JP6923806B2 - Fraud detection devices, fraud detection methods, and fraud detection programs - Google Patents

Description

The present invention relates to a fraud detection device, a fraud detection method, and a fraud detection program.

One of the threats to the security of computer systems is fraudulent activity by persons inside the organization that operates the computer system. Measures to deter such internal fraud are important as a security strategy.

As an internal fraud countermeasure, an operation monitoring system that determines the possibility of fraudulent operations being performed for each user from the operation history of a computer terminal has been considered. Further, in order to monitor an unauthorized operation on a computer, an unauthorized operation monitoring program that calculates an unauthorized score by reflecting a suspicious value indicated from a series of operation progresses of a user who operates the computer is also considered.

Japanese Unexamined Patent Publication No. 2010-21257 International Publication No. 2007/077624

In the conventional internal fraud detection technology, a rule for detection is created in advance, and a series of fraudulent operations according to the rule is detected. In this case, if a rule is set so that all suspicious acts can be detected, unauthorized operations can be detected with a high recall rate. The recall rate is the ratio of tampering that can be detected out of all tampering.

However, if the detection targets by the rules are expanded so that the recall rate is high, over-pointing will increase. Over-pointing is that an operation that is not originally fraudulent is regarded as fraudulent and detected. If there are too many over-points in this way, it will be difficult to identify the operations that were actually performed for fraudulent purposes among the actions detected as fraudulent operations, and as a result, the discovery of fraudulent activities such as internal fraud will be delayed. It becomes.

On one side, the case aims to improve the accuracy of fraud detection.

One proposal provides a fraud detection device having a storage unit and a processing unit.
The storage unit contains difference information indicating the difference between the characteristics of the operation related to a specific operation item during the period in which the illicit operation is performed and the characteristics of the operation related to the operation item in the period in which the illicit operation is not performed, and the monitored user. Stores feature information indicating the characteristics of the user's operation regarding the operation item during the period when is not performing an unauthorized operation. The processing unit acquires an operation log indicating the operation performed by the user within the period to be monitored, and the difference between the operation feature related to the operation item shown in the operation log and the feature shown in the feature information is different from the difference information. Based on the comparison result, the fraud suspicion period in which the fraudulent operation is suspected is specified, and the information indicating the operation performed by the user within the fraudulent suspicion period is output.

According to one aspect, the accuracy of detecting fraudulent activity can be improved.

It is a figure which shows the outline of the 1st Embodiment. It is a figure which shows the system configuration example of the 2nd Embodiment. It is a figure which shows one configuration example of the hardware of the fraud detection device used in this embodiment. It is a block diagram which shows the function which a fraud detection device and a terminal device have. It is a figure which shows an example of the operation log storage part of a terminal device. It is a figure which shows an example of the operation log storage part of a fraud detection device. It is a figure which shows an example of the 1st key operation log. It is a figure which shows an example of the 2nd key operation log. It is a figure which shows the recording example of the log about a key operation. It is a figure which shows an example of a mouse operation log. It is a figure which shows an example of an application state log. It is a figure which shows an example of the information which is stored in a personal characteristic storage part. It is a figure which shows an example of the information which is stored in the determination standard storage part. It is a figure which shows an example of the information which is stored in the fraudulent operation detection result storage part. It is a flowchart which shows an example of the procedure of a personal characteristic extraction process. It is a flowchart which shows an example of the procedure of a judgment criterion learning process. It is a flowchart which shows an example of the procedure of fraud suspicion period determination processing. It is a figure which shows the display example of the illicit operation detection result.

Hereinafter, the present embodiment will be described with reference to the drawings. It should be noted that each embodiment can be implemented by combining a plurality of embodiments within a consistent range.
[First Embodiment]
First, the first embodiment will be described.

FIG. 1 is a diagram showing an outline of the first embodiment. The fraud detection device 10 has a storage unit 11 and a processing unit 12. The storage unit 11 is, for example, a memory or a storage device included in the fraud detection device 10. The processing unit 12 is, for example, a processor or an arithmetic circuit included in the fraud detection device 10.

The storage unit 11 stores the difference information 11a and the feature information 11b. The difference information 11a shows the difference between the characteristics of the operation related to the specific operation item in the period in which the illicit operation is performed and the characteristics of the operation related to the operation item in the period in which the illicit operation is not performed. The feature information 11b shows the characteristics of the user 1's operation regarding the operation item during the period in which the monitored user 1 does not perform an unauthorized operation. When a plurality of users are monitored, the feature information 11b for each user is stored in the storage unit 11. The storage unit 11 can store the difference information 11a and the feature information 11b for each of the plurality of operation items.

The processing unit 12 acquires an operation log 3 indicating an operation performed by the user 1 from the terminal device 2 used by the user 1 within the period to be monitored. The operation log 3 includes, for example, operation contents for a keyboard, operation contents for a pointing device such as a mouse, and contents related to an operation of inserting and removing an external device or a recording medium for the terminal device 2.

Next, the processing unit 12 suspects that an unauthorized operation has been performed based on the comparison result of the difference between the operation feature related to the operation item shown in the operation log 3 and the feature shown in the feature information 11b with the difference information 11a. Identify a period of alleged fraud.

For example, the difference information 11a includes a statistic obtained from the operation time of the operation related to the operation item in the period in which the illicit operation is performed, and a statistic obtained from the operation time of the operation related to the operation item in the period in which the illicit operation is not performed. The range of difference with is shown. When the operation item is the mouse operation time, for example, the average value of the mouse operation time (time from drag to drop) by a plurality of users is the statistic of the operation item. The difference information 11a shows the range of the difference between the average mouse operation time during the period in which the illicit operation is performed and the average mouse operation time during the period in which the illicit operation is performed. For example, it can be presumed that a fraudster who is conscious of tampering is in a tense state at the time of tampering. In general, it is assumed that the mouse operation time tends to be prolonged by a seconds (a is a positive real number) or more at the time of tension. In this case, the difference information 11a is associated with the operation item "mouse operation time", and information is set to prolong the time by a seconds or more at the time of unauthorized operation (during tension).

Further, the feature information 11b shows, for example, a statistic obtained from the operation time of the operation of the user 1 regarding the operation item in the period during which the user 1 does not perform an illegal operation. In this case, the processing unit 12 keeps the difference between the value obtained from the operation time of one operation related to the operation item shown in the operation log 3 and the statistic shown in the feature information 11b within the range shown in the difference information 11a. At one point, the time zone including the time when one operation was performed is specified as the fraud suspicion period. The value obtained from the operation time of one operation is, for example, the elapsed time (operation time) from the operation start time to the operation end time of the corresponding operation.

In the example of FIG. 1, the mouse operation time of the user 1 in normal times is "T1". Further, the operation log 3 of the user 1 shows that the mouse operation of the file drag was performed at the time "t2" and the mouse operation of the file drop was performed at the time "t3". The difference information 11a indicates that the mouse operation time is extended by a seconds or more at the time of unauthorized operation (during tension). In this case, the processing unit 12 has the mouse operation time (t3-t2) shown in the operation log 3 longer than the normal mouse operation time “T1” of the user 1 by a seconds or more (t3-t2> T1 + a). ) Whether or not. When it is confirmed that the mouse operation time is extended by a seconds or more, the processing unit 12 sets the time zone including the time when the mouse operation is performed (t2, t3) as the fraud suspicion period. In the fraud suspicion period, for example, the last operation related to the operation item is performed from "t2-b" (b is a positive real number), which is a predetermined time before the time "t2" when the first operation related to the operation item is performed. It is a period until "t3 + b" after a predetermined time of the time "t3".

The processing unit 12 that specifies the fraud suspicion period outputs information indicating the operation performed by the user 1 during the fraud suspicion period. For example, the processing unit 12 causes the monitor to display the fraudulent operation display screen 4 indicating the operation performed by the user 1 within the fraudulent suspicion period. In the example of FIG. 1, during the period of suspicion of fraud, "USB (Universal Serial Bus) memory connection" at time "t1", "mouse operation (file drag)" at time "t2", and "mouse operation (mouse operation)" at time "t3". File drop) ”and“ USB memory removal ”at time“ t4 ”are included. This series of operations is displayed on the unauthorized operation display screen 4 as an operation to be confirmed whether or not unauthorized information has been taken out.

According to such a fraud detection device 10, the fraud suspicion period in which the user 1 performs an operation performed in a tense state (an operation suspected of fraud) is specified based on the characteristics of the normal operation of the individual user 1. Will be done. As a result, it is possible to suppress over-pointing by displaying the operation within the fraud suspicion period as a priority confirmation target. By suppressing over-pointing, the accuracy of detecting fraudulent activity is improved. As a result, the number of operations for confirming whether or not the fraudulent activity has actually been performed is small, and the delay in finding the fraudulent activity can be suppressed.

The fraud detection process shown in FIG. 1 can be combined with fraud detection using a fraudulent operation scenario. In that case, the storage unit 11 further stores fraudulent scenario information indicating the procedure of fraudulent operation. The processing unit 12 outputs information indicating a series of operations according to the procedure shown in the fraud scenario information among the operations performed by the user 1 during the fraud suspicion period. Thereby, the fraudulent operation can be detected with a high recall rate based on the fraudulent scenario information, and the operation within the fraudulent suspicion period can be displayed as a confirmation target from the detected fraudulent operations. As a result, it is possible to suppress over-pointing while ensuring a high recall rate.

Further, the processing unit 12 can also determine whether or not the user 1 is likely to reflect the psychological state at the time of unauthorized operation in the operation log 3 based on the operation log 3. For example, it is considered that the greater the variation in the operation time from normal times, the easier it is to be upset in a situation where tension is forced, and the psychological state at the time of unauthorized operation is more likely to be reflected in the operation log 3. Therefore, if the standard deviation of the operation time (for example, mouse operation time) related to the operation of each operation item of the user 1 in normal times is equal to or more than a predetermined value, the processing unit 12 indicates that the user 1 has an operation log of the psychological state at the time of unauthorized operation. Judge that it is easy to be reflected in 3. Further, if the standard deviation is less than a predetermined value, the processing unit 12 determines that the user 1 is unlikely to reflect the psychological state at the time of unauthorized operation in the operation log 3.

When the processing unit 12 displays the operation history of a series of operations according to the procedure shown in the fraudulent scenario information performed by the user 1 within the period to be monitored, the psychological state at the time of the fraudulent operation by the user 1 is the operation log 3. The display mode is changed depending on whether or not it is easily reflected in. For example, when the psychological state at the time of fraudulent operation is likely to be reflected in the operation log 3, the processing unit 12 highlights the history of operations performed by the user 1 within the fraudulent suspicion period in the displayed operation history. Further, when it is difficult for the psychological state at the time of unauthorized operation to be reflected in the operation log 3, the processing unit 12 suppresses the highlighting of the history of the operation performed by the user 1 within the suspicion period of unauthorized operation in the displayed operation history.

As a result, when detecting fraudulent activity that leads to internal fraud related to information leakage, the fraud detection result is displayed by distinguishing between those who have an influence on the operation time and others whose psychological state is due to the fraudulent activity. Can be done. As a result, it is possible to individually determine for each user whether or not to reduce false positives (excessive indications) by using the characteristics of individual operations, and to prevent erroneous application of the excessive indication reduction process.

When the storage unit 11 stores the difference information 11a and the feature information 11b for each of the plurality of operation items, the difference information 11a and the feature information 11b of the plurality of operation items are combined to set the fraud suspicion period. It may be specified. For example, in the processing unit 12, for each of the plurality of operation items, the difference between the operation time of one operation related to the operation item shown in the operation log 3 and the statistic shown in the feature information 11b is within the range shown in the difference information 11a. When there is, the time of the suspected fraudulent operation in which one operation was performed is calculated. Then, the processing unit 12 specifies a time zone including the fraudulent suspicion operation time for a predetermined number or more of the operation items as the fraud suspicion period. As a result, the accuracy of determining the fraudulent suspicion period can be improved.

Further, when the storage unit 11 stores the difference information 11a and the feature information 11b for each of the plurality of operation items, for example, the processing unit 12 is in the period during which the illegal operation is performed among the plurality of operation items. Select an operation item for which the value shown in the difference information is equal to or greater than the threshold value. The processing unit 12 obtains the first sum of the values shown in the difference information of the selected operation items. Next, the processing unit 12 obtains a second sum of the statistics for each selected operation item of the values indicating the characteristics of the operation within one period regarding the selected operation item shown in the operation log 3. Next, the processing unit 12 obtains a third sum obtained by summing the values shown in the feature information 11b relating to the selected operation item. Then, the processing unit 12 determines whether or not there is a suspicion that an illegal operation has been performed within one period based on the comparison result of the difference between the second sum and the third sum with the first sum. do. For example, when the difference between the second sum and the third sum is equal to or greater than the first sum for one period, the processing unit 12 specifies the one period as the fraud suspicion period. The processing unit 12 determines whether or not the one period corresponds to the fraud suspicion period while changing the range of one period within the collection period of the operation log 3. As a result, the accuracy of determining the fraudulent suspicion period can be improved.

It should be noted that the user 1 may be in a tense state other than during an unauthorized operation. And when it becomes tense, input errors increase and work efficiency decreases. If the fraud detection device 10 analyzes the length of the fraud suspicion period and the frequency of occurrence of the user 1, it is a time zone that leads to inadvertent mistakes and a decrease in work efficiency, which are related not only to internal fraud but also to tension in normal work. It is also possible to find out and take proactive measures and support.

Further, whether or not the psychological state at the time of unauthorized operation is likely to be reflected in the operation log 3 may differ depending on the time zone even for one user 1. Therefore, for example, the processing unit 12 divides the operation log 3 of one user 1 into a weekly unit, a daily unit, or a finer time zone unit. Then, the processing unit 12 determines whether or not the psychological state at the time of unauthorized operation is likely to be reflected in the operation log 3 for each time zone based on the operation log for each time zone obtained by dividing. As a result, it is possible to appropriately apply the reduction process of over-pointing according to the situation change of each user at regular intervals.

[Second Embodiment]
Next, the second embodiment will be described. In the second embodiment, it is determined whether or not the user who performed the act was in a tense state during the time zone in which the act that may be fraudulent was detected based on the rule base, and the user in the tense state was determined. If the act is performed below, it raises the alert level of the act.

FIG. 2 is a diagram showing a system configuration example of the second embodiment. The fraud detection device 100 is connected to a plurality of terminal devices 41 to 43 via the network 20. The terminal devices 41 to 43 are computers used by users 31 to 33, respectively. The fraud detection device 100 is a computer that monitors the operation status of the terminal devices 41 to 43 by the users 31 to 33 and detects the fraudulent activity by the users 31 to 33.

FIG. 3 is a diagram showing a configuration example of the hardware of the fraud detection device used in the present embodiment. The entire device of the fraud detection device 100 is controlled by the processor 101. A memory 102 and a plurality of peripheral devices are connected to the processor 101 via a bus 109. The processor 101 may be a multiprocessor. The processor 101 is, for example, a CPU (Central Processing Unit), an MPU (Micro Processing Unit), or a DSP (Digital Signal Processor). At least a part of the functions realized by executing the program by the processor 101 may be realized by an electronic circuit such as an ASIC (Application Specific Integrated Circuit) or a PLD (Programmable Logic Device).

The memory 102 is used as the main storage device of the fraud detection device 100. At least a part of an OS (Operating System) program or an application program to be executed by the processor 101 is temporarily stored in the memory 102. Further, various data used for processing by the processor 101 are stored in the memory 102. As the memory 102, for example, a volatile semiconductor storage device such as a RAM (Random Access Memory) is used.

Peripheral devices connected to the bus 109 include a storage device 103, a graphic processing device 104, an input interface 105, an optical drive device 106, a device connection interface 107, and a network interface 108.

The storage device 103 electrically or magnetically writes and reads data from the built-in recording medium. The storage device 103 is used as an auxiliary storage device for a computer. The storage device 103 stores an OS program, an application program, and various data. As the storage device 103, for example, an HDD (Hard Disk Drive) or an SSD (Solid State Drive) can be used.

A monitor 21 is connected to the graphic processing device 104. The graphic processing device 104 causes the image to be displayed on the screen of the monitor 21 in accordance with the instruction from the processor 101. The monitor 21 includes a display device using a CRT (Cathode Ray Tube), a liquid crystal display device, and the like.

A keyboard 22 and a mouse 23 are connected to the input interface 105. The input interface 105 transmits signals sent from the keyboard 22 and the mouse 23 to the processor 101. The mouse 23 is an example of a pointing device, and other pointing devices can also be used. Other pointing devices include touch panels, tablets, touchpads, trackballs and the like.

The optical drive device 106 reads the data recorded on the optical disk 24 by using a laser beam or the like. The optical disk 24 is a portable recording medium on which data is recorded so that it can be read by reflection of light. The optical disk 24 includes a DVD (Digital Versatile Disc), a DVD-RAM, a CD-ROM (Compact Disc Read Only Memory), a CD-R (Recordable) / RW (ReWritable), and the like.

The device connection interface 107 is a communication interface for connecting peripheral devices to the fraud detection device 100. For example, a memory device 25 or a memory reader / writer 26 can be connected to the device connection interface 107. The memory device 25 is a recording medium equipped with a communication function with the device connection interface 107. The memory reader / writer 26 is a device that writes data to or reads data from the memory card 27. The memory card 27 is a card-type recording medium.

The network interface 108 is connected to the network 20. The network interface 108 transmits / receives data to / from another computer or communication device via the network 20.

With the hardware configuration as described above, the function of the fraud detection device 100 according to the second embodiment can be realized. The functions of the terminal devices 41 to 43 can also be realized by the same hardware as the fraud detection device 100. Further, the function of the fraud detection device 10 shown in the first embodiment can also be realized by the same hardware as the fraud detection device 100.

The fraud detection device 100 realizes the processing function of the second embodiment, for example, by executing a program recorded on a computer-readable recording medium. The program that describes the processing content to be executed by the fraud detection device 100 can be recorded on various recording media. For example, a program to be executed by the fraud detection device 100 can be stored in the storage device 103. The processor 101 loads at least a part of the program in the storage device 103 into the memory 102 and executes the program. Further, the program to be executed by the fraud detection device 100 can be recorded on a portable recording medium such as an optical disk 24, a memory device 25, and a memory card 27. The program stored in the portable recording medium can be executed after being installed in the storage device 103 under the control of the processor 101, for example. The processor 101 can also read and execute the program directly from the portable recording medium.

The fraud detection device 100 according to the second embodiment uses both the fraud detection based on the rule and the prediction of the time zone in which the fraud is performed based on the change in the psychological state of each user 31 to 33.

For detection of internal fraud based on rules, if the rules can be set accurately, fraudulent behavior can be detected with a high recall rate according to the set rules. However, if the coverage is increased by expanding the detection target of the rule in order to improve the recall rate, over-pointing will increase.

Therefore, the fraud detection device 100 does not simply detect fraudulent processing only by rules, but determines the psychological state at the time of operation by users 31 to 33 to improve the accuracy of detecting fraudulent operations.

As an example of the psychological state during the operation of the users 31 to 33, it can be mentioned that the users 31 to 33 are in a tense state when performing an illegal operation. If the characteristic behaviors and movements of the users 31 to 33 can be checked in detail, it is possible to measure the degree of tension of each of the users 31 to 33 from the characteristic information regarding the normal operation of each of the users 31 to 33.

Therefore, the fraud detection device 100 finds out the relationship between the degree of tension and the fraudulent operation from the pseudo internal fraudulent activity of the user, and determines the ease of deriving the relationship with the tension at the time of the fraudulent operation. Specifically, the fraud detection device 100 acquires, for example, several weeks' worth of logs of normal operations performed by a plurality of users 31 to 33 on terminal devices 41 to 43. After that, at least a part of the plurality of users 31 to 33 is asked to perform a predetermined pseudo tampering operation. The fraud detection device 100 acquires an operation log from a terminal device used by a user who has performed a fraudulent operation. Then, the fraud detection device 100 analyzes the collected operation log to detect the characteristics of the operation at the time of fraudulent operation.

For example, during an unauthorized operation related to taking out normal information, the psychological state will be different from that during normal operation, such as worrying about the surroundings, feeling guilty, or anxious about finding it (in a psychologically different situation). To be taken). Therefore, when the collected operation logs are analyzed, in various operation items, the operation log at the time of unauthorized operation shows a change different from that at the time of normal operation. For example, changes appear in keyboard keystrokes (speed, interval), changes appear in mouse operations (click, drag speed and time), and changes appear in application switching (number of times, speed). The fraud detection device 100 identifies the operation item in which these changes appear as an operation item used for determining the fraud suspicion period. Then, the fraud detection device 100 calculates a singular value (difference between the statistic at the time of illicit operation and the statistic at normal time) of the specified operation item, and determines the tension time zone during which the illicit operation is performed based on the singular value. , Judge as a fraudulent suspicion period.

Further, the fraud detection device 100 analyzes in detail the amount of change, distribution, singular value, etc. of the operation shown in the operation log of each operation item used for determining the tension time zone, for example, for each time zone. , The user who can easily discriminate the relationship between the time of tampering and the degree of tension and the user who is difficult to discriminate are discriminated. Then, the fraud detection device 100 specifies the fraud suspicion period only for the user who can easily determine the relationship between the time of fraudulent operation and the degree of tension. By deterring the identification of the fraudulent suspicion period for a user whose relationship between the time of tampering and the degree of tension is difficult to determine, it is possible to deter the identification of an inaccurate suspicion period of fraud.

In this way, by implementing a mechanism for preventing excessive indication for each individual by the fraud detection device 100, it is possible to reduce excessive indication of detection of internal fraud that causes information leakage. Hereinafter, with reference to FIG. 4, the functions of the fraud detection device 100 and the terminal devices 41 to 43 for detecting fraud will be described.

FIG. 4 is a block diagram showing the functions of the fraud detection device and the terminal device. The terminal device 41 has an operation detection unit 41a and an operation log storage unit 41b. The operation detection unit 41a detects the operation performed by the user 31 on the terminal device 41, and stores the operation content in the operation log storage unit 41b. For example, the operation detection unit 41a detects the pressing of a key on the keyboard, the movement of the mouse or the pressing of a button, or the attachment / detachment of the device to / from the terminal device 41, and identifies the operation content from those operations. Then, the operation detection unit 41a stores the operation log indicating the specified operation content in the operation log storage unit 41b in association with the user name of the user 31 who is using the terminal device 41, for example. The operation log storage unit 41b stores the operation log. The other terminal devices 42 and 43 also have the same functions as the terminal device 41.

The fraud detection device 100 includes a scenario storage unit 110, an operation log storage unit 120, a personal characteristic storage unit 130, a determination standard storage unit 140, a fraudulent operation detection result storage unit 150, an operation log acquisition unit 161 and a fraudulent operation sequence detection unit 162. It has a personal characteristic extraction unit 163, a determination standard learning unit 164, a fraud suspicion period determination unit 165, and a fraud operation detection result output unit 166.

The scenario storage unit 110 stores a plurality of fraud detection scenarios 111. In the fraud detection scenario, one or more operation contents that appear in the operation log when the user commits a fraudulent act are shown in chronological order. For example, in the case of unauthorized removal of information, procedures such as connecting the memory device to the terminal device and copying important files to the memory device are shown in the fraud detection scenario.

The operation log storage unit 120 stores operation logs collected from a plurality of terminal devices 41 to 43.
The personal characteristic storage unit 130 stores personal characteristic information of each of the users 31 to 33. The personal characteristic information is information indicating the operating state of the terminal devices 41 to 43 in normal times when the users 31 to 33 are not nervous. For example, the average mouse operation time (time from dragging to dropping), average pressing time of keyboard keys (time from pressing a key to releasing), and the like are included in the personal characteristic information.

The determination standard storage unit 140 stores the determination criteria for the period during which the user is in a tense state (suspicion of fraud). For example, the degree of increase (or degree of decrease) of the mouse operation time as compared with the normal time is stored as a determination criterion.

The fraudulent operation detection result storage unit 150 stores the fraudulent operation detection result.
The operation log acquisition unit 161 acquires operation logs from each of the plurality of terminal devices 41 to 43. The operation log acquisition unit 161 stores the acquired operation log in the operation log storage unit 120. When the operation log acquisition unit 161 stores the operation log in the operation log storage unit 120, the operation log acquisition unit 161 can organize and store the operation log for each type.

The fraudulent operation sequence detection unit 162 detects fraudulent operations (a series of processes) that match a plurality of fraud detection scenarios 111 stored in the scenario storage unit 110 from the operation log storage unit 120. The fraudulent operation sequence detection unit 162 stores information regarding a series of operations that match any of the plurality of fraud detection scenarios 111 in the fraudulent operation detection result storage unit 150. At this time, the fraudulent operation sequence detection unit 162 sets, for example, "caution" as the warning level of the detected fraudulent operation.

The personal characteristic extraction unit 163 refers to the operation log storage unit 120, extracts the personal characteristics of each of the plurality of users 31 to 33 for each operation item, and stores them in the personal characteristic storage unit 130. The personal characteristics to be extracted are, for example, an average value of mouse operation time, an average value of key press time, an average value of window switching interval, and the like.

The judgment standard learning unit 164 learns the judgment criteria based on the operation log of the user who has performed the simulated cheating and the personal characteristics of the user. For example, the determination criterion learning unit 164 compares the average value of the mouse operation time in normal times with the average value of the mouse operation time during the period in which the simulated cheating is performed for each user who has performed the simulated cheating. When it is found that the period during which the user commits a simulated cheating tends to be longer than the normal time by a seconds or more, the judgment standard learning unit 164 determines the judgment criterion "mouse operation time is normal". Learn "Longer than a certain second". The determination standard learning unit 164 stores the learned determination standard in the determination standard storage unit 140.

The judgment standard learning unit 164 does not generate a judgment standard for operation items for which there is no significant difference in the statistics between the normal time and the period during which the simulated cheating is performed. That is, the judgment standard learning unit 164 generates the judgment standard only for the operation items for which a difference can be obtained in advance (which can be used for the judgment of the fraud suspicion period). For example, the determination standard learning unit 164 may determine that an operation item having a small change in the amount of data in the operation log of the operation item cannot be used for determining the suspicion period of fraud, depending on whether or not the operation is illegal. In addition, the judgment standard learning unit 164 determines whether or not the operation item can be used for determining the fraudulent suspicion period, and determines the relevance with other operation items and the regularity of the operation log generation status of the corresponding operation item. Etc. may be taken into consideration.

Further, the judgment standard learning unit 164 may analyze the operation log by dividing the time zone (working hours, overtime hours, break time), and create a judgment standard for each time zone.
Operation items that can be used to determine the fraud suspicion period include, for example, keyboard operation (speed, interval), mouse operation (click, drag, speed and time), and operation related to an arbitrary application (number of startups, number of switchings). Further, the judgment standard learning unit 164 can also create a judgment standard for a combination of a plurality of operation items. The operation items for which the judgment criteria are created include file operations, application operations, network operations, device operations, and the like.

Judgment Criteria The learning unit 164 further determines whether or not it is appropriate to be a target for determining whether or not there is an unauthorized operation due to personal characteristics. The presence or absence of suitability is determined, for example, for each user based on the statistic for each operation item of that user. The operation items used for determining the suitability are, for example, a key operation time (from pressing to release), a mouse click operation time (from pressing to release), and the number of times the application software is switched within a unit time. The determination standard learning unit 164 determines, for example, that when the difference between the average value and the median value of these operation items is large, it is appropriate to determine the presence or absence of unauthorized operation due to personal characteristics. Further, when the standard deviation of these operation items is larger than a predetermined value, the determination standard learning unit 164 determines that it is suitable for determining the presence or absence of illicit operation due to personal characteristics. Further, the determination standard learning unit 164 determines that a user who is particularly slow in pressing or dragging a mouse button is suitable for determining whether or not there is an illegal operation due to personal characteristics.

The fraud suspicion period determination unit 165 compares the operation logs of each of the plurality of users 31 to 33 stored in the operation log storage unit 120 with the individual characteristics of each user, and a period that matches the determination criteria (fraud suspicion period). Is detected. Then, the fraudulent operation detection period determination unit 165 is changed so as to raise the warning level for the fraudulent operation detection result within the fraudulent operation detection period of each user in the fraudulent operation detection result storage unit 150.

The fraudulent operation detection result output unit 166 outputs the information regarding the detected fraudulent operation to the monitor 21. The fraudulent operation detection result output unit 166 displays, for example, a list of a series of fraudulent operations according to the fraud detection scenario on the monitor 21 and highlights information indicating the fraudulent operation performed during the fraud suspicion period.

The line connecting each element shown in FIG. 4 indicates a part of the communication path, and a communication path other than the illustrated communication path can be set. Further, the function of each element shown in FIG. 4 can be realized by, for example, causing a computer to execute a program module corresponding to the element.

Hereinafter, the information stored in the storage units of the terminal device 41 and the fraud detection device 100 will be described in detail.
FIG. 5 is a diagram showing an example of an operation log storage unit of the terminal device. The operation log storage unit 41b stores the unauthorized operation monitoring target log 41c. In the illicit operation monitoring target log 41c, a record for each operation performed by the user 31 on the terminal device 41 is recorded as a log of the corresponding operation.

Each record contains the log output time, log name, and log details. The log output time is, for example, the time when the corresponding log is output to the operation log storage unit 41b of the terminal device 41. The log output time is also the event occurrence time of the event related to the operation corresponding to the log. The log name is a name that uniquely identifies the output log. For example, the name of the log includes a character string indicating the type of the log, a serial number of the log, a version number, and the like. The detailed log information includes information indicating the operation content other than the output time of the log.

The operation log acquisition unit 161 of the fraud detection device 100 acquires the fraud operation monitoring target log 41c from the terminal device 41, aggregates the logs for each type of log, and stores the log in the operation log storage unit 120 in the fraud detection device 100.

FIG. 6 is a diagram showing an example of an operation log storage unit of the fraud detection device. The operation log storage unit 120 stores operation logs 121 to 123 acquired from each of the terminal devices 41 to 43. The user name of the user who is using the terminal device from which the corresponding operation log is acquired is set in each of the operation logs 121 to 123.

The operation log 121 includes, for example, a first key operation log 121a, a second key operation log 121b, a mouse operation log 121c, an application status log 121d, and the like. The first key operation log 121a shows hardware-like information (physical information) about the operated key. The second key operation log 121b shows software-like information (logical information) about the operated key. Information related to mouse operation is shown in the mouse operation log 121c. The application status log 121d shows information about the active application.

In addition to the log shown in FIG. 6, the operation log 121 may include, for example, a process status log, a system status log, a network status log, and a file operation log. The process status log is information indicating, for example, the status (start time, end time, etc.) of the process being executed by the terminal device 41. The system status log is information related to a configuration change such as connection or disconnection of an external device to the terminal device 41. The network status log is information such as time-series changes in the amount of communication via the network. The file operation log is information related to file operations such as creating, copying, and deleting files.

The other operation logs 122 and 123 also include the same information as the operation log 121.
FIG. 7 is a diagram showing an example of the first key operation log. Each record of the first key operation log 121a includes an event occurrence time, an active application sequence number, a process ID, a window level, an event type, and a virtual key code.

The event occurrence time is the time when the event indicating the key input of the keyboard occurs. The active application sequence number is an identification number of the software that was active at the time of key input. The process ID is an identification number of the process that was being executed at the time of key input. The window handle is the identification number of the window that is active at the time of keystroke. The event type is information indicating whether the performed key operation is a key pressing operation (KD: KeyDown) or a key releasing operation (KU: KeyUp). The virtual key code is a code for identifying the operated key.

FIG. 8 is a diagram showing an example of the second key operation log. In each record of the second key operation log 121b, the event occurrence time, active application sequence number, process ID, window handle, normal character, special character, virtual key code, repeat count, Ctrl pressing flag, Shift pressing flag, The Alt pressing flag, the Windows key pressing flag, the key input time, the first key input interval, and the second key input interval are included.

The event occurrence time is the time when the event indicating the key input of the keyboard occurs. The active application sequence number is an identification number of the software that was active at the time of key input. The process ID is an identification number of the process that was being executed at the time of key input. The window handle is the identification number of the window that is active at the time of keystroke.

Normal characters are characters entered by key operation. As for the characters that change due to the combined use of the shift key, the converted characters are output as normal characters. For example, when the "Shift + a" key is pressed, the character "A" is output.

As a special character, a character corresponding to each pressed key is output for a key having a special meaning by combining a plurality of key operations such as a shortcut key. For example, when the user 31 presses the "Ctrl + S" key to save the file, a log indicating "Ctrl + S" is output as a special character. In the example of FIG. 8, since there is no record containing a special character, the corresponding field of each record is blank.

The virtual key code is a code for identifying the operated key. The number of repeats is the number of repetitions when the same key is repeatedly pressed. The number of repeats when not repeated is "0". For example, if the same key is input three times in a row, the number of repeats will be "2".

The Ctrl key pressing flag is a flag indicating whether or not the operation is performed while pressing the Ctrl key. If the Ctrl key is being pressed, the Ctrl key pressing flag is set to "1", and if the Ctrl key is not being pressed, the Ctrl key pressing flag is set to "0".

The Shift key pressing flag is a flag indicating whether or not the operation is performed while the Shift key is being pressed. If the Shift key is being pressed, the Shift key pressing flag is set to "1", and if the Shift key is not being pressed, the Shift key pressing flag is set to "0".

The Alt key pressing flag is a flag indicating whether or not the operation is performed while the Alt key is being pressed. If the Alt key is being pressed, the Alt key pressing flag is set to "1", and if the Alt key is not being pressed, the Alt key pressing flag is set to "0".

The Windows key pressing flag is a flag indicating whether or not the operation is performed while the Windows key is pressed. If the Windows key is being pressed, the Windows key pressing flag is set to "1", and if the Windows key is not being pressed, the Windows key pressing flag is set to "0".

The key input time is the elapsed time from the start (press) of key input to the confirmation (release) of key input. The first key input interval is the time (non-input time) from the state in which all the keys are released to the start of the first key input. The second key input interval is a time interval from the confirmation of the input of the immediately preceding key input to the confirmation of the input of the key input that is the target of the log.

FIG. 9 is a diagram showing an example of recording a log related to a key operation. When the operation detection unit 41a of the terminal device 41 detects the release event of the "A" key after detecting the key event of pressing the "A" key, the log indicating that the key operation of the normal character "a" has been performed. Is output. At this time, the time from when the "A" key is pressed until the "A" key is released is the key input time.

Subsequently, when the "B" key is pressed and the "B" key is released, the operation detection unit 41a outputs a log indicating that the key operation of the normal character "b" has been performed. At this time, the time from when the "B" key is pressed until the "B" key is released is the key input time. The time from when the "A" key is released until when the "B" key is pressed is the first key input interval. The time from the release of the "A" key to the release of the "B" key is the second key input interval.

Next, when the "Ctrl" key is pressed, the "A" key is pressed, and the "A" key is released in order, the operation detection unit 41a indicates that the key operation of the normal character "Ctrl + A" has been performed. Output the log. At this time, the time from when the "Ctrl" key is pressed until the "A" key is released is the key input time. The time from when the "B" key is released until the "Ctrl" key is pressed is the first key input interval. The time from the release of the "B" key to the release of the "A" key is the second key input interval.

After that, when the "C" key is pressed and the "C" key is released in order while the "Ctrl" key is pressed, the operation detection unit 41a performs a key operation of the normal character "Ctrl + C". Output a log indicating that. At this time, the time from the release of the "A" key to the release of the "C" key is the key input time and the second key input interval. Since there is no non-input time, the first key input interval is not recorded.

FIG. 10 is a diagram showing an example of a mouse operation log. In each record of the mouse operation log 121c, the event occurrence time, the active application sequence number, the process ID, the window handle, the event type, the control type, the text of the control, the X coordinate, the Y coordinate, the control X coordinate, the control Y coordinate, and the control Includes width, control height, mouse movement distance, and mouse event interval.

The event occurrence time is the time when the event indicating the mouse button input occurs. The active application sequence number is an identification number of the software that was active at the time of button input. The process ID is an identification number of the process that was being executed when the button was pressed. The window handle is the identification number of the window that is active when the button is pressed. The event type is whether the button operation performed is a left button press operation (LD), a left button release operation (LU), a right button press operation (RD), or a right button release operation (RU). ) Is the information.

The control type is the type of control object specified by the pointer when the mouse button is pressed. The text of the control is the text that is set on the control object specified by the pointer when the mouse button is pressed. The X coordinate is the X coordinate of the pointer when the event occurs. The Y coordinate is the Y coordinate of the pointer when the event occurs. The control X coordinate is the upper left X coordinate of the control object specified by the pointer when the button is pressed. The control Y coordinate is the upper left Y coordinate of the control object specified by the pointer when the button is pressed. The control width is the width of the control object specified by the pointer when the button is pressed. The control height is the height of the control object specified by the pointer when the button is pressed.

The mouse movement distance is the distance between the position of the pointer when the event of the previous mouse button operation occurs and the position of the pointer when the event of the current mouse button operation occurs. The mouse event interval is the time from the occurrence of the previous mouse button operation event to the occurrence of the current mouse button operation event.

FIG. 11 is a diagram showing an example of the application status log. In each record of the application status log 121d, the log output time, active application sequence number, process ID, window handle, execution file name, execution file path, window position X, window position Y, window size (width), window size ( Height), number of tabs open during browser, window title, and active time.

The log output time is the output time of the record indicating the switching of the active window. The active application sequence number is an identification number of the software newly activated by switching the active window. The process ID is the identification number of the process that executes the window activated by switching the active window. The window handle is the identification number of the window newly activated by switching the active window. The executable file name is the file name of the executable file of the process that executes the activated window. The executable file path is the directory path of the executable file of the process that runs the activated window. The window position X is the X coordinate of the upper left position of the activated window. The window position Y is the Y coordinate of the upper left position of the activated window. The window size (width) is the width of the activated window. The window size (height) is the height of the activated window. The number of tabs open in a browser is the number of tabs open in that window if the activated window is a tab browser. The window title is the title string set for the activated window. The active time is the time the window was active.

In the example of FIG. 11, in the fifth record, the values of various operation items such as the process ID and the window handle are “0”. This indicates that there is no active window.

FIG. 12 is a diagram showing an example of information stored in the personal characteristic storage unit. For example, the personal characteristic management table 131 is stored in the personal characteristic storage unit 130. In the personal characteristic management table 131, a normal statistic (for example, an average value) for each of a plurality of operation items and an aptitude determination result for determining the presence or absence of unauthorized operation based on personal characteristics are set for each user. Will be done. In the example of FIG. 12, the statistics of the mouse operation time, the key press time, the window switching interval, and the like in the normal psychological state of each user are set.

As the aptitude judgment result, "appropriate" is set for a user who has aptitude to be judged by personal characteristics, and "not aptitude" is set for a user who does not have aptitude to be judged by personal characteristics.

FIG. 13 is a diagram showing an example of information stored in the determination standard storage unit. For example, the determination standard management table 141 is stored in the determination standard storage unit 140. In the determination standard management table 141, determination criteria are set for each of the plurality of operation items. For example, the criterion for the operation item "mouse operation time" is that "it is longer than normal by a second or more".

FIG. 14 is a diagram showing an example of information stored in the fraudulent operation detection result storage unit. For example, the fraudulent operation detection result file 151 is stored in the fraudulent operation detection result storage unit 150. The fraudulent operation detection result file 151 records a header, detection condition information, and a record for each fraudulent operation.

The data included in each record is defined in the header. The detection condition information defines conditions for detecting as an unauthorized operation. For example, the upper limit threshold value of the network communication amount, the type of the external media to be detected for connection, and the like are set in the detection condition information. The content of the detected illicit operation is set in each record.

For example, for each record, warning level, user name, detection target time zone (start time), detection target time zone (end time), mouse click time, network transmission / reception amount, active application monitoring target, file operation-file copy size, File operations-Includes data such as copy destination media, external media connection detection targets, and detection result messages. Of the fields for these data in the record, the fields of data unrelated to the detected tampering are set to empty data.

Unauthorized operation is detected using the above data. Specifically, after the operation log acquisition unit 161 acquires the operation log from each terminal device 41 to 43, the personal characteristic extraction process is performed.

FIG. 15 is a flowchart showing an example of the procedure of the personal characteristic extraction process. Hereinafter, the process shown in FIG. 15 will be described along with the step numbers.
[Step S101] The personal characteristic extraction unit 163 selects one user based on the user name set in each of the plurality of operation logs 121 to 123 stored in the operation log storage unit 120.

[Step S102] The personal characteristic extraction unit 163 reads the operation log of the selected user from the operation log storage unit 120.
[Step S103] The personal characteristic extraction unit 163 selects one operation item to be analyzed. For example, the personal characteristic extraction unit 163 selects one unselected operation item from the plurality of operation items preset in the personal characteristic management table 131.

[Step S104] The personal characteristic extraction unit 163 calculates the statistic for the selected operation item based on the operation log of the selected user. The statistic is, for example, an average value. As a result, for example, operation items related to keyboard keystrokes (speed, interval, etc.), operation items related to mouse operation (click or drag time, etc.), and operation items related to application switching (number of times, speed, etc.) can be obtained in normal times.

[Step S105] The personal characteristic extraction unit 163 stores the value calculated in step S104 in the operation item selected by the selected user in the personal characteristic storage unit 130.
[Step S106] The personal characteristic extraction unit 163 determines whether or not all the operation items have been selected. If all the operation items have been selected, the personal characteristic extraction unit 163 advances the process to step S107. Further, the personal characteristic extraction unit 163 advances the process to step S103 when there is an unselected operation item.

[Step S107] The personal characteristic extraction unit 163 determines whether or not all users have been selected. The personal characteristic extraction unit 163 ends the personal characteristic extraction process if all users have already selected it. If there is an unselected user, the personal characteristic extraction unit 163 advances the process to step S101.

In this way, the statistic for each operation item of each user is calculated and stored in the personal characteristic storage unit 130.
After that, the judgment criterion learning process is performed based on the operation log of the user who committed the fraudulent activity during the fraudulent activity period. For example, at least some of the plurality of users 31 to 33 are asked to perform pseudo-fraud. At this time, the user is asked to maintain a tense state by imposing conditions such as preventing others from seeing the work contents. The system administrator asks the user to report the period of pseudo-fraud. Then, the system administrator causes the fraud detection device 100 to learn the determination criteria based on the period during which the pseudo fraud is performed.

FIG. 16 is a flowchart showing an example of the procedure of the determination standard learning process. Hereinafter, the process shown in FIG. 16 will be described along with the step numbers.
[Step S201] The determination criterion learning unit 164 accepts input of fraudulent activity information including the user who committed the fraudulent activity (the fraudulent person) and the period during which the fraudulent activity was performed (the fraudulent activity period). When there are a plurality of cheating persons, the determination criterion learning unit 164 accepts the input of a plurality of cheating information.

[Step S202] The determination criterion learning unit 164 selects one operation item to be learned.
[Step S203] The determination criterion learning unit 164 selects one of the unselected cheating persons.

[Step S204] The determination criterion learning unit 164 reads the operation log of the cheating period of the selected cheating person from the operation log storage unit 120.
[Step S205] The determination criterion learning unit 164 is based on the operation log output during the fraudulent activity period of the fraudster, and the statistic (for example, average value) of the selected operation item within the corresponding period at the time of fraudulent activity. Is calculated.

[Step S206] The determination criterion learning unit 164 calculates the singular value of the operation item selected by the selected cheating person. For example, the judgment criterion learning unit 164 determines the difference between the statistic of the corresponding operation item obtained in normal times of the cheating person and the statistic at the time of cheating obtained in step S205 (statistic at the time of cheating-statistics at normal times). Quantistic value). If the statistic is larger during cheating, the singular value will be positive, and if the statistic is smaller during cheating, the singular value will be negative.

[Step S207] The determination criterion learning unit 164 determines whether or not all the cheating persons have been selected. If all the cheating persons have been selected, the determination criterion learning unit 164 proceeds to step S208. Further, the determination standard learning unit 164 proceeds to step S203 when there is an unselected cheating person.

[Step S208] Judgment Criteria The learning unit 164 determines a determination criterion for whether or not the fraudulent suspicion period is related to the selected operation item, based on the average of the singular values of the cheating person in the selected operation item. For example, when the average of the singular values of the cheating person is positive, the judgment criterion learning unit 164 determines the period during which the value of the operation item exceeds the singular value or more from the normal statistics of the individual user of the operation item. The period of suspicion of fraud is determined as a criterion. Further, when the average of the singular values of the cheating person is negative, the judgment criterion learning unit 164 determines the period during which the value of the operation item is less than the singular value from the normal statistics of the individual user of the operation item. The period of suspicion of fraud is determined as the criterion for the period of suspicion of fraud.

The judgment criterion learning unit 164 identifies an operation item whose singular value is equal to or higher than the threshold value, that is, an operation item in which a significant difference in statistics occurs between the period of cheating and the period of no cheating, and the specified operation item. The sum of the singular values of may be used to determine the period of suspicion of fraud. In this case, the determination criterion learning unit 164 calculates, for example, the difference between the statistic of the value of the specified operation item in the operation log storage unit 120 and the statistic of the individual user in normal times for the specified operation item. In the case, the period in which the sum of the differences in the statistics exceeds the sum of the singular values of each of the specified operation items is determined as the fraud suspicion period as the criterion for determining the fraud suspicion period.

[Step S209] The determination criterion learning unit 164 stores the determination criterion of the determined fraud suspicion period in the determination criterion storage unit 140.
[Step S210] The determination criterion learning unit 164 determines whether or not all the operation items have been selected. If all the operation items have been selected, the process proceeds to step S211. Further, if there is an unselected operation item, the determination criterion learning unit 164 advances the process to step S202.

[Step S211] The determination criterion learning unit 164 selects one user.
[Step S212] The determination criterion learning unit 164 determines whether or not the selected user can determine the fraud suspicion period based on the personal characteristics (presence or absence of suitability).

For example, the determination criterion learning unit 164 analyzes statistics such as a time change of a value and a singular value (only in the case of a cheating person) for each operation item for a selected user by time zone. Then, the judgment standard learning unit 164 determines whether or not there is a relationship between an operation different from usual such as an illegal operation and the value of the corresponding operation item, and the strength of the relationship.

For example, a user whose time change range of the value of an operation item is usually small is expected that the value of the operation item does not change significantly even in a tense state. Therefore, in the judgment standard learning unit 164, for example, a user who has a predetermined number or more of operation items such that the width of the time change of the value of the operation item is equal to or less than a preset threshold value is subject to the determination of the fraud suspicion period based on personal characteristics. Judge that it is not suitable to do. By analyzing the operation item information in this way, a person who can easily determine the fraudulent suspicion period based on personal characteristics based on the operation log and a person who has difficulty in determining the fraudulent suspicion period can be identified.

At this time, the judgment standard learning unit 164 calculates the number of data per day, the maximum value, the minimum value, the average value, the median value, the variance, the standard deviation, and the statistic of the entire distribution for each operation item, and the central portion. Only the personal characteristics results that come to may be adopted. For example, the determination criterion learning unit 164 determines the presence or absence of suitability by excluding values that are separated from the average value by, for example, 3σ (three times the standard deviation) or more from the plurality of values of each operation item.

[Step S213] The determination standard learning unit 164 stores the determination result as to whether or not the selected user has aptitude in the personal characteristic storage unit 130.
[Step S214] The determination criterion learning unit 164 determines whether or not all users have been selected. The judgment standard learning unit 164 ends the judgment standard learning process if all the users have already selected it. If there is an unselected user, the determination criterion learning unit 164 advances the process to step S211.

In this way, the determination standard of the fraudulent suspicion period is set in the determination standard storage unit 140, and for each user, the suitability of whether or not the fraud suspicion period can be determined based on the individual characteristics is set in the personal characteristic storage unit 130. Will be done. Then, the fraud suspicion period determination process is performed using the information stored in the personal characteristic storage unit 130 and the determination standard storage unit 140.

FIG. 17 is a flowchart showing an example of the procedure for determining the fraudulent suspicion period. Hereinafter, the process shown in FIG. 17 will be described along with the step numbers.
[Step S301] The fraud suspicion period determination unit 165 selects one user.

[Step S302] The fraud suspicion period determination unit 165 determines whether or not the selected user is suitable as a target for determining the fraud suspicion period based on personal characteristics. For example, the fraud suspicion period determination unit 165 refers to the personal characteristic storage unit 130, and if the aptitude determination result of the selected user is set to "appropriate", the suitability as a target for determining the fraud suspicion period based on the personal characteristics. Judge that there is. The fraud suspicion period determination unit 165 proceeds to step S303 if appropriate. If the fraud suspicion period determination unit 165 is not suitable, the process proceeds to step S309.

[Step S303] The fraud suspicion period determination unit 165 reads the operation log of the selected user from the operation log storage unit 120.
[Step S304] The fraud suspicion period determination unit 165 selects one unselected operation item.

[Step S305] The fraud suspicion period determination unit 165 compares the record related to the selected operation item in the operation log of the selected user with the determination criteria of the selected operation item, and performs an operation satisfying the determination criteria. Specify the period (suspicion period of fraud by operation item). For example, when the operations satisfying the determination criteria are continuously performed at intervals of a predetermined time or less, the fraud suspicion period determination unit 165 operates a period including the log output time of each of the consecutive operations. The period of suspicion of fraud by item.

[Step S306] The fraud suspicion period determination unit 165 determines whether or not all the operation items have been selected. If all the operation items have been selected, the fraud suspicion period determination unit 165 proceeds to step S307. If there is an unselected operation item, the fraud suspicion period determination unit 165 proceeds to step S304.

[Step S307] The fraud suspicion period determination unit 165 identifies overlapping periods in a predetermined number or more (for example, half or more of all operation items) of the fraud suspicion periods for each operation item, for example, 15 minutes before and after the specified period. The added period is determined to be the fraud suspicion period of the selected user.

[Step S308] The fraud suspicion period determination unit 165 raises the warning level of the fraudulent operation information detected within the fraud suspicion period of the selected user. For example, the fraudulent operation detection period determination unit 165 extracts a record indicating fraudulent operation information detected within the fraudulent operation detection period of the selected user from the fraudulent operation detection result file 151 in the fraudulent operation detection result storage unit 150. Then, the fraud suspicion period determination unit 165 changes the warning level of the extracted record to "emergency confirmation" and writes it back to the fraud detection result file 151. The warning level "emergency confirmation" is a higher level warning than the warning level "caution".

[Step S309] The fraud suspicion period determination unit 165 determines whether or not all users have been selected. The fraud suspicion period determination unit 165 ends the fraud suspicion period determination process when all the users have been selected. If there is an unselected user, the fraud suspicion period determination unit 165 proceeds to step S301.

The fraud suspicion period determination unit 165 may narrow down the operation items to be selected in step S304 to the operation items whose singular value obtained in step S202 of FIG. 16 is equal to or greater than the threshold value. In this case, instead of the process of step S305, the fraud suspicion period determination unit 165 calculates the statistic of the value in the record within the predetermined determination period for the selected operation item in the operation log of the selected user. Next, the fraud suspicion period determination unit 165 calculates the difference between the calculated statistic and the normal statistic of the operation item selected by the selected user. The determination period is, for example, a plurality of periods obtained by dividing the operation log collection period into fixed time units.

Further, when the fraud suspicion period determination unit 165 narrows down the operation items to be selected to the operation items whose singular value is equal to or greater than the threshold value, the statistic of each determination period calculated for each selected operation item is replaced with the process of step S307. The difference is used to determine the period of suspicion of fraud. For example, the fraud suspicion period determination unit 165 totals the difference in the statistics of the corresponding determination period calculated for each of the selected operation items for each determination period. Further, the fraud suspicion period determination unit 165 calculates the sum of the singular values of each operation item whose singular value is equal to or greater than the threshold value. Then, when the total difference of the statistics of the determination period is equal to or greater than the sum of the singular values, the fraud suspicion period determination unit 165 determines the determination period as the fraud suspicion period of the selected user.

In this way, for example, a time zone in which the user is in a tense state is specified as a fraudulent suspicion period, and a record indicating a fraudulent operation according to a fraud detection scenario performed within the fraud suspicion period is set to a high warning level. Be changed. Then, the fraudulent operation detection result output unit 166 visualizes the fraudulent operation detection result, and the visualized fraudulent operation detection result is displayed on the monitor 21.

FIG. 18 is a diagram showing a display example of an unauthorized operation detection result. On the fraudulent operation detection result display screen 50, for example, the time change of the value for each operation item of a specific user is displayed. In the example of FIG. 18, the time change of the mouse click time is shown. Further, on the fraudulent operation detection result display screen 50, for example, a time-series change of the active application software is displayed.

Then, a list of detected fraudulent operations is displayed on the fraudulent operation detection result display screen 50. In the tampering list, the warning level and the detection time zone for the detected tampering are displayed. Among the displayed illicit operations, the illicit operations performed within the suspicion period of the user's illicit operation have a warning level of "emergency confirmation". An illicit operation with a warning level of "emergency confirmation" is highlighted, for example, in a color different from other illicit operations.

In this way, even if the illicit operation includes over-pointing and a large amount of illicit operation is detected, it is possible to prevent the oversight of the illicit operation that is likely to have actually been performed. .. As a result, delays in finding fraudulent activity are suppressed.

Actually, the operation log information of one week's worth of 24 users is acquired, and those users are made to perform the pseudo-illegal operation of the preset contents at an arbitrary time, and the criterion of the fraud suspicion period is determined. I learned. After that, a specific pseudo fraud operation date was specified, some users were made to perform pseudo fraud, and the fraud detection device 100 narrowed down the detected fraudulent operations. As a result, it was determined that 24 out of 72 illicit operations for 13 people detected in one day of the pseudo tampering day were out of the suspicion period (excessive indication). This means that a total of 24 excessive alerts were suppressed for 13 people. Moreover, the recall rate did not change and could be maintained at 100%. That is, the pseudo-illegal operation performed by the user was detected as an unauthorized operation, and the period during which the pseudo-illegal operation was performed was specified as the fraud suspicion period of the user.

Moreover, fraudulent operations detected for users who are not suitable for determining the fraudulent suspicion period based on their personal characteristics are not subject to reduction of over-pointing, so the recall rate is reduced by inappropriate reduction of over-pointing. Is being deterred.

[Other embodiments]
In the second embodiment, the over-pointing suppression process of illicit operation using the personal characteristic is applied only to the appropriate user who is the target for determining the presence or absence of illicit operation based on the personal characteristic. The presence or absence of such aptitude may be determined not for each user but for each time zone, for example. For example, the fraud detection device 100 can be divided into working hours, overtime hours, and break times, and can determine whether or not it is suitable as a target for determining the presence or absence of fraudulent operations based on personal characteristics. Then, the fraud detection device 100 applies the excessive indication suppression process of fraudulent operation using personal characteristics only in the time zone when it can be determined that the fraud detection device 100 is suitable.

The fraud detection device 100 can also analyze the operation log for each time zone (working hours, overtime hours, break time) as to whether or not each operation item can be used for determining the fraud suspicion period.

Although the embodiment has been illustrated above, the configuration of each part shown in the embodiment can be replaced with another having the same function. Further, any other components or processes may be added. Further, any two or more configurations (features) of the above-described embodiments may be combined.

1 User 2 Terminal device 3 Operation log 4 Illegal operation display screen 10 Illegal detection device 11 Storage unit 11a Difference information 11b Feature information 12 Processing unit

Claims (8)

Difference information indicating the difference between the characteristics of the operation related to a specific operation item during the period when the illicit operation is performed and the characteristics of the operation related to the operation item during the period when the illicit operation is not performed, and the tampered operation by the monitored user. A storage unit that stores feature information indicating the characteristics of the user's operation related to the operation item during the period during which the operation is not performed.
An operation log indicating the operation performed by the user within the period to be monitored is acquired, and the difference between the operation feature related to the operation item shown in the operation log and the feature shown in the feature information is the difference information. Based on the comparison result of, a processing unit that identifies a fraudulent suspicion period suspected of having been fraudulently operated and outputs information indicating an operation performed by the user within the fraudulent suspicion period, and a processing unit.
Fraud detection device with. The difference information is a statistic obtained from the operation time of the operation related to the operation item during the period when the illicit operation is performed and a statistic obtained from the operation time of the operation related to the operation item during the period when the illicit operation is not performed. Shows the range of difference with
The feature information indicates a statistic obtained from the operation time of the operation of the user regarding the operation item during the period during which the user has not performed an unauthorized operation.
When the fraud suspicion period is specified, the processing unit determines that the difference between the value obtained from the operation time of one operation related to the operation item shown in the operation log and the statistic shown in the feature information is When it is within the range shown in the difference information, the time zone including the time when the one operation is performed is specified as the fraud suspicion period.
The fraud detection device according to claim 1. The storage unit stores the difference information and the feature information for each of the plurality of operation items.
For each of the plurality of operation items, the processing unit has the difference between the value obtained from the operation time of the operation for the operation item shown in the operation log and the statistic shown in the feature information. When it is within the range shown in the information, the fraudulent suspected operation time when the one operation is performed is obtained, and the time zone including the fraudulent suspected operation time for the predetermined number or more of the operation items is specified as the fraudulent suspected period. do,
The fraud detection device according to claim 2. The storage unit stores the difference information and the feature information for each of the plurality of operation items.
The processing unit selects an operation item whose value shown in the difference information during the period in which the illegal operation is performed is equal to or greater than the threshold value from the plurality of the operation items, and shows the operation item in the difference information of the selected operation item. The first sum is obtained by summing the values to be obtained, and the statistic for each selected operation item is summed up with the values indicating the characteristics of the operation within one period regarding the selected operation item shown in the operation log. The sum of 2 is obtained, the third sum is obtained by summing the values shown in the feature information regarding the selected operation item, and the difference between the second sum and the third sum is the first sum. Based on the comparison result with the sum, the suspicion period of fraud is specified by determining whether or not there is a suspicion that the fraudulent operation has been performed within the one period.
The fraud detection device according to claim 1. The storage unit further stores fraudulent scenario information indicating the procedure of fraudulent operation.
When outputting the information, the processing unit outputs information indicating a series of operations according to the procedure shown in the fraud scenario information among the operations performed by the user within the fraud suspicion period.
The fraud detection device according to any one of claims 1 to 4. The processing unit
Further, based on the operation log, the user determines whether or not the psychological state at the time of unauthorized operation is likely to be reflected in the operation log.
When the information is output, the operation history of a series of operations according to the procedure shown in the fraudulent scenario information performed by the user within the period to be monitored is displayed, and the psychological state at the time of the fraudulent operation is described. When it is easy to be reflected in the operation log, the history of the operation performed by the user within the fraud suspicion period is highlighted among the displayed operation history, and it is difficult for the psychological state at the time of the fraudulent operation to be reflected in the operation log. In this case, of the displayed operation history, highlighting of the history of operations performed by the user within the fraudulent suspicion period is suppressed.
The fraud detection device according to claim 5. The computer
Acquires an operation log showing the operations performed by the monitored user within the monitored period, and acquires the operation log.
Difference information indicating the difference between the characteristics of the operation related to a specific operation item during the period in which the illicit operation is performed and the characteristics of the operation related to the operation item in the period in which the illicit operation is not performed, and the user performs the illicit operation. The difference between the operation feature related to the operation item and the feature shown in the feature information shown in the operation log with reference to the feature information indicating the feature of the operation of the user regarding the operation item during the non-operation period. Based on the comparison result with the information, identify the period of suspected fraud that was suspected of fraudulent operation,
Outputs information indicating the operation performed by the user within the fraud suspicion period.
Fraud detection method. On the computer
Acquires an operation log showing the operations performed by the monitored user within the monitored period, and acquires the operation log.
Difference information indicating the difference between the characteristics of the operation related to a specific operation item during the period in which the illicit operation is performed and the characteristics of the operation related to the operation item in the period in which the illicit operation is not performed, and the user performs the illicit operation. The difference between the operation feature related to the operation item and the feature shown in the feature information shown in the operation log with reference to the feature information indicating the feature of the operation of the user regarding the operation item during the non-operation period. Based on the comparison result with the information, identify the period of suspected fraud that was suspected of fraudulent operation,
Outputs information indicating the operation performed by the user within the fraud suspicion period.
A fraud detection program that executes processing.

Images