WO2017068714A1 - Illegal communication control apparatus and method - Google Patents


Publication number: WO2017068714A1
Authority: WO (WIPO, PCT)
Prior art keywords: list, communication control, reliability, communication, connection destination
Application number: PCT/JP2015/079966
Other languages: French (fr), Japanese (ja)
Inventors: 倫宏 重本, 哲郎 鬼頭, 磯部 義明, 仲小路 博史
Original assignee: 株式会社日立製作所 (Hitachi, Ltd.)

Classifications

    • G: Physics
    • G06: Computing; calculating or counting
    • G06F: Electric digital data processing
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60: Protecting data
    • G06F21/62: Protecting access to data via a platform, e.g. using keys or access control rules

Definitions

  • the present invention relates to a technology for blocking communication by malware while permitting communication affecting business by using feedback from a user.
  • Patent Document 1 discloses a case in which information on vulnerability is obtained for specifications of an information terminal device, a vulnerability value is acquired based on the information, and the information terminal device is connected to a server based on the vulnerability value.
  • a system is disclosed in which a risk level indicating a security risk is calculated, and the server denies access without performing security authentication of the information terminal device when the risk level is equal to or higher than a predetermined threshold.
  • using the technology of Patent Document 1, it is possible to block communication from a fragile environment with a high risk of malware infection. However, if communication from a fragile environment is blocked, a user working in that environment is also blocked when communicating with the access destinations related to the work, so the business may be affected.
  • the present invention has been made in view of the above circumstances, and an object of the present invention is to provide an unauthorized communication control device that permits communication affecting the business and blocks communication by malware by using feedback from the user.
  • a typical example of the present invention is as follows: a storage unit that stores suspicious connection destinations as a gray list; an authentication unit that asks the user to confirm the connection when communication from a terminal to a connection destination matching the gray list is observed; a control unit that performs communication control based on the authentication result of the authentication unit; and a list update unit that updates the gray list based on that authentication result.
  • adding connection destination information to the black list requires careful examination, so registration takes time.
  • the gray list is a list of connection destinations with an intermediate reliability: they do not warrant the caution applied to the black list, but they are not permitted outright like the white list.
  • suspicious connection destinations are managed in the gray list, and when communication to a connection destination that matches the gray list occurs, the user is asked to confirm it; communication to the connection destination is permitted if the confirmation succeeds. As a result, it is not necessary to examine the information of the communication destination in advance, and a quick response is possible.
  • communication control processing, authentication processing, list update processing, and reliability update processing will be described.
  • FIG. 1 is a diagram illustrating a configuration example of an unauthorized communication control apparatus according to the first embodiment of the present invention.
  • a terminal 118 operated by a user 119 and the Internet 121 are connected via a network 120.
  • the unauthorized communication control device 101 is a computer equipped with a CPU (Central Processing Unit) 103, a main memory 104 for storing the data the CPU 103 needs to execute processing, a storage device 105 such as a hard disk or flash memory with capacity for storing a large amount of data, an IF (interface) 102 for communicating with other devices, an input/output device 106 such as a keyboard and a display, and a communication path 107 connecting these devices. The communication path 107 is an information transmission medium such as a bus or cable.
  • the CPU 103 controls suspicious communication by executing the communication control program 108 stored in the main memory 104, authenticates the user 119 by executing the authentication program 109, performs additional authentication of the user 119 by executing the additional authentication program 110, updates the gray list 115, the black list 116, and the white list 117 by executing the list update program 111, and updates the reliability data 114 by executing the reliability update program 112.
  • the reliability indicates an index of how reliable the terminal 118 and the user 119 are.
  • the storage device 105 stores a reliability calculation rule table 113 containing a plurality of rules for calculating the reliability of the terminal 118 and the user 119, reliability data 114 indicating the reliability of the terminal 118 and the user 119, a gray list 115 indicating suspicious communication destination information, a black list 116 indicating dangerous communication destination information, and a white list 117 indicating safe communication destination information.
  • each of the above programs and data may be stored in advance in the main memory 104 or the storage device 105, or installed (loaded) when necessary from the input/output device 106 or from another device via the IF 102.
  • FIG. 2 is a diagram illustrating an example of the reliability calculation rule table 113.
  • the reliability calculation rule table 113 includes an ID 201, a type 202, an item 203, a determination value 204, and a score 205.
  • the information of the unit identified by the ID 201 is called a reliability calculation rule.
  • ID 201 represents information that can uniquely identify the reliability calculation rule.
  • the type 202 represents the type to which the reliability calculation rule is applied. For example, when the type 202 is “user”, the rule is for calculating the reliability of the user; when the type 202 is “terminal”, the rule is for calculating the reliability of the terminal.
  • an item 203 represents the item used when calculating the reliability, a determination value 204 represents the threshold used when calculating the reliability, and a score 205 represents the value (degree of influence) applied when calculating the reliability. When the score 205 is “+”, the rule indicates that the terminal 118 or the user 119 is reliable; when the score 205 is “−”, it indicates that the terminal 118 or the user 119 is unreliable.
  • for example, the reliability calculation rule whose ID 201 is “1” represents that when the additional authentication success rate of the user 119 is 0.8 or more, the reliability of the user 119 is incremented by one.
  • although the reliability is described as +1 here, in practice the score is normalized before being stored in the reliability data 114. The normalization process will be described later with reference to FIG.
  • the reliability calculation rule is for determining the reliability of the terminal 118 and the user 119.
  • for the reliability of the user 119, rules regarding the additional authentication success rate, the authentication success rate, the number of black list matches, the training mail unopened rate, the communication rate within business hours, the business content, specific users, the number of malware infections, and so on are stored.
  • for the reliability of the terminal 118, rules regarding the additional authentication success rate, the authentication success rate, the number of vulnerable software packages, the number of unapplied OS (Operating System) patches, the presence or absence of AV (AntiVirus) software, the AV signature update date, the number of AV alerts, the communication rate during business hours, and so on are stored.
  • each piece of information in the reliability calculation rule table 113 may be input or updated as necessary by the administrator.
  • the reliability calculation rule table 113 is used when the reliability update program 112 executed by the CPU 103 updates the reliability of the terminal 118 or the user 119. Specific processing of the reliability update program 112 will be described later with reference to FIG.
  • FIG. 3 is a diagram illustrating an example of the reliability data 114.
  • the reliability data 114 includes an ID 301, a type 302, an item 303, and a reliability 304.
  • ID 301 represents information that can uniquely identify the reliability data.
  • the type 302 represents the type of reliability data. For example, when the type 302 is “user”, the reliability of the user 119 is stored, and when the type 302 is “terminal”, the reliability of the terminal 118 is stored.
  • the item 303 represents information for identifying the terminal 118 or the user 119 stored in the reliability data
  • the reliability 304 represents the reliability of the terminal 118 or the user 119.
  • the reliability 304 stores a value from “0” to “1”. A reliability 304 of “0” indicates that the terminal 118 or the user 119 cannot be trusted, a reliability 304 of “1” indicates that the terminal 118 or the user 119 can be trusted, and the closer the reliability is to “1”, the higher the reliability of the terminal 118 or the user 119.
  • for example, reliability data with ID 301 “1”, type 302 “user”, item 303 “user A”, and reliability 304 “0.9” represents that the reliability of “user A” 119a is “0.9”.
  • the reliability data 114 is updated by a reliability update program 112 executed by the CPU 103. Specific processing of the reliability update program 112 will be described later with reference to FIG.
  • FIG. 4 is a diagram illustrating an example of the gray list 115.
  • the gray list 115 includes an ID 401, a connection destination 402, a communication count 403, an additional authentication failure rate 404, and a score 405.
  • ID 401 represents information that can uniquely identify the gray list.
  • the connection destination 402 represents suspicious connection destination information.
  • the host name is used here as the suspicious connection destination, but any information that can identify the connection destination may be used, for example an IP (Internet Protocol) address or a URI (Uniform Resource Identifier).
  • the communication count 403 represents the number of connections to the connection destination 402.
  • the additional authentication failure rate 404 represents the rate at which additional authentication failed during connections to the connection destination 402.
  • the score 405 represents the suspicious degree (the degree of gray) of the connection destination 402.
  • the score 405 stores a value from “0” to “1”, and the closer the score 405 is to “1”, the higher the suspicious degree.
  • for example, a gray list entry with connection destination 402 “example.com”, communication count 403 “1000”, additional authentication failure rate 404 “0.1”, and score 405 “0.4” represents that the unauthorized communication control apparatus 101 has observed communication to “example.com” 1000 times, that additional authentication for that connection destination failed at a rate of 0.1, and that the suspicious degree of the connection destination is 0.4.
  • the gray list 115 is updated by the list update program 111 executed by the CPU 103. Specific processing of the list update program 111 will be described later with reference to FIG.
  • each information of the gray list 115 may be input or updated by the administrator as necessary.
  • FIG. 5 is a diagram illustrating an example of the black list 116. As shown in FIG. 5, the black list 116 includes an ID 501, a connection destination 502, a communication count 503, and a score 504.
  • ID 501 represents information that can uniquely identify the black list.
  • the connection destination 502 represents dangerous connection destination information.
  • the host name is used here as the dangerous connection destination, but any information that can identify the connection destination may be used, for example an IP (Internet Protocol) address or a URI (Uniform Resource Identifier).
  • the communication count 503 represents the number of connections to the connection destination 502, and the score 504 represents the danger level (the degree of black) of the connection destination 502.
  • the score 504 stores values from “0” to “1”, and the closer the score 504 is to “1”, the higher the risk level.
  • for example, a black list entry with ID 501 “1”, connection destination 502 “black.com”, communication count 503 “100”, and score 504 “0.99” represents that the unauthorized communication control device 101 has observed communication to “black.com” 100 times and that the risk level of that connection destination is 0.99.
  • the black list 116 is updated by the list update program 111 executed by the CPU 103. Specific processing of the list update program 111 will be described later with reference to FIG.
  • each piece of information in the black list 116 may be input or updated as necessary by the administrator.
  • FIG. 6 is a diagram showing an example of the white list 117. As shown in FIG. 6, the white list 117 includes an ID 601, a connection destination 602, a communication count 603, and a score 604.
  • ID 601 represents information that can uniquely identify the white list.
  • the connection destination 602 represents information on a safe connection destination.
  • the host name is used here as the safe connection destination, but any information that can identify the connection destination may be used, for example an IP (Internet Protocol) address or a URI (Uniform Resource Identifier).
  • the communication count 603 represents the number of connections to the connection destination 602, and the score 604 represents the safety level (the degree of white) of the connection destination 602.
  • the score 604 stores values from “0” to “1”, and the closer the score 604 is to “1”, the higher the safety level.
  • for example, a white list entry with ID 601 “1”, connection destination 602 “white.com”, communication count 603 “1000”, and score 604 “0.99” represents that the unauthorized communication control apparatus 101 has observed communication to “white.com” 1000 times and that the safety level of that connection destination is 0.99.
  • the white list 117 is updated by the list update program 111 executed by the CPU 103. Specific processing of the list update program 111 will be described later with reference to FIG.
  • each information of the white list 117 may be input or updated as necessary by the administrator.
  • next, the processing in which the communication control program 108 of the unauthorized communication control apparatus 101 receives the communication from the terminal 118, the authentication program 109 authenticates the user 119, the additional authentication program 110 performs additional authentication of the user 119, the list update program 111 updates the gray list 115, the black list 116, and the white list 117, and the reliability update program 112 updates the reliability data 114 will be described.
  • FIG. 7 is a flowchart showing the processing of the communication control program 108 of the unauthorized communication control apparatus 101. As shown in FIG. 7, the communication control program 108 is executed by the CPU 103, and receives communication from the terminal 118 via the IF 102a (step 701).
  • the communication control program 108 executes the authentication program 109 to authenticate the user 119 using the terminal 118 (step 702).
  • the authentication program 109 uses a combination of a user name and a password to check whether or not the user 119 trying to communicate has the authority to perform communication.
  • the communication control program 108 acquires the authentication result from the authentication program 109. If the authentication is successful, the process proceeds to step 704. If the authentication fails, the process proceeds to step 710 (step 703).
  • the communication control program 108 compares the communication destination information with the connection destination 502 of the black list 116. If the corresponding connection destination 502 exists, the communication control program 108 increments the communication count 503 of that connection destination 502 by one and proceeds to step 710; if it does not exist, the process proceeds to step 705 (step 704).
  • the communication control program 108 compares the communication destination information with the connection destination 602 of the white list 117. If the corresponding connection destination 602 exists, the communication count 603 of that connection destination 602 is incremented by one and the process proceeds to step 711; if it does not exist, the process proceeds to step 706 (step 705).
  • the communication control program 108 compares the communication destination information with the connection destination 402 of the gray list 115. If the corresponding connection destination 402 exists, the communication control program 108 increments the communication count 403 of that connection destination 402 by one and proceeds to step 708; if it does not exist, the process proceeds to step 707 (step 706).
  • the communication control program 108 stores the communication destination information in the gray list 115 (step 707). At this time, an ID that does not exist in the gray list 115 is stored in the ID 401, the communication destination information in the connection destination 402, “1” in the communication count 403, “0” in the additional authentication failure rate 404, and “0.5” in the score 405.
  • the communication control program 108 executes the additional authentication program 110 and performs additional authentication of the user 119 using the terminal 118 (step 708).
  • the additional authentication program 110 uses a challenge/response type test such as CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) to confirm that the communication from the terminal 118 does not originate from a computer (malware).
  • the display screen of the additional authentication program 110 will be described later with reference to FIG.
  • the communication control program 108 acquires the authentication result of the additional authentication program 110. If the authentication is successful, the process proceeds to step 711. If the authentication fails, the communication control program 108 updates the additional authentication failure rate 404 of the connection destination 402 corresponding to the communication destination information and then proceeds to step 710 (step 709).
  • the communication control program 108 cuts off communication with the connection destination, and proceeds to step 712 (step 710).
  • the communication control program 108 permits communication to the connection destination and proceeds to step 712 (step 711).
  • the communication control program 108 activates the reliability update program 112 and updates the reliability data 114 of the user 119 and the terminal 118 (step 712).
  • the reliability update program 112 updates the reliability of the user 119 using the reliability calculation rules whose type 202 in the reliability calculation rule table 113 is “user”, and updates the reliability of the terminal 118 using the reliability calculation rules whose type 202 is “terminal”.
  • for example, when the reliability of the user 119 is updated, the reliability calculation rules whose type 202 is “user” are used, that is, the eight reliability calculation rules whose ID 201 is “1” to “8”.
  • first, for the rule whose ID 201 is “1”, it is determined whether the item 203 “additional authentication success rate” satisfies the determination value 204 “0.8 or more”, and if it does, the score 205 “+1” is added to the initial score “0”.
  • likewise, for the reliability calculation rules whose ID 201 is “2” to “8”, it is determined whether the item 203 satisfies the determination value 204, and if it does, the score 205 is added. After all applicable reliability calculation rules have been applied, the accumulated score is normalized to a value from “0” to “1” to obtain the reliability. For example, the minimum and maximum scores that can be reached after applying the applicable reliability calculation rules are calculated, and the reliability is found by subtracting the minimum score from the calculated score and dividing the result by the difference between the maximum score and the minimum score. For example, if the minimum score that the type 202 in FIG. 2 can take is “−10” and the maximum is “+10”, a calculated score of “+5” gives a reliability of “0.75” by the calculation (+5 − (−10)) / (+10 − (−10)).
  • the reliability may be calculated for each communication, or may be calculated every certain period (for example, one week) in order to reduce the calculation load.
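To make the step 712 calculation concrete, here is an added example (not the patent's or Hitachi's code) that applies a rule table shaped like FIG. 2 and normalizes the summed score by (score - min) / (max - min); only rule 1 comes from the text, while the other rules, their thresholds and the metric names are constructed for illustration.

```python
# Added example (not code from the patent): applying reliability calculation
# rules laid out like FIG. 2 (type 202, item 203, determination value 204,
# score 205) and normalizing the summed score into a reliability in [0, 1]
# as the text describes for step 712. Only rule 1 (additional authentication
# success rate >= 0.8 -> +1) comes from the page; the other rules, their
# thresholds and the metric names are constructed for illustration.
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class ReliabilityRule:
    rule_id: int
    rule_type: str                       # "user" or "terminal" (type 202)
    item: str                            # metric name (item 203)
    satisfied: Callable[[float], bool]   # determination value 204 as a predicate
    score: int                           # score 205: +1 trusts, -1 distrusts


# Constructed rule table for type "user". The mix of signs gives a range of
# reachable raw scores from -3 to +3 with this table.
USER_RULES: List[ReliabilityRule] = [
    ReliabilityRule(1, "user", "additional_auth_success_rate", lambda v: v >= 0.8, +1),
    ReliabilityRule(2, "user", "auth_success_rate", lambda v: v >= 0.9, +1),
    ReliabilityRule(3, "user", "blacklist_matches", lambda v: v >= 5, -1),
    ReliabilityRule(4, "user", "training_mail_unopened_rate", lambda v: v >= 0.9, +1),
    ReliabilityRule(5, "user", "business_hours_comm_rate", lambda v: v < 0.5, -1),
    ReliabilityRule(6, "user", "malware_infections", lambda v: v >= 1, -1),
]


def raw_score(rules: List[ReliabilityRule], metrics: Dict[str, float]) -> int:
    """Start from 0 and add score 205 of every rule whose determination value holds."""
    total = 0
    for rule in rules:
        value = metrics.get(rule.item)
        if value is not None and rule.satisfied(value):
            total += rule.score
    return total


def score_range(rules: List[ReliabilityRule]) -> Tuple[int, int]:
    """Minimum and maximum raw score this rule set can produce."""
    lo = sum(r.score for r in rules if r.score < 0)
    hi = sum(r.score for r in rules if r.score > 0)
    return lo, hi


def normalize(score: int, lo: int, hi: int) -> float:
    """(score - min) / (max - min); the page's worked case is (5 - (-10)) / (10 - (-10)) = 0.75."""
    if hi <= lo:
        raise ValueError("rule set has no usable score range")
    return (score - lo) / (hi - lo)


def user_reliability(metrics: Dict[str, float],
                     rules: List[ReliabilityRule] = USER_RULES) -> float:
    """Reliability 304 for a user, ready to be stored in the reliability data 114."""
    lo, hi = score_range(rules)
    return normalize(raw_score(rules, metrics), lo, hi)
```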
  • the communication control program 108 starts the list update program 111, updates the gray list 115, the black list 116, and the white list 117, and ends the process (step 713).
  • the processing of the list update program 111 will be described later with reference to FIG.
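The decision sequence of steps 702 to 711 as an added example (not the patent's own code): black list first, then white list, then gray list with a challenge to the user. The callables standing in for the authentication programs 109 and 110, the `failures` counter behind failure rate 404, and the sample entries are assumptions of this example.

```python
# Added example (not the patent's own code): the decision logic of the
# communication control program 108 in FIG. 7, steps 701 to 711, over
# in-memory black, white and gray lists. Entry fields follow FIG. 4 to 6;
# the `failures` counter from which failure rate 404 is derived, and the
# callables standing in for the authentication programs 109 and 110, are
# assumptions of this example.
from dataclasses import dataclass, field
from typing import Callable, Dict

BLOCK, PERMIT = "block", "permit"


@dataclass
class ListEntry:
    destination: str          # connection destination 402 / 502 / 602 (host name)
    count: int = 0            # communication count 403 / 503 / 603
    score: float = 0.5        # score 405 (gray) / 504 (black) / 604 (white)
    failures: int = 0         # gray list only; assumed backing for failure rate 404

    @property
    def failure_rate(self) -> float:
        """Additional authentication failure rate 404 as failures / count (assumed)."""
        return self.failures / self.count if self.count else 0.0


@dataclass
class Lists:
    black: Dict[str, ListEntry] = field(default_factory=dict)
    white: Dict[str, ListEntry] = field(default_factory=dict)
    gray: Dict[str, ListEntry] = field(default_factory=dict)


def control_communication(lists: Lists, destination: str,
                          credentials_ok: Callable[[], bool],
                          human_confirmed: Callable[[], bool]) -> str:
    """Steps 702-711: return BLOCK or PERMIT and update the matching list entry."""
    # Steps 702/703: user name and password check (authentication program 109);
    # a failure goes to step 710 and the communication is cut off.
    if not credentials_ok():
        return BLOCK
    # Step 704: black list match -> count the communication and cut it off.
    if destination in lists.black:
        lists.black[destination].count += 1
        return BLOCK
    # Step 705: white list match -> count the communication and permit it.
    if destination in lists.white:
        lists.white[destination].count += 1
        return PERMIT
    # Steps 706/707: gray list match -> count; an unknown destination is
    # registered with count 1, failure rate 0 and score 0.5.
    entry = lists.gray.get(destination)
    if entry is None:
        entry = ListEntry(destination, count=1, score=0.5)
        lists.gray[destination] = entry
    else:
        entry.count += 1
    # Steps 708/709: challenge/response test (additional authentication program
    # 110). A pass permits the connection; a failure raises the failure rate 404
    # of this destination and cuts the connection off.
    if human_confirmed():
        return PERMIT
    entry.failures += 1
    return BLOCK


def sample_lists() -> Lists:
    """Constructed lists holding the entries shown in FIG. 5 and FIG. 6."""
    return Lists(black={"black.com": ListEntry("black.com", count=100, score=0.99)},
                 white={"white.com": ListEntry("white.com", count=1000, score=0.99)})
```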
  • FIG. 8 is a flowchart showing the processing of the list update program 111 for updating the gray list 115, the black list 116, and the white list 117.
  • the list update program 111 is executed by the CPU 103, and starts processing when it receives information on the communication destination of the terminal 118 from the communication control program 108 (step 801).
  • the list update program 111 compares the communication destination information with the connection destination 402 of the gray list 115. If the corresponding connection destination 402 exists, the list update program 111 proceeds to step 803; if it does not exist, the process proceeds to step 808 (step 802).
  • the list update program 111 updates the score 405 of the gray list 115 (step 803).
  • a predetermined process is used for updating the score 405.
  • the reliability 304 of the user 119 that performed the communication and the reliability 304 of the terminal 118 that performed the communication are added, and the sum is divided by a predetermined value (for example, 200); the result is hereinafter referred to as the communication reliability. If the additional authentication in step 709 succeeded, the value obtained by subtracting the communication reliability from the score 405 is stored in the score 405 of the gray list 115 as the updated score.
  • if the additional authentication in step 709 failed, the value obtained by adding the communication reliability to the score 405 is stored in the score 405 of the gray list 115 as the updated score.
  • when the updated score 405 is smaller than 0, the score 405 is corrected to 0, and when the score 405 is larger than 1, the score 405 is corrected to 1.
  • in other words, if the additional authentication in step 709 succeeds, the score 405 of the gray list 115 decreases (the degree of suspiciousness decreases), and if the additional authentication in step 709 fails, the score 405 of the gray list 115 increases (the degree of suspiciousness increases). Further, the higher the reliability of the terminal 118 or the user 119, the larger the increase or decrease, and the lower the reliability of the terminal 118 or the user 119, the smaller the increase or decrease. With this process, the score 405 can be updated according to the reliability of the terminal 118 or the user 119.
  • the list update program 111 proceeds to step 806 if the communication count 403 of the gray list 115 is equal to or greater than a certain threshold (for example, 100) and the score 405 updated in step 803 is equal to or greater than a certain threshold (for example, 0.9). If the communication count 403 of the gray list 115 is less than the threshold (for example, 100) or the score 405 updated in step 803 is smaller than the threshold (for example, 0.9), the process proceeds to step 805 (step 804).
  • the list update program 111 proceeds to step 807 if the communication count 403 of the gray list 115 is equal to or greater than a certain threshold (for example, 100) and the score 405 updated in step 803 is equal to or less than a certain threshold (for example, 0.1). If the communication count 403 of the gray list 115 is less than the threshold (for example, 100) or the score 405 updated in step 803 is larger than the threshold (for example, 0.1), the process is terminated (step 805).
  • the list update program 111 moves the gray list entry whose connection destination 402 corresponds to the communication destination information to the black list 116, and ends the processing (step 806). At this time, an ID that does not exist in the black list 116 is stored in the ID 501, the communication destination information in the connection destination 502, “1” in the communication count 503, and “0.5” in the score 504.
  • the list update program 111 moves the gray list entry whose connection destination 402 corresponds to the communication destination information to the white list 117, and ends the processing (step 807). At this time, an ID that does not exist in the white list 117 is stored in the ID 601, the communication destination information in the connection destination 602, “1” in the communication count 603, and “0.5” in the score 604.
  • the list update program 111 compares the communication destination information with the connection destination 602 of the white list 117. If the corresponding connection destination 602 exists, the list update program 111 proceeds to step 810; if it does not exist, the process proceeds to step 809 (step 808).
  • the list update program 111 updates the score 504 of the black list 116 (step 809).
  • a predetermined process is used to update the score 504.
  • the communication reliability is calculated. If the authentication in step 703 succeeded, the value obtained by subtracting the communication reliability from the score 504 is stored in the score 504 of the black list 116 as the updated score. If the authentication in step 703 failed, the value obtained by adding the communication reliability to the score 504 is stored in the score 504 of the black list 116 as the updated score.
  • when the updated score 504 is smaller than 0, the score 504 is corrected to 0, and when the score 504 is larger than 1, the score 504 is corrected to 1.
  • in other words, if the authentication in step 703 succeeds, the score 504 of the black list 116 decreases (the risk level decreases), and if the authentication in step 703 fails, the score 504 of the black list 116 increases. Furthermore, the higher the reliability of the terminal 118 or the user 119, the larger the increase or decrease, and the lower the reliability of the terminal 118 or the user 119, the smaller the increase or decrease. With this processing, the score 504 can be updated according to the reliability of the terminal 118 or the user 119.
  • the list update program 111 updates the score 604 of the white list 117 (step 810).
  • a predetermined process is used for updating the score 604.
  • the communication reliability is calculated. If the authentication in step 703 succeeded, the value obtained by adding the communication reliability to the score 604 is stored in the score 604 of the white list 117 as the updated score. If the authentication in step 703 failed, the value obtained by subtracting the communication reliability from the score 604 is stored in the score 604 of the white list 117 as the updated score.
  • when the updated score 604 is smaller than 0, the score 604 is corrected to 0, and when the score 604 is larger than 1, the score 604 is corrected to 1.
  • in other words, if the authentication in step 703 succeeds, the score 604 of the white list 117 increases (the degree of safety increases), and if the authentication in step 703 fails, the score 604 of the white list 117 decreases. Further, the higher the reliability of the terminal 118 or the user 119, the larger the increase or decrease, and the lower the reliability of the terminal 118 or the user 119, the smaller the increase or decrease. With this process, the score 604 can be updated according to the reliability of the terminal 118 or the user 119.
  • the list update program 111 proceeds to step 813 if the communication count 503 of the black list 116 is equal to or greater than a certain threshold (for example, 100) and the score 504 updated in step 809 is equal to or smaller than a certain threshold (for example, 0.3). If the communication count 503 of the black list 116 is less than the threshold (for example, 100) or the score 504 updated in step 809 is larger than the threshold (for example, 0.3), the process ends (step 811).
  • the list update program 111 proceeds to step 813 if the communication count 603 of the white list 117 is equal to or greater than a certain threshold (for example, 100) and the score 604 updated in step 810 is equal to or smaller than a certain threshold (for example, 0.3). If the communication count 603 of the white list 117 is less than the threshold (for example, 100) or the score 604 updated in step 810 is larger than the threshold (for example, 0.3), the process is terminated (step 812).
  • the list update program 111 moves the entry of the black list 116 or the white list 117 that matched in step 811 or step 812 to the gray list 115, and ends the processing (step 813). At this time, an ID that does not exist in the gray list 115 is stored in the ID 401, the communication destination information in the connection destination 402, “1” in the communication count 403, “0” in the additional authentication failure rate 404, and “0.5” in the score 405.
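The list update of steps 801 to 813 as an added example (not the patent's own code), using the example values the text gives (divisor 200, 100 communications, 0.9 and 0.1 for the gray list, 0.3 for the black and white lists); the entry layout and the explicit black list membership check before step 809 are this example's own assumptions.

```python
# Added example (not the patent's own code): the list update program 111 of
# FIG. 8, steps 801 to 813, for one observed communication. The score moves by
# the communication reliability (user reliability + terminal reliability) / 200
# and is clamped to [0, 1]; the thresholds are the example values the text
# gives (100 communications, 0.9 / 0.1 for the gray list, 0.3 for black and
# white). The entry layout and the explicit black list membership check are
# this example's own choices.
from dataclasses import dataclass, field
from typing import Dict, Optional

DIVISOR = 200        # "predetermined value (for example, 200)"
MIN_COUNT = 100      # communication count required before a list change
GRAY_TO_BLACK = 0.9  # gray score at or above this -> black list (step 804)
GRAY_TO_WHITE = 0.1  # gray score at or below this -> white list (step 805)
BACK_TO_GRAY = 0.3   # black/white score at or below this -> gray list (steps 811/812)


@dataclass
class Entry:
    destination: str
    count: int = 1       # a moved entry starts with communication count 1
    score: float = 0.5   # and score 0.5


@dataclass
class ListSet:
    gray: Dict[str, Entry] = field(default_factory=dict)
    black: Dict[str, Entry] = field(default_factory=dict)
    white: Dict[str, Entry] = field(default_factory=dict)


def communication_reliability(user_rel: float, terminal_rel: float) -> float:
    """Step 803: (reliability 304 of the user + reliability 304 of the terminal) / 200."""
    return (user_rel + terminal_rel) / DIVISOR


def clamp(score: float) -> float:
    """Scores below 0 are corrected to 0, scores above 1 to 1."""
    return min(1.0, max(0.0, score))


def move(src: Dict[str, Entry], dst: Dict[str, Entry], destination: str) -> None:
    """Steps 806/807/813: re-register the destination in another list with defaults."""
    del src[destination]
    dst[destination] = Entry(destination)


def update_lists(lists: ListSet, destination: str, user_rel: float, terminal_rel: float,
                 auth_ok: bool, additional_auth_ok: bool) -> Optional[str]:
    """Apply one communication's outcome; return the list the entry moved to, or None."""
    delta = communication_reliability(user_rel, terminal_rel)

    if destination in lists.gray:                         # step 802 -> 803
        e = lists.gray[destination]
        # A passed challenge lowers suspicion, a failed one raises it (step 803).
        e.score = clamp(e.score - delta if additional_auth_ok else e.score + delta)
        if e.count >= MIN_COUNT and e.score >= GRAY_TO_BLACK:   # step 804 -> 806
            move(lists.gray, lists.black, destination)
            return "black"
        if e.count >= MIN_COUNT and e.score <= GRAY_TO_WHITE:   # step 805 -> 807
            move(lists.gray, lists.white, destination)
            return "white"
        return None

    if destination in lists.white:                        # step 808 -> 810
        e = lists.white[destination]
        # Successful authentication raises safety, failure lowers it (step 810).
        e.score = clamp(e.score + delta if auth_ok else e.score - delta)
        if e.count >= MIN_COUNT and e.score <= BACK_TO_GRAY:    # step 812 -> 813
            move(lists.white, lists.gray, destination)
            return "gray"
        return None

    if destination in lists.black:                        # step 808 -> 809
        e = lists.black[destination]
        # Successful authentication lowers danger, failure raises it (step 809).
        e.score = clamp(e.score - delta if auth_ok else e.score + delta)
        if e.count >= MIN_COUNT and e.score <= BACK_TO_GRAY:    # step 811 -> 813
            move(lists.black, lists.gray, destination)
            return "gray"
    return None
```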
  • FIG. 9 is an example of an additional authentication screen displayed by the additional authentication program 110.
  • the additional authentication screen consists of text representing a warning to the user 119 (901 in the figure), information on the communication destination (902 in the figure), an image composed of distorted characters and numbers (903 in the figure), an area for inputting the character string read from the image (904 in the figure), and a send button for sending the input information (905 in the figure).
  • a human and malware are discriminated based on whether or not such distorted characters and numbers can be read.
  • Steps 701 to 713, including the list update steps 801 to 813, will be described using a specific example. It is assumed that "user A" communicates with "example.com" using "terminal A".
  • the communication control program 108 is executed by the CPU 103 and receives communication from the “terminal A” 118a via the IF 102a (step 701).
  • The communication control program 108 executes the authentication program 109 to authenticate "user A" 119a using "terminal A" 118a (step 702). Here it is assumed that "user A" 119a has entered a correct user name and password combination.
  • The communication control program 108 acquires the authentication result from the authentication program 109. If the authentication succeeds, the process proceeds to step 704; if it fails, the process proceeds to step 710 (step 703). At this time, "user A" 119a has succeeded in authentication, and the process proceeds to step 704.
  • The communication control program 108 compares the communication destination information with the connection destination 502 of the black list 116. If a matching connection destination 502 exists, it increments the communication count 503 of that entry by one and proceeds to step 710; if not, it proceeds to step 705 (step 704). At this time, "example.com" does not exist in the black list 116, so the process proceeds to step 705.
  • The communication control program 108 compares the communication destination information with the connection destination 602 of the white list 117. If a matching connection destination 602 exists, it increments the communication count 603 of that entry by one and proceeds to step 711; if not, it proceeds to step 706 (step 705). At this time, "example.com" does not exist in the white list 117, so the process proceeds to step 706.
  • the communication control program 108 compares the communication destination information with the connection destination 402 of the gray list 115, and if the corresponding connection destination 402 exists, the communication control program 108 increments the communication count 403 of the corresponding connection destination 402 by 1 and then step 708. If not, the process proceeds to step 707 (step 706).
  • At this time, "example.com" matches the gray list entry with ID 401 "1", connection destination 402 "example.com", communication count 403 "1000", additional authentication failure rate 404 "0.1" and score 405 "0.4", so the communication count 403 is incremented by one and the process proceeds to step 708. After this increment the communication count 403 is "1001"; for simplicity, the following description treats it as "1000".
  • the communication control program 108 executes the additional authentication program 110 and performs additional authentication of the “user A” 119a using the “terminal A” 118a (step 708). At this time, the additional authentication screen displayed in FIG. 9 is displayed on the screen of “terminal A” 118a. Here, it is assumed that “user A” 119a correctly reads the distorted character string and presses the transmission button.
  • The communication control program 108 acquires the authentication result of the additional authentication program 110. If the additional authentication succeeds, the process proceeds to step 711; if it fails, the communication control program 108 updates the additional authentication failure rate 404 of the connection destination 402 matching the communication destination information and then proceeds to step 710 (step 709). At this time, "user A" 119a has succeeded in the additional authentication, and the process proceeds to step 711.
  • the communication control program 108 permits communication to the connection destination and proceeds to step 712 (step 711). At this time, the “user A” 119a communicates with the communication destination “example.com”.
  • the communication control program 108 activates the reliability update program 112 and updates the reliability data 114 of the “user A” 119a and the “terminal A” 118a (step 712).
  • It is assumed that "user A" 119a matches the reliability calculation rules with ID 201 "1", "2", "6" and "8", and that "terminal A" 118a matches the rules with ID 201 "9" and "10".
  • The reliability of "user A" 119a is "0.9" by the calculation ((+1 + 1 + 1 + 5) − (−10)) / (+10 − (−10)) = 18 / 20.
  • The reliability of "terminal A" 118a is "0.8" by the calculation ((+1 + 1) − (−10)) / (+5 − (−10)) = 12 / 15. In both cases the sum of the matched rule points is normalized against the minimum (−10) and maximum (+10 for a user, +5 for a terminal) attainable totals.
  • the communication control program 108 activates the list update program 111 and updates the gray list 115, the black list 116, and the white list 117 (step 713).
  • the list update program 111 is executed by the CPU 103 and receives the communication destination information “example.com” of the “terminal A” 118a from the communication control program 108 (step 801).
  • The list update program 111 compares the communication destination information with the connection destination 402 of the gray list 115. If a matching connection destination 402 exists, it proceeds to step 803; if not, it proceeds to step 808 (step 802). At this time, "example.com" matches the gray list entry with ID 401 "1", connection destination 402 "example.com", communication count 403 "1000", additional authentication failure rate 404 "0.1" and score 405 "0.4", so the process proceeds to step 803.
  • the list update program 111 updates the score 405 of the gray list 115 (step 803). At this time, the communication reliability is “0.0085” by the calculation of (0.9 + 0.8) / 200. Therefore, the score becomes “0.4085” by the calculation of 0.4 + 0.0085.
  • the list update program 111 proceeds to step 806 if the communication count 403 of the gray list 115 is equal to or greater than a certain threshold (for example, 100) and the score 405 updated in step 803 is equal to or greater than a certain threshold (for example, 0.9). If the communication count 403 of the gray list 115 is less than a certain threshold value (for example, 100) or the score 405 updated in step 803 is smaller than a certain threshold value (for example, 0.9), the process proceeds to step 805 (step 804). At this time, since the communication count 403 is “1000” and the updated score 405 is “0.4085”, the process proceeds to step 805.
  • The list update program 111 proceeds to step 807 if the communication count 403 of the gray list 115 is equal to or greater than a certain threshold (for example, 100) and the score 405 updated in step 803 is equal to or less than a certain threshold (for example, 0.1). If the communication count 403 is less than the threshold (for example, 100) or the updated score 405 is larger than the threshold (for example, 0.1), the process ends (step 805). At this time, since the communication count 403 is "1000" and the updated score 405 is "0.4085", the processing ends.
  • Next, it is assumed that malware infecting "terminal B" communicates with "malware.com".
  • This "malware" is assumed to steal the authentication information of user B stored on "terminal B" and thereby pass authentication.
  • the communication control program 108 is executed by the CPU 103 and receives communication from the “terminal B” 118b via the IF 102a (step 701).
  • the communication control program 108 executes the authentication program 109 to authenticate “malware” using the “terminal B” 118b (step 702).
  • Here it is assumed that the "malware" has stolen, and enters, the correct user name and password combination of "user B" 119b.
  • the communication control program 108 acquires the authentication result from the authentication program 109. If the authentication is successful, the process proceeds to step 704. If the authentication fails, the process proceeds to step 710 (step 703). At this time, “malware” has been successfully authenticated, and the process proceeds to step 704.
  • The communication control program 108 compares the communication destination information with the connection destination 502 of the black list 116. If a matching connection destination 502 exists, it increments the communication count 503 of that entry by one and proceeds to step 710; if not, it proceeds to step 705 (step 704). At this time, "malware.com" does not exist in the black list 116, so the process proceeds to step 705.
  • The communication control program 108 compares the communication destination information with the connection destination 602 of the white list 117. If a matching connection destination 602 exists, it increments the communication count 603 of that entry by one and proceeds to step 711; if not, it proceeds to step 706 (step 705). At this time, "malware.com" does not exist in the white list 117, so the process proceeds to step 706.
  • the communication control program 108 compares the communication destination information with the connection destination 402 of the gray list 115, and if the corresponding connection destination 402 exists, the communication control program 108 increments the communication count 403 of the corresponding connection destination 402 by 1 and then step 708. If not, the process proceeds to step 707 (step 706).
  • the communication destination information “malware.com” has an ID 401 “2”, a connection destination 402 “malware.com”, a communication count 403 “50”, and an additional authentication failure rate 404 “0.9”. Since the score 405 corresponds to the gray list of “0.895”, the communication count 403 is incremented by 1, and the process proceeds to step 708. Note that when this processing is performed, the communication count 403 is “51”. Here, for the sake of simplicity, the following processing will be described with the communication count 403 being “50”.
  • the communication control program 108 executes the additional authentication program 110 to perform additional authentication of “malware” using the “terminal B” 118b (step 708).
  • the additional authentication screen displayed in FIG. 9 is displayed on the screen of “terminal B” 118b.
  • The communication control program 108 acquires the authentication result of the additional authentication program 110. If the additional authentication succeeds, the process proceeds to step 711; if it fails, the additional authentication failure rate 404 of the connection destination 402 matching the communication destination information is updated and the process proceeds to step 710 (step 709). At this time, the "malware" has failed the additional authentication, so after the additional authentication failure rate 404 is updated, the process proceeds to step 710.
  • the communication control program 108 cuts off communication with the connection destination, and proceeds to step 712 (step 710). At this time, “malware” fails to communicate with the communication destination “malware.com”.
  • The communication control program 108 activates the reliability update program 112 and updates the reliability data 114 of "user B" 119b and "terminal B" 118b (step 712). Although it is actually the "malware" that performs the communication, the communication control program 108 updates the reliability of the user whose credentials were entered at the authentication program 109 (in this case, "user B" 119b).
  • It is assumed that "user B" 119b matches the reliability calculation rules with ID 201 "3", "4", "5" and "6", and that "terminal B" 118b matches the rules with ID 201 "11", "13" and "16".
  • The reliability of "user B" 119b is "0.4" by the calculation ((−5 + 1 + 1 + 1) − (−10)) / (+10 − (−10)) = 8 / 20. The reliability of "terminal B" 118b is "0.67" by the calculation ((−3 + 2 + 1) − (−10)) / (+5 − (−10)) = 10 / 15.
  • the communication control program 108 activates the list update program 111 and updates the gray list 115, the black list 116, and the white list 117 (step 713).
  • the list update program 111 is executed by the CPU 103 and receives the communication destination information “malware.com” of the “terminal B” 118b from the communication control program 108 (step 801).
  • the list update program 111 compares the communication destination information with the connection destination 402 of the gray list 115. If the corresponding connection destination 402 exists, the list update program 111 proceeds to step 803, and if the corresponding connection destination 402 does not exist. Proceed to step 808 (step 802). At this time, the communication destination information “malware.com” has an ID 401 “2”, a connection destination 402 “malware.com”, a communication count 403 “50”, and an additional authentication failure rate 404 “0.9”. Since the score 405 corresponds to the gray list of “0.895”, the process proceeds to step 803.
  • the list update program 111 updates the score 405 of the gray list 115 (step 803).
  • At this time, the communication reliability is "0.00535" by the calculation (0.4 + 0.67) / 200. Therefore, the score becomes "0.90035" by the calculation 0.895 + 0.00535.
  • The list update program 111 proceeds to step 806 if the communication count 403 of the gray list 115 is equal to or greater than a certain threshold (for example, 100) and the score 405 updated in step 803 is equal to or greater than a certain threshold (for example, 0.9). If the communication count 403 is less than the threshold (for example, 100) or the updated score 405 is smaller than the threshold (for example, 0.9), the process proceeds to step 805 (step 804). At this time, since the communication count 403 is "100" and the updated score 405 is "0.90035", the process proceeds to step 806.
  • the list update program 111 moves the gray list having the communication destination information and the corresponding connection destination 402 to the black list 116, and ends the processing (step 806).
  • At this time, "malware.com" corresponds to the gray list entry with ID 401 "2" and connection destination 402 "malware.com". That gray list entry is deleted, and a black list 116 entry is created with ID 501 "3", connection destination 502 "malware.com", communication count 503 "1" and score 504 "0.5"; the processing then ends.
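The two worked cases above (user A to "example.com", malware on terminal B to "malware.com") exercise steps 703 to 711 and 802 to 813 and the min-max reliability normalization. The following block is an added example written for this page; it is not code from the patent or from Hitachi. The thresholds, list fields and the (user reliability + terminal reliability) / 200 increment come from the description; the sign of the score change on a successful additional authentication, the failure-rate update rule, the black/white list adjustment (steps 809 and 810 are not detailed here) and the "old.example" entry are assumptions.

```python
# Added example, not code from the patent or from Hitachi: a model of the
# communication control flow (steps 703-711) and list update (steps 802-813)
# using the example thresholds and the min-max reliability normalisation.
# Assumed (not in the page): the signed score change on a passed check, the
# failure-rate update, the black/white adjustment rule, and the sample data.
from dataclasses import dataclass, field

COUNT_THRESHOLD = 100   # "a certain threshold (for example, 100)"
BLACK_SCORE = 0.9       # step 804: gray -> black when score >= 0.9
WHITE_SCORE = 0.1       # step 805: gray -> white when score <= 0.1
DEMOTE_SCORE = 0.3      # steps 811/812: black/white -> gray when score <= 0.3


@dataclass
class Entry:
    dest: str
    count: int = 1          # communication count 403 / 503 / 603
    fail_rate: float = 0.0  # additional authentication failure rate 404
    score: float = 0.5      # new gray and black entries start at 0.5


@dataclass
class Lists:
    gray: dict = field(default_factory=dict)
    black: dict = field(default_factory=dict)
    white: dict = field(default_factory=dict)


def reliability(points, max_points, min_points=-10):
    """Min-max normalisation of the matched rule points, e.g. user A:
    ((+1+1+1+5) - (-10)) / (+10 - (-10)) = 0.9."""
    raw = (sum(points) - min_points) / (max_points - min_points)
    return max(0.0, min(1.0, raw))


def control(lists, dest, password_ok, captcha_ok):
    """Steps 703-711: returns 'allow' or 'block'. captcha_ok is consulted only
    for gray-list destinations (step 708, additional authentication)."""
    if not password_ok:                 # step 703 -> 710
        return "block"
    if dest in lists.black:             # step 704 -> 710
        lists.black[dest].count += 1
        return "block"
    if dest in lists.white:             # step 705 -> 711
        lists.white[dest].count += 1
        return "allow"
    entry = lists.gray.get(dest)
    if entry is None:                   # step 707: register a new gray entry
        entry = lists.gray[dest] = Entry(dest)
    else:                               # step 706: count up
        entry.count += 1
    if captcha_ok:                      # step 709 -> 711
        return "allow"
    # step 709 -> 710: failure rate kept as a running mean of failed checks
    # over this entry's count (assumed update rule)
    entry.fail_rate += (1.0 - entry.fail_rate) / entry.count
    return "block"


def score_delta(user_rel, term_rel, additional_auth_failed):
    """Communication reliability (user_rel + term_rel) / 200 as in the worked
    examples. The page adds it in both outcomes; here it is signed (assumption)
    so that checks passed by reliable users move a destination towards the
    white list instead of the black list."""
    magnitude = (user_rel + term_rel) / 200
    return magnitude if additional_auth_failed else -magnitude


def update_lists(lists, dest, delta):
    """Steps 802-813. Returns the list transition that happened, if any."""
    if dest in lists.gray:                                  # step 802 -> 803
        e = lists.gray[dest]
        e.score += delta
        if e.count >= COUNT_THRESHOLD and e.score >= BLACK_SCORE:   # 804 -> 806
            del lists.gray[dest]
            lists.black[dest] = Entry(dest)                 # count 1, score 0.5
            return "gray->black"
        if e.count >= COUNT_THRESHOLD and e.score <= WHITE_SCORE:   # 805 -> 807
            del lists.gray[dest]
            lists.white[dest] = Entry(dest)
            return "gray->white"
        return "gray"
    for name, table in (("black", lists.black), ("white", lists.white)):
        e = table.get(dest)                                 # steps 808-810
        if e is None:
            continue
        e.score += delta
        if e.count >= COUNT_THRESHOLD and e.score <= DEMOTE_SCORE:  # 811/812 -> 813
            del table[dest]
            lists.gray[dest] = Entry(dest)
            return f"{name}->gray"
        return name
    return "none"


def demo():
    """The page's two cases plus a constructed black->gray demotion."""
    lists = Lists()
    lists.gray["example.com"] = Entry("example.com", count=1000, fail_rate=0.1, score=0.4)
    lists.gray["malware.com"] = Entry("malware.com", count=100, fail_rate=0.9, score=0.895)
    lists.black["old.example"] = Entry("old.example", count=150, score=0.31)  # constructed
    user_a, term_a = reliability([1, 1, 1, 5], 10), reliability([1, 1], 5)
    user_b, term_b = reliability([-5, 1, 1, 1], 10), reliability([-3, 2, 1], 5)
    out = {}
    r = control(lists, "example.com", password_ok=True, captcha_ok=True)
    out["example.com"] = (r, update_lists(lists, "example.com", score_delta(user_a, term_a, r == "block")))
    r = control(lists, "malware.com", password_ok=True, captcha_ok=False)
    out["malware.com"] = (r, update_lists(lists, "malware.com", score_delta(user_b, term_b, r == "block")))
    out["old.example"] = ("-", update_lists(lists, "old.example", -0.02))
    return out, lists


if __name__ == "__main__":
    print(demo()[0])
```

Running `demo()` reproduces the page's outcome for "malware.com" (blocked, then promoted from the gray list to the black list because its count meets the threshold and its score passes 0.9) and, because the increment is signed here, leaves "example.com" in the gray list with a lower score instead of the page's 0.4085. The constructed "old.example" entry shows the step 813 path that the page only states in words.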
  • User-Agent information may be used instead of the connection destinations of the gray list 115, the black list 116, and the white list 117.
  • Malware may use a special User-Agent. By controlling communication from a suspicious User-Agent, it becomes possible to control communication of the malware.
  • connection destinations that are not observed for a predetermined period may be deleted from the gray list 115, the black list 116, and the white list 117. Thereby, the enlargement of the list can be prevented.
  • the gray list 115 may store a list of suspicious connection destinations disclosed by an external organization.
  • the list of suspicious connection destinations disclosed by external organizations may include safe connection destinations, and if communication is stopped immediately, there is a possibility that business will be affected. For this reason, by using the gray list 115, it is possible to control malware communication while permitting communication related to business. Further, as information to be stored in the gray list 115, information on connection destinations observed when the malware is dynamically analyzed and information on connection destinations determined to be dangerous at the URL reputation site may be stored.
  • CAPTCHA is used for the additional authentication in this embodiment, but other methods may be used instead: pressing a button displayed on a confirmation screen, entering a character string displayed in a moving image, entering a character string read out by voice, or entering a password different from the one used at the time of authentication.
  • the additional authentication method may be changed according to the score 405 of the gray list 115. Furthermore, when the score 405 is high, a plurality of additional authentications may be used. Thereby, although the burden on a user increases, it becomes possible to reduce the possibility that malware communicates.
  • the communication registered in the black list 116 may be controlled by a security product such as FW.
  • connection destination information may be used to update the score 405 of the gray list 115.
  • information on the URL reputation site at the connection destination, the elapsed time after the accident when an accident occurs at the connection destination, the number of executable files existing at the connection destination, and the like may be used.
  • an agent may be introduced into the terminal 118 to acquire information on processes that perform communication, and a gray list of processes may be created. As a result, communication control from a suspicious process can be performed.
  • the time required for additional authentication may be used to update the score 405 of the gray list 115.
  • Additional authentication may be limited to terminals 118 or users 119 with low reliability.
  • the reliability of the terminal 118 and the user 119 can be evaluated from the success or failure of the additional authentication. By using this evaluation result, it becomes possible to control the communication of the terminal 118 with low reliability and the user 119.
  • Embodiment 2 is an unauthorized communication control apparatus that includes the unauthorized communication control apparatus 101 of Embodiment 1 and in addition acquires and analyzes connection destination information and presents it as auxiliary information at the time of additional authentication.
  • When the additional authentication screen of FIG. 9 is displayed, only the connection destination information is shown, so the user 119 may find it difficult to decide whether to permit the connection.
  • an unauthorized communication control device that supports the determination of the user 119 by displaying the detailed information of the connection destination will be described. Thereby, the gray list can be updated based on an appropriate determination.
  • FIG. 10 is an example of the hardware configuration of the malware communication control device in this embodiment.
  • the same components as those in the first embodiment are denoted by the same reference numerals, and the description thereof will be omitted.
  • differences from the first embodiment will be mainly described.
  • The unauthorized communication control apparatus 1001 includes, in addition to the components of the unauthorized communication control apparatus 101 of Embodiment 1, a communication control program 1002, an additional authentication program 1003, a connection destination acquisition program 1004 and a connection destination analysis program 1005.
  • The communication control program 108 and the additional authentication program 110 also exist in Embodiment 1; because some of their processing differs from the communication control program 1002 and the additional authentication program 1003 of Embodiment 2, new reference numerals are used here.
  • the CPU 103 executes the connection destination acquisition program 1004 stored in the main memory 104 to acquire the connection destination content information, and executes the connection destination analysis program 1005 to analyze the connection destination.
  • Each of the above programs may be stored in the main memory 104 or the storage device 105 in advance, or may be installed (loaded) when needed from the input/output device 106 or from another device via the IF 102.
  • the communication control program 1002 executes the connection destination acquisition program 1004 when receiving a connection request from the user. Specifically, in step 702, the authentication program 109 is executed and the connection destination acquisition program 1004 is executed.
  • connection destination acquisition program 1004 connects to the connection destination acquired in step 701 via the network 120b and acquires the content of the connection destination. At this time, the connection destination content is also stored as image information.
  • connection destination acquisition program 1004 executes the connection destination analysis program 1005.
  • the connection destination analysis program 1005 is a program for analyzing connection destination information. For example, information on the country in which the connection destination server exists, URL reputation result of the connection destination, the number of people connected to the connection destination so far, connection destination Analyzes behavior information etc. that occurs in the accessed terminal when accessing.
  • FIG. 11 illustrates an additional authentication screen that the additional authentication program 1003 presents to the user.
  • Connection destination information (1101) is displayed on the additional authentication screen. Specifically, the connection destination image information (1102) acquired by the connection destination acquisition program 1004 and the connection destination information (1103) analyzed by the connection destination analysis program 1005 are displayed. With this information the user 119 can decide appropriately whether or not to connect to the connection destination.
  • a notification button (1104) is displayed on the additional authentication screen.
  • When the user 119 checks the connection destination information 1101 and judges the connection destination to be dangerous, the user 119 presses the report button 1104.
  • By using whether or not the report button (1104) was pressed when updating the gray list, the accuracy of the gray list can be improved.
  • The connection destination acquisition program and the connection destination analysis program may be executed on a terminal different from the unauthorized communication control device. Since the connection destination acquisition program accesses possibly malicious sites, its risk of malware infection is higher, and the fetch also lets the destination observe that it is being inspected. Executing these programs on a separate terminal limits the damage if that terminal is infected.
  • the present invention is not limited to the above-described embodiment as it is, and can be embodied by modifying the constituent elements without departing from the scope of the invention in the implementation stage.
  • various inventions can be formed by appropriately combining a plurality of constituent elements disclosed in the embodiment. For example, some components may be deleted from all the components shown in the embodiment. Furthermore, the constituent elements over different embodiments may be appropriately combined.

Abstract

According to the present invention, communication by means of malware is cut off while permitting communication that affects a business by using user's feedback. The present invention is provided with: a storage unit that stores suspicious connection destinations as a gray list; an authentication unit that asks a user for connection confirmation when communication to a connection destination matching the gray list is observed; a control unit that carries out communication control on the basis of the authentication result of the authentication unit; and a list update unit that updates the gray list on the basis of the authentication result of the authentication unit.

Description

Unauthorized communication control apparatus and method

The present invention relates to a technology that blocks communication by malware while permitting communication that affects business, by using feedback from the user.

In recent years, cyber attacks targeting private companies, defense-related companies and both houses of the Diet have come to light, raising the risk of harm to the interests and safety of individuals, companies and the nation. Attack techniques are also becoming more sophisticated; targeted attacks, in particular APT (Advanced Persistent Threat) attacks, differ in nature from conventional threats in that they continue secretly and persistently over a long period. Against this background, countermeasures that assume malware will get into the organization are important.

For example, Patent Document 1 discloses a system in which information on vulnerabilities is obtained for the specifications of an information terminal device, a vulnerability value is derived from that information, a risk level representing the security risk of connecting the information terminal device to a server is calculated from the vulnerability value, and the server denies access without performing security authentication of the information terminal device when the risk level is equal to or higher than a predetermined threshold.

Patent Document 1: JP 2004-259020 A

Using the technology of Patent Document 1, communication from vulnerable environments with a high risk of malware infection can be blocked. However, if communication from a vulnerable environment is blocked, communication is also blocked when a user working in that environment connects to a business-related destination, which may affect business.

The present invention was made in view of the above circumstances, and its object is to provide an unauthorized communication control device that blocks communication by malware while permitting communication that affects business, by using feedback from the user.

A representative example of the present invention is as follows: a storage unit that stores suspicious connection destinations as a gray list; an authentication unit that performs connection confirmation with the user when communication from a terminal to a connection destination matching the gray list is observed; a control unit that performs communication control based on the authentication result of the authentication unit; and a list update unit that updates the gray list based on the authentication result of the authentication unit.

According to the present invention, communication by malware can be blocked while communication that affects business is permitted.
  • FIG. 1 shows a configuration example of the unauthorized communication control apparatus according to Embodiment 1 of the present invention.
  • FIG. 2 shows an example of the reliability calculation rules according to Embodiment 1.
  • FIG. 3 shows an example of the reliability data according to Embodiment 1.
  • FIG. 4 shows an example of the gray list according to Embodiment 1.
  • FIG. 5 shows an example of the black list according to Embodiment 1.
  • FIG. 6 shows an example of the white list according to Embodiment 1.
  • FIG. 7 is a flowchart of the communication control processing according to Embodiment 1.
  • FIG. 8 is a flowchart of the list update processing according to Embodiment 1.
  • FIG. 9 shows an example of the additional authentication screen according to Embodiment 1.
  • FIG. 10 shows a configuration example of the unauthorized communication control apparatus according to Embodiment 2 of the present invention.
  • FIG. 11 shows an example of the additional authentication screen according to Embodiment 2.
One method of controlling communication uses a black list. Information on dangerous connection destinations is registered in the black list, and communication to any connection destination matching the black list is blocked. If a connection destination used for business is mistakenly registered in the black list, that business can no longer be carried out. Registration of connection destination information in the black list therefore has to be examined carefully, and the problem is that registration takes time.
In this embodiment, therefore, a gray list is used. Here a gray list is a list of connection destinations of intermediate reliability: ones that do not require as much caution as the black list but cannot be permitted outright like the white list. The gray list manages suspicious connection destinations; when communication to a connection destination matching the gray list occurs, the user is asked for confirmation, and if the confirmation succeeds, communication to that connection destination is permitted. This removes the need to examine the information on the communication destination in advance and allows a quick response. Embodiment 1 focuses on this point and describes the communication control processing, authentication processing, list update processing, and reliability update processing.
FIG. 1 is a diagram showing a configuration example of the unauthorized communication control apparatus according to Embodiment 1 of the present invention. The unauthorized communication control apparatus 101 according to Embodiment 1 is connected, via a network 120, to a terminal 118 operated by a user 119 and to the Internet 121.
The unauthorized communication control apparatus 101 is a computer comprising a CPU (Central Processing Unit) 103; a main memory 104 for storing the data the CPU 103 needs to execute processing; a storage device 105, such as a hard disk or flash memory, with the capacity to store a large amount of data; an IF (interface) 102 for communicating with other apparatuses; an input/output device 106, such as a keyboard and a display, for performing input and output; and a communication path 107 connecting these devices. The communication path 107 is an information transmission medium such as a bus or a cable.
By executing the communication control program 108 stored in the main memory 104, the CPU 103 controls suspicious communication; by executing the authentication program 109, it authenticates the user 119; by executing the additional authentication program 110, it performs additional authentication of the user 119; by executing the list update program 111, it updates the gray list 115, the black list 116, and the white list 117; and by executing the reliability update program 112, it updates the reliability data 114. Reliability here is an index of how far the terminal 118 and the user 119 can be trusted.
The storage device 105 stores a reliability calculation rule table 113 holding a plurality of rules for calculating the reliability of the terminal 118 and the user 119, reliability data 114 indicating the reliability of the terminal 118 and the user 119, a gray list 115 indicating suspicious communication destinations, a black list 116 indicating dangerous communication destinations, and a white list 117 indicating safe communication destinations.
Each of the above programs and data may be stored in advance in the memory 104 or the storage device 105, or may be installed (loaded) when needed from the input/output device 106 or from another apparatus via the IF 102.
FIG. 2 is a diagram showing an example of the reliability calculation rule table 113. As shown in FIG. 2, the reliability calculation rule table 113 comprises an ID 201, a type 202, an item 203, a judgment value 204, and a score 205. The unit of information identified by one ID 201 is called a reliability calculation rule.
The ID 201 is information that uniquely identifies a reliability calculation rule.
The type 202 indicates what the reliability calculation rule applies to. For example, a type 202 of "user" indicates a rule for calculating the reliability of a user, and a type 202 of "terminal" indicates a rule for calculating the reliability of a terminal.
The item 203 indicates the item used when calculating the reliability, the judgment value 204 indicates the threshold used when calculating the reliability, and the score 205 indicates the value (degree of influence) used when calculating the reliability. A score 205 with a "+" sign indicates that the terminal 118 or user 119 is trustworthy; a score 205 with a "-" sign indicates that the terminal 118 or user 119 is not.
A concrete description follows with reference to FIG. 2. For example, the reliability calculation rule whose ID 201 is "1", type 202 is "user", item 203 is "additional authentication success rate", judgment value 204 is "0.8 or more", and score 205 is "+1" indicates that when the additional authentication success rate of the user 119 is 0.8 or more, the reliability of the user 119 is increased by 1. Although this is described here as adding 1 to the reliability, in practice the reliability is normalized before it is stored in the reliability data 114. The normalization processing is described later with reference to FIG. 7.
The reliability calculation rules are for judging the reliability of the terminal 118 and the user 119. For calculating the reliability of the user 119, for example, rules concerning the additional authentication success rate, the authentication success rate, the number of black list matches, the proportion of training e-mails left unopened, the proportion of communication within business hours, the business content, the number of malware infections, specific users, and so on are stored; for calculating the reliability of the terminal 118, for example, rules concerning the additional authentication success rate, the authentication success rate, the number of vulnerable software packages, the number of unapplied OS (Operating System) patches, whether AV (AntiVirus) software is installed, the AV signature update date, the number of AV alerts, the proportion of communication within business hours, and so on are stored.
Each item of information in the reliability calculation rule table 113 may be entered or updated by an administrator as necessary.
The reliability calculation rule table 113 is used when the reliability update program 112, executed by the CPU 103, updates the reliability of the terminal 118 or the user 119. The specific processing of the reliability update program 112 is described later with reference to FIG. 7.
FIG. 3 is a diagram showing an example of the reliability data 114. As shown in FIG. 3, the reliability data 114 comprises an ID 301, a type 302, an item 303, and a reliability 304.
The ID 301 is information that uniquely identifies a reliability data record.
The type 302 indicates the type of the reliability data. For example, a type 302 of "user" indicates that the record stores the reliability of a user 119, and a type 302 of "terminal" indicates that it stores the reliability of a terminal 118.
The item 303 is information identifying the terminal 118 or user 119 whose reliability the record stores, and the reliability 304 is the reliability of that terminal 118 or user 119. The reliability 304 holds a value from "0" to "1": a reliability 304 of "0" indicates that the terminal 118 or user 119 cannot be trusted, a reliability 304 of "1" indicates that the terminal 118 or user 119 can be trusted, and the closer the reliability is to "1", the higher the reliability of the terminal 118 or user 119.
A concrete description follows with reference to FIG. 3. For example, the reliability data whose ID 301 is "1", type 302 is "user", item 303 is "user A", and reliability 304 is "0.9" indicates that the reliability of "user A 119a" is "0.9".
The reliability data 114 is updated by the reliability update program 112 executed by the CPU 103. The specific processing of the reliability update program 112 is described later with reference to FIG. 7.
FIG. 4 is a diagram showing an example of the gray list 115. As shown in FIG. 4, the gray list 115 comprises an ID 401, a connection destination 402, a communication count 403, an additional authentication failure rate 404, and a score 405.
The ID 401 is information that uniquely identifies a gray list entry.
The connection destination 402 is information on a suspicious connection destination. Although FIG. 4 shows host names as the suspicious connection destinations, any information that identifies a connection destination may be used; for example, an IP (Internet Protocol) address or a URI (Uniform Resource Identifier) may be stored.
The communication count 403 is the number of connections to the connection destination 402, the additional authentication failure rate 404 is the proportion of connections to the connection destination 402 on which additional authentication failed, and the score 405 is the degree of suspicion (degree of "gray") of the connection destination 402. The score 405 holds a value from "0" to "1", and the closer the score 405 is to "1", the more suspicious the destination.
A concrete description follows with reference to FIG. 4. For example, the gray list entry whose ID 401 is "1", connection destination 402 is "example.com", communication count 403 is "1000", additional authentication failure rate 404 is "0.1", and score 405 is "0.4" indicates that the unauthorized communication control apparatus 101 has observed communication to "example.com" 1000 times, that additional authentication for this connection destination failed at a rate of 0.1, and that the degree of suspicion of this connection destination is 0.4.
The gray list 115 is updated by the list update program 111 executed by the CPU 103. The specific processing of the list update program 111 is described later with reference to FIG. 8.
Each item of information in the gray list 115 may be entered or updated by an administrator as necessary.
FIG. 5 is a diagram showing an example of the black list 116. As shown in FIG. 5, the black list 116 comprises an ID 501, a connection destination 502, a communication count 503, and a score 504.
The ID 501 is information that uniquely identifies a black list entry.
The connection destination 502 is information on a dangerous connection destination. Although FIG. 5 shows host names as the dangerous connection destinations, any information that identifies a connection destination may be used; for example, an IP (Internet Protocol) address or a URI (Uniform Resource Identifier) may be stored.
The communication count 503 is the number of connections to the connection destination 502, and the score 504 is the degree of danger (degree of "black") of the connection destination 502. The score 504 holds a value from "0" to "1", and the closer the score 504 is to "1", the more dangerous the destination.
A concrete description follows with reference to FIG. 5. For example, the black list entry whose ID 501 is "1", connection destination 502 is "black.com", communication count 503 is "100", and score 504 is "0.99" indicates that the unauthorized communication control apparatus 101 has observed communication to "black.com" 100 times and that the degree of danger of this connection destination is 0.99.
The black list 116 is updated by the list update program 111 executed by the CPU 103. The specific processing of the list update program 111 is described later with reference to FIG. 8.
Each item of information in the black list 116 may be entered or updated by an administrator as necessary.
FIG. 6 is a diagram showing an example of the white list 117. As shown in FIG. 6, the white list 117 comprises an ID 601, a connection destination 602, a communication count 603, and a score 604.
The ID 601 is information that uniquely identifies a white list entry.
The connection destination 602 is information on a safe connection destination. Although FIG. 6 shows host names as the safe connection destinations, any information that identifies a connection destination may be used; for example, an IP (Internet Protocol) address or a URI (Uniform Resource Identifier) may be stored.
The communication count 603 is the number of connections to the connection destination 602, and the score 604 is the degree of safety (degree of "white") of the connection destination 602. The score 604 holds a value from "0" to "1", and the closer the score 604 is to "1", the safer the destination.
A concrete description follows with reference to FIG. 6. For example, the white list entry whose ID 601 is "1", connection destination 602 is "white.com", communication count 603 is "1000", and score 604 is "0.99" indicates that the unauthorized communication control apparatus 101 has observed communication to "white.com" 1000 times and that the degree of safety of this connection destination is 0.99.
The white list 117 is updated by the list update program 111 executed by the CPU 103. The specific processing of the list update program 111 is described later with reference to FIG. 8.
Each item of information in the white list 117 may be entered or updated by an administrator as necessary.
The approach to scores described for the gray list, black list, and white list in FIGS. 3 to 5 may take other forms. For example, a higher value could consistently mean "more dangerous" across all three lists. In that case, the sign of the score 205 of the rules in FIG. 2 would have to be reversed accordingly.
Next, the processing is described in which the communication control program 108 of the unauthorized communication control apparatus 101 receives communication from the terminal 118, the authentication program 109 authenticates the user 119, the additional authentication program 110 performs additional authentication of the user 119, the list update program 111 updates the gray list 115, the black list 116, and the white list 117, and the reliability update program 112 updates the reliability data 114.
FIG. 7 is a flowchart showing the processing of the communication control program 108 of the unauthorized communication control apparatus 101. As shown in FIG. 7, the communication control program 108 is executed by the CPU 103 and receives communication from the terminal 118 via the IF 102a (step 701).
The communication control program 108 executes the authentication program 109 to authenticate the user 119 using the terminal 118 (step 702).
Here the authentication program 109 checks, for example by means of a user name and password combination, whether the user 119 attempting to communicate has the authority to do so.
The communication control program 108 obtains the authentication result from the authentication program 109; if authentication succeeded, it proceeds to step 704, and if authentication failed, it proceeds to step 710 (step 703).
The communication control program 108 compares the communication destination information with the connection destinations 502 of the black list 116; if a matching connection destination 502 exists, it adds 1 to the communication count 503 of that connection destination 502 and proceeds to step 710, and if no matching connection destination 502 exists, it proceeds to step 705 (step 704).
The communication control program 108 compares the communication destination information with the connection destinations 602 of the white list 117; if a matching connection destination 602 exists, it adds 1 to the communication count 603 of that connection destination 602 and proceeds to step 711, and if none exists, it proceeds to step 706 (step 705).
The communication control program 108 compares the communication destination information with the connection destinations 402 of the gray list 115; if a matching connection destination 402 exists, it adds 1 to the communication count 403 of that connection destination 402 and proceeds to step 708, and if none exists, it proceeds to step 707 (step 706).
The communication control program 108 stores the communication destination information in the gray list 115 (step 707). At this time it stores an ID not already present in the gray list 115 in the ID 401, the communication destination information in the connection destination 402, "1" in the communication count 403, "0" in the authentication failure rate 404, and "0.5" in the score 405.
The communication control program 108 executes the additional authentication program 110 to perform additional authentication of the user 119 using the terminal 118 (step 708).
Here the additional authentication program 110 uses a challenge/response test, such as a CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart), to confirm that the communication from the terminal 118 does not originate from a computer program (malware). The display screen of the additional authentication program 110 is described later with reference to FIG. 9.
The communication control program 108 obtains the authentication result from the additional authentication program 110; if authentication succeeded, it proceeds to step 711, and if authentication failed, it updates the additional authentication failure rate of the connection destination 402 matching the communication destination information and then proceeds to step 710 (step 709).
The communication control program 108 blocks communication to the connection destination and proceeds to step 712 (step 710).
The communication control program 108 permits communication to the connection destination and proceeds to step 712 (step 711).
The communication control program 108 starts the reliability update program 112 and updates the reliability data 114 of the user 119 and the terminal 118 (step 712). The reliability update program 112 updates the reliability of the user 119 using the reliability calculation rules whose type 202 in the reliability calculation rule table 113 is "user", and the reliability of the terminal 118 using the reliability calculation rules whose type 202 is "terminal".
The case of updating the reliability of the user 119 is now described with reference to FIG. 2. When updating the reliability of the user 119, the reliability calculation rules whose type 202 is "user" are used. In FIG. 2, the reliability is updated using the eight reliability calculation rules whose ID 201 is "1" to "8". First, the score of the user 119 is set to "0". Then, for the reliability calculation rule whose ID 201 is "1" and type 202 is "user", it is judged whether the "additional authentication success rate" of item 203 satisfies the judgment value 204 of "0.8 or more", and if it does, the "+1" of the score 205 is added to the score of "0". Likewise, for the reliability calculation rules whose ID 201 is "2" to "8", it is judged whether the item 203 satisfies the judgment value 204, and if it does, the score 205 is added. After all applicable reliability calculation rules have been applied, the calculated score is normalized to a value from "0" to "1" to obtain the reliability. For example, the minimum and maximum scores obtainable after applying the applicable reliability calculation rules are determined, the minimum score is subtracted from the calculated score, and the result is divided by the maximum score minus the minimum score. For example, the minimum score obtainable for type 202 "user" in FIG. 2 is "-10" and the maximum is "+10". If the calculated score is "+5", the reliability is "0.75", from the calculation (+5 - (-10)) / (+10 - (-10)).
The reliability may be calculated on every communication, or, to reduce the computational load, it may be calculated once per fixed period (for example, once a week).
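The rule-table evaluation and normalization just described, as an added worked example in Python (not code from the patent): the rule table, the item names, the operators and the score values are constructed here, and only the first rule (additional authentication success rate of 0.8 or more giving +1) is taken from the page's FIG. 2 description; the other seven thresholds and scores are assumptions chosen so that the "user" rules span exactly -10 to +10, which lets the page's +5 → 0.75 case be reproduced. Missing observation items are treated as "rule does not fire", an edge case the page does not discuss.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple, Union

Value = Union[float, int, str, bool]


@dataclass(frozen=True)
class ReliabilityRule:
    """One row of the reliability calculation rule table 113:
    ID 201, type 202, item 203, judgment value 204 (with an operator), score 205."""
    rule_id: int
    rule_type: str        # "user" or "terminal"
    item: str             # observed item the rule looks at
    op: str               # judgment operator: ">=", "<=" or "=="
    judgment_value: Value
    score: int            # signed degree of influence

    def matches(self, observation: Dict[str, Value]) -> bool:
        """True when the observed item satisfies the judgment value."""
        if self.item not in observation:
            return False  # item not observed: the rule does not fire (assumption)
        observed = observation[self.item]
        if self.op == ">=":
            return observed >= self.judgment_value
        if self.op == "<=":
            return observed <= self.judgment_value
        if self.op == "==":
            return observed == self.judgment_value
        raise ValueError(f"unsupported operator {self.op!r}")


def raw_score(rules: List[ReliabilityRule], rule_type: str,
              observation: Dict[str, Value]) -> int:
    """Start from 0 and add score 205 of every rule of `rule_type` whose
    judgment value 204 is satisfied (the procedure described for FIG. 2)."""
    return sum(r.score for r in rules
               if r.rule_type == rule_type and r.matches(observation))


def score_bounds(rules: List[ReliabilityRule], rule_type: str) -> Tuple[int, int]:
    """Minimum and maximum obtainable raw scores for a type: every negative
    rule firing at once, and every positive rule firing at once."""
    scores = [r.score for r in rules if r.rule_type == rule_type]
    return sum(s for s in scores if s < 0), sum(s for s in scores if s > 0)


def reliability(rules: List[ReliabilityRule], rule_type: str,
                observation: Dict[str, Value]) -> float:
    """(score - min) / (max - min), normalized into 0..1 for reliability data 114."""
    lo, hi = score_bounds(rules, rule_type)
    if hi == lo:
        raise ValueError(f"no rules of type {rule_type!r}; reliability is undefined")
    return (raw_score(rules, rule_type, observation) - lo) / (hi - lo)


# Constructed "user" rule table covering the eight user items the page names.
# Only rule 1's threshold and score come from the page; the rest are assumptions.
USER_RULES = [
    ReliabilityRule(1, "user", "additional_auth_success_rate", ">=", 0.8, +1),
    ReliabilityRule(2, "user", "auth_success_rate", ">=", 0.9, +2),
    ReliabilityRule(3, "user", "blacklist_match_count", ">=", 1, -1),
    ReliabilityRule(4, "user", "training_mail_unopened_rate", ">=", 0.5, -2),
    ReliabilityRule(5, "user", "business_hours_comm_rate", ">=", 0.9, +3),
    ReliabilityRule(6, "user", "business_content", "==", "external_transfer", -3),
    ReliabilityRule(7, "user", "malware_infection_count", ">=", 1, -4),
    ReliabilityRule(8, "user", "specific_user", "==", True, +4),
]

# Constructed observation for one user: rules 1, 2 and 5 fire (+6), rule 3 fires (-1).
SAMPLE_USER = {
    "additional_auth_success_rate": 0.9,
    "auth_success_rate": 0.95,
    "blacklist_match_count": 1,
    "training_mail_unopened_rate": 0.2,
    "business_hours_comm_rate": 0.95,
    "business_content": "internal",
    "malware_infection_count": 0,
    "specific_user": False,
}

if __name__ == "__main__":
    print(raw_score(USER_RULES, "user", SAMPLE_USER))    # +5
    print(score_bounds(USER_RULES, "user"))              # (-10, 10)
    print(reliability(USER_RULES, "user", SAMPLE_USER))  # 0.75
```

A user for whom no rule fires lands at exactly 0.5, which is the midpoint the gray list also starts new destinations at; the bounds are computed from the table rather than hard-coded so that adding or re-weighting rules (which the page allows the administrator to do) cannot push a stored reliability outside 0..1.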
The communication control program 108 starts the list update program 111, updates the gray list 115, the black list 116, and the white list 117, and ends the processing (step 713). The processing of the list update program 111 is described later with reference to FIG. 8.
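The decision path of steps 702 to 711 (authentication, then black list, white list and gray list lookup in that order, then additional authentication for gray destinations), as an added example in Python that is not the patent's own code. The authentication program 109 and the additional authentication program 110 (CAPTCHA) are stood in for by injected callables so the flow runs offline; the `failures` counter on a gray entry is added bookkeeping (an assumption) so that the additional authentication failure rate 404 can be recomputed as failures divided by the communication count. Steps 712 and 713 (reliability and list updates) are left to the separate programs the page describes.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict


@dataclass
class ListEntry:
    """One row of the black list 116 or white list 117; the dict key serves as the ID column."""
    host: str
    count: int = 0       # communication count 503 / 603
    score: float = 0.5   # score 504 / 604


@dataclass
class GrayEntry(ListEntry):
    """One row of the gray list 115. `failures` is added bookkeeping (assumption)
    so that failure_rate (additional authentication failure rate 404) can be recomputed."""
    failures: int = 0
    failure_rate: float = 0.0


@dataclass
class ControlDevice:
    blacklist: Dict[str, ListEntry] = field(default_factory=dict)
    whitelist: Dict[str, ListEntry] = field(default_factory=dict)
    graylist: Dict[str, GrayEntry] = field(default_factory=dict)

    def control(self, dest: str, authenticate: Callable[[], bool],
                additional_auth: Callable[[], bool]) -> str:
        """Steps 702-711 of FIG. 7 for one communication to `dest`.
        Returns "allow:<reason>" or "block:<reason>"."""
        if not authenticate():                    # steps 702/703 -> 710
            return "block:auth_failed"
        if dest in self.blacklist:                # step 704 -> 710
            self.blacklist[dest].count += 1
            return "block:blacklist"
        if dest in self.whitelist:                # step 705 -> 711
            self.whitelist[dest].count += 1
            return "allow:whitelist"
        entry = self.graylist.get(dest)           # step 706
        if entry is None:                         # step 707: new entry, count 1, rate 0, score 0.5
            entry = GrayEntry(host=dest, count=0, score=0.5)
            self.graylist[dest] = entry
        entry.count += 1
        if additional_auth():                     # steps 708/709 -> 711
            entry.failure_rate = entry.failures / entry.count
            return "allow:graylist_additional_auth"
        entry.failures += 1                       # step 709 failed: update rate, then 710
        entry.failure_rate = entry.failures / entry.count
        return "block:graylist_additional_auth_failed"


if __name__ == "__main__":
    # Constructed lists mirroring the page's FIG. 5 and FIG. 6 examples.
    device = ControlDevice()
    device.blacklist["black.com"] = ListEntry("black.com", count=100, score=0.99)
    device.whitelist["white.com"] = ListEntry("white.com", count=1000, score=0.99)
    human = lambda: True    # CAPTCHA solved
    bot = lambda: False     # CAPTCHA not solved
    print(device.control("white.com", authenticate=human, additional_auth=human))
    print(device.control("black.com", authenticate=human, additional_auth=human))
    print(device.control("unknown.example", authenticate=human, additional_auth=bot))
    print(device.graylist["unknown.example"])
```

Because the black list is consulted before the white list, a destination that appears on both is blocked; and because additional authentication is only reached for gray destinations, a white-listed destination never shows the user a CAPTCHA, which is what keeps the confirmation step from becoming a nuisance for routine business traffic.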
FIG. 8 is a flowchart showing the processing of the list update program 111, which updates the gray list 115, the black list 116, and the white list 117. As shown in FIG. 8, the list update program 111 is executed by the CPU 103 and starts processing when it receives the communication destination information of the terminal 118 from the communication control program 108 (step 801).
The list update program 111 compares the communication destination information with the connection destinations 402 of the gray list 115; if a matching connection destination 402 exists, it proceeds to step 803, and if none exists, it proceeds to step 808 (step 802).
The list update program 111 updates the score 405 of the gray list 115 (step 803). A predetermined procedure is used to update the score 405. In this procedure, for example, the reliability 304 of the user 119 who performed the communication and the reliability 304 of the terminal that performed the communication are first added together, and the sum is divided by a predetermined value (for example, 200); the result is referred to below as the communication reliability. If additional authentication succeeded in step 709, the communication reliability is subtracted from the score 405 and the result is stored in the score 405 of the gray list 115 as the updated score. If additional authentication failed in step 709, the communication reliability is added to the score 405 and the result is stored in the score 405 of the gray list 115 as the updated score. If the score 405 would become smaller than 0 it is corrected to 0, and if it would become larger than 1 it is corrected to 1.
In the above procedure, the score 405 of the gray list 115 falls (the degree of suspicion decreases) if the additional authentication in step 709 succeeded and rises (the degree of suspicion increases) if it failed; furthermore, the higher the reliability of the terminal 118 or the user 119, the larger the rise or fall, and the lower the reliability of the terminal 118 or the user 119, the smaller the rise or fall. This procedure makes it possible to update the score 405 in accordance with the reliability of the terminal 118 or the user 119.
If the communication count 403 in the gray list 115 is at or above a certain threshold (for example, 100) and the score 405 updated in step 803 is at or above a certain threshold (for example, 0.9), the list update program 111 proceeds to step 806; if the communication count 403 in the gray list 115 is below that threshold (for example, 100) or the score 405 updated in step 803 is below that threshold (for example, 0.9), it proceeds to step 805 (step 804).
If the communication count 403 in the gray list 115 is at or above a certain threshold (for example, 100) and the score 405 updated in step 803 is at or below a certain threshold (for example, 0.1), the list update program 111 proceeds to step 807; if the communication count 403 in the gray list 115 is below that threshold (for example, 100) or the score 405 updated in step 803 is above that threshold (for example, 0.1), it ends the processing (step 805).
The list update program 111 moves the gray list entry whose connection destination 402 matches the communication destination information to the black list 116 and ends the processing (step 806). When moving the entry to the black list 116, it stores an ID not already present in the black list 116 in the ID 501, the communication destination information in the connection destination 502, "1" in the communication count 503, and "0.5" in the score 504.
The list update program 111 moves the gray list entry whose connection destination 402 matches the communication destination information to the white list 117 and ends the processing (step 807). When moving the entry to the white list 117, it stores an ID not already present in the white list 117 in the ID 601, the communication destination information in the connection destination 602, "1" in the communication count 603, and "0.5" in the score 604.
The list update program 111 compares the communication destination information with the connection destinations 602 of the white list 117; if a matching connection destination 602 exists, it proceeds to step 810, and if none exists, it proceeds to step 809 (step 808).
The list update program 111 updates the score 504 of the black list 116 (step 809). A predetermined procedure is used to update the score 504. In this procedure, for example, the communication reliability is first calculated. If authentication succeeded in step 703, the communication reliability is subtracted from the score 504 and the result is stored in the score 504 of the black list 116 as the updated score. If authentication failed in step 703, the communication reliability is added to the score 504 and the result is stored in the score 504 of the black list 116 as the updated score. If the score 504 would become smaller than 0 it is corrected to 0, and if it would become larger than 1 it is corrected to 1.
 なお、上記処理は、ステップ703の認証に成功していればブラックリスト116のスコア504が下降(危険度が減少)し、ステップ703の認証に失敗していればブラックリスト116のスコア504が上昇(危険度が増加)することを表し、さらに、端末118またはユーザ119の信頼度が高いほど、上昇または下降の度合が大きく、端末118またはユーザ119の信頼度が低いほど、上昇または下降の度合が小さくなることを表す。本処理により、端末118またはユーザ119の信頼度に応じたスコア504の更新が可能となる。 In the above process, if the authentication in step 703 is successful, the score 504 of the black list 116 decreases (risk level decreases), and if the authentication in step 703 fails, the score 504 of the black list 116 increases. Furthermore, the higher the reliability of the terminal 118 or the user 119, the higher the degree of increase or decrease, and the lower the reliability of the terminal 118 or the user 119, the higher the degree of increase or decrease. Indicates that becomes smaller. With this processing, the score 504 can be updated according to the reliability of the terminal 118 or the user 119.
 リスト更新プログラム111は、ホワイトリスト117のスコア604を更新する(ステップ810)。なお、スコア604の更新には、所定の処理を用いる。所定の処理は、例えば、まず、通信信頼度を算出する。ステップ703で認証に成功している場合は、スコア604に通信信頼度を加算した値を更新後のスコアとしてホワイトリスト117のスコア604に格納する。ステップ703で認証に失敗している場合は、スコア604から通信信頼度を減算した値を更新後のスコアとしてホワイトリスト117のスコア604に格納する。なお、スコア604が0より小さくなる場合は、スコア604を0に、スコア604が1より大きくなる場合は、スコア604を1に補正する。 The list update program 111 updates the score 604 of the white list 117 (step 810). A predetermined process is used for updating the score 604. In the predetermined process, for example, first, communication reliability is calculated. If authentication is successful in step 703, a value obtained by adding the communication reliability to the score 604 is stored in the score 604 of the white list 117 as an updated score. If authentication fails in step 703, a value obtained by subtracting the communication reliability from the score 604 is stored in the score 604 of the white list 117 as an updated score. When the score 604 is smaller than 0, the score 604 is corrected to 0, and when the score 604 is larger than 1, the score 604 is corrected to 1.
 なお、上記処理は、ステップ703の認証に成功していればホワイトリスト117のスコア604が上昇(安全度が増加)し、ステップ703の認証に失敗していればホワイトリスト117のスコア604が下降(安全度が低下)することを表し、さらに、端末118またはユーザ119の信頼度が高いほど、上昇または下降の度合が大きく、端末118またはユーザ119の信頼度が低いほど、上昇または下降の度合が小さくなることを表す。本処理により、端末118またはユーザ119の信頼度に応じたスコア604の更新が可能となる。 In the above process, if the authentication in step 703 is successful, the score 604 of the white list 117 increases (the degree of safety increases), and if the authentication in step 703 fails, the score 604 of the white list 117 decreases. Further, the higher the reliability of the terminal 118 or the user 119, the higher the degree of increase or decrease, and the lower the reliability of the terminal 118 or the user 119, the higher the degree of increase or decrease. Indicates that becomes smaller. With this process, the score 604 can be updated according to the reliability of the terminal 118 or the user 119.
 リスト更新プログラム111は、ブラックリスト116の通信回数503がある閾値(例えば100)以上で、かつ、ステップ809で更新したスコア504がある閾値(例えば0.3)以下であればステップ813に進み、ブラックリスト116の通信回数503がある閾値(例えば100)未満、あるいは、ステップ809で更新したスコア504がある閾値(例えば0.3)より大きければ処理を終了する(ステップ811)。 The list update program 111 proceeds to step 813 if the communication count 503 of the black list 116 is equal to or greater than a certain threshold (for example, 100) and the score 504 updated in step 809 is equal to or smaller than the certain threshold (for example, 0.3). If the number of times of communication 503 in the black list 116 is less than a certain threshold value (for example, 100) or the score 504 updated in step 809 is larger than a certain threshold value (for example, 0.3), the process ends (step 811).
 リスト更新プログラム111は、ホワイトリスト117の通信回数603がある閾値(例えば100)以上で、かつ、ステップ810で更新したスコア604がある閾値(例えば0.3)以下であればステップ813に進み、ホワイトリスト117の通信回数603がある閾値(例えば100)未満、あるいは、ステップ810で更新したスコア604がある閾値(例えば0.3)より大きければ処理を終了する(ステップ812)。 The list update program 111 proceeds to step 813 if the communication count 603 of the white list 117 is equal to or greater than a certain threshold (for example, 100) and the score 604 updated in step 810 is equal to or smaller than a certain threshold (for example, 0.3). If the number of times of communication 603 in the white list 117 is less than a certain threshold value (for example, 100) or the score 604 updated in step 810 is larger than a certain threshold value (for example, 0.3), the process is terminated (step 812).
 リスト更新プログラム111は、ステップ811またはステップ812で該当した、ブラックリスト116またはホワイトリスト117の情報をグレーリスト115へ移行し、処理を終了する(ステップ813)。この時、ID401には、グレーリスト115に存在しないIDを、接続先402には通信先の情報を、通信回数403には「1」を、認証失敗割合404には「0」を、スコア405には「0.5」を格納する。 The list update program 111 shifts the information of the black list 116 or the white list 117, which corresponds in step 811 or step 812, to the gray list 115, and ends the processing (step 813). At this time, the ID 401 does not exist in the gray list 115, the connection destination 402 has communication destination information, the communication count 403 has “1”, the authentication failure rate 404 has “0”, and the score 405. Stores “0.5”.
FIG. 9 is an example of the additional authentication screen displayed by the additional authentication program 110. As shown in FIG. 9, the additional authentication screen consists of a text warning the user 119 (901 in the figure), the communication destination (902), an image composed of distorted letters and digits (903), a field for entering the character string read from the image (904), and a send button for submitting the entered information (905). Whether or not these distorted letters and digits can be read is used to distinguish a human from malware (a machine).
The flow of steps 701 to 713, including steps 801 to 813, is described below with a concrete example. Suppose that "user A" communicates with "example.com" using "terminal A".
The communication control program 108 is executed by the CPU 103 and receives the communication from "terminal A" 118a via the IF 102a (step 701).
The communication control program 108 executes the authentication program 109 and authenticates "user A" 119a, who is using "terminal A" 118a (step 702). Here, "user A" 119a is assumed to have entered the correct combination of user name and password.
The communication control program 108 obtains the authentication result from the authentication program 109; if the authentication succeeded it proceeds to step 704, and if it failed it proceeds to step 710 (step 703). Here "user A" 119a is authenticated successfully, so the process proceeds to step 704.
The communication control program 108 compares the communication destination with the connection destinations 502 of the black list 116. If a matching connection destination 502 exists, it increments the communication count 503 of that entry by 1 and proceeds to step 710; otherwise it proceeds to step 705 (step 704). Here the communication destination "example.com" is not in the black list 116, so the process proceeds to step 705.
The communication control program 108 compares the communication destination with the connection destinations 602 of the white list 117. If a matching connection destination 602 exists, it increments the communication count 603 of that entry by 1 and proceeds to step 711; otherwise it proceeds to step 706 (step 705). Here the communication destination "example.com" is not in the white list 117, so the process proceeds to step 706.
The communication control program 108 compares the communication destination with the connection destinations 402 of the gray list 115. If a matching connection destination 402 exists, it increments the communication count 403 of that entry by 1 and proceeds to step 708; otherwise it proceeds to step 707 (step 706). Here the communication destination "example.com" matches the gray list entry with ID 401 "1", connection destination 402 "example.com", communication count 403 "1000", additional-authentication failure ratio 404 "0.1", and score 405 "0.4", so the communication count 403 is incremented by 1 and the process proceeds to step 708. This makes the communication count 403 "1001", but for simplicity the following description treats the communication count 403 as "1000".
The communication control program 108 executes the additional authentication program 110 and performs additional authentication of "user A" 119a, who is using "terminal A" 118a (step 708). At this time the additional authentication screen of FIG. 9 is displayed on the screen of "terminal A" 118a. Here, "user A" 119a is assumed to read the distorted character string correctly and press the send button.
The communication control program 108 obtains the authentication result from the additional authentication program 110. If the authentication succeeded it proceeds to step 711; if it failed, it updates the additional-authentication failure ratio 404 of the connection destination 402 matching the communication destination and then proceeds to step 710 (step 709). Here "user A" 119a passes the authentication, so the process proceeds to step 711.
The communication control program 108 permits the communication to the connection destination and proceeds to step 712 (step 711). "User A" 119a now communicates with the communication destination "example.com".
The communication control program 108 starts the reliability update program 112 and updates the reliability data 114 of "user A" 119a and "terminal A" 118a (step 712). Here, "user A" 119a is assumed to match the reliability calculation rules with ID 201 "1", "2", "6", and "8", and "terminal A" 118a to match the rules with ID 201 "9" and "10". The reliability of "user A" 119a is then ((+1+1+1+5) - (-10)) / (+10 - (-10)) = "0.9", and the reliability of "terminal A" 118a is ((+1+1) - (-10)) / (+5 - (-10)) = "0.8".
The communication control program 108 starts the list update program 111 and updates the gray list 115, the black list 116, and the white list 117 (step 713).
The list update program 111 is executed by the CPU 103 and receives the communication destination "example.com" of "terminal A" 118a from the communication control program 108 (step 801).
The list update program 111 compares the communication destination with the connection destinations 402 of the gray list 115. If a matching connection destination 402 exists it proceeds to step 803; otherwise it proceeds to step 808 (step 802). Here the communication destination "example.com" matches the gray list entry with ID 401 "1", connection destination 402 "example.com", communication count 403 "1000", additional-authentication failure ratio 404 "0.1", and score 405 "0.4", so the process proceeds to step 803.
The list update program 111 updates the score 405 of the gray list 115 (step 803). Here the communication reliability is (0.9 + 0.8) / 200 = "0.0085", so the score becomes 0.4 + 0.0085 = "0.4085".
The list update program 111 proceeds to step 806 if the communication count 403 of the gray list 115 is at or above a threshold (for example, 100) and the score 405 updated in step 803 is at or above a threshold (for example, 0.9); if the communication count 403 is below the threshold (for example, 100) or the updated score 405 is below the threshold (for example, 0.9), it proceeds to step 805 (step 804). Here the communication count 403 is "1000" and the updated score 405 is "0.4085", so the process proceeds to step 805.
The list update program 111 proceeds to step 807 if the communication count 403 of the gray list 115 is at or above a threshold (for example, 100) and the score 405 updated in step 803 is at or below a threshold (for example, 0.1); if the communication count 403 is below the threshold (for example, 100) or the updated score 405 is above the threshold (for example, 0.1), it ends the process (step 805). Here the communication count 403 is "1000" and the updated score 405 is "0.4085", so the process ends.
Next, suppose that "malware" that has infected "terminal B" communicates with "malware.com". This "malware" is assumed to steal the authentication information of user B stored on "terminal B" and to pass authentication with it.
The communication control program 108 is executed by the CPU 103 and receives the communication from "terminal B" 118b via the IF 102a (step 701).
The communication control program 108 executes the authentication program 109 and authenticates the "malware" using "terminal B" 118b (step 702). Here, the "malware" is assumed to have stolen and entered the correct user name and password combination of "user B" 119b.
The communication control program 108 obtains the authentication result from the authentication program 109; if the authentication succeeded it proceeds to step 704, and if it failed it proceeds to step 710 (step 703). Here the "malware" is authenticated successfully, so the process proceeds to step 704.
The communication control program 108 compares the communication destination with the connection destinations 502 of the black list 116. If a matching connection destination 502 exists, it increments the communication count 503 of that entry by 1 and proceeds to step 710; otherwise it proceeds to step 705 (step 704). Here the communication destination "malware.com" is not in the black list 116, so the process proceeds to step 705.
The communication control program 108 compares the communication destination with the connection destinations 602 of the white list 117. If a matching connection destination 602 exists, it increments the communication count 603 of that entry by 1 and proceeds to step 711; otherwise it proceeds to step 706 (step 705). Here the communication destination "malware.com" is not in the white list 117, so the process proceeds to step 706.
The communication control program 108 compares the communication destination with the connection destinations 402 of the gray list 115. If a matching connection destination 402 exists, it increments the communication count 403 of that entry by 1 and proceeds to step 708; otherwise it proceeds to step 707 (step 706). Here the communication destination "malware.com" matches the gray list entry with ID 401 "2", connection destination 402 "malware.com", communication count 403 "50", additional-authentication failure ratio 404 "0.9", and score 405 "0.895", so the communication count 403 is incremented by 1 and the process proceeds to step 708. This makes the communication count 403 "51", but for simplicity the following description treats the communication count 403 as "50".
The communication control program 108 executes the additional authentication program 110 and performs additional authentication of the "malware" using "terminal B" 118b (step 708). At this time the additional authentication screen of FIG. 9 is displayed on the screen of "terminal B" 118b. Here, the "malware" is assumed to be unable to read the distorted character string and to fail the additional authentication.
The communication control program 108 obtains the authentication result from the additional authentication program 110. If the authentication succeeded it proceeds to step 711; if it failed, it updates the additional-authentication failure ratio 404 of the connection destination 402 matching the communication destination and then proceeds to step 710 (step 709). Here the "malware" fails the authentication, so the additional-authentication failure ratio 404 is updated and the process proceeds to step 710.
The communication control program 108 blocks the communication to the connection destination and proceeds to step 712 (step 710). The "malware" thus fails to communicate with the communication destination "malware.com".
The communication control program 108 starts the reliability update program 112 and updates the reliability data 114 of "user B" 119b and "terminal B" 118b (step 712). Although it is the "malware" that is actually communicating, the communication control program 108 updates the reliability of the user whose credentials were entered into the authentication program 109 (in this case user B 119b). Here, "user B" 119b is assumed to match the reliability calculation rules with ID 201 "3", "4", "5", and "6", and "terminal B" 118b to match the rules with ID 201 "11", "13", and "16". The reliability of "user B" 119b is then ((-5+1+1+1) - (-10)) / (+10 - (-10)) = "0.4", and the reliability of "terminal B" 118b is ((-3+2+1) - (-10)) / (+5 - (-10)) = "0.67".
The communication control program 108 starts the list update program 111 and updates the gray list 115, the black list 116, and the white list 117 (step 713).
The list update program 111 is executed by the CPU 103 and receives the communication destination "malware.com" of "terminal B" 118b from the communication control program 108 (step 801).
The list update program 111 compares the communication destination with the connection destinations 402 of the gray list 115. If a matching connection destination 402 exists it proceeds to step 803; otherwise it proceeds to step 808 (step 802). Here the communication destination "malware.com" matches the gray list entry with ID 401 "2", connection destination 402 "malware.com", communication count 403 "50", additional-authentication failure ratio 404 "0.9", and score 405 "0.895", so the process proceeds to step 803.
The list update program 111 updates the score 405 of the gray list 115 (step 803). Here the communication reliability is (0.4 + 0.67) / 200 = "0.00535", so the score becomes 0.895 + 0.00535 = "0.90035".
The list update program 111 proceeds to step 806 if the communication count 403 of the gray list 115 is at or above a threshold (for example, 100) and the score 405 updated in step 803 is at or above a threshold (for example, 0.9); if the communication count 403 is below the threshold (for example, 100) or the updated score 405 is below the threshold (for example, 0.9), it proceeds to step 805 (step 804). Here the communication count 403 is "100" and the updated score 405 is "0.90035", so the process proceeds to step 806.
The list update program 111 moves the gray list entry whose connection destination 402 matches the communication destination to the black list 116 and ends the process (step 806). Here the communication destination "malware.com" matches the entry with ID 401 "2" and connection destination 402 "malware.com", so the gray list entry with ID 401 "2" is deleted, and a black list 116 entry with ID 501 "3" is created with "malware.com" in connection destination 502, "1" in communication count 503, and "0.5" in score 504; the process then ends.
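The list maintenance procedure of steps 801 to 813 and the two walk-throughs above can be expressed compactly in code. The following Python is an added example written for this page, not code from the patent or its assignee. It uses the thresholds and formulas the page states (communication count threshold 100, gray-list limits 0.9 and 0.1, return-to-gray limit 0.3, reliability = (sum of matched weights - minimum total) / (maximum total - minimum total), communication reliability = (user reliability + terminal reliability) / 200), and adds the control decision of steps 704 to 707 and 709 on the same list store. The rule-weight values and ranges, the list contents, the running-mean update of the failure ratio, and all class and function names are constructed assumptions; the page does not define the rule that fixes the sign of the step 803 update, so the example follows both walk-throughs literally and adds the communication reliability to the gray score.

```python
"""Gray/black/white list control (steps 704-711) and maintenance (steps 801-813).
Added example modelled on the patent text, not the patent's own code. Thresholds
and formulas are those the page states; rule weights, list contents and all
names are constructed so that the page's two walk-throughs can be replayed."""
from dataclasses import dataclass

COUNT_THRESHOLD = 100  # communications needed before an entry may change list
GRAY_TO_BLACK = 0.9    # step 804: gray score >= this -> black list
GRAY_TO_WHITE = 0.1    # step 805: gray score <= this -> white list
BACK_TO_GRAY = 0.3     # steps 811/812: black or white score <= this -> gray list
BLOCK, ALLOW, CHALLENGE = "block", "allow", "additional-auth"


def reliability(matched_weights, min_total, max_total):
    """Step 712: summed rule weights normalised to [0, 1] (page's formula)."""
    return (sum(matched_weights) - min_total) / (max_total - min_total)


def communication_reliability(user_rel, terminal_rel):
    """Step size used by steps 803/809/810 (page's formula; at most 0.01)."""
    return (user_rel + terminal_rel) / 200


def clamp01(x):
    return min(1.0, max(0.0, x))


@dataclass
class Entry:
    dest: str
    count: int = 1
    score: float = 0.5
    fail_ratio: float = 0.0  # additional-authentication failure ratio (gray list)


class ListStore:
    def __init__(self):
        self.gray, self.black, self.white = {}, {}, {}

    def decide(self, dest):
        """Steps 704-707: black -> block, white -> allow, gray -> challenge; a hit
        increments the entry's count, an unknown destination joins the gray list."""
        for lst, verdict in ((self.black, BLOCK), (self.white, ALLOW), (self.gray, CHALLENGE)):
            if dest in lst:
                lst[dest].count += 1
                return verdict
        self.gray[dest] = Entry(dest)
        return CHALLENGE

    def record_challenge(self, dest, passed):
        """Step 709: fold the CAPTCHA result into the gray-list failure ratio
        (running mean; an assumption, the page gives no formula) and allow/block."""
        e = self.gray[dest]
        e.fail_ratio += ((0.0 if passed else 1.0) - e.fail_ratio) / e.count
        return ALLOW if passed else BLOCK

    def _move(self, src, dst, dest):
        """Steps 806/807/813: re-register with count 1, score 0.5, fail ratio 0."""
        del src[dest]
        dst[dest] = Entry(dest)

    def update(self, dest, primary_auth_ok, user_rel, terminal_rel):
        """Steps 801-813 for one communication to dest; primary_auth_ok is step 703."""
        step = communication_reliability(user_rel, terminal_rel)
        if dest in self.gray:                                              # step 802
            e = self.gray[dest]
            # Step 803: both walk-throughs on the page add the step to the gray
            # score; the rule that fixes its sign lies outside this excerpt.
            e.score = clamp01(e.score + step)
            if e.count >= COUNT_THRESHOLD and e.score >= GRAY_TO_BLACK:      # step 804
                self._move(self.gray, self.black, dest)                      # step 806
            elif e.count >= COUNT_THRESHOLD and e.score <= GRAY_TO_WHITE:    # step 805
                self._move(self.gray, self.white, dest)                      # step 807
        elif dest in self.white:                                           # step 808
            e = self.white[dest]
            e.score = clamp01(e.score + step if primary_auth_ok else e.score - step)  # 810
            if e.count >= COUNT_THRESHOLD and e.score <= BACK_TO_GRAY:       # step 812
                self._move(self.white, self.gray, dest)                      # step 813
        elif dest in self.black:
            e = self.black[dest]
            e.score = clamp01(e.score - step if primary_auth_ok else e.score + step)  # 809
            if e.count >= COUNT_THRESHOLD and e.score <= BACK_TO_GRAY:       # step 811
                self._move(self.black, self.gray, dest)                      # step 813


def run_walkthroughs():
    """Replays the page's two scenarios on constructed list contents."""
    store = ListStore()
    store.gray["example.com"] = Entry("example.com", count=1000, score=0.4, fail_ratio=0.1)
    # Page gives this count as 50 at step 706 and 100 at step 804; the move needs 100.
    store.gray["malware.com"] = Entry("malware.com", count=100, score=0.895, fail_ratio=0.9)
    # User A on terminal A: matched rule weights and weight ranges from the page.
    user_a = reliability([+1, +1, +1, +5], -10, +10)  # 0.9
    term_a = reliability([+1, +1], -10, +5)           # 0.8
    store.decide("example.com")                       # gray -> challenge, count 1001
    store.record_challenge("example.com", passed=True)
    store.update("example.com", True, user_a, term_a)
    # Malware on terminal B with user B's stolen password; it fails the CAPTCHA.
    user_b = reliability([-5, +1, +1, +1], -10, +10)  # 0.4
    term_b = reliability([-3, +2, +1], -10, +5)       # 2/3
    store.decide("malware.com")
    store.record_challenge("malware.com", passed=False)
    store.update("malware.com", True, user_b, term_b)
    return store
```

Running run_walkthroughs() leaves example.com on the gray list with score 0.4085 and moves malware.com to the black list with count 1 and score 0.5, as in the text. With the unrounded terminal reliability 2/3 the second communication reliability is about 0.00533 and the updated score about 0.90033; with the rounded 0.67 the page uses it is 0.00535 and 0.90035. Either way it clears the 0.9 threshold. Note that the per-communication step is at most 0.01, so a destination needs many observed communications (and the count threshold) before it changes list; this is what keeps a single CAPTCHA failure by a legitimate user from blacklisting a business destination.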
As described above, this embodiment uses feedback from the user to perform unauthorized communication control that blocks communication by malware while permitting communication that affects business.
 なお、本実施例の一部を変更して、次のように実施しても良い。グレーリスト115や、ブラックリスト116、ホワイトリスト117の接続先の代わりにUser-Agentの情報を用いてもよい。マルウェアは特殊なUser-Agentを利用する場合があり、不審なUser-Agentからの通信を制御することで、マルウェアの通信を制御することが可能となる。 It should be noted that a part of this embodiment may be changed and implemented as follows. User-Agent information may be used instead of the connection destinations of the gray list 115, the black list 116, and the white list 117. Malware may use a special User-Agent. By controlling communication from a suspicious User-Agent, it becomes possible to control communication of the malware.
 Connection destinations that have not been observed for a predetermined period (for example, one month) may also be deleted from the gray list 115, the black list 116 and the white list 117. This keeps the lists from growing without bound.
 The gray list 115 may also hold lists of suspicious connection destinations published by external organizations. Such lists may contain destinations that are in fact safe, so blocking them immediately could disrupt business. Holding them in the gray list 115 instead makes it possible to control malware communication while still permitting business communication. Connection destinations observed during dynamic analysis of malware, and destinations rated dangerous by a URL reputation site, may likewise be stored in the gray list 115.
 Additional authentication may use a method other than CAPTCHA, for example pressing a button shown on a confirmation screen, entering a character string displayed in a video, entering a character string read out as audio, or entering a password different from the one used at the initial authentication.
 The additional authentication method may also be chosen according to the score 405 of the gray list 115, and when the score 405 is high several additional authentication steps may be required. This increases the burden on the user but lowers the probability that malware gets its communication through.
 Connections registered in the black list 116 may also be controlled by a security product such as a firewall (FW).
 Information about the connection destination may also be used to update the score 405 of the gray list 115, for example the URL reputation of the destination, the time elapsed since a security incident at the destination, or the number of executable files hosted at the destination.
 An agent may also be installed on the terminal 118 to collect information about the process performing the communication, and a gray list of processes may be built from it. This makes it possible to control communication originating from a suspicious process.
 The time taken to complete the additional authentication may also be used to update the score 405 of the gray list 115. Algorithms that solve CAPTCHAs exist, and malware that implements one may pass the additional authentication. For example, if a CAPTCHA is completed in less than one second, the completion is treated as malware breaking the CAPTCHA even though the authentication succeeded, and the suspicion degree in the gray list is increased. This improves the accuracy of the gray list 115.
 Additional authentication may also be imposed on a terminal 118 or a user 119 whose reliability is low. In this embodiment the reliability of the terminal 118 and of the user 119 can be evaluated from the success or failure of additional authentication, and that evaluation can be used to control the communication of terminals 118 and users 119 with low reliability.
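The list-management logic described in the variants above (expiry of unobserved destinations, a score-dependent number of additional authentication steps, treating a sub-second CAPTCHA completion as automated, and weighting the gray-list update by terminal and user reliability, as in claims 2 to 4) can be written out as follows. This is an added example and not code from the patent: the class and function names, the thresholds 80 and 20, the reliability scale 0 to 100, the score deltas and the sample destinations are assumptions chosen for illustration; only the one-second and one-month figures come from the text.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed parameters (the patent gives only the 1 s and 1 month figures).
BLACKLIST_THRESHOLD = 80        # suspicion degree above this: manage as black list
WHITELIST_THRESHOLD = 20        # suspicion degree below this: manage as white list
FAST_SOLVE_SECONDS = 1.0        # a CAPTCHA completed faster than this is treated as automated
RETENTION = timedelta(days=30)  # entries not observed for this long are dropped
DEFAULT_TRUST = 50              # initial reliability of an unknown terminal or user (0..100)


@dataclass
class AuthResult:
    """Outcome of one additional-authentication challenge (hypothetical record type)."""
    destination: str
    terminal: str
    user: str
    passed: bool
    elapsed_seconds: float
    at: datetime
    reported: bool = False      # user pressed the report button (Embodiment 2)


class ListManager:
    """Gray / black / white lists plus terminal and user reliability."""

    def __init__(self):
        self.gray = {}            # destination -> {"score": int, "last_seen": datetime}
        self.black = {}           # destination -> last_seen
        self.white = {}           # destination -> last_seen
        self.terminal_trust = {}  # terminal id -> reliability 0..100
        self.user_trust = {}      # user id -> reliability 0..100

    def add_gray(self, destination, score, at):
        self.gray[destination] = {"score": score, "last_seen": at}

    def decide(self, destination):
        """Action for a connection request: DENY, ALLOW or CHALLENGE (additional authentication)."""
        if destination in self.black:
            return "DENY"
        if destination in self.white:
            return "ALLOW"
        if destination in self.gray:
            return "CHALLENGE"
        return "ALLOW"  # assumption: unlisted destinations are not challenged

    def challenge_factors(self, destination):
        """Number of additional-authentication steps to demand; more for a higher score."""
        return 2 if self.gray[destination]["score"] >= 60 else 1

    @staticmethod
    def _clamp(value):
        return max(0, min(100, value))

    def record(self, result):
        """Update the suspicion degree and the reliabilities from one challenge outcome.

        Returns the list the destination ends up in, or None if it was not gray-listed.
        """
        entry = self.gray.get(result.destination)
        if entry is None:
            return None
        entry["last_seen"] = result.at
        automated = result.passed and result.elapsed_seconds < FAST_SOLVE_SECONDS
        t_trust = self.terminal_trust.get(result.terminal, DEFAULT_TRUST)
        u_trust = self.user_trust.get(result.user, DEFAULT_TRUST)
        if result.reported:
            delta = 40            # the user judged the destination dangerous
        elif automated:
            delta = 30            # "passed" too fast: a CAPTCHA solver, not a person
        elif not result.passed:
            delta = 20
        else:
            # A genuine pass lowers suspicion, but only in proportion to how
            # reliable the terminal and the user are (claims 2 and 3).
            delta = -(10 * ((t_trust + u_trust) // 2) // 100)
        entry["score"] = self._clamp(entry["score"] + delta)
        # A human pass raises reliability; a failure or an automated pass lowers it.
        step = 5 if (result.passed and not automated) else -10
        self.terminal_trust[result.terminal] = self._clamp(t_trust + step)
        self.user_trust[result.user] = self._clamp(u_trust + step)
        return self._promote(result.destination, result.at)

    def _promote(self, destination, at):
        """Claim 4: move the destination to the black or white list past the thresholds."""
        score = self.gray[destination]["score"]
        if score > BLACKLIST_THRESHOLD:
            del self.gray[destination]
            self.black[destination] = at
            return "black"
        if score < WHITELIST_THRESHOLD:
            del self.gray[destination]
            self.white[destination] = at
            return "white"
        return "gray"

    def expire(self, now):
        """Drop destinations not observed within RETENTION from all three lists."""
        removed = []
        for table in (self.gray, self.black, self.white):
            for destination in list(table):
                last = table[destination]["last_seen"] if table is self.gray else table[destination]
                if now - last > RETENTION:
                    del table[destination]
                    removed.append(destination)
        return removed


def run_demo():
    """Constructed scenario: two gray-listed destinations and one stale entry."""
    t0 = datetime(2015, 10, 23, 9, 0)
    m = ListManager()
    m.add_gray("203.0.113.10", 50, t0)                             # constructed (TEST-NET address)
    m.add_gray("files.example.net", 50, t0)                        # constructed
    m.add_gray("stale.example.org", 50, t0 - timedelta(days=45))   # constructed, last seen 45 days ago
    out = {}
    # CAPTCHA "solved" in 0.3 s from pc-01: treated as automated, score 50 -> 80 (still gray)
    out["after_fast_pass"] = m.record(AuthResult("203.0.113.10", "pc-01", "alice", True, 0.3, t0))
    out["factors"] = m.challenge_factors("203.0.113.10")           # score 80 now demands 2 steps
    # the second challenge fails: score 80 -> 100, black-listed
    out["after_failure"] = m.record(AuthResult("203.0.113.10", "pc-01", "alice", False, 12.0,
                                               t0 + timedelta(minutes=1)))
    # bob passes six human-paced challenges; each pass lowers the score a little more as his
    # and pc-02's reliability grows (50 -> 45 -> 40 -> 34 -> 28 -> 21 -> 14), then white-listed
    for i in range(6):
        out["bob"] = m.record(AuthResult("files.example.net", "pc-02", "bob", True, 6.0,
                                         t0 + timedelta(hours=i)))
    out["decisions"] = {d: m.decide(d) for d in ("203.0.113.10", "files.example.net", "stale.example.org")}
    out["expired"] = m.expire(t0)
    out["trust"] = (m.terminal_trust["pc-01"], m.user_trust["bob"])
    return out


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

The two things worth noting in the design are that a pass is only credited in proportion to the reliability of the endpoint that produced it, so a low-reliability terminal cannot launder a destination into the white list by repeatedly answering challenges, and that a sub-second "success" is scored as worse than a failure, because it is evidence of an automated solver rather than of a person.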
 This embodiment is an unauthorized communication control device that includes the unauthorized communication control device 101 of Embodiment 1 and additionally acquires and analyzes information about the connection destination, presenting it as auxiliary information during additional authentication.
 In Embodiment 1, the additional authentication screen illustrated in FIG. 9 shows only the connection destination itself, so the user 119 may find it hard to decide whether to permit the connection. Embodiment 2 therefore describes an unauthorized communication control device that supports the decision of the user 119 by displaying detailed information about the connection destination. The gray list can then be updated on the basis of a better-informed decision.
 FIG. 10 shows an example of the hardware configuration of the unauthorized communication control device in this embodiment. Components identical to those of Embodiment 1 carry the same reference numerals and are not described again; the description below concentrates on the differences from Embodiment 1.
 As shown in FIG. 10, the communication control device 1001 of Embodiment 2 consists of the unauthorized communication control device 101 of Embodiment 1 plus a communication control program 1002, an additional authentication program 1003, a connection destination acquisition program 1004 and a connection destination analysis program 1005. Embodiment 1 also has a communication control program 108 and an additional authentication program 110, but because part of their processing differs from that of the communication control program 1002 and the additional authentication program 1003 of Embodiment 2, new reference numerals are used here.
 The CPU 103 acquires the content of the connection destination by executing the connection destination acquisition program 1004 stored in the main memory 104, and analyzes the connection destination by executing the connection destination analysis program 1005.
 Each of these programs may be stored in advance in the main memory 104 or the storage device 105, or may be installed (loaded) when needed from the input/output device 106 or from another device via the IF 102.
 In addition to the flow shown in FIG. 7, the communication control program 1002 runs the connection destination acquisition program 1004 when it receives a connection request from the user. Specifically, in step 702 it runs the authentication program 109 and also the connection destination acquisition program 1004.
 The connection destination acquisition program 1004 connects, via the network 120b, to the connection destination acquired in step 701 and retrieves its content. The retrieved content is also saved as image data.
 The connection destination acquisition program 1004 then runs the connection destination analysis program 1005, which analyzes information about the connection destination, for example the country in which the destination server is located, the URL reputation result for the destination, the number of people who have connected to the destination so far, and the behavior observed on a terminal that accesses the destination.
 FIG. 11 illustrates the additional authentication screen that the additional authentication program 1003 presents to the user.
 As shown in FIG. 11, the additional authentication screen displays, in addition to the information of FIG. 9, connection destination information (1101): specifically, the image data of the connection destination (1102) captured by the connection destination acquisition program 1004 and the connection destination information (1103) produced by the connection destination analysis program 1005. With this information the user 119 can make a better-informed decision on whether to connect to the destination.
 As also shown in FIG. 11, the additional authentication screen contains a report button (1104). When the user 119 examines the connection destination information 1101 and judges the destination to be dangerous, the user presses the report button 1104. Using whether the report button (1104) was pressed as an input when updating the gray list improves the accuracy of the gray list.
 Part of this embodiment may be modified and implemented as follows. The connection destination acquisition program and the connection destination analysis program are executed on a terminal separate from the unauthorized communication control device. Because the connection destination acquisition program accesses malicious sites, it has a higher likelihood of becoming infected with malware; running these programs on a separate terminal limits the damage if such an infection occurs.
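The analysis performed by the connection destination analysis program 1005 and the assembly of the FIG. 11 screen can be illustrated with the following example. It is added here and is not the patent's code: the fetch over network 120b is replaced by constructed HTML bytes so that it runs offline, the indicators it extracts (links to executable files, off-site hosts, a meta-refresh redirect, a content hash) and the country, reputation and prior-connection inputs are assumptions, and every function and constant name is hypothetical. As the modification above recommends, the real fetcher that retrieves content from a possibly malicious site should run on an isolated host; this code only parses content it is handed, never executes or renders it, and caps the size it will parse.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed parameters.
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".msi", ".jar", ".bat", ".ps1", ".vbs", ".hta")
MAX_CONTENT_BYTES = 1_000_000   # never parse unbounded content from an untrusted site


class _LinkCollector(HTMLParser):
    """Collects hrefs, form actions and a meta-refresh target without executing anything."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.form_actions = []
        self.meta_refresh = None

    def handle_starttag(self, tag, attrs):
        a = {name: (value or "") for name, value in attrs}
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "form" and a.get("action"):
            self.form_actions.append(a["action"])
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            content = a.get("content", "")
            if "url=" in content.lower():
                self.meta_refresh = content.split("=", 1)[1].strip().strip("'\"")


def analyze_destination(url, content, country=None, reputation=None, prior_connections=0):
    """Produce the connection destination information (1103) from fetched content.

    `content` is the raw body the acquisition program retrieved; `country`,
    `reputation` and `prior_connections` come from the external sources the
    patent names (geolocation, a URL reputation site, the device's own records).
    """
    content = content[:MAX_CONTENT_BYTES]
    host = (urlsplit(url).hostname or "").lower()
    parser = _LinkCollector()
    parser.feed(content.decode("utf-8", errors="replace"))

    def host_of(link):
        return (urlsplit(link).hostname or "").lower()

    executable_links = [l for l in parser.links
                        if urlsplit(l).path.lower().endswith(EXECUTABLE_SUFFIXES)]
    external_hosts = sorted({host_of(l) for l in parser.links + parser.form_actions
                             if host_of(l) and host_of(l) != host})
    redirect_host = host_of(parser.meta_refresh) if parser.meta_refresh else ""
    return {
        "host": host,
        "country": country,
        "reputation": reputation,
        "prior_connections": prior_connections,
        "content_sha256": hashlib.sha256(content).hexdigest(),   # evidence for the report
        "executable_count": len(executable_links),
        "executable_links": executable_links,
        "external_hosts": external_hosts,
        "meta_refresh_to": parser.meta_refresh,
        "redirects_offsite": bool(redirect_host) and redirect_host != host,
    }


def build_auth_screen(url, info, screenshot_ref):
    """Assemble the FIG. 11 screen: destination, screenshot (1102), info (1103), report button (1104)."""
    warnings = []
    if info["executable_count"]:
        warnings.append(f'{info["executable_count"]} link(s) to executable files')
    if info["redirects_offsite"]:
        warnings.append(f'page redirects to {info["meta_refresh_to"]}')
    if info["reputation"] and info["reputation"] != "clean":
        warnings.append(f'URL reputation: {info["reputation"]}')
    if info["prior_connections"] == 0:
        warnings.append("no one in the organization has connected here before")
    return {
        "destination": url,
        "screenshot": screenshot_ref,
        "info": info,
        "warnings": warnings,
        "actions": ["allow", "deny", "report"],   # "report" is the report button 1104
    }


# Constructed sample page: a download site that redirects off-site and posts a form elsewhere.
SAMPLE_URL = "http://203.0.113.10/index.html"
SAMPLE_CONTENT = b"""<html><head>
<meta http-equiv="refresh" content="0; url=http://cdn.example.org/landing">
</head><body>
<a href="/downloads/update.exe">Update</a>
<a href="http://files.example.net/tool.scr">Tool</a>
<a href="http://files.example.net/readme.txt">Readme</a>
<form action="http://collector.example.org/post" method="post"></form>
</body></html>"""


def run_demo():
    info = analyze_destination(SAMPLE_URL, SAMPLE_CONTENT, country="XX",
                               reputation="suspicious", prior_connections=0)
    return build_auth_screen(SAMPLE_URL, info, screenshot_ref="shot-0001.png")


if __name__ == "__main__":
    screen = run_demo()
    print(screen["destination"], screen["warnings"])
```

The screen payload carries the raw indicators as well as the derived warnings, so that a pressed report button can be stored together with the content hash and the list of hosts the page pointed at, which is what a later review of the gray-list update will need.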
 The present invention is not limited to the embodiments described above; at the implementation stage the components may be modified without departing from the gist of the invention. Various inventions may also be formed by appropriately combining the components disclosed in the embodiments: some components may be omitted from those shown in an embodiment, and components from different embodiments may be combined.
Reference numerals: 101 unauthorized communication control device; 108 communication control program; 109 authentication program; 110 additional authentication program; 111 list update program; 112 reliability update program; 113 reliability calculation rule; 114 reliability data; 115 gray list; 116 black list; 117 white list; 118 terminal; 119 user; 121 Internet.

Claims (10)

  1.  An unauthorized communication control device that is connected, via a network, to a terminal operated by a user and to the Internet, and that controls communication from the terminal to the Internet, comprising:
     a storage unit that stores suspicious connection destinations as a gray list;
     an authentication unit that, when communication from the terminal to a connection destination matching the gray list is detected, sends a connection confirmation to the terminal;
     a control unit that controls the communication on the basis of the authentication result of the authentication unit; and
     a list update unit that updates the gray list on the basis of the authentication result of the authentication unit.
  2.  The unauthorized communication control device according to claim 1, further comprising:
     a reliability update unit that updates a reliability of the user and a reliability of the terminal on the basis of the authentication result of the authentication unit,
     wherein the list update unit updates the gray list on the basis of the authentication result of the authentication unit, the reliability of the user and the reliability of the terminal.
  3.  The unauthorized communication control device according to claim 2,
     wherein the gray list stores each suspicious connection destination together with a suspicion degree of that connection destination, and
     the list update unit updates the suspicion degree in the gray list on the basis of the authentication result of the authentication unit, the reliability of the user and the reliability of the terminal.
  4.  The unauthorized communication control device according to claim 3,
     wherein the list update unit manages a connection destination as a black list when its suspicion degree in the gray list is greater than a predetermined value, and as a white list when its suspicion degree in the gray list is smaller than a predetermined value.
  5.  The unauthorized communication control device according to claim 4,
     wherein the authentication unit uses an authentication method that distinguishes communication by a person from communication by a machine.
  6.  An unauthorized communication control method comprising:
     storing suspicious connection destinations as a gray list;
     when communication from a terminal to a connection destination matching the gray list is detected, performing a connection confirmation with the terminal;
     controlling the communication on the basis of the result of the connection confirmation; and
     updating the gray list on the basis of the connection confirmation.
  7.  The unauthorized communication control method according to claim 6, further comprising:
     updating a reliability of the user and a reliability of the terminal on the basis of the result of the connection confirmation; and
     updating the gray list on the basis of the result of the connection confirmation, the reliability of the user and the reliability of the terminal.
  8.  The unauthorized communication control method according to claim 7,
     wherein the gray list stores in advance each suspicious connection destination together with a suspicion degree of that connection destination, and
     the suspicion degree in the gray list is updated on the basis of the result of the connection confirmation, the reliability of the user and the reliability of the terminal.
  9.  The unauthorized communication control method according to claim 8,
     wherein a connection destination is managed as a black list when its suspicion degree in the gray list is greater than a predetermined value, and as a white list when its suspicion degree in the gray list is smaller than a predetermined value.
  10.  The unauthorized communication control method according to claim 9,
     wherein the connection confirmation uses an authentication method that distinguishes communication by a person from communication by a machine.
PCT/JP2015/079966 2015-10-23 2015-10-23 Illegal communication control apparatus and method WO2017068714A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/JP2015/079966 WO2017068714A1 (en) 2015-10-23 2015-10-23 Illegal communication control apparatus and method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/JP2015/079966 WO2017068714A1 (en) 2015-10-23 2015-10-23 Illegal communication control apparatus and method

Publications (1)

Publication Number Publication Date
WO2017068714A1 true WO2017068714A1 (en) 2017-04-27

Family

ID=58557127

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2015/079966 WO2017068714A1 (en) 2015-10-23 2015-10-23 Illegal communication control apparatus and method

Country Status (1)

Country Link
WO (1) WO2017068714A1 (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2019021094A (en) * 2017-07-19 2019-02-07 株式会社日立製作所 Web access control device
JP2019159383A (en) * 2018-03-07 2019-09-19 株式会社日立製作所 White list management system
WO2023282148A1 (en) * 2021-07-09 2023-01-12 株式会社日立製作所 Information management system, information management method, and information sharing system

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2004272881A (en) * 2003-02-21 2004-09-30 Nec Software Kyushu Ltd Information filtering system, method, and program
JP2009110334A (en) * 2007-10-31 2009-05-21 Mitsubishi Electric Corp Terminal, security system, terminal program, and security information management method
JP2014186499A (en) * 2013-03-22 2014-10-02 Oki Electric Ind Co Ltd Information evaluation system, information evaluation system server, and information communication terminal
JP2015170219A (en) * 2014-03-07 2015-09-28 株式会社日立システムズ access management method and access management system

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 15906720; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 15906720; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: JP)