TW201928750A - Collation server, collation method, and computer program - Google Patents


Info

Publication number
TW201928750A
Authority
TW
Taiwan
Prior art keywords
aforementioned
login
history
database
login history
Prior art date
Application number
TW107112974A
Other languages
Chinese (zh)
Other versions
TWI769240B (en)
Inventor
島津敦好
Original Assignee
日商科力思股份有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 日商科力思股份有限公司
Publication of TW201928750A
Application granted
Publication of TWI769240B

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 13/00 Interconnection of, or transfer of information or other signals between, memories, input/output devices or central processing units
    • G06F 16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F 21/31 User authentication

Abstract

Provided is a technology for detecting more efficiently, by using a so-called login history, whether an access is an illegal access or a legal access made by a legitimate user. The collation server comprises: a communication unit that receives a login history from the outside and transmits the received login history to a control unit; the control unit, which registers the login history transmitted from the communication unit in a login history database; and the login history database, which holds the login history. When the transmitted login history is a success history, the control unit compares it with the login histories held in the login history database and, when the login is not the same behaviour as the past behaviour of logins, transmits through the communication unit a message indicating that the login was not made by the person himself/herself.

Description

Collation server, collation method, and computer program

The present invention relates to a collation server that can be used by the various websites that provide specific services to users. It also relates to the collation method performed by that collation server and to a related computer program.

Websites (service providing systems) that provide various services to users over networks such as the Internet have long been known.

A user who wants to use such a website accesses and logs in to it using an assigned ID and password, and can then receive the desired service from the website.

For example, a user of a shopping mall website logs in to the website with an ID and password, moves through the pages the website provides, and purchases goods on the page where the desired product is found.

In prior-art websites, an ID and password are usually used so that only legitimate users can use the site. By using the ID and password, so-called malicious intruders can presumably be excluded and smooth use of the service achieved.

<Malicious access> In recent years, however, incidents have been reported in which a malicious third party obtains another person's ID and password by improper means. When a malicious third party logs in to a website using the ID and password of another person (the legitimate user), it is difficult to tell from the ID and password alone whether the person logging in is the legitimate user or a malicious third party.

Therefore, in recent years the following general architecture has become known: information on the actions performed by the legitimate user after login is recorded in advance and compiled into a database as a whitelist. The following kinds of information are suitable as the recorded action information.

・OS
・Browser
・Language
・IP address (indicates the geographic location of the user making the access)
・Time (the time at which the access was made)

If this information is recorded and a database is built in advance as a so-called whitelist (WhiteList), it becomes possible to detect that a logged-in user is behaving differently from usual. For a user who behaves differently from usual, it is desirable to perform additional authentication in order to confirm that the user is not a malicious third party. For example, a message such as "Your ID is currently being used to access the following website. Is this access being made by you? If not, please press (touch) the NO button" is sent to the user's mobile phone or smartphone; when the NO button is pressed (touched), it can be determined that the person making the access is not the legitimate user but a malicious third party. Processing to cut off that user's access immediately can then be taken.

Examples are a case where the access is made from a different place (IP address) than usual, or from a different personal computer (OS, browser) than usual. In such cases, additional authentication is performed to confirm whether the user is the legitimate user (this is also called identity verification). The whitelist is usually built from on the order of several dozen past accesses by the legitimate user, but there are cases with fewer (a few) and cases with more (several hundred). The whitelist may also be configured to be updated by being replaced with new information each time the legitimate user makes an access. Similarly, a method of building a blacklist from the data of malicious third parties is also used. It is expected that using such whitelists or blacklists makes it possible to distinguish efficiently between malicious third parties and legitimate users.

Prior patent documents: for example, Patent Document 1 below discloses a device that searches content information using a whitelist and a blacklist. That document states that privacy is protected by using the two lists.

Also, for example, Patent Document 2 below discloses an access control system that uses a whitelist and a blacklist to control access to websites. Patent Document 3 below discloses a storage medium specially designed with an architecture that restricts access to the storage medium; that architecture uses a whitelist and a blacklist.
[Prior art documents]
[Patent documents]

[Patent Document 1] Japanese Unexamined Patent Application Publication No. 2012-159939
[Patent Document 2] Japanese Unexamined Patent Application Publication No. 2011-3132
[Patent Document 3] Japanese Unexamined Patent Application Publication No. 2011-248474

[Problems to be solved by the invention]

Thus, in prior-art websites, information on the access actions of the legitimate user is recorded in advance as a whitelist, and additional authentication is performed as appropriate for users whose actions differ substantially from that whitelist.

However, a malicious third party naturally disguises himself skilfully as the legitimate user, so in general it can be difficult to see through this. Consequently, the response often relies on the rules of thumb of the person in charge of security measures. For example, a malicious third party may be discovered on the basis of a rule of thumb such as "a withdrawal from a deposit account on a financial institution's website that reaches the withdrawal limit is highly likely to come from a malicious third party".

Furthermore, a common ID and password are often used for a plurality of websites. In that case, once one set of ID and password has been improperly obtained by a malicious third party, unauthorized access to a plurality of websites may be carried out in succession. When unauthorized access to one website is detected, providing that information to the operators of other websites is therefore expected to be effective in preventing the successive unauthorized accesses that result from the use of a common ID and password.

The present inventor filed a patent application for such an architecture on May 3, 2016, as Japanese Patent Application No. 2016-092850 (hereinafter, the prior patent application). In that prior application by the present inventor, an architecture was proposed that uses not only a whitelist but also a blacklist to detect unauthorized access efficiently and to share the result.

Whitelists and blacklists record information about the persons who made accesses, and are considered to make detection of whether the accessing user is a legitimate user more efficient on that basis. However, experience shows that a person accessing maliciously behaves in ways clearly different from a legitimate user, such as repeatedly making failed accesses to the same website.

A whitelist and a blacklist are static data on the state of the person who made the access; they hold almost no information related to the "login history" or "behaviour", such as what kind of login behaviour is taking place (the history) or what login actions have been performed so far.

It would therefore be desirable to have an architecture that, in addition to the whitelist and blacklist above, also uses a so-called login history to judge from the behaviour of the person who made the access whether that person is a legitimate user or a malicious accessor; however, no such architecture has existed to date.

The present invention has been made in view of the above problem, and its object is to provide a technology that uses a so-called login history to detect more efficiently whether an access is an unauthorized access or a legitimate access by a legitimate user.
[Means for solving the problem]

(1) In order to solve the above problem, the present invention is a collation server comprising: a communication unit that communicates with the outside, receives a login record from the outside, and sends it to a control unit; the control unit, which registers the login record sent from the communication unit in a login history database; and the login history database, which holds the login records. The collation server is characterized in that, when the sent login record is a success record, the control unit compares the login record with the login records held in the login history database and, when the behaviour of the login is not the same as the behaviour of the logins made so far, sends via the communication unit a message indicating that the login does not appear to be by the person himself/herself.

(2) The present invention is also the collation server of (1), further comprising a blacklist database that holds information on malicious hackers, wherein, when the sent login record is a success record, the control unit compares the login record with the entries registered in the blacklist database and, when the same data exists, sends via the communication unit a message indicating that the person is a malicious hacker.

(3) The present invention is also the collation server of (1), further comprising a whitelist database that holds information on legitimate users, wherein, when the sent login record is a success record, the control unit compares the login record with the entries registered in the whitelist database and, when the same data exists, sends via the communication unit a message indicating that the person is a legitimate user.

(4) In order to solve the above problem, the present invention is also a collation server comprising: a communication unit that communicates with the outside, receives a login record from the outside, and sends it to a control unit; the control unit, which registers the login record sent from the communication unit in a login history database; the login history database, which holds the login records; a blacklist database that holds information on malicious hackers; and a whitelist database that holds information on legitimate users. The collation server is characterized in that, when the sent login record is a success record, the control unit compares the login record with the entries of the blacklist database and, when the same data exists, sends via the communication unit a message indicating that the person is a malicious hacker; when the comparison with the blacklist database shows that no such data exists, it compares the login record with the login records held in the login history database; when the comparison with the login history database shows that the behaviour of the login is not the same as the behaviour of the logins made so far, it compares the login record with the entries of the whitelist database; and when the comparison with the whitelist database shows that the same data exists, it sends via the communication unit a message indicating that the person is a legitimate user, while when no such data exists, it sends via the communication unit a message indicating that the login does not appear to be by the person himself/herself.

(5) The present invention is also the collation server of (2) or (4), characterized in that the communication unit receives a blacklist registration request from the outside and sends it to the control unit, and the control unit registers in the blacklist database the malicious hacker information contained in the blacklist registration request sent from the communication unit.

(6) The present invention is also the collation server of (3) or (4), characterized in that the communication unit receives a whitelist registration request from the outside and sends it to the control unit, and the control unit registers in the whitelist database the legitimate user information contained in the whitelist registration request sent from the communication unit.

(7) In order to solve the above problem, the present invention is also a collation method that uses a collation server to collate whether a login record appears to be by the person himself/herself, the collation server comprising: a communication unit that communicates with the outside, receives a login record from the outside, and sends it to a control unit; the control unit, which registers the login record sent from the communication unit in a login history database; and the login history database, which holds the login records. The collation method is characterized by including a step of causing the control unit, when the sent login record is a success record, to compare the login record with the login records held in the login history database and, when the behaviour of the login is not the same as the behaviour of the logins made so far, to send via the communication unit a message indicating that the login does not appear to be by the person himself/herself.

(8) In order to solve the above problem, the present invention is also a collation method that uses a collation server to collate whether a login record appears to be by the person himself/herself, the collation server comprising: a communication unit that communicates with the outside, receives a login record from the outside, and sends it to a control unit; the control unit, which registers the login record sent from the communication unit in a login history database; the login history database, which holds the login records; a blacklist database that holds information on malicious hackers; and a whitelist database that holds information on legitimate users. The collation method is characterized by including: a step of causing the control unit, when the sent login record is a success record, to compare the login record with the entries of the blacklist database and, when the same data exists, to send via the communication unit a message indicating that the person is a malicious hacker; a step of causing the control unit, when the comparison with the blacklist database shows that no such data exists, to compare the login record with the login records held in the login history database; a step of causing the control unit, when the comparison with the login history database shows that the behaviour of the login is not the same as the behaviour of the logins made so far, to compare the login record with the entries of the whitelist database; and a step of causing the control unit, when the comparison with the whitelist database shows that the same data exists, to send via the communication unit a message indicating that the person is a legitimate user, and when no such data exists, to send via the communication unit a message indicating that the login does not appear to be by the person himself/herself.

(9) In order to solve the above problem, the present invention is also a computer program that causes a computer to operate as a collation server comprising: a communication unit that communicates with the outside, receives a login record from the outside, and sends it to a control unit; the control unit, which registers the login record sent from the communication unit in a login history database; and the login history database, which holds the login records. The computer program is characterized by causing the computer to execute a procedure of causing the control unit, when the sent login record is a success record, to compare the login record with the login records held in the login history database and, when the behaviour of the login is not the same as the behaviour of the logins made so far, to send via the communication unit a message indicating that the login does not appear to be by the person himself/herself.

(10) In order to solve the above problem, the present invention is also a computer program that causes a computer to operate as a collation server comprising: a communication unit that communicates with the outside, receives a login record from the outside, and sends it to a control unit; the control unit, which registers the login record sent from the communication unit in a login history database; the login history database, which holds the login records; a blacklist database that holds information on malicious hackers; and a whitelist database that holds information on legitimate users. The computer program is characterized by causing the computer to execute: a procedure of causing the control unit, when the sent login record is a success record, to compare the login record with the entries of the blacklist database and, when the same data exists, to send via the communication unit a message indicating that the person is a malicious hacker; a procedure of causing the control unit, when the comparison with the blacklist database shows that no such data exists, to compare the login record with the login records held in the login history database; a procedure of causing the control unit, when the comparison with the login history database shows that the behaviour of the login is not the same as the behaviour of the logins made so far, to compare the login record with the entries of the whitelist database; and a procedure of causing the control unit, when the comparison with the whitelist database shows that the same data exists, to send via the communication unit a message indicating that the person is a legitimate user, and when no such data exists, to send via the communication unit a message indicating that the login does not appear to be by the person himself/herself.
[Effect of the invention]

Thus, according to the present invention, because an architecture is built that uses the login history to judge whether a user is a legitimate user, accesses by users judged not to be legitimate users can be detected more efficiently.
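The decision sequence of (4), (8) and (10), together with the cross-site login history of Embodiment 1, worked through as an added Python example. This is not the patent's own code: the record fields, the use of the IP address as the blacklist key, leaving the access time out of the behaviour comparison, registering a record before collating it, and every site, user and IP value in the scenario are assumptions made here.

```python
from collections import defaultdict
from dataclasses import dataclass
from enum import Enum


class Verdict(Enum):
    """Messages the control unit sends via the communication unit (claims 1 to 4)."""
    MALICIOUS_HACKER = "malicious hacker"            # blacklist hit
    LEGITIMATE_USER = "legitimate user"              # behaviour changed but whitelisted
    NOT_SELF = "does not appear to be the person"    # behaviour changed, not whitelisted
    CONSISTENT = "same behaviour as past logins"     # assumption: no message is sent
    STORED_ONLY = "failure record, stored only"      # only success records are collated


@dataclass(frozen=True)
class LoginRecord:
    """One login record as a website reports it (this field set is an assumption)."""
    site: str
    user_id: str
    success: bool
    os: str
    browser: str
    language: str
    ip: str

    def behaviour(self):
        # The attributes the page lists for the whitelist; the access time is
        # deliberately excluded from the equality test (assumption).
        return (self.os, self.browser, self.language, self.ip)


class CollationServer:
    def __init__(self):
        self.history = defaultdict(list)  # login history database: records per user_id, all sites
        self.blacklist = set()            # blacklist database: IP addresses (key choice is an assumption)
        self.whitelist = set()            # whitelist database: (user_id, behaviour) pairs

    def register_blacklist(self, ip):
        """Blacklist registration request received from a website (claim 5)."""
        self.blacklist.add(ip)

    def register_whitelist(self, user_id, behaviour):
        """Whitelist registration request received from a website (claim 6)."""
        self.whitelist.add((user_id, behaviour))

    def collate(self, rec):
        """Claim (4) decision sequence; returns the verdict the server would send back."""
        past = list(self.history[rec.user_id])   # records accumulated from every site so far
        self.history[rec.user_id].append(rec)    # register the record (successes and failures)
        if not rec.success:
            return Verdict.STORED_ONLY
        if rec.ip in self.blacklist:
            return Verdict.MALICIOUS_HACKER
        if any(p.success and p.behaviour() == rec.behaviour() for p in past):
            return Verdict.CONSISTENT
        if (rec.user_id, rec.behaviour()) in self.whitelist:
            return Verdict.LEGITIMATE_USER
        return Verdict.NOT_SELF


def run_demo():
    """Constructed scenario after Figure 1: sites 10a to 10d share one collation server."""
    server = CollationServer()
    usual = dict(user_id="alice", os="Windows 10", browser="Chrome 65", language="ja", ip="203.0.113.10")
    attacker = dict(user_id="alice", os="Linux", browser="curl", language="en", ip="198.51.100.7")
    server.register_whitelist("alice", ("Windows 10", "Chrome 65", "ja", "203.0.113.10"))
    verdicts = []
    verdicts.append(server.collate(LoginRecord(site="10a", success=True, **usual)))    # whitelist hit
    verdicts.append(server.collate(LoginRecord(site="10b", success=True, **usual)))    # matches 10a history
    verdicts.append(server.collate(LoginRecord(site="10c", success=True, **attacker)))  # unknown behaviour
    server.register_blacklist(attacker["ip"])                                           # 10c reports the IP
    verdicts.append(server.collate(LoginRecord(site="10d", success=False, **attacker)))  # stored only
    verdicts.append(server.collate(LoginRecord(site="10d", success=True, **attacker)))   # blacklist hit
    return verdicts


if __name__ == "__main__":
    for v in run_demo():
        print(v.value)
```

Because the history is keyed by user ID rather than by site, the login at site 10b is recognised from the record that site 10a contributed, which is the convenience for each website that Embodiment 1 describes.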

Preferred embodiments of the present invention are described below with reference to the drawings.
Embodiment 1
1-1. Basic configuration
Embodiment 1 describes an example in which a plurality of websites use a common collation server to judge whether a user accessing their own website is a legitimate user. Figure 1 shows an example in which such a plurality of websites (for example, shopping malls) use the common collation server 20.

In Figure 1, the hacker 8 is a malicious hacker, not a legitimate user, who attempts to access the websites 10a, 10b, 10c, 10d and so on by improper means such as masquerading as a legitimate user.

The hacker 8 attempts unauthorized access to the websites 10a, 10b, 10c, 10d provided over a network such as the Internet. For example, the hacker 8 attempts unauthorized access using techniques such as a list-type attack or impersonation. Impersonation is a technique of accessing and taking over a particular website or service by pretending to be someone else; in recent years, a technique called the list-type attack has also been widely used.

A list-type attack is one of the techniques for taking over users' accounts on various websites or services. For example, it is a technique that attempts to log in to a service or website using account information leaked from another service or system. It exploits the fact that many users use the same account name and password on a plurality of websites or services, and attempts to break into other websites using the account name (ID) and password leaked from one website. If the same account name (ID) and password are in use, the user's account on the other website is taken over. List-type attacks are also called password list attacks, list-type account hijacking, account list attacks, and so on.

1-2.動作   在圖1之例中,駭客8,係獲取正式之使用者的ID和密碼(PW),並使用此資訊來利用清單型攻擊而對於網站10a、10b、10c、10d嘗試進行不正當的存取。   比對伺服器20,係從各網站10(a~d)而受訊在各網站10a、10b、10c、10d處的登入之資訊(登入履歷),並記憶在內部的登入歷史中。在本實施形態1中之特徵性的構成,係在於此比對伺服器20,由於係藉由將從各網站10(a~c)而來之登入履歷作積蓄,來代替各網站10(a~c)而判斷進行了存取的人物作為正式使用者是否有所疑慮(並不像是本人),因此,對於各網站10(a~c)而言係為便利。1-2. Action In the example in Figure 1, Hacker 8 obtains the official user ID and password (PW), and uses this information to use a list-type attack to try on websites 10a, 10b, 10c, and 10d. Make unauthorized access. The comparison server 20 receives the login information (login history) of each of the websites 10a, 10b, 10c, and 10d from each website 10 (a to d), and stores it in the internal login history. The characteristic structure in the first embodiment lies in the comparison server 20, because the login history from each website 10 (a to c) is accumulated instead of each website 10 (a ~ c) to determine whether or not the person who has accessed has any doubt as a regular user (not like himself). Therefore, it is convenient for each website 10 (a to c).

As shown in Fig. 1, the collation server 20 comprises a communication unit 22, a control unit 24, a login history database 26 and a blacklist database 28. The login history database 26 stores, on instruction or request from various external websites, the history of logins to those websites (login records). Login records are stored for both successful and failed logins.

The communication unit 22 is the interface through which the server communicates with various external websites and the like over a network such as the Internet; a communication means other than the Internet may also be used, for example a communication interface over a so-called (mobile) telephone network. The communication unit 22 is a suitable example of the communication unit recited in the claims.

The control unit 24 is the means that governs the operation of the collation server 20; specifically, it controls storage in the login history database 26 and the blacklist database 28 and carries out the various operations relating to these databases. It may be constituted, for example, by a CPU and a program executed by that CPU. The program describes the processing carried out by the collation server 20, and is a suitable example of the computer program recited in the claims.

The login history database 26 stores the login information (login records) recorded when a user (or a malicious hacker 8) logs in at one of the websites 10(a~d) supported by the collation server 20.
The blacklist database 28 stores information identifying subjects judged to be a malicious hacker 8.
Both the login history database 26 and the blacklist database 28 may be constituted by a storage means such as a hard disk, or by a semiconductor memory device or an optical storage device. The login history database 26 is a suitable example of the login history database recited in the claims, and the blacklist database 28 is a suitable example of the blacklist database recited in the claims.

Login
Website 10a is a website whose users change their passwords periodically. As a result, the ID and password that hacker 8 uses are stale for website 10a and the login fails. Website 10a then sends a login failure record for this login to the collation server 20, which stores the received login failure record (login record) in its internal login history database 26.

Website 10b, like website 10a, is a website whose users update their passwords frequently; as a result hacker 8 again uses an ID and password that are stale for website 10b, and the login fails. Like website 10a, website 10b sends a login failure record for this login to the collation server 20, which stores the received login action (login record) in its internal login history database 26.

Website 10c differs from websites 10a and 10b in that its users do not update their passwords frequently. As a result, the legitimate user's ID and password leaked from elsewhere and reused by hacker 8 are accepted at website 10c, and the login succeeds: hacker 8 is logged in at website 10c. Whether a login succeeds or fails, each website 10(a~d) sends the login information to the collation server 20. So although the login succeeded, website 10c, like websites 10a and 10b above, sends the login action of hacker 8 to the collation server 20, which stores the login record in the login history database 26.

Check of the login record by the collation server 20
The collation server 20 stores every received login record in the login history database 26 in turn, whether it is a login failure record or a success record.
As described above, at website 10c the identity authentication succeeded because the ID and password were correct, and the login succeeded. Website 10c then sends this login (success) record to the collation server 20.
The flowcharts of Fig. 3 and Fig. 4 describe the operation of the collation server 20 when a login record is sent to it.

In step S3-1 of Fig. 3, when a login record is sent from a particular website 10(a~c), the communication unit 22 first receives the record and passes it to the control unit 24.
In step S3-2, the control unit 24 stores the received login records in the login history database 26 in order.
In step S3-3, the control unit 24 examines the received login record and judges whether it is a success record. If it is a success record, processing moves to step S3-4; if it is a failure record, processing ends.

In step S3-4, the control unit 24 compares the received login record with the entries registered in the blacklist database 28.
In step S3-5, if the comparison of step S3-4 finds the same data registered, the person who made the access can be judged to be a malicious accessor, and processing moves to step S3-6. If no such data is registered, processing moves to step S4-1 of Fig. 4.

In step S3-6, the control unit 24 sends, via the communication unit 22, a message indicating that the accessor is a malicious hacker to the website 10(a~d) that sent the login record, and processing then ends. That website 10(a~d) can therefore refuse the login and prevent the malicious access.
For the example shown in Fig. 1, the case in which website 10c sends a login success record and, in step S3-5 of Fig. 3, the same data is not yet registered in the blacklist database 28 is now described. In that case, because no data matching the accessor is registered in the blacklist database 28, processing moves from step S3-5 to step S4-1 of Fig. 4.

In step S4-1 of Fig. 4, the control unit 24 refers, in the login history database 26, to the login records accumulated so far for the website that sent the present login record.
Next, in step S4-2, the manner of the logins in the referenced past records is compared with the present login (success) record, and it is judged whether the behaviour of the login action is the same as before. If the behaviour differs from the past login actions, it is judged that the accessor does not appear to be the person himself/herself (the legitimate user), and processing moves to step S4-3. If the behaviour is the same as the past login actions, the check of the login record ends, the storage of the login record is complete, and the server waits for the next login record to be sent.
The behaviour judgement may use various techniques. The login action in question may be compared with the contents of the login history database 26, and when many parameters agree or are similar, the behaviour is judged to be the same (common, similar). Likewise, when the majority of parameters agree, are similar or are shared, the behaviour may be judged to be the same even if one parameter that differs greatly is found. Weights may also be set according to the kind of parameter.

In step S4-3, the control unit 24 notifies website 10c that the accessor does not appear to be the legitimate user himself/herself, for example by sending a message such as "does not appear to be the person" to website 10c via the communication unit 22.

In this way, the collation server 20 of this embodiment does not merely store login records one after another; it also
・judges, from the received login record, whether the same content is registered in the blacklist database 28, and if so notifies the website 10 concerned;
・even when nothing matching is registered in the blacklist database 28, judges whether the behaviour of the login record is the same as that of the login records for the website 10(a~c) held in the login history database 26, and when the behaviour differs from the past login actions, sends this fact (for example a message such as "does not appear to be the person") to the website 10c.
Through these operations each website 10 can efficiently judge whether the person who made the access is a legitimate user (or a malicious accessor), which is convenient.

Execution of two-factor authentication at website 10c
In the example of Fig. 1, although the login at website 10c succeeded, website 10c received the message "does not appear to be the person" from the collation server 20 (step S4-3 of Fig. 4). On receiving it, website 10c can, for example, carry out two-factor authentication 30.
Two-factor authentication is authentication based on two different factors. For example, website 10c sends a one-time password to the mobile telephone of the "user" who is trying to log in. The "user" reads the one-time password from his/her own mobile telephone and enters it at website 10c. If the one-time password entered matches the one that website 10c sent, website 10c judges that the accessor is the legitimate person.

The authentication data used for authentication fall roughly into three kinds: "something only the person knows (a password)", "something only the person possesses (a bank card, a mobile telephone)" and "a characteristic of the person himself/herself (biometric data)". Authentication that uses two different kinds from among these is called "two-factor authentication". In the example described above, in addition to the initial "password", the "mobile telephone" that only the person should possess is used as the second authentication datum, on the premise that the mobile telephone with that telephone number should be held only by the person. Embodiment 1 uses these two kinds of authentication data, but two other kinds may be used instead.

In the example of Fig. 1, the result of this two-factor authentication 30 is that the accessor is found not to be the legitimate person, so the login is refused (login refusal 32 in Fig. 1). When login refusal 32 occurs, the accessor is deemed to be a malicious hacker 8 and is registered in the blacklist database 28; that is, website 10c sends a blacklist registration request to the collation server 20.
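The website-side one-time password step described above, written out as an added example (this is not the applicant's code, and the patent does not specify it). Delivery of the code to the telephone is stubbed as a callback; the five-minute validity, the three-attempt limit, the single use of each code and the constant-time comparison are practitioner choices, not details taken from the page. The class, function and constant names are assumptions.

```python
import hmac
import secrets
import time

OTP_DIGITS = 6
OTP_TTL_SECONDS = 300   # assumption: a code is valid for five minutes
MAX_ATTEMPTS = 3        # assumption: three wrong entries spend the challenge


class OtpChallenge:
    """Website-side one-time password step, issued after the collation server
    answers 'does not appear to be the person'."""

    def __init__(self, send_to_phone, now=time.time):
        self.send_to_phone = send_to_phone   # callable(phone_number, code); delivery is out of scope
        self.now = now                       # injectable clock so expiry can be tested
        self.pending = {}                    # user_id -> [code, expires_at, attempts_left]

    def issue(self, user_id, phone_number):
        # secrets, not random: the code must be unpredictable to the accessor.
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self.pending[user_id] = [code, self.now() + OTP_TTL_SECONDS, MAX_ATTEMPTS]
        self.send_to_phone(phone_number, code)   # the code never goes back to the web session

    def verify(self, user_id, submitted):
        """'accept': the person; 'retry': wrong, another attempt allowed;
        'deny': no live challenge, expired, or attempts exhausted (login refusal 32)."""
        entry = self.pending.get(user_id)
        if entry is None:
            return "deny"
        code, expires_at, attempts_left = entry
        if self.now() > expires_at:
            del self.pending[user_id]
            return "deny"
        # Constant-time comparison: a plain == leaks matching prefixes through timing.
        if hmac.compare_digest(code.encode(), str(submitted).encode()):
            del self.pending[user_id]          # a code is single-use
            return "accept"
        entry[2] = attempts_left - 1
        if entry[2] <= 0:
            del self.pending[user_id]
            return "deny"   # the website would now send a blacklist registration request
        return "retry"


def run_challenge(guesses, clock_advance=0):
    """Constructed run: 'REAL' submits the code that was 'sent'; 'WRONG' submits a
    code guaranteed to differ. clock_advance seconds pass before the first guess."""
    sent = {}
    clock = [1_000.0]
    otp = OtpChallenge(send_to_phone=lambda phone, code: sent.__setitem__(phone, code),
                       now=lambda: clock[0])
    otp.issue("alice", "+886-900-000-000")   # constructed user and number
    real = sent["+886-900-000-000"]
    wrong = f"{(int(real) + 1) % 10 ** OTP_DIGITS:0{OTP_DIGITS}d}"
    clock[0] += clock_advance
    return [otp.verify("alice", real if g == "REAL" else wrong) for g in guesses]


if __name__ == "__main__":
    print(run_challenge(["WRONG", "REAL"]))                             # ['retry', 'accept']
    print(run_challenge(["WRONG", "WRONG", "WRONG", "REAL"]))           # ['retry', 'retry', 'deny', 'deny']
    print(run_challenge(["REAL"], clock_advance=OTP_TTL_SECONDS + 1))  # ['deny']
```

The "deny" outcome is the point at which, in the flow of Fig. 1, the website would issue login refusal 32 and send the blacklist registration request. Note that a code sent by SMS proves possession of the telephone number, not of the handset, so the strength of this second factor is bounded by how hard the number is to take over.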

Registration in the blacklist database 28 by the collation server 20
When the collation server 20 receives a blacklist registration request, it registers the content of the request in the blacklist database 28.
Specifically, the communication unit 22 first receives the blacklist registration request and passes it to the control unit 24. On receiving the request, the control unit 24 registers the information about hacker 8 in the blacklist database 28 in accordance with it. The content registered in the blacklist database 28 may be anything, as long as it allows hacker 8 to be identified.

Use of the login history database 26 and the blacklist database 28
In the example of Fig. 1, hacker 8 is also shown carrying out a list-type attack at website 10d, just as at the other websites 10a, 10b and 10c.
Website 10d also uses the collation server 20 and registers its login records in the login history database 26 of the collation server 20. When website 10d determines, as described above, that an accessor is not the legitimate person, it sends a registration request for the blacklist database 28.

In the example of Fig. 1, website 10d, like websites 10a, 10b and 10c, first sends the login record to the collation server 20. The operation of the server 20 in this case is as described in the flowchart of Fig. 3. In particular, in the case of website 10d shown in Fig. 1, the login by ID and password (ID/PW) succeeds, so processing proceeds through steps S3-3, S3-4 and S3-5.

Notably, the accessor who logged in at website 10d shown in Fig. 1 has already been registered in the blacklist database 28: as described above, hacker 8 was registered there through the blacklist registration request sent by website 10c (see Fig. 1). Therefore, for the login record from website 10d, the collation server 20 finds in step S3-5 of Fig. 3 that matching data exists. Processing moves to step S3-6, and the control unit 24 sends (via the communication unit 22) to website 10d a message indicating that the accessor is a malicious hacker recorded in the blacklist.
On receiving this message, website 10d learns that the accessor, hacker 8, is a malicious hacker, and refuses the login.

Thus, in Embodiment 1, website 10d can use the login history database 26 and the blacklist database 28 populated by the other websites 10(a~c), and can efficiently detect a person attempting an unauthorized login. In other words, whether an accessor is a legitimate user can be judged on the basis of what the other websites 10(a~c) have recorded.

Various kinds of content can be set as the recorded content. The login record may include various parameters such as the accessor's IP address, the time, the input speed of the entered ID and password, location information, the kind of device used for access, the kind and version of the browser used, and the name and version of the OS. Only some of these may be recorded, or still other kinds of information may be included.
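The processing of Fig. 3 and Fig. 4 (storage, blacklist check, weighted behaviour comparison, "not the person" message), the blacklist registration request after a failed two-factor check, and the cross-site reuse of the blacklist at website 10d, brought together in one added example. This is not the applicant's code and the patent fixes neither the record format nor the scoring rule: the parameter set follows the list above, while the weights, the 0.6 agreement threshold, the per-parameter tolerances, the choice of IP address plus device as the blacklist identifier, the class and function names, and the sample records for "alice" and the hacker are all assumptions constructed for the example.

```python
from dataclasses import dataclass

# Parameters the page lists for a login record, with assumed weights.
WEIGHTS = {"ip": 3, "location": 2, "device": 2, "browser": 1,
           "os": 1, "hour": 1, "typing_speed": 1}
SAME_THRESHOLD = 0.6   # assumption: weighted share of parameters that must agree


@dataclass
class LoginRecord:
    site: str        # which of the websites 10a..10d sent the record
    user_id: str
    success: bool
    params: dict     # subset of WEIGHTS keys -> observed value


def params_match(key, past, now):
    """Per-parameter 'same or similar' rule; the tolerances are assumptions."""
    if key == "hour":                      # within two hours, wrapping at midnight
        diff = abs(past - now)
        return min(diff, 24 - diff) <= 2
    if key == "typing_speed":              # within 30 % of the larger value
        return abs(past - now) <= 0.3 * max(past, now)
    return past == now


def same_behaviour(past, now):
    """Step S4-2: weighted comparison of two parameter dicts. Because the
    verdict rests on the share of weight that agrees, one strongly differing
    parameter does not flip it when the majority still matches."""
    total = matched = 0
    for key, weight in WEIGHTS.items():
        if key in past and key in now:
            total += weight
            if params_match(key, past[key], now[key]):
                matched += weight
    return total > 0 and matched / total >= SAME_THRESHOLD


class CollationServer:
    def __init__(self):
        self.history = []     # login history database 26
        self.blacklist = []   # blacklist database 28: dicts of identifying fields

    def _blacklisted(self, rec):
        # An entry matches when every identifying field it holds is equal in the record.
        return any(all(rec.params.get(k) == v for k, v in entry.items())
                   for entry in self.blacklist)

    def receive(self, rec):
        """Steps S3-1 to S4-3; returns the message sent back to the website."""
        self.history.append(rec)                        # S3-2: every record is stored
        if not rec.success:                             # S3-3: failure records end here
            return "stored"
        if self._blacklisted(rec):                      # S3-4 / S3-5
            return "malicious"                          # S3-6
        # S4-1: this user's past successful logins. Assumption: taken from all
        # websites, since the page says the server can judge a first-time
        # visitor to one website from history other websites accumulated.
        past = [h for h in self.history[:-1]
                if h.user_id == rec.user_id and h.success]
        if past and not any(same_behaviour(h.params, rec.params) for h in past):
            return "not the person"                     # S4-3
        return "ok"   # same behaviour as before, or nothing yet to compare against

    def register_blacklist(self, identifying):
        """Blacklist registration request from a website after a failed two-factor check."""
        self.blacklist.append(dict(identifying))


# Constructed sample data and scenario following Fig. 1 (not taken from the page).
ALICE = {"ip": "203.0.113.7", "location": "Tokyo", "device": "phone",
         "browser": "Safari 11", "os": "iOS 11", "hour": 21, "typing_speed": 4.0}
HACKER = {"ip": "198.51.100.9", "location": "unknown", "device": "desktop",
          "browser": "Firefox 58", "os": "Linux", "hour": 4, "typing_speed": 0.2}


def run_fig1_scenario():
    server = CollationServer()
    out = {}
    server.receive(LoginRecord("10a", "alice", True, ALICE))                  # legitimate history
    out["10a"] = server.receive(LoginRecord("10a", "alice", False, HACKER))   # stale password
    out["10b"] = server.receive(LoginRecord("10b", "alice", False, HACKER))   # stale password
    out["10c"] = server.receive(LoginRecord("10c", "alice", True, HACKER))    # leaked password works
    # Website 10c runs two-factor authentication 30; it fails, so 10c requests blacklisting.
    server.register_blacklist({"ip": HACKER["ip"], "device": HACKER["device"]})
    out["10d"] = server.receive(LoginRecord("10d", "alice", True, HACKER))    # blacklist hit
    out["alice_10d"] = server.receive(LoginRecord("10d", "alice", True, ALICE))
    out["first_timer"] = server.receive(
        LoginRecord("10b", "bob", True, {**ALICE, "ip": "192.0.2.5"}))        # no history yet
    return out


if __name__ == "__main__":
    for site, verdict in run_fig1_scenario().items():
        print(f"{site}: {verdict}")
```

Two points the scenario makes visible. First, the hacker's successful login at 10c stays in the login history as a success record, so a later login by the hacker with the same parameters would look like "the same behaviour as before" unless the record is marked, which is the reason for the flag mentioned below. Second, the blacklist matches on the identifying fields of the accessor, not on the account, so it protects every website 10(a~d) and every account, including a first-time user of a website, as soon as one website has registered the attacker.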

In the login history database 26 and the blacklist database 28, a reliability level, or data serving as an index on which such a level is based, may also be registered in advance. Further, when for example the result of the two-factor authentication 30 described above is a judgement that the accessor is a malicious hacker and login refusal 32 is carried out, a flag indicating a hacker judged to be malicious may be attached to that login record (the login record in the login history database 26).

In this embodiment the control unit 24 searches the login history database 26 and the blacklist database 28 on the basis of the data sent from each website 10(a~d). However, the system may also be configured so that each website 10(a~d), as a user of the collation server 20, accesses the login history database 26 and the blacklist database 28 directly, and so that the websites 10(a~d) themselves make the judgement from their contents.

1-3. Summary
As described, according to Embodiment 1, a website 10(a~d) such as a shopping mall that uses the collation server 20, equipped with a login history database 26 that accumulates login records one after another, can refer to the access history of an accessor and can therefore efficiently detect whether the accessor is a legitimate user.

In particular, the collation server 20 can detect, from the contents of the login history database 26, an access that "does not appear to be the person". Each website 10(a~d) can thereby learn of a "suspect" access that is hard to identify from the ID and password alone. Moreover, because the collation server 20 can identify a "suspect" person who "does not appear to be the person" on the basis of the access history at other websites 10, a website 10(a~d) using the collation server 20 can easily learn of such a person and carry out two-factor authentication or the like as described above.

If a website wanted to perform this kind of operation on its own, it would need to accumulate a certain amount of user access history itself. Furthermore, for a user accessing that website 10(a~d) for the first time, no access history has been accumulated, so the judgement is difficult.
By contrast, according to Embodiment 1, a judgement that draws on the access history accumulated at other websites 10(a~d) can be obtained from the collation server 20, so it may be possible to judge whether even a user accessing the website 10(a~d) for the first time is a legitimate user.

Furthermore, according to Embodiment 1, the collation server 20 builds (registers) a blacklist database 28, so when a matching person is found in the blacklist database 28 the login can be refused immediately, and the security of the websites is assured more strongly.

As to whether a matching person is registered in the blacklist database 28, each website may query the collation server 20 and make the judgement itself at the website 10. Alternatively, the system may be configured so that when a website 10 registers a login record as shown in Fig. 1, the control unit 24 of the collation server 20 additionally checks the contents of the blacklist database 28; in that case, when matching content is already registered in the blacklist database 28, it is also desirable for the control unit 24 of the collation server 20 to send a message to that effect to the website 10.

Embodiment 2
Embodiment 1 and Fig. 1 above described a collation server 20 equipped with a login history database 26 and a blacklist database 28. With that configuration, the login history and a blacklist can be combined to judge unauthorized access efficiently.
Combining the login history with a whitelist is also suitable. Embodiment 2 describes an example in which the login history and a whitelist are combined in this way.

Embodiment 2, like Embodiment 1, describes an example in which a plurality of websites use a common collation server 40 to judge whether a user accessing their own website is a legitimate user. Fig. 2 shows an example in which such a plurality of websites (for example shopping malls) use the common collation server 40.

In Fig. 2, user 18 is an ordinary user or a legitimate user who has formally registered. User 18 wishes to access websites 10a, 10b, 10c, 10d and so on through an ordinary login operation.

User 18 performs an ordinary login at websites 10a, 10b, 10c and 10d, which are provided over a network such as the Internet.

2-2. Operation
In the example of Fig. 2, when user 18 is accessing a website for the first time, he/she registers at that website and obtains an ID and password by setting them. When user 18 is an already-registered legitimate user, he/she accesses (logs in to) websites 10a, 10b, 10c and 10d using that legitimate user's ID and password (PW).
The collation server 40 receives from each website 10(a~d) the information about logins at websites 10a, 10b, 10c and 10d (the login records) and stores it in its internal login history. In Embodiment 2, as in Embodiment 1, the collation server 40 accumulates the login records coming from each website 10(a~d) and, in place of each website 10(a~d), judges whether the person who made the access is suspect as a legitimate user (does not appear to be the person himself/herself), which is convenient for each website 10(a~d). The operations relating to the login history are roughly the same as in Embodiment 1 above.

As shown in Fig. 2, the collation server 40 comprises a communication unit 42, a control unit 44, a login history database 46 and a whitelist database 48.
The login history database 46 is the same database as the login history database 26 of Embodiment 1 (Fig. 1). The communication unit 42 is the same communication interface as the communication unit 22 of Embodiment 1 (Fig. 1), and is likewise a suitable example of the communication unit recited in the claims.

The control unit 44 is the means that governs the operation of the collation server 40; specifically, it controls writing to and reading from the login history database 46 and the whitelist database 48 and carries out the various operations relating to these databases. It may be constituted, for example, by a CPU and a program executed by that CPU. The program describes the processing carried out by the collation server 40, and is a suitable example of the computer program recited in the claims.

The whitelist database 48 stores information identifying subjects judged to be legitimate users. Embodiment 2 concerns a collation server 40 that can make the login history and this whitelist work together to provide an efficient judgement.
The whitelist database 48, like the login history database 46, may be constituted by a storage means such as a hard disk, or by a semiconductor memory device or an optical storage device. The login history database 46 is a suitable example of the login history database recited in the claims, and the whitelist database 48 is a suitable example of the whitelist database recited in the claims.

Login
Website 10a is a website at which user 18 has registered as a legitimate user and formally obtained an ID and password, and user 18 logs in successfully through the ordinary procedure. Website 10a then sends a login success record for this login to the collation server 40, which stores the received login success record (login record) in its internal login history database 46.

Website 10b, like website 10a, is a website at which user 18 updates the password frequently; as a result user 18 logs in successfully by using the ID and password that are correct for website 10b. Like website 10a, website 10b sends a login success record for this login to the collation server 40, which stores the received login action (login record) in its internal login history database 46.

At website 10c, as at websites 10a and 10b, user 18 can log in normally with the correct ID and password. Website 10c therefore also sends the login information, that is, the login action of user 18, to the collation server 40, which registers each login record in the login history database 46 in turn.
The operation of the collation server 40 when a login record is sent to it is now described with reference to the flowcharts.

Check of the login record by the collation server 40
The collation server 40 registers every received login record in the login history database 46, whether it is a login failure record or a success record.
The flowcharts of Fig. 5 and Fig. 6 describe the operation of the collation server 40 when a login record is sent to it.

In step S5-1 of Fig. 5, when a login record is sent from a particular website 10(a~c), the communication unit 42 first receives it and passes it to the control unit 44.
In step S5-2, the control unit 44 registers the received login records in the login history database 46 in order.

In step S5-3, the control unit 44 inspects the transmitted login history and judges whether it is a success history. If it is a success history, the process proceeds to step S5-4. If it is a failure history, the collation server 40 ends the processing of that login history and waits for the next login history to be transmitted. Since the case shown in FIG. 2 represents an ordinary login operation by the legitimate user 18, the process proceeds to step S5-4 in this case.

In step S5-4, the control unit 44 refers, in the login history database 46, to the login histories accumulated so far for the website 10 (a to c) that transmitted the present login history.
In step S5-5, the control unit 44 compares the login pattern of the referenced past login histories with the present login (success) history and judges whether the behaviour of the login operation is the same as before. If the judgement finds that the behaviour differs from the previous login operations, the login is judged not to look like the behaviour of the user himself/herself (the legitimate user), and the process proceeds to step S5-6.

On the other hand, if the judgement finds that the behaviour is the same as the previous login operations, the check of the login history ends and the storing of the login history is complete. The server then waits for the next login history to be transmitted.
In the example of website 10c shown in FIG. 2, a login that does not look like the user's own is performed. Examples are a login from a terminal different from the usual one, or a login from a new (geographical) location, that is, a login that differs from the logins seen so far. In such a case the process proceeds to step S5-6 as described above.

In step S5-6, the control unit 44 compares the login history stored this time with the registered contents of the whitelist database 48. The process then proceeds to step S6-1 of FIG. 6.
In step S6-1 of FIG. 6, if the comparison in step S5-6 found that the same data is registered, the person who made the access can be judged to be an accessor with proper authority, and the process proceeds to step S6-2. If the same data is not registered, the process proceeds to step S6-3 of FIG. 6.

In step S6-2, the control unit 44 transmits a message such as "this is a legitimate user recorded in the whitelist" to the website (a to d) via the communication unit 42, and the processing of that login history ends. As a result, the website 10 (a to d) can recognise that, although the access was made with behaviour that does not look like the user's own, the accessor has been confirmed to be the legitimate user 18.

In step S6-3, the control unit 44 transmits a message such as "does not appear to be the user himself/herself" via the communication unit 42 to the website 10 (a to d) that transmitted the login history, and the processing ends. As a result, the website 10 (a to d) can recognise that, although the ID and password were correct, the access was made with behaviour that does not look like the user's own.

In this way, the collation server 40 of this embodiment does not merely store login histories one after another; it also
・compares each transmitted login history with the login histories accumulated so far and, when the behaviour is not the same, judges whether the same content is registered in the whitelist database 48. If it is registered in the whitelist database 48, it reports this to the website 10.
Furthermore, even when the content is not registered in the whitelist database 48, because the behaviour of the login history differs from the login operations seen so far, it reports this (for example, with a message such as "does not appear to be the user himself/herself") to the website 10 (10c in the example above).
Through this operation, each website 10 can efficiently judge whether the person who made the access is the legitimate user (or a malicious accessor), which is convenient.

Execution of two-factor authentication at website 10c
In the example shown in FIG. 2, although the login at website 10c succeeded, website 10c received the message "does not appear to be the user himself/herself" from the collation server 40 (step S6-1 of FIG. 6). On receiving this, website 10c can, for example, carry out two-factor authentication 50. Two-factor authentication is as described in Embodiment 1.

In the example shown in FIG. 2, the result of this two-factor authentication 50 establishes that the accessor is the user himself/herself, and the login is therefore permitted (login permission 52 in FIG. 2). When login permission 52 is granted, the accessor is recognised as the proper, legitimate user 18, and website 10c transmits a whitelist registration request to the collation server 40.

Registration in the whitelist database 48 by the collation server 40
When the collation server 40 receives a transmitted whitelist registration request, it registers the content in the whitelist database 48.
Specifically, the communication unit 42 first receives the whitelist registration request.
Next, the communication unit 42 passes the whitelist registration request to the control unit 44.
On receiving the whitelist registration request, the control unit 44 registers information about user 18 in the whitelist database 48 in accordance with the request. The registered content of the whitelist database 48 may be any content, as long as it allows user 18 to be identified.

Use of the login history database 46 and the whitelist database 48 (operation in the case of website 10d)
In the example of FIG. 2, user 18 is shown at website 10d, as at the other websites 10a, 10b and 10c, performing an ordinary login operation with the legitimate ID and password.
Website 10d also uses the collation server 40 and registers its login histories in the login history database 46 of the collation server 40. Furthermore, when website 10d establishes by two-factor authentication, as described above, that the accessor is the user himself/herself, it makes a registration request to the whitelist database 48.

In the example shown in FIG. 2, website 10d, like websites 10a, 10b and 10c, first transmits the login history to the collation server 40. The operation of the server 40 in this case is as described in the flowchart of FIG. 5. In particular, in the case of website 10d shown in FIG. 2, the login by ID and password (ID/PW) succeeds, so the processing proceeds through steps S5-3, S5-4 and S5-5 as usual.

In step S5-5, if the comparison with the login histories finds the same behaviour, the processing at the collation server 40 ends; but if the comparison with the login histories finds different behaviour, the comparison with the whitelist database 48 is carried out in step S5-6.

At website 10d shown in FIG. 2, the accessor who logged in has already been registered in the whitelist database 48. That is, as described above, user 18 was registered in the whitelist database 48 through the whitelist registration request transmitted via website 10c (see FIG. 2).

Therefore, for the login history from website 10d, the collation server 40 determines in step S6-1 of FIG. 6 that the same data exists. As a result, in step S6-2 the control unit 44 transmits a message such as "registered in the whitelist" to website 10d via the communication unit 42, and the processing at the collation server 40 ends.
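The FIG. 5 / FIG. 6 check and the whitelist registration, run over the FIG. 2 walk-through of websites 10a to 10d, as an added Python example. This is not the patent's code: the record fields (a hashed ID, a terminal name and a location), the rule that "same behaviour" means the same terminal from the same location, the comparison against past success histories reported by the same website (as step S5-4 describes), the message texts, and the two-factor authentication result (simulated as passed) are all assumptions made for the example.

```python
"""Added example: the FIG. 5/FIG. 6 check of the collation server 40, run over the
FIG. 2 scenario. Not the patent's code; fields, messages and the behaviour test are assumptions."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Message texts are assumed; the page gives them only as examples in prose.
MESSAGE_WHITELISTED = "legitimate user recorded in the whitelist"      # step S6-2
MESSAGE_NOT_SELF = "does not appear to be the user himself/herself"   # step S6-3


@dataclass(frozen=True)
class LoginHistory:
    site: str        # website that reports the login ("10a" .. "10d")
    user_hash: str   # hashed ID (user information category)
    success: bool    # success history or failure history
    terminal: str    # terminal information (assumed single field)
    location: str    # geographical location derived from the IP address (assumed)


Behaviour = Tuple[str, str]


def hash_id(user_id: str) -> str:
    """Store a hash of the ID rather than the ID itself, as the page suggests."""
    return hashlib.sha256(user_id.encode("utf-8")).hexdigest()


class CollationServer:
    """Control unit 44 with the login history database 46 and the whitelist database 48."""

    def __init__(self) -> None:
        self.history_db: List[LoginHistory] = []
        self.whitelist_db: Dict[str, Set[Behaviour]] = {}

    @staticmethod
    def behaviour(h: LoginHistory) -> Behaviour:
        # Assumption: "same behaviour" means the same terminal from the same location.
        return (h.terminal, h.location)

    def receive_login_history(self, h: LoginHistory) -> Optional[str]:
        """Return the message sent back to the website, or None when nothing is sent."""
        self.history_db.append(h)                     # S5-1, S5-2: register every history
        if not h.success:                             # S5-3: failure histories end here
            return None
        # S5-4: past success histories of this user reported by the same website.
        past = {self.behaviour(p) for p in self.history_db[:-1]
                if p.success and p.site == h.site and p.user_hash == h.user_hash}
        if past and self.behaviour(h) in past:        # S5-5: same behaviour as before
            return None
        # S5-6 / S6-1: behaviour differs (or no history at this site yet): consult the whitelist.
        if self.behaviour(h) in self.whitelist_db.get(h.user_hash, set()):
            return MESSAGE_WHITELISTED                # S6-2
        return MESSAGE_NOT_SELF                       # S6-3

    def register_whitelist(self, h: LoginHistory) -> None:
        """Whitelist registration request sent by a website after two-factor authentication."""
        self.whitelist_db.setdefault(h.user_hash, set()).add(self.behaviour(h))


def run_fig2_scenario() -> Dict[str, object]:
    """Constructed walk-through of FIG. 2: user 18 logs in at websites 10a to 10d."""
    server = CollationServer()
    uid = hash_id("user18")
    usual = dict(user_hash=uid, success=True, terminal="home-pc", location="tokyo")
    results: Dict[str, object] = {}
    # Earlier ordinary logins establish the usual behaviour at 10a, 10b and 10c (constructed).
    for site in ("10a", "10b", "10c"):
        server.receive_login_history(LoginHistory(site=site, **usual))
    # FIG. 2: ordinary logins at 10a and 10b produce no message.
    results["10a"] = server.receive_login_history(LoginHistory(site="10a", **usual))
    results["10b"] = server.receive_login_history(LoginHistory(site="10b", **usual))
    # 10c: correct ID/password, but a new terminal and a new location.
    unusual = LoginHistory("10c", uid, True, "new-phone", "osaka")
    results["10c"] = server.receive_login_history(unusual)
    # 10c runs two-factor authentication 50 (simulated as passed) and requests whitelist registration.
    two_factor_passed = True
    if two_factor_passed:
        server.register_whitelist(unusual)
    # 10d: first login of this user at 10d, from the now-whitelisted terminal and location.
    results["10d"] = server.receive_login_history(LoginHistory("10d", uid, True, "new-phone", "osaka"))
    # A failure history is stored but triggers no comparison (S5-3).
    results["failure"] = server.receive_login_history(LoginHistory("10a", uid, False, "unknown", "unknown"))
    results["stored"] = len(server.history_db)
    return results


if __name__ == "__main__":
    for step, outcome in run_fig2_scenario().items():
        print(step, "->", outcome)
```

In this example a user's very first success history at a website has nothing to be compared with, so it falls through to the whitelist check; that is what lets website 10d grant the login immediately on the strength of the registration made via website 10c, while a first-time user who is not whitelisted gets the "does not appear to be the user" message and can be sent to two-factor authentication by the website.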

In this way, in Embodiment 2, website 10d can use the login history database 46 and the whitelist database 48 populated by the other websites 10 (a to c), and can efficiently detect that the accessor is the legitimate user 18. That is, it can judge whether the person who made the access is a proper user on the basis of content recorded by other websites 10.
Here, various kinds of content can be set as the recorded content. The registered content of a login history can include various parameters such as the accessor's IP address, the time, the input speed of the entered ID and password, location information, the type of device used for the access, the type and version of the browser used, and the name and version of the OS.

Furthermore, a reliability score, or data serving as an index on which such a score is based, may be registered in advance in the login history database 46 and the whitelist database 48. For example, when the result of the above two-factor authentication 50 is that the accessor is judged to be the legitimate user 18 and login permission 52 is granted, a flag indicating that the accessor was judged to be the legitimate user 18 may be attached to that login history (the login history in the login history database 46).

In Embodiment 2, the control unit 44 searches the login history database 46 and the whitelist database 48 on the basis of the data transmitted from each website 10 (a to d). However, the system may also be configured so that each website 10 (a to d), as a user of the collation server 40, accesses the login history database 46 and the whitelist database 48 directly. It may also be configured so that the websites 10 (a to d) themselves make the judgement on the basis of those contents.

2-3. Summary
In this way, according to Embodiment 2, because a collation server 40 equipped with a login history database 46 that accumulates login histories one after another is used, websites 10 (a to d) such as shopping malls can refer to the access history of an accessor. As a result, each website 10 (a to d) can efficiently detect whether the person who made the access is a proper user.

Furthermore, as in Embodiment 1, the collation server 40 can detect access that "does not appear to be the user himself/herself" on the basis of the contents of the login history database 46. Each website 10 (a to d) can therefore learn of "suspicious" access that is hard to judge from the ID and password alone. In particular, because the collation server 40 can identify "suspicious" persons who "do not appear to be the user himself/herself" on the basis of the access histories of other websites 10, the websites 10 (a to d) that use the collation server 40 can easily learn of such persons and, on the basis of the collation server's judgement, carry out two-factor authentication and the like as described above where appropriate.

For example, to perform such an operation with one's own website alone, it would be necessary to accumulate a certain amount of user access history on that website. Moreover, for a user accessing the website 10 (a to d) for the first time, no access history has been accumulated, so the judgement is difficult.
By contrast, according to Embodiment 2, a judgement that makes use of the access histories accumulated by other websites 10 (a to d) can be obtained from the collation server 40, so even for a user accessing the website 10 (a to d) for the first time it may be possible to judge whether he or she is the legitimate user.

Furthermore, according to Embodiment 2, because the collation server 40 builds (registers) a whitelist database 48, when a matching person is found in the whitelist database 48, the website 10 (a to d) can grant login permission immediately (even if the accessor is accessing that website for the first time).

Whether a matching person is registered in the whitelist database 48 may also be determined individually by each website 10, by having each website query the collation server 40. Alternatively, the system may be configured so that, when a website 10 wishes to register a login history as shown in FIG. 1, the control unit 44 of the collation server 40 additionally checks the registered contents of the whitelist database 48. In that case, if matching content is already registered in the whitelist database 48, it is also desirable for the control unit 44 of the collation server 40 to transmit a message indicating this to the website 10.

Summary of Embodiments 1 and 2
(1) Effects
In this way, in Embodiments 1 and 2, login history databases 26, 46 are built and can be shared among a plurality of websites 10 (shared through the collation servers 20, 40), so accesses whose behaviour differs from the behaviour seen so far can be detected efficiently.

In particular, in Embodiment 1, because a blacklist database 28 is built, a malicious hacker can be identified efficiently. Moreover, because a plurality of websites can share that information through the collation server 20, unauthorised access can be prevented more efficiently.
A malicious hacker 8 may be a human operating and performing the access, or may be a computer or other machine mechanically impersonating the proper user and performing the access.

In Embodiment 2, because a whitelist database 48 is built, a user who has been judged to have made a proper access can be identified regardless of his or her behaviour. In particular, because a plurality of websites can share that information through the collation server 40, it can be judged more efficiently that the accessor is a proper user.

(2) Adoption of additional authentication (risk-based authentication)
In Embodiments 1 and 2, an example using two-factor authentication was described, but various other forms of additional authentication (risk-based authentication) may be carried out instead.

(3) Contents of the login history databases 26, 46
The login history databases 26, 46 can record various kinds of login information.
For example, for each login, data of the various categories shown in FIG. 7 can be registered.
FIG. 7 is an explanatory diagram showing an example of registration in the login history databases 26, 46. The figure shows an example of the information registered for a single login; in practice, such information can be registered in the login history databases 26, 46 for every login.
As shown in the figure, the content recorded in the login history databases 26, 46 can be divided into, for example, five categories.

The first category is user information, mainly the ID and password. The user information identifies the user who is the subject of the operation.
As the ID and password, for example, a hashed ID and a hashed password may be recorded. This is done to compact the amount of data and make comparison operations easier, and also to prevent an individual from being fully identified and to reduce the possibility of leaking personal information.

The second category is terminal information, that is, information about the terminal the user used to access the website 10; the type of terminal used, the type of OS and the like are recorded. Information related to the language used may also be recorded.

The third category is information such as the browser the user is using. The browser information is also recorded for each terminal used. When several kinds of browser are used, information on each of those browsers is recorded. Although the term "browser" is used here, it may broadly include all means and programs used to access the website 10.

The fourth category is the IP address of the user making the access. The user's location can be determined from this IP address.
The fifth category is page transitions. As shown in FIG. 7, this is, for example, the referrer URL, and indicates where the user came from when moving to the website.

These are one example of a login history; the system may also be configured to register less information as the login history. Although five categories are shown in the description above and in FIG. 7, the number of categories may be smaller (even one) or larger. The content of the registered login history may also differ depending on the website used. In the login history databases 26, 46, such login histories are registered at every login and gradually accumulate.

(4) Contents of the whitelist database 48 and the blacklist database 28
The contents of the whitelist database 48 and the blacklist database 28 built in Embodiments 1 and 2 can include various parameters.
The content recorded in the two may be the same or may differ.
FIG. 8 is an explanatory diagram showing an example of the records in the whitelist database 48, which holds information on users judged to be legitimate users, and an example of the records in the blacklist database 28, which holds information on malicious hackers impersonating legitimate users.
As shown in the figure, the content recorded in the whitelist database 48 (and the blacklist database 28) is roughly the same as the registered content of the login history databases 26, 46 shown in FIG. 7, and is divided into, for example, five categories.

The first to fourth categories of information are as described above.
The fifth category is page transitions. As in FIG. 7, this is, for example, the referrer URL. In particular, the whitelist database 48 and the blacklist database 28 may additionally contain information indicating which pages were viewed on the website 10. For example, FIG. 8 shows a browsing history in which the legitimate user in the whitelist database 48, after logging in, checks the purchase history on the purchase history page and then views the points confirmation page to confirm the available points. By contrast, a malicious hacker impersonating a legitimate user in the blacklist database may have a browsing history of proceeding straight to the points exchange page immediately after logging in and attempting a points exchange. It is known empirically that the pages viewed on the website 10 differ greatly between legitimate users and impersonating malicious hackers.

Furthermore, the page transition information may also record the time spent on the website 10. It is well known that a malicious hacker generally spends a shorter time on the website 10 than a legitimate user. As such time information, the time spent on each page viewed may also be recorded.

A malicious hacker may be a human, or may be a machine (computer) impersonating a proper user. When such a computer impersonates a legitimate user, both the total time spent on the website 10 and the time spent on each page are often very short, so it can sometimes be distinguished from a human on the basis of dwell time. It can also sometimes be distinguished from a human because its text input speed is abnormally fast.

Various information other than the above may also be included, for example the speed of text input. It is known from experience that the key input of a malicious program impersonating a human is abnormally fast.

The recorded content described here is only one example; many other kinds of information may be recorded. The recorded content described here shows a standard example, and the whitelist database and blacklist database may be built from fewer kinds of information. Although five categories are shown in the description above and in FIG. 8, the number of categories may be smaller, and the number of categories may differ between the blacklist and the whitelist. Depending on the application, even a single category is useful.

Embodiment 3: Detailed configuration of the collation servers 20, 40 and related techniques
(1) Collation server
The collation servers 20, 40 described above are servers used by a plurality of websites 10 that gradually accumulate login histories. Compared with each website 10 accumulating login histories on its own, more login histories of a given user 18 can be accumulated, so whether an access shows the same behaviour as before can be judged more efficiently from the login behaviour, and the result can be reported to each website 10.

As a result, each website 10 can carry out further authentication of the legitimacy of user 18, such as two-factor authentication 30, and can efficiently detect unauthorised access.
Furthermore, each website 10 can make registration requests to the blacklist database 28 and the whitelist database 48 on the basis of the result of that further authentication of legitimacy. Therefore, once an accessor is registered in the blacklist database 28 or the whitelist database 48, the collation servers 20, 40 (their control units 24, 44) can judge more reliably whether that accessor is a proper user and provide the result to each website 10.

(2) Login history database
The login history databases 26, 46 of Embodiments 1 and 2 accumulate login histories one after another, whether the login succeeded or failed. Various methods of accumulation may be used, but since the log is finite, it is also desirable to delete old data at appropriate times.

The login history databases 26, 46 need only accumulate the information of FIG. 7 at every login, but it is also desirable to keep only a specific number of the most recent login success histories for the same user 18 and delete the older ones in order.
This operation can be performed by the control units 24, 44.

The login history databases 26, 46 likewise accumulate the information of FIG. 7 at every login for login failure histories, but for these it is difficult to determine which histories belong to the same hacker 8. Therefore, for login failure histories, it is also desirable to decide in advance a specific maximum total amount of accumulated data and, when the stored amount exceeds that specific amount, delete login failure histories starting from the oldest. This operation can also be performed by the control units 24, 44.

Alternatively, the amount of accumulated data may be decided in advance for each website separately. It is also desirable to decide in advance, for each website 10, a maximum amount of accumulated login failure histories and, when that amount is exceeded, delete login failure histories starting from the oldest.
Alternatively, an accumulation period may be decided in advance, and old login histories exceeding that period deleted one after another.
This operation can also be performed by the control units 24, 44.
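The retention rules described under (2) for the login history database, as an added Python example that is not the patent's code. It keeps the newest N success histories per user, caps failure histories first per reporting website and then in total (the page offers these as alternatives; here both are optional), and drops entries older than an accumulation period, always deleting the oldest first. The numeric limits, the record fields and the sample data are assumptions made for the example.

```python
"""Added example of the retention rules described for the login history databases 26, 46.
Not the patent's own code; the limits and the sample records are assumed values."""
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class LoginHistory:
    site: str        # website that reported the login (e.g. "10a")
    user_hash: str   # hashed ID from the user information category (empty for unattributed failures)
    success: bool
    timestamp: int   # seconds since the epoch (constructed values in the sample)


# Assumed limits; the page leaves the "specific number" and "specific amount" open.
MAX_SUCCESS_PER_USER = 3
MAX_FAILURES_TOTAL = 4
MAX_FAILURES_PER_SITE = 2
MAX_AGE_SECONDS = 30 * 24 * 3600


def prune(history_db: List[LoginHistory], now: int,
          max_success_per_user: int = MAX_SUCCESS_PER_USER,
          max_failures_total: Optional[int] = MAX_FAILURES_TOTAL,
          max_failures_per_site: Optional[int] = MAX_FAILURES_PER_SITE,
          max_age: Optional[int] = MAX_AGE_SECONDS) -> List[LoginHistory]:
    """Return the histories the control unit should keep; the oldest entries are deleted first."""
    kept = sorted(history_db, key=lambda h: h.timestamp)   # oldest first
    # Accumulation period: drop anything older than max_age.
    if max_age is not None:
        kept = [h for h in kept if now - h.timestamp <= max_age]
    # Success histories can be attributed to a user by the hashed ID,
    # so only the newest N per user survive.
    per_user = defaultdict(list)
    for h in kept:
        if h.success:
            per_user[h.user_hash].append(h)
    successes = [h for entries in per_user.values() for h in entries[-max_success_per_user:]]
    # Failure histories cannot reliably be grouped by attacker, so they are capped
    # by volume: first per reporting website, then globally.
    failures = [h for h in kept if not h.success]
    if max_failures_per_site is not None:
        per_site = defaultdict(list)
        for h in failures:
            per_site[h.site].append(h)
        failures = [h for entries in per_site.values() for h in entries[-max_failures_per_site:]]
        failures.sort(key=lambda h: h.timestamp)
    if max_failures_total is not None:
        failures = failures[-max_failures_total:]
    return sorted(successes + failures, key=lambda h: h.timestamp)


def sample_history(now: int) -> List[LoginHistory]:
    """Constructed sample: one user's successes, failures at two websites, and stale entries."""
    user = "hash-of-user18"
    hist = [LoginHistory("10a", user, True, now - 3_000_000)]           # older than the period
    hist += [LoginHistory("10a", user, True, now - t) for t in (50, 40, 30, 20, 10)]
    hist += [LoginHistory("10a", "", False, now - t) for t in (9, 8, 7)]
    hist += [LoginHistory("10b", "", False, now - t) for t in (6, 5, 4)]
    hist += [LoginHistory("10c", "", False, now - 3_000_000)]          # stale failure
    return hist


if __name__ == "__main__":
    NOW = 10_000_000
    for h in prune(sample_history(NOW), NOW):
        print(h)
```

The deletion is done as a pure function over the whole database so that the same routine can be run periodically by the control unit or applied once per insertion; in a real deployment the age filter would run before the volume caps so that stale entries never count against the per-site or global limits, which is the order used here.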

(3) Coexistence of the blacklist database 28 and the whitelist database 48
In Embodiments 1 and 2 above, a collation server 20 with a blacklist database 28 and a collation server 40 with a whitelist database 48 were described, but a collation server with both a blacklist database 28 and a whitelist database 48 may also be configured.

In such a configuration, the following may be carried out in order:
・comparison with the registered contents of the blacklist database 28
・comparison with the login histories
・comparison with the registered contents of the whitelist database 48.
Specifically, processing need only continue from the "No" branch at step S3-5 of FIG. 3 to step S5-4 of FIG. 5.

4. Significance and effects
In recent years, many cases have been found in which a malicious third party uses one acquired set of ID and password to make unauthorised accesses to a plurality of websites 10 in succession. The collation servers 20, 40 of this embodiment can be a particularly effective countermeasure against such serial unauthorised access. Furthermore, Embodiments 1 and 2 provide a general architecture in which not only the ID and password of user 18 but also the login histories of the actions of user 18 and hacker 8 are recorded, login history databases 26, 46 are built, and these are shared among a plurality of websites. Therefore, compared with a single website managing its users' histories by itself, the identification of user 18 and the detection of hacker 8 can be performed more efficiently.

5. Other modifications. (1) In the embodiments above, the collation servers 20 and 40 may be located anywhere on the Internet as long as they are at a location accessible from each website 10. For example, they may be located in the same server as a particular website 10 (for example 10a). In that case, a website with an attached collation server, that is, a combination of a collation server and a website, can be constructed.

(2) The number of records for the same user in the whitelist database 48 may be set to a fixed number (for example n records, n being a natural number), but it may also be fewer or more. The number of registered records may also be configured to be dynamically adjusted according to circumstances.

(3) In the embodiments above, no limit is set on the number of records in the blacklist database 28, but an upper limit on the number of registered records may be set in consideration of, for example, the computation speed of the comparison. In that case, processing such as gradually deleting records starting from the oldest may be performed.

(4) In the embodiments above, the data in the whitelist database 48 are recorded based on actual accesses, but typical legitimate data may also be recorded manually in advance. Likewise, examples of unauthorized access that have already been identified may be recorded manually in advance in the blacklist database 28.

(5) In the embodiments above, the data in the whitelist database 48 are updated at each new access and old data are deleted, but fixed records may also be designated manually in advance. This is a measure that takes into account users 18 whose access frequency is low.

(6) Further, the records of the whitelist database 48 and the blacklist database 28 may be fine-tuned as appropriate by manual or other means, and records that are not very important may be deleted manually. Various manual operations may be applied.

(7) In the embodiments above, the hashed ID and hashed password are recorded in the whitelist database 48 and the blacklist database 28, but data that have not been hashed may also be used, and an ID and password to which a particular encryption has been applied may also be used.
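Modifications (2), (3), (5) and (7) together describe how the two list databases are bounded and curated: a per-user cap of n whitelist records with the oldest dropped first, a cap that can be adjusted dynamically, manually fixed records that must survive the ageing-out, a capped blacklist that deletes from the oldest entry, and hashed identifiers. The following is an added illustration of those storage rules, not code from the patent or the applicant; the record shapes, the SHA-256 hashing, and the choice to refresh rather than duplicate a re-seen entry are assumptions.

```python
"""Bounded whitelist and blacklist stores as sketched in modifications (2),
(3), (5) and (7): a per-user cap of n behaviour records evicted oldest-first,
a dynamically adjustable cap, operator-pinned records that survive eviction,
and a capped blacklist that drops its oldest entries.  Added illustration,
not the patent's code; record shapes are assumptions."""
from collections import OrderedDict
import hashlib


def hash_value(value: str) -> str:
    """Store hashed IDs/passwords (modification (7)); SHA-256 is an assumption."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


class BoundedWhitelist:
    """n most recent behaviours per user, plus pinned ones that never age out."""

    def __init__(self, n: int = 3):
        self.n = n
        self._rolling = {}  # hashed id -> list of behaviours, oldest first
        self._pinned = {}   # hashed id -> set of fixed behaviours (modification (5))

    def set_limit(self, n: int) -> None:
        """Dynamic adjustment of the cap (modification (2)); trims if it shrank."""
        self.n = n
        for user in self._rolling:
            self._trim(user)

    def _trim(self, user: str) -> None:
        rolling = self._rolling[user]
        del rolling[:max(0, len(rolling) - self.n)]  # drop the oldest entries

    def pin(self, user: str, behaviour: tuple) -> None:
        """Manually fix a record, e.g. for a user who logs in rarely."""
        self._pinned.setdefault(user, set()).add(behaviour)

    def observe(self, user: str, behaviour: tuple) -> None:
        """Record a behaviour seen at a new access; oldest is dropped when over cap."""
        if behaviour in self._pinned.get(user, set()):
            return  # already permanently known
        rolling = self._rolling.setdefault(user, [])
        if behaviour in rolling:
            rolling.remove(behaviour)  # re-seen: move to the newest position
        rolling.append(behaviour)
        self._trim(user)

    def contains(self, user: str, behaviour: tuple) -> bool:
        return (behaviour in self._pinned.get(user, set())
                or behaviour in self._rolling.get(user, []))

    def rolling_records(self, user: str) -> list:
        return list(self._rolling.get(user, []))


class BoundedBlacklist:
    """Capped blacklist; when full, the oldest registration is deleted first."""

    def __init__(self, max_records: int = 10000):
        self.max_records = max_records
        self._entries = OrderedDict()  # (hashed id, hashed pw) -> None, insertion order

    def add(self, user_id: str, pw_hash: str) -> None:
        key = (user_id, pw_hash)
        if key in self._entries:
            self._entries.move_to_end(key)  # refresh rather than duplicate
        else:
            self._entries[key] = None
        while len(self._entries) > self.max_records:
            self._entries.popitem(last=False)  # oldest first (modification (3))

    def contains(self, user_id: str, pw_hash: str) -> bool:
        return (user_id, pw_hash) in self._entries

    def __len__(self) -> int:
        return len(self._entries)
```

Pinned records are kept in a separate structure rather than inside the rolling list so that lowering n can never evict a record an operator fixed on purpose; that separation is what lets modification (5) coexist with modification (2).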

Although embodiments of the present invention have been described in detail, the foregoing embodiments merely show specific examples for carrying out the present invention. The technical scope of the present invention is not limited to the embodiments described above. Various changes may be made to the present invention without departing from its gist, and such changes are also included in the technical scope of the present invention.

Reference numerals:
8: hacker
10, 10a, 10b, 10c, 10d: websites
18: user
20, 40: collation server
22, 42: communication unit
24, 44: control unit
26, 46: login history database
28: blacklist database
30, 50: two-factor authentication (execution of)
32: login rejection
48: whitelist database
52: login permission

[Fig. 1] is an explanatory diagram showing how a malicious hacker accesses a plurality of websites in embodiment 1.
[Fig. 2] is an explanatory diagram showing how a legitimate user 18 accesses a plurality of websites in embodiment 2.
[Fig. 3] is a flowchart showing the operation of the collation server 20 in embodiment 1.
[Fig. 4] is a continuation of the flowchart showing the operation of the collation server 20 in embodiment 1.
[Fig. 5] is a flowchart showing the operation of the collation server 40 in embodiment 2.
[Fig. 6] is a continuation of the flowchart showing the operation of the collation server 40 in embodiment 2.
[Fig. 7] is an explanatory diagram showing an example of the contents registered in the login history databases 26 and 46 of embodiments 1 and 2.
[Fig. 8] is an explanatory diagram showing an example of the contents registered in the whitelist database 48 and the blacklist database 28 of embodiments 1 and 2.

Claims (10)

1. A collation server comprising:
a communication unit that communicates with the outside, receives a login history from the outside, and transmits it to a control unit;
the control unit, which registers the login history transmitted from the communication unit in a login history database; and
the login history database, which holds the login history,
wherein, when the transmitted login history is a success history, the control unit compares the login history with the login histories held in the login history database and, when the login is not the same behavior as past logins, transmits through the communication unit a message indicating that the login does not appear to be by the person themselves.

2. The collation server according to claim 1, further comprising:
a blacklist database, which holds information on malicious hackers,
wherein, when the transmitted login history is a success history, the control unit compares the login history with the registered contents of the blacklist database and, when the same data exists, transmits through the communication unit a message indicating a malicious hacker.

3. The collation server according to claim 1, further comprising:
a whitelist database, which holds information on legitimate users,
wherein, when the transmitted login history is a success history, the control unit compares the login history with the registered contents of the whitelist database and, when the same data exists, transmits through the communication unit a message indicating a legitimate user.

4. A collation server comprising:
a communication unit that communicates with the outside, receives a login history from the outside, and transmits it to a control unit;
the control unit, which registers the login history transmitted from the communication unit in a login history database;
the login history database, which holds the login history;
a blacklist database, which holds information on malicious hackers; and
a whitelist database, which holds information on legitimate users,
wherein, when the transmitted login history is a success history, the control unit compares the login history with the registered contents of the blacklist database and, when the same data exists, transmits through the communication unit a message indicating a malicious hacker;
when the comparison with the registered contents of the blacklist database finds no such data, the control unit compares the login history with the login histories held in the login history database;
when the comparison with the contents held in the login history database shows that the login is not the same behavior as past logins, the control unit compares the login history with the registered contents of the whitelist database; and
when the comparison with the registered contents of the whitelist database finds the same data, the control unit transmits through the communication unit a message indicating a legitimate user, and when no such data exists, transmits through the communication unit a message indicating that the login does not appear to be by the person themselves.

5. The collation server according to claim 2 or 4, wherein
the communication unit receives a blacklist registration request from the outside and transmits it to the control unit, and
the control unit registers the malicious hacker information contained in the blacklist registration request transmitted from the communication unit in the blacklist database.

6. The collation server according to claim 3 or 4, wherein
the communication unit receives a whitelist registration request from the outside and transmits it to the control unit, and
the control unit registers the legitimate user information contained in the whitelist registration request transmitted from the communication unit in the whitelist database.

7. A collation method that uses a collation server to collate whether a login history appears to be by the person themselves,
the collation server comprising:
a communication unit that communicates with the outside, receives a login history from the outside, and transmits it to a control unit;
the control unit, which registers the login history transmitted from the communication unit in a login history database; and
the login history database, which holds the login history,
the collation method comprising:
a step of causing the control unit, when the transmitted login history is a success history, to compare the login history with the login histories held in the login history database and, when the login is not the same behavior as past logins, to transmit through the communication unit a message indicating that the login does not appear to be by the person themselves.

8. A collation method that uses a collation server to collate whether a login history appears to be by the person themselves,
the collation server comprising:
a communication unit that communicates with the outside, receives a login history from the outside, and transmits it to a control unit;
the control unit, which registers the login history transmitted from the communication unit in a login history database;
the login history database, which holds the login history;
a blacklist database, which holds information on malicious hackers; and
a whitelist database, which holds information on legitimate users,
the collation method comprising:
a step of causing the control unit, when the transmitted login history is a success history, to compare the login history with the registered contents of the blacklist database and, when the same data exists, to transmit through the communication unit a message indicating a malicious hacker;
a step of causing the control unit, when the comparison with the registered contents of the blacklist database finds no such data, to compare the login history with the login histories held in the login history database;
a step of causing the control unit, when the comparison with the contents held in the login history database shows that the login is not the same behavior as past logins, to compare the login history with the registered contents of the whitelist database; and
a step of causing the control unit, when the comparison with the registered contents of the whitelist database finds the same data, to transmit through the communication unit a message indicating a legitimate user, and when no such data exists, to transmit through the communication unit a message indicating that the login does not appear to be by the person themselves.

9. A computer program that causes a computer to operate as a collation server,
the collation server comprising:
a communication unit that communicates with the outside, receives a login history from the outside, and transmits it to a control unit;
the control unit, which registers the login history transmitted from the communication unit in a login history database; and
the login history database, which holds the login history,
the computer program causing the computer to execute the following procedure:
a procedure of causing the control unit, when the transmitted login history is a success history, to compare the login history with the login histories held in the login history database and, when the login is not the same behavior as past logins, to transmit through the communication unit a message indicating that the login does not appear to be by the person themselves.

10. A computer program that causes a computer to operate as a collation server,
the collation server comprising:
a communication unit that communicates with the outside, receives a login history from the outside, and transmits it to a control unit;
the control unit, which registers the login history transmitted from the communication unit in a login history database;
the login history database, which holds the login history;
a blacklist database, which holds information on malicious hackers; and
a whitelist database, which holds information on legitimate users,
the computer program causing the computer to execute the following procedures:
a procedure of causing the control unit, when the transmitted login history is a success history, to compare the login history with the registered contents of the blacklist database and, when the same data exists, to transmit through the communication unit a message indicating a malicious hacker;
a procedure of causing the control unit, when the comparison with the registered contents of the blacklist database finds no such data, to compare the login history with the login histories held in the login history database;
a procedure of causing the control unit, when the comparison with the contents held in the login history database shows that the login is not the same behavior as past logins, to compare the login history with the registered contents of the whitelist database; and
a procedure of causing the control unit, when the comparison with the registered contents of the whitelist database finds the same data, to transmit through the communication unit a message indicating a legitimate user, and when no such data exists, to transmit through the communication unit a message indicating that the login does not appear to be by the person themselves.

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
JP2017-247098 2017-12-23
JP2017247098A JP6564841B2 (en) 2017-12-23 2017-12-23 Verification server, verification method and computer program

Publications (2)

Publication Number Publication Date
TW201928750A true TW201928750A (en) 2019-07-16
TWI769240B TWI769240B (en) 2022-07-01

Family

ID=66993193

Family Applications (1)

Application Number Title Priority Date Filing Date
TW107112974A TWI769240B (en) 2017-12-23 2018-04-17 Comparison server, comparison method and computer program

Country Status (3)

Country Link
JP (1) JP6564841B2 (en)
TW (1) TWI769240B (en)
WO (1) WO2019123665A1 (en)


Also Published As

Publication number Publication date
TWI769240B (en) 2022-07-01
JP2019114061A (en) 2019-07-11
WO2019123665A1 (en) 2019-06-27
JP6564841B2 (en) 2019-08-21
