JP6842951B2 - Unauthorized access detectors, programs and methods - Google Patents

Description

The present invention relates to a technique for determining and detecting in advance an unauthorized access performed via a network such as the Internet to effectively prevent the occurrence of damage.

With the spread of the Internet and the expansion of the provision of various services on the Internet, the problem of unauthorized access by illegally using the IDs and passwords of others is increasing.
Unauthorized access means that another person without access authority accesses various systems and servers via a network such as the Internet to leak or leak internal information, etc., and illegally uses the information. Leakage has become a serious problem that has a great impact on the credit and image of companies and organizations.

Especially in recent years, for example, unauthorized access acts of "list-type account hacking" called "password list attack", "account list attack", "list-type attack", etc. have been carried out, and membership-based websites and online shopping It may cause enormous damage on sites, Internet banking, etc.
So far, defense means and defense technologies such as firewalls and WAFs (Web Application Firewalls) have been known for unauthorized access on networks (see, for example, Patent Document 1).

Japanese Unexamined Patent Publication No. 2008-117007

However, unauthorized access in recent years is often carried out systematically and professionally, and its methods are evolving and becoming more sophisticated day by day, and conventional unauthorized access countermeasure technologies cannot provide sufficient protection, especially. , It was difficult to accurately distinguish between the original normal access and the unauthorized access.
Recently, for example, a technique called OpenID (registered trademark) Connect, which allows access to a plurality of servers and systems by one authentication process, has been proposed.
This is an ID linkage technology that enables each user to log in and authenticate with one ID when using various websites and application services on the Internet, and realizes a single sign-on function. It is expected to be used and expanded as a highly convenient system and service.

However, in the authentication process on the network including such a single sign-on system, if the correct authentication information (ID, password, etc.) is used, the authentication process is performed regardless of who inputs or accesses the server. And you will be able to log in to the system.
Therefore, if authentication information such as ID and password is leaked or leaked, it becomes very difficult or impossible to prevent unauthorized access, and this is as disclosed in Patent Document 1. Existing firewalls and WAFs could not be effective defense measures.

The present invention has been proposed to solve the problems of the above-mentioned conventional techniques, and is an unauthorized access to an access request to a plurality of target devices based on the same authentication information from a user terminal. The purpose is to provide an unauthorized access detection device and a program and method used for the unauthorized access detection device, which can determine the possibility and prevent the occurrence of damage such as information leakage in advance.

In order to achieve the above object, the unauthorized access detection device of the present invention is an information processing device that transmits predetermined access permission information related to the user terminal to the target device to which the access request information is transmitted from the user terminal. The authentication information receiving means for receiving the authentication information transmitted from the user terminal, the authentication means for authenticating the user terminal based on the authentication information received by the authentication information receiving means, and the authentication means. An access permission information generating means that generates the access permission information related to the authenticated user terminal and transmits the access permission information to the target device to which the access request information is transmitted from the user terminal.
The same authentication information as the authentication information related to the user terminal from which the access permission information is generated is transmitted from the user terminal that has transmitted the access request information to the target device that is the same as or different from the target device to which the access permission information has been transmitted. Then, the access request information related to the user terminal that has transmitted the same authentication information is provided with a risk determination means for determining a predetermined risk of unauthorized access.

Further, the present invention can be configured as an unauthorized access detection program executed by the unauthorized access detection device according to the present invention as described above.
Furthermore, the present invention can also be configured as an unauthorized access detection method that can be implemented by the unauthorized access detection device and program according to the present invention as described above.

According to the present invention, it is possible to determine in advance the possibility of unauthorized access to an access request to a plurality of target devices based on the same authentication information from a user terminal, and prevent damage such as information leakage from occurring in advance. it can.
As a result, even in a single sign-on system such as OpenID Connect, which enables access to multiple servers and systems by a single authentication process, information leakage due to unauthorized access and damage caused by it can be effectively prevented and eliminated. It becomes possible to do.

It is a block diagram which shows the whole structure of the system provided with the unauthorized access detection apparatus which concerns on one Embodiment of this invention. It is explanatory drawing which shows typically the access pattern in the system provided with the unauthorized access detection apparatus which concerns on one Embodiment of this invention. It is a block diagram which shows the functional structure of the unauthorized access detection apparatus which concerns on one Embodiment of this invention. It is a figure which shows the example of the data structure of the BL / WL holding part of the unauthorized access detection apparatus which concerns on one Embodiment of this invention. It is a figure which shows the example of the data structure of the address information holding part of the unauthorized access detection apparatus which concerns on one Embodiment of this invention. It is a figure which shows the example of the data structure of the BI score determination rule of the unauthorized access detection apparatus which concerns on one Embodiment of this invention. It is a figure which shows the example of the data structure of the FP score determination rule of the unauthorized access detection apparatus which concerns on one Embodiment of this invention. It is a figure which shows the example of the data structure of the 1st determination result holding part and the 2nd determination result holding part of the unauthorized access detection apparatus which concerns on one Embodiment of this invention. It is a figure which shows the example of the data structure of the cumulative score holding part of the unauthorized access detection apparatus which concerns on one Embodiment of this invention. It is a figure which shows the risk determination criteria of the unauthorized access detection apparatus which concerns on one Embodiment of this invention. It is explanatory drawing which shows the setting example of the threat level of the unauthorized access which is risk-determined in the unauthorized access detection apparatus which concerns on one Embodiment of this invention. It is a sequence diagram which shows the operation of the system provided with the unauthorized access detection apparatus which concerns on one Embodiment of this invention.

Hereinafter, embodiments of the unauthorized access detection device according to the present invention will be described with reference to the drawings.
Here, the unauthorized access detection device of the present invention shown below is realized by processing, means, and functions executed by a computer according to a program (software) instruction. The program can send a command to each component of the computer to perform a predetermined process, function, or the like according to the present invention shown below. That is, each process, means, and function in the present invention is realized by concrete means in which a program and a computer cooperate.

All or part of the program is provided by, for example, a magnetic disk, an optical disk, a semiconductor memory, or any other computer-readable recording medium, and the program read from the recording medium is installed and executed in the computer. To. The program can also be loaded and executed directly on the computer through a communication line without going through a recording medium. Further, the unauthorized access detection device according to the present invention may be configured by a single information processing device (for example, one personal computer or the like), and may be composed of a plurality of information processing devices (for example, a group of a plurality of server computers). It can also be configured.

[System configuration]
FIG. 1 schematically shows a configuration of an unauthorized access detection system 1 provided with an unauthorized access detection device 20 according to an embodiment of the present invention.
Further, FIG. 2 is an explanatory diagram schematically showing an access pattern in the unauthorized access detection system 1 according to the present embodiment.
As shown in these figures, the unauthorized access detection system 1 according to the embodiment of the present invention includes a plurality of target servers 12 (12a to 12n) to be monitored for unauthorized success, and a plurality of target servers 12 that can access the target servers 12. User terminals 14 (14a to 14n) and an unauthorized access detection device 20 that monitors and detects unauthorized access to each target server 12 are provided.
The target server 12, the user terminal 14, and the unauthorized access detection device 20 are connected via a communication network 16 including a LAN, a WAN, the Internet, and the like, and network communication with each other is possible.

In the present embodiment, as shown in FIG. 2, the unauthorized access detection device 20 requests access permission information (access) for the user terminal 14 to the target server 12 to which the access request information is transmitted from the user terminal 14. It functions as an authentication device (authentication system) for transmitting tokens), and each target server 12 sends a verification request for access permission information (token verification request) to the unauthorized access detection device 20. (See Fig. 2 (b)).
As a result, the user terminal 14 is allowed / enabled to access the plurality of target servers 12 by one authentication process, and the user who operates the user terminal 14 logs in / authenticates with one ID or the like to the plurality of target servers. A single sign-on function that enables access to 12 will be provided.

Then, when the unauthorized access detection device 20, which is the single sign-on authentication device, transmits the same authentication information from the user terminal 14 to a plurality of different target servers 12, one or two of the same authentication information is transmitted. The access request related to the user terminal 14 described above functions as an unauthorized success detection means for executing a risk determination of unauthorized access.
As a result, in the present embodiment, while providing a single sign-on function that is highly convenient for the user of the user terminal 14 and the service provider of the target server 12, unauthorized access using the authentication information of the user terminal 14 is performed. It is intended to reliably detect and prevent damage to users and service providers.

Here, "illegal access" means accessing a server on which access control (for example, password authentication, etc.) is performed via a network, and inputting another person's identification code or information or command other than the identification code. It is an act of illegally using a function that is originally restricted.
Further, "web access" is remote access to a predetermined server via a communication network, and includes both legitimate access by a user with legitimate authority and unauthorized access by an unauthorized person.

There are various types of unauthorized access, but in particular, spoofing login, unauthorized transactions, and list type that illegally obtain the correct account information (user ID, password, etc.) of another person and use that account information. Account hacking and the like are difficult to deal with with the conventional measures against unauthorized access as described above, and it is particularly difficult to determine unauthorized access as legitimate access.
Also, for example, when unauthorized access is not obvious such that a large amount of access is automatically executed in a short period of time, but when infrequent unauthorized access (for example, once / hour) is executed for a long period of time. Makes it even more difficult to determine unauthorized access as legitimate access.

The unauthorized access detection device 20 according to the present embodiment determines whether or not the web access is unauthorized access based on the behavior of the identity (ID) of the web access to the plurality of target servers 12.
Specifically, a plurality of times of the web in which each of a plurality of types of IDs included in the data of web access to a plurality of target servers 12 performed using the same authentication information (ID, password, etc.) is used. Based on the mode of access, it is determined whether or not the current web access is unauthorized.

Further, the unauthorized access detection device 20 determines that the web access to the predetermined target server 12 is based on the importance of the web access on the target server 12 (hereinafter, also referred to as “BI (Business Impact)”) and the web access is illegal. It is possible to evaluate with two axes of a certain probability (hereinafter, also referred to as "FP (Fraud Probability)") and determine the risk level (threat level) of the access (see FIGS. 6 and 7).
Hereinafter, each component of the unauthorized access detection system 1 provided with the unauthorized access detection device 20 according to the present embodiment will be described in detail in order.

[Target server (authentication / authorization dependent site: RP)]
The target server 12 (12a to 12n) is an information processing device that provides a website, an application, or the like to the user terminal 14 via a communication network 16 such as the Internet. For example, a service providing business that provides a website or the like. It is composed of PCs and servers installed in data centers and offices of people.
Each of the target servers 12a to 12n constitutes the target device according to the present invention.

Specifically, when the access request information is transmitted from the user terminal 14, each of the target servers 12a to 12n is determined by the unauthorized access detection device 20 which becomes the authentication device (authentication system) to relate to the user terminal 14. By receiving and managing the access permission information (for example, the access token described later), data and services are provided in response to the access request of the user terminal 14.
In this way, the target server 12 constitutes an "authentication / authorization dependent site: RP (Relying Party)" that relies on the authentication device (unauthorized access detection device 20) for authentication / authorization.
For example, each of the target servers 12a to 12n has a function of a web server that publishes a website such as communication sales and internet banking on the Internet, and provides web access (HTTP request) from a user terminal 14 that has been authenticated / accessed. A web page for accepting and providing a predetermined service is provided / transmitted to the user terminal 14.

[User terminal]
The user terminals 14 (14a to 14n) are information processing devices equipped with a Web browser, for example, composed of a PC, a tablet terminal, a smartphone, etc., and are a target server 12 or an unauthorized person via a communication network 16 such as the Internet. It constitutes a user terminal according to the present invention, which functions as a web client that can be connected to the access detection device 20.
In each user terminal 14, for example, information such as user identification information, login ID, and password is registered as predetermined registration information in the unauthorized access detection device 20 which is an authentication device. Therefore, the user terminal 14 in which the predetermined registration information is not registered cannot perform the authentication process, and the access request to the target server 12 is denied.
Then, the user who operates the user terminal 14 is a user who is permitted to log in to the website of the target server 12 (that is, a user who has a legitimate authority), and is a target such as illegally using another person's account. It can also be a user who attempts unauthorized access to the server 12.

Specifically, when each of the user terminals 14a to 14n transmits access request information to one target server 12, the unauthorized access detection device 20 that becomes an authentication device (authentication system) provides predetermined authentication information (for example). When the unauthorized access detection device 20 is authenticated by transmitting the predetermined authentication information (ID, password, etc.), the unauthorized access permission information (for example, access token, etc.) is received and stored from the unauthorized access detection device 20. To do.
After that, by transmitting the received access permission information to one target server 12, it is determined that the one target server 12 is the user terminal 14 whose authentication / access permission has been granted by the unauthorized access detection device 20. You will be able to access and provide services to one target server 12.

Then, when accessing another target server 12, the same authentication information (ID, password, etc.) is transmitted to the unauthorized access detection device 20 to obtain authentication, so that the access already received and stored is accessed. By transmitting the permission information to the other target server 12 to be accessed this time, the access is also permitted to the other target server 12.
Here, as the access permission information generated by the unauthorized access detection device 20 and transmitted to the user terminal 14 (and the target server 12), for example, there is an access token.

The access token is information generated and managed by the authentication device (authentication system). For example, the identification information of the issuer (unauthorized access detection device 20), the identification information of the issue destination (target server 12), and the user (user (target server 12)). Information such as identification information and issuance date / time of the user terminal 14) is included.
Such an access token is passed between the unauthorized access detection device 20 and each target server 12 and information is shared, so that if there is an access request accompanied by an access token from the user terminal 14, each target server thereby. At 12, access is permitted.
The access permission information according to the present invention is not limited to the access token. As long as it is possible to identify and determine whether or not to request access to a plurality of target servers 12 for the user terminal 14, the name and information content as the access permission information may be information other than the access token.

[Unauthorized access detection device (authentication / authorization provision system: iDP)]
The unauthorized access detection device 20 is an authentication that transmits access permission information about the user terminal 14 that has requested access to the target server 12 to which access request information has been transmitted from the user terminal 14 via a communication network 16 such as the Internet. It is an information processing device that functions as a device (authentication system), and is composed of PCs and servers installed in data centers and offices of businesses that provide authentication processing services to multiple websites, for example. To. The authentication process by the unauthorized access detection device 20 enables the user terminal 14 to perform single sign-on in which access to a plurality of target servers 12 is permitted by one authentication process (see FIG. 2).
As described above, the unauthorized access detection device 20 constitutes an "authentication / authorization providing system: iDP (Identity Provider)" that provides the authentication / authorization of the user terminal 14 to the plurality of target servers 12.

Then, the unauthorized access detection device 20 according to the present embodiment executes the authentication process of each user terminal 14, and when the same authentication information is transmitted from the user terminal 14 to a plurality of different target servers 12, the authentication process is performed. For access requests related to one or more user terminals 14 that have transmitted the same authentication information, the risk of unauthorized access (threat level) is determined by comprehensively judging the access request information to a plurality of the same or different target servers 12. Execute the judgment.
Hereinafter, the details of the unauthorized access detection device 20 will be described with reference to FIG.

When the unauthorized access detection device 20 receives the attribute information of the web access to the target server 12 via the log file or API (Application Programming Interface) transmitted from each target server 12 that has received the access request, there is a risk for each web access. Execute the judgment.
That is, the unauthorized access detection device 20 detects unauthorized access existing in the web access from the user terminal 14 to the plurality of target servers 12 using the same authentication information.
Then, the unauthorized access detection device 20 requests access permission, re-authentication / additional authentication, and invalidation (destruction / deletion / deletion / deletion / deletion / deletion / deletion / addition / deletion / addition / authentication / addition authentication of the user terminal 14 related to the web access according to the risk determination result. Change) and other processes are executed.

FIG. 3 is a block diagram showing a functional configuration of the unauthorized access detection device 20 according to the present embodiment.
As shown in the figure, the unauthorized access detection device 20 includes each unit of a control unit 22, a storage unit 24, and a communication unit 26.
The control unit 22 executes authentication of the user terminal 14 and data processing for detecting unauthorized access from the user terminal 14 to the target server 12. Further, the control unit 22 sends / receives data to / from the user terminal 14 and the target server 12 via the communication unit 26.
The storage unit 24 is a storage area for storing data referenced or updated by the control unit 22.
The communication unit 26 communicates with the external device according to a predetermined communication protocol. The communication unit 26 constitutes the authentication information receiving means according to the present invention, which receives the authentication information transmitted from the user terminal 14.

[Memory]
As shown in FIG. 3, the storage unit 24 includes an authentication / access permission information holding unit 27, a BL / WL holding unit 28, an address information holding unit 30, a rule holding unit 32, a first determination result holding unit 34, and a second determination. Each unit includes a result holding unit 36 and a cumulative score holding unit 38.
The authentication / access permission information holding unit 27 holds / stores information such as identification information, login ID, and password of each user terminal 14 as registration information about the user terminal 14.
When an access request is made from each user terminal 14 to the target server 12 based on this registration information, the authentication process of the user terminal 14 is first executed by the authentication processing unit 42.

Further, the authentication / access permission information holding unit 27 sets the predetermined access permission information generated / transmitted to the user terminal 14 that is permitted to access the target server 12 through the authentication process as the registration information as described above. Retain and memorize in association.
The access permission information includes, for example, the above-mentioned access token, and the predetermined information (issuer identification information, issue destination identification information, user identification information, issue date and time, etc.) included in the access token is the registration information of the user terminal 14. Is held as.

The BL / WL holding unit 28 holds blacklist and whitelist data related to the user terminal 14.
FIG. 4 shows an example of the data structure of the BL / WL holding unit 28.
In the example shown in the figure, the IP address information (for example, IP address (or network address) + subnet mask length) of the user terminal 14 is set as a key.
Further, a white list identifier (“white” in FIG. 4) or a blacklist identifier (“black” in FIG. 4) is set as a value. The list of keys associated with the whitelist identifier corresponds to the whitelist, and the list of keys associated with the blacklist identifier corresponds to the blacklist.

Here, as the information registered as the blacklist, for example, the IP address, network address, device ID (described later), user ID, etc. of the user terminal 14 found to have been used by an unauthorized person can be recorded. ..
Further, as the information registered as the white list, for example, the IP address, network address, device ID, user ID, etc. of the user terminal 14 fixedly used by a user having a legitimate authority can be recorded.

The address information holding unit 30 holds the correspondence between the IP address and the geographic information.
FIG. 5 shows an example of the data structure of the address information holding unit 30.
In the example shown in the figure, the address information holding unit 30 holds a record in which the IP address of the connection source of the web access to the target server 12 is used as a key and the country, city, latitude, and longitude are used as values. ..
Here, the connection source IP address may be the source IP address set in the IP packet received by the target server 12. For example, it may be the IP address of the user terminal 14, or it may be the IP address of a proxy server, router, or the like that relays communication between the user terminal 14 and the target server 12.

The rule holding unit 32 has a BI score determination rule which is a rule (reference) for determining a BI score indicating the height of BI, and an FP score determination which is a rule for determining an FP score indicating the height of FP. Hold the rules.
The BI score determination rule and the FP score determination rule may be stored in the semiconductor memory in order to enable high-speed access, and may be stored in a computer program in which the BI score derivation unit 46 and the FP score derivation unit 48 described later are implemented. May be incorporated as an algorithm in.

FIG. 6 shows an example of the data structure of the BI score determination rule.
The BI score determination rule holds the determination condition and the BI score when the determination condition is satisfied in association with each other. As the determination condition, the access destination URL, the parameter attribute of GET or POST, and the like may be defined. Further, the BI score is set to a value as large as the important processing or transaction in the target server 12. For example, a larger value may be set for a process or transaction that has a greater influence on the business of the company that provides the service by the target server 12.

The first record of FIG. 6 shows that the BI score is set to "10" when the access from the user terminal 14 to the target server 12 is a POST transmission to the URL for executing login authentication.
Further, the fourth record in FIG. 6 is a POST transmission to the URL for remittance execution on the transmission screen, and when the value of the remittance amount parameter is less than 500,000 yen, the BI score is set to "90". It is shown that.

FIG. 7 shows an example of the data structure of the FP score determination rule.
The FP score determination rule holds the determination condition (identification target and rule content in FIG. 7) in association with the FP score (value is not shown) to be added when the determination condition is satisfied.
The identification target in FIG. 7 is at least one of a plurality of types of identifiers included in the access data. The identification target includes, for example, a country (country specified by an IP address), an IP address, a UA (User Agent), a user ID (user ID specified in a login request), and a device ID. The device ID is an identifier that can uniquely identify a specific user terminal 14, and is a combination of the web browser type and version of the user terminal 14, language setting, installed font, screen resolution, color depth, CPU type, time zone, and the like. Information generated based on.

The "rule content" in FIG. 7 is the value of the identifier to be identified (and the value of another identifier associated with that identifier) and / or the past request history (access) associated with the value of the identifier to be identified. The mode of history) is defined. The “FP score” in FIG. 7 is predetermined for each determination condition based on the type of website provided by the target server 12 and the business content.
Specifically, among a plurality of determination conditions, the higher the suspicion of unauthorized access when satisfied, the larger the FP score is set.

Item 2 of FIG. 7 stipulates that a predetermined FP score is added when the connection source IP address included in the web access data matches the IP address specified in the blacklist.
Item No. 17 in FIG. 7 shows a predetermined FP when the number of connection source IP addresses (unique number) included in the login trial access per unit time is equal to or more than a predetermined value for the login trial access for which a specific user ID is specified. It stipulates that scores should be added. The unit time here may be 5 minutes, and the predetermined value may be 5. Item No. 20 in FIG. 7 adds a predetermined FP score to the login trial access including the same device ID when the number of user IDs (unique number) included in the login trial access per unit time is equal to or more than a predetermined value. To stipulate.

Then, according to the FP score determination rule as shown in FIG. 7, even if the unauthorized access uses the correct user ID and password, the unauthorized access can be detected with high accuracy.
For example, items 10 and 11 in FIG. 7 are based on the number of logins (number of successful logins), and items 12 and 13 in FIG. 7 are based on the number of login failures. In addition to this, items 17 to 20 in FIG. 7 are the number of accesses to the URL for executing login authentication, and are based on the number of login attempts regardless of whether the login is successful or unsuccessful. Therefore, the login is tentatively successful. Even if the web access is performed, it can be determined as unauthorized access.

The first determination result holding unit 34 and the second determination result holding unit 36 hold the risk determination result.
FIG. 8 shows an example of the data structure of the first determination result holding unit 34 and the second determination result holding unit 36.
As shown in the figure, the record group 60 is a plurality of records recorded per one web access.
The access attribute 62 is an attribute value of web access, and includes values of a plurality of types of identifiers (IP address, user ID, device ID).
The risk determination result 64 is a risk determination result based on the access attribute 62, and includes a BI score, an FP score, and a risk rank.
The first determination result holding unit 34 holds the record group 60 recorded per web access only for, for example, 30 days from the access date and time (for example, Time of the access attribute 62). On the other hand, the second determination result holding unit 36 can permanently hold the record group 60 recorded per one web access unless it is explicitly deleted by the administrator.

The cumulative score holding unit 38 holds data including a cumulative value of the FP score (hereinafter, also referred to as “FP cumulative value”) for each of the plurality of types of identifiers designated by at least one web access.
FIG. 9 shows an example of the data structure of the cumulative score holding unit 38.
The cumulative score holding unit 38 includes three records of type (Type), FP cumulative value (SumScore), and last access date / time (LastAccess) for each value of one identifier.
FIG. 9 shows the type, FP cumulative value, and last access date and time recorded for each of the IP address “133.250.195.1”, the device ID “E6JU9Mr ...”, And the user ID “user0001”.

[Control unit]
As shown in FIG. 3, the control unit 22 includes a log acquisition unit 40, an authentication processing unit 42, an access permission processing unit 44, a BI score derivation unit 46, an FP score derivation unit 48, a risk determination unit 50, and a determination result recording unit 52. , A cumulative score recording unit 54, an alert notification unit 56, and a dashboard providing unit 58.

The log acquisition unit 40 is an interface for executing a risk determination for web access of the user terminal 14 as a batch process when an access request including authentication information is transmitted from the user terminal 14.
The log acquisition unit 40 acquires an access log in which web access data (web access attribute) of one or more user terminals 14 is recorded from the target server 12, and reads the web access attribute recorded in the access log.
The log acquisition unit 40 can receive and acquire the access log at the timing when the access is requested from the user terminal 14 to the target server 12, and can also receive the access log periodically transmitted from the target server 12. ..

Here, the web access attributes recorded in the access log include an access date and time, an access destination URL, a connection source IP address, a user ID, a browser type (or User Agent), a device ID, a cookie, and the like.
The user ID may be a user ID sent as a parameter to the login authentication screen, or may be a user ID associated with the user session after login.
The target server 12 holds a device ID acquisition script (for example, a Javascript (registered trademark) program), transmits the script to the user terminal 14 together with the data of the web page, and executes the script on the web browser of the user terminal 14. The device ID can be obtained from the terminal 14.

In addition, the web access attribute can include business-specific parameters on the website of the target server 12.
For example, the web access attribute may further include data added as a parameter in the GET or POST transmission. In this case, judgment conditions based on the values of business-specific parameters may be set in at least one of the BI score judgment rule and the FP score judgment rule. For example, in the case of an Internet banking website, the account number and transaction amount may be included as business-specific parameters. Then, when the account number and the transaction amount satisfy the determination condition, at least one of the BI score and the FP score may be added.

When the authentication processing unit 42 receives the authentication information from the user terminal 14, the authentication processing unit 42 collates the authentication information with the registered authentication information stored in the authentication / access permission information holding unit 27 of the storage unit 24, and the user terminal 14 Execute the authentication process. The authentication result is transmitted to the corresponding user terminal 14 via the communication unit 26.
The authentication processing unit 42 constitutes the authentication means according to the present invention.
Here, the authentication processing information is information corresponding to the registration authentication information registered / stored in the above-mentioned authentication / access permission information holding unit 27, and is information such as identification information, login ID, and password of the user terminal 14. Is.

The access permission processing unit 44 generates predetermined access permission information for the user terminal 14 that has been authenticated by the authentication processing unit 42, and the access request information is transmitted from the user terminal 14 and the user terminal 14. Access permission information is transmitted to the target server 12 devices. The access permission information is transmitted to the corresponding user terminal 14 and the target server 12 via the communication unit 26. Further, the generated access permission information is registered in the authentication / access permission information holding unit 27, and is stored / held together with the identification information / authentication information of the user terminal 14.
The authentication processing unit 42 constitutes the access permission information generation means according to the present invention.

Then, the authentication processing unit 42 and the access permission processing unit 44 execute a predetermined operation for web access having a predetermined risk rank or higher based on the risk determination result of the risk determination unit 50.
The authentication processing unit 42 transmits the authentication information again (additional authentication) to the user terminal 14 that has transmitted the corresponding access request information based on the risk determination result of the risk determination unit 50 (for example, the risk determination result 64 in FIG. 8). ) Is requested.
Here, as the authentication information again, predetermined information for requesting an OTP (One Time Password) can be transmitted to the corresponding user terminal 14.

The access permission processing unit 44 generates and transmits to all the user terminals 14 that have transmitted the same authentication information as the authentication information corresponding to the access request information for which the risk has been determined, based on the risk determination result of the risk determination unit 50. Invalidate the access permission information (access token, etc.) that has been created (token revoking).
The access permission information is invalidated by destroying (deleting) the access permission information stored in the authentication / access permission information holding unit 27.

In this way, by executing a predetermined operation for web access having a predetermined risk rank or higher according to the risk determination result, it becomes possible to prevent the occurrence of damage such as unauthorized access and information leakage.
Here, as a predetermined operation, in addition to the above-mentioned re-authentication request and invalidation of the access token, web access of a predetermined risk rank or higher is blocked, or a web access of a predetermined risk rank or higher is targeted. Includes refusing a transaction. This makes it possible to prevent fraudulent transactions such as goods and funds.
As the predetermined operation according to the risk rank, the predetermined operation is performed for each transaction targeted for web access, for each business process shown in FIG. 6, for each judgment condition shown in FIG. 7, for each rule category, and for each rule content. Can also be set.

The BI score derivation unit 46 derives the BI score for each web access attribute according to the web access attribute acquired by the log acquisition unit 40 and the BI score determination rule held by the rule holding unit 32. In other words, the BI score for each web access from the user terminal 14 to the target server 12 is derived.

When the combination of the access destination URL included in one web access attribute and the parameter attribute value satisfies the specific determination condition defined in the BI score determination rule, the BI score derivation unit 46 associates the access destination URL with the determination condition. The obtained BI score (for example, a value of 0 to 100) is determined as the BI score of the web access.
In the example of FIG. 6 described above, when the access destination URL included in one web access attribute matches the login authentication URL, the BI score of the web access is determined to be "10".
Further, as a modification, when the web access attribute satisfies a plurality of judgment conditions, the total value of the BI scores associated with the plurality of judgment conditions is normalized to a value of 0 to 100, and the value after normalization is used. It may be determined as the BI score of the web access.

The FP score derivation unit 48 derives the FP score for each web access attribute according to the web access attribute acquired by the log acquisition unit 40 and the FP score determination rule held by the rule holding unit 32. That is, the FP score deriving unit 48 derives the FP score for each web access from the user terminal 14 to the target server 12.
In the present embodiment, the FP score deriving unit 48 calculates the FP value for each of a plurality of types of identifiers (for example, connection source IP address, user ID, device ID) included in one web access attribute based on the values for each identifier. It is possible to derive the FP value of one web access by deriving and aggregating the FP values derived for each identifier.

Specifically, the FP score deriving unit 48 refers to the past web access attribute in which the value of the identifier (for example, the value of the connection source IP address) held in the first determination result holding unit 34 matches.
Then, for example, the behavior of a plurality of web accesses specified based on the web access attributes for the other target server 12 this time from one or more web access attributes for one target server 12 is the determination condition of the FP score determination rule. If it matches (for example, item 9 or later in FIG. 7), the FP score associated with the determination condition is added.
Further, the FP score deriving unit 48 can repeat the determination condition satisfaction determination process and the FP score addition process for each identifier included in one web access attribute (for each determination condition of the FP score determination rule).

For example, according to item 2 of FIG. 7, the FP score derivation unit 48 determines the connection source IP address included in the access data in item 2 when the connection source IP address is specified in the blacklist of the BL / WL holding unit 28. Add the obtained FP scores.
Further, according to item 17 of FIG. 7, when the number of login trial IP addresses per unit time for the user ID included in the web access to be determined is equal to or greater than a predetermined value, the FP score derivation unit 48 uses item number 17. Add the specified FP score.
In this case, the FP score deriving unit 48 may search the web access to the login trial URL in which the user ID is specified from the first determination result holding unit 34. Then, the unique number of the connection source IP address in one or more web accesses that hit the search may be counted.

Further, according to item No. 20 of FIG. 7, the FP score deriving unit 48 identifies one or more login trial accesses within a predetermined unit time including the device ID included in the web access to be determined.
Then, when the unique number of the user IDs specified in those login trial accesses is equal to or greater than a predetermined value, the FP score defined in item No. 20 is added.
In this case, the FP score deriving unit 48 may search the web access to the login trial URL in which the device ID is specified from the first determination result holding unit 34. Then, the unique number of user IDs specified in one or more web accesses that hit the search may be counted.

The risk determination unit 50 determines the risk level of each web access (hereinafter, also referred to as “risk rank”) based on the BI score and the FP score derived for each of the web accesses to the plurality of target servers 12. , Generate risk judgment results including the risk rank of each web access.
Then, in the present embodiment, the risk determination unit 50 has the same authentication information as the authentication information related to the user terminal 14 for which the access permission information is generated, which is the same as or different from the target server 12 to which the access permission information is transmitted. When transmitted from the user terminal 14 that has transmitted the access request information to the target server 12, the access request information related to one or more user terminals 14 that have transmitted the same authentication information is sent to each target server 12. The access request information transmitted is subjected to a predetermined risk determination of unauthorized access (see FIGS. 11 and 12).
The risk determination unit 50 constitutes the risk determination means according to the present invention.

The determination result recording unit 52 uses the risk determination result (see risk determination result 64 in FIG. 8) for a certain web access generated by the risk determination unit 50 as the data of the web access attribute (see access attribute 62 in FIG. 8). Is stored in both the first determination result holding unit 34 and the second determination result holding unit 36 in association with.
FIG. 10 shows the risk determination criteria in this embodiment.
As shown in the figure, the risk determination unit 50 determines that the risk rank is “low” when the combination of the BI score and the FP score corresponds to the region 70.
Further, if the above combination corresponds to the area 72, the risk rank is "medium (MID)", if the combination corresponds to the area 74, the risk rank is "high (HIGH)", and if the combination corresponds to the area 76, the risk rank is "serious (SEVERE)". judge.

As shown in FIG. 10, when the BI score of the web access to a target server 12 is relatively large, the risk determination unit 50 has a risk of the web access even if the FP score of the web access is relatively small. Judge the degree relatively high.
Further, when the FP score of the web access to a certain target server 12 is relatively large, the risk determination unit 50 relatively determines the risk of the web access even if the BI score of the web access is relatively small. Judge high.
In other words, when the FP score is a predetermined value (same value), the risk determination unit 50 determines the higher the risk level as the BI score increases. Similarly, when the BI score is a predetermined value (same value), the risk determination unit 50 determines that the higher the FP score, the higher the risk level.

The cumulative score recording unit 54 records the values of a plurality of types of identifiers (for example, IP address, device ID, user ID) included in the web access data for each identifier and the cumulative value of the FP score (that is, the cumulative FP value). It is recorded in the cumulative score holding unit 38 in association with each other.
For example, as shown in FIG. 9 described above, the cumulative score recording unit 54 uses the value of one identifier as a key, and the type, FP cumulative value, and last access date and time (may be a pseudo FP cumulative value update date and time). Can be associated and recorded in the cumulative score holding unit 38.

In addition, the cumulative score recording unit 54 can hold BL additional reference values for each of a plurality of types of identifiers (for example, IP address, device ID, user ID).
As the BL additional reference value, a different value can be set for each type of identifier.
Further, the cumulative score recording unit 54 blacks the value of the identifier when the cumulative value of the FP score recorded in association with the value of a certain identifier exceeds the BL addition reference value from the BL addition reference value or less. It can be automatically registered in the list. Specifically, a record having the value of the identifier as a key and "black" as a value can be added to the BL / WL holding unit 28.

The FP score deriving unit 48 may have an illegal web access for each identifier included in the data related to web access to a target server 12, based on the FP cumulative value recorded in advance for the identifier value. The height of can be detected.
Specifically, in the FP score derivation unit 48, when the value of the identifier is registered in the blacklist, that is, the record in which the cumulative value is used as the key and "black" is used as the value is the BL / WL holding unit. If present at 28, the FP score can be added (eg, items 1-5 in FIG. 7).

Further, in the present embodiment, it is possible to adopt a model in which the FP cumulative value held in the cumulative score holding unit 38 is attenuated by a certain amount with the passage of time.
The cumulative score recording unit 54 can subtract the FP cumulative value recorded in association with the value of a certain identifier according to the elapsed time from the last access including the value of the identifier.
Specifically, the longer the elapsed time from the last access, the larger the subtraction range of the FP cumulative value. For example, for the FP cumulative value "30" recorded in association with the value of a certain IP address (here, "133.250.195.1" in FIG. 8), "133.250.195.1" is connected. The longer the period during which web access using the original IP address is not performed, the smaller the cumulative FP value is.

More specifically, the cumulative score recording unit 54 holds the attenuation d per predetermined unit time. When the web access attribute is accepted, the cumulative score recording unit 54 calculates (elapsed time T × d from the previous update) from the FP cumulative value at the time of the previous update for each identifier included in the web access attribute. Subtract. In other words, the cumulative score recording unit 54 executes the following calculation to update the FP cumulative value for each identifier, and stores the new FP cumulative value in the cumulative score holding unit 38.
New FP cumulative value = FP cumulative value at the time of the previous update-Td

Further, the cumulative score recording unit 54 determines the value of the identifier when the FP cumulative value recorded in association with the value of a certain identifier changes from a state exceeding the BL addition reference value to a BL addition reference value or less. Can be excluded from the blacklist.
Specifically, the record having the value of the identifier as the key and "black" as the value is deleted from the BL / WL holding unit 28.

The alert notification unit 56 notifies each target server 12 of alert information (for example, data of the access attribute 62 and the risk determination result 64 in FIG. 7) indicating web access of a predetermined risk rank or higher. As the notification method, a known method such as e-mail, file transmission, push notification, or the like can be adopted.
In addition, the alert notification unit 56 can periodically transmit alert information to a predetermined administrator terminal held and operated by the administrator of each target server 12 at a predetermined timing.
As for the transmission timing of the alert information, the timing when web access of a predetermined risk rank or higher is detected, in other words, the risk judgment result indicating the predetermined risk rank or higher is the first judgment result holding unit 34, the second judgment result. Alert information can be transmitted at the timing recorded in the holding unit 36.

The dashboard providing unit 58 generates dashboard screen data for displaying the risk determination result and its statistical information, and transmits the screen data to each target server 12 or the terminal of its administrator.
For example, the dashboard providing unit 58 can read the risk determination result held in the second determination result holding unit 36, generate the screen data of the dashboard, and transmit it to the predetermined target server 12 or the like.

[Threat level setting pattern]
Next, a threat level pattern setting for a plurality of accesses to the target server 12 performed using the same authentication information, which is determined and detected as unauthorized access by the unauthorized access detection device 20 as described above, will be described.
FIG. 11 shows an assumed pattern (scenario) when the same authentication information (ID / password) is input / transmitted to a plurality of the same or different target servers 12 to perform authentication, and a pattern (scenario) in that case. This is a setting example that associates the threat level with the response action. In this example, when the same authentication and multiple accesses are performed, the threat level is set to three levels of "low, medium, and high" from the viewpoint of security and user convenience.
Such settings are set and stored in the storage unit 24 of the unauthorized access detection device 20, and are used for risk determination by the risk determination unit 50.

[Threat level: Low]
First, in the upper part of FIG. 11, the second access made to the other target server 12b, which is different from the one target server 12a in which the first access was made, is the same as the first access UA (User). Agent: Web browser identification information).
In this case, it can be determined that the access was made by the same user from the same user terminal 14, and it can be determined that "same UA = secure". Therefore, it is considered unnecessary to take measures such as additional authentication, and the second access. The threat level of is set to "low".

Therefore, in this case, the authentication process (Connect authorization API: Application Program Interface) by the unauthorized access detection device 20 is also the individual service process (Introspection API) on the target servers 12a and 12b, for example, the target server 12a (PR1): "Payment". "Before", target server 12b (RP2): Even for "Before transfer", no additional authentication (OTP) request or access token invalidation (token revoking) is performed.
Further, in this case, in order to prevent the unauthorized access detection device 20 from requesting additional authentication (OTP) for the same UA (user terminal) from the next time onward, the unauthorized access detection (IFD: Identity Fraud Detection) is performed. Risk information can be initialized.

[Threat level: Medium]
Next, the middle part of FIG. 12 is a case where the second access is made to the same target server 12a as the first access from different UAs.
In this case, it can be determined that the same user has accessed from two different user terminals 14 used by the user, and the "UA change" is performed between a PC and a mobile terminal such as a smartphone, for example. Since it can be judged that it is performed normally (frequently), it is considered that there is no problem if additional authentication is performed, and the threat level of the second access can be set to "medium".

Therefore, in this case, both the authentication process (Connect authorization API) by the unauthorized access detection device 20 and the individual service process (Introspection API) on the target server 12a are confirmed to request additional authentication (OTP) for access. Token invalidation (token revoking) is not performed.
Further, in this case, the unauthorized access detection device 20 does not require additional authentication (OTP) for the same plurality of UAs (user terminals) from the next time onward, and only when accessed from a UA that has not been used in the past. IFD risk information can be set, changed, etc. to require additional certification.

[Threat level: High]
Next, in the lower part of FIG. 12, the second access is made to another target server 12b different from the one target server 12a to which the first access was made, and the second access source is This is the case when the country is different from the first access source.
In this case, it can be determined that there is a high possibility of unauthorized access due to leakage or unauthorized use of authentication information, and it is considered that additional authentication or token revoke is required, and the threat level of the second access is "high". Can be set.

In this case, first, for the individual service process (IntrospectionAPI) on the target server 12 related to the first access that has been performed through the authentication process, additional authentication (OTP) is requested, and the authentication process is performed once. Therefore, the access token is not invalidated (token revoking). It is considered too strict to invalidate all the access tokens that have already been issued, including the first access that has been authenticated, and with an emphasis on user convenience, each target server 12 Only perform additional authentication.

On the other hand, the authentication process (Connect authorization API) by the unauthorized access detection device 20 is the strictest because the second access that has not undergone the authentication process is before authentication and there is a high possibility of account hacking, for example. It can be a judgment.
In this case, the unauthorized access detection device 20 requests additional authentication (OTP) before displaying the consent screen after authentication / login using authentication information that is highly likely to have been used illegally.
At the same time, all access tokens issued based on the same authentication information are invalidated (deleted). As a result, an error occurs when the access token issued before that is used by the other target server 12, and even if the access token is stolen or misused, the occurrence of damage can be prevented.

[Operation (Unauthorized access detection method)]
Next, a specific operation (unauthorized access detection method) of the unauthorized access detection device 20 according to the present embodiment having the above configuration will be described with reference to FIG.
FIG. 12 is a sequence diagram showing a processing operation in the unauthorized access detection device 20 according to the present embodiment.

As a premise, in the unauthorized access detection system 1 according to the present embodiment, a plurality of target servers 12 and one or more user terminals 14 for which user registration for authentication processing is performed are provided for the unauthorized access detection device 20. A connection has been established so that it can be accessed and communicated via the communication network 16 (see FIG. 1).
First, access request information is transmitted from a certain user terminal 14 as a service use request to one target server 12a (RP1) among the plurality of target servers 12 (step (1)). The access request information includes information indicating a web access attribute related to the user terminal 14.

The service use request transmitted from the user terminal 14 to the target server 12a undergoes a redirect process and is transmitted to the unauthorized access detection device 20 (Idp) as an authentication authorization request (step (2)). This certification authorization request includes information indicating web access attributes including the above-mentioned threat analysis information.
When the authentication authorization request is received by the unauthorized access detection device 20, the unauthorized access detection device 20 generates an ID / password input screen that serves as authentication information for the user terminal 14, and transmits / presents the authentication / authorization request to the user terminal 14. (Step (3)).

The user terminal 14 is input with an ID / password that serves as authentication information registered on the input screen, and the information is transmitted to the unauthorized access detection device 20 (step (4)).
The unauthorized access detection device 20 verifies and collates the ID / password transmitted from the user terminal 14 with the ID / password registered in the unauthorized access detection device 20, and the transmitted ID / password is registered. If the ID / password matches, the user terminal 14 is authenticated (step (5)).
After that, the information at the time of request including the web access attribute transmitted from the user-authenticated user terminal 14 is stored through other necessary processes, and the access to the user terminal 14 becomes access permission information. A token is generated and issued (step (6)).

When the access token is issued, the access token is transmitted from the unauthorized access detection device 20 to the corresponding user terminal 14 and the target server 12a that has received the access request from the user terminal 14 as response information (step (7). )).
The transmitted access token is stored and held in the user terminal 14, and is also stored and managed in the target server 12a that receives the access request (step (8)). Specifically, the target server 12a stores and manages the received access token in association with the identification information such as the user ID of the user terminal 14 (step (8)).

In this state, the user terminal 14 is permitted / enabled to access the target server 12a for which access is requested. Then, when the user terminal 14 requests the target server 12a to use the individual service (step (9)), the target server 12a illegally accesses the information required for the service using the managed access token. A token verification request (see FIG. 2B) requested to the detection device 20 is transmitted (step (10)).
The unauthorized access detection device 20 verifies the access token transmitted from the target server 12a, collates and compares it with the stored / held access token information, and if the information matches, the verification is OK (step (11)). ), A normal response is returned assuming that the user terminal 14 is free from fraud (step (12)).
As a result, the user terminal 14 can access the target server 12a for which access is requested, and can use the individual service with the target server 12a (step (13)).

In such a state, an access request to the other target server 12b (RP2) and an authentication process associated therewith are performed (see steps (1) to (5)), and in that case, the same as the access request to the target server 12a. It is assumed that the authentication information (ID / password) has been entered and verified.
Then, in this case, the event corresponding to "threat level: high" in the pattern setting of FIG. 11 described above, that is, the second access is different from the first access for the target server 12b as the first time. Is from a different country.

In this case, first, when the authentication process for the second access (see steps (1) to (5)) is performed, the unauthorized access detection device 20 has a high possibility of being illegally used for the second access. After authentication / login with the authentication information related to, additional authentication (OTP) is requested before displaying the consent screen.
When unauthorized access is made, it is not possible to input / send information that matches the additional authentication. Therefore, the access token is issued by the second access, or the target server 12b is accessed to provide services, etc. It will be impossible to receive the use of.

At the same time, the access token issued to the target server 12a based on the same authentication information is invalidated (destroyed) (step (14)).
As a result, when the user terminal 14 that has made the first access requests the target server 12a to use the individual service (step (15)), the target server 12a is required for the service using the access token. A token verification request for requesting information from the unauthorized access detection device 20 is transmitted (step (16)).
Since the unauthorized access detection device 20 has already destroyed the access token issued to the target server 12a, the token verification results in an error, and an error response is returned to the target server 12a (step (17)). ).

Therefore, even the user terminal 14 that has made the first access cannot access the target server 12a, and the individual service cannot be used on the target server 12a (step (13)).
In this way, even in the case of account hacking that "normally responds" without using this system, it is possible to detect an abnormality from a plurality of access contents to the target server 12a and the target server 12b, resulting in damage. It will be possible to prevent the occurrence and spread.

As described above, according to the unauthorized access detection system 1 provided with the unauthorized access detection device 20 according to the present embodiment, a plurality of times for one or more target servers 12 performed using the same authentication information. By verifying the access of the server, comprehensively judging the contents of multiple accesses, and performing threat analysis, it is possible to reliably detect and eliminate the access with a high possibility of fraud.
As a result, even in a system such as OpenID Connect where access to multiple servers and systems is permitted by one authentication process, unauthorized access by stealing the same authentication information can be detected, and reliability and safety can be achieved. It is possible to realize a highly reliable authentication service system.

Further, in the unauthorized access detection device 20 according to the present embodiment, the web access to the target server 12 can be evaluated on the two axes of BI and FP, and the risk rank of the web access can be determined.
As a result, the degree of influence of web access on the website of the target server 12, in other words, the magnitude of the actual risk that web access gives to the business or business executed by the target server 12 is evaluated. The risk level of web access can be provided to the target server and its administrator.

Further, according to the unauthorized access detection device 20 according to the present embodiment, when spoofing login, unauthorized transaction, list-type account hacking, etc. are performed while switching between a plurality of terminals, a plurality of IP addresses, and a plurality of user IDs. However, since the FP score of the web access can be determined by accumulating the FP score for each identifier for the web access including a plurality of types of identifiers, it becomes easy to detect these unauthorized accesses.
For example, even if the access is performed using the correct user ID and password, (1) when logins to many user IDs are performed with the same IP address, (2) login using the same user ID is performed (different IPs). It can be detected as unauthorized access by increasing the FP score, such as when a large number of times are performed (including from the address), (3) when login attempts are made to a large number of user IDs with the same device ID, and so on.

Further, the unauthorized access detection device 20 according to the present embodiment accumulates the FP score for each identifier value, and when the threshold value is exceeded, the value of the identifier is automatically registered in the blacklist. As a result, the degree of suspicion of fraud determined for past web access using the same identifier value can be reflected in the risk determination for this web access.
Further, the unauthorized access detection device 20 can subtract the cumulative value of the FP score according to the elapsed time from the last access, and automatically delete it from the blacklist when it becomes equal to or less than the threshold value. As a result, an increase in the number of registered blacklists can be suppressed, and efficient matching with the blacklist can be realized. In addition, the value of the identifier that has been used for unauthorized access for a long time is excluded from the blacklist, and when a legitimate user subsequently uses the value of the identifier, it is falsely detected as unauthorized access. It can be suppressed from being stored.

Although the present invention has been described above with reference to preferred embodiments, it goes without saying that the present invention is not limited to the above-described embodiments, and various modifications can be made within the scope of the present invention.
For example, as a first modification of the above-described embodiment, the FP score determination rule adds an FP score when there is a predetermined relationship between a plurality of web accesses made from one user terminal 14 to the target server 12. You may decide to do so. Specifically, when the website of the target server 12 is a website that provides a loyalty program (point program), the identification target "user ID" and the rule content "point exchange (exchange for goods)" web page. It may be specified that the time from the HTTP request for which the URL is specified to the HTTP request for which the URL of the withdrawal web page is specified is within a predetermined time (for example, 3 minutes).

While investigating unauthorized access to websites that provide loyalty programs, the present inventor has found that there are many behaviors in which, after performing point exchange, the membership is immediately withdrawn due to the destruction of evidence. According to the aspect of this modification, the detection accuracy of unauthorized access can be further improved by adding the FP score by paying attention to the relationship of a plurality of times of web access that are back and forth in time.

Further, as a second modification, the unauthorized access detection device 20 of the above embodiment detects unauthorized access to the target server 12, but as a modification, the unauthorized access detection device 20 has unauthorized access to its own device from an external device. May be detected. When an unauthorized access is detected, the user of the own device may be notified to that effect, and processing for blocking unauthorized access from an external device (for example, communication invalidation processing, personal firewall setting processing, etc.) May be executed.

Further, the unauthorized access detection device 20 may be an information terminal such as a general PC, tablet terminal, or smartphone, and a computer program on which the functional block shown in FIG. 3 is mounted is installed and executed in the information terminal. Any device configuration may be used as long as it can execute the same processing as the unauthorized access detection device 20 of the above-described embodiment.
Further, the BI score determination rule held in the unauthorized access detection device 20 may be set to, for example, a high BI score for an access that causes a system call in which access from an external device is important. Further, the FP score determination rule may set a high FP score for a typical pattern of hijacking or hacking of administrator authority, for example.

Further, in the above-described embodiment, the risk determination using the BL / WL, BI score, and FP score has been described, but the risk determination using only one of them may be used.
In addition, in the above-described embodiment, the configuration in which the unauthorized access detection function is implemented in the IDP having the authentication / authorization providing function has been described, but the configuration is such that a device having the unauthorized access detection function is newly added independently of the IDP. Alternatively, in this new device, an operation of receiving access data directly from each RP or via IDP from each RP and performing a risk determination may be performed.

Any combination of the above-described embodiments and modifications is also useful as an embodiment of the present invention.
The new embodiment produced by the combination can have the effects of the combined embodiment and the modified example.
Further, it goes without saying that the function to be fulfilled by each of the constituent requirements described in the claims is realized by a single component or a cooperation thereof shown in the above-described embodiments and modifications.

The present invention can be suitably used for a single sign-on system such as OpenID Connect, which enables access to a plurality of servers and systems by one authentication process.

1 Unauthorized access detection system 12 Target server (authentication / authorization dependent site)
14 User terminal 16 Communication network 20 Unauthorized access detection device (authentication / authorization provision system)
22 Control unit 24 Storage unit 26 Communication unit

Claims (5)

An information processing device that transmits predetermined access permission information related to the user terminal to the target device to which the access request information is transmitted from the user terminal.
An authentication information receiving means for receiving the authentication information transmitted from the user terminal, and
An authentication means that authenticates the user terminal based on the authentication information received by the authentication information receiving means, and an authentication means that authenticates the user terminal.
An access permission information generating means that generates the access permission information related to the user terminal authenticated by the authentication means and transmits the access permission information to the target device to which the access request information is transmitted from the user terminal.
The same authentication information as the authentication information related to the user terminal from which the access permission information is generated is transmitted from the user terminal that has transmitted the access request information to the target device that is the same as or different from the target device to which the access permission information has been transmitted. Then, the unauthorized access detection device is provided with a risk determination means for determining a predetermined risk of unauthorized access for the access request information related to the user terminal that has transmitted the same authentication information. The authentication means is
Based on the risk determination result of the risk determination means
The unauthorized access detection device according to claim 1, wherein the user terminal that has transmitted the same authentication information is requested to transmit the predetermined authentication information. The access permission information generation means
When the same authentication information as the authentication information related to the user terminal from which the access permission information is generated is transmitted from the same or different user terminal as the user terminal from which the access permission information is generated.
Based on the risk determination result of the risk determination means
Disabling the access permission information, destroy, delete or change, or to request permission, re-authentication or additional authentication to the user terminal transmitting the same authentication information,
The unauthorized access detection device according to claim 1 or 2. A computer that constitutes an information processing device that transmits predetermined access permission information related to the user terminal to the target device to which access request information is transmitted from the user terminal.
Authentication information receiving means for receiving authentication information transmitted from the user terminal,
An authentication means that authenticates the user terminal based on the authentication information received by the authentication information receiving means,
An access permission information generating means that generates the access permission information related to a user terminal authenticated by the authentication means and transmits the access permission information to a target device to which access request information is transmitted from the user terminal.
The same authentication information as the authentication information related to the user terminal from which the access permission information is generated is transmitted from the user terminal that has transmitted the access request information to the target device that is the same as or different from the target device to which the access permission information has been transmitted. Then, the unauthorized access detection program is characterized in that the access request information related to the user terminal that has transmitted the same authentication information is made to function as a risk determination means for determining a predetermined risk of unauthorized access. It is a method of transmitting predetermined access permission information related to the user terminal to the target device to which the access request information is transmitted from the user terminal.
The computer
Authentication information receiving procedure for receiving the authentication information transmitted from the user terminal,
An authentication procedure for authenticating the user terminal based on the authentication information received in the authentication information receiving procedure,
The access permission information generation procedure, which generates the access permission information related to the user terminal authenticated by the authentication procedure, and transmits the access permission information to the target device to which the access request information is transmitted from the user terminal.
The same authentication information as the authentication information related to the user terminal from which the access permission information is generated is transmitted from the user terminal that has transmitted the access request information to the target device that is the same as or different from the target device to which the access permission information has been transmitted. Then, the unauthorized access detection method is characterized by executing a risk determination procedure for determining a predetermined risk of unauthorized access for the access request information related to the user terminal that has transmitted the same authentication information.