JP7037628B2 - Unauthorized access detector, unauthorized access detection method and computer program - Google Patents

Description

The present invention relates to a data processing technique, and more particularly to a technique for detecting unauthorized access.

In recent years, the number of cases of damage caused by unauthorized access to servers and the like has been at a high level. The breakdown of the damage is that illegal remittances from Internet banking and spoofing to others account for a large proportion. As conventional defense measures against unauthorized access, there are firewalls and WAFs (Web Application Firewalls) (see, for example, Patent Document 1).

Japanese Unexamined Patent Publication No. 2008-117007

The method of unauthorized access has become more sophisticated year by year, and it has sometimes been difficult to distinguish between normal access and unauthorized access with conventional measures against unauthorized access. The present invention has been made in view of these problems, and a main object thereof is to provide a technique for accurately detecting unauthorized access.

In order to solve the above problems, the unauthorized access detection device of a certain aspect of the present invention is based on an acquisition unit that acquires data related to access to a predetermined device via a communication network and data acquired by the acquisition unit. A derivation unit that derives a first index value indicating the importance of access in the device, a second index value indicating the high possibility that access is invalid, and a first index value and a second index value derived by the derivation unit. A determination unit for determining the risk of access based on the index value is provided.

Another aspect of the present invention is also an unauthorized access detection device. This device has an acquisition unit that acquires data related to access made to a predetermined device via a communication network, and an index value indicating the high possibility that access is unauthorized based on the data acquired by the acquisition unit. It is provided with a derivation unit for deriving the data and a determination unit for determining the risk of access based on the index value derived by the derivation unit. The data related to access includes multiple types of identifiers, and the derivator detects the high possibility that access is invalid based on the value of each identifier, and the high possibility that it is detected for each identifier. Aggregate and derive access index values.

Yet another aspect of the present invention is an unauthorized access detection method. In this method, the first index value indicating the importance of access in the device and the access are based on the step of acquiring the data related to the access to the predetermined device via the communication network and the data acquired in the acquisition step. A step of deriving a second index value indicating the high possibility of fraud, a step of determining the risk of access based on the first index value and the second index value derived in the deriving step, and a step of determining the risk of access. Is executed by the computer.

It should be noted that any combination of the above components and a conversion of the expression of the present invention between a system, a computer program, a recording medium in which the computer program is stored, and the like are also effective as aspects of the present invention.

According to the present invention, unauthorized access can be detected with high accuracy.

It is a figure which shows the structure of the information system of an Example. It is a block diagram which shows the functional structure of the unauthorized access detection apparatus of FIG. It is a figure which shows the example of the data structure of the BL / WL holding part. It is a figure which shows the example of the data structure of the address information holding part. It is a figure which shows the example of the data structure of the BI score determination rule. It is a figure which shows the example of the data structure of the FP score determination rule. It is a figure which shows the example of the data structure of the 1st determination result holding part and the 2nd determination result holding part. It is a figure which shows the example of the data structure of the cumulative score holding part. It is a figure which shows an example of the normalization of the FP score. It is a figure which shows the risk judgment criteria of an Example. It is a flowchart which shows the operation of an unauthorized access detection device.

Before explaining the embodiment of the present invention, the outline will be described first. Unauthorized access in this embodiment is a function that is originally restricted by inputting information or a command other than another person's identification code or identification code into a server for which access control (for example, password authentication, etc.) is performed through the network. It is an act of illegal use. "Web access" in the following description is remote access to a predetermined server via a communication network, and includes both legitimate access by a user with legitimate authority and unauthorized access by a fraudulent person.

There are various types of unauthorized access, but in particular, spoofing login, unauthorized transactions, list-type account hacking, etc. that illegally obtain the correct account information (user ID, password, etc.) of another person and use that account information With conventional measures against unauthorized access, it was difficult to determine that the access was legitimate. In addition, if a large amount of unauthorized access is not automatically executed in a short period of time, but a low frequency unauthorized access (for example, once / hour) is executed for a long period of time, the unauthorized access should be determined as a legitimate access. Was even more difficult.

The unauthorized access detection device of the embodiment determines whether or not the web access is unauthorized access based on the behavior of the identity (that is, ID) of the web access to the server. Specifically, whether or not this web access is fraudulent based on the mode of multiple web accesses from the past in which each of the multiple types of IDs included in the data of this web access was used. judge. Further, in the unauthorized access detection device of the embodiment, the web access to the predetermined target device is defined as the importance of the web access in the target device (hereinafter, also referred to as “BI (Business Impact)”) and the web access is unauthorized. Evaluate with two axes of high probability (hereinafter, also referred to as "FP (Fraud Probability)"), and determine the degree of danger of the access. As a result, unauthorized access is detected with high accuracy.

FIG. 1 shows the configuration of the information system of the embodiment. The information system 10 includes a target server 12, a user terminal 14a, a user terminal 14b, a user terminal 14c, an administrator terminal 18, and an unauthorized access detection device 20, which are collectively referred to as a user terminal 14. These devices are connected to each other via a communication network 16 including a LAN, WAN, the Internet, and the like.

The target server 12 is an information processing device that publishes websites such as mail-order sales and Internet banking on the Internet. The target server 12 of the embodiment includes the function of the web server, accepts the web access (HTTP request) from the user terminal 14, and provides the user terminal 14 with a web page for providing a predetermined service.

The user terminal 14 is an information processing device in which web browser software is installed, and functions as a web client. The user terminal 14 may be a PC, a tablet terminal, or a smartphone. The user who operates the user terminal 14a, the user terminal 14b, and the user terminal 14c may be a user who is permitted to log in to the website of the target server 12 (that is, a user who has a legitimate authority), or illegally uses another person's account. It may be a user who attempts unauthorized access to the target server 12.

The administrator terminal 18 is an information processing device in which web browser software is installed, and functions as a web client. The administrator terminal 18 may be a PC, a tablet terminal, or a smartphone, and is operated by the administrator of the target server 12.

When the unauthorized access detection device 20 receives the attribute information of the web access to the target server 12 via the log file or API (Application Programming Interface), the unauthorized access detection device 20 executes the risk determination for each web access. In other words, it detects unauthorized access that exists in a plurality of web accesses from the user terminal 14 to the target server 12. The unauthorized access detection device 20 provides the risk determination result as an API response to the target server 12, and also provides statistical information including the risk determination result to the administrator terminal 18.

FIG. 2 is a block diagram showing a functional configuration of the unauthorized access detection device 20 of FIG. The unauthorized access detection device 20 includes a control unit 22, a storage unit 24, and a communication unit 26. The control unit 22 executes data processing for detecting unauthorized access from the user terminal 14 to the target server 12. The storage unit 24 is a storage area for storing data referenced or updated by the control unit 22. The communication unit 26 communicates with the external device according to a predetermined communication protocol. The control unit 22 sends / receives data to / from the target server 12 and the administrator terminal 18 via the communication unit 26.

Each block shown in the block diagram of the present specification can be realized by an element or a mechanical device such as a CPU / memory of a computer in terms of hardware, and can be realized by a computer program or the like in terms of software. Now, I'm drawing a functional block realized by their cooperation. Therefore, it is understood by those skilled in the art that these functional blocks can be realized in various forms by combining hardware and software.

For example, the function of each block of the control unit 22 may be implemented as a computer program, and the computer program may be installed in the storage of the unauthorized access detection device 20. Then, the CPU of the unauthorized access detection device 20 may read the computer program into the main memory and execute the program to exert the function of each block of the control unit 22. The storage unit 24 may be realized by the main memory or storage of the unauthorized access detection device 20.

The storage unit 24 includes a BL / WL holding unit 28, an address information holding unit 30, a rule holding unit 32, a first determination result holding unit 34, a second determination result holding unit 36, and a cumulative score holding unit 38. Of these, the BL / WL holding unit 28, the address information holding unit 30, the first determination result holding unit 34, and the cumulative score holding unit 38 store frequently used data and require a high-speed response. It is configured as a NoSQL data store (key-value store in the embodiment). The second determination result holding unit 36 stores data that is read at a low frequency, and is configured as a normal DBMS (RDBMS in the embodiment).

The BL / WL holding unit 28 holds blacklist and whitelist data. FIG. 3 shows an example of the data structure of the BL / WL holding unit 28. In FIG. 3, IP address information (for example, IP address (or network address) + subnet mask length) is set as a key. Further, a whitelist identifier (“white” in FIG. 3) or a blacklist identifier (“black” in FIG. 3) is set as a value. The list of keys associated with the whitelist identifier corresponds to the whitelist, and the list of keys associated with the blacklist identifier corresponds to the blacklist.

For example, a blacklist may record an IP address, network address, device ID (discussed below), or user ID that has been found to have been used by an unauthorized person. Further, in the whitelist, an IP address, a network address, a device ID, or a user ID that is fixedly used by a user having a legitimate authority may be recorded.

Returning to FIG. 2, the address information holding unit 30 holds the correspondence between the IP address and the geographic information. FIG. 4 shows an example of the data structure of the address information holding unit 30. The address information holding unit 30 of the embodiment holds a record in which the IP address of the connection source for web access to the target server 12 is used as a key and the country, city, latitude, and longitude are used as values, and the two are associated with each other. The connection source IP address may be the source IP address set in the IP packet received by the target server 12. Typically, it may be the IP address of the user terminal 14, or it may be the IP address of a proxy server, a router, or the like that relays the communication between the user terminal 14 and the target server 12.

Returning to FIG. 2, the rule holding unit 32 determines the BI score determination rule, which is a rule (in other words, a standard) for determining the BI score indicating the height of BI, and the FP score indicating the height of FP. Holds the FP score judgment rule, which is the rule of. The BI score determination rule and the FP score determination rule may be stored in the semiconductor memory in order to enable high-speed access, and the algorithm may be stored in a computer program in which the BI score derivation unit 46 and the FP score derivation unit 48 described later are implemented. It may be incorporated as.

FIG. 5 shows an example of the data structure of the BI score determination rule. The BI score determination rule holds the determination condition and the BI score when the determination condition is satisfied in association with each other. As the determination condition, the access destination URL, the parameter attribute of GET or POST, and the like may be specified. Further, the BI score is set to a value as large as the important processing or transaction in the target server 12. For example, a larger value may be set for a process or transaction that has a greater influence on the business of the company that provides the service by the target server 12.

The first record in FIG. 5 shows that the BI score is set to "10" when the access from the user terminal 14 to the target server 12 is a POST transmission to the URL for executing login authentication. Further, the fourth record in FIG. 5 is a POST transmission to the URL for remittance execution on the transmission screen, and when the value of the remittance amount parameter is less than 500,000 yen, the BI score is set to "90". It is shown that.

FIG. 6 shows an example of the data structure of the FP score determination rule. The FP score determination rule holds the determination condition (identification target and rule content in FIG. 6) in association with the FP score (value is not shown) to be added when the determination condition is satisfied. The identification target in FIG. 6 is at least one of a plurality of types of identifiers included in the access data. The identification target includes, for example, a country (country specified by an IP address), an IP address, a UA (User Agent), a user ID (user ID specified in a login request), and a device ID. The device ID is an identifier that can uniquely identify a specific user terminal 14, and is a combination of the web browser type and version of the user terminal 14, language setting, installed font, screen resolution, color depth, CPU type, time zone, and the like. Information generated based on.

The “rule content” in FIG. 6 is the value of the identifier to be identified (and the value of another identifier associated with that identifier) and / or the past request history (access) associated with the value of the identifier to be identified. It defines the aspect of history). The “FP score” in FIG. 6 is predetermined for each determination condition based on the type of website provided by the target server 12 and the business content. Specifically, among a plurality of determination conditions, the one with a stronger suspicion of unauthorized access when satisfied, the larger the FP score is set.

Item 2 of FIG. 6 stipulates that a predetermined FP score is added when the connection source IP address included in the web access data matches the IP address specified in the blacklist. Item No. 17 in FIG. 6 shows a predetermined FP when the number of connection source IP addresses (unique number) included in the login trial access per unit time is a predetermined value or more for the login trial access in which a specific user ID is specified. It stipulates that scores should be added. The unit time here may be 5 minutes, and the predetermined value may be 5. Item No. 20 in FIG. 6 adds a predetermined FP score to the login trial access including the same device ID when the number of user IDs (unique number) included in the login trial access per unit time is equal to or more than a predetermined value. To stipulate.

According to the FP score determination rule shown in FIG. 6, even if an unauthorized access is performed using a correct user ID and password, the unauthorized access can be detected with high accuracy. For example, items 10 and 11 in FIG. 6 are based on the number of logins (number of successful logins), and items 12 and 13 in FIG. 6 are based on the number of login failures. In addition to this, items 17 to 20 in FIG. 6 are the number of accesses to the URL for executing login authentication, and the number of login attempts regardless of whether the login is successful or unsuccessful is the standard, so that the login is tentatively successful. Even if the web access is accessed, it can be detected as unauthorized access.

Returning to FIG. 2, the first determination result holding unit 34 and the second determination result holding unit 36 hold the risk determination result. FIG. 7 shows an example of the data structure of the first determination result holding unit 34 and the second determination result holding unit 36. The record group 60 is a plurality of records recorded per one web access. The access attribute 62 is an attribute value of web access, and includes values of a plurality of types of identifiers (IP address, user ID, device ID). The risk determination result 64 is a risk determination result based on the access attribute 62, and includes a BI score, an FP score, and a risk rank.

The first determination result holding unit 34 holds the record group 60 recorded per one web access only for 30 days from the access date and time (for example, Time of the access attribute 62). On the other hand, the second determination result holding unit 36 permanently holds the record group 60 recorded per one web access unless it is explicitly deleted by the administrator.

Returning to FIG. 2, the cumulative score holding unit 38 holds data including the cumulative value of the FP score (hereinafter, also referred to as “FP cumulative value”) for each of the plurality of types of identifiers specified by at least one web access. do. FIG. 8 shows an example of the data structure of the cumulative score holding unit 38. The cumulative score holding unit 38 includes three records of type (Type), FP cumulative value (SumScore), and last access date / time (LastAccess) for each value of one identifier. FIG. 8 shows the type, FP cumulative value, and last access date and time recorded for each of the IP address “133.250.195.1”, the device ID “E6JU9Mr ...”, and the user ID “user0001”.

Returning to FIG. 2, the control unit 22 includes a log acquisition unit 40, a determination request reception unit 42, a determination result providing unit 44, a BI score derivation unit 46, an FP score derivation unit 48, a risk determination unit 50, and a determination result recording unit 52. It includes a cumulative score recording unit 54, an alert notification unit 56, and a dashboard providing unit 58.

The log acquisition unit 40 is an interface for executing a risk determination for web access as a batch process. The log acquisition unit 40 periodically acquires an access log in which one or more web access data (also referred to as content or attribute, hereinafter referred to as "web access attribute") is recorded from the target server 12, and the access log. Read the web access attributes recorded in. The log acquisition unit 40 may receive the access log periodically transmitted from the target server 12.

The determination request receiving unit 42 and the determination result providing unit 44 are interfaces for executing risk determination for one web access as real-time processing. The determination request receiving unit 42 acquires one web access attribute specified by the argument when a predetermined API predetermined by the target server 12 is called. The determination result providing unit 44 transmits a risk determination result (for example, the risk determination result 64 in FIG. 7) to the target server 12 as a response to the API call.

The web access attribute of the embodiment includes an access date / time, an access destination URL, a connection source IP address, a user ID, a browser type (or UserAgent), and a device ID. The user ID may be a user ID transmitted as a parameter to the login authentication screen, or may be a user ID associated with the user session after login. The target server 12 holds a device ID acquisition script (for example, a Javascript (registered trademark) program), transmits the script to the user terminal 14 together with the data of the web page, and executes the script on the web browser of the user terminal 14. Acquire the device ID from the terminal 14.

In addition, the web access attribute further includes business-specific parameters on the website of the target server 12. For example, the web access attribute may further include data added as a parameter in the GET transmission or the POST transmission. In this case, a determination condition based on the value of a business-specific parameter may be set in at least one of the BI score determination rule and the FP score determination rule. For example, in the case of an Internet banking website, the account number and transaction amount may be included as business-specific parameters. Then, when the account number and the transaction amount satisfy the determination condition, at least one of the BI score and the FP score may be added.

The BI score derivation unit 46 derives the BI score for each web access attribute according to the web access attribute acquired by the log acquisition unit 40 or the determination request reception unit 42 and the BI score determination rule held in the rule holding unit 32. do. In other words, the BI score for each web access from the user terminal 14 to the target server 12 is derived.

When the combination of the access destination URL included in one web access attribute and the parameter attribute value satisfies the specific determination condition defined in the BI score determination rule, the BI score derivation unit 46 associates the access destination URL with the determination condition. The obtained BI score (for example, a value of 0 to 100) is determined as the BI score of the web access. In the example of FIG. 5, when the access destination URL included in one web access attribute matches the login authentication URL, the BI score of the web access is determined to be "10". As a modification, when the web access attribute satisfies a plurality of judgment conditions, the total value of the BI scores associated with the plurality of judgment conditions is normalized to a value of 0 to 100, and the normalized value is used as the web. It may be determined as the BI score of access.

The FP score derivation unit 48 derives the FP score for each web access attribute according to the web access attribute acquired by the log acquisition unit 40 or the determination request reception unit 42 and the FP score determination rule held in the rule holding unit 32. do. In other words, the FP score for each web access from the user terminal 14 to the target server 12 is derived.

The FP score deriving unit 48 of the embodiment derives FP values for each of a plurality of types of identifiers (for example, connection source IP address, user ID, device ID) included in one web access attribute based on the values of each identifier. , The FP values derived for each identifier are aggregated to derive the FP value for one web access. Specifically, the FP score deriving unit 48 refers to the past web access attribute that matches the value of the identifier (for example, the value of the connection source IP address) held in the first determination result holding unit 34. Then, the behavior of a plurality of web access specified based on the current web access attribute from one or more past web access attributes matches the judgment condition of the FP score judgment rule (for example, item 9 or later in FIG. 6). If so, the FP score associated with the determination condition is added. The FP score deriving unit 48 repeats the determination condition satisfaction determination process and the FP score addition process for each identifier included in one web access attribute (in other words, for each determination condition of the FP score determination rule).

For example, according to item 2 of FIG. 6, the FP score deriving unit 48 determines the connection source IP address included in the access data in item 2 when the connection source IP address is specified in the blacklist of the BL / WL holding unit 28. Add the obtained FP scores. Further, according to item No. 17 of FIG. 6, when the number of login trial IP addresses per unit time for the user ID included in the web access to be determined is equal to or more than a predetermined value, the FP score derivation unit 48 uses item No. 17. Add the specified FP score. In this case, the FP score deriving unit 48 may search the web access to the login trial URL designated by the user ID from the first determination result holding unit 34. Then, the unique number of the connection source IP address in one or more web accesses that hit the search may be counted.

Further, according to the item No. 20 of FIG. 6, the FP score deriving unit 48 identifies one or more login trial accesses within a predetermined unit time including the device ID included in the web access to be determined. Then, when the unique number of the user IDs specified in those login trial access is equal to or more than a predetermined value, the FP score defined in the item No. 20 is added. In this case, the FP score deriving unit 48 may search the web access to the login trial URL specifying the device ID from the first determination result holding unit 34. Then, the unique number of the user ID specified by one or more web accesses that hit the search may be counted.

The FP score deriving unit 48 of the embodiment calculates the FP score (referred to here as “total score”) accumulated for each identifier included in one web access attribute (in other words, for each judgment condition of the FP score judgment rule). Normalize to a value from 0 to 100 and use it as the final FP score. FIG. 9 shows an example of normalization of the FP score. The FP score deriving unit 48 inputs the total score (x) into the predetermined sigmoid function 66, and determines the output value (0 ≦ F (x) ≦ 100) of the sigmoid function 66 as the final FP value. May be good. The values of a and b in the sigmoid function 66 of FIG. 9 may be appropriately determined and adjusted by using regression analysis or the like in the construction phase or tuning phase of the target server 12.

Returning to FIG. 2, the risk determination unit 50 determines the risk level (hereinafter, also referred to as “risk rank”) of each web access based on the BI score and the FP score derived for each of the plurality of web accesses. do. The risk determination unit 50 generates a risk determination result including the risk rank of each web access. The determination result recording unit 52 corresponds the risk determination result (risk determination result 64 in FIG. 7) for a certain web access generated by the risk determination unit 50 with the data of the web access attribute (access attribute 62 in FIG. 7). It is attached and stored in both the first determination result holding unit 34 and the second determination result holding unit 36.

FIG. 10 shows the risk criteria of the embodiment. When the combination of the BI score and the FP score corresponds to the region 70, the risk determination unit 50 determines that the risk rank is “LOW”. Further, if the above combination corresponds to the area 72, the risk rank is "medium (MID)", if the combination corresponds to the area 74, the risk rank is "high (HIGH)", and if the combination corresponds to the area 76, the risk rank is "serious (SEVERE)". judge.

As shown in FIG. 10, when the BI score of a certain web access is relatively large, the risk determination unit 50 relatively determines the risk level of the web access even if the FP score of the web access is relatively small. Judge high. Further, when the FP score of a certain web access is relatively high, the risk determination unit 50 determines that the risk of the web access is relatively high even if the BI score of the web access is relatively small. In other words, when the FP score is a predetermined value (same value), the risk determination unit 50 determines that the higher the BI score, the higher the risk level. Similarly, when the BI score is a predetermined value (same value), the risk determination unit 50 determines that the higher the FP score, the higher the degree of risk.

The cumulative score recording unit 54 records the values of a plurality of types of identifiers (for example, IP address, device ID, user ID) included in the web access data for each identifier and the cumulative value of the FP score (that is, the cumulative value of the FP). It is recorded in the cumulative score holding unit 38 in association with each other. As shown in FIG. 8, in the embodiment, the type, the FP cumulative value, and the last access date / time (may be a pseudo FP cumulative value update date / time) are recorded in association with each other using the value of one identifier as a key.

The cumulative score recording unit 54 holds a BL additional reference value for each of a plurality of types of identifiers (for example, IP address, device ID, user ID). The BL additional reference value may be set to a different value for each type of identifier. When the cumulative value of the FP score recorded in association with the value of a certain identifier exceeds the BL addition reference value from the BL addition reference value or less, the cumulative score recording unit 54 blacklists the identifier value. Register automatically. Specifically, a record having the value of the identifier as a key and "black" as a value is added to the BL / WL holding unit 28.

The FP score deriving unit 48 detects the high possibility that the web access is invalid based on the FP cumulative value recorded in advance for the value of the identifier for each identifier included in the data related to a certain web access. do. Specifically, when the identifier value is registered in the blacklist, the FP score derivation unit 48 holds BL / WL for a record in which the cumulative value is used as a key and "black" is used as a value. If present in part 28, the FP score is added (eg, items 1-5 in FIG. 6).

Further, in the embodiment, a model is adopted in which the FP cumulative value held in the cumulative score holding unit 38 is attenuated by a certain amount with the passage of time. The cumulative score recording unit 54 subtracts the FP cumulative value recorded in association with the value of a certain identifier according to the elapsed time from the last access including the value of the identifier. In the embodiment, the longer the elapsed time from the last access, the larger the subtraction range of the FP cumulative value. For example, for the FP cumulative value "30" recorded in association with the value of a certain IP address (here, "133.250.195.1" in FIG. 8), "133.250.195.1" is connected. The longer the period during which web access using the original IP address is not performed, the smaller the cumulative FP value.

Specifically, the cumulative score recording unit 54 holds the attenuation amount d per predetermined unit time. When the web access attribute is accepted, the cumulative score recording unit 54 calculates (elapsed time T × d from the previous update) from the FP cumulative value at the time of the previous update for each identifier included in the web access attribute. Subtract. In other words, the cumulative score recording unit 54 executes the following calculation, updates the FP cumulative value for each identifier, and stores the new FP cumulative value in the cumulative score holding unit 38.
New FP cumulative value = FP cumulative value at the time of the previous update-Td

When the FP cumulative value recorded in association with the value of a certain identifier changes from the state exceeding the BL additional reference value to the BL additional reference value or less, the cumulative score recording unit 54 blacklists the value of the identifier. Exclude from the list. Specifically, the record whose value is "black" and whose identifier value is used as a key is deleted from the BL / WL holding unit 28.

The alert notification unit 56 notifies the administrator terminal 18 of alert information (for example, data of the access attribute 62 and the risk determination result 64 in FIG. 6) indicating web access of a predetermined risk rank or higher. The notification method may be a known method such as e-mail, file transmission, push notification, or the like. The alert notification unit 56 may periodically transmit alert information to the administrator terminal 18 at a predetermined timing. Further, the timing at which web access of a predetermined risk rank or higher is detected, in other words, the timing at which the risk determination result indicating the predetermined risk rank or higher is recorded in the first determination result holding unit 34 and the second determination result holding unit 36. You may send alert information with.

In this embodiment, alert information indicating web access of a predetermined risk rank or higher is notified to the administrator terminal 18, but instead of or in combination with the processing, the risk rank or higher is higher than the predetermined risk rank. It may be configured to perform a predetermined operation for web access. Here, the predetermined operation includes blocking web access of a predetermined risk rank or higher, rejecting a transaction subject to web access of a predetermined risk rank or higher, or performing additional authentication. .. As a result, in addition to notifying the administrator terminal 18, it is possible to prevent fraudulent transactions. Further, in addition to notifying the administrator terminal 18 of alert information indicating web access of a predetermined risk rank or higher, each transaction targeted for web access, each business process in FIG. 5, each judgment condition in FIG. 5, and the figure. It is also possible to configure the predetermined operation to be set for each of the rule categories of 6 and each of the rule contents of FIG.

The dashboard providing unit 58 generates dashboard screen data for displaying the risk determination result and the statistical information thereof, and transmits the screen data to the administrator terminal 18. The dashboard providing unit 58 reads the risk determination result held in the second determination result holding unit 36 and generates the screen data of the dashboard.

The operation of the information system 10 with the above configuration will be described. The target server 12 publishes a predetermined website (here, referred to as a “monitoring target site”) such as mail-order sales and Internet banking on the Internet. A user with legitimate authority or an unauthorized person operates the user terminal 14 to access the monitored site. The target server 12 provides the web page of the monitored site to the access source user terminal 14, and the web browser of the user terminal 14 displays the web page of the monitored site on the display. The web page of the monitored site includes a device ID acquisition script, and the web browser of the user terminal 14 executes the device ID acquisition script and transfers the device ID generated based on the environment of the own machine to the target server 12. Send.

Each time the target server 12 in this example receives web access from the user terminal 14, it transmits a risk determination request including its web access attribute (connection source IP address, user ID, device ID, etc.) to the unauthorized access detection device 20. .. As described above, the target server 12 may sequentially record the attribute data of the web access received from the user terminal 14 in the access log. Then, as a risk determination request for the unauthorized access detection device 20, the access log may be periodically transmitted to the unauthorized access detection device 20.

FIG. 11 is a flowchart showing the operation of the unauthorized access detection device 20. When the judgment request receiving unit 42 receives the risk judgment request (web access attribute) transmitted from the target server 12 (Y in S10), the following processes S12 to S38 are executed. The unauthorized access detection device 20 repeatedly executes the processes of S12 to S38 for each web access attribute transmitted from the target server 12. When the access log is input from the target server 12, the unauthorized access detection device 20 repeatedly executes the processes S12 to S38 for each web access attribute recorded in the access log.

In the cumulative score recording unit 54, the corresponding FP cumulative value is stored in the cumulative score holding unit 38 for each value of a plurality of types of identifiers (connection source IP address, user ID, device ID, etc.) included in the accepted web access attribute. If it is retained, the FP cumulative value corresponding to the value of each identifier is subtracted according to the elapsed time from the last access date and time to the current date and time (S12). As a result of S12, if the FP cumulative value associated with the value of a certain identifier exceeds the BL addition reference value and becomes less than or equal to the BL addition reference value (Y in S14), that value is excluded from the blacklist. (S16). When the FP cumulative value associated with the value of a certain identifier continues to exceed the BL addition reference value or continues to be below the BL addition reference value (N in S14), S16 is skipped. .. That is, the change of the blacklist is suppressed.

The BI score derivation unit 46 determines the BI score according to the current web access attributes (for example, access destination URL and business-specific parameters, etc.) and the BI score determination rule (S18). The FP score derivation unit 48 determines the FP score according to the web access attribute of this time, the past web access attribute having the same identifier value held in the first determination result holding unit 34, and the FP score determination rule (the FP score determination rule). S20). In S20, the FP score is calculated for each of the plurality of types of identifiers included in the current web access attribute, the FP score for each identifier is aggregated, and the FP score of the current web access attribute is determined. The risk determination unit 50 determines the risk rank so as to have a positive correlation between the BI score and the FP score (S22).

When a risk determination request is input from the target server 12 by an API call (Y in S24), the determination result providing unit 44 inputs the risk determination result (specifically, BI score, FP score, risk rank) to the API call. It is transmitted to the target server 12 as a response (S26). The target server 12 determines the processing for the web access to be determined according to the risk determination result. For example, the target server 12 may decide to reject the request indicated by the web access when the risk rank exceeds a predetermined reference value, and may send a response indicating the rejection to the user terminal 14. When a risk determination request is input from the target server 12 by the access log (N in S24), S26 is skipped.

The determination result recording unit 52 records the web access attribute targeted for determination this time and the risk determination result based on the attribute in both the first determination result holding unit 34 and the second determination result holding unit 36 ( S28). When the risk rank of this web access is equal to or higher than a predetermined threshold value (for example, risk rank "high" or "serious") with the target server 12 (or its administrator) (Y in S30), the alert notification unit. 56 transmits alert information indicating that there is a high-risk web access to the administrator terminal 18 (S32). If the risk rank in the current risk determination result is equal to or less than the threshold value (N in S30), S32 is skipped.

The cumulative score recording unit 54 has the FP score calculated in S20 with respect to the FP cumulative value recorded in association with the value of each identifier for a plurality of types of identifiers included in the web access attribute to be determined this time. Is added (S34). As a result of S34, when the cumulative value of the FP score associated with the value of a certain identifier exceeds the BL addition reference value from the state below the BL addition reference value (Y in S36), the value is added to the blacklist. Register (S38). When the cumulative value of the FP score associated with the value of a certain identifier continues to exceed the BL addition reference value or continues to be below the BL addition reference value (N in S36), S38 is set. skip. That is, the change of the blacklist is suppressed.

If the risk determination request (web access attribute) has not been input from the target server 12 (N in S10), S12 to S38 are skipped. When the dashboard reference request is received from the administrator terminal 18 (Y in S40), the dashboard providing unit 58 refers to the risk determination result for one or more web accesses held in the second determination result holding unit 36. Then, the data of the dashboard screen including the risk determination result for each web access and the result of statistically processing them are transmitted to the administrator terminal 18 and displayed (S42). If the dashboard reference request is not accepted (N in S40), S42 is skipped.

According to the unauthorized access detection device 20 of the embodiment, the web access to the target server 12 is evaluated on the two axes of BI and FP, and the risk rank of the web access is determined. As a result, the degree of influence of web access on the website of the target server 12, in other words, the magnitude of the actual risk given by web access to the business or business executed by the target server 12 was evaluated. The risk of web access can be provided to the target server or administrator.

Currently, spoofing login, fraudulent transactions, list-type account hacking, etc. may be performed while switching between a plurality of terminals, a plurality of IP addresses, and a plurality of user IDs. Since the FP score of each identifier is accumulated for the web access including the identifier and the FP score of the web access is determined, it becomes easy to detect these unauthorized accesses. For example, even if the access is made using the correct user ID / password, (1) if many user IDs are logged in with the same IP address, (2) the login using the same user ID is (different IP). It can be detected as an unauthorized access by increasing the FP score, such as when a large number of times (including from the address) are performed, (3) when login attempts to a large number of user IDs are performed with the same device ID, and the like.

Further, the unauthorized access detection device 20 of the embodiment accumulates the FP score for each value of the identifier, and when the threshold value is exceeded, the value of the identifier is automatically registered in the blacklist. As a result, the degree of suspicion of fraud determined for past web access using the same identifier value can be reflected in the risk determination for this web access. Furthermore, the unauthorized access detection device 20 subtracts the cumulative value of the FP score according to the elapsed time from the last access, and automatically deletes it from the blacklist when it becomes equal to or less than the threshold value. As a result, an increase in the number of registered blacklists can be suppressed, and efficient matching with the blacklist is realized. In addition, since the value of the identifier that has not been used for unauthorized access for a long time is excluded from the blacklist, if a legitimate user subsequently uses the value of the identifier, it will be falsely detected as unauthorized access. It can be suppressed.

The present invention has been described above based on the examples. This embodiment is an example, and it is understood by those skilled in the art that various modifications are possible for each component and combination of each processing process, and that such modifications are also within the scope of the present invention. A modified example is shown below.

The first modification will be described. Although not mentioned in the examples, the FP score determination rule stipulates that the FP score is added to the target server 12 when there is a predetermined relationship between a plurality of web accesses made from one user terminal 14. You may. For example, when the website of the target server 12 is a website that provides a loyalty program (point program), specify the identification target "user ID" and the URL of the web page of the rule content "point exchange (exchange for goods)". It may be stipulated that the time from the HTTP request made to the HTTP request specifying the URL of the withdrawal web page is within a predetermined time (for example, 3 minutes). "

In investigating unauthorized access to websites that provide loyalty programs, the inventor found that there are many behaviors of withdrawing immediately due to the destruction of evidence after performing point exchange. According to the embodiment of this modification, the detection accuracy of unauthorized access can be further improved by adding the FP score by paying attention to the relationship of a plurality of times of web access before and after the time.

The second modification will be described. The unauthorized access detection device 20 of the embodiment detects unauthorized access to the target server 12, but as a modification, the unauthorized access detection device 20 may detect unauthorized access to its own device from an external device. When an unauthorized access is detected, the user of the own device may be notified to that effect, and processing for blocking unauthorized access from an external device (for example, communication invalidation processing, personal firewall setting processing, etc.) May be executed.

The unauthorized access detection device 20 of this modification may be an information terminal such as a general PC, tablet terminal, or smartphone, and a computer program on which the functional block shown in FIG. 2 is mounted is installed in the information terminal. By being executed, the same processing as that of the unauthorized access detection device 20 of the embodiment may be executed. In the BI score determination rule held in the unauthorized access detection device 20 of this modification, for example, a high BI score may be set for an access that causes a system call in which access from an external device is important. Further, in the FP score determination rule, for example, a high FP score may be set for a typical pattern of hijacking or hacking of administrator authority.

Any combination of the examples and modifications described above is also useful as an embodiment of the invention. The new embodiments resulting from the combination have the effects of each of the combined examples and variants. It is also understood by those skilled in the art that the functions to be fulfilled by each of the constituent elements described in the claims are realized by a single component or a cooperation thereof shown in the examples and modifications.

20 Unauthorized access detection device, 40 Log acquisition unit, 42 Judgment request reception unit, 44 Judgment result provision unit, 46 BI score derivation unit, 48 FP score derivation unit, 50 Risk judgment unit, 52 Judgment result recording unit, 54 Cumulative score recording Department.

Claims (8)

An acquisition unit that acquires data related to access to a predetermined device via a communication network, and
Based on the data acquired by the acquisition unit, a derivation that derives a business impact index value indicating the importance of the access in the device and a fraud possibility index value indicating the high possibility that the access is unauthorized. Department and
A determination unit that determines the degree of risk of access based on the business impact index value and fraud possibility index value derived by the derivation unit.
Recording section and
Equipped with
When the value of the identifier included in the access data matches the value specified in the predetermined blacklist, the derivation unit adds the fraud possibility index value.
The recording unit records the cumulative value of the fraudulent possibility index value derived by the derivation unit for the access including the identifier of a certain value.
The recording unit is an unauthorized access detection device, characterized in that, when the cumulative value exceeds a reference value, an identifier of the certain value is added to the blacklist. The recording unit subtracts the cumulative value according to the elapsed time since the last access including the identifier of the certain value is made.
The unauthorized access detection device according to claim 1, wherein the recording unit excludes an identifier of a certain value from the blacklist when the cumulative value becomes a predetermined value or less. The data related to the access includes multiple types of identifiers,
The derivation unit detects the high possibility that the access is fraudulent based on the value of each identifier, and aggregates the high possibility that the access is detected for each identifier, and is an index of the fraudulent possibility of the access. The unauthorized access detection device according to claim 1 or 2, wherein a value is derived. The derivation unit refers to data on past accesses with matching identifier values, and if the mode of multiple accesses from the past satisfies a predetermined condition, it is highly likely that the access is invalid. The unauthorized access detection device according to claim 3, wherein the detection process is executed for each identifier included in the data related to the access. The recording unit records the value of the identifier and the cumulative value of the fraudulent possibility index value derived by the derivation unit in association with each other for each of a plurality of types of identifiers included in the access data.
For each identifier contained in the data related to a certain access, the derivation unit determines the high possibility that the certain access is fraudulent based on the cumulative value of the fraudulent possibility recorded in advance with respect to the value of the identifier. The unauthorized access detection device according to claim 3 or 4, wherein the unauthorized access detection device according to claim 3 or 4, wherein the unauthorized access detection device according to claim 3 or 4, wherein the unauthorized access detection device according to claim 3 or 4, wherein the unauthorized access detection device according to claim 3 or 4, wherein the unauthorized access detection device according to claim 3 or 4 is characterized in that the detection is performed and the high possibility detected for each identifier is aggregated to derive the fraud possibility index value of the certain access. The claim is characterized in that the recording unit subtracts the cumulative value of the fraudulent index value recorded in association with the value of a certain identifier according to the elapsed time from the last access including the value of the identifier. The unauthorized access detection device according to 5. A step to acquire data related to access to a predetermined device via a communication network, and
Based on the data acquired in the acquired step, a business impact index value indicating the importance of the access in the device and a fraud possibility index value indicating the high possibility that the access is unauthorized are derived. Steps and
Based on the business impact index value and fraud possibility index value derived in the derivation step, the step of determining the risk of access and the step
The computer runs,
In the derivation step, when the value of the identifier included in the access data matches the value specified in the predetermined blacklist, the fraud possibility index value is added.
A step of recording the cumulative value of the fraudulent index value derived in the above-described derivation step for an access including an identifier of a certain value, and a step of recording the cumulative value.
When the cumulative value exceeds the reference value, the step of adding the identifier of the certain value to the blacklist and
An unauthorized access detection method, characterized in that the computer further executes the above. A function to acquire data related to access to a predetermined device via a communication network, and
Based on the data acquired by the acquired function, a business impact index value indicating the importance of the access in the device and a fraud possibility index value indicating the high possibility that the access is unauthorized are derived. Functions and
A function to determine the risk of access based on the business impact index value and the fraud possibility index value derived by the derived function, and
To the computer,
When the value of the identifier included in the access data matches the value specified in the predetermined blacklist, the derivation function adds the fraud possibility index value.
A function to record the cumulative value of the fraudulent possibility index value derived by the above-derived function for an access including an identifier of a certain value, and a function to record the cumulative value.
A function to add an identifier of a certain value to the blacklist when the cumulative value exceeds the reference value, and
A computer program for further realizing the above-mentioned computer.

Images