TWI769240B - Comparison server, comparison method and computer program - Google Patents


Info

Publication number
TWI769240B
Authority
TW
Taiwan
Prior art keywords
log
history
database
login
aforementioned
Prior art date
Application number
TW107112974A
Other languages
Chinese (zh)
Other versions
TW201928750A (en)
Inventor
島津敦好
Original Assignee
日商科力思股份有限公司
Application filed by 日商科力思股份有限公司
Publication of TW201928750A
Application granted
Publication of TWI769240B

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 13/00 Interconnection of, or transfer of information or other signals between, memories, input/output devices or central processing units
    • G06F 16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F 21/31 User authentication

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Security & Cryptography (AREA)
  • Databases & Information Systems (AREA)
  • Data Mining & Analysis (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Information Transfer Between Computers (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
  • Debugging And Monitoring (AREA)
  • Hardware Redundancy (AREA)

Abstract

[Problem] To provide a technique that uses a so-called login history to detect more efficiently whether an access is an unauthorized access or a legitimate access by the legitimate user.
[Solution] A comparison server comprises: a communication unit that receives a login record from outside and passes it to a control unit; the control unit, which registers the login record received from the communication unit in a login history database; and the login history database, which holds the login records. The comparison server is characterized in that, when the received login record is a successful login record, the control unit compares it with the login records held in the login history database and, when the behaviour of this login is not the same as that of the logins so far, sends, via the communication unit, a message indicating that the login does not appear to be by the genuine user.

Description

Comparison server, comparison method and computer program

The present invention relates to a comparison server that can be used by various web sites that provide particular services to users. It also relates to a comparison method performed by that comparison server, and to a related computer program.

Web sites (service-providing systems) that provide users with various services over a network such as the Internet are well known in the prior art.

A user who wishes to use such a web site accesses and logs in to it with an assigned ID and password, and can then receive the desired service from the web site.

For example, a user of a shopping-mall web site logs in to the site with an ID and password, moves between the pages the site provides, and can purchase goods on the page where the desired product is found.

In prior-art web sites, an ID and password are used in most cases so that only legitimate users can use the site. The use of an ID and password is expected to keep out so-called malicious intruders and allow smooth use of the service.

<Malicious access>
In recent years, however, incidents have been reported in which a malicious third party obtains another person's ID and password by improper means. When a malicious third party logs in to a web site using the ID and password of another person (the legitimate user), it is difficult to distinguish from the ID and password alone whether the person logging in is the legitimate user or a malicious third party.

For this reason, the following general architecture has become known in recent years: information about the actions that legitimate users perform after logging in is recorded in advance and stored in a database as a whitelist. The following general information is suitable as the action information to be recorded.

・OS
・Browser
・Language
・IP address (indicating the geographical location of the user making the access)
・Time (the time at which the access was made)
If such information is recorded and a database is built in advance as a so-called whitelist (WhiteList), it becomes possible to detect that a logged-in user is behaving differently from usual. For a user who behaves differently from usual, additional authentication is preferably performed in order to confirm that the user is not a malicious third party. For example, a message such as "Your ID is currently being used to access the following web site. Is this access being made by you? If not, please press (touch) the NO button" is sent to the user's mobile phone or smartphone; when the NO button is pressed (touched), it can be judged that the person making the access is not the legitimate user but a malicious third party. That user's access can then be cut off immediately.

Examples include access from a location (IP address) different from usual, or access from a personal computer (OS, browser) different from usual. In such cases, additional authentication is performed to confirm whether the person is the legitimate user (also called identity confirmation). A whitelist is in most cases built from on the order of several tens of past accesses by the legitimate user, but it may be built from fewer (several) or more (several hundred). A whitelist may also be configured to be updated, being replaced with new information each time the legitimate user accesses the site. Similarly, a method of building a blacklist from data on malicious third parties is also used. Using such whitelists or blacklists is expected to distinguish malicious third parties from legitimate users efficiently.

Prior patent documents: for example, Patent Document 1 below discloses a device that searches content information using a whitelist and a blacklist. That document states that privacy is protected by using the two lists.

Patent Document 2 below, for example, discloses an access control system that controls access to web sites using a whitelist and a blacklist. Patent Document 3 below, for example, discloses a storage medium specially designed for an architecture that restricts access to the storage medium; that architecture uses a whitelist and a blacklist.
[Prior Art Documents]
[Patent Documents]

[Patent Document 1] Japanese Patent Laid-Open No. 2012-159939
[Patent Document 2] Japanese Patent Laid-Open No. 2011-3132
[Patent Document 3] Japanese Patent Laid-Open No. 2011-248474

[Problem to Be Solved by the Invention]

As described above, in prior-art web sites, information about the access actions of legitimate users is recorded in advance as a whitelist, and additional authentication is performed as appropriate for users whose actions differ greatly from the whitelist.

However, a malicious third party naturally disguises himself skilfully as the legitimate user, so it is often difficult to see through the disguise. Consequently, cases are often handled according to the rules of thumb of the person in charge of security measures. For example, a malicious third party may be discovered by a rule of thumb such as "on a financial institution's web site, a withdrawal from a deposit account that reaches the withdrawal limit is highly likely to be by a malicious third party".

Furthermore, the same ID and password are often used in common across a plurality of web sites. In that case, once one set of ID and password has been improperly obtained by a malicious third party, unauthorized accesses are sometimes found to be made successively to a plurality of web sites. In such a case, when unauthorized access to one web site is detected, providing that information to the operators of other web sites is expected to be effective in preventing the successive unauthorized accesses that result from the shared use of an ID and password.

For such an architecture, the present inventor filed a patent application, Japanese Patent Application No. 2016-092850 (hereinafter "the prior application"), on 3 May 2016. In that prior application, the inventor proposed an architecture that uses not only a whitelist but also a blacklist to detect unauthorized access efficiently and to share the results.

Whitelists and blacklists record information about those who have made accesses, and on that basis they are believed to make it more efficient to detect whether the user making an access is the legitimate user. Experience has shown, however, that a person making malicious accesses behaves in ways clearly different from a legitimate user, such as repeatedly failing to log in to the same site many times.

Here, whitelists and blacklists are static data about the state of the person who made the access, and contain almost no information relating to "login records" or "behaviour", such as what kind of login behaviour (record) is in progress and what kind of login actions have been performed so far.

It is therefore desirable to have an architecture that, in addition to the above whitelist and blacklist, also uses a so-called login history to judge from the behaviour of the person making the access whether that person is the legitimate user or a malicious accessor; however, no such architecture has existed so far.

The present invention has been made in view of the above problem, and its object is to provide a technique that uses a so-called login history to detect more efficiently whether an access is an unauthorized access or a legitimate access by the legitimate user.
[Means for Solving the Problem]

(1) To solve the above problem, the present invention is a comparison server comprising: a communication unit that communicates with the outside, receives a login record from outside, and passes it to a control unit; the control unit, which registers the login record received from the communication unit in a login history database; and the login history database, which holds the login records; the comparison server being characterized in that, when the received login record is a successful login record, the control unit compares the login record with the login records held in the login history database and, when the behaviour of this login is not the same as that of the logins so far, sends, via the communication unit, a message indicating that the login does not appear to be by the genuine user.

(2) The present invention is also the comparison server of (1), further comprising a blacklist database that holds information on malicious hackers, wherein, when the received login record is a successful login record, the control unit compares the login record with the entries registered in the blacklist database and, when the same data exists there, sends, via the communication unit, a message indicating that the person is a malicious hacker.

(3) The present invention is also the comparison server of (1), further comprising a whitelist database that holds information on legitimate users, wherein, when the received login record is a successful login record, the control unit compares the login record with the entries registered in the whitelist database and, when the same data exists there, sends, via the communication unit, a message indicating that the person is the legitimate user.

(4) To solve the above problem, the present invention is a comparison server comprising: a communication unit that communicates with the outside, receives a login record from outside, and passes it to a control unit; the control unit, which registers the login record received from the communication unit in a login history database; the login history database, which holds the login records; a blacklist database that holds information on malicious hackers; and a whitelist database that holds information on legitimate users; the comparison server being characterized in that, when the received login record is a successful login record, the control unit compares the login record with the entries registered in the blacklist database and, when the same data exists there, sends, via the communication unit, a message indicating that the person is a malicious hacker; when the comparison with the blacklist database finds no such data, the control unit compares the login record with the login records held in the login history database; when the comparison with the login history database finds that the behaviour of this login is not the same as that of the logins so far, the control unit compares the login record with the entries registered in the whitelist database; and when the comparison with the whitelist database finds the same data, the control unit sends, via the communication unit, a message indicating that the person is the legitimate user, whereas when no such data exists, it sends, via the communication unit, a message indicating that the login does not appear to be by the genuine user.

(5) The present invention is also the comparison server of (2) or (4), characterized in that the communication unit receives a blacklist registration request from outside and passes it to the control unit, and the control unit registers, in the blacklist database, the malicious-hacker information contained in the blacklist registration request received from the communication unit.

(6) The present invention is also the comparison server of (3) or (4), characterized in that the communication unit receives a whitelist registration request from outside and passes it to the control unit, and the control unit registers, in the whitelist database, the legitimate-user information contained in the whitelist registration request received from the communication unit.

(7) To solve the above problem, the present invention is a comparison method that uses a comparison server to compare whether a login record appears to be by the genuine user, the comparison server comprising: a communication unit that communicates with the outside, receives a login record from outside, and passes it to a control unit; the control unit, which registers the login record received from the communication unit in a login history database; and the login history database, which holds the login records; the comparison method being characterized by including a step of causing the control unit, when the received login record is a successful login record, to compare the login record with the login records held in the login history database and, when the behaviour of this login is not the same as that of the logins so far, to send, via the communication unit, a message indicating that the login does not appear to be by the genuine user.

(8) To solve the above problem, the present invention is a comparison method that uses a comparison server to compare whether a login record appears to be by the genuine user, the comparison server comprising: a communication unit that communicates with the outside, receives a login record from outside, and passes it to a control unit; the control unit, which registers the login record received from the communication unit in a login history database; the login history database, which holds the login records; a blacklist database that holds information on malicious hackers; and a whitelist database that holds information on legitimate users; the comparison method being characterized by including: a step of causing the control unit, when the received login record is a successful login record, to compare the login record with the entries registered in the blacklist database and, when the same data exists there, to send, via the communication unit, a message indicating that the person is a malicious hacker; a step of causing the control unit, when the comparison with the blacklist database finds no such data, to compare the login record with the login records held in the login history database; a step of causing the control unit, when the comparison with the login history database finds that the behaviour of this login is not the same as that of the logins so far, to compare the login record with the entries registered in the whitelist database; and a step of causing the control unit, when the comparison with the whitelist database finds the same data, to send, via the communication unit, a message indicating that the person is the legitimate user, and, when no such data exists, to send, via the communication unit, a message indicating that the login does not appear to be by the genuine user.

(9) To solve the above problem, the present invention is a computer program that causes a computer to operate as a comparison server, the comparison server comprising: a communication unit that communicates with the outside, receives a login record from outside, and passes it to a control unit; the control unit, which registers the login record received from the communication unit in a login history database; and the login history database, which holds the login records; the computer program being characterized by causing the computer to execute a procedure of causing the control unit, when the received login record is a successful login record, to compare the login record with the login records held in the login history database and, when the behaviour of this login is not the same as that of the logins so far, to send, via the communication unit, a message indicating that the login does not appear to be by the genuine user.

(10) To solve the above problem, the present invention is a computer program that causes a computer to operate as a comparison server, the comparison server comprising: a communication unit that communicates with the outside, receives a login record from outside, and passes it to a control unit; the control unit, which registers the login record received from the communication unit in a login history database; the login history database, which holds the login records; a blacklist database that holds information on malicious hackers; and a whitelist database that holds information on legitimate users; the computer program being characterized by causing the computer to execute: a procedure of causing the control unit, when the received login record is a successful login record, to compare the login record with the entries registered in the blacklist database and, when the same data exists there, to send, via the communication unit, a message indicating that the person is a malicious hacker; a procedure of causing the control unit, when the comparison with the blacklist database finds no such data, to compare the login record with the login records held in the login history database; a procedure of causing the control unit, when the comparison with the login history database finds that the behaviour of this login is not the same as that of the logins so far, to compare the login record with the entries registered in the whitelist database; and a procedure of causing the control unit, when the comparison with the whitelist database finds the same data, to send, via the communication unit, a message indicating that the person is the legitimate user, and, when no such data exists, to send, via the communication unit, a message indicating that the login does not appear to be by the genuine user.
[Effects of the Invention]

Thus, according to the present invention, since an architecture is constructed that uses the login history to judge whether a user is the legitimate user, accesses by users judged not to be legitimate users can be detected more efficiently.
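The decision flow of claims (4), (8) and (10) above, together with the registration requests of (5) and (6), as an added Python example that is not part of the patent. It assumes a tuple of (user ID, OS, browser, language, IP address) as the key for whitelist and blacklist entries, that "the same behaviour" means a previously seen environment for that ID with no burst of failed logins just before the success (the burst thresholds are constructed), and that no message is sent when the behaviour matches the history, a case the claims leave unstated; the login records in the demo are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Message contents the control unit sends back through the communication unit.
MALICIOUS_HACKER = "malicious hacker"
LEGITIMATE_USER = "legitimate user"
NOT_GENUINE = "does not appear to be the genuine user"

# The description notes that attackers repeatedly fail to log in to the same site;
# these two thresholds turn that observation into a rule and are assumptions of
# this example, not figures from the patent.
FAIL_WINDOW = 600      # seconds looked back for failed attempts by the same ID
FAIL_THRESHOLD = 3     # failures in that window that count as unusual behaviour

Fingerprint = Tuple[str, str, str, str, str]   # (user_id, os, browser, language, ip)


@dataclass(frozen=True)
class LoginRecord:
    """One login record sent by a web site to the comparison server."""
    site: str
    user_id: str
    os: str
    browser: str
    language: str
    ip: str
    time: int        # seconds since epoch (constructed values in the demo below)
    success: bool    # the history keeps both successful and failed logins


def fingerprint(rec: LoginRecord) -> Fingerprint:
    """The static attributes that whitelist and blacklist entries are keyed on."""
    return (rec.user_id, rec.os, rec.browser, rec.language, rec.ip)


class ComparisonServer:
    """Control unit plus the three databases of claim (4)."""

    def __init__(self) -> None:
        self.history: List[LoginRecord] = []       # login history database
        self.blacklist: Set[Fingerprint] = set()   # blacklist database
        self.whitelist: Set[Fingerprint] = set()   # whitelist database

    # Claims (5) and (6): registration requests sent in by the web sites.
    def register_blacklist(self, fp: Fingerprint) -> None:
        self.blacklist.add(fp)

    def register_whitelist(self, fp: Fingerprint) -> None:
        self.whitelist.add(fp)

    def behaviour_matches_history(self, rec: LoginRecord) -> bool:
        """Is this login the same kind of behaviour as this ID's logins so far?"""
        prior = [r for r in self.history if r.user_id == rec.user_id]
        failures = [r for r in prior
                    if not r.success and rec.time - FAIL_WINDOW <= r.time < rec.time]
        if len(failures) >= FAIL_THRESHOLD:
            return False                 # burst of failures right before this success
        known = {(r.os, r.browser, r.language, r.ip) for r in prior if r.success}
        if not known:
            return True                  # first login seen for this ID: nothing to compare (assumption)
        return (rec.os, rec.browser, rec.language, rec.ip) in known

    def _decide(self, rec: LoginRecord) -> Optional[str]:
        fp = fingerprint(rec)
        if fp in self.blacklist:                    # step 1: blacklist
            return MALICIOUS_HACKER
        if self.behaviour_matches_history(rec):     # step 2: login history
            return None                             # nothing sent in this case (assumption)
        if fp in self.whitelist:                    # step 3: whitelist
            return LEGITIMATE_USER
        return NOT_GENUINE

    def compare(self, rec: LoginRecord) -> Optional[str]:
        """Decision flow of claim (4); returns the message content to send, if any."""
        result = self._decide(rec) if rec.success else None   # only successes are compared
        self.history.append(rec)                                # every record is kept
        return result


def demo() -> List[Optional[str]]:
    """Constructed scenario: web sites 10a-10d share one comparison server."""
    srv = ComparisonServer()
    alice = dict(user_id="alice", os="Windows", browser="Chrome", language="ja", ip="203.0.113.5")
    attacker = dict(user_id="alice", os="Linux", browser="Firefox", language="en", ip="198.51.100.7")
    out = []
    out.append(srv.compare(LoginRecord("10a", time=1000, success=True, **alice)))     # None
    out.append(srv.compare(LoginRecord("10b", time=2000, success=True, **alice)))     # None
    for t in (2900, 2930, 2960):                      # list-type attack: failures, then a hit
        srv.compare(LoginRecord("10c", time=t, success=False, **attacker))
    out.append(srv.compare(LoginRecord("10c", time=3000, success=True, **attacker)))  # NOT_GENUINE
    srv.register_blacklist(("alice", "Linux", "Firefox", "en", "198.51.100.7"))     # site 10c reports it
    out.append(srv.compare(LoginRecord("10d", time=3100, success=True, **attacker)))  # MALICIOUS_HACKER
    travel = dict(alice, os="macOS", browser="Safari", ip="203.0.113.9")           # alice's new laptop
    srv.register_whitelist(("alice", "macOS", "Safari", "ja", "203.0.113.9"))      # confirmed by site 10a
    out.append(srv.compare(LoginRecord("10a", time=4000, success=True, **travel)))    # LEGITIMATE_USER
    return out


if __name__ == "__main__":
    print(demo())
```

Note that the attacker's successful login is itself stored in the history, so a later login from that environment would count as "known" unless the blacklist entry catches it first; the blacklist check coming before the history check in claim (4) is what prevents that.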

Suitable embodiments of the present invention are described below with reference to the drawings.
Embodiment 1
1-1. Basic configuration
Embodiment 1 describes an example in which a plurality of web sites use a common comparison server to judge whether a user accessing each site is a legitimate user. FIG. 1 shows an example in which such a plurality of web sites (for example, shopping malls) use a common comparison server 20.

In FIG. 1, a hacker 8 is a malicious hacker rather than a legitimate user, who attempts to access web sites 10a, 10b, 10c, 10d and so on by improper means such as impersonating a legitimate user.

The hacker 8 attempts unauthorized access to web sites 10a, 10b, 10c and 10d provided over a network such as the Internet, for example by a list-type attack or by impersonation. Impersonation is a technique of accessing and taking over a particular web site or service while pretending to be someone else; in recent years a technique called the so-called list-type attack has also been widely used.

A list-type attack is one of the attack techniques for taking over users' accounts on various web sites or services. For example, it is a technique that attempts to log in to a service or web site using account information leaked from another service or system. It exploits the fact that many users use the same account name and password on a plurality of web sites or services, and attempts to break into other web sites using an account name (ID) and password leaked from one web site. If the same account name (ID) and password are in use, the user's account on those other web sites is taken over. List-type attacks are also called password list attacks, list-type account hijacking, account list attacks and so on.

1-2. Operation

In the example of FIG. 1, hacker 8 obtains the ID and password (PW) of a legitimate user and uses this information in a list-type attack to attempt unauthorized access to websites 10a, 10b, 10c and 10d.

Comparison server 20 receives the login information (login records) for each of websites 10a, 10b, 10c and 10d from each website 10 (a to d) and stores them in its internal login history. The characteristic configuration of Embodiment 1 is that comparison server 20 accumulates the login records coming from each website 10 (a to c) and, on behalf of each website 10 (a to c), determines whether there is doubt that the person who made the access is a legitimate user (that is, whether the access does not appear to be the genuine user), which is convenient for each website 10 (a to c).

As shown in FIG. 1, comparison server 20 comprises a communication unit 22, a control unit 24, a login history database 26 and a blacklist database 28. Login history database 26 stores the history of logins to a website (login records) on the instruction or request of the various external websites. Login records are stored for both successful and failed logins.

Communication unit 22 is an interface for communicating with various external websites and the like over a network such as the Internet; communication means other than the Internet may also be used, for example a communication interface using a so-called (mobile) telephone network. Communication unit 22 is one suitable example of the communication unit recited in the claims.

Control unit 24 is the means that governs the operation of comparison server 20. Specifically, it controls storage in login history database 26 and blacklist database 28 and performs the various operations relating to these databases. It may be constituted, for example, by a CPU and a program executed by that CPU. The program describes the processing performed by comparison server 20 and is one suitable example of the computer program recited in the claims.

Login history database 26 is a database that stores, for the websites 10 (a to d) supported by comparison server 20, the login information (login records, that is, the login history) produced when a user (or malicious hacker 8) logs in.

Blacklist database 28 is a database that stores information on entities determined to be malicious hackers 8.

Both login history database 26 and blacklist database 28 may be constituted by storage means such as a hard disk; a semiconductor memory device or an optical storage device may also be used. Login history database 26 is one suitable example of the login history database recited in the claims, and blacklist database 28 is one suitable example of the blacklist database recited in the claims.

Login

Website 10a is a website whose users change their passwords periodically. As a result, the ID and password used by hacker 8 are stale for website 10a and the login fails. Website 10a then sends a login failure record for this failed login to comparison server 20. Comparison server 20 stores the received login failure record (login record, that is, login history) in its internal login history database 26.

Website 10b, like website 10a, is a website whose users update their passwords frequently. As a result, the ID and password used by hacker 8 are stale for website 10b and the login fails. Website 10b, like website 10a, sends a login failure record for this failed login to comparison server 20. Comparison server 20 stores the received login action (login record) in its internal login history database 26.

Website 10c differs from websites 10a and 10b in that its users do not update their passwords frequently. As a result, hacker 8 reuses the legitimate user's ID and password leaked from elsewhere on website 10c and the login succeeds; that is, hacker 8 logs in to website 10c successfully. Whether a login succeeds or fails, each website 10 (a to d) sends the login information to comparison server 20. Website 10c, although the login succeeded, sends the login action by hacker 8 to comparison server 20 just as websites 10a and 10b did, and comparison server 20 stores the login record in login history database 26.

Checking of login records by comparison server 20

Comparison server 20 stores every received login record in login history database 26 as it arrives, regardless of whether it is a login failure record or a login success record.

As described above, at website 10c the identity authentication succeeded with a correct ID and password and the login succeeded. Website 10c sends this login (success) record to comparison server 20.

The flowcharts of FIG. 3 and FIG. 4 describe the operation of comparison server 20 when a login record is sent to it.

In step S3-1 of FIG. 3, when a login record is first sent from a particular website 10 (a to c), communication unit 22 receives the login record and passes it to control unit 24.

In step S3-2, control unit 24 stores the received login records in login history database 26 in order.

In step S3-3, control unit 24 examines the received login record and determines whether it is a success record. If it is a success record, the process proceeds to step S3-4; if it is a failure record, the process ends.

In step S3-4, control unit 24 compares the received login record with the entries registered in blacklist database 28.

In step S3-5, if the comparison in step S3-4 finds that the same data is registered, the person who made the access can be determined to be a malicious accessor, and the process proceeds to step S3-6. If the same data is not registered, the process proceeds to step S4-1 of FIG. 4.

In step S3-6, control unit 24 sends, via communication unit 22, a message indicating that the accessor is a malicious hacker to the website 10 (a to d) that sent the login record, and the process then ends. As a result, that website 10 (a to d) can refuse the login and prevent the malicious access.

In the example shown in FIG. 1, the case in which website 10c sends a login success record and, in step S3-5 of FIG. 3, the same data has not yet been registered in blacklist database 28 is described. In this case, because data matching the person who made the access is not registered in blacklist database 28, step S3-5 proceeds to step S4-1 of FIG. 4.

In step S4-1 of FIG. 4, control unit 24 refers, in login history database 26, to the past login records of the website that sent the received login record.

Next, in step S4-2, the login pattern in the referenced past login records is compared with the current login (success) record, and it is determined whether the behaviour of the login action is the same as before. If the behaviour differs from the previous login actions, it is determined that the accessor does not appear to be the genuine (legitimate) user, and the process proceeds to step S4-3. If the behaviour is the same as the previous login actions, the check of the login record ends and the storing of the login record ends; the server then waits for the next login record to be sent.

Various techniques may be used to judge behaviour. The login action in question may be compared with the contents of login history database 26, and the behaviour judged to be the same (common, similar) when many parameters match or are similar. Further, if most parameters match, are similar or are common, the behaviour may be judged to be the same even if one parameter is found to differ greatly. Weights may also be set according to the type of parameter.

In step S4-3, control unit 24 notifies website 10c that the accessor does not appear to be the legitimate user, for example by sending a message such as "does not appear to be the genuine user" to website 10c via communication unit 22.

Thus comparison server 20 of this embodiment does not merely store login records one after another; it also
・determines, from the received login record, whether the same content is registered in blacklist database 28, and if it is registered in blacklist database 28, reports this to the website 10 concerned.

Further, even when the record is not registered in blacklist database 28, it determines whether the behaviour in the login record is the same as that in the login records of that website 10 (a to c) in login history database 26, and if the behaviour differs from the previous login actions, reports this (for example, with a message such as "does not appear to be the genuine user") to the website 10c concerned.

By these operations, each website 10 can efficiently determine whether the person who made the access is a legitimate user (or a malicious accessor), which is convenient.

Execution of two-factor authentication at website 10c

In the example shown in FIG. 1, website 10c, although the login succeeded, has received the message "does not appear to be the genuine user" from comparison server 20 (step S4-3 of FIG. 4). On receiving this, website 10c can, for example, carry out two-factor authentication 30.

Two-factor authentication is a method of authenticating on the basis of two different factors. For example, website 10c sends a one-time password to the mobile telephone of the "user" who wants to log in. The "user" reads the one-time password from their own mobile telephone and enters it on website 10c. If the entered one-time password is the same as the one-time password website 10c sent, website 10c determines that the person is the genuine user.

Authentication data used for authentication fall roughly into three kinds: "something only the person knows (a password)", "something only the person possesses (a bank card, a mobile telephone)" and "a characteristic of the person themself (biometric data)". A method that authenticates using two different kinds among these is called "two-factor authentication". In the example described above, in addition to the initial "password", the "mobile telephone" that only the person should possess is used as the second authentication factor, on the basis that the mobile telephone with that telephone number should be held only by the person concerned. Embodiment 1 uses these two kinds of authentication data, but two other kinds may be used instead.
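The one-time-password step described above, as an added example that is not the patent's own code: the site issues a short code to be delivered to the user's telephone, then compares what the user types. The properties a practitioner would want from this step, which the description does not spell out, are made explicit here: the code comes from a CSPRNG, it expires, it is single-use, a few wrong guesses invalidate it, and the comparison is constant-time. The class name, the 6-digit format, the 300-second lifetime and the injected clock are assumptions of this example.

```python
import hmac
import secrets
import time


class OneTimePasswordStep:
    """Second authentication factor: a code sent to the user's telephone.

    Hypothetical helper for this example. The site calls issue() when the
    comparison server reports a login that "does not appear to be the genuine
    user", delivers the returned code out of band, and calls verify() with
    what the user types in.
    """

    def __init__(self, ttl_seconds: int = 300, max_attempts: int = 3, clock=time.time):
        self._pending = {}            # user_id -> [code, expires_at, attempts_left]
        self.ttl = ttl_seconds        # lifetime of an issued code (assumed 5 minutes)
        self.max_attempts = max_attempts
        self.clock = clock            # injectable so tests can simulate expiry

    def issue(self, user_id: str) -> str:
        """Create a fresh 6-digit code from a CSPRNG; any earlier code is replaced."""
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self._pending[user_id] = [code, self.clock() + self.ttl, self.max_attempts]
        return code   # handed to the SMS/push sender, never echoed to the browser

    def verify(self, user_id: str, entered: str) -> bool:
        """True only for the current, unexpired code; the code is consumed on success
        and discarded after expiry or when the guess budget is exhausted."""
        entry = self._pending.get(user_id)
        if entry is None:
            return False
        code, expires_at, _ = entry
        if self.clock() > expires_at:
            del self._pending[user_id]          # expired: force a new issue()
            return False
        entry[2] -= 1
        # Constant-time comparison so timing does not leak how many digits matched.
        ok = hmac.compare_digest(code.encode(), str(entered).encode())
        if ok or entry[2] <= 0:
            del self._pending[user_id]          # single use; also drop after too many guesses
        return ok


if __name__ == "__main__":
    step = OneTimePasswordStep()
    sent = step.issue("alice")                  # would be delivered to alice's phone
    print("first check  :", step.verify("alice", sent))   # True
    print("replayed code:", step.verify("alice", sent))   # False, already consumed
```

A site that receives the "does not appear to be the genuine user" message would hold the session in a pending state until verify() returns True; a False result after the guess budget is spent is the point at which the description has the site refuse the login and send its blacklist registration request.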

In the example shown in FIG. 1, the result of two-factor authentication 30 reveals that the accessor is not the genuine user, so the login is refused (login refusal 32 in FIG. 1). When login refusal 32 occurs, the accessor is deemed to be malicious hacker 8 and is registered in blacklist database 28; that is, website 10c sends a blacklist registration request to comparison server 20.

Registration in blacklist database 28 by comparison server 20

When comparison server 20 receives the sent blacklist registration request, it registers the content in blacklist database 28.

Specifically, communication unit 22 first receives the blacklist registration request and then passes it to control unit 24. On receiving the blacklist registration request, control unit 24 registers the information about hacker 8 in blacklist database 28 in accordance with the request. The content registered in blacklist database 28 may be anything that allows hacker 8 to be identified.

Use of login history database 26 and blacklist database 28

In the example of FIG. 1, hacker 8 is also shown carrying out a list-type attack on website 10d, just as on the other websites 10a, 10b and 10c.

Website 10d also uses comparison server 20 and registers its login records in login history database 26 of comparison server 20. Further, when website 10d determines, as described above, that an accessor is not the genuine user, it makes a registration request to blacklist database 28.

In the example shown in FIG. 1, website 10d, like websites 10a, 10b and 10c, first sends the login record to comparison server 20. The operation of comparison server 20 in this case is as described in the flowchart of FIG. 3. In particular, in the case of website 10d shown in FIG. 1, the login with the ID and password (ID/PW) succeeds, so the processing proceeds through steps S3-3, S3-4 and S3-5.

In particular, the accessor who logged in at website 10d shown in FIG. 1 is already registered in blacklist database 28. That is, as described above, hacker 8 has been registered in blacklist database 28 through the blacklist registration request sent by website 10c (see FIG. 1). Therefore, for the login record from website 10d, comparison server 20 finds in step S3-5 of FIG. 3 that the same data exists. As a result, the process proceeds to step S3-6, and control unit 24 sends (via communication unit 22) a message to website 10d indicating that the accessor is a malicious hacker recorded in the blacklist.

By receiving this message, website 10d learns that the accessing hacker 8 is a malicious hacker 8 and refuses the login.

Thus, in Embodiment 1, website 10d can use login history database 26 and blacklist database 28, which were populated by the other websites 10 (a to c), to detect efficiently a person attempting an unauthorized login. That is, it can determine whether the person who made the access is a legitimate user on the basis of the content recorded by the other websites 10 (a to c).

Various kinds of content may be set as the recorded content. A login record may include, as registered content, various parameters such as the accessor's IP address, the time, the typing speed of the entered ID and password, location information, the type of device used for the access, the type and version of the browser used, and the name and version of the OS. Only some of this information may be used as registered content, or still more kinds of information may be included.
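The whole Embodiment 1 flow, as an added example that is not the patent's code: steps S3-1 to S3-6 (store, skip failures, blacklist match), steps S4-1 to S4-3 (weighted comparison of the login's behaviour against earlier records), the blacklist registration request, and the login-record parameters listed just above. The class and field names, the weights, the 30% tolerance on typing speed, the 0.5 threshold and the choice of IP address as the blacklist identifier are assumptions of this example; the sample records are constructed. One deliberate generalisation, following the summary in section 1-3: past records from every website, not only the sending one, are used for the behaviour comparison, so a user seen for the first time at one site can still be judged from history accumulated elsewhere.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginRecord:
    """One login record as a website would send it to the comparison server.
    Field set follows the parameters named in the description; names are assumed."""
    site: str        # sending website, e.g. "10a"
    user_id: str     # account name (ID) that was entered
    success: bool    # True for a login success record, False for a failure record
    ip: str
    device: str
    browser: str
    os: str
    typing_ms: int   # time taken to type the ID and password, in milliseconds


# Per-parameter weights (the description allows weights by parameter type;
# these particular values are an assumption for the example).
WEIGHTS = {"ip": 2.0, "device": 2.0, "browser": 1.0, "os": 1.0, "typing": 1.5}


def similarity(a: LoginRecord, b: LoginRecord) -> float:
    """Weighted share of parameters that match or are similar, in [0.0, 1.0].
    Categorical fields must match exactly; typing speed counts as similar when
    the two values are within 30% of each other."""
    score = 0.0
    for key in ("ip", "device", "browser", "os"):
        if getattr(a, key) == getattr(b, key):
            score += WEIGHTS[key]
    slower = max(a.typing_ms, b.typing_ms)
    if slower and abs(a.typing_ms - b.typing_ms) <= 0.3 * slower:
        score += WEIGHTS["typing"]
    return score / sum(WEIGHTS.values())


class ComparisonServer:
    """Shared comparison server: login history database 26 plus blacklist database 28."""

    def __init__(self, threshold: float = 0.5):
        self.login_history = []     # stands in for database 26
        self.blacklist = set()      # stands in for database 28, keyed by IP (assumption)
        self.threshold = threshold  # below this the behaviour counts as different

    def receive_login_record(self, rec: LoginRecord) -> str:
        """Steps S3-1..S3-6 and S4-1..S4-3; returns the verdict sent back to the site."""
        self.login_history.append(rec)             # S3-2: store every record, success or failure
        if not rec.success:                        # S3-3: a failure record ends processing here
            return "stored"
        if rec.ip in self.blacklist:               # S3-4/S3-5: match against the blacklist
            return "blacklisted"                   # S3-6: the site should refuse the login
        # S4-1: earlier successful logins for this ID, from any site (section 1-3).
        past = [r for r in self.login_history[:-1]
                if r.user_id == rec.user_id and r.success]
        if not past:
            return "ok"                            # nothing to compare against yet
        best = max(similarity(rec, r) for r in past)   # S4-2: compare login behaviour
        return "ok" if best >= self.threshold else "suspicious"   # S4-3 when it differs

    def register_blacklist(self, identifier: str) -> None:
        """Blacklist registration request from a site whose second factor failed."""
        self.blacklist.add(identifier)


def run_scenario() -> list:
    """Replays the FIG. 1 story with constructed records and returns the verdicts."""
    srv = ComparisonServer()
    genuine = dict(user_id="alice", success=True, ip="198.51.100.7", device="phone",
                   browser="Safari", os="iOS", typing_ms=4000)
    attacker = dict(user_id="alice", ip="203.0.113.5", device="desktop",
                    browser="Chrome", os="Linux", typing_ms=300)   # credentials pasted, not typed
    verdicts = [
        srv.receive_login_record(LoginRecord(site="10b", **genuine)),                  # first sighting
        srv.receive_login_record(LoginRecord(site="10a", **genuine)),                  # same behaviour
        srv.receive_login_record(LoginRecord(site="10a", success=False, **attacker)),  # stale password
        srv.receive_login_record(LoginRecord(site="10c", success=True, **attacker)),   # succeeds, differs
    ]
    srv.register_blacklist("203.0.113.5")   # site 10c's two-factor step failed
    verdicts.append(srv.receive_login_record(LoginRecord(site="10d", success=True, **attacker)))
    return verdicts


if __name__ == "__main__":
    print(run_scenario())   # ['ok', 'ok', 'stored', 'suspicious', 'blacklisted']
```

The verdict strings stand in for the messages the description has control unit 24 send through communication unit 22; a real deployment would also record the time and location parameters and would key the blacklist on whatever identifier the requesting site supplied, since the description leaves that choice open.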

Further, reliability, or data serving as an index on which reliability is based, may be registered in advance in login history database 26 and blacklist database 28. For example, when the result of the two-factor authentication 30 described above is that the accessor is determined to be a malicious hacker and login refusal 32 is performed, a flag indicating that the accessor was determined to be a malicious hacker may be attached to that login record (the login record in login history database 26).

In this embodiment, control unit 24 searches login history database 26 and blacklist database 28 on the basis of the data sent from each website 10 (a to d). However, the server may also be configured so that each website 10 (a to d) that uses comparison server 20 can access login history database 26 and blacklist database 28 directly, and so that the websites 10 (a to d) themselves make the determination based on their contents.

1-3. Summary

Thus, according to Embodiment 1, by using comparison server 20, which has login history database 26 accumulating login records one after another, a website 10 (a to d) such as a shopping mall can refer to the access history of an accessor and can therefore efficiently detect whether the accessor is a legitimate user.

In particular, comparison server 20 can detect an access that "does not appear to be the genuine user" on the basis of the content of login history database 26. Each website 10 (a to d) can therefore learn of a "doubtful" access that is hard to identify from the ID and password alone. Moreover, because comparison server 20 can identify a person who is "doubtful" or "does not appear to be the genuine user" on the basis of the access history of other websites 10, the websites 10 (a to d) using comparison server 20 can easily learn of such persons and can carry out two-factor authentication or the like as described above.

For example, if a website wanted to perform such an operation by itself, it would need to accumulate a certain amount of user access history on its own site. Moreover, for a user accessing that website 10 (a to d) for the first time, no access history has accumulated, so the determination is difficult.

By contrast, according to Embodiment 1, a determination that makes use of the access history accumulated for other websites 10 (a to d) can be obtained from comparison server 20, so it becomes possible to determine whether even a user accessing the website 10 (a to d) for the first time is a legitimate user.

Further, according to Embodiment 1, because comparison server 20 has constructed (registered) blacklist database 28, a login can be refused immediately when a matching person is found in blacklist database 28, so the security of the website can be assured more strongly.

Whether a matching person is registered in blacklist database 28 may also be determined by each website 10 by querying comparison server 20. Alternatively, the server may be configured so that, when each website 10 registers a login record as shown in FIG. 1, control unit 24 of comparison server 20 additionally checks the content registered in blacklist database 28. In that case, it is also desirable for control unit 24 of comparison server 20 to send a message to website 10 indicating that matching content is already registered in blacklist database 28.

Embodiment 2

Embodiment 1 and FIG. 1 above described comparison server 20 having login history database 26 and blacklist database 28. With this configuration, login records and a blacklist can be combined to judge unauthorized access efficiently.

However, combining login records with a whitelist is also suitable. Embodiment 2 describes an example in which login records and a whitelist are combined in this way.

Embodiment 2, like Embodiment 1, describes an example in which a plurality of websites share a common comparison server 40 to determine whether a user accessing their own website is a legitimate user. FIG. 2 shows an example in which a plurality of such websites (for example, shopping malls) use a common comparison server 40.

In FIG. 1, user 18 is an ordinary user or a legitimate user who has formally registered. User 18 wants to access websites 10a, 10b, 10c, 10d and so on by a normal login action.

User 18 performs a normal login to websites 10a, 10b, 10c and 10d, which are provided over a network such as the Internet.

2-2. Operation

In the example of FIG. 2, when user 18 is accessing for the first time, user 18 registers at the website and obtains an ID and password by setting them. When user 18 is an already registered legitimate user, user 18 accesses (logs in to) websites 10a, 10b, 10c and 10d using that legitimate user's ID and password (PW).

Comparison server 40 receives the login information (login records) for each of websites 10a, 10b, 10c and 10d from each website 10 (a to d) and stores them in its internal login history. In Embodiment 2, as in Embodiment 1, comparison server 40 accumulates the login records coming from each website 10 (a to d) and, on behalf of each website 10 (a to d), determines whether there is doubt that the person who made the access is a legitimate user (that is, whether the access does not appear to be the genuine user), which is convenient for each website 10 (a to d). The operations relating to the login history are largely the same as in Embodiment 1 above.

As shown in FIG. 2, comparison server 40 comprises a communication unit 42, a control unit 44, a login history database 46 and a whitelist database 48.

Login history database 46 is the same database as login history database 26 of Embodiment 1 (FIG. 1). Communication unit 42 is also the same communication interface as communication unit 22 of Embodiment 1 (FIG. 1), and is likewise one suitable example of the communication unit recited in the claims.

Control unit 44 is the means that governs the operation of comparison server 40. Specifically, it controls writing to and reading from login history database 46 and whitelist database 48 and performs the various operations relating to these databases. It may be constituted, for example, by a CPU and a program executed by that CPU. The program describes the processing performed by comparison server 40 and is one suitable example of the computer program recited in the claims.

Whitelist database 48 is a database that stores information on entities determined to be legitimate users. Embodiment 2 concerns a comparison server 40 that can make login records operate in cooperation with this whitelist and provide an efficient determination.

Whitelist database 48, like login history database 46, may be constituted by storage means such as a hard disk; a semiconductor memory device or an optical storage device may also be used. Login history database 46 is one suitable example of the login history database recited in the claims, and whitelist database 48 is one suitable example of the whitelist database recited in the claims.

Login

Website 10a is a website at which user 18 has registered as a legitimate user and formally obtained an ID and password, and user 18 logs in successfully by the normal procedure. Website 10a then sends a login success record for this successful login to comparison server 40. Comparison server 40 stores the received login success record (login record, that is, login history) in its internal login history database 46.

Website 10b, like website 10a, is a website at which user 18 updates the password frequently. As a result, user 18 logs in successfully by using the ID and password that are correct for website 10b. Website 10b, like website 10a, sends a login success record for this successful login to comparison server 40. Comparison server 40 stores the received login action (login record) in its internal login history database 46.

Website 10c is the same as websites 10a and 10b: user 18 can log in normally using the correct ID and password. As a result, website 10c also sends the login information to comparison server 40. Website 10c also sends the login action by user 18 to comparison server 40, and comparison server 40 registers the login records in login history database 46 one after another.

Next, the operation of comparison server 40 when a login record is sent to it is described with reference to the flowcharts.

Check of the login history by the comparison server 40

The comparison server 40 registers every login history sent to it in the login history database 46, regardless of whether it is a login-failure history or a login-success history. The flowcharts of Fig. 5 and Fig. 6 show the operation of the comparison server 40 when a login history is sent to it.

In step S5-1 of Fig. 5, first, when a login history is sent from a particular website 10 (a to c), the communication unit 42 receives it and passes it to the control unit 44.

In step S5-2, the control unit 44 registers the received login history in the login history database 46 in sequence.

In step S5-3, the control unit 44 examines the received login history and determines whether it is a success history. If the determination finds that it is a success history, the process proceeds to step S5-4. If, on the other hand, it is a failure history, the comparison server 40 ends processing of that login history and waits for the next login history to be sent. The case shown in Fig. 2 represents a normal login action by the genuine user 18, so in this case the process proceeds to step S5-4.

In step S5-4, the control unit 44 refers, in the login history database 46, to the login histories recorded so far for the website 10 (a to c) that sent the current login history.

In step S5-5, the control unit 44 compares the pattern of logins in the login histories referred to with the current login (success) history, and determines whether the behaviour of the login action is the same as before. If the determination finds that it differs from the behaviour of the previous login actions, the login is judged not to look like the behaviour of the account owner (the genuine user), and the process proceeds to step S5-6.

If, on the other hand, the determination finds that it is the same as the behaviour of the previous login actions, the check of the login history ends and the storing of the login history is complete. The server then waits for the next login history to be sent.

In the case of the example of website 10c shown in Fig. 2, a login that does not look like the account owner's is performed. For example, this is a login that differs from those so far, such as a login from a terminal different from the usual one or a login from a new (geographical) location. In this case, as described above, the process proceeds to step S5-6.

In step S5-6, the control unit 44 compares the login history just stored with the registered contents of the whitelist database 48. The process then proceeds to step S6-1 of Fig. 6.

In step S6-1 of Fig. 6, if the result of the comparison in step S5-6 is that matching data is registered, the person who performed the access can be judged to be an accessor with legitimate authority, so the process proceeds to step S6-2. If, on the other hand, no matching data is registered, the process proceeds to step S6-3 of Fig. 6.

In step S6-2, the control unit 44 sends, for example, a message such as "this is a genuine user recorded in the whitelist" to the website (a to d) via the communication unit 42, and then ends processing of that login history. As a result, the website 10 (a to d) can recognize that although the access was performed with behaviour that does not look like the account owner's, it has been confirmed to be the genuine user 18.

In step S6-3, the control unit 44 sends, for example, a message such as "does not look like the account owner" via the communication unit 42 to the website 10 (a to d) that sent the login history, and then ends processing. As a result, the website 10 (a to d) can recognize that although the ID and password were correct, the access was performed with behaviour that does not look like the account owner's.

In this way, the comparison server 40 of this embodiment does not merely store login histories one after another; it also
・compares the received login history with the login histories so far and, when the behaviour is not the same, determines whether the same content is registered in the whitelist database 48. If it is already registered in the whitelist database 48, it notifies the website 10 of this.
Furthermore, even when it is not registered in the whitelist database 48, because the behaviour in the login history is a login action that differs from those so far, it notifies the website 10 (10c in the above example) of this (for example, with a message such as "does not look like the account owner").
With this operation, each website 10 can efficiently judge whether the person who performed the access is a genuine user (or a malicious accessor), which is convenient.

Execution of two-factor authentication at website 10c

In the example shown in Fig. 2, website 10c, although the login succeeded, has received the message "does not look like the account owner" from the comparison server 40 (step S6-1 of Fig. 6). Upon receiving this, website 10c can, for example, execute two-factor authentication 50. Two-factor authentication is as described in Embodiment 1.

In the example shown in Fig. 2, the result of this two-factor authentication 50 is that the person is confirmed to be the account owner, so the login is permitted (login permission 52 in Fig. 2). When this login permission 52 is granted, the person is recognized as a legitimate genuine user 18, and website 10c sends a whitelist registration request to the comparison server 40.

Registration in the whitelist database 48 by the comparison server 40

When the comparison server 40 receives a whitelist registration request, it registers the requested content in the whitelist database 48.
Specifically, first, the communication unit 42 receives the whitelist registration request. Next, the communication unit 42 passes the whitelist registration request to the control unit 44. When the control unit 44 receives the whitelist registration request, it registers information on user 18 in the whitelist database 48 in accordance with the request. The content registered in the whitelist database 48 may be any content as long as it allows user 18 to be identified.

Use of the login history database 46 and the whitelist database 48 (operation in the case of website 10d)

In the example of Fig. 2, user 18 is also described, at website 10d, as performing a normal login action using a genuine ID and password, just as at the other websites 10a, 10b and 10c. Website 10d also uses the comparison server 40 and registers its login histories in the login history database 46 of the comparison server 40. In addition, when website 10d has determined by two-factor authentication, as described above, that a person is the account owner, it sends a registration request for the whitelist database 48.

In the example shown in Fig. 2, website 10d, like websites 10a, 10b and 10c, first sends the login history to the comparison server 40. The operation of the comparison server 40 in this case is as described in the flowchart of Fig. 5. In particular, in the case of website 10d shown in Fig. 2, because the login by ID and password (ID/PW) succeeded, processing proceeds through steps S5-3, S5-4 and S5-5.

In step S5-5, if the comparison with the login histories finds the same behaviour, processing at the comparison server 40 ends; if, however, the comparison with the login histories finds different behaviour, the comparison with the whitelist database 48 is performed in step S5-6.

At website 10d shown in Fig. 2, the accessor who logged in has already been registered in the whitelist database 48. That is, as described above, user 18 was registered in the whitelist database 48 through the whitelist registration request sent via website 10c (see Fig. 2).

Therefore, for the login history from website 10d, the comparison server 40 determines in step S6-1 of Fig. 6 that matching data exists. As a result, in step S6-2 the control unit 44 sends, for example, a message such as "registered in the whitelist" to website 10d via the communication unit 42. Processing at the comparison server 40 then ends.
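The check of Figs. 5 and 6, the whitelist registration that follows two-factor authentication, and the four-website walk-through of Fig. 2 above, as an added example that is not the patent's own code: the record mirrors the five categories of Fig. 7, and the field names, the behaviour-comparison rule (same hashed ID, terminal, browser and country as an earlier success at the same website), the message strings and every record are assumptions constructed for this example.

```python
"""Added example, not the patent's own code: a minimal comparison server 40
that performs the check of Figs. 5 and 6 (steps S5-1 to S6-3), accepts the
whitelist registration that follows two-factor authentication, and replays
the four-website scenario of Fig. 2 with constructed records."""
import hashlib
from dataclasses import dataclass

# Messages returned to the website 10; the wording is an assumption.
FAILURE_LOGGED = "failure history recorded"                 # after step S5-3
SAME_BEHAVIOUR = "same behaviour as before"                 # after step S5-5
WHITELISTED = "genuine user recorded in the whitelist"      # step S6-2
NOT_OWNER = "does not look like the account owner"          # step S6-3


def hash_id(user_id: str) -> str:
    """Fig. 7 allows the ID to be stored hashed: enough to link records of
    one user without keeping the plaintext ID in the shared database."""
    return hashlib.sha256(user_id.encode()).hexdigest()


@dataclass(frozen=True)
class LoginRecord:
    """One login history, with the five categories of Fig. 7."""
    site: str        # website 10 that sent the history
    user_hash: str   # category 1: hashed ID
    success: bool    # login-success or login-failure history
    device: str      # category 2: terminal type
    browser: str     # category 3: browser
    country: str     # category 4: location derived from the IP address
    referer: str     # category 5: page transition (referrer URL)

    def fingerprint(self) -> tuple:
        """Assumed behaviour key: who, from which terminal, browser, place."""
        return (self.user_hash, self.device, self.browser, self.country)


class ComparisonServer:
    """Login history database 46 and whitelist database 48, in memory."""
    def __init__(self) -> None:
        self.history: list[LoginRecord] = []
        self.whitelist: set[tuple] = set()

    def _same_behaviour(self, rec: LoginRecord) -> bool:
        """Steps S5-4/S5-5: compare with earlier successes of this user at the
        website that sent the history. Assumption: with no earlier success at
        that site nothing confirms the login, so it goes to the whitelist check."""
        earlier = (h for h in self.history if h is not rec and h.success
                   and h.site == rec.site and h.user_hash == rec.user_hash)
        return any(h.fingerprint() == rec.fingerprint() for h in earlier)

    def receive_login_history(self, rec: LoginRecord) -> str:
        """Steps S5-1 to S6-3: store every history, compare a success with
        past behaviour, fall back to the whitelist, answer the website."""
        self.history.append(rec)                   # S5-2: always registered
        if not rec.success:                        # S5-3: failures stop here
            return FAILURE_LOGGED
        if self._same_behaviour(rec):              # S5-5: usual behaviour
            return SAME_BEHAVIOUR
        if rec.fingerprint() in self.whitelist:    # S5-6/S6-1: whitelist hit
            return WHITELISTED
        return NOT_OWNER                           # S6-3: site may run 2FA

    def register_whitelist(self, rec: LoginRecord) -> None:
        """Whitelist registration request sent by a website after its
        two-factor authentication 50 confirmed the account owner."""
        self.whitelist.add(rec.fingerprint())


def run_fig2_scenario() -> dict:
    """Replay of Fig. 2 with constructed records; returns the answer sent to
    each website so the flow can be checked."""
    srv = ComparisonServer()
    uid = hash_id("user18")                        # constructed user
    usual = dict(user_hash=uid, success=True, device="phone",
                 browser="Mobile Safari", country="JP", referer="https://example.test/")
    # Seed: user 18 logged in before at 10a, 10b and 10c from the usual phone.
    for site in ("10a", "10b", "10c"):
        srv.receive_login_history(LoginRecord(site=site, **usual))
    answers = {}
    answers["10a"] = srv.receive_login_history(LoginRecord(site="10a", **usual))
    answers["10b"] = srv.receive_login_history(LoginRecord(site="10b", **usual))
    # Someone fails at 10a: registered, but never compared (step S5-3).
    answers["10a-fail"] = srv.receive_login_history(LoginRecord(
        site="10a", user_hash=hash_id("other"), success=False,
        device="desktop", browser="Chrome", country="XX", referer="-"))
    # 10c: correct ID/PW, but from a new terminal and a new location.
    new_terminal = LoginRecord(site="10c", user_hash=uid, success=True,
                               device="laptop", browser="Firefox",
                               country="US", referer="https://example.test/")
    answers["10c"] = srv.receive_login_history(new_terminal)
    # 10c runs two-factor authentication 50, grants login permission 52 and
    # sends the whitelist registration request (constructed outcome).
    srv.register_whitelist(new_terminal)
    # 10d: first login ever at this site, from the same new terminal; the
    # whitelist filled through 10c lets 10d recognize the genuine user at once.
    answers["10d"] = srv.receive_login_history(LoginRecord(
        site="10d", user_hash=uid, success=True, device="laptop",
        browser="Firefox", country="US", referer="https://example.test/"))
    return answers
```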

In this way, in Embodiment 2, website 10d can use the login history database 46 and the whitelist database 48 populated by the other websites 10 (a to c), and can thereby efficiently detect that the accessor is the genuine user 18. That is, whether the person who performed the access is a legitimate user can be judged on the basis of the content recorded by the other websites 10.

Various kinds of content can be set as the recorded content. The registered content of a login history can include various parameters such as the accessor's IP address, the time, the input speed of the entered ID and password, location information, the type of device used for the access, the type and version of the browser used, and the name and version of the OS.

In addition, a reliability level, or data serving as an index on which such a level is based, may be registered in advance in the login history database 46 and the whitelist database 48. Also, for example, when the result of the above two-factor authentication 50 is that the person is judged to be the genuine user 18 and login permission 52 is granted, a flag indicating that the person was judged to be the genuine user 18 may be attached to that login history (the login history in the login history database 46).

In Embodiment 2, the control unit 44 searches the login history database 46, and also searches the whitelist database 48, on the basis of the data sent from each website 10 (a to d). However, the system may also be configured so that each website 10 (a to d), as a user of the comparison server 40, can access the login history database 46 and the whitelist database 48 directly. It may also be configured so that the website 10 (a to d) itself makes the judgment on the basis of those contents.

2-3. Summary

In this way, according to Embodiment 2, because a comparison server 40 equipped with a login history database 46 that accumulates login histories one after another is used, websites 10 (a to d) such as shopping malls can refer to the access history of an accessor. As a result, each website 10 (a to d) can efficiently detect whether the person who performed the access is a legitimate user.

Also, as in Embodiment 1, the comparison server 40 can detect access that "does not look like the account owner" on the basis of the content of the login history database 46. Each website 10 (a to d) can therefore learn of "suspicious" access that is difficult to judge from the ID and password alone. In particular, because the comparison server 40 can identify a "suspicious" person who "does not look like the account owner" on the basis of the access histories of other websites 10, a website 10 (a to d) that uses the comparison server 40 can easily learn of such "suspicious" persons who "do not look like the account owner" and, on the basis of the comparison server's judgment, can perform two-factor authentication or the like as appropriate, as described above.

For example, if a website wished to perform this kind of operation using only its own site, it would need to accumulate some amount of user access history on its own site. Moreover, for a user accessing the website 10 (a to d) for the first time, no access history has been accumulated, so the judgment is difficult.

By contrast, according to Embodiment 2, a judgment that makes use of the access histories accumulated at other websites 10 (a to d) can be obtained from the comparison server 40, so it becomes possible to judge whether even a user accessing the website 10 (a to d) for the first time is a genuine user.

Furthermore, according to Embodiment 2, because the comparison server 40 has built (registered) a whitelist database 48, when a matching person is found in the whitelist database 48, the website 10 (a to d) can immediately grant login permission (even if the accessor is accessing that website for the first time).

As to whether a matching person is registered in the whitelist database 48, each website 10 may query the comparison server 40 and make the judgment individually. Alternatively, the system may be configured so that when each website 10 wishes to register a login history as shown in Fig. 1, the control unit 44 of the comparison server 40 separately confirms the registered contents of the whitelist database 48. In this case, when matching content is already registered in the whitelist database 48, it is also desirable for the control unit 44 of the comparison server 40 to send a message indicating this to the website 10.

Summary of Embodiments 1 and 2

(1) Effects

In this way, in Embodiments 1 and 2, because login history databases 26 and 46 are built and can be shared among a plurality of websites 10 (shared through the comparison servers 20 and 40), access whose behaviour differs from that seen so far can be detected efficiently.

In particular, in Embodiment 1, because a blacklist database 28 is built, a malicious hacker can be identified efficiently. Especially because a plurality of websites can share this information through the comparison server 20, unauthorized access can be prevented more efficiently.

A malicious hacker 8 may be a human operating and performing the access in person, or may be a computer or other machine made to impersonate the legitimate user and perform the access.

In Embodiment 2, because a whitelist database 48 is built, a user who has been judged to have performed legitimate access can be identified regardless of his or her behaviour. Especially because a plurality of websites can share this information through the comparison server 40, a legitimate user can be identified more efficiently.

(2) Adoption of additional authentication (risk-based authentication)

In Embodiments 1 and 2, an example using two-factor authentication was described, but various other kinds of additional authentication (risk-based authentication) may also be performed.

(3) Contents of the login history databases 26 and 46

The login history databases 26 and 46 can record various kinds of login information. For example, data of the various categories shown in Fig. 7 can be registered for each login. Fig. 7 is an explanatory diagram showing an example of the registered contents of the login history databases 26 and 46. The figure shows an example of the information registered for a single login; in practice, this information is registered in the login history databases 26 and 46 for every login. As shown in the figure, the content recorded in the login history databases 26 and 46 can be divided into, for example, five categories.

The first category is user information, mainly the ID and password. This user information identifies the user who is the subject of the action. As the ID and password, for example, a hashed ID and a hashed password may be recorded. This is done to compact the amount of data and make comparison operations easier, and also to prevent an individual from being completely identified and to reduce the possibility of leakage of personal information.

The second category is terminal information, that is, information on the terminal used by the user when accessing the website 10; the type of terminal used, the type of OS and so on are recorded. Information relating to the language used may also be recorded.

The third category is information on the browser or the like that the user is using. This browser information is also recorded for each terminal used. When more than one kind of browser is used, information on each of the browsers is recorded. Although the term "browser" is used here, it may broadly include any means or program used to access the website 10.

The fourth category is the IP address of the user performing the access. The user's location can be learned from this IP address.

The fifth category is page transitions. As shown in Fig. 7, this information is, for example, the referrer URL, and indicates where the user came to the website from.

These are one example of a login history; a configuration in which less information is registered as the login history is also possible. In the above description and Fig. 7, an example with five categories is shown, but the number of categories may be smaller (for example, a single category) or larger. The contents of the registered login history may also differ depending on the website used. In the login history databases 26 and 46, these login histories are registered at every login and gradually accumulate.

(4) Contents of the whitelist database 48 and the blacklist database 28

The contents of the whitelist database 48 and the blacklist database 28 built in Embodiments 1 and 2 can include various parameters. The two may record the same content or different content. Fig. 8 is an explanatory diagram showing a record example of the whitelist database 48, which holds information on users judged to be genuine users, and a record example of the blacklist database 28, which holds information on malicious hackers impersonating genuine users. As shown in the figure, the content recorded in the whitelist database 48 (and the blacklist database 28) is roughly the same as the registered content of the login history databases 26 and 46 shown in Fig. 7, and is divided into, for example, five categories.

The first to fourth categories of information are as described above. The fifth category is page transitions. As in Fig. 7, this information is, for example, the referrer URL. In particular, the whitelist database 48 and the blacklist database 28 may additionally include information indicating which pages on the web site 10 were viewed. For example, in the example of Fig. 8, the whitelist database 48 shows the browsing history of a genuine user who, after logging in, checked the purchase history on the purchase history page and then viewed the points confirmation page to check the available points. The malicious hacker impersonating a genuine user in the blacklist database, by contrast, may have a browsing history of proceeding to the points exchange page immediately after login and attempting to exchange points. It is known empirically that the pages viewed at the web site 10 differ greatly between genuine users and impersonating malicious hackers.

Furthermore, the page transition information may also record the time spent at the web site 10. It is generally known that a malicious hacker spends less time at the web site 10 than a genuine user. As such time information, the time spent on each page viewed may also be recorded.

Also, a malicious hacker may be a human, or may be a machine (computer) impersonating a legitimate user. When a computer impersonates a genuine user, the dwell time both on the web site 10 as a whole and on each page is often very short, so in some cases it can be distinguished from a human on the basis of dwell time. In some cases it can also be distinguished from a human on the basis of abnormally fast text input.

Various other information may be included in addition to the above. For example, the speed of text input may be included. It is known empirically that a malicious program impersonating a human types abnormally fast.

The recorded content described here is only one example, and many other kinds of information may be recorded. The recorded content described here shows a standard example; the whitelist database and the blacklist database may also be built with fewer kinds of information. In the above description and Fig. 8, an example with five categories is shown, but the number of categories may be smaller, and the number of categories may differ between the blacklist and the whitelist. Depending on the application, even a single category is useful.

Embodiment 3: Detailed configuration of the comparison servers 20 and 40, and related techniques

(1) Comparison server

The comparison servers 20 and 40 described above are servers that are used by a plurality of websites 10 and gradually accumulate login histories. Compared with having each website 10 accumulate login histories on its own, more of a given user 18's login histories can be accumulated, so whether an access shows the same behaviour as before can be judged more efficiently from the login behaviour, and the result can be notified to each website 10.

As a result, each website 10 can perform further authentication of the legitimacy of user 18, such as two-factor authentication 30, and can efficiently detect unauthorized access.

Furthermore, each website 10 can send registration requests to the blacklist database 28 and the whitelist database 48 on the basis of the result of this further authentication of legitimacy. Therefore, once an accessor is registered in the blacklist database 28 or the whitelist database 48, whether the accessor is a legitimate user can be judged more reliably (by the comparison server 20, 40, or its control unit 24, 44), and the result can be provided to each website 10.

(2) Login history database

The login history databases 26 and 46 of Embodiments 1 and 2 accumulate login histories one after another regardless of whether the login succeeded or failed. Various methods of accumulation can be adopted, but because the log is finite, it is also desirable to delete old data at appropriate times.

For the login history databases 26 and 46, it suffices to accumulate the information of Fig. 7 at each login, but it is also desirable to keep only a certain number of the most recent login-success histories for the same user 18 and to delete the rest in order from the oldest. This operation can be performed by the control units 24 and 44.

The login history databases 26 and 46 likewise accumulate the information of Fig. 7 at each login for login-failure histories, but for these it is difficult to determine which histories belong to the same hacker 8. Therefore, for login-failure histories, it is also desirable to decide in advance a certain maximum amount of accumulated data for the whole, and when the stored amount exceeds that amount, to delete login-failure histories one by one starting from the oldest. This operation can also be performed by the control units 24 and 44.

Alternatively, the amount of accumulated data may be decided in advance for each website separately. It is also desirable to decide in advance, for each website 10, the maximum amount of login-failure histories to accumulate and, when that amount is exceeded, to delete login-failure histories one by one starting from the oldest. Alternatively, an accumulation period may be decided in advance and old login histories exceeding that period deleted one by one. This operation can also be performed by the control units 24 and 44.
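The retention rules of section (2) above, as an added example that is not the patent's own code: an in-memory login history database keeps only the newest N success histories per user, caps failure histories per website and overall, and drops histories older than an accumulation period, always deleting from the oldest. The limits, the entry fields and the timestamps are assumptions constructed for this example.

```python
"""Added example, not the patent's own code: the retention rules of section
(2) applied to an in-memory login history database 26/46. The limits and the
timestamps are constructed for this example."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class HistoryEntry:
    site: str        # website 10 that sent the history
    user_hash: str   # hashed ID; failures may not be attributable to one user
    success: bool
    timestamp: int   # seconds; constructed values below


class LoginHistoryDB:
    """Login history database with the pruning done by control unit 24/44."""

    def __init__(self, per_user_successes: int, failures_per_site: int,
                 failures_total: int, max_age: int) -> None:
        self.per_user_successes = per_user_successes
        self.failures_per_site = failures_per_site
        self.failures_total = failures_total
        self.max_age = max_age
        self.entries: list[HistoryEntry] = []   # oldest first

    def add(self, entry: HistoryEntry) -> None:
        """Register a history (success or failure) and then prune."""
        self.entries.append(entry)
        self._prune(now=entry.timestamp)

    def _prune(self, now: int) -> None:
        # Time limit: drop histories older than the accumulation period.
        fresh = [e for e in self.entries if now - e.timestamp <= self.max_age]
        # Walk newest first so that the caps always keep the most recent
        # entries and delete "from the oldest", as the text requires.
        succ_seen: dict[str, int] = defaultdict(int)
        fail_seen: dict[str, int] = defaultdict(int)
        fail_total = 0
        survivors: list[HistoryEntry] = []
        for e in reversed(fresh):
            if e.success:
                # Same user: only the newest N success histories are kept.
                if succ_seen[e.user_hash] >= self.per_user_successes:
                    continue
                succ_seen[e.user_hash] += 1
            else:
                # Failures cannot be tied to one hacker, so they are capped
                # per website and as a whole rather than per user.
                if (fail_seen[e.site] >= self.failures_per_site
                        or fail_total >= self.failures_total):
                    continue
                fail_seen[e.site] += 1
                fail_total += 1
            survivors.append(e)
        survivors.reverse()
        self.entries = survivors

    def timestamps(self) -> list[int]:
        return [e.timestamp for e in self.entries]


def demo() -> dict[str, list[int]]:
    """Constructed sequence in which each rule fires; returns the stored
    timestamps after the count caps and again after the time limit."""
    db = LoginHistoryDB(per_user_successes=2, failures_per_site=2,
                        failures_total=3, max_age=3600)
    db.add(HistoryEntry("10a", "u1", True, 0))
    db.add(HistoryEntry("10a", "u1", True, 10))
    db.add(HistoryEntry("10b", "u1", True, 20))    # 3rd success: drops ts 0
    db.add(HistoryEntry("10a", "", False, 30))
    db.add(HistoryEntry("10a", "", False, 40))
    db.add(HistoryEntry("10a", "", False, 50))     # 10a cap of 2: drops ts 30
    db.add(HistoryEntry("10b", "", False, 60))
    db.add(HistoryEntry("10c", "", False, 70))     # total cap of 3: drops ts 40
    after_caps = db.timestamps()                   # [10, 20, 50, 60, 70]
    db.add(HistoryEntry("10c", "u2", True, 3650))  # older than 3600 s: drops 10, 20
    return {"after_caps": after_caps, "after_expiry": db.timestamps()}
```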

(3) Coexistence of the blacklist database 28 and the whitelist database 48

In Embodiments 1 and 2 above, a comparison server 20 equipped with a blacklist database 28 and a comparison server 40 equipped with a whitelist database 48 were described, but a comparison server equipped with both a blacklist database 28 and a whitelist database 48 may also be configured.

In such a configuration, the server can be arranged to carry out, in order:
・comparison with the registered contents of the blacklist database 28
・comparison with the log-in history
・comparison with the registered contents of the whitelist database 48.

Concretely, processing need only proceed from the "No" branch of step S3-5 in FIG. 3 to step S5-4 in FIG. 5.
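As an added example (not the patent's own code), the following Python sketch implements the retention rules for the log-in history database described in the paragraphs above (a per-user cap on success records; a global cap, an optional per-site cap and an optional retention period for failure records) together with the blacklist, log-in history, whitelist comparison order of this section. The record fields, the SHA-256 hashing, the meaning of "same behaviour" (a client attribute already seen in the user's earlier successes) and the outcome returned when behaviour is consistent with earlier log-ins are assumptions for this illustration, not taken from the patent.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
import hashlib


def hash_value(value: str) -> str:
    """The patent stores hashed IDs and passwords (modification (7));
    SHA-256 is an assumed choice for this illustration."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


@dataclass(frozen=True)
class LoginRecord:
    """One log-in record reported by a website (fields are assumed;
    FIG. 7 of the patent is not reproduced here)."""
    site: str        # which website reported the log-in
    user_hash: str   # hashed ID
    pw_hash: str     # hashed password
    success: bool    # success record or failure record
    time: int        # constructed timestamp, seconds
    client: str      # assumed behaviour attribute, e.g. a client fingerprint


class ComparisonServer:
    def __init__(self, per_user_successes=3, max_failures=100,
                 per_site_failures=None, max_age=None):
        # Success records: only the newest N per user are kept; the deque
        # drops the oldest automatically.
        self.successes = defaultdict(lambda: deque(maxlen=per_user_successes))
        # Failure records cannot be tied to a particular attacker, so they
        # live in one store, oldest first, with a global cap and optional
        # per-site cap and retention period.
        self.failures = []
        self.max_failures = max_failures
        self.per_site_failures = per_site_failures
        self.max_age = max_age
        self.blacklist = set()   # (user_hash, pw_hash) pairs of known attackers
        self.whitelist = set()   # (user_hash, pw_hash) pairs of legitimate users

    # Registration requests received from websites (claims 4 and 5).
    def register_blacklist(self, user_id: str, password: str) -> None:
        self.blacklist.add((hash_value(user_id), hash_value(password)))

    def register_whitelist(self, user_id: str, password: str) -> None:
        self.whitelist.add((hash_value(user_id), hash_value(password)))

    def _store(self, rec: LoginRecord) -> None:
        """Register the record and apply the retention rules."""
        if rec.success:
            self.successes[rec.user_hash].append(rec)
            return
        self.failures.append(rec)
        if self.max_age is not None:                     # retention period
            cutoff = rec.time - self.max_age
            self.failures = [r for r in self.failures if r.time >= cutoff]
        while len(self.failures) > self.max_failures:    # global cap
            self.failures.pop(0)
        if self.per_site_failures is not None:           # per-site cap
            same_site = [r for r in self.failures if r.site == rec.site]
            while len(same_site) > self.per_site_failures:
                self.failures.remove(same_site.pop(0))

    def check(self, rec: LoginRecord) -> str:
        """Return the message sent back to the website. The order follows
        section (3): blacklist, then log-in history, then whitelist. Only
        success records are compared; the website decides what to do with
        the answer (log-in permission, refusal or two-factor authentication)."""
        past = list(self.successes[rec.user_hash])
        self._store(rec)
        if not rec.success:
            return "failure recorded"
        key = (rec.user_hash, rec.pw_hash)
        if key in self.blacklist:
            return "malicious hacker"
        # Assumption: behaviour is "the same as past log-ins" when the client
        # attribute already appears in this user's stored success records.
        if any(r.client == rec.client for r in past):
            return "consistent with past log-ins"
        if key in self.whitelist:
            return "legitimate user"
        return "does not look like the user"


def demo() -> list:
    """Constructed scenario: the same credentials are used from a known and
    then from an unknown client, then a blacklisted pair is tried."""
    srv = ComparisonServer(per_user_successes=2, max_failures=3)
    uid, pw = hash_value("alice"), hash_value("correct horse")
    out = [srv.check(LoginRecord("site-a", uid, pw, True, t, c))
           for t, c in enumerate(["laptop", "laptop", "phone"])]
    srv.register_blacklist("bob", "leaked-pw")
    out.append(srv.check(LoginRecord("site-b", hash_value("bob"),
                                     hash_value("leaked-pw"), True, 3, "bot")))
    return out
```

Note that a user's very first success record is not yet "consistent with past log-ins", so it falls through to the whitelist check, which is where the manually pre-registered whitelist entries of modification (5) matter.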

4. Significance and effects

In recent years, many cases have been found in which a malicious third party uses one acquired set of ID and password to gain unauthorized access to a plurality of websites 10 in succession. The comparison servers 20 and 40 of the present embodiments can be a particularly effective countermeasure against such successive unauthorized access. Furthermore, Embodiments 1 and 2 provide the following general architecture: not only the ID and password of the user 18 but also the log-in records of the actions of the user 18 and of the hacker 8 are recorded to build the log-in history databases 26 and 46, and these databases are shared among a plurality of websites. Consequently, the identification of the user 18 and the detection of the hacker 8 can be performed more efficiently than when a single website merely manages its users' records by itself.

5. Other modifications

(1) In the above embodiments, the comparison servers 20 and 40 may be located anywhere on the Internet as long as they can be accessed from each website 10. For example, they may be located on the same server as a particular website 10 (for example 10a). In that case a website with an attached comparison server, that is, a combination of comparison server and website, can be formed.

(2) The number of records for the same user in the whitelist database 48 may be fixed (for example n records, n being a natural number), but it may also be fewer or more. The number of registered records may also be adjusted dynamically according to circumstances.

(3) In the above embodiments no limit is placed on the number of records in the blacklist database 28, but a limit on the maximum number of registered records may be set in consideration of, for example, the speed of the comparison computation. In that case, processing such as gradually deleting records starting from the oldest may be performed.

(4) In the above embodiments the data in the whitelist database 48 is recorded on the basis of actual accesses, but typical legitimate data may also be recorded manually in advance. Likewise, examples of access already judged to be unauthorized may be recorded manually in advance in the blacklist database 28.

(5) In the above embodiments the data in the whitelist database 48 is updated on each new access and old data is deleted, but fixed records may also be designated manually in advance. This is a measure that takes into account users 18 who access only infrequently.

(6) The records of the whitelist database 48 and the blacklist database 28 may also be fine-tuned as appropriate by manual or other means, and records that are not very important may be deleted manually. Various manual operations may be applied.

(7) In the above embodiments a hashed ID and a hashed password are recorded in the whitelist database 48 and the blacklist database 28, but unhashed data may also be used, and an ID and password to which a specific encryption has been applied may also be used.

Although the embodiments of the present invention have been described in detail, the foregoing embodiments merely show specific examples of carrying out the present invention. The technical scope of the present invention is not limited to the above embodiments. Various modifications can be made to the present invention without departing from its gist, and such modifications are also included in the technical scope of the present invention.

8‧‧‧hacker
10, 10a, 10b, 10c, 10d‧‧‧website
18‧‧‧user
20, 40‧‧‧comparison server
22, 42‧‧‧communication unit
24, 44‧‧‧control unit
26, 46‧‧‧log-in history database
28‧‧‧blacklist database
30, 50‧‧‧two-factor authentication (execution of)
32‧‧‧log-in refusal
48‧‧‧whitelist database
52‧‧‧log-in permission

[FIG. 1] An explanatory diagram showing how a malicious hacker accesses a plurality of websites in Embodiment 1.
[FIG. 2] An explanatory diagram showing how a legitimate user 18 accesses a plurality of websites in Embodiment 2.
[FIG. 3] A flowchart showing the operation of the comparison server 20 in Embodiment 1.
[FIG. 4] The continuation of the flowchart showing the operation of the comparison server 20 in Embodiment 1.
[FIG. 5] A flowchart showing the operation of the comparison server 40 in Embodiment 2.
[FIG. 6] The continuation of the flowchart showing the operation of the comparison server 40 in Embodiment 2.
[FIG. 7] An explanatory diagram showing an example of the contents registered in the log-in history databases 26 and 46 in Embodiments 1 and 2.
[FIG. 8] An explanatory diagram showing an example of the contents registered in the whitelist database 48 and the blacklist database 28 in Embodiments 1 and 2.

Claims (9)

1. A comparison server comprising: a communication unit that communicates with the outside, receives a log-in record from the outside and sends it to a control unit; the control unit, which registers the log-in record sent from the communication unit in a log-in history database; the log-in history database, which holds the log-in records; and a blacklist database, which holds information on malicious hackers; the comparison server being characterized in that, when the sent log-in record is a success record, the control unit compares the log-in record with the log-in records held in the log-in history database and, when the behaviour of this log-in is not the same as that of the log-ins up to now, sends, via the communication unit, a message indicating that the log-in does not appear to be by the user himself or herself; and, when the sent log-in record is a success record, the control unit compares the log-in record with the registered contents of the blacklist database and, when the same data exists, sends, via the communication unit, a message indicating a malicious hacker.

2. The comparison server according to claim 1, further comprising a whitelist database that holds information on legitimate users, wherein, when the sent log-in record is a success record, the control unit compares the log-in record with the registered contents of the whitelist database and, when the same data exists, sends, via the communication unit, a message indicating a legitimate user.

3. A comparison server comprising: a communication unit that communicates with the outside, receives a log-in record from the outside and sends it to a control unit; the control unit, which registers the log-in record sent from the communication unit in a log-in history database; the log-in history database, which holds the log-in records; a blacklist database, which holds information on malicious hackers; and a whitelist database, which holds information on legitimate users; the comparison server being characterized in that, when the sent log-in record is a success record, the control unit compares the log-in record with the registered contents of the blacklist database and, when the same data exists, sends, via the communication unit, a message indicating a malicious hacker; when the result of the comparison with the registered contents of the blacklist database is that no such data exists, the control unit compares the log-in record with the log-in records held in the log-in history database; when the result of the comparison with the contents held in the log-in history database is that the behaviour of this log-in is not the same as that of the log-ins up to now, the control unit compares the log-in record with the registered contents of the whitelist database; and when the result of the comparison with the registered contents of the whitelist database is that the same data exists, the control unit sends, via the communication unit, a message indicating a legitimate user, and when no such data exists, sends, via the communication unit, a message indicating that the log-in does not appear to be by the user himself or herself.

4. The comparison server according to claim 1 or claim 3, wherein the communication unit receives a blacklist registration request from the outside and sends it to the control unit, and the control unit registers, in the blacklist database, the malicious-hacker information contained in the blacklist registration request sent from the communication unit.

5. The comparison server according to claim 2 or claim 3, wherein the communication unit receives a whitelist registration request from the outside and sends it to the control unit, and the control unit registers, in the whitelist database, the legitimate-user information contained in the whitelist registration request sent from the communication unit.

6. A comparison method that uses a comparison server to check whether a log-in record appears to be by the user himself or herself, the comparison server comprising: a communication unit that communicates with the outside, receives a log-in record from the outside and sends it to a control unit; the control unit, which registers the log-in record sent from the communication unit in a log-in history database; the log-in history database, which holds the log-in records; and a blacklist database, which holds information on malicious hackers; the comparison method being characterized by comprising: a step in which the control unit, when the sent log-in record is a success record, compares the log-in record with the log-in records held in the log-in history database and, when the behaviour of this log-in is not the same as that of the log-ins up to now, sends, via the communication unit, a message indicating that the log-in does not appear to be by the user himself or herself; and a step in which the control unit, when the sent log-in record is a success record, compares the log-in record with the registered contents of the blacklist database and, when the same data exists, sends, via the communication unit, a message indicating a malicious hacker.

7. A comparison method that uses a comparison server to check whether a log-in record appears to be by the user himself or herself, the comparison server comprising: a communication unit that communicates with the outside, receives a log-in record from the outside and sends it to a control unit; the control unit, which registers the log-in record sent from the communication unit in a log-in history database; the log-in history database, which holds the log-in records; a blacklist database, which holds information on malicious hackers; and a whitelist database, which holds information on legitimate users; the comparison method being characterized by comprising: a step in which the control unit, when the sent log-in record is a success record, compares the log-in record with the registered contents of the blacklist database and, when the same data exists, sends, via the communication unit, a message indicating a malicious hacker; a step in which the control unit, when the result of the comparison with the registered contents of the blacklist database is that no such data exists, compares the log-in record with the log-in records held in the log-in history database; a step in which the control unit, when the result of the comparison with the contents held in the log-in history database is that the behaviour of this log-in is not the same as that of the log-ins up to now, compares the log-in record with the registered contents of the whitelist database; and a step in which the control unit, when the result of the comparison with the registered contents of the whitelist database is that the same data exists, sends, via the communication unit, a message indicating a legitimate user, and when no such data exists, sends, via the communication unit, a message indicating that the log-in does not appear to be by the user himself or herself.

8. A computer program that causes a computer to operate as a comparison server, the comparison server comprising: a communication unit that communicates with the outside, receives a log-in record from the outside and sends it to a control unit; the control unit, which registers the log-in record sent from the communication unit in a log-in history database; the log-in history database, which holds the log-in records; and a blacklist database, which holds information on malicious hackers; the computer program being characterized by causing the computer to execute: a procedure in which the control unit, when the sent log-in record is a success record, compares the log-in record with the log-in records held in the log-in history database and, when the behaviour of this log-in is not the same as that of the log-ins up to now, sends, via the communication unit, a message indicating that the log-in does not appear to be by the user himself or herself; and a procedure in which the control unit, when the sent log-in record is a success record, compares the log-in record with the registered contents of the blacklist database and, when the same data exists, sends, via the communication unit, a message indicating a malicious hacker.

9. A computer program that causes a computer to operate as a comparison server, the comparison server comprising: a communication unit that communicates with the outside, receives a log-in record from the outside and sends it to a control unit; the control unit, which registers the log-in record sent from the communication unit in a log-in history database; the log-in history database, which holds the log-in records; a blacklist database, which holds information on malicious hackers; and a whitelist database, which holds information on legitimate users; the computer program being characterized by causing the computer to execute: a procedure in which the control unit, when the sent log-in record is a success record, compares the log-in record with the registered contents of the blacklist database and, when the same data exists, sends, via the communication unit, a message indicating a malicious hacker; a procedure in which the control unit, when the result of the comparison with the registered contents of the blacklist database is that no such data exists, compares the log-in record with the log-in records held in the log-in history database; a procedure in which the control unit, when the result of the comparison with the contents held in the log-in history database is that the behaviour of this log-in is not the same as that of the log-ins up to now, compares the log-in record with the registered contents of the whitelist database; and a procedure in which the control unit, when the result of the comparison with the registered contents of the whitelist database is that the same data exists, sends, via the communication unit, a message indicating a legitimate user, and when no such data exists, sends, via the communication unit, a message indicating that the log-in does not appear to be by the user himself or herself.
TW107112974A 2017-12-23 2018-04-17 Comparison server, comparison method and computer program TWI769240B (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
JP2017-247098 2017-12-23
JP2017247098A JP6564841B2 (en) 2017-12-23 2017-12-23 Verification server, verification method and computer program

Publications (2)

Publication Number Publication Date
TW201928750A TW201928750A (en) 2019-07-16
TWI769240B true TWI769240B (en) 2022-07-01

Family

ID=66993193

Family Applications (1)

Application Number Title Priority Date Filing Date
TW107112974A TWI769240B (en) 2017-12-23 2018-04-17 Comparison server, comparison method and computer program

Country Status (3)

Country Link
JP (1) JP6564841B2 (en)
TW (1) TWI769240B (en)
WO (1) WO2019123665A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TWI815715B (en) * 2022-10-27 2023-09-11 英業達股份有限公司 System and method for judging situation of server according to server log data
TWI815722B (en) * 2022-11-07 2023-09-11 英業達股份有限公司 System and method for pre-judging situation of server before test according to server log data

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108632348B (en) * 2018-03-19 2020-02-18 阿里巴巴集团控股有限公司 Service checking method and device
JP2021101281A (en) * 2019-12-24 2021-07-08 日本電気株式会社 Biometric authentication system, biometric authentication method, and computer program
CN111010402B (en) * 2019-12-24 2022-09-30 深信服科技股份有限公司 Account login method, device, equipment and computer readable storage medium

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2010097467A (en) * 2008-10-17 2010-04-30 Nomura Research Institute Ltd Risk-based authentication system and risk-based authentication method
JP2017076185A (en) * 2015-10-13 2017-04-20 富士通株式会社 Network monitoring apparatus, network monitoring method, and network monitoring program
WO2017191719A1 (en) * 2016-05-03 2017-11-09 株式会社カウリス Service provision system, service provision method, verification device, verification method, and computer program
TW201743594A (en) * 2016-06-08 2017-12-16 Chunghwa Telecom Co Ltd System d of dynamically identifying VoIP calling and calling and called subscribers accommodated in the same SBC for NGN/IMS and method thereof capable of effectively banning illegal IP from illegally using telecommunication resources

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8359632B2 (en) * 2008-05-30 2013-01-22 Microsoft Corporation Centralized account reputation
US9639678B2 (en) * 2012-06-29 2017-05-02 Microsoft Technology Licensing, Llc Identity risk score generation and implementation
US11012450B2 (en) * 2016-06-01 2021-05-18 Nippon Telegraph And Telephone Corporation Detection device, detection method, detection system, and detection program

Also Published As

Publication number Publication date
TW201928750A (en) 2019-07-16
WO2019123665A1 (en) 2019-06-27
JP2019114061A (en) 2019-07-11
JP6564841B2 (en) 2019-08-21

Similar Documents

Publication Publication Date Title
TWI769240B (en) Comparison server, comparison method and computer program
US10425405B2 (en) Secure authentication systems and methods
US10819693B2 (en) Disposable browsers and authentication techniques for a secure online user environment
AU2012261635B2 (en) Methods and Systems for Increasing the Security of Network- Based Transactions
TWI718291B (en) Service provision system, service provision method, and computer program
EP1339199A1 (en) Dynamic user authentication
US9578018B2 (en) Remote sign-out of web based service sessions
US20140223513A1 (en) Securing Communication over a Network Using Client Integrity Verification
CN113315637B (en) Security authentication method, device and storage medium
US11853443B1 (en) Systems and methods for providing role-based access control to web services using mirrored, secluded web instances
EP4231178A1 (en) Synthetic biometrics for user privacy
Richardson et al. WebID+ biometrics with permuted disposable features
Ahmad et al. Enhancing the Authentication Mechanism of Social Media Websites using Face Detection
Leiba Aspects of Internet security
JP2009048545A (en) Account information leakage preventing service system
KR20240136797A (en) Method for preventing phishing through authentication of caller's identification, anti-phishing relay server and user terminal using the same
TR202020614A2 (en) A SECURITY SYSTEM USED IN IMMEDIATE MESSAGING APPLICATIONS