learning data 138 and performs machine learning of both SVM and logistic regression to evaluate the pattern identification model in each machine learning. At this time, in consideration of class imbalance, the number of user IDs of normal users treated as the learning data 138 in the observation data of (a) is set to be approximately the same as the number of user IDs of unauthorized users. As for the SVM, the soft margin SVM (C-SVM) is used in consideration of the overlap between the feature vectors in the feature space (in consideration of the case where the feature vectors cannot be linearly separated). Regarding logistic regression, L1 regularized logistic regression was used in order to suppress the occurrence of overfitting. Further, when deriving the F value, K-split cross validation (for example, K = 10) was used.

  FIG. 7B shows the evaluation result of each pattern identification model. In the illustrated example, the learning condition that maximizes the F value without specifying the length (the number of characters) of the user ID is 10 in the soft margin SVM (C-SVM) (1) to (10). It was when the learning was performed by combining all the feature amounts (F value = 85.49 [%]). Further, the learning condition that maximizes the F value when the number of characters of the user ID (the length of the user ID) is specified to be 10 characters or more is (1), (2) in the soft margin SVM (C-SVM), It was when learning was performed by combining the seven feature amounts of (4) to (7) and (10) (F value = 89.77 [%]).

  When the number of characters of the user ID is limited, the result of the F value changes because the characteristic amount of Information Surprise changes. As described above, since the entropy value I (u) of Information Surprise is caused by the existence probability p (u) of the character string u of the target user ID, if the character string u is short, its existence probability p (U) becomes large. This increases I (u) and improves the F value.

  In this way, the machine learning unit 116 refers to the F value of the evaluation result, selects the learning condition having the highest F value, and sets the learning condition as a parameter for the learning after the next time. In the example of FIG. 10, since the F value is 89.77 [%], the machine learning unit 116 sets the combination of the feature amounts used in machine learning as (1), (2), For the seven feature quantities (4) to (7) and (10), the character limit of the user ID is determined to be 10 or more, and the machine learning method is determined to be SVM (C-SVM).

[Machine learning using learning data]
After determining the learning condition by the process of the above-described flowchart, the analysis device-side control unit 110 did not use the generated pattern recognition model as the teacher data 132 among the user IDs registered by the server device 50. User IDs are classified into positive examples and negative examples.

  FIG. 11 is a flowchart showing an example of a process of classifying unclassified user IDs into positive examples or negative examples using the generated pattern recognition model. First, the acquisition unit 112 refers to the learning data 138 and acquires the user ID from this data (S200).

  The learning data 138 is a set of user IDs that have not been used as the teacher data 132 among the user IDs registered by the server device 50 and that have not been determined to be fraudulent. Since it is assumed that the user ID that was determined to be not illegal in the past in the teacher data 132 can be used even now, the learning data 138 is provided with a flag of “0” in the teacher data 132. User ID may be included.

  Next, the extraction unit 114 extracts 10 feature amounts (1) to (10) from the user ID (unclassified user ID) acquired by the acquisition unit 112 (S202).

  Next, the machine learning unit 116 performs machine learning according to the learning condition determined using the teacher data 132 (S204). For example, when the machine learning unit 116 follows the learning condition determined in the example of FIG. 10 described above, (1), (2), (4) to ((10) of the 10 feature amounts extracted by the extraction unit 114. 7) of 7) and (10) are selected, and machine learning by SVM (C-SVM) is performed with these 7 feature quantities as features. At this time, the machine learning unit 116 sets the number of characters of the user ID classified as a negative example to 10 or more.

  Next, the detection unit 118 detects an illegally acquired user ID from the user IDs included in the learning data 138 based on the result of the machine learning by the machine learning unit 116 (S206). For example, when machine learning by SVM is performed, the detection unit 118 extracts a feature vector (feature) classified as a negative example in the feature space, and identifies the user ID from which the feature amount indicated by the feature vector is extracted. By doing so, the illegally acquired user ID is detected. The unauthorized user ID detected by the detector 118 is stored in the analyzer storage unit 130 as the unauthorized ID information 140.

  It should be noted that the detection unit 118 illegally detects, based on the feature amount of Information Surprise extracted by the extraction unit 114, instead of detecting the user ID obtained illegally based on the result of machine learning by the machine learning unit 116. The acquired user ID may be detected.

  FIG. 12 is a diagram showing an example of the Information Surprise feature amount depending on whether or not there is a limit on the number of characters of the user ID. In the figure, (a) shows the result of the feature amount of Information Surprise when the number of characters of the user ID is not limited, and (b) shows Information when the number of characters of the user ID is limited to 10 or more. It shows the result of Surprise features. In each case, the horizontal axis represents the value of the Information Surprise feature quantity normalized by the standard deviation of the feature quantity, and the vertical axis represents the existence probability p (u) of the character string u from which the Information Surprise feature quantity is extracted. Is represented.

  For example, when the feature amount of Information Surprise is equal to or greater than the threshold TH1 (eg, 250), the detection unit 118 determines that the value of the existence probability p (u) of the character string u is equal to or greater than the threshold TH2 (eg, 5 [%]). In addition, the user ID from which the feature amount of the Information Surprise is extracted may be detected as the illegally acquired user ID.

  Next, the output control unit 120 uses the analysis device-side communication unit 102 to transmit the fraudulent ID information 140, which is the detection result of the detection unit 118, to the server device 50 (S208). This completes the processing of this flowchart.

  When the server device 50 receives the unauthorized ID information 140 from the information analysis device 100, the server device 50 may prohibit the use of the service by the user ID included in the unauthorized ID information 140, or change the authentication method of the user ID. Good.

  FIG. 13 is a diagram showing an example of a screen displayed on the display unit 13 of the terminal device 10 at the time of authenticating the user ID. For example, the server-side control unit 55 determines whether or not the user ID received from the terminal device 10 by the server-side communication unit 51 is included in the illegal ID information 140. That is, the server-side control unit 55 determines whether or not the user ID input at the time of authentication is an illegally acquired user ID. When the user ID input at the time of authentication is not included in the unauthorized ID information 140, the server-side control unit 55 determines that the user ID is a normal user ID and provides the service via the website.

  On the other hand, when the user ID input at the time of authentication is included in the fraudulent ID information 140, the server-side control unit 55 causes the display unit 13 of the terminal device 10 to display a new screen for image authentication. This makes it possible to suppress the use of services for IDs that have a high probability of being an unauthorized user ID by increasing the difficulty level of authenticating the user ID. Further, the server-side control unit 55 may perform, in addition to or in addition to the image authentication, keyword authentication for requesting input of preset information (for example, date of birth or family name) and other authentication. The server-side control unit 55 may increase the difficulty level of the image authentication itself by increasing the number of characters of the image displayed in the image authentication or increasing the degree of character distortion. That is, the server-side control unit 55 may suppress the use of the service using the illegally acquired user ID by increasing the number of times of authentication or increasing the difficulty level of each authentication.

  According to the embodiment described above, at least a part of the feature quantities (1) to (10) is obtained from the acquisition unit 112 that acquires the user ID and the character string that is indicated by the user ID acquired by the acquisition unit 112. From the extraction unit 114 to extract and the feature amount extracted from the character string by the extraction unit, a feature amount for detecting an illegally acquired user ID (for example, (1), (2), (4)). To (7) and (10) (feature amount) are provided by the machine learning unit 116 that selects using machine learning, it is possible to improve the detection accuracy of the illegally acquired user ID.

  Further, according to the above-described embodiment, the influence of noise in machine learning can be suppressed by limiting the number of characters of the user ID classified as a negative example.

  Further, according to the above-described embodiment, the illegally acquired user ID is detected based on the feature amount selected by using machine learning, and the detected user ID is used at the time of authentication for using the service. In this case, by increasing the number of times of authentication or increasing the difficulty level of each authentication, it is possible to suppress the use of the service using the illegally acquired user ID.

<Hardware configuration>
The terminal device 10, the server device 50, and the information analysis device 100 of the above-described embodiment are realized by, for example, a hardware configuration as shown in FIG. FIG. 14 is a diagram illustrating an example of a hardware configuration of the terminal device 10, the server device 50, and the information analysis device 100 according to the embodiment. This figure shows an example in which the terminal device 10 is a smartphone.

  In the terminal device 10, the CPU 10-1, the RAM 10-2, the ROM 10-3, the secondary storage device 10-4 such as a flash memory, the touch panel 10-5, and the wireless communication module 10-6 are connected by an internal bus or a dedicated communication line. It is connected to each other. The wireless communication module 10-6 connects to the network NW by accessing the wireless base station. The wireless communication module 10-6 corresponds to the terminal side communication unit 11, and the touch panel 10-5 corresponds to the reception unit 12 and the display unit 13. The RAM 10-2, the ROM 10-3, and the secondary storage device 10-4 correspond to the terminal-side storage unit 14. Further, the program stored in the secondary storage device 10-4 is expanded in the RAM 10-2 by a DMA controller (not shown) or the like and executed by the CPU 10-1, so that the terminal-side control unit 15 is realized.

  In the server device 50, the NIC 50-1, CPU 50-2, RAM 50-3, ROM 50-4, secondary storage device 50-5 such as flash memory and HDD, and drive device 50-6 are connected by an internal bus or a dedicated communication line. It is connected to each other. A portable storage medium such as an optical disk is attached to the drive device 50-6. The NIC 50-1 corresponds to the server-side communication unit 51, and the RAM 50-3, the ROM 50-4, and the secondary storage device 50-5 correspond to the server-side storage unit 52. A program stored in a portable storage medium mounted on the secondary storage device 50-5 or the drive device 50-6 is expanded in the RAM 50-3 by a DMA controller (not shown) or the like and executed by the CPU 50-2. As a result, the server-side control unit 55 is realized. The program referred to by the server-side control unit 55 may be downloaded from another device via the network NW.

  In the information analysis device 100, the NIC 100-1, the CPU 100-2, the RAM 100-3, the ROM 100-4, the secondary storage device 100-5 such as a flash memory or an HDD, and the drive device 100-6 are an internal bus or a dedicated communication line. Are connected to each other by. A portable storage medium such as an optical disk is attached to the drive device 100-6. The NIC 100-1 corresponds to the analysis device side communication unit 102, and the RAM 100-3, the ROM 100-4, and the secondary storage device 100-5 correspond to the analysis device side storage unit 130. The program stored in the secondary storage device 100-5 or the portable storage medium mounted in the drive device 100-6 is expanded in the RAM 100-3 by a DMA (Direct Memory Access) controller (not shown), and the CPU 100- By being executed by 2, each functional unit of the analysis device side control unit 110 is realized. The program referenced by the analyzer control unit 110 may be downloaded from another device via the network NW.

  As described above, the embodiments for carrying out the present invention have been described by using the embodiments, but the present invention is not limited to these embodiments at all, and various modifications and substitutions are made without departing from the gist of the present invention. Can be added.

  DESCRIPTION OF SYMBOLS 1 ... Information analysis system, 10 ... Terminal device, 11 ... Terminal side communication part, 12 ... Reception part, 13 ... Display part, 14 ... Terminal side storage part, 15 ... Terminal side control part, 50 ... Server device, 51 ... Server Side communication unit, 52 ... Server side storage unit, 55 ... Server side control unit, 100 ... Information analysis device, 102 ... Analysis device side communication unit, 110 ... Analysis device side control unit, 112 ... Acquisition unit, 114 ... Extraction unit, 116 ... Machine learning unit, 118 ... Detection unit, 120 ... Output control unit, 130 ... Analysis device side storage unit, 132 ... Teacher data, 134 ... Feature amount information, 136 ... Learning condition information, 138 ... Learning data, 140 ... Illegal ID information, NW ... Network

Claims (12)

An acquisition unit that acquires user identification information,
From a character string indicated by the identification information of the user acquired by the acquisition unit, a characteristic amount relating to a character string or a probability of existence of a character, a characteristic amount relating to a specific symbol included in the character string, and a characteristic relating to a keyboard arrangement which varies depending on regions. An extraction unit for extracting at least a part of the amount,
From the feature amount extracted from the character string by the extraction unit, a machine learning unit that selects a feature amount for detecting illegally acquired user identification information using machine learning,
An information analysis device including. The feature amount relating to the existence probability of the character string or the character is a feature amount based on the entropy value of the existence probability of the character string or character,
The information analysis device according to claim 1. The machine learning unit is
Solving a binary classification problem that classifies the features into positive examples and negative examples, using each of the plurality of feature quantities extracted by the extraction unit as a feature,
A combination of feature amounts having the highest score in the binary classification problem is selected as a feature amount for detecting the illegally acquired identification information of the user.
The information analysis apparatus according to claim 1. The feature amount relating to the existence probability of the character string or the character is a feature amount whose value varies according to the length of the character string,
The machine learning unit derives the score by limiting the length of a character string indicated by the identification information of the user,
The information analysis device according to claim 3. When the region is Japan, the feature amount related to the keyboard layout is set to the feature amount related to the QWERTY layout,
The information analysis device according to any one of claims 1 to 4. Based on the feature amount selected by the machine learning unit, further includes a detection unit that detects the illegally acquired user identification information from among the plurality of user identification information acquired by the acquisition unit,
The information analysis device according to any one of claims 1 to 5. Of the plurality of characteristic amounts extracted by the extraction unit, based on the characteristic amount related to the probability of existence of the character string or the character, the illegally acquired from the identification information of the plurality of users acquired by the acquisition unit Further comprising a detection unit for detecting the identified user identification information,
The information analysis device according to any one of claims 1 to 5. The detection unit, when the feature amount related to the existence probability of the character string or character exceeds a threshold value, the identification information of the user who is the extraction source of the feature amount related to the existence probability of the character string or character exceeding the threshold value, Detected as the illegally acquired user identification information,
The information analysis device according to claim 7. An acquisition unit that acquires user identification information,
An extraction unit that extracts a feature amount relating to the existence probability of a character string or a character from the character string indicated by the identification information of the user acquired by the acquisition unit,
When the feature amount relating to the existence probability of the character string or the character exceeds a threshold value, the identification information of the user who is the extraction source of the feature amount relating to the existence probability of the character string or the character value exceeding the threshold value is illegally acquired by the user. A detection unit that detects the identification information of
An information analysis device including. An information analysis apparatus according to any one of claims 7 to 9,
A reception unit that receives an input operation of the user identification information,
An authentication unit that authenticates the user based on an input operation of the identification information of the user received by the reception unit,
When the identification information of the user detected as the identification information of the illegally acquired user by the detection unit is accepted by the reception unit, the authentication unit changes the difficulty level of the authentication,
Information analysis system. Computer
Obtain the user's identification information,
From the character string indicated by the acquired identification information of the user, at least one of a characteristic amount relating to the probability of existence of a character string or a character, a characteristic amount relating to a specific symbol included in the character string, and a characteristic amount relating to a keyboard layout that differs depending on a region. Extract some,
From the characteristic amounts extracted from the character string, a characteristic amount for detecting the illegally acquired identification information of the user is selected using machine learning,
Information analysis method. On the computer,
Get user identification information,
From the character string indicated by the acquired identification information of the user, of the characteristic amount relating to the existence probability of the character string or the character, the characteristic amount relating to a specific symbol included in the character string, and the characteristic amount relating to the keyboard layout which differs depending on the region. Let at least a portion be extracted,
From among the feature amounts extracted from the character string, a feature amount for detecting illegally acquired user identification information is selected using machine learning,
Information analysis program.

Images