JP7003361B2 - Authentication device - Google Patents

Description

The present invention relates to an authentication device.

Patent Document 1 discloses an authentication device that generates a model showing a user's characteristics based on a user's behavior history and a user's current behavior information, and authenticates the user using the model. In this model, the place of stay of the user, the application to be used, and the like are used as elements, and the weighting coefficient is determined for each element. The authentication device described in Patent Document 1 evaluates personality by the total of the products of the elements and the weighting factors.

This authentication device uses the user's behavior history as learning data, and among the elements included in the model, the element whose frequency is relatively high for the user as compared with other users has a larger weighting coefficient. That is, in the conventional authentication device, the authentication accuracy of the user to be authenticated is improved by weighting the elements that strongly influence the model showing the characteristics of the user.

Japanese Unexamined Patent Publication No. 2017-134750

However, in the conventional authentication device, elements such as a place of stay and an application to be used are extracted from the user's action history, and weights are given to each extracted element, so that there is a problem that the processing load is large. For example, focusing on the element of the place of stay, the user's home, work place, friend's house, sports gym, etc. are extracted as elements from the user's behavior history, and it is necessary to determine a weighting coefficient for each extracted element. Therefore, the amount of data of the weighting coefficient is enormous, and the data processing load becomes large.

In addition, the weighting coefficient increases as the frequency of inclusion in the user's behavior history increases. Therefore, for example, when a user who has a high stay rate at home and a low stay rate at a sports gym requests authentication at a sports gym, the user There is a problem that the person may not be authenticated even though he / she is the person, and the false rejection rate becomes high.

The present invention has been made in view of the above circumstances, and one of the problems to be solved is to provide a simple authentication device having excellent authentication accuracy.

In order to solve the above problems, when the authentication device according to the preferred embodiment of the present invention receives an authentication request including access information regarding user access, the authentication device according to the evaluation item among the access elements included in the access information is accessed. An index generation unit that generates an index indicating the user's personality regarding the evaluation item based on the elements, an access element related to the evaluation item in the first period, and an access element related to the evaluation item in the second period. It is characterized by including a weighting coefficient generating unit that generates a weighting coefficient according to the degree of fluctuation, and an authentication unit that authenticates the user based on the index and the evaluation value obtained by calculating the weighting coefficient. ..

According to the present invention, it is possible to provide a simple authentication device having excellent authentication accuracy.

It is a figure which shows the system which comprises the authentication server which concerns on a preferred embodiment. It is a block diagram which shows the functional configuration of an authentication server. It is a table which shows an example of an authentication log. This is an example of the first set for each evaluation item. This is an example of the second set for each evaluation item. This is an example of an index set for each evaluation item. It is a figure for demonstrating the 1st period, the 2nd period, and the index period. This is an example of access information at the time of authentication request. It is a flowchart which shows an example of the generation process of the 1st set by an authentication server. It is a flowchart which shows an example of the 2nd set generation processing by an authentication server. It is a flowchart which shows an example of the set generation process for an index by an authentication server. It is a flowchart which shows an example of the authentication process by an authentication server. It is a figure for demonstrating the generation (S42) of an index. It is a figure for demonstrating the calculation of the degree of similarity (S43). It is a figure for demonstrating the calculation (S44) of a weighting coefficient. It is a figure for demonstrating the output (S45) of the evaluation result. It is a figure for demonstrating the variation example of the 1st period, the 2nd period, and the index calculation period. It is a flowchart which shows the 1st set update process when there is an address change. It is a flowchart which shows the 1st set update process when there is a model change. It is a figure which shows an example of the hardware composition of the base station, the mobile device, the storage server, and the authentication server which concerns on one Embodiment of this invention.

Hereinafter, embodiments according to the present invention will be described with reference to the drawings. In the drawings, the dimensions and scale of each part may differ from the actual configuration as appropriate. The embodiments described below are preferred specific examples of the present invention. For this reason, the present embodiment is provided with various technically preferable limitations. However, the scope of the present invention is not limited to these forms unless it is stated in the following description that the present invention is particularly limited.

1. 1. Overall Configuration of System FIG. 1 is a diagram showing a system including an authentication server according to a preferred embodiment. As shown in FIG. 1, the system 100 includes a mobile communication system 4, a network 30 such as the Internet, and an authentication server 50.

The mobile communication system 4 includes a plurality of mobile devices 10, a plurality of base stations 20, and a storage server 40. Further, the mobile communication system 4 includes a wireless network control station (not shown), an exchange station, and the like. In the mobile communication system 4, one mobile device 10 can perform voice communication and data communication with another mobile device 10. An identifier that uniquely identifies the mobile device 10 is assigned to the mobile device 10. In the following description, the identifier that uniquely identifies the mobile device 10 is referred to as a mobile device ID. The mobile device 10 stores the mobile device ID. The mobile device ID corresponds to, for example, a SIM (Subscriber Identity Module) ID or a terminal ID of the mobile device 10.

The mobile device 10 has a function of performing wireless communication. Examples of the mobile device 10 include smartphones, mobile phones, tablets, and wearable terminals.

In the example shown in FIG. 1, one base station 20 accommodates one cell 2. Cell 2 is a range in which the base station 20 can communicate with the mobile device 10. The mobile communication system 4 has a plurality of cells 2. An identifier that uniquely identifies the cell 2 is assigned to each of the plurality of cells 2. In the following description, an identifier that uniquely identifies cell 2 is referred to as a cell ID. In the mobile communication system 4, the position of the user H of the mobile device 10 can be known by specifying the cell ID of the cell 2 in which the mobile device 10 is located.

As the mobile device 10 moves, the cell 2 in which the mobile device 10 is located is switched. The storage server 40 stores the mobile device ID, the cell ID of the cell 2 in which the mobile device 10 is located, and the log 401 in which the time is associated with each other. The storage server 40 may be composed of one server or a plurality of servers.

The mobile communication system 4 is connected to the network 30. The mobile device 10 can communicate with the authentication server 50 via the network 30. The authentication server 50 functions as an authentication device that receives an authentication request transmitted from the mobile device 10 and executes personal authentication of the user H who owns the mobile device 10. The authentication server 50 provides a service to the user H of the mobile device 10. Examples of the service include provision of various contents, purchase of products, use of online buffet, and the like. The authentication server 50 authenticates the person himself / herself, for example, when the user H logs in to the service. Further, the authentication server 50 assigns an identifier to the user H to uniquely identify the user H who uses the service. In the following description, one identifier assigned to one user H is referred to as a user ID.

In the personal authentication, the authentication server 50 uses the user ID and access information included in the authentication request. The access information is information regarding the access status to the authentication server 50 at the time of the authentication request (see FIG. 3). The access information has a plurality of evaluation items. Examples of the evaluation items include a cell ID item, an IP (Internet Protocol) address item, a mobile device ID item of the mobile device 10, a user agent item, and the like. A user agent is, for example, hardware, software (OS, browser, etc.) or a combination thereof used by a user to use a service. For example, each access element included in the cell ID item, that is, the value of the cell ID is "a-1", "a-2", ... In FIG. Each access element included in the item of the IP address, that is, the value of the IP address is "b-1", "b-2", ... In FIG. Each access element included in the mobile device ID item, that is, the value of the mobile device ID is "c-1", "c-2", ... In FIG. The values of each access element included in the user agent item, that is, the user agent are "d-1", "d-2", and so on in FIG. The access information may include items other than the above-mentioned items, or any of the above-mentioned items may be omitted.

When the authentication server 50 receives an authentication request including access information, it generates an index showing the identity of the user H, and a weighting coefficient according to the degree of fluctuation of the element (access element) related to the evaluation item in two different periods. To generate. Then, the authentication server 50 authenticates the user H based on the evaluation value obtained by calculating the index and the weighting coefficient.

2. 2. Function of Authentication Server FIG. 2 is a functional block diagram showing a functional configuration of an authentication server. As shown in FIG. 2, the authentication server 50 includes a communication unit 51, a storage unit 52, and a processing unit 53.

The communication unit 51 communicates with an external device such as the mobile device 10 and the storage server 40 via the network 30. The communication unit 51 is composed of, for example, the communication device 1004 shown in FIG. 20.

The storage unit 52 is a recording medium that can be read by the processing unit 53. The storage unit 52 stores various programs and various data. The storage unit 52 stores the authentication processing program 521 and the service providing program 522. The storage unit 52 is configured, for example, at least one of the memory 1002 and the storage 1003 shown in FIG.

FIG. 3 is an explanatory diagram showing an example of an authentication log. The storage unit 52 stores the authentication log 523 including the user ID and the history of the access information corresponding to the user ID. The storage unit 52 records the authenticated user ID and the access information associated with the authenticated user ID as the authentication log 523 only when the user H is authenticated. From the authentication log 523 shown in FIG. 3, for example, the user H to which the user ID "U001" is assigned is authenticated at "2017/6/1 17:30", and the user H possesses it at the time of the authentication. It can be seen that the mobile device 10 is located in the cell 2 of the cell ID “a-1”. In addition, it can be seen that the user H is using the IP address "b-1", the mobile device ID "c-1", and the user agent "d-1" at the time of the authentication request.

The processing unit 53 shown in FIG. 2 functions as a control center of the authentication server 50. The processing unit 53 functions as a generation unit 530, an index generation unit 534, a weighting coefficient generation unit 535, an authentication unit 536, and an acquisition unit 537 by reading and executing the authentication processing program 521 stored in the storage unit 52. .. Further, the processing unit 53 functions as a service providing unit 538 by reading and executing the service providing program 522 stored in the storage unit 52. The processing unit 53 is composed of, for example, the processor 1001 shown in FIG.

The acquisition unit 537 acquires the log 401 from the storage server 40 and acquires the information about the user H from the mobile device 10. For example, the acquisition unit 537 acquires the user ID of the user H and the access information corresponding to the user ID from the mobile device 10 via the communication unit 51.

The generation unit 530 includes a first generation unit 531, a second generation unit 532, and an index set generation unit 533. The first generation unit 531 and the second generation unit 532 each generate a set of access elements having two different periods. The generated set is used to determine the degree of variation in the access element for the evaluation item. The degree of fluctuation is determined for each evaluation item.

Specifically, the first generation unit 531 generates the first set X1 having the access element of the access information in the first period T1 (see FIG. 7) before the time when the authentication request is received as an element. The first set X1 is obtained for each evaluation item. The first generation unit 531 stores the user ID and the corresponding first set X1 in association with each other in the storage unit 52 for each user ID.

FIG. 4 is an example of the first set for each evaluation item. In this example, for example, four first sets X1 generated for each evaluation item for the user ID "U001" are shown. Specifically, the first set X11 {a-1, a-2, a-8} corresponding to the cell ID item and the first set X12 {b-1, b-2} corresponding to the IP address item. , The first set X13 {c-1} corresponding to the item of the mobile device ID and the first set X14 {d-1, d-2, d-4} corresponding to the item of the user agent are shown. Further, the first set X11 has three access elements (a-1, a-2, and a-8), and the first set X12 has two access elements (b-2, and b-). 2), the first set X13 has one access element (c-1), and the first set X14 has three access elements (d-1, d-2, and d-4). ). When it is not necessary to distinguish the first set X11, X12, X13, and X14, it is referred to as the first set X1.

On the other hand, the second generation unit 532 generates the second set X2 having the access element of the access information in the second period T2 (see FIG. 7) different from the first period T1 as an element. The second set X2 is obtained for each evaluation item. The second generation unit 532 records the user ID and the corresponding second set X2 in association with each other in the storage unit 52 for each user ID.

FIG. 5 is an example of the second set for each evaluation item. In this example, for example, four second sets X2 generated for each evaluation item for the user ID "U001" are shown. Specifically, the second set X21 {a-2, a-3, a-9} corresponding to the cell ID item, the second set X22 {b-1} corresponding to the IP address item, and the mobile device ID. The second set X23 {c-1} corresponding to the item of the user agent and the second set X24 {d-1} corresponding to the item of the user agent are shown. The second set X21 has three access elements (a-2, a-3, and a-9), and the second set X22 has one access element (b-1). , The second set X23 has one access element (c-1), and the second set X24 has one access element (d-1). When it is not necessary to distinguish the second set X21, X22, X23, and X24, it is referred to as the second set X2.

Further, the index set generation unit 533 generates the index set X3 used to generate the index indicating the personality of the user H. The index set generation unit 533 generates the index set X3 having the access element of the access information in the index period T3 (see FIG. 7) before the time when the authentication request is received as an element. The index set X3 is obtained for each evaluation item. The index set generation unit 533 stores the user ID and the corresponding index set X3 in association with each other in the storage unit 52 for each user ID.

FIG. 6 is an example of an index set for each evaluation item. In this example, for example, four index sets X3 generated for each evaluation item for the user ID "U001" are shown. Specifically, the index set X31 {a-1, a-2, a-3, a-8, a-9} corresponding to the cell ID item, and the index set X32 {corresponding to the IP address item. b-1, b-2, b-6}, index set X33 {c-1} corresponding to the mobile ID item, index set X34 {d-1, d-2 corresponding to the user agent item , D-4} is shown. The index set X31 has five access elements (a-1, a-2, a-3, a-8, and a-9), and the index set X32 has three access elements. It has (b-1, b-2, and b-6), the index set X33 has one access element (c-1), and the index set X34 has three access elements (b-1, b-2, and b-6). It has d-1, d-2, and d-4). When it is not necessary to distinguish the index set X31, X32, X33, and X34, it is referred to as the index set X3.

FIG. 7 is a diagram for explaining the first period, the second period, and the index calculation period. The first period T1, the second period T2, and the index period T3 are defined by the start time point and the end time point, respectively. In addition, the first period T1, the second period T2, and the index period T3 are periods before 15:00 on July 7, 2017, which is T0 at the time of certification request, respectively. In the example shown in FIG. 7, the first period T1 is one month from 5:00 on June 1, 2017 to 5:00 on July 1, 2017. The second period T2 is one week from 10:00 on July 1, 2017 to 10:00 on July 7, 2017. The second period T2 includes the T01 at the time of the previous authentication, and is a period up to one week before the T01 at the time of the previous authentication. Further, in the example shown in FIG. 7, the first period T1 is a period before the second period T2, and the length of the first period T1 is longer than the length of the second period T2. Further, in the example shown in FIG. 7, the index period T3 is a period from 15:00 on April 5, 2017 to 10:00 on July 7, 2017. The index period T3 is a period from T0x when the user H is authenticated for the first time to T01 at the time of the previous authentication. Further, in the example shown in FIG. 7, the index period T3 is longer than the first period T1. The index period T3, the first period T1, and the second period T2 are not limited to the periods shown in the drawings.

Further, the first generation unit 531 uses a one-way function to pseudonym each access element of the first set X1, and the second generation unit 532 uses the one-way function to make each access element of the second set X2 into a pseudonym. Is pseudonymized, and the index set generation unit 533 pseudonyms each element of the index set X3 using a one-way function. For example, the first generation unit 531 pseudonyms each element of the first set X1 by using a hash function which is a kind of one-way function. Similarly, the second generation unit 532 uses a hash function to pseudonym each element of the second set X2, and the index set generation unit 533 uses a hash function to pseudonym each element of the index set X3. .. The first generation unit 531, the second generation unit 532, and the index set generation unit 533 may not each have a function of pseudonymizing.

The index generation unit 534 generates an index indicating the personality of the user H. The index is generated based on the access information X0 of T0 at the time of receiving the authentication request, that is, at the time of the authentication request, and the index set X3 generated by the index set generation unit 533 described above. FIG. 8 is an example of access information at the time of authentication request. FIG. 8 shows the access information X0 for the user ID “U001”. For example, the index generation unit 534 determines whether or not the access element including the access information X0 shown in FIG. 8 is included in the index set X3 shown in FIG. 6 for each evaluation item, and the determination result is used as an index. Generate as. The details of index generation will be described in the operation of the authentication server 50 described later.

The weighting coefficient generation unit 535 calculates the similarity between the first set X1 and the second set X2 for each evaluation item, and generates a weighting coefficient according to the similarity. The degree of similarity is the degree of similarity between the first set X1 and the second set X2. From the degree of similarity, the degree of fluctuation of the access element related to the evaluation item can be known. Further, for example, the weighting coefficient generation unit 535 sets the weighting coefficient higher as the degree of similarity is higher. Therefore, it can be said that the higher the similarity of the evaluation items, the less likely it is that the access factors related to the evaluation items will change.

A typical example of the similarity is the Jaccard coefficient, but it may be a Dice coefficient or a Simpson coefficient. The jacquard coefficient is an element of the set B, where the set of the logical sums of the first set X1 and the second set X2 is the set A, and the set of the logical products of the first set X1 and the second set X2 is the set B. It is a value obtained by dividing the number of elements by the number of elements of the set A. For example, the number of access elements related to the first set X11 related to the item of "cell ID" shown in FIG. 4 is 3, and the access elements related to the second set X21 related to the item of "cell ID" shown in FIG. The number of is three. The first set X11 is different from the second set X21 except that it includes the element "a-2". In this case, when the degree of similarity between the first set X11 and the second set X21 is expressed by the Jaccard index, the degree of similarity is 0.2 (= 1/5).

The authentication unit 536 calculates the index generated by the index generation unit 534 and the weighting coefficient generated by the weighting coefficient generation unit 535 for each evaluation item to determine the evaluation value. Further, the authentication unit 536 authenticates that the person who has made the authentication request using the user ID is the user H who has been assigned the user ID, based on the evaluation value. Specifically, when the evaluation result generated by the authentication unit 536 is less than the threshold value, the authentication unit 536 does not authenticate that the person who made the authentication request is the user H himself, and the similarity is equal to or higher than the threshold value. In this case, the person who made the authentication request is authenticated as the user H himself / herself.

The service providing unit 538 determines whether or not to provide the desired service to the user H based on the authentication result by the authentication unit 536. For example, the service providing unit 538 permits the provision of the service when the authentication unit 536 succeeds in the authentication, and disallows the provision of the service when the authentication unit 536 fails in the authentication.

Further, the authentication server 50 may be composed of one server or a plurality of servers, and the authentication server 50 cooperates with the plurality of servers to perform the function of the processing unit 53. You may demonstrate it. Therefore, for example, even if the authentication server 50 includes a server having a generation unit 530, an index generation unit 534, a weighting coefficient generation unit 535, an authentication unit 536, and an acquisition unit 537, and a server having a service providing unit 538. good. Further, for example, the authentication server 50 includes a server having a generation unit 530, an index generation unit 534, a weighting coefficient generation unit 535, and an acquisition unit 537, and a server having an authentication unit 536 and a service provision unit 538. May be good.

3. 3. Operation of the authentication server Next, the main operation of the authentication server 50 will be described. The authentication server 50 includes a first set generation process for generating the first set X1, a second set generation process for generating the second set X2, an index set generation process for generating the index set X3, and an authentication process. , Service provision processing. The authentication process includes an index generation process, a similarity calculation process, a weighting coefficient generation process, and an evaluation value generation process. Hereinafter, these processes will be sequentially described.

3-1. First set generation process FIG. 9 is a flowchart showing an example of the first set generation process by the authentication server. The first set generation process is executed by the first generation unit 531. The first set generation process is executed, for example, every predetermined period.

First, the first generation unit 531 reads the access information in the first period T1 from the authentication log 523 from the storage unit 52 (S11). After that, the first generation unit 531 generates the first set X1 for each evaluation item for each user ID based on the access information in the first period T1 read in step S11 (S12). For example, as shown in FIG. 4, the first set X1 is generated for each evaluation item.

In step S12, the first generation unit 531 may set an upper limit value for the number of access elements possessed by each first set X1. In this case, the elements of the first set X1 may be used in descending order of frequency of access elements included in the authentication log 523 of a certain user ID. For example, the first generation unit 531 may set the upper limit value to 100 pieces. Further, the first generation unit 531 may generate a first set X1 and then pseudonymize the elements of the first set X1. Then, the first generation unit 531 stores each first set X1 associated with the user ID in the storage unit 52.

As described above, the first set generation process is executed every predetermined period, but the predetermined period is arbitrary. The predetermined period may be, for example, 24 hours, 10 minutes, or the like. Further, the trigger for starting the first set generation process is not limited to the elapse of a predetermined period. For example, the first generation unit 531 may start the first set generation process when the authentication log 523 accumulated in the storage unit 52 is updated.

Further, in step S12, when the first set X1 related to a certain user ID is already recorded in the storage unit 52, the first generation unit 531 updates the first set X1 related to the user ID.

3-2. Second set generation process FIG. 10 is a flowchart showing an example of the second set generation process by the authentication server. The second set generation process is executed by the second generation unit 532.

The second set generation process is the same process as the first set generation process described above. However, the second generation unit 532 differs from the above-mentioned first set generation process in that the second set X2 in the second period T2 is generated instead of generating the first set X1 in the first period T1. That is, the second generation unit 532 reads the access information in the second period T2 from the storage unit 52 from the authentication log 523 (S21), and then generates the second set X2 for each evaluation item for each user ID (S22). ). For example, as shown in FIG. 5, a second set X2 is generated for each evaluation item.

3-3. Index set generation process FIG. 11 is a flowchart showing an example of an index set generation process by the authentication server. The index set generation process is executed by the index set generation unit 533.

The index set generation process is the same process as the first set generation process described above. However, the index set generation unit 533 differs from the above-mentioned first set generation process in that instead of generating the first set X1 in the first period T1, the index set X3 is generated in the index period T3. That is, the index set generation unit 533 reads the access information in the index period T3 from the storage unit 52 (S31) from the authentication log 523, and then generates the index set X3 for each evaluation item for each user ID (S31). S32). For example, as shown in FIG. 6, an index set X3 is generated for each evaluation item.

3-4. Authentication processing FIG. 12 is a flowchart showing an example of authentication processing by the authentication server.
First, the acquisition unit 537 determines whether or not the communication unit 51 has received the authentication request from the mobile device 10 (S40), and repeats the determination until the authentication request is received. When the communication unit 51 receives the authentication request, the acquisition unit 537 acquires the user ID of the sender of the authentication request and the corresponding access information X0 from the mobile device 10 via the network 30 (S41).

After that, the index generation unit 534 generates an index indicating the personality of the user H based on the acquired access information X0 and the index set X3 read from the storage unit 52 (S42). Specifically, the index generation unit 534 determines whether or not the access element of the access information X0 is included in the index set X3 related to the user ID of the source of the authentication request in step S41. Then, the index generation unit 534 generates the result of the determination as an index of personality. The determination is made for each evaluation item.

FIG. 13 is a diagram for explaining the generation of the index (S42). For example, when the index generation unit 534 determines that the access element of the access information X0 is not included in the index set X3, the index generation unit 534 expresses the determination result by a numerical value of "0 (zero)" and uses this as an index. On the other hand, when the index generation unit 534 determines that the access information X0 at the time of authentication request is included in the index set X3, the index generation unit 534 expresses the determination result by a numerical value of "10" and uses this as an index. In the example shown in FIG. 13, the access element (a-10) related to the cell ID item of the access information X0 is the access element (a-1, a-2, a-3, a-8) of the index set X31. , A-9) is not included. Therefore, the index generation unit 534 defines the index for the item of "cell ID" as "0 (zero)". Further, the access element (b-1) relating to the item of the IP address possessed by the access information X0 is included in the access element (b-1, b-2, b-6) of the index set X32. Therefore, the index set X3 defines the index for the item of "IP address" as "10".

Next, the weighting coefficient generation unit 535 reads out the first set X1 and the second set X2 of the same user ID as the user ID of the sender of the authentication request in step S41 from the storage unit 52, and reads the first set X1 and the second set X1. The similarity with the two sets X2 is calculated (S43). The similarity is performed for each evaluation item.

FIG. 14 is a diagram for explaining the calculation of similarity (S43). Each similarity shown in this example is a value obtained by the Jaccard index. The similarity expressed by the Jaccard index is expressed by a numerical value from 0 to 1.0, where 0 (zero) is the lowest and 1.0 is the highest. In the example shown in FIG. 14, the similarity of the cell ID items is 0.2 (= 1/5), the similarity of the IP address items is 0.5 (= 1/2), and the similarity of the mobile device ID items. The degree is about 1.0 (= 1/1), and the similarity of the user agent items is about 0.3 (= 1/3). In the example shown in FIG. 14, the item of the mobile device ID has the highest degree of similarity, and the item of the cell ID has the lowest degree of similarity. It can be said that the item of the mobile device ID showing the highest degree of similarity is less likely to change the access element belonging to the item than the access element included in the other evaluation items. On the other hand, it can be said that the item of the cell ID showing the lowest similarity is more likely to change the access element belonging to the cell ID than the access element included in the other evaluation items.

Next, the weighting coefficient generation unit 535 generates a weighting coefficient according to the degree of similarity calculated by the weighting coefficient generating unit 535 (S44). The weighting coefficient generation unit 535 sets a higher weighting coefficient as the evaluation item has a higher degree of similarity. The weighting factor is generated for each evaluation item.

FIG. 15 is a diagram for explaining the generation of the weighting factor (S44). In the example shown in FIG. 15, the weighting coefficient generation unit 535 uses, for example, a value obtained by multiplying the similarity by 10 as the weighting coefficient. In this example, the weighting factor of the cell ID item is 2 (= 0.2 × 10), the weighting factor of the IP address item is 5 (= 0.5 × 10), and the weighting factor of the mobile device ID item is 10. It is (= 1.0 × 10), and the weighting factor of the item of the user agent is 3 (= 0.3 × 10). In this example, the item of the mobile device ID showing the highest degree of similarity is set with the highest weighting factor. On the other hand, the lowest weighting factor is set for the item of the cell ID showing the lowest similarity.

The weighting coefficient may be generated according to the degree of similarity, and is not limited to a value obtained by multiplying the degree of similarity by 10. Further, the weighting coefficient may be the similarity itself. Further, the above-mentioned steps S43 and S44 may be executed before the above-mentioned steps S41 and S42, or may be executed in parallel with the above-mentioned steps S41 and S42.

Next, the authentication unit 536 calculates the index generated in step S42 and the weighting coefficient generated in step S44 for each evaluation item to obtain an evaluation value, and sets the total of each evaluation value as the evaluation result ( S45).

FIG. 16 is a diagram for explaining the output of the evaluation result (S45). In the example shown in FIG. 16, the authentication unit 536 multiplies the index and the weighting coefficient for each evaluation item to obtain the evaluation value, and the total of the evaluation values is used as the evaluation result. In the example shown in FIG. 16, the evaluation value of the item of "cell ID" is 0 (= 0 × 2), the evaluation value of the item of “IP address” is 50 (= 10 × 5), and the “mobile device”. The evaluation value of the item of "ID" is about 100 (= 10 × 10), and the evaluation value of the item of “User agent” is 30 (= 3 × 10). The evaluation result is 180 (= 0 + 50 + 100 + 30). The calculation of the index and the weighting coefficient described above may be addition.

Next, the authentication unit 536 determines whether or not the evaluation result output from the authentication unit 536 is equal to or greater than the threshold value (S46). If the authentication unit 536 determines that the evaluation result is equal to or greater than the threshold value (S46: Yes), it determines that the authentication was successful (S47). That is, when the evaluation result is equal to or higher than the threshold value, the authentication unit 536 determines that the person who has requested authentication using a certain user ID is the user H of that user ID. For example, in the example shown in FIG. 16, when the threshold value is set to 170 in advance, the authentication unit 536 determines that the authentication is successful because the evaluation result is 180 and the evaluation result is equal to or higher than the threshold value.

On the other hand, if the authentication unit 536 determines that the evaluation result is not equal to or higher than the threshold value (S46: No), it determines that the authentication has failed (S48). That is, when the evaluation result is less than the threshold value, the authentication unit 536 determines that the person who has requested the authentication using the user ID of the user H is not the user H of the user ID. That is, the authentication unit 536 determines that the user is impersonating the user H who has requested the authentication by using the user ID of the user H. For example, in the example shown in FIG. 16, when the threshold value is set to 190 in advance, the authentication unit 536 determines that the authentication has failed because the evaluation result is 180 and the evaluation result is not equal to or higher than the threshold value.

The threshold value can be set as appropriate, and the higher the threshold value, the higher the authentication strength. Further, for example, the threshold value may be set according to the service content. For example, in a bank's online service, the transfer service may have a higher threshold than the balance inquiry service.

Further, the authentication unit 536 may make a determination based on the comparison result of comparing the evaluation result and the threshold value. Therefore, in the above description, the authentication unit 536 determines that the authentication is successful when the evaluation result exceeds the threshold value and when the evaluation result and the threshold value are the same value, but the authentication unit 536 determines that the authentication is successful. It may be determined that the authentication is successful only when the value exceeds the threshold value.

3-5. Service provision process Although not shown in the flowchart, the service provision unit 538 provides the service to the user H when the authentication unit 536 succeeds in the authentication, and the service provision unit 538 provides the service to the user H when the authentication unit 536 fails in the authentication. Notify that we will not provide. The service providing unit 538 may provide the user H to request additional authentication if the authentication unit 536 fails in the authentication.

As described above, when the authentication server 50 receives the authentication request including the access information X0 regarding the access of the user H, the authentication server 50 relates to the evaluation item based on the access element related to the evaluation item among the access elements included in the access information X0. An index generation unit 534 that generates an index indicating the personality of the user H is provided. Further, the authentication server 50 includes a weighting coefficient generation unit 535 that generates a weighting coefficient according to the degree of variation between the access element related to the evaluation item of the first period T1 and the access element related to the evaluation item of the second period T2. .. Further, the authentication server 50 includes an authentication unit 536 that authenticates the user H based on the evaluation value obtained by calculating the index and the weighting coefficient.

By including the weighting coefficient generation unit 535, the authentication server 50 generates a weighting coefficient for the evaluation item according to the degree of fluctuation of the access element regarding the evaluation item in the first period T1 and the second period T2, which are two different periods. can. Therefore, the amount of data of the weighting factor can be reduced and the processing load can be reduced as compared with the case where the weighting factor is generated for each access element. Further, the weighting factor is determined according to the variation of the access element included in the evaluation item, not the individual access element. Therefore, even if the access element appears infrequently, the weighting coefficient becomes large if the access elements included in the evaluation items are the same in the first period T1 and the second period T2. Therefore, even if the user H accesses using an access element that appears infrequently, if the fluctuation of the access element of the evaluation item is small, the possibility of authentication refusal can be reduced.

Further, as described above, the weighting coefficient generation unit 535 is generated based on the access information in the first period T1, and is different from the first set X1 having the access element related to the evaluation item as an element and the first period T1. The similarity with the second set having the access element related to the evaluation item as an element, which is generated based on the access information in the two period T2, is calculated. Then, the weighting coefficient generation unit 535 generates a weighting coefficient according to the calculated similarity.

By using the degree of similarity between the first set X1 and the second set X2, it is possible to specify the degree of variation in the access element regarding the evaluation items in the first period T1 and the second period T2. Further, the similarity can be easily generated by using the Jaccard coefficient, the Dice coefficient, or the Simpson coefficient.

In particular, in the present embodiment, the index generation unit 534 generates an index for each of a plurality of evaluation items. For example, an index is generated for each of the user ID item, the IP address item, the mobile device ID item, and the user agent item. Therefore, in the above-mentioned example of FIG. 13, four indexes are generated. Further, the weighting coefficient generation unit 535 has a similarity degree for each of a plurality of evaluation items based on the first set X1 generated for each of the plurality of evaluation items and the second set X2 generated for each of the plurality of evaluation items. Is calculated, and a weighting coefficient is generated for each of a plurality of evaluation items. Further, the authentication unit 536 authenticates the user H based on the total of the evaluation values calculated for each of the plurality of evaluation items.

By using the sum of the evaluation values calculated for each of a plurality of evaluation items, the degree of fluctuation of the access element related to various evaluation items can be reflected, so that the authentication accuracy of the user H can be improved.

Further, by appropriately updating each of the first set X1 and the second set X2, it is possible to generate a weighting coefficient that strongly reflects the characteristics of the user H. Therefore, the accuracy of authentication of the user H can be improved. Further, as described above, the elements of the first set X1 may be used in descending order of frequency of access elements included in the authentication log 523. By using the elements of the first set X1 in descending order of frequency, it is possible to generate a weighting coefficient that more strongly reflects the characteristics of the user H. The same applies to the second set X2.

Further, the index generation unit 534 determines whether or not the access element related to the evaluation item of the access information X0 included in the authentication request is included in the access information in the index period T3, which is a period before the time when the authentication request is received. An index is generated according to the judgment result. In the present embodiment, the index generation unit 534 sets the index to "0" when the access element related to the evaluation item of the access information X0 is not included in the index set X3, and sets the index to "0" when it is included in the index set X3. Sets the index as "10".

The index set X3 is generated based on the history of access information at the time of authentication in the past. Therefore, the index set X3 reflects the access elements that the user H can take at the time of the authentication request. Therefore, by using the determination result of whether or not the access element of the access information X0 included in the authentication request is included in the index set X3 as the index, it becomes easy to reflect the personality.

Further, as described above, the authentication server 50 includes a generation unit 530 that generates the first set X1 and the second set X2 from the authentication log 523 including the history of access information.

By including the generation unit 530, the authentication server 50 can generate the first set X1 and the second set X2 that do not include the time information based on the authentication log 523. Similarly, since the authentication server 50 has the index set generation unit 533, the index set X3 can be generated.

Further, as described above, each first set X1, each second set X2, and each index set X3 have one or more different access elements from which duplication is eliminated as elements. For example, the access elements of the first set X11 shown in FIG. 4 are different from each other, and the first set X11 does not have the same access element. By eliminating the duplication, the amount of data of each of the first set X1, the second set X2, and the index set X3 can be reduced as compared with the case where the duplication is not eliminated, so that the data can be handled easily. ..

Further, 5:00 on July 1, 2017, which is the end time of the first period T1, is before 10:00 on July 1, 2017, which is the start time of the second period T2. That is, since the first period T1 and the second period T2 do not overlap with each other, the authentication accuracy of the user H can be improved as compared with the case where the first period T1 and the second period T2 overlap with each other. In particular, even if the similarity is generated using the Jaccard coefficient or the dice coefficient, it is possible to accurately determine how similar the first set X1 and the second set X2 are.

Further, the second period T2 is longer than the first period T1. By making the length of the first period T1 longer than that of the second period T2, the first set X1 becomes a set that widely captures access information regarding the user H. By using the first set X1, it is possible to generate a weighting coefficient that strongly reflects the characteristics of the user H.

Further, as described above, the second period T2 and the index period T3 each include T01 at the time of the previous authentication. Each of these periods does not have to include the T01 at the time of the previous authentication, but since these periods include the T01 at the time of the previous authentication, the authentication accuracy can be improved as compared with the case where the T01 at the time of the previous authentication is not included. can.

Further, as described above, when the authentication unit 536 determines that the total of the evaluation values is less than the threshold value and the authentication has failed (S48), the authentication unit 536 may request additional authentication. By requesting additional certification, it can be used for risk-based authentication.

The preferred embodiment has been described above. The preferred embodiment can be varied in many ways. Specific embodiments that may be applied to the preferred embodiments described above are illustrated below.

<First modification>
FIG. 17 is a diagram for explaining a variation example between the first period, the second period, and the index period. In the example shown in FIG. 17, the index period T3 is one month from 5:00 on June 1, 2017 to 5:00 on July 1, 2017, and is the same period as the first period T1. be. In this case, the index generation process described above can be omitted, and the first set X1 generated by the first set generation process can be used as the index set X3. Since the index generation process can be omitted, the number of processes by the authentication server 50 can be reduced.

<Second modification>
Although not shown, the first period T1 may partially overlap with the second period T2. That is, the end time point of the first period T1 is later than the start time point of the second period T2, and the first period T1 and the second period T2 may have an overlapping portion. Even with the first period T1 and the second period T2, the access element related to the evaluation item changes based on the similarity between the first set X1 in the first period T1 and the second set X2 in the second period T2. You can ask for ease.

<Third modification example>
FIG. 18 is a flowchart showing the first set update process when the address is changed. The first generation unit 531 uses the address information of the user H to generate the first set X1. The user H notifies the authentication server 50 of the address information by operating the mobile device 10.

First, when the communication unit 51 receives the address information provided by the mobile device 10 of the user H, the first generation unit 531 specifies the previous (before change) access element of the user H from the first set X1 (S51). ). Examples of the access element include a cell ID to which the previous address of user H belongs. After that, when the cell ID to which the address provided by the mobile device 10 belongs is different from the cell ID to which the address of the previous user H belongs, the first generation unit 531 uses the cell ID to which the address of the previous user H belongs. The first set X1 is updated by deleting from the first set X1 (S52). After updating the first set X1, the first generation unit 531 stores it in the storage unit 52.

When the address information of the user H is received, the first generation unit 531 receives the address information of the user H previously received from the first set X1 when the address information of the received user H is different from the address information of the previously received user H. Delete the access element corresponding to the address information. Examples of the access element include a cell ID to which the address of user H belongs.

By deleting the cell ID related to the previous address information when the address is changed, the authentication accuracy of the user H after the address change is improved as compared with the case where the cell ID related to the previous address information is not deleted. Can be done.

Further, it is preferable to delete not only the cell ID to which the address before the address change belongs but also all the cell IDs that have been visited before the address change. This deletion removes the location information that you often visited before changing your address. In general, it is unlikely that you will visit a place you often visited before you changed your address, after you changed your address. Therefore, if the first set X1 includes the cell ID corresponding to the place that was often visited before the address change, the second set X2 does not include the cell ID, so that the similarity is low. be. Therefore, the user H can further improve the authentication accuracy of the user H after the address change.

<Fourth modification>
FIG. 19 is a flowchart showing a first set update process when there is a model change. The first generation unit 531 can generate the first set X1 by using the information of the model change.

First, when the communication unit 51 receives the model information regarding the model of the mobile device 10 of the user H from, for example, an external device, the first generation unit 531 first sets the previous (before change) access elements of the user H. Specify from X1 (S61). Examples of the access element include the user H's previous mobile device ID. After that, when the mobile device ID provided by the external device or the like is different from the conventional mobile device ID, the first generation unit 531 deletes the conventional mobile device ID from the first set X1 and obtains the first set X1. Update (S62). After updating the first set X1, the first generation unit 531 stores it in the storage unit 52.

When the first generation unit 531 receives the model information about the model of the mobile device 10 possessed by the user H, and the received model information is different from the previously received model information, the first set X1 is changed to the previous model information. Delete the mobile device ID that is the corresponding access element.

When the model of the mobile device 10 owned by the user H is changed, the access element related to the model information of the previous mobile device 10 is deleted, and the access element related to the model information of the previous mobile device 10 is not deleted. It is possible to improve the authentication accuracy of the user H after the model of the mobile device 10 is changed.

<Fifth variant>
The number of evaluation items is not limited to a plurality and may be one. When there is one evaluation item, the evaluation value for that one evaluation item becomes the evaluation result.

<Sixth modification>
The authentication server 50 includes an index generation unit 534, a weighting coefficient generation unit 535, an authentication unit 536, and an acquisition unit 537, and may not include a generation unit 530 and a service provision unit 538. For example, when the authentication server 50 does not include the generation unit 530, the authentication server 50 may acquire each of these data from the server that generated the first set X1, the second set X2, and the index set X3. Further, the authentication server 50 does not store the authentication log 523, and may appropriately acquire the authentication log 523 from another server that stores the authentication log 523.

<Hardware configuration>
The block diagram used in the description of the above embodiment shows a block of functional units. These functional blocks (components) are realized by any combination of hardware and / or software. Further, the means for realizing each functional block is not particularly limited. That is, each functional block may be realized by one physically and / or logically coupled device, or directly and / or indirectly by two or more physically and / or logically separated devices. (For example, wired and / or wireless) may be connected and realized by these plurality of devices.

FIG. 20 is a diagram showing an example of a hardware configuration of a base station 20, a mobile device 10, a storage server 40, and an authentication server 50 according to an embodiment of the present invention. The above-mentioned base station 20 (radio base station), mobile device 10, storage server 40, and authentication server 50 physically include a processor 1001, a memory 1002, a storage 1003, a communication device 1004, an input device 1005, and an output device 1006. , Bus 1007 and the like may be configured as a computer device. In the following description, the word "device" can be read as a circuit, a device, a unit, or the like. The hardware configuration of the base station 20, the mobile device 10, the storage server 40, and the authentication server 50 may be configured to include one or more of the devices shown in the figure, or may not include some of the devices. It may be configured in.

Each function in the base station 20, the mobile device 10, the storage server 40, and the authentication server 50 is calculated by the processor 1001 by loading predetermined software (program) on the hardware such as the processor 1001 and the memory 1002. , Communication by the communication device 1004, and reading and / or writing of data in the memory 1002 and the storage 1003 are controlled.

Processor 1001 operates, for example, an operating system to control the entire computer. The processor 1001 may be composed of a central processing unit (CPU) including an interface with a peripheral device, a control device, an arithmetic unit, a register, and the like.

Further, the processor 1001 reads a program (program code), a software module and data from the storage 1003 and / or the communication device 1004 into the memory 1002, and executes various processes according to these. As the program, a program that causes a computer to execute at least a part of the operations described in the above-described embodiment is used. For example, the processing unit 53 of the authentication server 50 may be stored in the memory 1002 and realized by a control program operating in the processor 1001, and other functional blocks may be realized in the same manner. Although it has been described that the various processes described above are executed by one processor 1001, they may be executed simultaneously or sequentially by two or more processors 1001. Processor 1001 may be mounted on one or more chips. The program may be transmitted from the network via a telecommunication line.

The memory 1002 is a computer-readable recording medium, and is composed of at least one such as a ROM (Read Only Memory), an EPROM (Erasable Programmable ROM), an EEPROM (Electrically Erasable Programmable ROM), and a RAM (Random Access Memory). May be done. The memory 1002 may be referred to as a register, a cache, a main memory (main storage device), or the like. The memory 1002 can store a program (program code), a software module, and the like that can be executed to implement the wireless communication method according to the embodiment of the present invention.

The storage 1003 is a computer-readable recording medium, for example, an optical disk such as a CD-ROM (Compact Disc ROM), a hard disk drive, a flexible disk, an optical magnetic disk (for example, a compact disk, a digital versatile disk, a Blu-ray). It may consist of at least one (registered trademark) disk), smart card, flash memory (eg, card, stick, key drive), floppy (registered trademark) disk, magnetic strip, and the like. The storage 1003 may be referred to as an auxiliary storage device. The storage medium described above may be, for example, a database, server or other suitable medium containing memory 1002 and / or storage 1003.

The communication device 1004 is hardware (transmission / reception device) for communicating between computers via a wired and / or wireless network, and is also referred to as, for example, a network device, a network controller, a network card, a communication module, or the like.

The input device 1005 is an input device (for example, a keyboard, a mouse, a microphone, a switch, a button, a sensor, etc.) that receives an input from the outside. The output device 1006 is an output device (for example, a display, a speaker, an LED lamp, etc.) that outputs to the outside. The input device 1005 and the output device 1006 may have an integrated configuration (for example, a touch panel).

Further, each device such as the processor 1001 and the memory 1002 is connected by a bus 1007 for communicating information. The bus 1007 may be composed of a single bus or may be composed of different buses between the devices.

Further, the base station 20, the mobile device 10, the storage server 40, and the authentication server 50 are a microprocessor, a digital signal processor (DSP: Digital Signal Processor), an ASIC (Application Specific Integrated Circuit), and a PLD (Programmable Logic Device), respectively. , FPGA (Field Programmable Gate Array) and the like may be included, and a part or all of each functional block may be realized by the hardware. For example, the processor 1001 may be implemented on at least one of these hardware.

<Others>
The notification of information is not limited to the embodiments / embodiments described herein, and may be performed by other methods. For example, information notification includes physical layer signaling (eg, DCI (Downlink Control Information), UCI (Uplink Control Information)), higher layer signaling (eg, RRC (Radio Resource Control) signaling, MAC (Medium Access Control) signaling, etc. It may be carried out by broadcast information (MIB (Master Information Block), SIB (System Information Block)), other signals, or a combination thereof. Further, the RRC signaling may be referred to as an RRC message, and may be, for example, an RRC Connection Setup message, an RRC Connection Reconfiguration message, or the like.

Each aspect / embodiment described herein includes LTE (Long Term Evolution), LTE-A (LTE-Advanced), SUPER 3G, IMT-Advanced, 4G, 5G, FRA (Future Radio Access), W-CDMA. (Registered Trademarks), GSM (Registered Trademarks), CDMA2000, UMB (Ultra Mobile Broadband), IEEE 802.11 (Wi-Fi), IEEE 802.16 (WiMAX), IEEE 802.20, UWB (Ultra-WideBand), It may be applied to Bluetooth®, other systems that utilize suitable systems and / or next-generation systems that are extended based on them.

The processing procedures, sequences, flowcharts, and the like of each aspect / embodiment described in the present specification may be rearranged in order as long as there is no contradiction. For example, the methods described herein present elements of various steps in an exemplary order and are not limited to the particular order presented.

In some cases, the specific operation performed by the base station in the present specification may be performed by its upper node. In a network consisting of one or more network nodes having a base station, various operations performed for communication with a terminal are performed on the base station and / or other network nodes other than the base station (eg, for example). It is clear that it can be done by (but not limited to) MME or S-GW. Although the case where there is one network node other than the base station is illustrated above, it may be a combination of a plurality of other network nodes (for example, MME and S-GW).

Information and the like can be output from the upper layer (or lower layer) to the lower layer (or upper layer). Input / output may be performed via a plurality of network nodes.

The input / output information and the like may be stored in a specific place (for example, a memory) or may be managed by a management table. Information to be input / output may be overwritten, updated, or added. The output information and the like may be deleted. The input information or the like may be transmitted to another device.

The determination may be made by a value represented by 1 bit (0 or 1), by a boolean value (Boolean: true or false), or by comparing numerical values (for example, a predetermined value). It may be done by comparison with the value).

Each aspect / embodiment described in the present specification may be used alone, in combination, or may be switched and used according to the execution. Further, the notification of predetermined information (for example, the notification of "being X") is not limited to the explicit one, but is performed implicitly (for example, the notification of the predetermined information is not performed). May be good.

Software, whether referred to as software, firmware, middleware, microcode, hardware description language, or other names, is an instruction, instruction set, code, code segment, program code, program, subprogram, software module. , Applications, software applications, software packages, routines, subroutines, objects, executable files, execution threads, procedures, features, etc. should be broadly interpreted.

Further, software, instructions, and the like may be transmitted and received via a transmission medium. For example, the software may use wired technology such as coaxial cable, fiber optic cable, twisted pair and digital subscriber line (DSL) and / or wireless technology such as infrared, wireless and microwave to website, server, or other. When transmitted from a remote source, these wired and / or wireless technologies are included within the definition of transmission medium.

The information, signals, etc. described herein may be represented using any of a variety of different techniques. For example, data, instructions, commands, information, signals, bits, symbols, chips, etc. that may be referred to throughout the above description are voltages, currents, electromagnetic waves, magnetic fields or magnetic particles, light fields or photons, or any of these. It may be represented by a combination of.

The terms described herein and / or the terms necessary for understanding the present specification may be replaced with terms having the same or similar meanings. For example, the channel and / or symbol may be a signal. Also, the signal may be a message. Further, the component carrier (CC) may be referred to as a carrier frequency, a cell, or the like.

The terms "system" and "network" used herein are used interchangeably.

Further, the information, parameters, etc. described in the present specification may be represented by an absolute value, a relative value from a predetermined value, or another corresponding information. .. For example, the radio resource may be indexed.

The names used for the parameters described above are not limited in any way. Further, mathematical formulas and the like using these parameters may differ from those expressly disclosed herein. Since the various channels (eg, PUCCH, PDCCH, etc.) and information elements (eg, TPC, etc.) can be identified by any suitable name, the various names assigned to these various channels and information elements are in any respect. However, it is not limited.

A base station can accommodate one or more (eg, three) cells (also referred to as sectors). When a base station accommodates multiple cells, the entire base station coverage area can be divided into multiple smaller areas, each smaller area being a base station subsystem (eg, a small indoor base station RRH: Remote). Communication services can also be provided by Radio Head). The term "cell" or "sector" refers to a portion or all of the coverage area of a base station and / or base station subsystem that provides communication services in this coverage. Further, the terms "base station", "eNB", "cell", and "sector" may be used interchangeably herein. A base station may also be referred to by terms such as fixed station, NodeB, eNodeB (eNB), access point, femtocell, and small cell.

Mobile stations can be used by those skilled in the art as subscriber stations, mobile units, subscriber units, wireless units, remote units, mobile devices, wireless devices, wireless communication devices, remote devices, mobile subscriber stations, access terminals, mobile terminals, wireless. It may also be referred to as a terminal, remote terminal, handset, user agent, mobile client, client, or some other suitable term.

The terms "determining" and "determining" as used herein may include a wide variety of actions. "Judgment", "decision" is, for example, calculating, computing, processing, deriving, investigating, looking up (eg, table, database or another). It may include searching in the data structure), considering that the confirmation (ascertaining) is "judgment" and "decision". Also, "judgment" and "decision" are receiving (for example, receiving information), transmitting (for example, transmitting information), input (input), output (output), and access. It may include (for example, accessing data in memory) to be regarded as "judgment" or "decision". In addition, "judgment" and "decision" are considered to be "judgment" and "decision" when the things such as solving, selecting, choosing, establishing, and comparing are regarded as "judgment" and "decision". Can include. That is, "judgment" and "decision" may include considering some action as "judgment" and "decision".

The terms "connected", "coupled", or any variation thereof, mean any direct or indirect connection or connection between two or more elements and each other. It can include the presence of one or more intermediate elements between two "connected" or "combined" elements. The connection or connection between the elements may be physical, logical, or a combination thereof. As used herein, the two elements are by using one or more wires, cables and / or printed electrical connections, and, as some non-limiting and non-comprehensive examples, radio frequencies. By using electromagnetic energies such as electromagnetic energies with wavelengths in the region, microwave region and light (both visible and invisible) regions, they can be considered to be "connected" or "coupled" to each other.

The phrase "based on" as used herein does not mean "based on" unless otherwise stated. In other words, the statement "based on" means both "based only" and "at least based on".

Any reference to elements using designations such as "first", "second" as used herein does not generally limit the quantity or order of those elements. These designations can be used herein as a convenient way to distinguish between two or more elements. Therefore, references to the first and second elements do not mean that only two elements can be adopted there, or that the first element must somehow precede the second element.

As long as "including", "comprising", and variations thereof are used herein or within the scope of the claims, these terms are as comprehensive as the term "comprising". Intended to be targeted. Moreover, the term "or" as used herein or in the claims is intended to be non-exclusive.

Throughout this application, if articles are added by translation, for example a, an and the in English, these articles may include more than one unless the context clearly indicates otherwise. ..

It will be apparent to those skilled in the art that the invention is not limited to the embodiments described herein. The present invention can be implemented as modifications and modifications without departing from the spirit and scope of the present invention, which is determined based on the description of the scope of claims. Therefore, the description herein is for illustrative purposes only and has no limiting meaning to the present invention. In addition, a configuration selected from the embodiments and modifications exemplified in the present specification may be combined.

2 ... cell, 10 ... mobile, 20 ... base station, 30 ... network, 40 ... storage server, 50 ... authentication server, 51 ... communication unit, 52 ... storage unit, 53 ... processing unit, 100 ... system, 401 ... log 521 ... Authentication processing program 522 ... Service provision program 523 ... Authentication log 530 ... Generation unit 513 ... First generation unit 532 ... Second generation unit 533 ... Index set generation unit 534 ... Index generation unit 535 ... Weight coefficient generation unit, 536 ... Authentication unit, 537 ... Acquisition unit, 538 ... Service provision unit, H ... User, T1 ... 1st period, T2 ... 2nd period, T3 ... Index period, X0 ... Access information , X1 ... 1st set, X2 ... 2nd set, X3 ... Index set

Claims (10)

When an authentication request including access information related to a user's access is received, an index that generates an index indicating the identity of the user regarding the evaluation item is generated based on the access element related to the evaluation item among the access elements included in the access information. Generator and
A weighting coefficient generator that generates a weighting coefficient according to the degree of variation between the access element related to the evaluation item in the first period and the access element related to the evaluation item in the second period.
An authentication unit that authenticates the user based on the evaluation value obtained by calculating the index and the weighting coefficient, and
An authentication device characterized by being equipped with. The authentication device according to claim 1, wherein the end time point of the first period is before the start time point of the second period. The authentication device according to claim 1 or 2, wherein the length of the second period is longer than the length of the first period. The index generation unit determines whether or not the access element related to the evaluation item of the access information included in the authentication request is included in the access information in a period before the time when the authentication request is received. The authentication device according to any one of claims 1 to 3, wherein the index is generated accordingly. The weighting factor generator is
It is generated based on the access information in the first period, and is generated based on the first set having the access element related to the evaluation item as an element and the access information in the second period different from the first period. , Calculate the similarity with the second set having the access element as an element related to the evaluation item.
The weighting factor is generated according to the calculated similarity.
The authentication device according to any one of claims 1 to 4. The index generation unit generates the index for each of a plurality of evaluation items including the evaluation item.
The weighting coefficient generation unit is based on the first set generated for each of the plurality of evaluation items and the second set generated for each of the plurality of evaluation items, and the weight coefficient generation unit is used for each of the plurality of evaluation items. The similarity is calculated, and the weighting factor is generated for each of the plurality of evaluation items.
The authentication unit authenticates the user based on the total of the evaluation values calculated for each of the plurality of evaluation items.
The authentication device according to claim 5. The authentication device according to claim 5 or 6, further comprising a generation unit that generates the first set and the second set from the history of the access information. When the generation unit receives the address information of the user, when the received address information of the user is different from the address information of the user previously received, the generation unit previously receives the address information of the user from the first set. The authentication device according to claim 7, wherein the access element corresponding to the above is deleted. When the generation unit receives model information about the model of the mobile device possessed by the user, and when the received model information is different from the previously received model information, the generation unit changes from the first set to the previous model information. The authentication device according to claim 7 or 8, wherein the corresponding access element is deleted. If the total of the evaluation values is equal to or greater than the threshold value, the authentication unit determines that the authentication was successful, and if the total of the evaluation values is less than the threshold value, any of claims 1 to 9 requesting additional authentication. The authentication device according to item 1.

Images