JPH09160878A - Illegal access prevention system - Google Patents

Abstract

PROBLEM TO BE SOLVED: To detect an illegal access to a processor previously and prevent the illegal access by providing an access judging means which judges the adequacy of an access request according to a setting necessity/non-ncessity answer to the access request from a qualified user to which a terminal dedicated to authentification responded. SOLUTION: A terminal calling means 202 dedicated to authentification when receiving an access request from a terminal device 300 extracts a registered selection number corresponding to the access requester to a terminal registration means 201 dedicated to authetification and calls a terminal 400 dedicated to authentification corresponding to the selection number through a communication network 100. An access informing means 203, when the said terminal 400 responds, reports the generation of the access request and confirms whether or not access is necessary. An access judging means 204 judges the adequacy of the access request on the basis of the setting necessity/non-ncessity answer that the qualified user made on the terminal 400 to the access request.

Description

Detailed Description of the Invention

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a method for preventing unauthorized access in a communication network, and more particularly to a method for preventing unauthorized access in a communication network accommodating processing devices accessed by a plurality of terminals accommodated by qualified users.

[0002]

2. Description of the Related Art FIG. 12 is a diagram illustrating a conventional database communication system. In FIG. 12, a database communication system is shown as a kind of communication network to which the present invention is applied.

In FIG. 12, a public network (1) accommodates a database device (2), and a subscriber who holds a database qualification [hereinafter referred to as a qualification].
From the plurality of access terminals (3) accommodated in the public network (1) to access the database device (2) via the public network (1) to extract desired information or obtain required information. Store.

The database device (2) stores the identification information (ID) of the qualified user [hereinafter referred to as customer identification information (ID)] and the personal identification number (PW) in advance in the public network (1). When the access request is received from the access terminal (3) accommodated in, the registered customer identification information (I
Access is permitted only to the user who has presented D) and the personal identification number (PW).

The database device (2) is provided with a database (21), a database management unit (22), a personal identification number confirmation unit (23), a personal identification number registration unit (24), and a connection transfer unit (25). There is.

The database (21) stores various information that each access terminal (3) desires to extract or store. The database management unit (22) uses the database (2
Manage the extraction or storage of information for 1).

In the personal identification number registration section (24), customer identification information (ID) of the user of the database device (2) and personal identification number (PW) are registered in advance. The main road code number confirmation unit (23) determines whether or not the subscriber who has requested access to the database device (2) is qualified to use the customer identification information (I).
Confirm with D) and the personal identification number (PW).

The main road connection transfer unit (25) passes through the public network (1) the access terminal (3) to which the main road personal identification number confirmation unit (23) allows access to the database device (2). The database device (2) is connected and the database (21) is accessed.

In FIG. 12, the database device (2)
When a person who desires to access the device calls the public network (1) from the access terminal (3) and selects an access number to the database device (2) defined by the public network (1),
The public network (1) connects the calling access terminal (3) to the database device (2) by a known procedure.

In the database device (2), when the main route code number confirmation unit (23) detects an incoming call from the public network (1), the calling party is notified to the caller via the public network (1). The personal identification number input instruction message (MSG ₀ ) for instructing the input of the customer identification information (ID) and the personal identification number (PW) is returned to the access terminal (3).

Password input instruction message (MSG ₀ )
When the caller receiving the information sends his or her customer identification information (ID) and personal identification number (PW) to the database device (2) via the public network (1), the main route personal identification number confirmation unit ( Two
After receiving the customer identification information (ID) and the personal identification number (PW) sent from the access terminal (3), the reference numeral 3) refers to the personal identification number registration unit (24) to receive the received customer identification information (I).
If D) and the personal identification number (PW) have been registered, the caller is authenticated as a licensed user who has licensed to use the database device (2) and the main path connection transfer unit (25) is activated.

The main road connection transfer unit (25) connects the access terminal (3) received by the database device (2) to the database management unit (22), and the caller qualified to use the access terminal (3). Use to enable access to the database (21).

When the main route PIN confirmation section (23) detects that the received customer identification information (ID) and PIN (PW) are not registered or do not match, the caller is qualified to use the database device (2). Is determined not to be owned, and access to the database (21) is prohibited.

[0014]

As is apparent from the above description, in the conventional database communication system, the calling access terminal (3) transmits the presence / absence of the usage qualification of the calling party to the database device (2). The customer identification information (ID) and the personal identification number (PW) are judged based on the presence or absence of registration. Therefore, if the customer identification information (ID) and the personal identification number (PW) are stolen by another person, it is unqualified for use. Not only is the person permitted to access the database device (2), but also the stolen qualification person has the method of recognizing that his / her customer identification information (ID) and personal identification number (PW) are stolen. If you do not do this, you will not be able to use the database device (2) unexpectedly, and you will only be aware of plagiarism.

An object of the present invention is to detect unauthorized access to a processing device in advance as much as possible and prevent the occurrence thereof.

[0016]

FIG. 1 is a diagram illustrating the principle of the present invention. In FIG. 1, 100 is a communication network which is the subject of the present invention, 200 is a processing device accommodated in the communication network (100),
A terminal device 300 is accommodated in the communication network (100).

Reference numeral 201 denotes a processing device (20) according to the present invention.
It is the authentication dedicated terminal registration means provided in 0). 202
Is an authentication dedicated terminal calling means provided in the processing device (200) according to the present invention.

Reference numeral 203 denotes a processor (20) according to the present invention.
Access notification means provided in 0). 204 is
The access determination means is provided in the processing device (200) according to the present invention.

Reference numeral 205 denotes an abnormal use qualifying person recording means provided in the processing device (200) according to the present invention (claim 4). Reference numeral 206 denotes an abnormal usage qualification prohibiting means provided in the processing device (200) according to the present invention (Claim 5).

Reference numeral 400 denotes an authentication dedicated terminal provided by the present invention. 410 is a portable terminal provided by the present invention (claim 2). The processing device (200) can be accessed by an authorized terminal device from any terminal device (300).

The authentication-dedicated terminal (400) is set separately from the terminal device (300) corresponding to each usage qualification. In the authentication-dedicated terminal registration means (201), the authentication-dedicated terminal (400) corresponding to each authorized user is the communication network (100).
Register the selection number given by.

The authenticating terminal calling means (202) receives the access request from the terminal device (300),
The authentication-dedicated terminal registration means (201) extracts the registered selection number corresponding to the access requester, and calls the authentication-dedicated terminal (400) corresponding to the selection number via the communication network (100).

When the authentication dedicated terminal (400) responds, the access notifying means (203) notifies the occurrence of an access request and confirms whether or not the access is necessary. The access determination means (204) determines the validity of the access request based on the answer of whether or not the setting is required for the access request from the authorized user who responded with the dedicated authentication terminal (400).

It is considered that the authentication-dedicated terminal (400) is a portable terminal (410) that is carried by each user. Further, it is considered that the access notifying means (203) only notifies the access request being received, and the access determining means (204) unconditionally determines the access request being received as valid.

The processor (200) records the identification information of the authorized user when the authorized user who responds to the authentication-dedicated terminal (400) rejects the setting of the notified access request. It is considered to attach a user qualification recording means (205).

Further, the processing device (200), when receiving a new access request, the abnormal use qualified person recording means (2).
05), referring to the abnormal usage qualifying person recording means (205)
It is considered to attach an abnormal user qualified person prohibiting means (206) for prohibiting an access request by a recorded user qualified user.

Further, the access notifying means (203) notifies the access request being received, and then the authentication dedicated terminal (40
0) corresponding to previously registered personal identification number (PW _S) prompts for and access determining means (204), the registered personal identification number from the authentication dedicated terminal (400) (PW _S) is returned Whether or not the access request is normal is considered depending on whether or not the access request is made.

Further, when the portable terminal (410) is dedicated to receiving, the access notifying means (203) notifies the use qualified person of the special number defined for the response connection by the portable terminal (410). However, when the qualified user makes a response connection to the processing device (200) with a special number from the nearest terminal device (300) [separate from the terminal device (300) that accesses the processing device (200)], an access request is issued. Notification of the occurrence of is considered.

Therefore, when the processing device receives the access request, it becomes possible to confirm in advance whether or not the access is required to the authorized user by the predetermined authentication dedicated terminal, and the customer identification information and the personal identification number of the authorized user. It is possible to detect and prevent unauthorized access by plagiarizing the device in advance and notify the qualified user for the robbery as well as the operator of the processing device, thereby significantly improving the reliability of the communication network.

[0030]

BEST MODE FOR CARRYING OUT THE INVENTION Embodiments of the present invention will be described below with reference to the drawings. 2 is a diagram showing a database communication system according to an embodiment of the present invention (claims 1 and 2), FIG. 3 is a diagram illustrating a database access process in FIG. 2, and FIG. 4 is a diagram showing the present invention (claim 2). 3) is a diagram showing a database communication system according to the embodiment, FIG. 5 is a diagram illustrating the database access processing in FIG. 4, and FIG. 6 is a diagram showing an embodiment of the present invention (claims 2, 4, and 5). 7 is a diagram showing a database communication system, FIG. 7 is a diagram illustrating a database access process in FIG. 6, and FIG. 8 is a diagram showing a database communication system according to an embodiment of the present invention (claims 2 and 6); FIG. 9 shows FIG.
10 is a diagram illustrating a database access process in FIG. 10, FIG. 10 is a diagram illustrating a database communication system according to an embodiment of the present invention (claims 2 and 7), and FIG. 11 is a diagram illustrating a database access process in FIG. 10. is there. The same reference numerals indicate the same objects throughout the drawings.

2 to 11, the public network (1) is shown as the communication network (100) in FIG. 1, the database device (2) is shown as the processing device (200) in FIG. Terminal device (300) in 1
Is shown as an access terminal (3), and as the authentication dedicated terminal (400) in FIG. 1, a portable terminal (410)
One or more portable authentication-specific terminals (4) corresponding to the above are used by qualified users of the database device (2).

When one or more terminals are used, for example, when the authentication-dedicated terminal (4) is reception-only as will be described later (see FIG. 10), it is possible to send and receive in order to enable the connection availability response. The terminal (5) is also used.

First, an embodiment of the present invention (claims 1 and 2) will be described with reference to FIGS. In FIG. 2, in the database device (2), a bypass registration unit (2) corresponding to the authentication dedicated terminal registration means (201) in FIG.
6) is provided, a bypass transmission unit (27) is provided as the authentication dedicated terminal calling unit (202) in FIG. 1, and a confirmation message notification unit (28) is provided as the access notification unit (203) in FIG. Further, as an access determination means (204) in FIG.
9) is provided.

The personal identification number registration unit (24) stores the customer identification information (ID) of the authorized user and the personal identification number (P) in the same manner as described above.
W) and are registered in advance, and the bypass registration unit (26)
Is a selection number (hereinafter referred to as a bypass number (SP)) assigned from the public network (1) of the authentication-specific terminal (4) carried by the authorized user, the customer identification information (ID) and the secret code. It is registered in correspondence with the number (PW).

When the authorized user owns a plurality of authentication dedicated terminals (4), a plurality of bypass numbers (SP) are registered corresponding to the customer identification information (ID). 2 and 3, a person who wishes to access the database device (2) can access the public network (1) from an arbitrary access terminal (3).
When the access number to the database device (2) is selected, the public network (1) connects the call access terminal (3) to the database device (2) by a known procedure.

In the database device (2), when the main road code number confirmation unit (23) detects an incoming call from the public network (1), the call is made via the public network (1), as described above. The personal identification number input instruction message (MSG ₀ ) for instructing the input of the customer's own customer identification information (ID) and personal identification number (PW) is returned to the person [steps S31 and S32 in FIG. 3].

PIN input message (MSG ₀ )
When the caller who has heard the message inputs his or her customer identification information (ID) and personal identification number (PW) from the access terminal (3), the main route personal identification number confirmation unit (23) outputs the access code from the access terminal (3). After receiving the customer identification information (ID) and the personal identification number (PW) transferred via the public network (1), the customer identification information (ID) and the personal identification number (PW) are referred to by referring to the personal identification number registration section (24). ) And are registered, and if the registration is confirmed [step S33], the side road transmission unit (27) is activated.

When the customer identification information (ID) and the personal identification number (PW) do not match, the connection is cut according to a known procedure. The activated side road transmission unit (27) is connected to the side road registration unit (2
6), referring to the received customer identification information (ID) and personal identification number (PW), the registered by-pass number (SP)
It is searched whether or not there is an unused bypass number (SP) in [step S34].

When the unused side road number (SP) is detected as a result of the search [step S35], the side road transmission unit (27) calls the public network (1) and detects the detected side road number ( S
P) is transmitted to the public network (1) [step S36].

Further, as a result of the search, an unused bypass number (S
If P) cannot be detected [step S35], it instructs the main PIN confirmation unit (23) to prohibit the access request of the called subscriber [step S3B].

The public network (1) is a database device (2).
When a call from the side-route transmitting unit (27) is detected and the side-route number (SP) is received, the authentication-specific terminal (4) corresponding to the side-route number (SP) is selected according to a known procedure, Display incoming call.

When the carrier of the authentication dedicated terminal (4) notices the incoming call to the authentication dedicated terminal (4) and responds to it, the public network (1) returns a response signal to the side route transmission section (27). . The side road transmission unit (27) activates the confirmation message notification unit (28) when detecting the response of the authentication dedicated terminal (4) [step S37].

Confirmation message notification unit (28) which has been activated
Is an access notification confirming that an access request to the database device (2) using the customer identification information (ID) and the personal identification number (PW) has occurred, and whether access to the database device (2) is expected. Acceptability response instruction message (MSG ₁ ) [For example, "There was an access to the database device (2). If you wish to connect, select the number" 1 ", if not, select the number" 2 ". please do it. Etc.] is generated and returned to the authentication dedicated terminal (4) via the public network (1) [step S38].

The access notification / acceptance reply instruction message (MSG ₁ ) returned by the carrier of the authentication dedicated terminal (4)
Is a request for access made by the access terminal (3), and if the user desires to access, select the number button "1" provided on the authentication-specific terminal (4). The selection signal corresponding to "" is returned to the database device (2) via the public network (1).

In the database device (2), when the authentication confirmation unit (29) receives and analyzes the selection signal returned from the authentication-dedicated terminal (4) and identifies that it corresponds to the numeral "1", access is made. It is determined that there is no problem in allowing the access request from the terminal (3) [step S39], and the main path connection transfer unit (25) is activated.

The main-route connection transfer unit (25), which has been activated, stores the access terminal (3), which has arrived at the database device (2) via the public network (1), in the same manner as described above. To access the database (21) [step S3A].

When the carrier of the authentication dedicated terminal (4) who has heard the returned access notification / possibility answer message (MSG ₁ ) is his / her unexpected access request and refuses access, , Authentication terminal (4)
When the number button "2" provided on the is selected, the selection signal corresponding to the number "2" is returned to the database device (2) via the public network (1).

In the database device (2), when the authentication confirmation unit (29) receives and analyzes the selection signal returned from the authentication dedicated terminal (4) and identifies that it corresponds to the numeral "2", access is made. It is determined that the access request from the terminal (3) needs to be prohibited [step S39], and the main road code identification section (23) is instructed to prohibit the access request of the called subscriber [step S3B]. ].

The main road code number confirmation unit (23) executes access prohibition processing such as forcibly disconnecting the incoming call from the calling access terminal (3). As is apparent from the above description, according to the embodiment of the present invention (Claims 1 and 2), when the access request to the database device (2) is generated, the customer identification information (ID) and the personal identification number (PW). ) Is sent to the authentication dedicated terminal (4) carried by the registered licensed person to notify the occurrence of the access request, and to confirm its validity, only the access that the true licensed person expects It is possible to recognize the illegal use of the customer identification information (ID) and the personal identification number (PW) by another person before the access.

Next, an embodiment of the present invention (claims 2 and 3) will be described with reference to FIGS. 4 and 5. The database device (2) shown in FIG. 4 is the same as that in FIG. 2 except that the authentication confirmation section (29) is removed from the database device (2) shown in FIG.

In FIGS. 4 and 5, a person who wishes to access the database device (2) calls the public network (1) from an arbitrary access terminal (3) and gives an access number to the database device (2). If you select, public network (1)
However, similarly to the above, the calling access terminal (3) is connected to the database device (2), and the database device (2)
The main road PIN confirmation section (23) instructs the caller to insert the customer identification information (ID) and PIN (PW),
[FIG. 5 Steps S51 and S52] When the caller inputs his or her customer identification information (ID) and personal identification number (PW) from the access terminal (3), the personal identification number registration unit (24).
After confirming that the customer identification information (ID) and the personal identification number (PW) have been registered by [step S53], the side road transmission unit (2)
7) is started, the unused side road number (SP) corresponding to the customer identification information (ID) is detected from the side road registration unit (26) [steps S54 and S55], and the public network (1) is detected. The process of making a call, sending the detected side route number (SP) to the public network (1) [step S56], and displaying the incoming call on the authentication dedicated terminal (4) is the implementation of the present invention (claim 1). This is similar to [FIG. 3 Steps S31 to S36] in the embodiment.

When the carrier of the authentication dedicated terminal (4) notices the incoming call to the authentication dedicated terminal (4) and responds to it, the public network (1) returns a response signal to the bypass transmission unit (27). . When the response by the authentication dedicated terminal (4) is detected [step S57], the side road transmission unit (27) activates the confirmation message notification unit (28).

Confirmation message notification unit (28) which has been activated
Is an access notification message (MSG) notifying only that an access request to the database device (2) using the customer identification information (ID) and the personal identification number (PW) has occurred.
₂ ) After generating [for example, "There was access to the database device (2), so connect.") And returning it to the authentication terminal (4) via the public network (1) [Step S58], The main path connection transfer part (25) is started.

The main-route connection transfer unit (25), which has been activated, transfers the access terminal (3) that has arrived at the database unit (2) via the public network (1) to the database management unit (22) in the same manner as described above. ) To enable access to the database (21) [step S59].

In addition, the side road transmission unit (27) is connected to the side road registration unit (2).
As a result of searching the unused side road number (SP) from 6), if the unused side road number (SP) cannot be detected [step S55], the main road code number confirmation unit (23) It is instructed to prohibit the access request of the called subscriber [step S5A].

On the other hand, when the carrier of the authentication-specific terminal (4) listens to the access notification message (MSG ₂ ) returned from the database device (2), he / she accesses from the access terminal (3). If it is a request, there is no problem, but if it is an unexpected access request, it is determined that the customer identification information (ID) and the personal identification number (PW) have been stolen by another person, and the database device (2) is separately provided. Take measures such as contacting to notify that the customer identification information (ID) and personal identification number (PW) have been stolen.

As is apparent from the above description, according to the embodiment of the present invention (claims 2 and 3), when the access request to the database device (2) occurs, the customer identification information (ID) and the secret code. In order to notify the occurrence of the access by receiving the number (PW) to the authentication dedicated terminal (4) carried by the registered qualified user, the true authorized user can identify the customer identification information (ID) and the secret code by another person. It is possible to notify the plagiarism of the number (PW) when an access occurs.

Therefore, the theft of the customer identification information (ID) and the personal identification number (PW) cannot be prevented in advance as in the embodiment of the present invention (Claim 1). If the probability that the customer identification information (ID) and the personal identification number (PW) will be stolen is extremely low when the database device (2) is used for the operation of the present invention (claim 1). It is simpler than the form.

Next, an embodiment of the present invention (claims 2, 4, and 5) will be described with reference to FIGS. 6 and 7. The database device (2) shown in FIG. 6 is different from the database device (2) shown in FIG.
A), an abnormal customer registration unit (2B) and an abnormal customer confirmation unit (2C) are additionally installed as an abnormal usage qualification person recording means (205) and an abnormal usage qualification prohibition means (206) in FIG.

In the abnormal customer registration unit (2B), the database device (2) detects the usage qualification of the usage qualifier who has detected an unexpected access request in the same process as in the embodiment of the present invention (Claim 1). Customer identification information (ID) is registered as abnormal customer identification information (ID _H ).

In FIGS. 6 and 7, a person who wishes to access the database device (2) makes a call to the public network (1) from an arbitrary access terminal (3), and the access number to the database device (2) is given. If you select, public network (1)
However, similarly to the above, the calling access terminal (3) is connected to the database device (2), and the database device (2)
The main road PIN confirmation section (23) instructs the caller to insert the customer identification information (ID) and PIN (PW),
[Steps S71 and S72 in FIG. 7] When the caller inputs his or her customer identification information (ID) and personal identification number (PW) from the access terminal (3), the personal identification number registration unit (24).
The process up to confirming that the customer identification information (ID) and the personal identification number (PW) have been registered by [step S73] is the same as in the embodiment of the present invention (claim 1) [step S31 in FIG. 3].
Through S33].

Next, the database device (2) activates the abnormality occurrence customer confirmation unit (2C) before activating the side road transmission unit (27). The activated abnormal customer confirmation unit (2C) refers to the abnormal customer registration unit (2B), and the received customer identification information (ID) is stored in the abnormal customer registration unit (2B) as abnormal customer identification information (ID _H ). Is registered [step S73], and if registered, [step S7]
4], it is determined that there is a possibility that the customer identification information (ID) and the personal identification number (PW) have been stolen by the qualified user corresponding to the customer identification information (ID). 23) is instructed to prohibit the access request of the called subscriber [step S7E], but if not registered [step S74], customer identification information (ID) in the past.
It is confirmed that the usage qualification person corresponding to the customer ID information (ID) and the personal identification number (PW) have not been stolen, and the side road transmission unit (27) is activated.

The activated side road transmission unit (27) performs the same process as in the embodiment of the present invention (Claim 1) [steps S34 to S36 in FIG. 3], and the side road registration unit (26).
The unused side route number (SP) corresponding to the customer identification information (ID) is detected from the device, the public network (1) is called, and the detected side route number (SP) is transmitted to the public network (1). It is sent out and the incoming call is displayed on the authentication dedicated terminal (4) [steps S75 to S75].
78].

When the carrier of the authentication dedicated terminal (4) notices the incoming call to the authentication dedicated terminal (4) and responds, [Step S
79], the side road transmission unit (27) activates the confirmation message notification unit (28) as described above.

Confirmation message notification unit (28) which has been activated
Generates an access notification / acceptance response instruction message (MSG ₁ ) and returns it to the authentication dedicated terminal (4) in the same process [Step S38 in FIG. 3] as in the embodiment of the present invention (claim 1). Step S7A], when the carrier of the authentication dedicated terminal (4) listens to the access notification / approval answer instruction message (MSG ₁ ) and selects the numeric button “1” that he / she desires to access, the authentication confirmation unit ( 29)
However, according to the same process as in the embodiment of the present invention (claim 1) [step S3A in FIG. 3], the main path connection transfer unit (2
5) is started and the calling access terminal (3) connected to the database device (2) via the public network (1) is
Connect to the database management unit (22) to enable access to the database (21) [step S7
C].

Incidentally, the carrier of the authentication dedicated terminal (4) who has heard the access notification / permission response message (MSG ₁ ) selects the number "2" which is an unexpected access request and which is denied access. In this case, the authentication confirmation unit (29) activates the abnormal customer registration unit (2A).

Anomaly occurrence customer registration unit (2A) which is activated
Indicates the customer identification information (ID) as the abnormal customer identification information (I
_DH ) is registered in the abnormal customer registration unit (2B) [step S7D].

Subsequently, the authentication confirmation unit (29) joins the main road code number confirmation unit (23) by the same process as in the embodiment of the present invention (claim 1) [step S3B in FIG. 3]. The access request of the person is prohibited [step S7E].

The main road code number confirmation unit (23) executes access prohibition processing such as forcibly disconnecting the incoming call from the calling access terminal (3). As is clear from the above description, according to the embodiment of the present invention (Claims 2, 4, and 5), it is applicable when the authorized user responds to the access refusal notified by the authentication dedicated terminal (4). It is considered that an abnormal condition such as the theft of the customer identification information (ID) and the personal identification number (PW) has occurred for the qualified user, and it is registered in the abnormal customer registration section (2B). Access request can be prohibited, and the operation section of the database device (2) also extracts the registered contents of the abnormal customer registration unit (2B) and takes appropriate measures against the abnormal customer identification information (ID _H ). Can be taken.

Next, an embodiment of the present invention (claims 2 and 6) will be described with reference to FIGS. 8 and 9. In the database device (2) shown in FIG. 8, a personal identification number registration unit (2D) is added to the database device (2) shown in FIG. 2, and a bypass message is provided instead of the confirmation message notification unit (28). A personal identification number confirmation section (2E) is provided.

The password registration section (2D) has access to qualified users.
A dedicated authentication terminal (4) [bypass number (SP)]
Corresponding to,
(PW _S) ”Is registered.

In FIG. 8 and FIG. 9, a person who wishes to access the database device (2) calls the public network (1) from an arbitrary access terminal (3) and gives the access number to the database device (2). If you select, public network (1)
However, similarly to the above, the calling access terminal (3) is connected to the database device (2), and the database device (2)
The main road code number confirmation unit (23) instructs the called subscriber to input the customer identification information (ID) and the personal identification number (PW) [steps S91 and S92 in FIG. 9]. When the (ID) and the personal identification number (PW) are input from the access terminal (3), the personal identification number registration unit (2
After confirming that the customer identification information (ID) and the personal identification number (PW) have been registered according to 4) [step S93], the side road transmission unit (27) is activated, and the activated side road transmission unit (27) ,
An unused side route number (SP) corresponding to the customer identification information (ID) is detected from the side route registration unit (26), a call is made to the public network (1), and the detected side route number (SP) is detected. Is sent to the public network (1) and the incoming call is displayed on the authentication dedicated terminal (4) [steps S95 and S96]. The process in the embodiment of the present invention (claim 1) is [step S31 in FIG. 3].
Through S36].

When the carrier of the authentication dedicated terminal (4) notices the incoming call to the authentication dedicated terminal (4) and responds, [Step S
97], the by-pass code identification unit (27)
Start E).

The activated side pass code confirmation section (2E)
The authentication dedicated terminal the introduction of bypass PIN already registered corresponding (PW _S) to (4), access instructs the wearer Notify side passage PIN on instruction message (MSG ₃₎ [for example, "Database There was access to the device (2) The side code (PW) corresponding to the authentication terminal (4)
Please input _S ). Etc.] and the public network (1)
Return to the authentication terminal (4) via [Step S
98].

The carrier of the authentication-only terminal (4) sends back the access notification / bypass password input instruction message (M
SG ₃ ) is an access request originated from the access terminal ( ₃ ) by listening to SG ₃ ), and if access is desired, the side pass code (PW) registered corresponding to the authentication dedicated terminal (4) is registered. When turning on the _S) from the authentication dedicated terminal (4), the bypass code number (PW _S) is sent back to the database system (2) via a public network (1).

[0076] In the database apparatus (2), when the bypass PIN check unit (2E) receives an authentication dedicated terminal (4) returned is bypassed PIN from (PW _S) [Step S99], PIN refers to the registration section (2D), the received bypass code number (PW _S) is, the sending side channel number (S
When it is identified as registered in response to P), it is determined that the authentication-specific terminal (4) is carried by the correct user and the access request from the access terminal (3) can be accepted. Step S9A], The main path connection transfer unit (25) is activated via the authentication confirmation unit (29).

The activated main-route connection transfer section (25) controls the access terminal (3) that has arrived at the database apparatus (2) via the public network (1) to the database management section (22) in the same manner as described above. ) To enable access to the database (21) [step S9B].

Incidentally, the carrier of the authentication dedicated terminal (4) who has heard the returned access notice / passenger passcode input instruction message (MSG ₃ ) refuses the access because it is an unexpected access request. in this case, inputting the authentication dedicated terminal (4) to bypass PIN registered in correspondence (PW _S) authentication dedicated terminal other than (4), or not turn on the bypass PIN (PW _S) , A normal bypass code number (P
W _S ) is not returned to the database device (2) via the public network (1).

[0079] In the database apparatus (2), the bypass PIN check unit (2E) is normal bypass PIN from the authentication dedicated terminal (4) (PW _S) and is unexpected sent back [step S9A and S9C] Then, it judges that the access request from the access terminal (3) needs to be prohibited, and instructs the main route password confirmation section (23) to prohibit the access request of the terminating subscriber [step S9D].

The main road code number confirmation unit (23) executes access prohibition processing such as forcibly disconnecting the incoming call from the calling access terminal (3). As is clear from the above description, according to the embodiment of the present invention (claims 2 and 6), when the access request to the database device (2) is generated, the customer identification information (ID) and the personal identification number (PW). ) was coming into the authentication-only terminal that registered the use of qualified personnel is a mobile (4) in order to request the insertion of bypass personal identification number (PW _S), allowing only access to expect is true of the use qualified personnel In addition, it becomes possible not only to recognize the stealing of the customer identification information (ID) and the personal identification number (PW) by another person before the access, but also the authentication dedicated terminal (4) together with the customer identification information (ID) and the personal identification number (PW). Even if the password is stolen, the pass code (P
W _S ) makes it possible to prevent access by a thief.

Next, an embodiment of the present invention (claims 2 and 7)
Will be described with reference to FIGS. 10 and 11. The present invention (contract
In the embodiments of claim 2 to 6), the database device
A terminal dedicated to authentication carried by a person qualified to use the device (2)
(4) is the access transmitted from the database device (2).
Process notification / approval answer instruction message (MSG₁Or
Access notification / side pass code entry message (MS
G_Three) Etc., and the answer of whether access is required [number
Enter "1" or "2"], or bypass PIN (P
W _S), It was possible to communicate in both directions,
In an embodiment of the present invention (claims 2 and 7), data
Dedicated to authentication carried by a person qualified to use the base device (2)
The terminal (4) is transferred from the database device (2)
Only the same message can be received, and only the authentication end
A so-called radio call receiver that cannot be transmitted from the end (4) [I
Receiving-only device such as [name pager].

The database device (2) shown in FIG. 10 is the same as the database device (2) shown in FIG.
A special number registration unit (2F) is added, and a special number notification unit (2) is used instead of the confirmation message notification unit (28).
G) and a special number receiver (2H) are provided.
In the special number registration section (2F), a qualified user who is called by the authentication dedicated terminal (4) is sent from the general terminal (5) accommodated in the public network (1) via the public network (1). A special number (SPN) [plurality] selected when making a response connection to the database device (2) is registered.

In FIG. 10 and FIG. 11, a person who wishes to access the database device (2) calls the public network (1) from an arbitrary access terminal (3) and gives the access number to the database device (2). If you select, public network (1)
However, similarly to the above, the calling access terminal (3) is connected to the database device (2), and the database device (2)
The main road PIN confirmation section (23) instructs the caller to insert the customer identification information (ID) and PIN (PW),
[Steps SB1 and SB2 in FIG. 11] When the caller inputs his or her customer identification information (ID) and personal identification number (PW) from the access terminal (3), the personal identification number registration unit (2)
After confirming that the customer identification information (ID) and the personal identification number (PW) have been registered according to 4) [step SB3], the side road transmission unit (27) is activated, and the activated side road transmission unit (27) is activated. ,
The process up to detecting the bypass number (SP) corresponding to the customer identification information (ID) and the personal identification number (PW) from the bypass registration unit (26) [step SB4] is the implementation of the present invention (claim 1). It is the same as the [FIG. 3 steps S31 to S34] in the embodiment.

Then, the bypass transmission unit (27) activates the special number notification unit (2G). The activated special number notification unit (2G) refers to the special number registration unit (2F), selects an unused special number (SPN), and closes the selected special number (SPN) to the in-use state. [Step SB
5 and SB6].

Subsequently, the side road transmission unit (27) calls the public data communication network (1) and detects the detected side road number (S).
P) is sent to the public network (1), an incoming call is displayed to the authentication dedicated terminal (4), and an access request to the database device (2) using the customer identification information (ID) and the personal identification number (PW) is generated. , After returning the notification display of the response request to the special number (SPN = “XX” number) to the authentication dedicated terminal (4) via the public network (1) [step SB7], the authentication dedicated terminal (4) ), The special number receiving unit (2H) is activated [step SB8].

The activated special number receiving unit (2H) activates a timer to wait for a response from the authentication dedicated terminal (4) with the special number (SPN) [steps SB9 and SBA].

The carrier of the authentication dedicated terminal (4) notices the incoming call display to the authentication dedicated terminal (4) and accesses the database device (2) by his / her customer identification information (ID) and personal identification number (PW). Recognizing that the request has occurred, the nearest general terminal (5) calls the public network (1), and the special number (SPN = "“ XX ”) displayed on the authentication dedicated terminal (4).
No.), the public network (1) connects the calling general terminal (5) to the special number receiving unit (2H) of the database device (2) by an incoming call according to a known procedure.

In the database device (2), if the special number receiving unit (2H) detects a response incoming by the special number (SPN = "No. XX") before the timer detects the elapse of a certain period of time [step SBA], an access notification / permission response message (MSG ₁ ) is generated and returned to the general terminal (5) via the public network (1) [step SBB].

An access notification / acceptance reply instruction message (MSG ₁ ) sent back by the responder from the general terminal (5)
If the user wishes to access and selects the number button "1" provided on the general terminal (5), the selection signal corresponding to the number "1" is sent via the public network (1). It is returned to the database device (2).

In the database device (2), when the authentication confirmation unit (29) receives and analyzes the selection signal returned from the general terminal (5) and identifies that it corresponds to the number "1", the access terminal It is determined that there is no problem in accepting the access request from (3) [step SBC], and the main path connection transfer unit (25) is activated.

The activated main-route connection transfer unit (25) controls the access terminal (3) received by the database device (2) via the public network (1) to the database management unit (22) in the same manner as described above. ) To enable access to the database (21) [step SBD].

The general terminal (5) who listened to the returned access notification / possibility answer message (MSG ₁ )
When the responder according to denies access, he / she selects the number button “2” provided on the general terminal (5),
The selection signal corresponding to the number "2" is returned to the database device (2) via the public network (1).

In the database device (2), when the authentication confirmation unit (29) receives and analyzes the selection signal returned from the general terminal (5) and identifies that it corresponds to the numeral "2", the access terminal It is judged that it is necessary to prohibit the access request from (3) [step SBC], and the main road code identification section (23) is instructed to prohibit the access request of the called subscriber [step SBE]. .

The main route code number confirmation unit (23) executes access prohibition processing such as forcibly disconnecting the incoming call from the calling access terminal (3). As is apparent from the above description, according to the embodiment of the present invention (Claims 2 and 7), the qualified user of the database device (2) carries the authentication-only terminal (4) for reception only. According to the present invention (Claim 1,
In the same manner as in 2), in order to confirm the necessity of execution of access to the qualified user, only the access expected by the true qualified user is permitted, and customer identification information (ID) by another person.
And, the stealing of the personal identification number (PW) can be recognized before the access.

It should be noted that FIGS. 2 to 11 are merely one embodiment of the present invention. For example, in the embodiment of the present invention (Claim 3), the database device (2) has an abnormality occurrence customer registration unit (2A). And the abnormal customer registration unit (2B) is added, the abnormal customer confirmation unit (2C) is omitted, and the abnormal customer identification information (ID _H ) determined by the authentication confirmation unit (29) is added to the abnormal customer registration unit (2B). Many other modifications are considered, such as prohibiting an access request from the access terminal (3) based on only the registration status of the abnormal customer registration unit (2B) by only registering in. However, the effect of the present invention does not change.

Further, the authentication dedicated terminal (4
00) is a portable terminal (41) such as an authentication-only terminal (4).
However, the present invention is not limited to 0) and many other modifications are considered, but the effect of the present invention does not change in any case. Further, the processing device (200) which is the object of the present invention is not limited to the illustrated database device (2), and various modifications can be considered, but in any case, the effect of the present invention Does not change.

[0097]

As described above, according to the present invention, in the communication network, when a processing device receives an access request, it is possible to confirm in advance whether or not access is required by a predetermined qualification terminal with a predetermined authentication dedicated terminal. It is possible to detect and prevent unauthorized access by stealing the customer identification information and password of the licensed user in advance, and also to notify the stolen licensed user and the operator of the processing device. The reliability is greatly improved.

[Brief description of the drawings]

FIG. 1 is a principle diagram of the present invention.

FIG. 2 is a database communication system according to an embodiment of the present invention (claims 1 and 2).

FIG. 3 is a database access process in FIG.

FIG. 4 is a database communication system according to an embodiment of the present invention (claims 2 and 3).

5 is a database access process in FIG.

FIG. 6 is a database communication system according to an embodiment of the present invention (claims 2, 4, and 5).

FIG. 7 is a database access process in FIG.

FIG. 8 is a database communication system according to an embodiment of the present invention (claims 2 and 6).

FIG. 9 is a database access process in FIG.

FIG. 10 is a database communication system according to an embodiment of the present invention (claims 2 and 7).

FIG. 11 is a database access process in FIG.

FIG. 12 A conventional database communication system

[Explanation of symbols]

 1 Public Network 2 Database Device 3 Access Terminal 4 Authentication Dedicated Terminal 5 General Terminal 21 Database 22 Database Management Unit 23 Main Road PIN Number Confirmation Unit 24 PIN Number Registration Unit 25 Main Road Connection Transfer Unit 26 Bypass Registration Unit 27 Bypass Transmission Unit 28 Confirmation message notification section 29 Authentication confirmation section 2A Abnormal customer registration section 2B Abnormal customer registration section 2C Abnormal customer confirmation section 2D PIN code registration section 2E Bypass PIN code confirmation section 2F Special number registration section 2G Special number notification section 2H Special Number receiving unit 100 Communication network 200 Processing device 201 Authentication dedicated terminal registration means 202 Authentication dedicated terminal calling means 203 Access notification means 204 Access determination means 205 Abnormal usage qualified person recording means 206 Abnormal usage qualified person prohibiting means 300 Terminal device 400 Authentication dedicated terminal 410 Handheld terminal

Claims (7)

[Claims] 1. A communication network accommodating a processing device accessible by an authorized terminal from an arbitrary terminal device, wherein an authentication-dedicated terminal accommodated in the communication network corresponds to each of the authorized users. An authentication dedicated terminal registering means for setting the selection number assigned separately from the communication network by the authentication dedicated terminal corresponding to each of the usage qualifiers to the processing device, and access from the terminal device. When a request is received, the authentication dedicated terminal registration means extracts the registered selection number corresponding to the access requester, and calls the authentication dedicated terminal corresponding to the selection number via the communication network. Terminal calling means, access notifying means for notifying the occurrence of the access request and confirming the necessity of the access when the authentication dedicated terminal responds, and the interest responding at the authentication dedicated terminal From qualified, based on the setting necessity answer to the access request, the trusted method characterized by providing and determining access determination means the validity of the access request. 2. The unauthorized access prevention method according to claim 1, wherein the authentication dedicated terminal is a portable terminal carried by each of the usage qualifications. 3. The illegality according to claim 1, wherein the access notifying means only notifies an access request being received, and the access determining means unconditionally determines the access request as valid. Access prevention method. 4. An abnormality in which the identification information of the authorized user is recorded in the processing device when the authorized user who responds to the authentication dedicated terminal refuses the setting of the notified access request. 2. The unauthorized access prevention system according to claim 1, further comprising a recording means for recording the usage qualification. 5. When the processing device receives a new access request, the abnormal usage qualification person recording means is referred to, and the access request by the usage qualification person already recorded in the abnormal usage qualification person recording means is prohibited. 5. The unauthorized access prevention system according to claim 4, further comprising means for prohibiting an abnormal use qualification person. 6. The access notifying means, after notifying an access request being received, requests the input of a personal identification number registered in advance corresponding to the authentication dedicated terminal, and the access determination means makes the authentication dedicated terminal 2. The unauthorized access prevention system according to claim 1, wherein the validity of the access request is judged depending on whether or not the registered personal identification number is returned from the terminal. 7. The access notifying means notifies, when the portable terminal is only for reception, a special number defined for response connection to the authorized person by the portable terminal,
3. The unauthorized access prevention system according to claim 2, wherein when the qualified user makes a response connection from the nearest terminal device to the processing device by the special number, the occurrence of the access request is notified.