JP7453547B2 - Terminal management system and terminal management program - Google Patents

Description

This invention relates to a terminal management system and terminal management program that blocks unauthorized access.

A technique disclosed in Patent Document 1 is known as a countermeasure when it is detected that one of the communication devices making up a communication network is conducting unauthorized communication. In Patent Document 1, when a communication device performing unauthorized communication is detected, the number of hops of a communication packet is limited.

Japanese Patent Application Publication No. 2016-51935

The technology disclosed in Patent Document 1 only limits the number of hops of communication packets when illegal communication is detected, and cannot block unauthorized access.

The present disclosure has been made based on this situation, and its purpose is to provide a terminal management system and a terminal management program that can block unauthorized access.

The object is achieved by the combination of features recited in the independent claims, and the subclaims define further advantageous embodiments. The numerals in parentheses described in the claims indicate correspondence with specific aspects described in the embodiments described later as one aspect, and do not limit the disclosed technical scope.

The first disclosure related to a terminal management system for achieving the above purpose is:
A server (20), one or more terminals (10) equipped with a wireless communication function, and one or more access points (30) that connect the terminals and the server, and the server, terminals, and access points are connected to a network. A terminal management system (1, 200) configuring a network identified by an ID,
The server is
a fraud detection unit (S11) that detects unauthorized access within the network;
an unauthorized terminal identification unit (S12) that identifies a terminal making unauthorized access when the fraud detection unit detects unauthorized access;
an ID information determination unit (S30) that determines new network ID information necessary for wireless communication within the network when the fraud detection unit detects unauthorized access;
comprising an ID information transmitting unit (S40) that transmits the network ID information determined by the ID information determining unit to an access point configuring the network and a terminal other than the terminal performing unauthorized access;
When receiving the network ID information transmitted by the server, the terminal and the access point set the received network ID information as network ID information for wireless communication.

When this terminal management system detects unauthorized access within the network, it determines new network ID information and uses the new network ID information to access points that make up the network and terminals other than the one that is performing unauthorized access. Send to terminal. On the other hand, new network ID information is not sent to the terminal that is performing unauthorized access.

Therefore, a new network is formed by all the terminals and all the access points except for the terminal that is performing unauthorized access, and the terminal that is performing unauthorized access cannot participate in the new network. Therefore, unauthorized access can be blocked.

The second disclosure regarding the terminal management system for achieving the above purpose is:
A server (20), one or more terminals (10) equipped with a wireless communication function, and one or more access points (30) that connect the terminals and the server, and the server, terminals, and access points are connected to a network. A terminal management system (1, 200) configuring a network identified by an ID,
The server is
a fraud detection unit (S11) that detects unauthorized access within the network;
an unauthorized terminal identification unit (S12) that identifies a terminal making unauthorized access when the fraud detection unit detects unauthorized access;
an initialization instruction section (S20) that transmits an initialization instruction signal to the terminal identified by the unauthorized terminal identification section;
a kitting instruction unit (S60) that performs kitting instruction processing to instruct the initialized terminal to kit after confirming that the terminal has been initialized;
The terminal is
an initialization processing unit (18) that executes initialization processing upon receiving the initialization instruction signal;
A kitting execution unit (19) that performs kitting according to kitting instruction processing is provided.

When this terminal management system detects unauthorized access within the network, it transmits an initialization instruction signal from the server to the terminal that is making unauthorized access. The terminal that receives the initialization instruction signal executes initialization processing. By executing the initialization process, malware is removed from the terminal. Therefore, unauthorized access can be blocked.

In addition, by using the kitting instruction section provided in the server and the kitting execution section provided in the terminal, the unauthorized accessed terminal is kitted after initialization, so there is no need to manually perform kitting on the unauthorized accessed terminal. can also be omitted.

The terminal management system according to the first disclosure can also be configured as follows. That is,
The server is
an initialization instruction section (S20) that transmits an initialization instruction signal to the terminal identified by the unauthorized terminal identification section;
a kitting instruction unit (S60) that performs kitting instruction processing to instruct the initialized terminal to kit after confirming that the terminal has been initialized;
The terminal is
an initialization processing unit (18) that executes initialization processing upon receiving the initialization instruction signal;
a kitting execution unit (19) that performs kitting according to kitting instruction processing;
The kitting instruction unit includes a process of transmitting the network ID information determined by the ID information determination unit,
The kitting execution unit executes processing for connecting to a network determined by network ID information transmitted from the server.

In this way, a terminal that has been detected to be having unauthorized access can be automatically joined to a new network without unauthorized access.

Further, the terminal management system described above can also be configured as follows. That is,
The network ID is a first network ID, the network identified by the first network ID is a first network (41),
comprising a second network (42) identified by a second network ID that is a different network ID from the first network ID;
The server is
Communication is also possible on the second network,
A network that transmits network ID information for causing the unauthorized terminal, which is the terminal identified by the unauthorized terminal identification unit, to switch the connected network to a second network, before the initialization instruction unit transmits the initialization instruction signal. A switching instruction section (S13),
a data acquisition unit (S14) that communicates with the unauthorized terminal connected to the second network and acquires a preset type of data from the unauthorized terminal;
When the unauthorized terminal receives the network ID information transmitted by the server, the unauthorized terminal uses the received network ID information to switch the connected network to the second network.

In this way, even if the unauthorized terminal is initialized, the necessary data stored in the unauthorized terminal can be obtained. Moreover, since the server switches the unauthorized terminal to the second network before acquiring data from the unauthorized terminal, it is possible to suppress the spread of infection to terminals connected to the first network.

Further, the terminal management system described above can also be configured as follows. That is,
The data acquisition unit acquires communication history data from the unauthorized terminal,
The server is
an unauthorized access identification unit (S24) that identifies an access source of unauthorized access from outside the first network based on communication history data;
a communication prohibition instruction section (S25) that transmits a communication prohibition instruction signal for prohibiting communication with the access source identified by the unauthorized access identification section to a terminal connected to the first network;
When the terminal receives the communication prohibition instruction signal from the server, the terminal blocks communication with the access source indicated by the communication prohibition instruction signal.

In this way, it is possible to prevent the terminals connected to the first network from being infected with malware.

Further, the terminal management system described above can also be configured as follows. That is,
The network ID information includes a new network ID to be used for the network and a password corresponding to the network ID.

By updating not only the password but also the network ID, settings can be changed more easily than when only the password is changed without changing the network ID. This is because if only the password is changed, there is a problem that if one party communicating has set the previous password and the other party has set a new password, communication will become impossible.

Further, the terminal management system described above can also be configured as follows. That is,
After transmitting the network ID information to the terminal, the ID information transmitting unit checks whether it is possible to communicate with the terminal using the transmitted network ID information, and if it is not possible to communicate with the terminal using the transmitted network ID information, it confirms that it is not possible to communicate with the terminal. The network ID information is retransmitted using the network.

If the network ID information includes a new network ID to be used for the network and a password corresponding to the network ID, the terminal does not need to make any changes to the previous network information. Therefore, even if the terminal executes the process of setting new network information, it is possible to communicate using the previous SSID and password. Therefore, if the ID information transmitter transmits new network ID information to a terminal but cannot communicate with the terminal using the new network ID information, the ID information transmitter retransmits the new network ID information to the terminal using the previous network. This reduces the possibility that the terminal will not be able to migrate to a network with a new network ID.

A first disclosure regarding a terminal management program for achieving the above object is a terminal management program executed by a server included in a terminal management system according to the first disclosure. That is,
A terminal management program executed by a server that constitutes a network identified by a network ID, together with one or more terminals (10) equipped with a wireless communication function and one or more access points to which the terminals connect,
The server is
Detect unauthorized access within the network (S11),
If unauthorized access is detected, identify the terminal that has been accessed illegally (S12),
When unauthorized access is detected, determining new network ID information necessary for wireless communication within the network (S30);
Sending the determined network ID information to the access points forming the network and to terminals other than the terminal performing unauthorized access (S40);
This is a terminal management program that performs the following process.

A second disclosure regarding a terminal management program for achieving the above object is a terminal management program executed by a server included in a terminal management system according to the second disclosure. That is,
A terminal management program executed by a server that constitutes a network identified by a network ID, together with one or more terminals (10) equipped with a wireless communication function and one or more access points to which the terminals connect,
The server is
Detect unauthorized access within the network (S11),
If unauthorized access is detected, identify the terminal that has been accessed illegally (S12),
Sending an initialization instruction signal to the identified terminal (S20),
After confirming that the terminal has been initialized, a kitting instruction process is performed to instruct the initialized terminal to kit (S60);
This is a terminal management program that performs the following process.

FIG. 1 is a diagram showing the configuration of a terminal management system 1 according to a first embodiment. 3 is a diagram illustrating a communication range 31 of an access point 30. FIG. 1 is a block diagram showing the configuration of a terminal 10. FIG. FIG. 2 is a block diagram showing the configuration of a server 20. FIG. The figure which shows the process which the server 20 performs in 1st Embodiment. 6 is a diagram showing specific processing executed in S10 of FIG. 5. FIG. 6 is a diagram showing specific processing executed in S20 of FIG. 5. FIG. 6 is a diagram showing specific processing executed in S30 of FIG. 5. FIG. 6 is a diagram showing specific processing executed in S40 of FIG. 5. FIG. 6 is a diagram showing specific processing executed in S50 of FIG. 5. FIG. 6 is a diagram showing specific processing executed in S60 of FIG. 5. FIG. The figure which shows the structure of the terminal management system 200 of 2nd Embodiment. The figure which shows the process which the server 20 performs in 2nd Embodiment.

<First embodiment>
Hereinafter, embodiments will be described based on the drawings. FIG. 1 is a diagram showing the configuration of a terminal management system 1 of this embodiment. The terminal management system 1 includes a terminal 10, a server 20, and an access point 30.

The terminal 10 is an optical information reading device for business use that optically reads information codes such as barcodes and two-dimensional codes. The terminal 10 is a smartphone type and includes a display section 11. The display unit 11 displays an operation screen, information obtained by decoding the information code, and the like. Furthermore, the terminal 10 is equipped with a wireless LAN communication function, and uses this function to wirelessly communicate with the server 20 via the access point 30.

Server 20 manages one or more networks 40. The network 40 includes a server 20, an access point 30, and a terminal 10. The server 20 and the access point 30 managed by the server 20 are connected to each other by wire or wirelessly so that they can communicate with each other. Although three access points 30 are shown in FIG. 1, there is no limit to the number of access points 30. The number of access points 30 included in one network 40 may be one, two, or four or more. Further, the cradle in which the terminal 10 is installed may be included in the network 40 by wire.

Access point 30 connects terminal 10 and server 20. Although the server 20 and the access point 30 are connected by wire, they may also be connected wirelessly. The access point 30 has a communication range 31 conceptually shown in FIG. 2, and communicates wirelessly with the terminals 10 located within the communication range 31.

A plurality of terminals 10, a server 20, and a plurality of access points 30 shown in FIGS. 1 and 2 constitute one network 40. To identify this network 40 and other networks 40, an SSID (Service Set Identifier), which is an example of a network ID, is used. Note that ID means an identification code. The terminal 10 establishes a connection with the access point 30 through authentication using the SSID and password. Note that the access point 30 and the server 20 can be configured with multiple SSIDs and belong to multiple networks 40.

[Configuration of terminal 10]
Next, the configuration of the terminal 10 will be explained. FIG. 3 shows a block diagram of the configuration of the terminal 10. The terminal 10 includes a display section 11, a terminal communication section 12, a camera 13, a terminal storage section 14, an operation section 15, and a terminal control section 16.

As described above, the display unit 11 displays an operation screen, information obtained by decoding the information code, and the like. The terminal communication unit 12 directly communicates wirelessly with the access point 30. Further, the terminal communication unit 12 communicates with the server 20 via the access point 30. Communication between the terminal communication unit 12 and the access point 30 is short-range wireless communication. Furthermore, the terminal 10 may also be capable of wide area communication.

The camera 13 is for photographing the information code. Note that the terminal 10 may be equipped with lighting to make it easier to photograph the information code. The terminal storage unit 14 is a nonvolatile memory such as a flash memory. The terminal storage unit 14 stores various information such as the above-mentioned SSID and the password corresponding to the SSID.

The operation unit 15 is a touch panel or the like superimposed on the display surface of the display unit 11, and is operated by an operator when inputting various information into the terminal 10. Note that part or all of the operation unit 15 may be a mechanical key.

The terminal control unit 16 can be realized by a computer including a processor, nonvolatile memory, RAM, I/O, a bus line connecting these components, and the like. The terminal control section 16 is communicatively connected to the display section 11, the terminal communication section 12, the camera 13, the terminal storage section 14, and the operation section 15, and controls these.

A program for operating a general-purpose computer as the terminal control unit 16 is stored in the nonvolatile memory. The stored programs also include the operating system. The operating system is the same as that used in smartphones. Programs other than the operating system stored in non-volatile memory are executed on the operating system.

The terminal control section 16 operates as a reading processing section 17, an initialization processing section 18, and a kitting execution section 19 by the processor executing the program stored in the nonvolatile memory while utilizing the temporary storage function of the RAM. do. Execution of these operations means that a method corresponding to the program is executed.

The reading processing unit 17 acquires image data representing an image taken by the camera 13, analyzes the image data, and decodes the code stored in the information code included in the image.

The initialization processing unit 18 executes processing to initialize the terminal 10. Initialization here means returning the terminal 10 to the state at the time of shipment. Since the terminal 10 is returned to the shipping state, software installed after shipping, setting values set after shipping, etc. are deleted by initialization. However, if it is infected with malware, the malware can be removed by initialization. In order to initialize the terminal 10, for example, a recovery area is provided in the terminal storage unit 14, and a program for initializing the terminal 10 is stored in this recovery area. The initialization process can also use standard functions of the operating system.

The initialization processing unit 18 executes initialization processing when receiving an initialization instruction signal from the server 20. Further, the initialization processing unit 18 transmits an initialization start signal from the terminal communication unit 12 to the server 20 to indicate that the initialization instruction signal has been received. Further, when the initialization processing is completed, the initialization processing unit 18 transmits a signal indicating this to the server 20.

Note that by executing the initialization process, the SSID information that was set in the terminal 10 before the initialization is deleted from the terminal 10. Therefore, immediately after the initialization process, it is not possible to communicate with the server 20 using the SSID information that was set in the terminal 10 before initialization. Various methods are possible for communicating with the server 20 immediately after the initialization process.

One method is as follows. Since the access point 30 has published a new SSID, the terminal 10 attempts to communicate with the access point 30 based on the published SSID. The access point 30 or server 20 determines whether the terminal 10 was previously included in the network 40 based on the MAC address of the terminal 10. When the access point 30 and the server 20 are able to recognize the terminal 10 as previously included in the network 40, they communicate with the terminal 10 temporarily or only for distributing kitting data.

Further, as another method, there is a method in which only a signal indicating completion of initialization and kitting data can be transmitted and received using dedicated SSID information determined in advance. Alternatively, wired communication may be performed via a cradle.

When the kitting execution unit 19 acquires kitting data distributed from the server 20 after the terminal 10 is initialized, it kits the terminal 10 based on the acquired kitting data. A program that causes the terminal control unit 16 to operate as the kitting execution unit 19 is installed at the time of shipment from the factory, and is stored in a storage area of the terminal storage unit 14 that is not erased even by initialization processing.

Kitting means making various settings so that the terminal 10 can be used normally after initialization. Since the terminal 10 is for business use, kitting here means setting the terminal 10 so that it can be used for business purposes. The kitting data distributed from the server 20 includes SSID information, and the SSID information includes the new SSID of the access point 30 and the password corresponding to the SSID. The kitting execution unit 19 sets an SSID and password for communicating with the access point 30 based on this kitting data.

Further, the kitting data can also include settings different from settings for communicating with the access point 30, such as settings for connecting to a management tool. Note that the kitting data distributed by the server 20 may include information necessary for kitting in addition to the SSID information. Further, information necessary for kitting other than the SSID information may be stored in an area of the terminal storage unit 14 that is not erased even after initialization.

Note that, apart from the kitting data, the server 20 may send an SSID and a password in order to switch the network 40 to another network 40. When the kitting execution unit 19 acquires the SSID and password from the server 20, it switches communication with the access point 30 to the network 40 using the newly acquired SSID and password.

[Configuration of server 20]
Next, the configuration of the server 20 will be explained. FIG. 4 shows a block diagram of the configuration of the server 20. The server 20 includes a server communication section 21, a display section 22, a server storage section 23, an operation section 25, and a server control section 26. The server 20 can be realized by, for example, a general personal computer.

The server communication unit 21 wirelessly communicates with the terminal communication unit 12 included in the terminal 10 via the access point 30. The display unit 22 displays an operation screen used when an operator operates the server 20, and the like. The server storage unit 23 includes a nonvolatile storage medium. Nonvolatile storage media include flash memory, hard disks, and the like. A program executed by the server control unit 26 is stored in the storage medium. One of the stored programs is the terminal management program 24. The server storage unit 23 also stores an SSID usage prohibition list. The prohibition list is a list in which SSIDs and the like that have been accessed illegally are stored, and is updated sequentially. The operation unit 25 is a mechanical keyboard, a software keyboard, or the like, and is operated by an operator when inputting various information into the server 20.

The server control unit 26 has a configuration including a processor, nonvolatile memory, RAM, I/O, a bus line connecting these components, and the like. The server control unit 26 is communicatively connected to the server communication unit 21, display unit 22, server storage unit 23, and operation unit 25, and controls these.

The processor included in the server control unit 26 executes the process shown in FIG. 5 by executing the terminal management program 24 stored in the server storage unit 23 while utilizing the temporary storage function of the RAM. Next, the process shown in FIG. 5 will be explained.

In FIG. 5, in step (hereinafter step omitted) S10, unauthorized access is monitored. In S10, specifically, the process shown in FIG. 6 is executed. The process shown in FIG. 6 is divided into S11, which is the process performed by the fraud detection section, and S12, which is the process performed by the fraud terminal identification section. S11 includes S111 and S112.

In S111, the network 40 managed by the server 20 is monitored to see if there is any terminal 10 that is making unauthorized access. A specific monitoring method is to monitor whether or not there has been any unauthorized access by comparing data transmitted and received by each access point 30 with data on unauthorized access registered in advance. In addition, various methods may be employed to monitor the network 40, such as a method of storing normal packets in the network 40 and monitoring whether or not transmission/reception of a packet different from normal is detected. can.

In S112, it is determined whether unauthorized access has been detected as a result of the monitoring in S111. If the determination result in S112 is NO, the process returns to S111. If the determination result in S112 is YES, the process advances to S12.

S12 includes S121, S122, and S123. In S121, the SSID of the access point 30 that was accessed illegally and the network 40 that was accessed illegally is checked. The access point 30 that has been illegally accessed is known at the time the unauthorized access is detected. Note that the access point 30 is specified by a MAC address. The server 20 can acquire the MAC address of the access point 30 when communicating with the access point 30.

The SSID of the network 40 that has been illegally accessed is an SSID that specifies the network 40 to which the access point 30 that has been illegally accessed belongs. Although only one network 40 is shown in FIG. 1, the server 20 may manage multiple networks 40. Therefore, it is necessary to also check the SSID of the network 40 that has been accessed illegally.

Furthermore, in S122, it is determined which terminal 10 is the terminal 10 that is being accessed illegally. Specifically, the data that has been illegally accessed is analyzed and the MAC address of the terminal 10 contained in the data is checked.

In S123, it is determined whether the unauthorized access route has been identified. If the access point 30 and SSID that have been illegally accessed can be identified in S121, and the terminal 10 that has been illegally accessed can be identified in S122, the determination result in S123 becomes YES. If the determination result in S123 is YES, the process in FIG. 6 ends. On the other hand, if the determination result in S123 is NO, the process returns to S121 and continues the process of identifying the unauthorized access route. Note that when the processes of S121 to S123 are repeated a certain number of times, the process of FIG. 6 may be terminated by displaying on the display unit 22 only that there has been an unauthorized access since the unauthorized access route cannot be identified.

The explanation returns to FIG. 5. After executing S10, S20 and S30 are processed in parallel. First, S20 will be explained. S20 is processing as an initialization instruction section. In S20, the unauthorized terminal is automatically initialized. Note that the unauthorized terminal refers to the terminal 10 that is making unauthorized access. The terminal 10 that is being accessed illegally is identified in S122. In S20, specifically, the process shown in FIG. 7 is executed.

In S21, an initialization instruction signal is transmitted to the terminal 10 that has been illegally accessed and identified in S12. The initialization instruction signal is a signal that instructs the terminal 10 to execute initialization processing.

In S22, it is determined whether it has been confirmed that the terminal 10 has received the initialization instruction signal. As described above, upon receiving the initialization instruction signal, the terminal 10 transmits an initialization start signal to the server 20. Therefore, when the server 20 receives the initialization start signal, the determination result in S22 is YES, and when the initialization start signal has not been received, the server 20 determines the determination result in S22 as NO. If the determination result in S22 is NO, the process returns to S21 and the initialization instruction signal is retransmitted.

On the other hand, if the determination result in S22 is YES, the process in FIG. 7 ends. When the processing in FIG. 7 ends, the terminal 10 that has received the processing instruction signal is executing the processing.

The explanation returns to FIG. 5. Next, S30, which is executed in parallel with the above S20, will be explained. S30 is a process performed by the ID information determining section. In S30, specifically, the process shown in FIG. 8 is executed.

In S31, new SSID information is determined. SSID information means a set of SSID and password. SSID information is information necessary for wireless communication between terminal 10 and access point 30, and SSID information is an example of network ID information. For example, a new SSID and password are created randomly.

In the following S32, it is determined whether the SSID determined in S31 is the same as the SSID that was accessed illegally. The SSID that has been illegally accessed is the SSID specified in S121. If the determination result in S32 is YES, the process returns to S31 and new SSID information is determined again. If the determination result in S32 is NO, the process advances to S33.

In S33, it is determined whether the SSID determined in S31 is on the prohibited list stored in the server storage unit 23. If the determination result in S33 is YES, the process returns to S31 and new SSID information is determined again. If the determination result in S33 is YES, the process advances to S34. In S34, the SSID information determined in S31 is determined as the SSID information to be used next.

The explanation returns to FIG. 5. After executing S30, S40 is executed. S40 is a process performed by the ID information transmitter. In S40, the terminals 10 included in the network 40 other than the unauthorized terminals are migrated to the new SSID. In S40, specifically, the process shown in FIG. 9 is executed.

In S41, distribution of the new SSID information determined in S30 is started to terminals other than the unauthorized terminals. The terminal 10 to which the new SSID information is distributed is a terminal 10 included in the network 40 that is not an unauthorized terminal and whose communication using the new SSID information has not been confirmed. The terminal 10 that has acquired the new SSID information switches communication with the access point 30 to the network 40 based on the new SSID information.

In S42, connection switching to the new SSID is performed. Specifically, the SSID information determined in S31 is distributed to all access points 30 included in the network 40 to which the terminal 10 that is making unauthorized access belongs. The access point 30 that has received the SSID information enables communication using the received SSID information. In other words, the access point 30 that has received the SSID information configures a new network 40 based on the received SSID information. At this point, the access point 30 has increased the number of SSIDs it communicates with by one. Further, communication using the new SSID is confirmed with the terminal 10 to which the new SSID information was distributed in S41.

In S43, it is determined whether connection switching to the new SSID has been completed. Specifically, it is determined whether or not it was possible to communicate with all the terminals 10 that were able to communicate using the previous SSID, except for the unauthorized terminal, using the new SSID. If the determination result in S43 is NO, the process returns to S41. On the other hand, if the determination result in S43 is YES, the process shown in FIG. 9 ends.

The explanation returns to FIG. 5. After executing S40, S50 is executed. In S50, processing is executed to prohibit the use of the SSID that has been accessed illegally. In S50, specifically, the process shown in FIG. 10 is executed.

In S51, the SSID used for unauthorized access is added to the prohibited list. In S52, the access point 30 that has set the SSID is instructed to delete the SSID and password added to the prohibited list in S51. In S53, the terminal 10 other than the unauthorized terminal is instructed to delete the SSID and password used for unauthorized access.

The explanation will return to FIG. 5. Next, S60 will be explained. S60 is a process performed by the kitting instruction unit. In S60, the kitting instruction process is executed on the terminal 10 after it has been initialized in S20. Specifically, in S60, the process shown in FIG. 11 is executed.

In S61, it is determined whether it has been confirmed that the automatic initialization of the terminal 10 has been completed. As described above, when the automatic initialization is completed, the terminal 10 transmits a signal indicating this to the server 20. Therefore, in S61, it is determined whether a signal indicating that automatic initialization has been completed has been received. If the determination result in S61 is NO, the determination in S61 is repeated. If the determination result in S61 is YES, the process advances to S62.

In S62, kitting data is distributed to the terminals 10 whose initialization has been confirmed. The kitting data includes new SSID information, the IP address of the server 20, and the like. When the terminal 10 receives this kitting data, the kitting execution unit 19 connects to the network 40 using the new SSID information.

[Summary of the first embodiment]
As described above, when the terminal management system 1 of the first embodiment detects unauthorized access within the network 40 (S112: YES), it determines new SSID information (S30), and transfers the new SSID information to the network 40. The information is transmitted to terminals 10 other than the access point 30 making up the access point 40 and the terminal that is performing unauthorized access (S40). On the other hand, new SSID information is not sent to the terminal 10 that is performing unauthorized access. Therefore, a new network 40 is constituted by all the terminals 10 and all the access points 30 except for the terminal 10 that is making unauthorized access, and the new network 40 includes the terminal 10 that is making unauthorized access. unable to participate. Therefore, unauthorized access can be blocked.

Further, when the terminal management system 1 detects unauthorized access within the network 40 (S112: YES), the terminal management system 1 transmits an initialization instruction signal from the server 20 to the terminal 10 where the unauthorized access was detected (S20). The terminal 10 that has received the initialization instruction signal executes initialization processing. By executing the initialization process, malware is removed from the terminal 10. This also makes it possible to block unauthorized access.

In addition, the server 20 issues a kitting instruction to the initialized terminal 10 (S60), and the kitting execution unit 19 of the terminal 10 executes kitting in response to the kitting instruction. Therefore, the effort of manually performing kitting on the terminal 10 that has been illegally accessed can be omitted.

The server 20 transmits kitting data to the terminal 10 in the kitting instruction (S62), and the kitting data includes the newly determined SSID information. The kitting execution unit 19 of the terminal 10 that has received the SSID information connects to the network 40 determined by the SSID information. Therefore, even the terminal 10 in which unauthorized access has been detected can automatically participate in the updated network 40 without any unauthorized access.

Moreover, when this server 20 detects unauthorized access, it determines a new SSID and a new password as new SSID information. By also updating the SSID, settings can be changed more easily than when changing only the password without changing the SSID.

When both the SSID and password are new, the terminal 10 can still communicate using the previous SSID and password even if it executes the process of setting the newly distributed SSID. Therefore, the server 20 sends the new SSID information to the terminal 10, but if it is not possible to communicate with the terminal 10 using the new SSID (S43: NO), the server 20 resends the new SSID information to the terminal 10 using the previous SSID. (S41). Therefore, the possibility that the terminal 10 cannot be migrated to the network 40 with the new SSID is reduced.

<Second embodiment>
Next, a second embodiment will be described. In the following description of the second embodiment, elements having the same reference numerals as those used up to that point are the same as elements having the same reference numerals in the previous embodiments, unless otherwise specified. Further, when only a part of the configuration is described, the embodiment described above can be applied to other parts of the configuration.

FIG. 12 shows the configuration of a terminal management system 200 according to the second embodiment. The terminal management system 200 includes the network 40 included in the terminal management system 1 of the first embodiment as a first network 41, and also includes a local network 42 as a second network.

The local network 42 is a network to which an unauthorized terminal is connected when an unauthorized terminal is detected, and is preferably a network to which no terminals 10 other than the unauthorized terminal are connected. The local network 42 and the first network 41 are identified by SSID. That is, the SSID of the first network 41 is the first SSID, and the SSID of the local network 42 is the second SSID. Note that the first SSID and the second SSID are examples of the first network ID and the second network ID, respectively.

The server 20 is connected to a first network 41 and also to a local network 42 . In addition to the server 20, one access point 30 is also connected to the local network 42. Note that the number of access points 30 connected to the local network 42 does not need to be one. However, it is preferable that the access point 30 connected to the local network 42 is not connected to the first network 41.

FIG. 13 shows processing executed by the server 20 in the second embodiment. FIG. 13 includes all the processing shown in FIG. Furthermore, the process shown in FIG. 13 has S13, S14, S24, and S25 added to the process shown in FIG.

In the second embodiment as well, the server 20 monitors unauthorized access in S10. If the unauthorized access route can be identified in S12, which is a part of the process of S10, that is, if the terminal 10 that is making unauthorized access can be identified, S13 is executed. S13 corresponds to a network switching instruction unit, which transmits the SSID information of the local network 42 to the unauthorized terminal identified in S12, and causes the unauthorized terminal to switch the network 40 connected to the local network 42.

When the unauthorized terminal receives the SSID information of the local network 42, the unauthorized terminal switches the connected network 40 to the local network 42.

The following S14 corresponds to a data acquisition section, in which the server 20 communicates with the unauthorized terminal using the local network 42 and acquires preset types of data from the unauthorized terminal. The user can arbitrarily set the type of data to be acquired. For example, since the terminal 10 is for business use, data read during business use (hereinafter referred to as business data) is often stored in the terminal storage unit 14. Therefore, the business data is set as the data to be acquired. Furthermore, in this embodiment, communication history data is set as the data to be acquired. After executing S14, S20 is executed to initialize the unauthorized terminal.

After executing S20, the process advances to S24. S24 corresponds to an unauthorized access identification unit, which analyzes the communication history data acquired in S14 to identify the source of unauthorized access. The source of unauthorized access is a medium that transmitted malware from outside the first network 41 and infected the terminal 10. The source of unauthorized access is identified by the IP address. IP addresses that are not necessary for business operations, IP addresses of communication destinations with abnormal data exchange volume or frequency, etc. are identified as sources of unauthorized access.

The following S25 corresponds to a communication prohibition instruction section, which transmits a communication prohibition instruction signal for prohibiting communication with the access source identified in S24 to all terminals 10 connected to the first network 41. The terminal 10 that receives this communication prohibition instruction signal cuts off communication with the access source indicated by the communication prohibition instruction signal. In order to block communication with the access source indicated by the communication prohibition instruction signal, the terminal 10 is set, for example, not to communicate with the access source indicated by the communication prohibition instruction signal. In the second embodiment, after S25 is executed, S60 is executed to issue a kitting instruction.

[Summary of second embodiment]
In the second embodiment, the server 20 acquires preset types of data from the unauthorized terminal before initializing the unauthorized terminal (S14). Therefore, even if the unauthorized terminal is initialized, the necessary data stored in the unauthorized terminal can be obtained. Furthermore, before acquiring data from the unauthorized terminal, the server 20 switches the unauthorized terminal to the local network 42 (S13). This can suppress the spread of infection.

The server 20 also acquires communication history data from the unauthorized terminal (S14), and identifies the source of unauthorized access based on the communication history data (S24). Then, a communication prohibition instruction signal is transmitted to all terminals 10 connected to the first network 41 to prohibit communication with the source of unauthorized access. Thereby, it is possible to prevent the terminal 10 connected to the first network 41 from being infected with malware.

Although the embodiments have been described above, the disclosed technology is not limited to the above-mentioned embodiments, and the following modifications are also included within the disclosed scope, and furthermore, other than the following may be included within the scope of the gist. It can be implemented with various modifications.

<Modification 1>
In the embodiment, the SID information determined when unauthorized access is detected includes the SSID and password. However, the SSID information determined when unauthorized access is detected may be only the password.

1: Terminal management system 10: Terminal 11: Display section 12: Terminal communication section 13: Camera 14: Terminal storage section 15: Operation section 16: Terminal control section 17: Reading processing section 18: Initialization processing section 19: Kitting execution section 20: Server 21: Server communication section 22: Display section 23: Server storage section 24: Terminal management program 25: Operation section 26: Server control section 30: Access point 31: Communication range 40: Network 41: First network 42: Local Network (second network) 200: Terminal management system S11: Fraud detection unit S12: Fraudulent terminal identification unit S13: Network switching instruction unit S14: Data acquisition unit S20: Initialization instruction unit S24: Unauthorized access identification unit S25: Communication prohibition instruction Section S30: ID information determination section S40: ID information transmission section S60: Kitting instruction section

Claims (9)

A server (20), one or more terminals (10) having a wireless communication function, and one or more access points (30) connecting the terminal and the server, the server, the terminal, A terminal management system (1, 200) configuring a network in which the access point is identified by a network ID,
The server is
a fraud detection unit (S11) that detects unauthorized access within the network;
an unauthorized terminal identification unit (S12) that identifies the terminal making unauthorized access when the fraud detection unit detects unauthorized access;
an ID information determination unit (S30) that determines new network ID information necessary for wireless communication within the network when the fraud detection unit detects the unauthorized access;
an ID information transmitting unit (S40) configured to transmit the network ID information determined by the ID information determining unit to the access point constituting the network and the terminal other than the terminal performing the unauthorized access. ,
A terminal management system wherein, when the terminal and the access point receive the network ID information transmitted by the server, the terminal and the access point set the received network ID information as the network ID information for wireless communication. A server (20), one or more terminals (10) having a wireless communication function, and one or more access points (30) connecting the terminal and the server, the server, the terminal, A terminal management system (1, 200) configuring a network in which the access point is identified by a network ID,
The server is
a fraud detection unit (S11) that detects unauthorized access within the network;
an unauthorized terminal identification unit (S12) that identifies the terminal making unauthorized access when the fraud detection unit detects unauthorized access;
an initialization instruction section (S20) that transmits an initialization instruction signal to the terminal identified by the unauthorized terminal identification section;
a kitting instruction unit (S60) that performs kitting instruction processing to instruct the initialized terminal to kit after confirming that the terminal has been initialized;
The terminal is
an initialization processing unit (18) that executes initialization processing upon receiving the initialization instruction signal;
A terminal management system comprising: a kitting execution unit (19) that performs kitting in accordance with the kitting instruction process. The terminal management system according to claim 1,
The server is
an initialization instruction section (S20) that transmits an initialization instruction signal to the terminal identified by the unauthorized terminal identification section;
a kitting instruction unit (S60) that performs kitting instruction processing to instruct the initialized terminal to kit after confirming that the terminal has been initialized;
The terminal is
an initialization processing unit (18) that executes initialization processing upon receiving the initialization instruction signal;
a kitting execution unit (19) that performs kitting in accordance with the kitting instruction process;
The kitting instruction unit includes a process of transmitting the network ID information determined by the ID information determination unit,
The kitting execution unit is a terminal management system that executes a process of connecting to a network determined by the network ID information transmitted from the server. The terminal management system according to claim 2 or 3,
The network ID is a first network ID, and the network identified by the first network ID is a first network (41);
A second network (42) identified by a second network ID that is different from the first network ID,
The server is
Communication is also possible through the second network,
A network ID for causing the unauthorized terminal, which is the terminal identified by the unauthorized terminal identification unit, to switch the connected network to the second network before the initialization instruction unit transmits the initialization instruction signal. a network switching instruction unit (S13) that transmits information;
a data acquisition unit (S14) that communicates with the unauthorized terminal connected to the second network and acquires a preset type of data from the unauthorized terminal;
In the terminal management system, when the unauthorized terminal receives the network ID information transmitted by the server, the unauthorized terminal switches the connected network to the second network using the received network ID information. 5. The terminal management system according to claim 4,
The data acquisition unit acquires communication history data from the unauthorized terminal,
The server is
an unauthorized access identification unit (S24) that identifies an access source of unauthorized access from outside the first network based on the communication history data;
a communication prohibition instruction section (S25) that transmits a communication prohibition instruction signal for prohibiting communication with the access source identified by the unauthorized access identification section to the terminal connected to the first network;
A terminal management system wherein, when the terminal receives the communication prohibition instruction signal from the server, the terminal blocks communication with the access source indicated by the communication prohibition instruction signal. The terminal management system according to claim 1 or 3,
The terminal management system, wherein the network ID information includes the new network ID used for the network and a password corresponding to the network ID. The terminal management system according to claim 6,
After transmitting the network ID information to the terminal, the ID information transmitting unit checks whether it is possible to communicate with the terminal using the transmitted network ID information, and if it is not possible to communicate with the terminal using the transmitted network ID information. , a terminal management system that retransmits the network ID information through the network that was able to communicate with the terminal. A terminal management program executed by a server that constitutes a network identified by a network ID, together with one or more terminals (10) equipped with a wireless communication function and one or more access points to which the terminals connect,
The server is
detecting unauthorized access within the network (S11);
If unauthorized access is detected, identify the terminal that has been unauthorizedly accessed (S12);
If unauthorized access is detected, determining new network ID information necessary for wireless communication within the network (S30);
transmitting the determined network ID information to the access point forming the network and the terminal other than the terminal performing the unauthorized access (S40);
A terminal management program that performs this process. A terminal management program executed by a server that constitutes a network identified by a network ID, together with one or more terminals (10) equipped with a wireless communication function and one or more access points to which the terminals connect,
The server is
detecting unauthorized access within the network (S11);
If unauthorized access is detected, identify the terminal that has been unauthorizedly accessed (S12);
transmitting an initialization instruction signal to the identified terminal (S20);
After confirming that the terminal has been initialized, a kitting instruction process is performed to instruct the initialized terminal to kit (S60);
A terminal management program that performs this process.

Images