JP7058464B2 - Anti-fraud system and anti-fraud method - Google Patents

Description

The present invention relates to a fraud countermeasure system and a fraud countermeasure method.

In recent years, in a predetermined service via the Internet, an unfavorable act for a business operator providing the service, for example, a so-called annoying act such as intentionally repeating a click for a malicious purpose may be performed. A method for suppressing such annoying acts is known (see Patent Document 1). This method involves collecting information about the behavior of the user after clicking on the search ad and then going to the advertiser's website, and then going to the advertiser's website after the user clicks on the search ad. When the behavior exceeds a predetermined reference value from the average behavior pattern of the user, this is judged as an unauthorized click.

Japanese Unexamined Patent Publication No. 2008-176787

However, the above-mentioned conventional technique may not be sufficient to suppress nuisance.
The present invention has been made in consideration of such circumstances, and one of the objects of the present invention is to provide a fraud countermeasure system capable of more effectively suppressing annoying acts and a fraud countermeasure method.

One aspect of the present invention is an acquisition unit that acquires log information that is a history of actions performed in connection with a service provided via a network, and information generated based on the information acquired by the acquisition unit. Is a fraud countermeasure system provided with an output control unit for displaying the information on the display unit and an execution unit for receiving and executing measures against annoying acts by a person who sees the information displayed by the display unit. Is a fraud countermeasure system that acquires log information after a measure is executed by the execution unit, and the acquisition unit, the output control unit, and the execution unit repeatedly execute the operation.

According to one aspect of the present invention, nuisance can be suppressed more effectively.

It is a figure which shows the structure and use environment of an anti-fraud system. It is a sequence diagram which shows the process executed by a fraud countermeasure system. It is a figure which shows the image IM displayed on the display device 40. It is a figure which shows the image IM1 displayed on the display device 40. It is a figure which shows an example of the measures to be executed. It is a figure which shows the image IM2 displayed on the display device 40. It is a figure which shows the image IM3 displayed on the display device 40. It is a figure which shows the image IM4 displayed on the display device 40. It is a conceptual diagram of the process executed by the fraud countermeasure system 1. It is a figure which shows an example of the functional structure of the fraud countermeasure system 1A of the 2nd Embodiment. It is a flowchart which shows the flow of the process executed by the visualization apparatus 30A of the 2nd Embodiment. It is a figure which shows an example of the correspondence table 37.

Hereinafter, embodiments of the anti-fraud system of the present invention and the anti-fraud method will be described with reference to the drawings. The anti-fraud system of the present invention is realized by one or more processors. Anti-fraud systems are more effective in curbing harassment. Therefore, the anti-fraud system acquires log information, which is a history of actions performed in connection with services provided via the network, and displays and displays the information generated based on the acquired information on the display unit. It repeatedly executes operations such as accepting and executing measures against annoying acts by a person who sees the information, and acquiring log information after the measures are executed. Details of such a function will be disclosed step by step by the following description.
<First Embodiment>
[Constitution]
FIG. 1 is a diagram showing a configuration and a usage environment of the fraud countermeasure system 1. The fraud countermeasure system 1 includes, for example, one or more web servers 10, a collection server 20, a visualization device 30, and a display device 40.

The web server 10 provides a service via the web W in response to a request from a user connected to the web W. The Web W is a network such as the Internet, and is accessed by an unspecified number of users. The service may be a service provided via a network, for example, a service related to shopping or providing specific information (for example, content). Further, the web server 10 stores log information which is a history of actions performed by the user with respect to the provided service.

The collection server 20 acquires the log information stored in the web server 10. The log information includes, for example, an access log for the web server 10, a CS work log, user data, a posting log, a measure log, and the like.

The access log is, for example, log information acquired when the user's terminal device accesses the web server 10. For example, the access log includes information about the cookie, the IP address of the terminal device of the user who accessed the web server 10, and the like.

The CS work log is, for example, the treatment time performed on the web server 10 by the administrator of the web server 10, the number of treatments, and the like. For example, when the web server 10 accepts the user's comments, the CS work log includes the number of deleted comments that the administrator has determined to be annoying, the time required for the deletion, and the like. In the present embodiment, the nuisance act is an act that is annoying to others in the provided service, and includes sending spam, hijacking a user ID, posting a large amount of malicious comments on a bulletin board, and the like. ..

The user data is, for example, a history of the user's behavior after the user accesses the web server 10 and logs in using an ID given in advance, an evaluation of the user, and the like. The user evaluation is, for example, the result of an evaluation made by another user who has used the service provided by the web server 10.

The posting log is, for example, a posting history of comments and the like made to the web server 10.

The measure log is log information caused by the execution of the measure (details will be described later) for the web server 10. Measures are measures taken by humans to curb harassment.

Further, the collection server 20 selectively (or processes) from the above-mentioned log information based on the information to be processed by the visualization device 30, and the log information (measure) of a preset type. Information to determine)). The preset type of log information is information for the visualization device 30 to generate information, and may be different for each service provided by the web server 10 to the user. Instead of the collection server 20 selectively acquiring the log information, the acquisition unit 32 of the visualization device 30 may select the information from the log information.

The visualization device 30 includes, for example, an acquisition unit 32, an output control unit 34, and a storage unit 36. One or both of the acquisition unit 32 and the output control unit 34 are realized by, for example, a processor such as a CPU (Central Processing Unit) executing a program (software). Further, one or both of the acquisition unit 32 and the output control unit 34 may be realized by hardware such as LSI (Large Scale Integration), ASIC (Application Specific Integrated Circuit), and FPGA (Field-Programmable Gate Array). However, software and hardware may work together.

The storage unit 36 is realized by, for example, an HDD (Hard Disk Drive), a flash memory, a RAM (Random Access Memory), a ROM (Read Only Memory), or the like. The storage unit 36 stores information such as log information acquired by the acquisition unit 32 and processing results executed by the output control unit 34.

The acquisition unit 32 acquires log information which is a history of actions performed in connection with the service provided via the network. The acquisition unit 32 acquires, for example, the information collected by the collection server 20. The output control unit 34 causes the display device 40 to display the information generated based on the information acquired by the acquisition unit 32.

The display device 40 is, for example, a display device such as an LCD (Liquid Crystal Display) or an organic EL (Electroluminescence). An image including information generated by the output control unit 34 is displayed on the display device 40.

[process]
FIG. 2 is a sequence diagram showing a process executed by the anti-fraud system 1. First, the collection server 20 acquires log information from the web server 10 (S100), and stores the acquired log information in a storage device (not shown) of the collection server 20 (S102). Next, the acquisition unit 32 of the visualization device 30 acquires the log information stored in the storage device of the collection server 20 (S104), and stores the acquired log information in the storage unit 36 (S106). Next, the output control unit 34 of the visualization device 30 causes the display device 40 to display an image including information generated based on the log information stored in the storage unit 36 (S108).

The information generated based on the log information is information derived based on the log information of a preset type acquired by the acquisition unit 32, and the administrator of the visualization device 30 recognizes the nuisance. It is information that contributes to analysis. Hereinafter, as an example, the information derived based on the information selectively acquired from the CS work log by the acquisition unit 32 will be described.

FIG. 3 is a diagram showing an image IM displayed on the display device 40. In the figure, the vertical axis is the work time derived based on the CS work log. The working time is the time required for the administrator of the web server 10 to take measures to suppress the nuisance. In the figure, the horizontal axis indicates the time when the treatment was performed. In the illustrated example, the working time up to time t is shown.

FIG. 4 is a diagram showing an image IM1 displayed on the display device 40. The illustrated example is a diagram showing the aggregated results by country having jurisdiction over the IP address associated with the terminal device performing the nuisance at the time t. In the illustrated example, for example, it is assumed that most of the nuisance acts are performed by access from a foreign country other than Japan.

By visually recognizing the information displayed by the display device 40, the administrator who manages the visualization device 30 recognizes that most of the nuisance acts are performed by the terminal device corresponding to the IP address under the jurisdiction of a foreign country. can do. In this case, for example, the administrator who manages the web server 10 implements a measure for the web server 10 to suppress the use of the terminal device corresponding to the IP address under the jurisdiction of the foreign country. Note that the use means that the user actually uses the service provided by the web server 10 after accessing the web server 10 providing the service, and purchases an article if it is a shopping site. The act of doing is the use. The web server 10 is an example of an "execution unit" that receives and executes measures by a person who sees the information displayed by the display device 40.

For example, as a measure, a condition for a user to receive a service is set. For example, since the user is presumed to be a foreigner, it is a condition for providing the service that the Japanese input displayed on the user's terminal device is input by the user. FIG. 5 is a diagram showing an example of measures to be implemented. Before providing the service to the user, the web server 10 displays the predetermined Japanese and also displays the information for displaying the image instructing the user to input the displayed Japanese into the area AR. Provided to the user's terminal device. When the Japanese displayed in the area AR is input, the web server 10 provides a service to the user's terminal device. By implementing the measures in this way, it is expected that the nuisance acts performed by foreign users will be suppressed.

In the example of FIG. 3 above, the graph centered on the work time and the time is displayed on the display device 40, but instead of this, the access log, user data, posting log, or measures are taken. The log information selectively acquired from the log may be used as the axis of the graph. For example, the axes of the graph are user attributes, content attributes, number of deleted information (or degree), cost required for work, magnitude of damage, number of accesses, number of posted information (or degree). ) Etc.

In addition, measures are determined based on the information generated based on the log information. For example, instead of having the user input the above-mentioned Japanese, restricting access and use through a provider that provides a network connection service to the terminal device used by the user for annoying acts. May be.

Returning to the description of FIG. After the measure is executed as described above, the collection server 20 acquires the log information after the measure is executed from the web server 10 (S110), and stores the acquired log information in the storage device (not shown) of the collection server 20. ) (S112). Next, the acquisition unit 32 of the visualization device 30 acquires the log information stored in the storage device of the collection server 20, and stores the acquired log information in the storage unit 36 (S114). Next, the output control unit 34 of the visualization device 30 causes the display device 40 to display an image including information generated based on the log information stored in the storage unit 36 (S116).

FIG. 6 is a diagram showing an image IM2 displayed on the display device 40. FIG. 6 shows the transition of the post-measure log up to the time t + 1. The description overlapping with FIG. 3 will be omitted. In the figure, the vertical axis shows the post-measure log. The post-measure log is log information generated by the execution of the above-mentioned measures for causing the user to input Japanese, and is the number of times indicating the result of the process in which the input of Japanese fails. Since the above measures are taken at time t, it is expected that the post-measure log will tend to increase after time t.

FIG. 7 is a diagram showing an image IM3 displayed on the display device 40. FIG. 7 shows the working time up to the time t + 1. The description overlapping with FIG. 3 will be omitted. As shown in the figure, for example, when the above-mentioned measures are executed immediately after the time t, it is predicted that the post-measures log will increase and the work time will decrease as described above. This is because it is expected that the implementation of such measures will reduce the nuisance caused by the terminal devices corresponding to the IP addresses under the jurisdiction of foreign countries.

FIG. 8 is a diagram showing an image IM4 displayed on the display device 40. The illustrated example is a diagram showing the aggregated results by country having jurisdiction over the IP address associated with the terminal device performing the nuisance at the time t + 1. As shown in the figure, it is expected that the rate of harassment by terminal devices associated with IP addresses under the jurisdiction of foreign countries will decrease.

As described above, the administrator who manages the visualization device 30 can visually check the information such as the work time before and after the execution of the measure displayed by the display device 40 and the log after the measure in a contrastable manner. It is possible to judge the usefulness and whether or not the nuisance is suppressed. If the nuisance is not suppressed even though the measure has been implemented, the administrator implements another measure.

FIG. 9 is a conceptual diagram of the processing executed by the fraud countermeasure system 1. (1) The generated information is displayed on the display device 40 based on the log information. (2) The administrator of the visualization device 30 analyzes the information displayed on the display device 40 and recognizes the characteristics of the nuisance. (3) The manager selects a measure for suppressing the harassment based on the recognized characteristics of the harassment, and determines whether or not to implement the measure. (4) Then, the administrator of the visualization device 30 or the administrator of the web server 10 executes the measures.

Further, the visualization device 30 acquires the log information after the measure is executed, and causes the display device 40 to display the information generated based on the acquired log information. As a result, the manager of the visualization device 30 can determine whether or not the measure was effective.

In this way, by repeating the above-mentioned (1) to (4), it is possible to implement effective measures for suppressing harassment, and it is possible to suppress harassment more effectively.

By repeating the above-mentioned (1) to (4), the following effects can be obtained. By organizing the information necessary for the analysis of the nuisance and displaying it on the display device 40, the administrator can easily investigate and analyze the nuisance. In addition, since the information necessary for the analysis of the nuisance is repeatedly collected, the trouble of collecting the log information can be saved, and the nuisance can be quickly suppressed by accelerating the initial action of the administrator. Further, by visualizing the information for analyzing the nuisance, it is possible to easily grasp the nuisance peculiar to the service provided by the web server 10 and the degree of damage caused by the nuisance.

According to the first embodiment described above, the acquisition unit 32 for acquiring the log information which is the history of the actions performed in connection with the service provided via the network, and the information acquired by the acquisition unit 32. An anti-fraud system including an output control unit 34 that displays the information generated based on the display device 40 on the display device 40, and a web server 10 that receives and executes measures against annoying acts by a person who sees the information displayed by the display device 40. 1. The acquisition unit 32 acquires the log information after the measure is executed by the web server 10, the acquisition unit 32, the output control unit 34, and the web server 10 repeat the above operations. , Annoying acts can be suppressed more effectively.

<Second Embodiment>
Hereinafter, the second embodiment will be described. In the first embodiment, the administrator causes the web server 10 to execute the measure, but in the second embodiment, the execution request unit 38 of the visualization device 30A causes the web server 10 to execute the measure.

FIG. 10 is a diagram showing an example of the functional configuration of the fraud countermeasure system 1A of the second embodiment. The fraud countermeasure system 1A of the second embodiment further includes an operation device 42 in addition to the functional configuration of the first embodiment. The operation device 42 receives the operation performed by the administrator, and outputs the information corresponding to the received operation to the visualization device 30A. For example, the administrator inputs a measure to be executed by the web server 10 via the operation device 42.

The fraud countermeasure system 1A of the second embodiment includes a visualization device 30A instead of the visualization device 30. The visualization device 30A includes an execution request unit 38 in addition to the acquisition unit 32, the output control unit 34, and the storage unit 36. The execution request unit 38 transmits instruction information instructing the web server 10 to execute the measure input by the operation device 42 to the web server 10 via the network. The web server 10 acquires the instruction information transmitted by the execution request unit 38, and executes the measure based on the acquired instruction information.

FIG. 11 is a flowchart showing a flow of processing executed by the visualization device 30A of the second embodiment. First, the acquisition unit 32 acquires log information from the collection server 20 (S200). Next, the output control unit 34 generates information based on the acquired log information (S202), and causes the display device 40 to display the generated information (S204).

Next, the execution request unit 38 determines whether or not the measure has been input within a predetermined time (S206). If no measure is entered, the processing of this flowchart ends. When the measure is input, the execution request unit 38 transmits instruction information to the web server 10 to execute the measure (S208). Then, the web server 10 acquires the instruction information and executes the measure based on the acquired instruction information. This ends the processing of one routine in this flowchart.

According to the second embodiment described above, the same effect as that of the first embodiment is obtained, and the administrator of the visualization device 30A instructs the execution of the measure while referring to the information displayed on the display device 40. Because it can be done, the convenience for the administrator is further improved.

[Modification example]
In the second embodiment, the execution request unit 38 causes the web server 10 to execute the measure by transmitting the instruction information input by the operation device 42 to the web server 10. Instead of this, the execution request unit 38 may automatically select a measure for annoying acts and cause the web server 10 to execute the selected measure.

For example, the storage unit 36 stores a correspondence table 37 in which a measure for annoying acts and an annoying act are associated with each other. FIG. 12 is a diagram showing an example of the corresponding table 37. For example, in the correspondence table 37, when the work time of the treatment for the use of the service by the terminal device corresponding to the IP address under the jurisdiction of a foreign country is longer than the predetermined time, the measure shown in FIG. 5 is executed. It shall be attached.

In this case, the execution request unit 38 automatically selects the above measures and causes the web server 10 to execute the measures. Further, when the execution request unit 38 determines that the automatically selected measure is not useful, the execution request unit 38 may automatically select a measure different from the above measures and cause the web server 10 to execute the measure. For example, the execution request unit 38 determines that the executed measure is not useful when the degree of change in the predetermined log information between before and after the measure is small, and causes the web server 10 to execute another measure. The measures to be executed when the executed measures are not useful are stored in the correspondence table 37 as, for example, the measures to be executed when the executed measures are not useful.

Further, the execution request unit 38 may execute the measures a predetermined number of times, but if it is determined that the measures are not useful, the display device 40 may output information indicating that the administrator needs to take action. .. By automatically executing the measures in this way, it is possible to improve the convenience for the administrator.

Although the embodiments for carrying out the present invention have been described above using the embodiments, the present invention is not limited to these embodiments, and various modifications and substitutions are made without departing from the gist of the present invention. Can be added.

1, 1A ... Fraud countermeasure system, 10 ... Web server, 20 ... Collection server, 30, 30A ... Visualization device, 32 ... Acquisition unit, 34 ... Output control unit, 36 ... Storage unit, 38 ... Execution request unit, 40 ... Display Device, 42 ... Operation device

Claims (8)

An acquisition unit that acquires log information that is a history of actions performed in connection with services provided by a web server via a network, and an acquisition unit.
An output control unit that displays information generated based on the information acquired by the acquisition unit on the display unit.
An execution unit that accepts and executes measures against harassment by a person who sees the information displayed by the display unit.
It is a fraud countermeasure system equipped with
The acquisition unit, the output control unit, and the execution unit repeatedly execute the operation.
The measure is a measure for restricting the provision of the service to the terminal device after the user's terminal device accesses the web server.
The output control unit performs (a) information indicating the timing at which the measure is taken and the transition of the log information before and after the measure, or (b) the annoying act before and after the measure. Information indicating the aggregated results for each country that has jurisdiction over the IP address being used is displayed on the display unit.
Anti-fraud system. An acquisition unit that acquires log information that is a history of actions performed in connection with services provided by a web server via a network, and an acquisition unit.
An output control unit that displays information generated based on the information acquired by the acquisition unit on the display unit.
An execution unit that accepts and executes measures against harassment by a person who sees the information displayed by the display unit.
It is a fraud countermeasure system equipped with
The acquisition unit, the output control unit, and the execution unit repeatedly execute the operation.
The measure is to have the user input the character information in the language of the specific country in order to suppress the use of the service by the user who causes annoying acts from the terminal device other than the specific country. Is to set the conditions for receiving,
Anti-fraud system. The acquisition unit selects information for determining the measure from the log information and acquires the selected log information.
The fraud countermeasure system according to claim 1 or 2. The output control unit displays information before and after the measure is executed on the display unit in a contrastable manner, and further, time-series information on the time required for the treatment to suppress the nuisance act, and the above-mentioned Information indicating the transition of log information between before the measure is taken and after the measure is taken is displayed on the display unit.
The fraud countermeasure system according to any one of claims 1 to 3. The computer
The first step to get log information, which is the history of actions taken in connection with the service provided by the web server over the network,
The second step of displaying the information generated based on the acquired information on the display unit, and
The third step of accepting and implementing measures against harassment,
It is a fraud countermeasure method that repeats the execution of
The first step, the second step, and the third step are repeatedly executed.
The measure is a measure for restricting the provision of the service to the terminal device after the user's terminal device accesses the web server.
In the second step, (a) information indicating the timing at which the measure is taken and the transition of the log information before and after the measure, or (b) the annoying act before and after the measure is performed. Information indicating the aggregated results for each country that has jurisdiction over the IP address being used is displayed on the display unit.
Fraud countermeasure method. The computer
The first step to get log information, which is the history of actions taken in connection with the service provided by the web server over the network,
The second step of displaying the information generated based on the acquired information on the display unit, and
The third step of accepting and implementing measures against harassment,
It is a fraud countermeasure method that repeats the execution of
The first step, the second step, and the third step are repeatedly executed.
The measure is to have the user input the character information in the language of the specific country in order to suppress the use of the service by the user who causes annoying acts from the terminal device other than the specific country. Is to set the conditions for receiving,
Fraud countermeasure method. An acquisition unit that acquires log information that is a history of actions performed in connection with services provided by a web server via a network, and an acquisition unit.
A generation unit that generates information based on the information acquired by the acquisition unit, and a generation unit.
Based on the information generated by the generation unit, the execution request unit that automatically determines the measures against the nuisance and causes the execution unit that executes the measures to execute the determined measures.
It is a fraud countermeasure system equipped with
The acquisition unit, the generation unit, and the execution request unit repeatedly execute the operation.
The measure is a measure for restricting the provision of the service to the terminal device after the user's terminal device accesses the web server.
The information generated by the generation unit is (a) information indicating the timing at which the measure is taken and the transition of the log information before and after the measure, or (b) the information before and after the measure. Information for displaying information indicating the aggregated results by country that has jurisdiction over the IP address that is causing annoying acts on the display unit.
Anti-fraud system. An acquisition unit that acquires log information that is a history of actions performed in connection with services provided by a web server via a network, and an acquisition unit.
A generation unit that generates information based on the information acquired by the acquisition unit, and a generation unit.
Based on the information generated by the generation unit, the execution request unit that automatically determines the measures against the nuisance and causes the execution unit that executes the measures to execute the determined measures.
It is a fraud countermeasure system equipped with
The acquisition unit, the generation unit, and the execution request unit repeatedly execute the operation.
The measure is to have the user input the character information in the language of the specific country in order to suppress the use of the service by the user who causes annoying acts from the terminal device other than the specific country. Is to set the conditions for receiving,
Anti-fraud system.

Images