JP7236376B2 - UNAUTHORIZED ACCESS DETECTION SYSTEM AND UNAUTHORIZED ACCESS DETECTION METHOD - Google Patents

Description

The present invention relates to an unauthorized access detection system and an unauthorized access detection method.

As automation systems and IoT (Internet of Things) devices increase toward the age of information, it is necessary to aim for safety and high reliability in order to provide convenience. In order to protect confidential information and system functions, it is important to understand the operational status of system functions in advance by means such as detecting attacks and monitoring the system, in order to take more effective countermeasures. .

Malicious humans sometimes analyze application files to find sensitive information, vulnerabilities, cryptographic keys, and more. If a person with malicious intent is an expert, such confidential information can be used to extract information such as how the application operates using techniques such as reverse engineering. Additionally, the functionality of the application can be manipulated or changed. Therefore, in order to quickly grasp the actions of attackers, there is a need for various types of detection.

As a method for detecting and guarding against such an attack, for example, Patent Literature 1 discloses a technique called canary token, and Patent Literature 2 discloses a technique called honey token.

US2015/0381655 US2015/0088760

In these documents, as a general usage, a canary token is attached to an application in advance to detect reverse engineering, or a specific file (honey token) is prepared to detect unauthorized access to this file. However, for example, maintenance applications installed on terminals such as tablets and smartphones used for maintenance work of banknote handling devices such as sorters that sort and count banknotes by denomination may be attacked. There is no mention of detecting unauthorized access. In addition, for example, if a cash settlement device such as an ATM (Automated Teller Machine) that performs transactions such as deposit and withdrawal, transfer, and balance inquiry with customers is targeted as an attack target, Leakage of sensitive information and adversely affect the reliability of the device. Therefore, it is very important to detect the threat of attacks and support prompt countermeasures, but this point is not disclosed in the above document.

An object of the present invention is to provide a technique capable of detecting unauthorized access to a terminal used for maintenance work of a banknote handling apparatus. Another object of the present invention is to provide a technique capable of detecting unauthorized access to a banknote transaction machine and supporting a prompt response.

An unauthorized access detection system according to one aspect of the present invention is an unauthorized access detection system for detecting unauthorized access from a terminal, and is executed by a maintenance terminal authenticated as a maintenance worker who maintains a banknote handling apparatus. A registration unit that registers a token embedded in a maintenance application in the unauthorized access detection system; and a detection unit that detects access including the token acquired from the unauthorized access detection system as unauthorized access. It is configured as an unauthorized access detection system characterized by

Further, an unauthorized access detection system according to one aspect of the present invention is an unauthorized access detection system for detecting unauthorized access from a terminal, and is an application executed by a banknote transaction machine, wherein the application incorporating a token is and a detection unit configured to detect access including the token acquired from the unauthorized access detection system as unauthorized access. be done.

ADVANTAGE OF THE INVENTION According to one aspect of the present invention, unauthorized access to a banknote handling device can be detected. In addition, it is possible to detect unauthorized access to the banknote transaction machine and support prompt countermeasures.

BRIEF DESCRIPTION OF THE DRAWINGS It is a figure for demonstrating the example of an unauthorized access detection system (Example 1). 1 is a diagram showing a functional configuration example of an unauthorized access detection system; FIG. FIG. 4 is a diagram illustrating an example of data stored in a data management unit that manages canaries and libraries; FIG. 10 is a flow chart up to downloading a sorter maintenance application main body; FIG. FIG. 10 is a diagram for explaining an interface and its functions that the sorter maintenance application uses when performing sorter maintenance work; FIG. 3 is a diagram for explaining functions of a system including a detection server; FIG. It is a figure which shows the example of the data which a detection server memorize|stores. FIG. 10 is a diagram for explaining processing from detection of reverse engineering to output of an alarm by the detection server; It is a figure for demonstrating the example of an unauthorized access detection system (Example 2). FIG. 4 is a diagram for explaining the flow up to setting a canary token in an ATM device; FIG. 4 is a diagram showing an example of information stored in a canary token database; FIG. 3 is a diagram for explaining functions of a system including a detection server; FIG. It is a figure which shows the example of the data which a detection server memorize|stores.

Embodiments of the present invention will be described below with reference to the drawings. The following description and drawings are examples for explaining the present invention, and are appropriately omitted and simplified for clarity of explanation. The present invention can also be implemented in various other forms. Unless otherwise specified, each component may be singular or plural.

The position, size, shape, range, etc. of each component shown in the drawings may not represent the actual position, size, shape, range, etc., in order to facilitate understanding of the invention. As such, the present invention is not necessarily limited to the locations, sizes, shapes, extents, etc., disclosed in the drawings.

In the following description, various types of information may be described using expressions such as “table” and “list”, but various types of information may be expressed in data structures other than these. "XX table", "XX list", etc. are sometimes referred to as "XX information" to indicate that they do not depend on the data structure. When the identification information is described, expressions such as "identification information", "identifier", "name", "ID", and "number" are interchangeable.

When there are a plurality of components having the same or similar functions, they may be described with the same reference numerals and different suffixes. However, if there is no need to distinguish between these multiple constituent elements, the subscripts may be omitted in the description.

In addition, in the following description, there are cases where processing performed by executing a program is described. A processor may be the subject of the processing to perform the processing while appropriately using storage resources (eg, memory) and/or interface devices (eg, communication ports). Similarly, a main body of processing executed by executing a program may be a controller having a processor, a device, a system, a computer, or a node. The main body of the processing performed by executing the program may be an arithmetic unit, and may include a dedicated circuit (for example, FPGA (Field-Programmable Gate Array) or ASIC (Application Specific Integrated Circuit)) that performs specific processing. .

A program may be installed on a device, such as a computer, from a program source. The program source may be, for example, a program distribution server or a computer-readable storage medium. When the program source is a program distribution server, the program distribution server may include a processor and storage resources for storing the distribution target program, and the processor of the program distribution server may distribute the distribution target program to other computers. Also, in the following description, two or more programs may be implemented as one program, and one program may be implemented as two or more programs (Example 1).

FIG. 1 is a diagram for explaining an example of an unauthorized access detection system according to the first embodiment. In the unauthorized access detection system 1 of the present embodiment, the system is applied to a sorter maintenance application as an example, and the related parties and the overall configuration are shown. A sorter is, for example, a banknote handling device for a branch employee of a financial institution to sort and count banknotes by denomination.

As shown in FIG. 1, the unauthorized access detection system 1 includes a maintenance application management system 1105, a developer PC (Personal Computer) 1114, a smartphone 1103, a sorter 1104, a monitoring server 1107, and a detection server 1112. have. The maintenance application management system 1105 and the developer's PC 1114 are connected by a network 1111a, and the detection server 1112 and the developer's PC 1114 are connected by a network 1111b. The smartphone 1103, the sorter 1104, and the monitoring server 1107 are connected by the bank gateway 1106, and the detection server 1112 is in an environment where the attacker's PC 1109 can access it via the network 1101c. General hardware can be used for these devices, networks, and gateways.

Further, the functions performed by the devices and devices that make up this system are implemented by, for example, the CPU reading a program from a ROM (Read Only Memory) and reading/writing it from/to a RAM to execute processing. The program may be read from a storage medium such as a USB (Universal Serial Bus) memory, or may be provided by being downloaded from another computer (for example, a server or cloud that manages the ECU) via a network. .

The operation performed by the unauthorized access detection system 1 will be described with reference to FIG. A maintenance worker 1101 uses a general-purpose personal mobile terminal 1102 to access a sorter 1104 via a bank gateway 1106 and perform maintenance work. A sorter 1104 is a device having functions such as identifying, sorting, and counting cash. In the maintenance work, maintenance personnel acquire various information accumulated in the sorter 1104 and troubleshoot the sorter 1104 . When the sorter 1104 malfunctions, the sorter maintenance application 1103 installed on the smartphone 1103 accesses the monitoring server 1107 via the bank gateway 1106 . The monitoring server 1107 receives access from the sorter maintenance application 1103 and monitors and records the behavior of the smartphone 1103 that is the access source. Depending on the implementation method, the monitoring server 1107 and the sorter 1104 can be installed on a different network.

The maintenance application management system 1105 has a function of distributing 1105a the sorter maintenance application 1103 to the personal mobile terminal 1102 and a function of managing various information used in this system.

A developer 1113 uses a developer PC 1114 to develop the sorter maintenance application 1103 and register the above various information in a development environment 1115 . The developer 1113 includes not only programmers but also testers and administrators involved in development.

A developer PC 1114 operated by a developer 1113 registers or updates software (for example, maintenance function library 1201 in which canary data is set, maintenance application body 1202) in maintenance application management system 1105 via network 1111a. . In addition, the developer PC 1114 registers and updates the above various information with the maintenance application management system 1105 via the network 1111a, and registers the above various information with the detection server 1112 via the network 1111b. and updates.

When the detection server 1112 detects access from the attacker PC 1109 operated by the attacker 1108 , it accesses the maintenance application management system 1105 and refers to information managed by the maintenance application management system 1105 . Although specifically described later, the detection server 1112 plays a role of detecting and managing threats from the attacker's PC 1109 operated by the attacker 1108 . The following description is based on the premise that the attacker 1108 operates the attacker PC 1109 to illegally obtain the sorter maintenance application 1103, and the attacker PC 1109 uses the reverse engineering tool 1110 to perform analysis. .

2A to 2C are diagrams for explaining the configuration of maintenance application management system 1105, the role of each unit, and data.

FIG. 2A is a diagram showing a functional configuration example of an unauthorized access detection system. FIG. 2B is a diagram illustrating an example of data stored in a data management unit that manages canaries and libraries. FIG. 2C is a flowchart up to downloading the main body of the sorter maintenance application.

As shown in FIG. 2A, maintenance application management system 1105 is configured with management server 1203 and download server 1204 . Management server 1203 has management database 1205 and delivery management unit 1206 .

The sorter maintenance application 1103 is, for example, an application used in mobile terminals such as smartphones and plates, and can be applied to general operating systems. Therefore, maintenance personnel 1101 can perform maintenance work using a general-purpose personal mobile terminal 1102 instead of a dedicated terminal.

The sorter maintenance application 1103 includes a maintenance function library 1201 associated with an ID for identifying the library, and a maintenance application main body 1202 downloaded from the download server 1204 . Maintenance application body 1202 provides an end-user interface for operating personal mobile terminal 1102, and maintenance function library 1201 implements actual functions.

A maintenance person 1101 uses a personal mobile terminal 1102 to access 1202a a download server (application store) 1204 via a network 1208 such as the Internet. The personal mobile terminal 1102 downloads 1202b the maintenance application main body 1202 specified by the maintenance person 1101 . A download server (application store) 1204 is a general-purpose application store. The maintenance staff 1101 uses the personal mobile terminal 1102 to access 1203a the management server 1203 via the Internet or a dedicated gateway 1207, and obtains 1203b the maintenance function library 1201. FIG. Depending on the implementation method, the management database 1205 may be provided in the management server 1206, or they may be arranged according to the usage environment.

When receiving access from the personal mobile terminal 1102, the management server 1206 refers 1205a to the management database 1205 and acquires 1205b the library ID. After that, the management server 1206 transmits 1203b the library corresponding to the obtained library ID to the 1102 .

FIG. 2B is a diagram showing an example of data stored in the management database 1205. As shown in FIG. FIG. 2B shows that maintenance personnel management data 12051, canary management data 12052, and update history management data 12053 are stored.

(a) of FIG. 2B is a diagram showing an example of maintenance personnel management data 12051 . As shown in (a) of FIG. 2B, the maintenance personnel management data 12051 includes a maintenance personnel ID for identifying the maintenance personnel 1101, the name of the maintenance personnel, the history of the maintenance personnel, and the evaluation of the maintenance personnel. It is stored with For example, the maintenance engineer identified by the maintenance engineer ID "1" has a history of "123" years as a maintenance engineer with the name "X". It also indicates that the maintenance worker's evaluation is "A". The evaluation is, for example, an index indicating the reliability of the maintenance staff, which is determined based on the maintenance staff's experience, working conditions, and the like. Such information is registered in the maintenance personnel management data 12051, for example, when the maintenance personnel 1101 becomes the official person in charge.

(b) of FIG. 2B is a diagram showing an example of the canary management data 12052 . As shown in FIG. 2B, the canary management data 12052 includes a canary ID for identifying canary data, the canary data, and the maintenance function library 1201 of the sorter maintenance application 1103 corresponding to the canary data. A library ID for identification and the maintenance worker ID are stored in association with each other. For example, the canary data identified by the canary ID "1" indicates that it is a website indicated by "https://xx/xx/xx" (a fake IP address that is not the original access destination). . The canary data is used in the maintenance function library 1201 identified by the library ID "#1" in accordance with a request from the personal mobile terminal 1102 operated by the maintenance staff 1101 identified by the maintenance staff ID "1". This is the specific content of the canary token that will be used. The canary token in Example 1 and Example 2, which will be described later, is a token that is not used in processing normally performed by a sorter or ATM, and is information that is accessed by the analyst when analysis such as reverse engineering is performed. be. For example, in the developer PC 1114, a program to be executed in business is designed and registered in the system so as to skip canary tokens.

In this example, a canary token is used as an example, but a honey token may also be used. Also, as canary tokens, instead of fake URLs, various fake information that is not originally intended to be used, such as fake user accounts and keywords, may be used. As explained below, the use of such canary tokens (or honey tokens) is a trick to detect access to applications or files that are not normally used, and to detect unintended use by attackers. I can say.

Canary management data 12052 is registered or updated in management database 1205 before maintenance function library 1201 is registered or updated in library distribution server 1206 . Canary management data 12052 thus stores the relationship between maintenance function library 1201 and maintenance personnel. When the canary management data 12052 is registered in the library management database 1205, the accessible library for each maintenance person 1101 is determined.

(c) of FIG. 2B is a diagram showing an example of the update history management data 12053 . As shown in (c) of FIG. 2B, the update history management data 12053 includes a library ID for identifying the maintenance function library 1201 and an update/download classification indicating whether the library has been updated or downloaded. , the update/download date, and the maintenance worker ID are stored in association with each other. For example, the maintenance function library 1201 identified by library ID "1" was updated on date "xx". It also indicates that the maintenance function library 1201 is registered or updated according to a request from the personal mobile terminal 1102 operated by the maintenance staff 1101 identified by the maintenance staff ID "1".

FIG. 2C is a flowchart up to downloading the main body of the sorter maintenance application. In this system, maintenance personnel 1101 first inputs an instruction to download maintenance application main body 1202 to general-purpose personal mobile terminal 1102 (S201). (Application store) 1204 requests maintenance application body 1202 (S202), and download server 1204 transmits maintenance application body 1202 to personal mobile terminal 1102 in accordance with the request (S203).

After installing the transmitted maintenance application body 1202 (S204), the personal mobile terminal 1102 accepts input of the maintenance staff ID and password from the maintenance staff 1101 (S205), and inputs the received maintenance staff ID and password to the installed maintenance staff. Output to the application body 1202 (S206).

The maintenance application body 1202 transmits the maintenance worker ID and password as authentication information to the management server 1203 (S207). The distribution management unit 1206 of the management server 1203 accesses maintenance personnel authentication information (not shown) stored in advance in the management database 1205 using the maintenance personnel ID and password included in the authentication information as keys, and Acquire the corresponding authentication information (S208, S209). When the authentication information can be obtained from the management database 1205, the distribution management unit 1206 returns the authentication success to the maintenance application body 1202 (S210).

When the personal mobile terminal 1102 receives the notification of successful authentication, it receives from the maintenance personnel 1101 the pressing of the request button for requesting the maintenance function library 1201 (S212), and outputs that the request button has been pressed. (S213). Then, the personal mobile terminal 1102 transmits a request for the maintenance function library 1201 to the distribution management section 1206 of the management server 1203 (S214). The request includes a library ID and a maintenance worker ID.

The distribution management unit 1206 of the management server 1203 reads out the maintenance worker ID included in the above request received from the personal mobile terminal 1102, and stores the library corresponding to the maintenance worker ID stored in the canary management data 12052 of the management database 1205. The ID is read and acquired (S215, S216).

The distribution management unit 1206 of the management server 1203 transmits the maintenance function library 1201 identified by the acquired library ID to the personal mobile terminal 1102 (S217). The maintenance application main body 1202 of the personal mobile terminal 1102 installs the maintenance function library 1201 received from the management server 1203 into the sorter maintenance application 1103 and makes it ready for use (S218).

As described above, the maintenance worker 1101 operates the personal mobile terminal 1102 to obtain the maintenance application body 1202 and the maintenance function library 1201, and the sorter maintenance application having the maintenance function library 1201 different for each maintenance worker 1101 is generated. 1103 is built in the maintenance person's personal mobile terminal 1102 .

FIG. 3 is a diagram for explaining an interface and its functions that the sorter maintenance application 1103 uses when performing sorter maintenance work.
As shown in FIG. 3, the sorter maintenance application 1103 installed in the personal mobile terminal 1102 consists of a maintenance function library 1201 that can be used by maintenance personnel who use the personal mobile terminal 1102, and a maintenance application main body 1202. . A maintenance application body 1202 provides an operation interface 1301, and a maintenance function library 1201 provides actual functions related to maintenance.

As shown in the lower part of FIG. 3 , maintenance personnel 1101 perform maintenance-related operations via operation interface 1301 displayed on personal mobile terminal 1102 . The maintenance application main body 1202 outputs a command 1202 a to call the function of the maintenance function library 1201 . The called maintenance function library 1201 remotely accesses the sorter 1104 via the bank gateway 1106 and displays the information acquired 1202 b on the operation interface 1301 . Maintenance personnel 1101 performs work based on the display.

For example, the operation interface 1301 of the personal mobile terminal 1102 accepts pressing of an approval request button on the access approval request screen 1302 from the maintenance staff 1101 . (Fig. 3, lower part (a)) The maintenance application main body 1202 installed in the personal mobile terminal 1102 outputs a command to the maintenance function library 1201 to call the function of the maintenance function library 1201.

The maintenance function library 1201 includes information about the sorter maintenance application 1103 (for example, an application ID, library ID, and maintenance personnel ID for identifying the application) and a sorter ID for identifying the sorter to be accessed. An access request is sent to sorter 1104 via bank gateway 1106 . In the sorter 1104, an accessible sorter maintenance application 1103, maintenance function library 1201, personal mobile terminal 1102, and maintenance personnel 1101 are stored. It determines that it is possible and sends a message to the personal mobile terminal 1102 approving access.

When the maintenance application body 1202 of the personal mobile terminal 1102 receives the access approval message from the sorter 1104, the maintenance application shown in the lower part (b) of FIG. The screen is changed to the member mode screen 1303 .

On the maintenance personnel mode screen 1303, the maintenance application body 1202 provides various functions depending on the means of implementation and business requirements. In the lower part (b) of FIG. 13, the maintenance application body 1202 displays on the operation interface 1301 a maintenance personnel mode screen 1303 including three maintenance menus of motor check, sensor check, and transport test of the accessed sorter 1104 . . These maintenance menu and maintenance personnel mode screen 1303 are determined according to maintenance personnel 1101 (or personal mobile terminal 1102). For example, in the personal mobile terminal 1102 operated by a maintenance worker 1101, if the maintenance worker history of the maintenance worker 1101 does not meet a predetermined standard, or if the evaluation of the maintenance worker 1101 does not meet a predetermined standard, the individual Maintenance application main body 1202 installed in mobile terminal 1102 does not display “transportation test” on maintenance personnel mode screen 1303 .

When maintenance is performed according to the maintenance menu displayed on the maintenance personnel mode screen 1303 , the maintenance application body 1202 displays on the operation interface 1301 a maintenance result screen 1304 showing the result of the maintenance. In the lower part (c) of FIG. 3, the maintenance application main body 1202 displays on the operation interface 1301 a maintenance result screen 1304 including log information and an error code when maintenance related to the transportation test is executed.

When the maintenance application main body 1202 determines that a message indicating that an abnormality has been detected is displayed as log information, the maintenance operation mode screen 1305 for maintaining the sorter 1104 in which the abnormality has been detected is displayed on the operation interface. 1301 to display. In the lower part (d) of FIG. 13, the maintenance application main body 1202 displays the screen displayed on the display device of the sorter 1104 as the maintenance operation mode screen 1305 on the operation interface 1301 by remote operation technology such as remote desktop. there is The maintenance application main body 1202 displays the maintenance operation mode screen 1305, so that the maintenance personnel 1101 can perform efficient maintenance personnel work. In addition, since the situation can be grasped in advance and the maintenance personnel 1101 can be arranged without going to the place where the sorter 1104 is installed, maintenance work can be performed more efficiently and reliably than before. . As will be described later, in order for the sorter maintenance application 1103 to operate the sorter 1104, a canary token is given to the maintenance function library 1201 that provides the functions of the sorter maintenance application 1103. to protect

4A to 4C are diagrams for explaining the function of the detection server 1112 to detect reverse engineering. FIG. 4A is a diagram for explaining functions of a system including a detection server. FIG. 4B is a diagram illustrating an example of data stored by a detection server; FIG. 4C is a diagram for explaining the processing from detection of reverse engineering by the detection server to output of an alarm.

The detection server 1112 is a server for, when detecting an access from an arbitrary terminal operated by a certain person, determining that there is a threat from the accessed terminal and issuing an alarm.

As shown in FIG. 4A, the detection server 1112 has a detection server database 1401 that stores various data used for reverse engineering detection and alarms, and an alarm unit 1402 that notifies the administrator that reverse engineering has been detected. ing.
The developer 1113 accesses the detection server 1112 via the network 1111b from the development management environment 1406 that manages the data of the detection server 1112, which is preinstalled in the developer PC 1114, and registers necessary information in the detection server database 1401. Keep

Under such an environment, the attacker 1108 operates the attacker's PC 1109 to illegally obtain the sorter maintenance application 1103, and uses the reverse engineering tool 1110 of the attacker's PC 1109 to analyze the source code. For example, the attacker's PC 1109 accesses the download server 1204 according to the operation of the attacker 1108 . If the sorter maintenance application 1103 is an application for smartphones, the attacker PC 1109 camouflages various settings of the PC as if it were a smartphone even though it is not a smartphone, downloads the sorter maintenance application 1103, and obtains it illegally. do.

Furthermore, the attacker 1108 executes analysis software such as a tool on the attacker's PC 1109 to analyze the source code of the downloaded sorter maintenance application 1103 . The analysis software finds and extracts the canary token 1407 assigned to the maintenance function library 1201 that provides the functions of the sorter maintenance application 1103 . Additionally, attacker 1108 utilizes canary token 1409 to provide more detailed information.

For example, the attacker PC 1109 reverse-engineers the acquired sorter maintenance application 1103 according to instructions from the attacker 1108 and finds out the canary token 1409 in the sorter maintenance application 1103 . The canary token 1409 is, for example, the trick URL 1405 assigned to the detection server, as shown as canary data in the canary management data 12052 of FIG. 2B. In this case, the attacker PC 1109 accesses the detection server according to the operation of the attacker 1108 . Since the access destination of the trick URL 1405 is set as the IP address of the detection server 1112 , the attacker's PC 1109 is guided to the detection server 1112 . In this example, the canary token 1409 exemplifies a trick URL, but includes various fake information that is subject to analysis by the attacker 2604, such as user accounts and keywords.

The alarm unit 1402 of the detection server 1112 refers 1112a to the information in the detection server database 1401 and 1112b to the information in the management database 1205 to find out the canary token information and maintenance personnel information. For example, the alarm unit 1402 identifies a record including the trick URL 1405 accessed by the attacker PC 1109 from the canary management data 12052 of the management database 1205 . The alarm unit 1402 reads the library ID included in the identified record, and identifies the record including the same library ID as the read library ID from the update history management data 12053 . Then, the alarm unit 1402 reads the update/download classification, update/download date, and maintenance personnel ID of the specified record. Further, the alarm unit 1402 reads the maintenance worker ID included in the identified record from the canary management data 12052, and identifies the record containing the same maintenance worker ID as the read maintenance worker ID from the maintenance worker management data 12051. do. Then, the alarm unit 1402 reads the name of the maintenance engineer, the history of the maintenance engineer, and the evaluation of the maintenance engineer in the specified record.

Further, the alarm unit 1402 refers to the information obtained from the attacker PC 1109 when the attacker PC 1109 accesses it (for example, the IP address of the attacker PC 1109 and the date of access) and the detection server database 1401 to identify the access source. Chase. For example, the alarm unit 1402 records the IP address and access date of the attacker PC 1109 in the access source information 14011 as information acquired from the attacker PC 1109, as shown in FIG. 4B(a). In addition, as shown in FIG. 4B(b), the alarm unit 1402 records the library ID of the identified record and the access date in the reverse engineering target information 14012 as reverse engineering target information. At this time, the alarm unit 1402 determines the area where the attacker PC 1109 is installed from the IP address recorded in the access source information 14011 and records it in the reverse engineering target information 14012 .

Furthermore, the alarm unit 1402 generates, for example, a threat analysis report 1403 and countermeasures 1404 as follows, and transmits this information to a predetermined destination. As the destination, for example, as shown in FIG. 4B(c), identification information for identifying the person in charge of this system and the contact information (for example, telephone number or e-mail address) of the person in charge are associated with each other. 14013 is referred to and the generated information is transmitted.

The alarm unit 1402 provides, as a threat analysis report 1403, a maintenance function library 1201 that provides the IP address of the access source, the access date, the area, and the function of the sorter maintenance application 1103 that was accessed and reverse-engineered by the attacker PC 1109. library ID, area analyzed based on the IP address, sorter ID included in the access request by the maintenance function library 1201, and other information is output. Furthermore, the alarm unit 1402 generates a message indicating that a threat has been detected, and transmits a threat analysis report 1403 including the message and the list to the destination.

In addition, the alarm unit 1402 implements countermeasures 1404 (for example, network measures such as blocking access from an IP address or region serving as an access source) against threats detected in the threat analysis report 1403 according to the threat analysis. It is transmitted to the destination together with the report 1403 . It is assumed that the threat analysis results and countermeasure proposals are associated with each other in advance.

As shown in FIG. 4C, in the process from detecting that the detection server 1112 has been accessed to sending an alarm, when the attacker PC 1109 illegally obtains the sorter maintenance application 1103 (S401), it reverse-engineers, The canary token 1409 embedded in the sorter maintenance application 1103 is identified (S402). Furthermore, the attacker PC 1109 searches for the identified canary token 1409 on the network (S403), and accesses the link indicated by the token (S404).

In the detection server 1112, when the alarm unit 1402 detects the above access (S405), it identifies the access source and generates a threat analysis report 1403 (S406), the access source information 14011 shown in FIG. 4B and the reverse engineering target information. The information is recorded in 14012, and the proposed countermeasure 1404 and the threat analysis report 1403 are sent to a predetermined e-mail address of the person in charge (S407). As a result, the person in charge of the system can easily and quickly grasp that there has been unauthorized access by the attacker PC 1109 .

As described above, in this embodiment, in the unauthorized access detection system 1 that detects unauthorized access from a terminal, the registration unit (for example, the developer PC 1114) is a maintenance person (for example, the sorter 1104) who maintains the banknote handling device (for example, the sorter 1104). For example, a maintenance application (for example, a sorter maintenance application 1103) executed on a maintenance terminal (for example, a personal mobile terminal 1102) authenticated as a maintenance worker 1101) and a token indicating false information (for example, , canary token 1407) is registered in the unauthorized access detection system, and the detection unit (for example, the detection server 1112) is incorporated in the maintenance application acquired from the unauthorized access detection system. access via the above token is detected as unauthorized access. Therefore, an application for maintaining banknote handling devices such as a sorter used in financial institutions such as banks is illegally installed on a terminal of a third party who is not a maintenance worker, or the third party pretends to be a maintenance worker to perform the maintenance. Even if it is installed in a terminal, it is possible to easily detect unauthorized access because it is possible to know that the application has been accessed via a token that is not intended for its intended use.

The token is stored in a library (for example, the maintenance function library 1201) stored for each maintenance worker, and the management unit (for example, the management server 1206) stores the maintenance terminal authenticated as the maintenance worker. In addition, the maintenance application including the library corresponding to the maintenance personnel is provided. Therefore, when unauthorized access is detected, it is possible to easily ascertain which maintenance worker's terminal has been impersonated or impersonated as a maintenance worker to cause unauthorized access.

Further, the management unit displays, as the maintenance application, a maintenance screen (for example, a maintenance personnel mode screen 1303) on the display unit of the maintenance terminal, which differs according to a predetermined evaluation level of the maintenance personnel. offer. For example, as an application screen corresponding to maintenance personnel whose evaluation is higher than a predetermined standard, all maintenance menus are displayed on the maintenance personnel mode screen 1303, while maintenance personnel whose evaluation is lower than the predetermined standard are displayed. As an application screen, part of all the above maintenance menus is hidden, and maintenance of the hidden maintenance menu is restricted. Therefore, it is possible to display an application screen in consideration of security according to the evaluation by maintenance personnel.

In addition, the alarm unit (for example, the alarm unit 1402 of the detection server 1112) detects access source information (for example, access source information 14011) obtained when unauthorized access is detected, and the person in charge of the unauthorized access detection system. A report (for example, threat analysis report 1403) that analyzes access source information using terminal address information (for example, responsible person information 14013) and countermeasures against unauthorized access (for example, countermeasures 1404) are prepared as described above. Send to the terminal address of the person in charge specified in the address information. Therefore, the person in charge can easily grasp the source of unauthorized access and countermeasures against unauthorized access at a glance (Embodiment 2).

FIG. 5 is a diagram for explaining an example of an unauthorized access detection system according to the second embodiment. In the unauthorized access detection system 1' of this embodiment, the system is applied to an ATM maintenance application as an end-user terminal, and the related parties and overall configuration are shown. ATMs are banknote transaction machines for performing transactions such as deposits and withdrawals, transfers, and balance inquiries with customers.

As shown in FIG. 5, the unauthorized access detection system 1' is connected to a canary management server 2611 having a canary token database 2612, a developer PC 2613 provided in a development environment 2614, and a bank network 2608 via a network 2607. It has an ATM device 2607 and a detection server 2609 . The canary management server 2611 and developer PC 2613 are connected by a network 2603, and the detection server 2609 and developer PC 2613 are connected by a network 2602a. Also, the detection server 2609 is in an environment where the attacker's PC 2605 can access it via the network 2602b. Common hardware can be used for these devices including ATM equipment, networks, and gateways, as in the case of the first embodiment.

Also, the functions performed by the devices and devices that make up this system are implemented by, for example, the CPU reading programs from the ROM, reading and writing to the RAM, and executing processing, as in the case of the first embodiment. . The program may be read from a storage medium such as a USB memory, or may be provided by downloading from another computer (for example, a server that manages the ECU or the cloud) via a network.

4A, the attacker 2604 uses the reverse engineering tool 2606 on the attacker's PC 2605 to analyze an illegally obtained application (for example, a maintenance application for the ATM device 2601). In order to discover the action of the attacker 2604 using the attacker PC 2605 , access from the attacker PC 2605 operated by the attacker 2604 is guided to the detection server 2609 . Attacker PC 2605 operated by attacker 2604 accesses detection server 2609 via network 2602b.

The detection server 2609 traces the source of access when it detects that it has been accessed, as in the case described with reference to FIG. 4A. Furthermore, the detection server 2609 refers to the canary management server 2611 and reads information about the canary and the target file to which the canary is attached. The detection server 2609 performs threat analysis using the access source and attacked target information, refers to the canary token database 2612, and transmits an alarm together with a countermeasure.

The developer 2610 uses the development environment 2614 of the developer PC 2613 to perform work 2601a for the ATM device, such as application development, installation, update, and various setting work for the ATM device 2601 . The developer PC 2613 also manages the detection server 2609, such as registering countermeasures 2609a in the detection server 2609, and manages the canary management server 2611 and canary token database 2612, such as registering canary information 2611a. Specific contents of these will be described later.

6A and 6B are diagrams for explaining the relationship between ATM equipment and canary tokens.
FIG. 6A is a diagram for explaining the flow up to setting a canary token in an ATM device. FIG. 6B is a diagram showing an example of information stored in the canary token database.

As shown in FIG. 6A, ATM equipment 2601 of the system incorporates ATM software 2710 to provide services to customers. ATM software 2710 includes business programs 2706 for customer transactions with the bank, such as deposits and withdrawals, balance inquiries, and transfers. The ATM software 2710 also includes setting files and the like for safely operating the business program 2706 . The setting files include a setting file 2709 specific to the ATM software 2710 and a registry 2708 set in the OS (Operating System). In addition to these files, other files 2705 set in the ATM software 2710 and other data 2707 set in the ATM device 2601 are included.

Under such an environment, in response to an operation from the developer 2610, the developer PC 2613 writes and sets 2614a a unique canary token for each file in the development environment 2614 according to the type of target file. For example, the developer PC 2613 gives a canary token 2702 to the execution file A 2701 of the business program 2706 . Also, for example, the developer PC 2613 gives the canary token 2704 to the setting file B 2703 of the ATM software 2710 .

Since the ATM software 2710 generally runs on the ATM device 2601 with an OS installed, in such a case, a canary token may be given to the registry.

When the developer PC 2613 assigns canary tokens to these files by the operation of the developer 2610, these files to which the canary tokens are assigned are delivered to the ATM device 2601 or updated 2601a. At the ATM 2601 , for example, an execution file A 2701 to which a canary token is assigned runs as a business program 2706 . Also, for example, a setting file B 2703 to which a canary token is assigned is incorporated as one of the setting files 2709 .

As shown in FIG. 6B, the canary token database 2612 stores terminal information data 26121 regarding ATM equipment and canary token data 26122 regarding canary tokens.

FIG. 6B(a) shows an example of the terminal information data 26121. FIG. The terminal information data 26121 includes the terminal ID for identifying the ATM device, the bank and branch where the ATM device is installed, the area where the ATM device is installed, and the ATM software incorporated in the ATM device. are stored in association with each other.

FIG. 6B(b) shows an example of the canary token data 26122. FIG. The canary token data 26122 stores a canary ID for identifying a canary token, canary data that is a canary token, a target file to which the canary token is assigned, and the degree of risk of the attacker 2604 in association with each other. there is The degree of risk is an index that indicates the level of threat posed by the attacker 2604 . For example, if the target file is a text file that does not require advanced analysis, it is determined that the attacker's hacking skill level is low, and the risk level is set to "low". On the other hand, if the target file is a text file that requires advanced analysis, it is determined that the attacker has a high level of hacking technology, and the risk level is set to "high". As to whether or not advanced analysis is necessary, it is sufficient to determine in advance what kind of analysis should be performed and what level should be set. The canary token data 26122 is set, for example, for each financial institution such as a bank that manages the ATM device 2601 and for each branch of the financial institution. Canary tokens include, for example, URLs, user accounts, keywords, and various other false information to be analyzed by the attacker 2604 .

In this example, the level of hacking technique used by the attacker is determined as the risk level, but it may be determined according to, for example, the extent to which the target file is affected, or the degree of urgency until countermeasures are required. . For example, if the risk level is determined according to the degree of impact on the target file, if the executable file A (A.exe) is a very important file related to bank transactions, the risk level is set to "High". set. Further, for example, when the risk level is determined according to the degree of urgency until countermeasures are required, when the setting file 2704 is a file necessary for quick recovery in online business, the risk level is set to "High". ”.

When setting up a canary token, for example, it can be written into a source file or configuration file, or installed when the ATM software 2710 is developed or updated.

7A and 7B are diagrams for explaining a mechanism for detecting reverse engineering by a canary token assigned to an ATM device, which is an end user terminal.
FIG. 7A is a diagram for explaining functions of a system including a detection server. FIG. 7B is a diagram illustrating an example of data stored by a detection server;

As described above, in response to an operation from the developer 2610 before the ATM device 2601 operates, the developer PC 2613 assigns to various files such as an executable file and a setting file to be incorporated in the ATM device 2601 in advance, The information is stored in the detection server database 2801 of the detection server 2609 while being incorporated into the ATM device.

FIG. 7B(a) is a diagram showing an example of threat analysis information 28011 stored in the detection server database 2801. FIG. As shown in FIG. 7B(a), the threat analysis information 28011 stores a threat ID for identifying the type of threat, canary data, a target file to which the canary data is attached, and a degree of risk in association with each other. It is Each of these items is the same as the canary token data 26122 shown in FIG. 6B(b), so description thereof will be omitted here.
After that, the developer PC 2613 stores the information in the detection server database 2801 of the detection server 2609 in response to an operation from the developer 2610 .

FIG. 7B(b) is a diagram showing an example of countermeasure information 28012 stored in the detection server database 2801. As shown in FIG. As shown in FIG. 7B(b), the countermeasure information 28012 includes a countermeasure ID for identifying the type of countermeasure, a specific countermeasure predetermined according to the degree of risk, and a countermeasure based on the countermeasure. and the threat ID are stored in association with each other. Specific countermeasures include, for example, executing a software program that avoids or mitigates risks, temporarily repairs equipment such as hardware in case of emergency, and human intervention, etc.

Under the above-described environment, the attacker 2604 operates the attacker's PC 2605 to illegally install the ATM software 2710 on the attacker's PC 2605, as in the case of FIGS. 4A to 4C, and executes the following processing.

Attacker PC 2605 analyzes illegally installed ATM software 2710 (executable file A 2701, for example) according to instructions from attacker 2604, using analysis means such as reverse engineering, and generates canary token 2702 as a result of the analysis. to get As in the case of FIGS. 4A-C, assume that the obtained canary token 2702 is the trick URL 2809 assigned to the detection server 2609 . Attacker PC 2605 is guided to detection server 2609 when accessing trick URL 2809 via network 2602b. In this example, a trick URL is exemplified as canary token 2702, but as in FIGS. 4A-C, it may be applied to various false information such as user accounts and keywords that are subject to analysis by attacker 2604. .

Detection server 2609 executes threat analysis unit 2802 when alarm unit 2806 detects unauthorized access from attacker PC 2605 . Threat analysis unit 2802 refers to canary token data 26122 and terminal information data 26121 shown in FIG. For example, the threat analysis unit 2802 identifies, from the canary token data 26122, a record containing the canary token 2702 obtained when unauthorized access was detected. Canary token data 26122, which is a file containing the record, is set for each branch of the financial institution. Therefore, the threat analysis unit 2802 reads, from the terminal information data 26121, the record corresponding to the financial institution and branch (for example, Bank A: 123 branch) stored as the canary token data 26122 including the specified record, Identify the ATM device 2601 illegally accessed.

When identifying the illegally accessed ATM device 2601, the threat analysis unit 2802 generates an identification result 2803 of the ATM device, access source information 2804, and risk level information 2805, as in the case of FIGS. 4A to 4C. , the information is sent to a predetermined destination. For example, similar to FIG. 4B(c), the destination includes identification information for identifying the person in charge of this system or the person in charge of the financial institution and/or branch office, and the contact information of the person in charge (for example, telephone number). number and e-mail address) are referenced, and the generated information can be sent.

As the identification result 2803 of the ATM device, for example, the threat analysis unit 2802 detects the terminal information data 26121 of the ATM device 2601 running the ATM software 2701 in which the file attached with the canary token detected by unauthorized access is installed. It should be sent to the contact information of the person in charge.

As the access source information 2804, for example, the threat analysis unit 2802 uses information (for example, the The IP address of the PC 2605, access date) and the detection server database 2801 are referenced to trace the access source. For example, as in FIG. 4B(a), the threat analysis unit 2802 records the IP address and access date of the attacker PC 2605 as information obtained from the attacker PC 2605 in information similar to the access source information 14011. It should be sent to the person in charge.

As the risk level information 2805, for example, the threat analysis unit 2802 reads the risk level (for example, critical) corresponding to the canary token 2702 obtained when unauthorized access is detected, and contacts the person in charge. You should send it first. By sending these information to the person in charge, the person in charge of the financial institution and/or the branch office will know that there was unauthorized access by the attacker PC 2605 and that the ATM device in which the application used for the unauthorized access was installed. can be grasped easily and quickly.

Also, the alarm unit 2806 transmits a countermeasure proposal 2808 and a threat analysis report 2807 similar to the threat analysis report and countermeasure proposal generated by the alarm unit 1402 to a predetermined destination corresponding to the e-mail address of the person in charge. Since the specific contents of the proposed countermeasure 2808 and the threat analysis report 2807 are the same as those of the proposed countermeasure 1404 and the threat analysis report 1403, the description thereof will be omitted here. A list of information such as the name of the file and the name of the ATM software containing the file is output. Furthermore, the alarm unit 2806 generates a message indicating that a threat has been detected, and transmits a threat analysis report 2807 including the message and the above list to the destination.

In addition, the alarm unit 1402 includes a countermeasure proposal 2808 for the threat detected in the threat analysis report 2807 (for example, the name of the file reverse-engineered by the attacker PC 2605 and the ATM software including the file is installed). Action on the network such as blocking access to the ATM device 2601) is transmitted to the destination together with the threat analysis report 2807. FIG.

Thus, in this embodiment, in the unauthorized access detection system 1' that detects unauthorized access from a terminal, the setting unit (for example, the developer's PC 2613) is executed by the banknote transaction device (for example, the ATM device 2601). The application (for example, ATM software 2710) incorporating a token indicating false information (for example, canary token 2702) is set in the bill transaction device, and the detection unit (for example, detection server 2609) Access via the token embedded in the application obtained from the unauthorized access detection system is detected as unauthorized access, and the fact is notified to the financial institution and/or branch office (for example, Fig. 6B (A bank, 123 branch shown in 6B(a)). Therefore, an application that runs on banknote transaction machines such as ATMs used in financial institutions such as banks is illegally installed on a third party's terminal, or the third party pretends to be a developer and installs it on the developer's terminal. Even in such cases, it can be detected that the application has been accessed via a token that is not intended for its intended use, and the person in charge can be notified to that effect, enabling detection of unauthorized access and rapid response can support

In addition, the alarm unit (for example, the alarm unit 2806 of the detection server 2609) detects access source information (for example, information similar to the access source information 14011) obtained when unauthorized access is detected, and the above-described unauthorized access detection system using the terminal address information of the responsible person (for example, information similar to the responsible person information 14013), a report analyzing access source information (for example, threat analysis report 2807), and countermeasures against unauthorized access (for example, Proposed countermeasure 2808) is sent to the terminal address of the person in charge determined by the above address information. Therefore, at a glance, the person in charge can easily grasp the source of unauthorized access and countermeasures against unauthorized access.

In addition, the threat analysis unit (for example, the threat analysis unit 2802 of the detection server 2609) determines the token for each financial institution and/or branch where the banknote transaction machine is installed and the degree of risk of access via the token. Token data (for example, canary token data 26122), terminal information data (for example, terminal information data 26121), identify a banknote transaction device that includes the same application as the application illegally accessed by a terminal other than the development terminal (for example, the attacker PC 2605), and identify the identified banknote transaction device identification result ( For example, the identification result 2803 of the ATM device and the risk level (for example, risk level information 2805) are sent to the terminal address of the person in charge of the financial institution and/or the branch office. Therefore, the person in charge of the financial institution and/or the branch office can quickly and easily find out that there was unauthorized access by the attacker PC 2605 and the ATM device on which the application used for the unauthorized access is installed.

1, 1' unauthorized access detection system 1201 maintenance function library 1202 maintenance application body 1203 management server 1204 download server 1205 management database 1112 detection server 1401 detection server database 1402 alarm unit 2601 canary management server 2602 canary token database 2609 detection server 2801 detection server Database 2802 Threat analysis unit 2803 Alarm unit

Claims (7)

An unauthorized access detection system for detecting unauthorized access from a terminal,
a registration unit for registering, in the unauthorized access detection system , a maintenance application executed by a maintenance terminal authenticated as a maintenance worker who maintains the banknote handling apparatus, the maintenance application incorporating a token ;
a detection unit that detects access including the token obtained from the unauthorized access detection system as unauthorized access;
An unauthorized access detection system comprising: said token is incorporated into a library stored for each of said maintenance personnel;
a management unit that provides the maintenance application including the library corresponding to the maintenance worker to the maintenance terminal authenticated as the maintenance worker;
The unauthorized access detection system according to claim 1, characterized by comprising: The management unit provides, as the maintenance application, an application that causes the display unit of the maintenance terminal to display different maintenance screens according to a predetermined evaluation level of the maintenance worker.
3. The unauthorized access detection system according to claim 2, wherein: A report analyzing the access source information obtained when the unauthorized access is detected and the address information of the terminal of the person in charge of the unauthorized access detection system, and countermeasures against the unauthorized access an alarm unit that transmits the proposal to the terminal address of the person in charge specified by the address information;
The unauthorized access detection system according to claim 1, characterized by comprising: An unauthorized access detection system for detecting unauthorized access from a terminal,
a setting unit configured to set, in the banknote transaction device, the application that is executed in the banknote transaction device and that incorporates a token;
a detection unit that detects access including the token obtained from the unauthorized access detection system as unauthorized access;
Token data defining the token and risk of access via the token for each financial institution and/or branch where the bill transaction device is installed, and the bill defined for each financial institution and/or branch Using the terminal information data that defines the installation area of the transaction device and the application installed in the banknote transaction device, the banknote transaction device that includes the same application as the illegally accessed application is specified, and the specified banknote transaction device a threat analysis unit that transmits the identification result of and the risk level to the address of the terminal of the person in charge of the financial institution and/or branch;
An unauthorized access detection system comprising: A report analyzing the access source information obtained when the unauthorized access is detected and the address information of the terminal of the person in charge of the unauthorized access detection system, and countermeasures against the unauthorized access an alarm unit that transmits the proposal to the terminal address of the person in charge specified by the address information;
6. The unauthorized access detection system according to claim 5, comprising: An unauthorized access detection method performed by an unauthorized access detection system for detecting unauthorized access from a terminal,
The registration unit is a maintenance application executed by a maintenance terminal authenticated as a maintenance worker who maintains the banknote handling apparatus, and registers the maintenance application incorporating a token in the unauthorized access detection system. ,
the detection unit detects access via the token as unauthorized access;
An unauthorized access detection method characterized by:

Images