WO2007110951A1 - User confirmation device, method, and program - Google Patents
- Publication number
- WO2007110951A1 (PCT/JP2006/306501)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- user
- address
- agent information
- information
- access source
Classifications
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L63/00—Network architectures or network communication protocols for network security
        - H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- G—PHYSICS
  - G06—COMPUTING; CALCULATING OR COUNTING
    - G06F—ELECTRIC DIGITAL DATA PROCESSING
      - G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
        - G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
          - G06F21/31—User authentication
- G—PHYSICS
  - G06—COMPUTING; CALCULATING OR COUNTING
    - G06F—ELECTRIC DIGITAL DATA PROCESSING
      - G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
        - G06F16/10—File systems; File servers
          - G06F16/13—File access structures, e.g. distributed indices
- G—PHYSICS
  - G06—COMPUTING; CALCULATING OR COUNTING
    - G06F—ELECTRIC DIGITAL DATA PROCESSING
      - G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
        - G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
          - G06F21/31—User authentication
            - G06F21/34—User authentication involving the use of external additional devices, e.g. dongles or smart cards
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L63/00—Network architectures or network communication protocols for network security
        - H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
          - H04L63/083—Network architectures or network communication protocols for network security for authentication of entities using passwords
- G—PHYSICS
  - G06—COMPUTING; CALCULATING OR COUNTING
    - G06F—ELECTRIC DIGITAL DATA PROCESSING
      - G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
        - G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
          - G06F2221/2101—Auditing as a secondary aspect
- G—PHYSICS
  - G06—COMPUTING; CALCULATING OR COUNTING
    - G06F—ELECTRIC DIGITAL DATA PROCESSING
      - G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
        - G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
          - G06F2221/2111—Location-sensitive, e.g. geographical location, GPS
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L2463/00—Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
        - H04L2463/082—Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00 applying multi-factor authentication
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L63/00—Network architectures or network communication protocols for network security
        - H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
          - H04L63/101—Access control lists [ACL]
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L63/00—Network architectures or network communication protocols for network security
        - H04L63/12—Applying verification of the received information
          - H04L63/126—Applying verification of the received information the source of the received data
- H—ELECTRICITY
  - H04—ELECTRIC COMMUNICATION TECHNIQUE
    - H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
      - H04L63/00—Network architectures or network communication protocols for network security
        - H04L63/16—Implementing security features at a particular protocol layer
          - H04L63/168—Implementing security features at a particular protocol layer above the transport layer
Definitions
- The present invention relates to a user confirmation apparatus, method, and program, and in particular to a user confirmation apparatus for confirming whether the user operating a terminal apparatus is a valid user, a user confirmation method, and a user confirmation program for causing a computer to function as the user confirmation apparatus.
- Patent Document 1 describes a technique that authenticates a user by determining, in addition to checking the user ID and password, whether the caller's telephone number notified by the telephone exchange matches the telephone number of the telephone line used by the registered user.
- Patent Document 2 discloses a technique in which an IP address (and a link source URL) permitted to use the service is stored in a database together with the ID and password; in addition to authentication by ID and password, whether to allow use of the service is determined by whether the access source IP address is registered in the database (and, if a link source URL is present in the access signal, whether that URL is registered in the database).
- Patent Document 1: Japanese Patent Application Laid-Open No. 2000-209284
- Patent Document 2: Japanese Patent Application Publication No. 2001-325229
- Disclosure of the invention
- The techniques of Patent Documents 1 and 2 use the telephone number or the IP address to determine whether the access source terminal device is a valid terminal device, and thereby confirm whether the user operating it is a valid user (rather than a third party impersonating the user). The technique of Patent Document 1 has the advantage that a telephone number uniquely identifies a terminal device, but it is not applicable to terminal devices other than those connected to the network via a telephone exchange.
- The IP address used in Patent Document 2 is constant only when a fixed global IP address is assigned to the terminal device, and very few terminal devices are configured that way. Most terminal devices access the Internet through an Internet service provider (hereinafter simply "provider"), which automatically assigns an arbitrary IP address from the global IP addresses it holds, so the IP address differs on each access. Consequently, when a user is confirmed or authenticated on the basis of whether the IP address matches, as in Patent Document 2, there is a risk that access by a legitimate user is judged to be unauthorized access.
- The present invention has been made in view of the above, and its object is to obtain a user confirmation apparatus, user confirmation method, and user confirmation program capable of improving the accuracy of user confirmation without impairing the convenience of the user.
- When HTTP (HyperText Transfer Protocol) is used as the application-layer protocol, each packet received from the terminal device carries an HTTP header, and this header contains user agent (User-Agent) information. The format of the user agent information is not specified by the HTTP protocol, and an arbitrary character string can be set.
- When the terminal device is a computer such as a PC (personal computer) and the application that transmits the packets is a browser (browsing software), the browser's default setting sends user agent information that includes the version of the operating system (OS) running on the computer and the version of the browser. The browser settings may also be changed in advance so that a desired character string is transmitted as the user agent information.
- The user agent information set by a browser's default settings includes, in addition to the OS and browser versions, information on the extent to which patches have been applied to the OS and browser. Therefore, although some terminal devices transmit identical user agent information, the degree to which the user agent information transmitted by different terminal devices differs is high.
- The content of the user agent information changes when a patch is applied to the OS or browser, or when either is upgraded or replaced, but such changes occur very infrequently, so the user agent information transmitted by a given terminal device can be regarded as approximately constant. When a user sets the browser to transmit a desired character string, the degree of difference between terminal devices increases further.
- The inventor therefore stores the user agent information set in the HTTP header of a packet previously received from the terminal device operated by a certain user, and compares it with the user agent information set in the HTTP header of a packet received this time from a terminal device assumed to be operated by the same user. This makes it possible to determine whether the terminal device that transmitted the current packet is the same as the one that transmitted the earlier packet, which improves the accuracy of user confirmation; the present invention was arrived at on this basis.
- The user confirmation apparatus according to claim 1 comprises: extraction means for extracting, from a packet received from a terminal device using HTTP as the application-layer protocol, the user agent information set in the packet's HTTP header; information management means for storing in storage means the user agent information extracted from packets received from the terminal devices operated by individual users, in association with the user identification information of those users; and determination means for determining whether the user operating an arbitrary terminal device is a valid user by comparing the user agent information extracted from a packet received from that terminal device with the user agent information stored in the storage means in association with that user's identification information.
- As the user identification information, for example, a user ID input by the individual user operating the terminal device, or other identification information uniquely derived from the user ID, can be used.
- The user agent information may be stored in the storage means as it is, but for security it is preferable to store it after processing with a known cryptographic method, such as one using a hash function.
- The determination means of claim 1 determines whether the user operating an arbitrary terminal device is a valid user by comparing the user agent information extracted from the packet received from that terminal device with the user agent information stored in the storage means in association with that user's identification information. Because the user agent information transmitted by an individual terminal device can be regarded as approximately constant, this comparison makes it possible to determine whether the terminal device that sent the current packet is the one the same user has used in the past, and on that basis whether the user operating it is a valid user.
- In the invention according to claim 2, the extraction means also extracts the access source IP address from the received packet, and the information management means stores the access source IP address and user agent information extracted from packets received from the terminal devices operated by individual users in the storage means in association with the user identification information of each user. The determination means then determines whether the user operating an arbitrary terminal device is a valid user by determining whether the access source IP address and user agent information extracted from the packet received from that terminal device correspond to the access source IP address and user agent information stored in association with that user's identification information.
- Although the IP address assigned to a terminal device may differ on each access, the IP addresses (global IP addresses) a provider holds for assignment to terminals lie within a certain range. Because an individual terminal device accesses via a particular provider, the IP address assigned to it differs from access to access, yet the upper bits, for example, remain constant, so the degree of matching is high.
- Since claim 2 extracts the access source IP address in addition to the user agent information, stores both in association with the user identification information, and determines validity by whether both the extracted access source IP address and user agent information correspond to the stored ones, the accuracy of user confirmation can be further improved.
- In some cases the required level of accuracy of user confirmation is relatively low, but when, for example, financial transactions such as deposit balance inquiries, deposit and withdrawal inquiries, account transfers, and remittances are carried out according to individual users' instructions, very high accuracy is also required of user confirmation by the apparatus of the present invention.
- In the invention according to claim 3, the storage means stores a password preset for each individual user in association with that user's identification information, and the determination means performs the above determination (whether the user operating an arbitrary terminal device is a valid user) on the basis of the information extracted by the extraction means only when the combination of user identification information and password input by the user is stored in the storage means.
- User confirmation based on the user agent information (and the access source IP address) is thus performed in addition to authentication by user identification information and password, so the accuracy of confirmation is further improved, and even if a third party who has illicitly obtained a valid user's identification information and password attempts to impersonate that user, the access can be detected and blocked.
- As described in claim 4, the determination means may, for example, judge that the access source IP address extracted from the received packet corresponds to an access source IP address stored in the storage means when the rate of coincidence between the two, compared in predetermined bit units, is at or above a predetermined value, and judge that the user agent information extracted from the received packet corresponds to stored user agent information when the two are the same.
- In this way it is possible to accurately determine whether the access source IP address and user agent information extracted from the received packet correspond to the stored access source IP address and user agent information.
- Where access by each user is limited to a single terminal device, one set of access source IP address and user agent information may be stored per user. However, in the invention according to claim 2, where individual users are allowed to access from various terminal devices, for example, when the determination means compares the access source IP address and user agent information extracted from the received packet with the stored access source IP address and user agent information, judges that they do not correspond, and therefore judges that the user is not a valid user, it is preferable that the information management means additionally stores the access source IP address and user agent information extracted from that received packet in the storage means in association with the user identification information. When a plurality of sets of access source IP address and user agent information are stored in association with the identification information of the user operating an arbitrary terminal device, the determination means compares the access source IP address and user agent information extracted from the packet received from that terminal device with each of the stored sets to determine whether the user is a valid user.
- Thus, when a plurality of sets are stored in association with the user's identification information, the determination means compares the extracted access source IP address and user agent information with each of them, so a user who was judged not to be valid on the first access from a new terminal device is judged to be a valid user on the next and subsequent accesses through that terminal device.
- Each user can access using a desired one of a plurality of terminal devices, such as one installed at home and one installed at work. Even when users are permitted to access from terminal devices that are not fixed, the number of terminal devices used by each user is limited, so access through a new terminal device on every access is extremely rare, and a legitimate user is therefore rarely judged not to be a valid user.
- Alternatively, when the extracted access source IP address and user agent information are judged not to correspond to the stored ones, the information management means may additionally store them in the storage means only if the user operating the packet's source terminal device has been determined to be a valid user by a method different from that of the determination means.
- As described in claim 6, when a plurality of sets of access source IP address and user agent information associated with the identification information of the user operating an arbitrary terminal device are stored in the storage means, the determination means may be configured to determine that the user is a valid user if the access source IP address and user agent information extracted from the received packet are judged to correspond to at least one of the stored sets. In this way, a valid user who selectively accesses from a plurality of terminal devices can also be accurately determined.
- As described in claim 7, when a plurality of sets of access source IP address and user agent information associated with the identification information of the user operating an arbitrary terminal device are stored in the storage means, the determination means may be configured to determine that the user is not a valid user if none of the stored sets has both an access source IP address judged to correspond to the extracted access source IP address and user agent information judged to correspond to the extracted user agent information.
- However, when the usage environment is special, for example because the user accesses with a different terminal device each time, or uses a portable terminal device such as a notebook PC from a different hot spot (a place where a public wireless LAN can be used) each time, none of the stored sets corresponds to the access source IP address and user agent information extracted from the received packet, and the inconvenience arises that the user is judged not to be a valid user.
- In the invention according to claim 8, therefore, when a user judged by the determination means not to be a valid user is determined to be a valid user by a confirmation method different from that of the determination means, the information management means stores predetermined identification information in the storage means in association with that user's identification information. For a user whose predetermined identification information is stored, the determination means determines that the user operating the arbitrary terminal device is a valid user if, among the plurality of stored sets, there are two or more whose access source IP address is judged to correspond to the extracted access source IP address, or two or more whose user agent information is judged to correspond to the extracted user agent information.
- When a valid user accesses with a different terminal device each time, the stored sets contain a plurality of access source IP addresses judged to correspond to the extracted one, and the user can be determined to be valid on that basis; when a valid user accesses with a portable terminal device from a different hot spot each time, the stored sets contain a plurality of user agent information entries judged to correspond to the extracted one, and the user can likewise be determined to be valid. Therefore, according to claim 8, user confirmation can be performed accurately even when the user's usage environment is special.
- The e-mail address used by each user may serve as that user's user identification information.
- In the invention according to claim 10, when the determination means judges that the access source IP address and user agent information extracted from the received packet do not correspond to any of the plurality of sets stored in association with the identification information of the user operating the arbitrary terminal device, and the number of sets stored for that user has reached a predetermined upper limit, the information management means stores the extracted access source IP address and user agent information by overwriting the set that was stored earliest.
- This prevents the number of sets stored for a user from exceeding the upper limit, so the storage capacity of the storage means is saved, and because the number of sets the determination means must compare against the extracted access source IP address and user agent information is also kept at or below the upper limit, a heavy load on the determination means is prevented.
- When the extracted access source IP address and user agent information are judged not to correspond to any stored set for the user operating the arbitrary terminal device, the information management means may overwrite the stored information with the newly extracted access source IP address and user agent information only when the user operating the packet's source terminal device has been confirmed to be a valid user by a method different from that of the determination means.
- If the information management means instead unconditionally stores the new access source IP address and user agent information by overwriting (regardless of whether the user has been confirmed valid by a different method), then when the new information corresponds to unauthorized access, information corresponding to the valid user may be overwritten and lost, although storing it does have the effect that the unauthorized access can be detected.
- In the invention according to claim 11, when the determination means, having compared the extracted access source IP address and user agent information with each of the plurality of stored sets, judges that they correspond to a specific stored set, the information management means preferably overwrites at least the user agent information of that specific set with the user agent information extracted from the received packet.
- The content of the user agent information changes when a new patch is applied to the OS or browser, when either is upgraded or replaced, or when the user has set the browser to transmit a desired character string and then changes that string. By overwriting the user agent information of the corresponding set with the newly extracted user agent information, the storage means always holds the latest user agent information, and the accuracy of subsequent user confirmation can be improved. The access source IP address extracted from the received packet may also be overwritten and stored together with the user agent information.
- HTTP is applied as the protocol of the application layer. User agent information set in the HTTP header of the packet received from the terminal device operated by each user is extracted, and the extracted user agent information is stored in the storage means in association with the user identification information of that individual user.
- user agent information set in the HTTP header of a packet received from an arbitrary terminal device is extracted and collated with the user agent information stored in the storage means in association with the user identification information of the user operating that arbitrary terminal device,
- so as to determine whether the user operating the arbitrary terminal device is a valid user. As in the invention according to claim 1, the accuracy of user confirmation can therefore be improved without impairing the convenience of the user.
- the user confirmation program according to the invention of claim 13 causes a computer having storage means to function as: extraction means for extracting, from a packet received from a terminal device to which HTTP is applied as the application layer protocol, the user agent information set in the HTTP header of the packet;
- information management means for storing in the storage means the user agent information extracted by the extraction means from packets received from the terminal devices operated by individual users, in association with the user identification information of those individual users;
- and determination means for determining whether the user operating an arbitrary terminal device is a valid user by collating the user agent information extracted by the extraction means from a packet received from that arbitrary terminal device with the user agent information stored in the storage means in association with the user identification information of the user operating that terminal device.
- since the user confirmation program according to claim 13 causes a computer provided with storage means to function as the above extraction means, information management means and determination means, the computer functions as the user confirmation device according to claim 1, and, as in the invention according to claim 1, the accuracy of user confirmation can be improved without loss of user convenience.
- as described above, in the present invention HTTP is applied as the protocol of the application layer; user agent information is extracted from the HTTP header of the packet received from the terminal device operated by each user and stored in association with the user identification information of that user.
- user agent information extracted from the HTTP header of a packet received from an arbitrary terminal device is collated with the user agent information stored in association with the user identification information of the user operating that terminal device, in order to determine whether that user is a valid user. The invention therefore has the excellent effect that the accuracy of user confirmation can be improved without impairing the convenience of the user.
- FIG. 1 is a block diagram showing a schematic configuration of a computer system according to an embodiment of the present invention.
- FIG. 2 is a conceptual diagram for explaining addition and removal of a header in each layer, in addition to transmission of HTTP data to the server.
- FIG. 3 is a flowchart showing the contents of the user authentication process performed by the server.
- FIG. 4 is a schematic view showing the contents of usage history information.
- FIG. 5 is a table showing the determination conditions for authentication OK/NG based on usage history information.
- FIG. 6 is an image diagram showing an example of a re-authentication request mail.
- FIG. 7 is a flowchart showing the contents of usage history table update processing.
- FIG. 8 is an image view showing an example of a confirmation e-mail.
- the computer system 10 is configured to include a web server 12 installed in a specific financial institution.
- the web server 12 includes a CPU 12A, a memory 12B including a RAM and the like, a hard disk drive (HDD) 12C, and a network interface (I/F) unit 12D.
- An authentication information database (DB) and a use history table are stored in the HDD 12C, and correspond to storage means according to the present invention.
- a user authentication program for the CPU 12A to perform user authentication processing described later is installed in the HDD 12C.
- the user authentication program corresponds to the user confirmation program according to claim 13, and when the CPU 12A executes the user authentication program, the web server 12 functions as a user confirmation device according to the present invention.
- the network I/F section 12D of the web server 12 is directly connected to a computer network (the Internet) 16 in which a large number of web servers are interconnected via communication lines, and is also connected to an intranet (LAN) 26 installed in the specific financial institution. An accounting system 28 is connected to the intranet 26.
- a large number of client terminals 18, each of which is a PC, are connected to the Internet 16.
- a browser is installed on each client terminal 18, and the client terminal 18 corresponds to the terminal device according to the present invention.
- a client terminal 18 may be connected directly to the Internet 16 (via a provider not shown in detail), as with the client terminal labelled "18A",
- or may be installed in an enterprise and connected to the Internet 16 via a proxy server 22, as with the client terminal labelled "18B".
- the specific financial institution provides, as a service enabling a user who has an account at the institution to conduct online financial transactions, an online financial transaction reception service that accepts instructions from users to execute online financial transactions through the online financial transaction website operated by the web server 12.
- the user browses the web pages of the online financial transaction website via the client terminal 18 and inputs the necessary information on the web page, whereupon information instructing execution of the desired financial transaction (financial transaction instruction information) is transmitted from the client terminal 18 to the web server 12.
- the financial transaction instruction information is transferred from the web server 12 to the accounting system 28 and the like connected to the intranet 26, so that the financial transaction instructed by the user is carried out by the accounting system 28 and the like on the basis of the financial transaction instruction information.
- a user who wishes to use the online financial transaction reception service applies for use of the service to the specific financial institution in advance.
- each time a user applies for use of the service, the specific financial institution assigns a user ID (corresponding to the user identification information according to the present invention) to the user, and the assigned user ID, together with a password set by the user (this embodiment
- and the e-mail address notified by the user (the e-mail address used by the user), is registered in the authentication information DB stored in the HDD 12C of the web server 12.
- the HDD 12C storing the authentication information DB corresponds to the storage means according to claims 3 and 9 and to the e-mail address storage means described above.
- IP is applied as the protocol of the Internet layer, TCP (Transmission Control Protocol) as the protocol of the transport layer, and HTTP as the protocol of the application layer.
- the instruction to access the online financial transaction website is given by the user operating the input device of the client terminal 18 while the browser is running on the client terminal 18, for example by specifying the URL (Uniform Resource Locator) of the online financial transaction website.
- the browser, which is the application program performing the processing corresponding to the application layer, generates HTTP data requesting the web server 12 to deliver the web page corresponding to the designated URL,
- and an HTTP header in which the information corresponding to the application layer is set is added to the beginning of the HTTP data (see FIG. 2).
- the information set in the HTTP header includes user agent information. In the default setting of the browser, information indicating the OS running on the client terminal 18 and the browser itself, their versions, and the extent to which patches and the like have been applied, is set as this user agent information.
- it is also possible to change the browser settings so that an arbitrary character string is fixedly set as the user agent information; when such a setting change has been made, the character string designated in advance is set as the user agent information.
- the HTTP data with the HTTP header added is passed sequentially from the processing module of the upper layer to the processing module of the lower layer; the processing module of each layer performs the processing corresponding to that layer and adds, at the beginning of the information handed to it, a header in which the information corresponding to that layer is set.
- as a result, the HTTP data is sent to the web server 12 as a packet to which a network header corresponding to the network interface layer, an IP header corresponding to the Internet layer, a TCP header corresponding to the transport layer and the HTTP header corresponding to the application layer have been added.
- the processing module corresponding to the Internet layer sets, as information corresponding to the Internet layer, the destination IP address indicating the destination of the packet and the source IP address (the IP address assigned to the client terminal 18) in the IP header, and the processing module corresponding to the transport layer sets information such as the TCP port numbers in the TCP header as information corresponding to the transport layer.
- processing modules for each layer are also running on the web server 12, and a packet from the client terminal 18 is handed over in order from the processing module of the lower layer to the processing module of the upper layer.
- each processing module refers to the header corresponding to its own layer at the beginning of the packet handed to it, performs the processing corresponding to that layer based on the information set in that header, and then removes that header before passing the packet on, so the headers are removed sequentially.
- these processing modules include the processing module that performs the user authentication processing described later,
- and the web server 12 performs that processing using the source IP address (access source IP address) set in the IP header of the packet received from the client terminal 18. Because the IP header has already been removed by the time the processing module performing user authentication receives the packet, the source IP address cannot be obtained from it as it is. Therefore, the processing module of the Internet layer running on the web server 12 performs processing such as appending the source IP address set in the IP header of the packet received from the client terminal 18 to the HTTP data, so that the source IP address is conveyed to the processing module of the application layer (the processing module that performs the user authentication processing).
- a predetermined processing module running on the web server 12 (this processing module is also a processing module corresponding to the application layer) then determines whether the packet received from the client terminal 18 is an authentication request packet based on whether predetermined information is set in the HTTP data.
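The extraction just described, as an added Python example that is not the patent's own code: the user agent string is read from the HTTP header of the request, while the access source IP address is supplied separately by the lower layer, modelled here as a `peer_ip` argument handed up by the transport layer, because the IP header is gone by the time the application layer sees the data. The request bytes, the `/login` path and the form field names `user_id` and `password` (the "predetermined information") are constructed for this example.

```python
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs

# Constructed sample authentication request; path and field names are assumptions.
SAMPLE_REQUEST = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: bank.example\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 10.0) ExampleBrowser/1.0\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 28\r\n"
    b"\r\n"
    b"user_id=u123&password=secret"
)


def split_request(raw: bytes) -> Tuple[str, Dict[str, str], bytes]:
    """Split a raw HTTP/1.1 request into (request line, headers, body).

    Header names are case-insensitive, so they are lower-cased; a request
    without the blank line that ends the header block yields an empty body.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if colon:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body if sep else b""


def extract_user_agent(raw: bytes) -> Optional[str]:
    """Step 36, user agent part: the User-Agent header value, or None if absent."""
    _, headers, _ = split_request(raw)
    return headers.get("user-agent")


def is_auth_request(raw: bytes) -> bool:
    """The 'predetermined information' check: a POST to /login carrying both fields."""
    request_line, _, body = split_request(raw)
    form = parse_qs(body.decode("iso-8859-1"))
    return request_line.startswith("POST /login ") and "user_id" in form and "password" in form


def extract_auth_request(raw: bytes, peer_ip: str) -> Optional[Dict[str, str]]:
    """Return the fields the user authentication process needs, or None when the
    packet is not an authentication request packet.

    peer_ip is the source address the lower layer took from the IP header (for a
    socket server, the peer address); it is deliberately not read from any HTTP
    header, since the client controls every header value it sends.
    """
    if not is_auth_request(raw):
        return None
    _, headers, body = split_request(raw)
    form = parse_qs(body.decode("iso-8859-1"))
    return {
        "user_id": form["user_id"][0],
        "password": form["password"][0],
        "user_agent": headers.get("user-agent", ""),
        "access_source_ip": peer_ip,
    }
```

If the server sits behind a reverse proxy of its own, the peer address is the proxy's, and the client address must then be taken from a header that only that trusted proxy is allowed to set; without such a proxy, any client-supplied address header is untrusted input.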
- the online financial transaction website consists of a large number of web pages linked to one another, and by following links from the home page of the website the user reaches a financial transaction execution instruction page on which the conditions of the desired financial transaction can be specified and its execution instructed.
- the home page displays input fields for entering the user ID and password,
- together with a message prompting the user to log in. When the user enters the user ID and password in the corresponding input fields of the home page and instructs transmission, an authentication request packet in which predetermined information is set in the HTTP data is transmitted from the client terminal 18 operated by the user.
- when the predetermined processing module determines that the packet received from the client terminal 18 is not an authentication request packet, it performs processing according to the received packet: for example, it generates HTTP data for delivering the requested web page of the online financial transaction website to the client terminal 18 and adds an HTTP header to the generated HTTP data.
- the HTTP data and HTTP header are then transmitted as a packet to the client terminal 18 by a process that is the reverse of the process shown in FIG. 2. As a result, the web page whose delivery the user requested via the client terminal 18 is displayed on the display of the client terminal 18.
- when the predetermined processing module determines that the received packet is an authentication request packet, it activates the processing module that performs the user authentication processing,
- whereby the user authentication program is executed by the CPU 12A and the user authentication process shown in FIG. 3 is performed.
- in the user authentication process, first, in step 30, the user ID and password are extracted from the HTTP data of the received authentication request packet, and in the next step 32 an authentication process is performed that searches the authentication information DB for the combination of user ID and password extracted in step 30.
- in step 34, whether the authentication process in step 32 succeeded is determined based on whether the combination of user ID and password was found in the authentication information DB by the search in step 32.
- if the determination is negative, in step 74 the predetermined processing module that activated the process is notified of the authentication failure, and the user authentication process is terminated.
- in that case, the predetermined processing module performs error processing such as displaying, on the display of the client terminal 18 that transmitted the authentication request packet, a message notifying that the entered user ID or password is incorrect.
- if the determination in step 34 is affirmative, that is, the authentication in step 32 succeeded (corresponding to "the case where the combination of the user identification information and the password is stored in the storage means" according to claim 3),
- the process proceeds to step 36, where the access source IP address (source IP address) is extracted from the HTTP data of the received authentication request packet and the user agent information is extracted from the HTTP header of the authentication request packet.
- this step 36 corresponds to the extraction means according to the present invention (more specifically, the extraction means according to claim 2).
- in the next step 38, the usage history information corresponding to the user ID extracted in step 30 is extracted from the usage history table stored in the HDD 12C, and the extracted usage history information is stored in the memory 12B.
- the usage history table according to the present embodiment, as shown in FIG. 4, is configured with an area for storing usage history information for each user (valid user) who has applied in advance for use of the online financial transaction reception service and been given a user ID.
- the usage history information storage area for each user comprises a customer ID, a transaction stop flag, a special environment flag, a threshold for collation determination, an index id, and two sets of access source IP address and user agent information.
- the transaction stop flag indicates whether authentication on the normal route (authentication based on the access source IP address and user agent information) is to be stopped; the transaction stop flag area is initially set to 0, the initial value of the transaction stop flag, meaning that normal-route authentication is valid.
- the special environment flag indicates whether the user's usage environment is special; the special environment flag area is initially set to 0, the initial value of the special environment flag, meaning a normal environment.
- the index id indicates which of the two sets of access source IP address and user agent information (IP0, UA0 and IP1, UA1) registered as usage history information is the latest; the index area is initially set to the initial value 0 (indicating that IP0 and UA0 are the latest). In addition, each access source IP address area and user agent information area is initially blank (no information).
- in step 38 described above, the customer master (not shown) is searched using the user ID extracted in step 30 as a key to obtain the account number of the account held by the user to whom the user ID is assigned,
- a customer ID is obtained from the extracted account number using a hash function,
- and the usage history table is searched using the obtained customer ID as a key to extract the usage history information corresponding to the user ID.
- in the next step 40, it is determined whether the transaction stop flag in the extracted usage history information is "1". If the determination is negative, the process proceeds to step 42, where it is determined whether one or more sets of access source IP address and user agent information are registered in the extracted usage history information.
- the access source IP address and user agent information extracted from the authentication request packet in step 36 are registered as usage history information once the online financial transaction website has been accessed one or more times (details are described later). If the access source IP address and user agent information are already registered as usage history information, the determination in step 42 is affirmative and the process proceeds to step 44, where the access source IP address and user agent information extracted from the authentication request packet in step 36 are collated with the access source IP address and user agent information registered as usage history information.
- the collation of the IP address is performed as follows.
- an IP address is 4-byte data, and in the present embodiment a hash value is calculated for each byte using a hash function, so that four hash values are registered as the access source IP address.
- therefore a hash value is likewise calculated for each byte of the access source IP address extracted in step 36, the four hash values obtained are compared value by value with the four hash values registered in the access source IP address area, and a match rate is obtained. The match rate is then compared with the threshold for collation determination set in the usage history information: if the match rate is equal to or greater than the threshold, the current access source IP address is determined to correspond to the registered access source IP address, and if the match rate is less than the threshold, it is determined not to correspond.
- while the IP address (global IP address) of a client terminal 18A may be fixed in advance by a contract with the provider, the provider may instead assign an unfixed IP address (one of the IP addresses within a certain range that the provider has secured in advance for assignment) each time a connection to the Internet 16 is made.
- likewise, an enterprise acquires its own domain and secures a range of IP addresses for assignment,
- and a packet sent from a client terminal 18B is sent out to the Internet 16 after the proxy server 22 has overwritten the source IP address set in the IP header with one of the IP addresses in the range secured in advance by the enterprise for assignment.
- in either case the assigned IP address falls within a certain range (the upper several bytes are the same), which is why the byte-wise match rate is compared with a threshold instead of requiring the whole IP address to match.
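The byte-wise collation just described, as an added Python example rather than the patent's own code: one hash per octet is stored instead of the raw address, the four stored values are compared position by position with those of the current address, and the resulting match rate is tested against the per-user threshold. The server key, the threshold value 0.75 and the sample addresses are constructed for the example. Using a keyed hash (HMAC-SHA-256 under a server-side secret) rather than a plain hash is my choice, not the page's: an unkeyed hash of a single byte has only 256 possible outputs and would hide nothing.

```python
import hashlib
import hmac
import ipaddress
from typing import List

# Constructed server-side secret; in a deployment it would come from a key store.
SERVER_KEY = b"example-only-server-secret"


def ip_octet_hashes(ip: str, key: bytes = SERVER_KEY) -> List[str]:
    """One keyed hash per octet of an IPv4 address (four values).

    The octet position is mixed into the input so that an address such as
    10.1.1.10 does not yield the same value at positions 0 and 3.
    """
    packed = ipaddress.IPv4Address(ip).packed  # raises ValueError for non-IPv4 input
    return [
        hmac.new(key, bytes([position, octet]), hashlib.sha256).hexdigest()
        for position, octet in enumerate(packed)
    ]


def match_rate(stored: List[str], current: List[str]) -> float:
    """Fraction of octet positions whose stored and current hashes agree."""
    if not stored or len(stored) != len(current):
        return 0.0
    hits = sum(1 for s, c in zip(stored, current) if hmac.compare_digest(s, c))
    return hits / len(stored)


def ip_corresponds(stored: List[str], current_ip: str, threshold: float) -> bool:
    """Step 44 for the IP address: 'corresponding' when the match rate reaches
    the user's threshold for collation determination."""
    return match_rate(stored, ip_octet_hashes(current_ip)) >= threshold


def ua_corresponds(stored_ua: str, current_ua: str) -> bool:
    """Step 44 for the user agent information: an exact string comparison."""
    return stored_ua == current_ua


if __name__ == "__main__":
    registered = ip_octet_hashes("203.0.113.10")  # constructed registered address
    # Same provider/proxy range, only the last octet differs: 3 of 4 positions match.
    print(match_rate(registered, ip_octet_hashes("203.0.113.77")))  # 0.75
    print(ip_corresponds(registered, "203.0.113.77", 0.75))          # True
    print(ip_corresponds(registered, "198.51.100.10", 0.75))         # False
```

With a threshold of 0.75 an address from the same /24 range still corresponds, matching the proxy and provider cases above, while an address that shares only its last octet does not.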
- for the user agent information, if the current user agent information is identical to the registered user agent information it is determined to "correspond", and if it is not identical to the registered user agent information it is determined "not to correspond".
- in the next step 46, based on the collation result of step 44, the authentication of the user operating the client terminal 18 that transmitted the authentication request packet is determined as one of "success", "conditional success" or "failure", and the process branches according to the determination result.
- the above determination is performed according to the determination table shown in FIG. 5.
- in FIG. 5, "○" indicates that the collation in step 44 was determined as "corresponding", and "×" that it was determined as "not corresponding".
- the "latest" access source IP address and user agent information in FIG. 5 denote the set of access source IP address and user agent information that the index id points to, and the "previous" access source IP address and user agent information denote the other set.
- if only one set of access source IP address and user agent information (only the "latest" information) is registered, the collation results for both the "previous" access source IP address and the "previous" user agent information are treated as "corresponding", and the determination of step 46 is then performed.
- the above steps 44 and 46, together with step 64 described later, correspond to the determination means according to the present invention (more specifically, the determination means according to claims 2 to 8).
- if the collation result in step 44 satisfies the condition that, of the two sets of access source IP address and user agent information registered as usage history information, at least one set corresponds to the access source IP address and user agent information extracted from the authentication request packet on both items (referred to as the first condition for convenience),
- it is determined in step 46 that the authentication is "success", shown as "authentication OK" in FIG. 5.
- if the collation result in step 44 satisfies the condition that there is no set, among the sets of access source IP address and user agent information registered as usage history information, for which both the access source IP address and the user agent information extracted from the authentication request packet correspond (referred to as the second condition for convenience), then at least one of the access source and the client terminal 18 of the current access differs from when the user accessed the online financial transaction website in the past, and there is a high possibility that the user operating the client terminal 18 that transmitted the authentication request packet is not a valid user.
- however, there may also exist users whose usage environment is special: for example, a user who possesses a large number of client terminals 18 capable of accessing the online financial transaction website and accesses it from an indefinite number of them (in which case the user agent information is likely to differ each time), or a user who accesses it using a portable client terminal 18 such as a notebook PC. A user whose usage environment is special in this way also falls under the second condition.
- if the collation result in step 44 satisfies the second condition but also satisfies the condition that the access source IP addresses of both registered sets are determined to correspond to the access source IP address extracted from the authentication request packet, or the user agent information of both registered sets is determined to correspond to the user agent information extracted from the authentication request packet (referred to as the third condition for convenience), it is determined that the authentication is "conditional success", shown as "conditional authentication OK" in FIG. 5. If the collation result in step 44 satisfies the second condition but does not satisfy the third condition, it is determined that the authentication is "failure", shown as "authentication NG" in FIG. 5.
- if it is determined in step 46 that the authentication is "success", the process proceeds to step 48, where it is determined whether the special environment flag of the usage history information is 1. If the determination is negative, the process proceeds to step 52, where the predetermined processing module that activated the process is notified of the authentication success. In that case, the predetermined processing module performs processing such as delivering, to the client terminal 18 that transmitted the authentication request packet, a predetermined web page that is delivered only to users confirmed to be valid users.
- in the next step 54, it is determined whether the index id points to the set of access source IP address and user agent information registered as usage history information that was determined to correspond to the access source IP address and user agent information extracted from the authentication request packet.
- if the determination is affirmative, the process proceeds to step 60, where the access source IP address and user agent information extracted from the authentication request packet are registered as usage history information by overwriting the "latest" access source IP address and user agent information,
- and the process then proceeds to step 62. If the determination in step 54 is negative, the process proceeds to step 56, where the access source IP address and user agent information extracted from the authentication request packet are registered as usage history information by overwriting the "previous" access source IP address and user agent information (the set the index id does not point to). (When the access source IP address and user agent information to be overwritten are "blank", the overwrite registration in step 56 corresponds to the "additional storage" described in claim 5.) Then, in the next step 58, the bit of the index id is inverted, so that the access source IP address and user agent information overwritten and registered in step 56 become the "latest".
- in step 62, the usage history information stored in the memory 12B is written back to the usage history table, whereby the usage history information on the usage history table is updated, and the user authentication process is terminated.
- in steps 60 and 56 above, the access source IP address and user agent information extracted from the authentication request packet are thus overwritten on the access source IP address and user agent information registered as usage history information.
- in step 70 (reached when the determination in step 40 is affirmative, or when the authentication is determined to be "failure" in step 46), the e-mail address stored in the authentication information DB in association with the user ID extracted in step 32 is read, and a re-authentication request mail such as that shown in FIG. 6 is sent to the e-mail address that was read.
- step 70 corresponds to the transmitting means of claim 9.
- in the next step 72, the predetermined processing module that activated the process is notified of the authentication failure, and the process proceeds to step 54,
- where the access source IP address and user agent information extracted from the authentication request packet are registered by overwriting into the usage history information as described above; the usage history information is then written back to the usage history table and the user authentication process is terminated.
- if it is determined in step 46 that the authentication is "failure", 1 is set in the transaction stop flag. Consequently, when the user authentication process is executed again for the same user, the determination in step 40 is affirmative and the process proceeds to step 70: authentication on the normal route (authentication based on the access source IP address and user agent information) is not performed, the re-authentication request mail is sent again (step 68), and the predetermined processing module that activated the process is notified of the authentication failure again (step 72). Therefore, if the previous user authentication process in which the authentication was determined to be "failure" in step 46 was caused by unauthorized access by a third party who obtained the user ID and password illegally, the authentication will be "failure" even when the valid user subsequently tries to access the online financial transaction website and be authenticated, but in exchange it can be detected that there has been unauthorized access.
- the user operating the client terminal 18 of the authentication request packet transmission source is a valid user, if it is determined that the authentication is “failed” in step 46 as described above, The user receives the re-authentication request mail sent in step 70 above, performs an operation to access the re-authentication dedicated web page from the link 100 attached to the received re-authentication request mail, Receive a predetermined recertification procedure via the recertification web page displayed on the display. If it is confirmed in this re-authentication procedure that the user is a valid user, the processing module performing the user authentication process is notified of the success of the re-authentication.
- the processing module performing the user authentication processing performs the usage history table update processing shown in FIG. 7 when notified of the re-authentication success. That is, the user ID of the user confirmed to be a valid user by the re-authentication procedure is added as information to the above re-authentication notification, and in step 80, first, it is determined that the user is a valid user. Extract 'acquired user ID of user. In the next step 82, the usage history information corresponding to the user ID acquired in step 80 is extracted, and the extracted usage history information is stored in the memory 12B. In step 84, the extracted usage history information is In addition, set the special environment flag to 1 as well as returning the suspension flag to 0.
- Step 86 the usage history information is written back to the usage history table, and the usage history table updating process is ended.
- the transaction suspension flag is returned to 0
- the determination in step 40 is negative, and the authentication on the normal route is resumed. It will be.
- Step 84 corresponds to the information management means described in claim 8.
- In step 46 it is also determined whether or not the special environment flag in the usage history information is set to 1.
- When the authentication is "conditionally successful", the user operating the client terminal 18 that sent the authentication request packet is, as described above, highly likely to be a user whose usage environment is special, but the possibility that it is an unauthorized access by a third party cannot be ruled out.
- Conditional success in the present embodiment therefore makes success in the above re-authentication procedure the condition for treating the authentication as successful: that is, when the determination of step 64 is negative, i.e.
- in that case the process proceeds to step 68 and processing such as transmission of the above re-authentication request mail is performed.
- Step 64 determines whether re-authentication success has been notified and the usage history table update process (FIG. 7) has been performed; if this is affirmed, the process proceeds to step 66, and in step 32
- The date and time of the access and similar details are described in this confirmation e-mail, so even if this access was an unauthorized access, the legitimate user can detect that unauthorized access has occurred by referring to the confirmation e-mail they receive.
- From step 66 the process proceeds to step 52. After the predetermined processing module that activated the process has been notified of the authentication success, in step 54 and the following steps the access source IP address and user agent information extracted from the authentication request packet are overwrite-registered in the usage history information, the usage history information is written back to the usage history table, and the user authentication process ends. In this way, even a user whose usage environment is special can be judged to be a valid user.
- When step 46 determines that the authentication is "successful", step 48 determines whether the special environment flag is set to 1. If it is, the special environment flag is reset to 0 in step 50 and the process then proceeds to step 52. This eliminates the drawbacks mentioned above.
- While no access source IP address and user agent information are registered yet in the usage history information (for example on a user's first access), authentication on the normal route cannot succeed: the determination at step 42 is negative and the process moves to step 68.
- There, the transaction suspension flag is set to 1 and processing such as sending the re-authentication request mail is performed, so that the user undergoes the predetermined re-authentication procedure via the dedicated re-authentication web page.
- If the re-authentication succeeds, the access source IP address and user agent information are registered in the usage history information in step 60 and the transaction suspension flag is reset to 0, so that the next access is authenticated normally on the normal route.
- The upper limit on the number of registered sets of access source IP address and user agent information may also be 3 or more.
- If none of the already registered sets corresponds to the new access source IP address and user agent information extracted from the authentication request packet, the new set is added as a further registration until the number of registered sets reaches the upper limit.
- An upper limit on the number of registered sets need not be set at all. For example, in consideration of special usage environments such as access from a large number of client terminals 18 or selective access from multiple kinds of access source (for example, multiple hotspots), sets of access source IP address and user agent information may be registered without an upper limit: if one of the already registered sets corresponds to the new access source IP address and user agent information extracted from the authentication request packet, the new set is registered by overwriting the corresponding set, and otherwise the new
- A registered set may be deleted when the period elapsed since its registration exceeds a threshold, or when the number of times it has been determined not to correspond to the new access source IP address and user agent information exceeds a threshold.
- The usage history information may then grow larger, but even a user whose usage environment is special can be determined "successful" in step 46, so there is no need for "conditional success" and security can be further improved.
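The following Python model is an added illustration of the flow described in the preceding steps (steps 40 to 72 and the FIG. 7 update) together with the registration upper limit and the deletion rule above; it is not code from the patent or its applicant. Assumptions that the description does not state are marked in the module docstring and in comments: pairs are compared by exact string match, the oldest pair is evicted when a bounded table is full, the "number of times determined not to correspond" is kept per pair as `misses`, and a successful re-authentication is remembered in `reauth_confirmed` until step 64 consumes it.

```python
"""Usage-history user confirmation, as an added illustration of the flow
described in the patent text (not code from the patent or its applicant).

Assumptions not stated on the page: a pair "corresponds" on exact string
match; when the table is full the oldest pair is evicted; the number of
times a pair was determined not to correspond is kept per pair in `misses`;
a successful re-authentication is remembered in `reauth_confirmed` until
step 64 consumes it. Step numbers in comments refer to the description.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional


class Result(Enum):
    SUCCESS = "successful"
    CONDITIONAL = "conditionally successful"
    FAILED = "failed"


@dataclass
class Pair:
    ip: str
    user_agent: str
    registered_at: int      # caller-supplied clock, seconds
    misses: int = 0         # times this pair did not correspond to a new access


@dataclass
class History:
    pairs: List[Pair] = field(default_factory=list)
    suspended: bool = False          # transaction suspension (stop) flag
    special_env: bool = False        # special environment flag
    reauth_confirmed: bool = False   # assumption: set by re-auth, consumed at step 64


@dataclass
class Outcome:
    result: Result
    mails: List[str] = field(default_factory=list)   # "reauth" / "confirmation"


class UserConfirmation:
    def __init__(self, max_pairs: Optional[int] = 3):
        self.max_pairs = max_pairs        # None: register without an upper limit
        self.table: Dict[str, History] = {}

    def history(self, user_id: str) -> History:
        return self.table.setdefault(user_id, History())

    @staticmethod
    def _match(h: History, ip: str, ua: str) -> Optional[Pair]:
        return next((p for p in h.pairs if p.ip == ip and p.user_agent == ua), None)

    def register(self, h: History, ip: str, ua: str, now: int) -> None:
        """Steps 54-60: overwrite the corresponding pair, otherwise add a new one."""
        hit = self._match(h, ip, ua)
        for p in h.pairs:
            if p is not hit:
                p.misses += 1
        if hit is not None:
            hit.registered_at, hit.misses = now, 0
            return
        if self.max_pairs is not None and len(h.pairs) >= self.max_pairs:
            # table full: evict the oldest pair (assumption; the page does not say which)
            h.pairs.remove(min(h.pairs, key=lambda p: p.registered_at))
        h.pairs.append(Pair(ip, ua, now))

    @staticmethod
    def _suspend(h: History) -> Outcome:
        """Steps 68/72: suspend transactions, send re-auth request mail, report failure."""
        h.suspended = True
        return Outcome(Result.FAILED, ["reauth"])

    def authenticate(self, user_id: str, ip: str, ua: str, now: int) -> Outcome:
        h = self.history(user_id)
        if h.suspended:                         # step 40: skip normal route, resend mail
            return Outcome(Result.FAILED, ["reauth"])
        if self._match(h, ip, ua) is not None:  # steps 42/46: pair corresponds
            h.special_env = False               # steps 48/50: back to a normal environment
            self.register(h, ip, ua, now)       # step 52 onward
            return Outcome(Result.SUCCESS)
        if not h.special_env:                   # no match, no special environment: "failed"
            return self._suspend(h)
        # step 46 says "conditionally successful"; step 64 asks whether re-auth succeeded
        if not h.reauth_confirmed:
            return self._suspend(h)
        h.reauth_confirmed = False
        self.register(h, ip, ua, now)           # step 66 -> 52: treated as a valid user
        return Outcome(Result.CONDITIONAL, ["confirmation"])  # mail states access date/time

    def reauth_success(self, user_id: str) -> None:
        """FIG. 7, steps 80-86: special environment flag to 1, suspension flag to 0."""
        h = self.history(user_id)
        h.special_env, h.suspended, h.reauth_confirmed = True, False, True

    def prune(self, user_id: str, now: int, max_age: int, max_misses: int) -> int:
        """Optional deletion rule: drop pairs that are too old or missed too often."""
        h = self.history(user_id)
        before = len(h.pairs)
        h.pairs = [p for p in h.pairs
                   if now - p.registered_at <= max_age and p.misses <= max_misses]
        return before - len(h.pairs)
```

The scenario the description emphasises falls out of `authenticate`: an attacker holding a stolen user ID and password but arriving from an unregistered pair is refused and sets the suspension flag, after which the legitimate user's own next login is refused too and receives a second re-authentication mail, which is how the intrusion becomes visible. `prune` is the optional deletion rule for the unbounded variant; `max_pairs=None` selects that variant.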
- The client terminal 18, which is a PC, has been described as an example of the terminal device according to the present invention,
- but the terminal device is not limited to this; it may also be a mobile terminal such as a PDA or a cellular phone having a function for accessing the Internet.
- This type of mobile terminal is connected to the Internet via a gateway server provided in the wireless communication network. In detail, the information transmitted by the mobile terminal to access a website is received by the gateway server,
- converted to the protocols applied to communication via the Internet 16 (Internet layer protocol: IP, transport layer protocol: TCP, application layer protocol: HTTP),
- one of the IP addresses within the range that the wireless communication carrier has secured in advance for assignment is set as the sender IP address in the IP header,
- information including the model, model number, browser version and the like of the mobile terminal is set in the HTTP header as user agent information, and the result is sent out to the Internet 16.
- Thus a packet arriving from a mobile terminal also carries an access source IP address and user agent information.
- Furthermore, the range of IP addresses secured for assignment differs for each wireless carrier. Therefore, even if the terminal device is a mobile terminal, the present invention can be applied to confirm whether or not the user operating the mobile terminal is a valid user.
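The gateway behaviour just described, and the correspondence test it implies, as an added Python example (not code from the patent or its applicant). It simulates what the carrier gateway emits toward the Internet, what the server extracts from the IP and HTTP headers, and a correspondence check that accepts a different address from the same carrier range when the user agent matches. The carrier ranges are constructed sample data using documentation prefixes, not any real carrier's allocation, and the rule that a pair corresponds when both addresses lie in the same carrier range is an assumption added here, not a statement of the page.

```python
"""Correspondence check for access through a wireless carrier's gateway, as
an added illustration (not code from the patent or its applicant).

The gateway puts one address from the carrier's pre-secured range in the IP
header and the handset model, model number and browser version in the HTTP
User-Agent header. Assumption: a registered pair corresponds to a new access
when the user agent matches and both addresses lie in the same carrier
range; addresses outside any range (fixed-line PCs) must match exactly.
The ranges below are constructed sample data, not real allocations.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

AccessPair = Tuple[str, str]   # (access source IP address, user agent information)

# constructed sample pools (documentation prefixes)
CARRIER_POOLS: Dict[str, List[ipaddress.IPv4Network]] = {
    "carrier-A": [ipaddress.ip_network("203.0.113.0/24")],
    "carrier-B": [ipaddress.ip_network("198.51.100.0/25"),
                  ipaddress.ip_network("198.51.100.128/25")],
}


def carrier_of(ip: str) -> Optional[str]:
    """Name of the carrier whose secured range contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    for name, nets in CARRIER_POOLS.items():
        if any(addr in net for net in nets):
            return name
    return None


def gateway_forward(carrier: str, model: str, model_no: str, browser: str,
                    slot: int) -> Tuple[str, Dict[str, str]]:
    """What the gateway emits toward the Internet: a source address taken from
    the carrier's pool (here the slot-th address of its first range) and HTTP
    headers whose User-Agent carries the handset details."""
    net = CARRIER_POOLS[carrier][0]
    src_ip = str(net[slot])
    headers = {"Host": "www.example.test",
               "User-Agent": f"{model}/{model_no} Browser/{browser}"}
    return src_ip, headers


def extract_pair(src_ip: str, headers: Dict[str, str]) -> AccessPair:
    """Server side: the pair taken from the IP header and the HTTP header."""
    return src_ip, headers.get("User-Agent", "")


def corresponds(registered: AccessPair, new: AccessPair) -> bool:
    """Exact match, or same user agent from another address of the same carrier."""
    reg_ip, reg_ua = registered
    new_ip, new_ua = new
    if reg_ua != new_ua:
        return False
    if reg_ip == new_ip:
        return True
    carrier = carrier_of(reg_ip)
    return carrier is not None and carrier == carrier_of(new_ip)
```

Because the carrier pools do not overlap, a handset registered while on carrier-A still corresponds after the carrier assigns it a different address from the same pool, while the same user agent string arriving from carrier-B's range, or from an unrelated fixed-line address, does not.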
- Although user authentication at an online financial transaction website has been described, the present invention is not limited to this and is applicable to user confirmation at any other site.
- The user authentication according to the present invention has been described above in combination with user authentication using a user ID and password. However, for a website that provides an information delivery type service, delivering certain information each time a request arrives from a user who has registered simple user identification information such as an e-mail address in advance, highly accurate user confirmation (authentication) is not needed; in that case password-based user authentication may be omitted and only the user confirmation (authentication) to which the present invention is applied may be performed, based on the user identification information such as the e-mail address entered by the user.
- The present invention is also not limited to this.
- For example, where individual users are allowed access only from a specific terminal device, such as a web site that allows access only from client terminals on which electronic certificates issued to the individual users have been installed,
- the user agent information may be stored in association with the user identification information, and user confirmation (authentication) may be performed based on whether or not the user agent information matches the registered user agent information.
Explanation of reference signs
Priority Applications (11)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US11/886,902 US8347368B2 (en) | 2006-03-29 | 2006-03-29 | Apparatus, method, and program for validating user |
JP2007543641A JP4616352B2 (ja) | 2006-03-29 | 2006-03-29 | ユーザ確認装置、方法及びプログラム |
PCT/JP2006/306501 WO2007110951A1 (ja) | 2006-03-29 | 2006-03-29 | ユーザ確認装置、方法及びプログラム |
CN200680010930.9A CN101167079B (zh) | 2006-03-29 | 2006-03-29 | 用户确认装置和方法 |
EP12174044A EP2506184A1 (en) | 2006-03-29 | 2006-03-29 | Apparatus, method, and program for validating user |
EP06730449A EP1873673A4 (en) | 2006-03-29 | 2006-03-29 | USER VERIFICATION DEVICE, METHOD, AND PROGRAM |
EP11186311A EP2413262A1 (en) | 2006-03-29 | 2006-03-29 | Apparatus, method, and program for validating user |
US13/445,678 US20120240207A1 (en) | 2006-03-29 | 2012-04-12 | Apparatus, method, and program for validating user |
US13/679,401 US9021555B2 (en) | 2006-03-29 | 2012-11-16 | Apparatus, method, and program for validating user |
US14/510,427 US20150026789A1 (en) | 2006-03-29 | 2014-10-09 | Apparatus, method, and program for validating user |
US16/806,096 US20200204533A1 (en) | 2006-03-29 | 2020-03-02 | Apparatus, method, and program for validating user |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/JP2006/306501 WO2007110951A1 (ja) | 2006-03-29 | 2006-03-29 | ユーザ確認装置、方法及びプログラム |
Related Child Applications (3)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US11/886,902 A-371-Of-International US8347368B2 (en) | 2006-03-29 | 2006-03-29 | Apparatus, method, and program for validating user |
US13/445,678 Continuation US20120240207A1 (en) | 2006-03-29 | 2012-04-12 | Apparatus, method, and program for validating user |
US13/679,401 Continuation US9021555B2 (en) | 2006-03-29 | 2012-11-16 | Apparatus, method, and program for validating user |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2007110951A1 true WO2007110951A1 (ja) | 2007-10-04 |
Family
ID=38540891
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/JP2006/306501 WO2007110951A1 (ja) | 2006-03-29 | 2006-03-29 | ユーザ確認装置、方法及びプログラム |
Country Status (5)
Country | Link |
---|---|
US (5) | US8347368B2 (ja) |
EP (3) | EP2413262A1 (ja) |
JP (1) | JP4616352B2 (ja) |
CN (1) | CN101167079B (ja) |
WO (1) | WO2007110951A1 (ja) |
Cited By (12)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20090055919A1 (en) * | 2007-08-10 | 2009-02-26 | Fujitsu Limited | Unauthorized communication detection method |
US20090055912A1 (en) * | 2007-08-21 | 2009-02-26 | Nhn Corporation | User authentication system using ip address and method thereof |
WO2009115034A1 (zh) * | 2008-03-21 | 2009-09-24 | 华为技术有限公司 | 一种协议报文的检测方法、系统及设备 |
JP2012528386A (ja) * | 2009-05-29 | 2012-11-12 | グーグル インコーポレイテッド | アカウント回復技術 |
US20140119374A1 (en) * | 2012-11-01 | 2014-05-01 | Telefonaktiebolaget L M Ericsson (Publ) | Downlink service path determination for multiple subscription based services in provider edge network |
JP5547814B2 (ja) * | 2010-11-08 | 2014-07-16 | 株式会社日立製作所 | 計算機システム、仮想サーバへのボリューム割り当て方法及び計算機読み取り可能な記憶媒体 |
CN104519069A (zh) * | 2014-12-27 | 2015-04-15 | 广州华多网络科技有限公司 | 一种拦截资源请求的方法和装置 |
JP2015537282A (ja) * | 2012-09-21 | 2015-12-24 | アリババ・グループ・ホールディング・リミテッドAlibaba Group Holding Limited | 訪問ユーザのための統一ユーザ識別子の決定 |
US9762483B2 (en) | 2015-03-06 | 2017-09-12 | Telefonaktiebolaget Lm Ericsson (Publ) | BNG / subscriber management integrated, FIB based, per subscriber, opt-in opt-out, multi application service chaining solution via subscriber service chaining nexthop and meta IP lookup |
JP2018067043A (ja) * | 2016-10-17 | 2018-04-26 | シャープ株式会社 | 情報処理装置、情報処理システムおよび情報処理方法 |
JP2018526936A (ja) * | 2015-09-10 | 2018-09-13 | アルカテル−ルーセント | 自動構成サーバおよび方法 |
JP2021060770A (ja) * | 2019-10-04 | 2021-04-15 | 株式会社Flux | 情報処理装置および情報処理方法 |
Families Citing this family (47)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7581112B2 (en) * | 2004-12-30 | 2009-08-25 | Ebay, Inc. | Identifying fraudulent activities and the perpetrators thereof |
US8347368B2 (en) * | 2006-03-29 | 2013-01-01 | The Bank Of Tokyo-Mitsubishi Ufj, Ltd. | Apparatus, method, and program for validating user |
US8280982B2 (en) | 2006-05-24 | 2012-10-02 | Time Warner Cable Inc. | Personal content server apparatus and methods |
US9386327B2 (en) * | 2006-05-24 | 2016-07-05 | Time Warner Cable Enterprises Llc | Secondary content insertion apparatus and methods |
US8024762B2 (en) | 2006-06-13 | 2011-09-20 | Time Warner Cable Inc. | Methods and apparatus for providing virtual content over a network |
US8650589B2 (en) * | 2007-01-08 | 2014-02-11 | At&T Intellectual Property I, Lp | System for provisioning media services |
US8181206B2 (en) | 2007-02-28 | 2012-05-15 | Time Warner Cable Inc. | Personal content server apparatus and methods |
US9503691B2 (en) | 2008-02-19 | 2016-11-22 | Time Warner Cable Enterprises Llc | Methods and apparatus for enhanced advertising and promotional delivery in a network |
WO2009122915A1 (ja) * | 2008-04-02 | 2009-10-08 | 日本電気株式会社 | 通信システム及び通信方法 |
CN101394282A (zh) * | 2008-10-30 | 2009-03-25 | 王昌懿 | 具有身份验证的密码输入方法及系统 |
JP5372711B2 (ja) * | 2009-11-13 | 2013-12-18 | アラクサラネットワークス株式会社 | 複数認証サーバを有効利用する装置、システム |
US20110184840A1 (en) * | 2010-01-27 | 2011-07-28 | Ebay Inc. | Systems and methods for facilitating account verification over a network |
US9058210B2 (en) * | 2010-03-23 | 2015-06-16 | Ebay Inc. | Weighted request rate limiting for resources |
US20110264530A1 (en) | 2010-04-23 | 2011-10-27 | Bryan Santangelo | Apparatus and methods for dynamic secondary content and data insertion and delivery |
US20120042067A1 (en) * | 2010-08-13 | 2012-02-16 | Neuralitic Systems | Method and system for identifying applications accessing http based content in ip data networks |
CN103220980B (zh) | 2010-10-28 | 2015-05-20 | 株式会社日立医疗器械 | 超声波诊断装置以及超声波图像显示方法 |
US9143508B2 (en) * | 2010-12-30 | 2015-09-22 | Verizon Patent And Licensing Inc. | Service location based authentication |
JP5870527B2 (ja) * | 2011-07-26 | 2016-03-01 | 株式会社リコー | 出力振り分けシステム、出力振り分け装置、出力先情報提供装置および記録媒体 |
WO2013173561A2 (en) | 2012-05-17 | 2013-11-21 | Specific Media Llc | Internet connected household identification for online measurement & dynamic content delivery |
US11463403B2 (en) | 2012-05-17 | 2022-10-04 | Viant Technology Llc | Internet connected household identification for online measurement and dynamic content delivery |
EP2913776B1 (en) * | 2012-10-29 | 2020-11-25 | Mitsubishi Electric Corporation | Facility management device, facility management system and program |
US20140282786A1 (en) | 2013-03-12 | 2014-09-18 | Time Warner Cable Enterprises Llc | Methods and apparatus for providing and uploading content to personalized network storage |
FR3003976B1 (fr) * | 2013-03-28 | 2016-08-26 | Cie Ind Et Financiere D'ingenierie Ingenico | Procede de delivrance d'une assertion de localisation |
JP6248448B2 (ja) * | 2013-07-24 | 2017-12-20 | 株式会社リコー | 情報処理装置及びそのデータ蓄積制御方法 |
CN103458035A (zh) * | 2013-09-05 | 2013-12-18 | 深圳市共进电子股份有限公司 | 基于web服务器的客户端配置界面实现方法 |
JP6322444B2 (ja) * | 2014-02-28 | 2018-05-09 | ゲヒルン株式会社 | ユーザ認証サーバ、ユーザ認証方法、ユーザ認証サーバ用プログラム |
KR102422372B1 (ko) * | 2014-08-29 | 2022-07-19 | 삼성전자 주식회사 | 생체 정보와 상황 정보를 이용한 인증 방법 및 장치 |
US10122757B1 (en) * | 2014-12-17 | 2018-11-06 | Amazon Technologies, Inc. | Self-learning access control policies |
US10986131B1 (en) | 2014-12-17 | 2021-04-20 | Amazon Technologies, Inc. | Access control policy warnings and suggestions |
US10043030B1 (en) | 2015-02-05 | 2018-08-07 | Amazon Technologies, Inc. | Large-scale authorization data collection and aggregation |
US9148424B1 (en) * | 2015-03-13 | 2015-09-29 | Snapchat, Inc. | Systems and methods for IP-based intrusion detection |
CN107851290B (zh) * | 2015-08-27 | 2021-12-07 | J-Data株式会社 | 历史管理方法 |
US20180229689A1 (en) * | 2016-02-03 | 2018-08-16 | Averon Us, Inc. | Method and apparatus for facilitating access to an automobile utilizing frictionless two-factor authentication |
WO2017134632A1 (en) | 2016-02-03 | 2017-08-10 | Averon Us, Inc. | Method and apparatus for facilitating frictionless two-factor authentication |
US20180234418A1 (en) * | 2016-02-03 | 2018-08-16 | Averon Us, Inc. | Method and apparatus for facilitating access to publish or post utilizing frictionless two-factor authentication |
US20180232514A1 (en) * | 2016-02-03 | 2018-08-16 | Averon Us, Inc. | Method and apparatus for facilitating access to a device utilizing frictionless two-factor authentication |
US20180316671A1 (en) * | 2016-02-03 | 2018-11-01 | Averon Us, Inc. | Method and apparatus for facilitating authorization of a specified task via multi-stage and multi-level authentication processes utilizing frictionless two-factor authentication |
CN111263345B (zh) * | 2018-11-30 | 2022-11-08 | 中国移动通信集团山东有限公司 | 一种用户终端的识别方法和装置 |
CN110661901B (zh) * | 2019-08-08 | 2022-11-04 | 网宿科技股份有限公司 | 一种ip库的采信方法、整合方法、电子设备和可存储介质 |
US11711310B2 (en) * | 2019-09-18 | 2023-07-25 | Tweenznet Ltd. | System and method for determining a network performance property in at least one network |
US11403849B2 (en) | 2019-09-25 | 2022-08-02 | Charter Communications Operating, Llc | Methods and apparatus for characterization of digital content |
US11716338B2 (en) | 2019-11-26 | 2023-08-01 | Tweenznet Ltd. | System and method for determining a file-access pattern and detecting ransomware attacks in at least one computer network |
US11539746B2 (en) * | 2020-02-18 | 2022-12-27 | Td Ameritrade Ip Company, Inc. | Methods and systems for browser spoofing mitigation |
CN112121412B (zh) * | 2020-09-15 | 2024-05-17 | 北京智明星通科技股份有限公司 | 一种游戏账号的快速登录方法、系统及游戏设备 |
CN114244566B (zh) * | 2021-11-17 | 2023-12-22 | 广东电网有限责任公司 | 基于ip地址的非法外联检测方法、装置、计算机设备 |
US11936703B2 (en) | 2021-12-09 | 2024-03-19 | Viant Technology Llc | Out-of-home internet connected household identification |
US20240146726A1 (en) * | 2022-10-26 | 2024-05-02 | Whatsapp Llc | Accessing an encrypted platform |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2004236105A (ja) * | 2003-01-31 | 2004-08-19 | Matsushita Electric Ind Co Ltd | 画像サーバ |
JP2005044277A (ja) * | 2003-07-25 | 2005-02-17 | Fuji Xerox Co Ltd | 不正通信検出装置 |
Family Cites Families (28)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5930479A (en) * | 1996-10-21 | 1999-07-27 | At&T Corp | Communications addressing system |
US6310889B1 (en) * | 1998-03-12 | 2001-10-30 | Nortel Networks Limited | Method of servicing data access requests from users |
JP2000209284A (ja) | 1999-01-18 | 2000-07-28 | Nec Commun Syst Ltd | 認証装置、及び、認証方法 |
US6725381B1 (en) * | 1999-08-31 | 2004-04-20 | Tumbleweed Communications Corp. | Solicited authentication of a specific user |
JP2001325229A (ja) | 2000-05-17 | 2001-11-22 | Daiwa House Ind Co Ltd | インターネットにおける認証システム及びサービスシステム |
WO2002014991A2 (en) * | 2000-08-11 | 2002-02-21 | Incanta, Inc. | Resource distribution in network environment |
JP2002091851A (ja) * | 2000-09-12 | 2002-03-29 | Toshiba Corp | 情報提供方法および中継サーバ装置 |
CN1394044A (zh) * | 2001-06-28 | 2003-01-29 | 杨磊 | 因特网ip-用户身份认证机制(方法) |
US20030033356A1 (en) * | 2001-08-13 | 2003-02-13 | Luu Tran | Extensible client aware detection in a wireless portal system |
US20030084439A1 (en) | 2001-10-04 | 2003-05-01 | Ross Perkins | Incentive system for distributing software over a computer network |
NZ532258A (en) * | 2001-10-17 | 2006-04-28 | Npx Technologies Ltd | Verfication of a person identifier received online |
US7624437B1 (en) * | 2002-04-02 | 2009-11-24 | Cisco Technology, Inc. | Methods and apparatus for user authentication and interactive unit authentication |
CN1208927C (zh) * | 2002-06-12 | 2005-06-29 | 华为技术有限公司 | 网络设备中基于代理方式接入网络的控制方法 |
US20040230825A1 (en) * | 2003-05-16 | 2004-11-18 | Shepherd Eric Robert | Secure browser |
US7591017B2 (en) * | 2003-06-24 | 2009-09-15 | Nokia Inc. | Apparatus, and method for implementing remote client integrity verification |
US7472413B1 (en) * | 2003-08-11 | 2008-12-30 | F5 Networks, Inc. | Security for WAP servers |
US7665147B2 (en) * | 2004-02-05 | 2010-02-16 | At&T Mobility Ii Llc | Authentication of HTTP applications |
US7853533B2 (en) * | 2004-03-02 | 2010-12-14 | The 41St Parameter, Inc. | Method and system for identifying users and detecting fraud by use of the internet |
GB0410724D0 (en) * | 2004-05-13 | 2004-06-16 | Watkins Daniel R | Authorisation system |
US20060021004A1 (en) * | 2004-07-21 | 2006-01-26 | International Business Machines Corporation | Method and system for externalized HTTP authentication |
US7496750B2 (en) * | 2004-12-07 | 2009-02-24 | Cisco Technology, Inc. | Performing security functions on a message payload in a network element |
US7581112B2 (en) * | 2004-12-30 | 2009-08-25 | Ebay, Inc. | Identifying fraudulent activities and the perpetrators thereof |
US7908645B2 (en) * | 2005-04-29 | 2011-03-15 | Oracle International Corporation | System and method for fraud monitoring, detection, and tiered user authentication |
US8347368B2 (en) * | 2006-03-29 | 2013-01-01 | The Bank Of Tokyo-Mitsubishi Ufj, Ltd. | Apparatus, method, and program for validating user |
US8230490B2 (en) * | 2007-07-31 | 2012-07-24 | Keycorp | System and method for authentication of users in a secure computer system |
JP4877145B2 (ja) * | 2007-08-10 | 2012-02-15 | 富士通株式会社 | 通信装置を制御するプログラム及び通信装置 |
US8849988B2 (en) * | 2008-11-25 | 2014-09-30 | Citrix Systems, Inc. | Systems and methods to monitor an access gateway |
US7941550B1 (en) * | 2009-02-12 | 2011-05-10 | Sprint Communications Company L.P. | Multiple cookie handling |
2006
- 2006-03-29 US US11/886,902 patent/US8347368B2/en not_active Expired - Fee Related
- 2006-03-29 JP JP2007543641A patent/JP4616352B2/ja active Active
- 2006-03-29 CN CN200680010930.9A patent/CN101167079B/zh not_active Expired - Fee Related
- 2006-03-29 EP EP11186311A patent/EP2413262A1/en not_active Withdrawn
- 2006-03-29 EP EP06730449A patent/EP1873673A4/en not_active Withdrawn
- 2006-03-29 EP EP12174044A patent/EP2506184A1/en not_active Withdrawn
- 2006-03-29 WO PCT/JP2006/306501 patent/WO2007110951A1/ja active Application Filing
2012
- 2012-04-12 US US13/445,678 patent/US20120240207A1/en not_active Abandoned
- 2012-11-16 US US13/679,401 patent/US9021555B2/en active Active
2014
- 2014-10-09 US US14/510,427 patent/US20150026789A1/en not_active Abandoned
2020
- 2020-03-02 US US16/806,096 patent/US20200204533A1/en not_active Abandoned
Patent Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2004236105A (ja) * | 2003-01-31 | 2004-08-19 | Matsushita Electric Ind Co Ltd | 画像サーバ |
JP2005044277A (ja) * | 2003-07-25 | 2005-02-17 | Fuji Xerox Co Ltd | 不正通信検出装置 |
Non-Patent Citations (2)
Title |
---|
OTANI S.: "ITpro Ketai no Business Tanmatsu o Tokutei shi Fusei Shinnyu o Fusegu Zenpen", NIKKEI BUSINESS PUBLICATIONS, INC., 8 July 2004 (2004-07-08), XP003018039, Retrieved from the Internet <URL:http://www.itpro.nikkeibp.co.jp/free/TIS/keitai/20040706/146863/?ST=print> * |
See also references of EP1873673A4 * |
Cited By (17)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8490173B2 (en) * | 2007-08-10 | 2013-07-16 | Fujitsu Limited | Unauthorized communication detection method |
US20090055919A1 (en) * | 2007-08-10 | 2009-02-26 | Fujitsu Limited | Unauthorized communication detection method |
US20090055912A1 (en) * | 2007-08-21 | 2009-02-26 | Nhn Corporation | User authentication system using ip address and method thereof |
US8474030B2 (en) * | 2007-08-21 | 2013-06-25 | Nhn Business Platform Corporation | User authentication system using IP address and method thereof |
WO2009115034A1 (zh) * | 2008-03-21 | 2009-09-24 | 华为技术有限公司 | 一种协议报文的检测方法、系统及设备 |
JP2012528386A (ja) * | 2009-05-29 | 2012-11-12 | グーグル インコーポレイテッド | アカウント回復技術 |
JP5547814B2 (ja) * | 2010-11-08 | 2014-07-16 | 株式会社日立製作所 | 計算機システム、仮想サーバへのボリューム割り当て方法及び計算機読み取り可能な記憶媒体 |
JP2015537282A (ja) * | 2012-09-21 | 2015-12-24 | アリババ・グループ・ホールディング・リミテッドAlibaba Group Holding Limited | 訪問ユーザのための統一ユーザ識別子の決定 |
US9397950B2 (en) * | 2012-11-01 | 2016-07-19 | Telefonaktiebolaget Lm Ericsson (Publ) | Downlink service path determination for multiple subscription based services in provider edge network |
US20140119374A1 (en) * | 2012-11-01 | 2014-05-01 | Telefonaktiebolaget L M Ericsson (Publ) | Downlink service path determination for multiple subscription based services in provider edge network |
CN104519069A (zh) * | 2014-12-27 | 2015-04-15 | 广州华多网络科技有限公司 | 一种拦截资源请求的方法和装置 |
US9762483B2 (en) | 2015-03-06 | 2017-09-12 | Telefonaktiebolaget Lm Ericsson (Publ) | BNG / subscriber management integrated, FIB based, per subscriber, opt-in opt-out, multi application service chaining solution via subscriber service chaining nexthop and meta IP lookup |
JP2018526936A (ja) * | 2015-09-10 | 2018-09-13 | アルカテル−ルーセント | 自動構成サーバおよび方法 |
US10924507B2 (en) | 2015-09-10 | 2021-02-16 | Alcatel Lucent | Auto configuration server and method |
JP2018067043A (ja) * | 2016-10-17 | 2018-04-26 | シャープ株式会社 | 情報処理装置、情報処理システムおよび情報処理方法 |
JP2021060770A (ja) * | 2019-10-04 | 2021-04-15 | 株式会社Flux | 情報処理装置および情報処理方法 |
JP7175006B2 (ja) | 2019-10-04 | 2022-11-18 | 株式会社Flux | 情報処理装置および情報処理方法 |
Also Published As
Publication number | Publication date |
---|---|
US20150026789A1 (en) | 2015-01-22 |
EP1873673A4 (en) | 2011-05-18 |
EP2506184A1 (en) | 2012-10-03 |
CN101167079B (zh) | 2010-11-17 |
US8347368B2 (en) | 2013-01-01 |
JP4616352B2 (ja) | 2011-01-19 |
JPWO2007110951A1 (ja) | 2009-08-06 |
US9021555B2 (en) | 2015-04-28 |
US20090034521A1 (en) | 2009-02-05 |
US20200204533A1 (en) | 2020-06-25 |
CN101167079A (zh) | 2008-04-23 |
US20120240207A1 (en) | 2012-09-20 |
US20130081107A1 (en) | 2013-03-28 |
EP1873673A1 (en) | 2008-01-02 |
EP2413262A1 (en) | 2012-02-01 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
WO2007110951A1 (ja) | ユーザ確認装置、方法及びプログラム | |
JP4964338B2 (ja) | ユーザ確認装置、方法及びプログラム | |
US8856919B2 (en) | Authorization of server operations | |
JP4413774B2 (ja) | 電子メールアドレスとハードウェア情報とを利用したユーザ認証方法及びシステム | |
CN101350717B (zh) | 一种通过即时通信软件登录第三方服务器的方法及系统 | |
US10397008B2 (en) | Management of secret data items used for server authentication | |
KR20090077958A (ko) | 원격 서버 액세스를 인증하기 위한 시스템 및 방법 | |
JP5456842B2 (ja) | ユーザ確認装置、方法及びユーザ認証システム | |
JP2013251000A (ja) | ユーザ確認装置、方法及びプログラム | |
JP5216904B2 (ja) | ユーザ確認装置、方法及びプログラム | |
JP4746709B2 (ja) | ユーザ確認装置、方法及びプログラム | |
JP4918170B2 (ja) | ユーザ確認装置、方法及びプログラム | |
JP4551368B2 (ja) | サービスシステムおよびサービスシステム制御方法 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| WWE | Wipo information: entry into national phase | Ref document number: 200680010930.9; Country of ref document: CN |
| ENP | Entry into the national phase | Ref document number: 2007543641; Country of ref document: JP; Kind code of ref document: A |
| WWE | Wipo information: entry into national phase | Ref document number: 11886902; Country of ref document: US |
| REEP | Request for entry into the european phase | Ref document number: 2006730449; Country of ref document: EP |
| WWE | Wipo information: entry into national phase | Ref document number: 2006730449; Country of ref document: EP |
| WWP | Wipo information: published in national office | Ref document number: 2006730449; Country of ref document: EP |
| NENP | Non-entry into the national phase | Ref country code: DE |