WO2020044494A1 - Computer program, communication control method, communication control device, and relay device - Google Patents

Computer program, communication control method, communication control device, and relay device Download PDF

Info

Publication number
WO2020044494A1
WO2020044494A1 PCT/JP2018/032126 JP2018032126W WO2020044494A1 WO 2020044494 A1 WO2020044494 A1 WO 2020044494A1 JP 2018032126 W JP2018032126 W JP 2018032126W WO 2020044494 A1 WO2020044494 A1 WO 2020044494A1
Authority
WO
WIPO (PCT)
Prior art keywords
communication data
communication
program
acquired
control unit
Prior art date
Application number
PCT/JP2018/032126
Other languages
French (fr)
Japanese (ja)
Inventor
矢野 義博
伸乃助 仲谷
Original Assignee
大日本印刷株式会社
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 大日本印刷株式会社 filed Critical 大日本印刷株式会社
Priority to JP2020539949A priority Critical patent/JP7215486B2/en
Priority to PCT/JP2018/032126 priority patent/WO2020044494A1/en
Publication of WO2020044494A1 publication Critical patent/WO2020044494A1/en

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data

Definitions

  • the present invention relates to a computer program, a communication control method, a communication control device, and a relay device.
  • the use of the Internet by client devices such as smartphones and tablet terminals has become active.
  • the user may be required to input a user ID and a password.
  • the service providing side authenticates the identity of the user based on the user ID and the password, and provides a service to the authenticated user (for example, see Patent Document 1).
  • an interface screen very similar to the interface screen prepared by the service providing side is provided, and the user ID and password input through the spoofed interface screen are transmitted to another server installed by a third party. If the program to be transmitted to the device is installed in the client device, the user ID and password may be stolen by a third party.
  • the present invention has been made in view of such circumstances, and it is an object of the present invention to provide a computer program, a communication control method, a communication control device, and a relay device that can suppress leakage of information from a client device. .
  • a computer program is a computer in which a plurality of programs having a function of communicating with an external device via a communication network are installed, and all communication data transmitted through the program is acquired, and the acquired communication data is acquired. And a computer program for executing a process of discarding communication data other than communication data transmitted through a specific program.
  • a computer program is a computer in which a plurality of programs having a function of communicating with an external device via a communication network are installed, and all communication data transmitted through the program is acquired, and the acquired communication data is acquired.
  • a communication program other than communication data transmitted through a specific program the computer program for executing a process of notifying the occurrence of transmission by a program other than the specific program.
  • a communication control method includes a computer in which a plurality of programs each having a function of communicating with an external device via a communication network are installed, acquiring all communication data transmitted through the programs, and acquiring the acquired communication data. A process of discarding communication data other than communication data transmitted through a specific program among data is performed.
  • a communication control device includes a storage unit that stores a plurality of programs having a function of communicating with an external device via a communication network, an acquisition unit that acquires all communication data transmitted through the programs, and an acquisition unit. And a communication discarding unit for discarding communication data other than communication data transmitted through a specific program among the communication data.
  • a relay device from a terminal device installed with a plurality of programs having a function of communicating with an external device via a communication network, an acquisition unit that acquires all communication data transmitted through the programs, A communication discarding unit that discards communication data other than communication data transmitted through a specific program from the acquired communication data.
  • FIG. 1 is a block diagram illustrating an overall configuration of a communication control system according to a first embodiment.
  • FIG. 9 is an explanatory diagram for explaining an illegal act by a malicious program.
  • FIG. 2 is a block diagram illustrating an internal configuration of a client device.
  • 6 is a flowchart illustrating a procedure of a process executed by the client device according to the first embodiment.
  • 15 is a flowchart illustrating a procedure of a process executed by the client device according to the second embodiment.
  • 15 is a flowchart illustrating a procedure of a process executed by the client device according to the third embodiment.
  • 15 is a flowchart illustrating a procedure of a process performed by a client device according to Embodiment 4.
  • FIG. 15 is a flowchart illustrating a procedure of a process performed by a client device according to Embodiment 5.
  • 15 is a flowchart illustrating a procedure of a process performed by a client device according to Embodiment 6.
  • FIG. 15 is a block diagram illustrating an overall configuration of a communication control system according to a seventh embodiment.
  • 5 is a flowchart illustrating an internal configuration of a relay device.
  • 26 is a flowchart illustrating a procedure of a process executed by the relay device according to the seventh embodiment.
  • FIG. 1 is a block diagram illustrating the overall configuration of the communication control system according to the first embodiment.
  • the communication control system according to the present embodiment includes a client device 10 and a server device 20 communicably connected to each other via a communication network N.
  • the client device 10 is a terminal device such as a personal computer and a smartphone used by a user, and it is assumed that software (application program) for accessing the server device 20 is installed.
  • the server device 20 performs user authentication when receiving access from the client device 10, and provides an appropriate service to the client device 10 when the user authentication is successful.
  • the server device 20 is a financial server installed by a financial institution or the like, and communication between the client device 10 and the server device 20 is performed through the financial application 122 (see FIG. 2) installed in the client device 10. The configuration to be performed will be described.
  • the user When trying to receive the service provided by the client device 10, the user starts the financial application 122 on the client device 10 and inputs a user ID and a password through an interface screen provided by the financial application 122.
  • the input user ID and password are transmitted to the server device 20 through the financial application 122.
  • the user authentication is successful in the server device 20, the user can enjoy the service provided from the server device 20.
  • FIG. 2 is an explanatory diagram for explaining a fraudulent act by a malicious program.
  • the financial application 122 properly installed on the client device 10 displays, for example, an interface screen 100A as shown in FIG. 2 on the display unit 14 of the client device 10. Let it.
  • the malicious program prepares an interface screen 100B (a disguised interface screen) very similar to the interface screen 100A of the financial application 122, and displays the interface screen 100A superimposed on the regular interface screen 100A.
  • the malicious program obtains the user ID and the password through the disguised interface screen 100B and transmits the user ID and the password to another server device installed by a third party, thereby obtaining the user ID and the user of the user using the client device 10. Get password incorrectly.
  • the communication data when communication data is transmitted to the outside through a program executed by the client device 10, the communication data is acquired, and other than a specific program (the financial application 122 in the present embodiment).
  • One of the features is to prevent information from being stolen by a third party by discarding communication data transmitted through the program.
  • FIG. 3 is a block diagram illustrating the internal configuration of the client device 10.
  • the client device 10 includes a control unit 11, a storage unit 12, a communication unit 13, a display unit 14, and an operation unit 15.
  • the control unit 11 includes a CPU (Central Processing Unit), a ROM (Read Only Memory), a RAM (Random Access Memory), and the like.
  • the CPU included in the control unit 11 loads and executes various computer programs stored in the ROM or the storage unit 12 on the RAM, thereby causing the entire device to function as the communication control device of the present application.
  • the control unit 11 is not limited to the above configuration, and may be any processing circuit including one or more CPUs, a multi-core CPU, a microcomputer, and the like. Further, the control unit 11 may have a function such as a timer for measuring an elapsed time from when a measurement start instruction is given to when a measurement end instruction is given, and a counter for counting the number.
  • the storage unit 12 is configured by a nonvolatile memory such as an EEPROM (Electronically Erasable Programmable Read Only Memory), and stores various software (computer programs) and various data.
  • the software stored in the storage unit 12 includes a VPN application 121 for establishing a VPN with the server device 20, a financial application 122 for accessing the server device 20, and communication in the client device 10.
  • the communication control application 123 to be controlled is included.
  • the information stored in the storage unit 12 may include information (whitelist described later) used for restricting communication partners.
  • the program stored in the storage unit 12 may be provided by a non-transitory recording medium M1 that records the program in a readable manner.
  • the recording medium M1 is, for example, a portable memory such as a CD-ROM, a USB memory, an SD (Secure Digital) card, a micro SD card, and a compact flash (registered trademark).
  • the control unit 11 reads various programs from the recording medium M1 using a reading device (not shown), and installs the read various programs in the storage unit 12.
  • the program stored in the storage unit 12 may be provided by communication via the communication unit 13. In this case, the control unit 11 acquires various programs through the communication unit 13 and installs the acquired various programs in the storage unit 12.
  • the communication unit 13 includes an interface for communicating with the server device 20 via the communication network N.
  • the communication unit 13 transmits the input information to the server device 20 and controls information received from the server device 20 through the communication network N. Output to the unit 11.
  • the display unit 14 includes a display device such as a liquid crystal display or an organic EL display, and displays information to be notified to the user of the client device 10.
  • the operation unit 15 includes a touch panel and various buttons, receives an operation performed by a user of the client device 10, and outputs the received operation information to the control unit 11.
  • FIG. 4 is a flowchart illustrating a procedure of a process performed by the client device 10 according to the first embodiment.
  • the control unit 11 of the client device 10 When receiving the activation instruction of the financial application 122 through the operation unit 15, the control unit 11 of the client device 10 reads the financial application 122 from the storage unit 12, and activates the read financial application 122 (Step S101). Further, the control unit 11 reads the communication control application 123 from the storage unit 12, and activates the read communication control application 123 (Step S102).
  • the communication control application 123 is activated after the financial application 122 is activated, but the activation order of the financial application 122 and the communication control application 123 is not limited to the above.
  • the communication control application 123 is always activated, and the control unit 11 activates the financial application 122 when receiving an instruction to activate the financial application 122 in a state where the communication control application 123 is activated. Is also good.
  • the control unit 11 activates the VPN application 121 stored in the storage unit 12, and performs a VPN with the server device 20 on which the same VPN application (not shown) is executed.
  • a connection is established (step S103).
  • the VPN application 121 may be started in conjunction with the start of the financial application 122, or may be started when a user instruction is received through the operation unit 15.
  • control unit 11 determines whether or not communication data to be transmitted to the outside has been acquired through a program installed in the client device 10 (step S104). If not acquired (S104: NO), the control unit 11 shifts the processing to step S108 described later.
  • the processing from step S104 to step S107 described later is processing realized by the function of the communication control application 123 executed by the control unit 11.
  • the control unit 11 determines that the transmission source program of the acquired communication data is a specific program (finance). It is determined whether the application is the application 122) (step S105). In the present embodiment, in order to restrict transmission from any program other than the financial application 122, it is determined whether or not the source of the acquired communication data is the financial application 122.
  • the control unit 11 transmits the communication data to the destination device via the communication unit 13 (Step S106). .
  • the control unit 11 since a VPN is established between the client device 10 and the server device 20, communication data is transmitted to the server device 20.
  • the control unit 11 executes a process of discarding the communication data without transmitting the communication data (step S105). S107).
  • the program subject to transmission restriction is not limited to a so-called application program.
  • the program may be a single program executed by the control unit 11, or may be any application program such as a script, a command, an applet, a macro, or the like that is incorporated in an OS (Operating System) of the client device 10. May be included.
  • control unit 11 determines whether the financial application 122 has been stopped (step S108). When judging that it has not been stopped (S108: NO), the control unit 11 returns the process to step S104.
  • the control unit 11 stops the VPN application 121 and releases the VPN connection between the client device 10 and the server device 20 (Step S109). .
  • the control unit 11 stops the communication control application 123 (Step S110), and ends the processing according to the flowchart.
  • the application programs permitted to transmit data are limited to the financial application 122. It is not something to be done.
  • the application program permitted to transmit data may be a dedicated application program set in advance to communicate with a specific server, or a general application such as browser software that communicates with an unspecified number of servers. It may be a program.
  • communication data transmitted from another program may be discarded until processing executed through a specific interface screen is completed.
  • the financial application 122 provides an interface screen for receiving the input of the user ID and the password
  • the financial application 122 accepts the input of the user ID and the password through the interface screen, and transmits the received user ID and the password to the server device 20.
  • the communication data transmitted from another program may be discarded.
  • FIG. 5 is a flowchart illustrating a procedure of a process executed by the client device 10 according to the second embodiment.
  • the control unit 11 of the client device 10 determines whether to update the white list (Step S201).
  • the control unit 11 determines that the whitelist is to be updated when an instruction to update the whitelist is received through the operation unit 15 or when a timing set in advance as the whitelist update timing has been reached.
  • control unit 11 determines that the whitelist is to be updated (S201: YES)
  • the control unit 11 acquires a whitelist from the outside and updates the whitelist stored in the storage unit 12 (step S202).
  • the control unit 11 executes the process of step S203.
  • the financial application 122, the communication control application 123, and the VPN application 121 are activated in the same procedure as in the first embodiment, and a VPN connection is established with the server device 20 (steps S203 to S205).
  • control unit 11 determines whether or not communication data to be transmitted to the outside has been acquired through the program installed in the client device 10 (step S206). If not acquired (S206: NO), the control unit 11 shifts the processing to step S211 described below. The processing from step S206 to step S210 described later is processing realized by the function of the communication control application 123 executed by the control unit 11.
  • the control unit 11 When it is determined that the communication data transmitted to the outside through the program installed in the client device 10 has been acquired (S206: YES), the control unit 11 lists the transmission destination of the acquired communication data on the whitelist. It is determined whether or not it is the transmission destination (step S207). When it is determined that the destination is a destination listed in the white list (S207: YES), the control unit 11 shifts the processing to step S209.
  • the control unit 11 determines whether the transmission source program of the acquired communication data is a specific program (financial application 122). (Step S208).
  • the control unit 11 When determining that the transmission source of the acquired communication data is a specific program (financial application 122) (S208: YES), the control unit 11 transmits the communication data to the destination device via the communication unit 13 (Step S209). . In the present embodiment, since a VPN is established between the client device 10 and the server device 20, communication data is transmitted to the server device 20.
  • control unit 11 executes a process of discarding the communication data without transmitting the communication data (step S208). S210).
  • control unit 11 determines whether the financial application 122 has been stopped (step S211). When judging that it has not been stopped (S211: NO), the control unit 11 returns the process to step S206.
  • the control unit 11 stops the VPN application 121 and releases the VPN connection between the client device 10 and the server device 20 (Step S212). . Further, the control unit 11 stops the communication control application 123 (step S213), and ends the processing according to the flowchart.
  • the communication data is transmitted without being discarded. be able to.
  • FIG. 6 is a flowchart illustrating a procedure of a process executed by the client device 10 according to the third embodiment.
  • the control unit 11 of the client device 10 starts the financial application 122, the communication control application 123, and the VPN application 121 in the same procedure as in the first embodiment, and establishes a VPN connection with the server device 20 ( Steps S301 to S303).
  • control unit 11 determines whether or not communication data to be transmitted to the outside has been acquired through the program installed in the client device 10 (step S304). If not acquired (S304: NO), the control unit 11 shifts the processing to step S310 described later. Note that the processing from step S304 to step S309 described later is processing realized by the function of the communication control application 123 executed by the control unit 11.
  • control unit 11 determines that the transmission source program of the acquired communication data is a specific program (finance). It is determined whether the application is the application 122) (step S305).
  • the control unit 11 When determining that the transmission source of the acquired communication data is a specific program (financial application 122) (S305: YES), the control unit 11 transmits the communication data to the destination device via the communication unit 13 (step S306). . In the present embodiment, since a VPN is established between the client device 10 and the server device 20, communication data is transmitted to the server device 20.
  • the control unit 11 inquires of the user whether transmission is possible (step S307). Specifically, the control unit 11 causes the display unit 14 to display an interface screen for inquiring whether transmission is possible, and accepts a setting regarding transmission permission through the interface screen.
  • control unit 11 determines whether transmission from a program other than the specific program (financial application 122) is permitted (step S308). (S308: YES), the communication data is transmitted to the destination device (S306).
  • control unit 11 executes a process of discarding the communication data without transmitting the data (step S309).
  • control unit 11 determines whether the financial application 122 has been stopped (Step S310). When judging that it has not been stopped (S310: NO), the control unit 11 returns the process to step S304.
  • the control unit 11 stops the VPN application 121 and releases the VPN connection between the client device 10 and the server device 20 (step S311). . Further, the control unit 11 stops the communication control application 123 (step S312), and ends the processing according to the flowchart.
  • the communication data is transmitted without being discarded. be able to.
  • FIG. 7 is a flowchart illustrating a procedure of processing executed by the client device 10 according to the fourth embodiment.
  • the control unit 11 of the client device 10 starts the financial application 122, the communication control application 123, and the VPN application 121 in the same procedure as in the first embodiment, and establishes a VPN connection with the server device 20 ( Steps S401 to S403).
  • control unit 11 determines whether or not communication data transmitted to the outside through the program installed in the client device 10 has been acquired (step S404). If not acquired (S404: NO), the control unit 11 shifts the processing to step S409 described below. Note that the processing from step S404 to step S408 described below is processing realized by the function of the communication control application 123 executed by the control unit 11.
  • control unit 11 determines that the transmission source program of the acquired communication data is a specific program (finance). It is determined whether it is the application 122) (step S405).
  • the control unit 11 When determining that the transmission source of the acquired communication data is a specific program (financial application 122) (S405: YES), the control unit 11 transmits the communication data to the destination device via the communication unit 13 (step S406). . In the present embodiment, since a VPN is established between the client device 10 and the server device 20, communication data is transmitted to the server device 20.
  • the control unit 11 determines whether the specific information is included in the communication data to be transmitted. A determination is made (step S407). Here, it is determined whether or not information that is not desirable to be leaked to the outside, such as a user ID and a password, is included in the communication data.
  • control unit 11 If it is determined that the specific information is not included (S407: NO), the control unit 11 transmits the communication data to the destination device (S406). On the other hand, when determining that the specific information is included (S407: YES), the control unit 11 executes a process of discarding the communication data without transmitting the communication data (step S408).
  • control unit 11 determines whether the financial application 122 has been stopped (step S409). When judging that it has not been stopped (S409: NO), the control unit 11 returns the process to step S404.
  • the control unit 11 stops the VPN application 121 and releases the VPN connection between the client device 10 and the server device 20 (Step S410). .
  • the control unit 11 stops the communication control application 123 (step S411), and ends the processing according to the flowchart.
  • the communication data from a program other than the financial application 122 does not include specific information such as a user ID and a password, the communication data is transmitted without being discarded. can do.
  • FIG. 8 is a flowchart illustrating a procedure of processing executed by the client device 10 according to the fifth embodiment.
  • the control unit 11 of the client device 10 starts the financial application 122, the communication control application 123, and the VPN application 121 in the same procedure as in the first embodiment, and establishes a VPN connection with the server device 20 ( Steps S501 to 503).
  • control unit 11 determines whether or not communication data to be transmitted to the outside has been acquired through the program installed in the client device 10 (step S504). If it has not been acquired (S504: NO), the control unit 11 shifts the processing to step S509 described below. Note that the processing from step S504 to step S508 described later is processing realized by the function of the communication control application 123 executed by the control unit 11.
  • control unit 11 determines that the transmission source program of the acquired communication data is a specific program (finance). It is determined whether the application is the application 122) (step S505).
  • the control unit 11 When determining that the transmission source of the acquired communication data is a specific program (financial application 122) (S505: YES), the control unit 11 transmits the communication data to the destination device via the communication unit 13 (Step S506). .
  • the control unit 11 since a VPN is established between the client device 10 and the server device 20, communication data is transmitted to the server device 20.
  • control unit 11 determines whether the transmission source is a non-target application set by the user. Is determined (step S507).
  • the control unit 11 transmits the communication data to the destination device (S506).
  • the control unit 11 executes a process of discarding the communication data without transmitting the communication data (step S508).
  • control unit 11 determines whether the financial application 122 has been stopped (step S509). If it is determined that the operation has not been stopped (S509: NO), the control unit 11 returns the process to step S504.
  • the control unit 11 stops the VPN application 121 and releases the VPN connection between the client device 10 and the server device 20 (Step S510). . Further, the control unit 11 stops the communication control application 123 (step S511), and ends the processing according to the flowchart.
  • the communication data is discarded if the security of the source program (application) is confirmed by the user. Can be sent without.
  • FIG. 9 is a flowchart illustrating a procedure of a process executed by the client device 10 according to the sixth embodiment.
  • the control unit 11 of the client device 10 starts the financial application 122, the communication control application 123, and the VPN application 121 in the same procedure as in the first embodiment, and establishes a VPN connection with the server device 20 ( Steps S601 to 603).
  • control unit 11 determines whether or not communication data to be transmitted to the outside is acquired through the program installed in the client device 10 (step S604). If it has not been acquired (S604: NO), the control unit 11 shifts the processing to step S609 described later.
  • the processing from step S604 to step S607 described later is processing realized by the function of the communication control application 123 executed by the control unit 11.
  • control unit 11 determines that the transmission source program of the acquired communication data is a specific program (finance). It is determined whether the application is the application 122) (step S605).
  • the control unit 11 When determining that the transmission source of the acquired communication data is a specific program (financial application 122) (S605: YES), the control unit 11 transmits the communication data to the destination device via the communication unit 13 (step S606). . In the present embodiment, since a VPN is established between the client device 10 and the server device 20, communication data is transmitted to the server device 20.
  • the control unit 11 informs that the transmission processing of the communication data by a program other than the specific program has occurred. Is notified to the user (step S607). At this time, the control unit 11 may output information to the effect that transmission processing of communication data by a program other than the specific program has occurred to the display unit 14 and cause the display unit 14 to display the information.
  • the client device 10 includes an audio output unit
  • the user may be notified by voice or an alarm that a transmission process of communication data by a program other than a specific program has occurred.
  • the control unit 11 may notify the user of the information before transmitting communication data from a program other than the specific program, and may transmit the information to that effect after the transmission of the communication data is completed. The user may be notified.
  • control unit 11 determines whether the financial application 122 has been stopped (Step S608). When judging that it has not been stopped (S608: NO), the control unit 11 returns the process to step S604.
  • the control unit 11 stops the VPN application 121 and releases the VPN connection between the client device 10 and the server device 20 (Step S609). Further, the control unit 11 stops the communication control application 123 (Step S610), and ends the processing according to the flowchart.
  • the transmission process from any program other than the financial application 122 is notified to the user. Can be notified to the user that the information may have been stolen, and it is possible to take measures such as changing the user ID and the password.
  • FIG. 10 is a block diagram illustrating the overall configuration of the communication control system according to the seventh embodiment.
  • the communication control system according to the present embodiment includes a client device 10, a server device 20, and a relay device 30 that are communicably connected to each other via a communication network N.
  • the client device 10 is a terminal device such as a personal computer and a smartphone used by a user, and it is assumed that software (application program) for accessing the server device 20 is installed.
  • the server device 20 performs user authentication when receiving access from the client device 10, and provides an appropriate service to the client device 10 when the user authentication is successful.
  • the relay device 30 is a server that relays communication between the client device 10 and the server device 20.
  • the relay device 30 transmits communication data received from the client device 10 to the server device 20 and transmits communication data received from the server device 20. Send to client device 10.
  • the server device 20 is a financial server installed by a financial institution or the like and the relay device 30 relays communication data transmitted and received through the financial application 122 installed in the client device 10 will be described.
  • FIG. 11 is a flowchart illustrating the internal configuration of the relay device 30.
  • the relay device 30 includes a control unit 31, a storage unit 32, a communication unit 33, a display unit 34, and an operation unit 35.
  • the control unit 31 includes a CPU, a ROM, a RAM, and the like.
  • the CPU included in the control unit 31 loads various computer programs stored in the ROM or the storage unit 32 on the RAM and executes the computer programs, thereby causing the entire device to function as the relay device of the present application.
  • the control unit 31 is not limited to the above configuration, and may be any processing circuit including one or more CPUs, a multi-core CPU, a microcomputer, and the like. Further, the control unit 31 may have a function such as a timer for measuring an elapsed time from when a measurement start instruction is given to when a measurement end instruction is given, a counter for counting the number, and the like.
  • the storage unit 32 is configured by a nonvolatile storage device such as an EEPROM and a hard disk, and stores various software (computer programs) and various data.
  • the software stored in the storage unit 32 includes a VPN application 321 for establishing a VPN with the client device 10, a communication control application 322 for controlling communication in the relay device 30, and the like.
  • the information stored in the storage unit 32 may include information (whitelist described later) used for restricting communication partners.
  • the program stored in the storage unit 32 may be provided by a non-transitory recording medium M2 in which the program is readablely recorded.
  • the recording medium M2 is, for example, a portable memory such as a CD-ROM, a USB memory, an SD (Secure Digital) card, a micro SD card, and a compact flash (registered trademark).
  • the control unit 31 reads various programs from the recording medium M2 using a reading device (not shown), and installs the read various programs in the storage unit 32.
  • the program stored in the storage unit 32 may be provided by communication via the communication unit 33. In this case, the control unit 31 acquires various programs through the communication unit 33 and installs the acquired various programs in the storage unit 32.
  • the communication unit 33 includes an interface for communicating with the client device 10 and the server device 20 through the communication network N.
  • the communication unit 33 transmits the input information to the client device 10 or the server device 20 and receives the information through the communication network N.
  • the information from the client device 10 or the server device 20 is output to the control unit 31.
  • the display unit 34 includes a display device such as a liquid crystal display and an organic EL display, and displays information to be notified to the administrator of the relay device 30.
  • the operation unit 35 includes a touch panel and various buttons, receives an operation performed by an administrator of the relay device 30, and outputs the received operation information to the control unit 31.
  • FIG. 12 is a flowchart illustrating a procedure of a process executed by the relay device 30 according to the seventh embodiment.
  • the control unit 31 of the relay device 30 Prior to the communication with the client device 10, the control unit 31 of the relay device 30 reads the communication control application 322 from the storage unit 32 and activates the read communication control application 322 (step S701).
  • the control unit 31 activates the VPN application 321 stored in the storage unit 32 and establishes a VPN connection with the client device 10 on which the VPN application 121 is also executed (step S702).
  • control unit 31 determines whether or not communication data transmitted from the client device 10 has been acquired through the communication unit 33 (step S703). If it has not been acquired (S703: NO), the control unit 31 shifts the processing to step S707 described below.
  • the processing from step S703 to step S706, which will be described later, is processing realized by the function of the communication control application 322 executed by the control unit 31.
  • the control unit 31 determines that the transmission source program of the acquired communication data is a specific program (financial application) installed in the client device 10. 122) is determined (step S704). In the present embodiment, in order to restrict transmission from any program other than the financial application 122, it is determined whether or not the source of the acquired communication data is the financial application 122.
  • the control unit 31 When determining that the transmission source of the acquired communication data is a specific program (financial application 122) (S704: YES), the control unit 31 transmits the communication data to the relay destination server device 20 through the communication unit 33. (Step S705).
  • a VPN may be constructed between the relay device 30 and the server device 20.
  • the control unit 31 executes a process of discarding the communication data without transmitting the communication data (step S704). S706).
  • transmission of communication data to a destination specified by an arbitrary program other than the financial application 122 is avoided, so that a malicious program that steals various information such as a user ID and a password is installed.
  • the transmission of data from the program can be stopped.
  • control unit 31 determines whether or not the financial application 122 has been stopped in the client device 10 (step S707). If it is determined that the operation has not been stopped (S707: NO), the control unit 31 returns the process to step S703.
  • the control unit 31 stops the VPN application 321 and releases the VPN connection between the relay device 30 and the client device 10 (step S708). .
  • the control unit 31 stops the communication control application 322 (step S709), and ends the processing according to the flowchart.

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • General Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer And Data Communications (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

Provided are a computer program, a communication control method, a communication control device, and a relay device. In the present invention, a computer has installed thereon a plurality of programs and is provided with a function for communicating with external devices via a communication network. This computer program is for causing the computer to execute processing in which all of the communication data to be transmitted through the programs is obtained, and from the obtained communication data, communication data other than communication data to be transmitted through a specific program is discarded.

Description

コンピュータプログラム、通信制御方法、通信制御装置及び中継装置Computer program, communication control method, communication control device, and relay device
 本発明は、コンピュータプログラム、通信制御方法、通信制御装置及び中継装置に関する。 << The present invention relates to a computer program, a communication control method, a communication control device, and a relay device.
 近年、スマートフォンやタブレット端末などのクライアント装置によるインターネットの利用が盛んに行われるようになってきている。このようなインターネットを利用したサービスにおいては、ユーザに対してユーザID及びパスワードの入力が求められる場合がある。サービス提供側は、ユーザID及びパスワードによりユーザ本人であることを認証し、認証したユーザに対してサービスを提供するようにしている(例えば、特許文献1を参照)。 In recent years, the use of the Internet by client devices such as smartphones and tablet terminals has become active. In such a service using the Internet, the user may be required to input a user ID and a password. The service providing side authenticates the identity of the user based on the user ID and the password, and provides a service to the authenticated user (for example, see Patent Document 1).
特開2002-73562号公報JP-A-2002-73562
 しかしながら、ユーザが知らない間にクライアント装置に悪意のあるプログラムがインストールされていた場合、不正行為が行われる虞がある。例えば、サービス提供側が用意するインタフェース画面とよく似たインタフェース画面(偽装したインタフェース画面)を提供し、この偽装したインタフェース画面を通じて入力されたユーザID及びパスワードを、第三者によって設置された別のサーバ装置へ送信するプログラムがクライアント装置にインストールされていた場合、ユーザID及びパスワードが第三者に盗まれる虞がある。 However, if a malicious program is installed in the client device before the user knows, there is a possibility that an illegal act may be performed. For example, an interface screen (spoofed interface screen) very similar to the interface screen prepared by the service providing side is provided, and the user ID and password input through the spoofed interface screen are transmitted to another server installed by a third party. If the program to be transmitted to the device is installed in the client device, the user ID and password may be stolen by a third party.
 本発明は、斯かる事情に鑑みてなされたものであり、クライアント装置からの情報の流出を抑制することができるコンピュータプログラム、通信制御方法、通信制御装置及び中継装置を提供することを目的とする。 The present invention has been made in view of such circumstances, and it is an object of the present invention to provide a computer program, a communication control method, a communication control device, and a relay device that can suppress leakage of information from a client device. .
 一態様に係るコンピュータプログラムは、通信網を介して外部装置と通信する機能を備えた複数のプログラムがインストールされたコンピュータに、前記プログラムを通じて送信される全ての通信データを取得し、取得した通信データのうち、特定のプログラムを通じて送信される通信データ以外の通信データを破棄する処理を実行させるためのコンピュータプログラムである。 A computer program according to one aspect is a computer in which a plurality of programs having a function of communicating with an external device via a communication network are installed, and all communication data transmitted through the program is acquired, and the acquired communication data is acquired. And a computer program for executing a process of discarding communication data other than communication data transmitted through a specific program.
 一態様に係るコンピュータプログラムは、通信網を介して外部装置と通信する機能を備えた複数のプログラムがインストールされたコンピュータに、前記プログラムを通じて送信される全ての通信データを取得し、取得した通信データに、特定のプログラムを通じて送信される通信データ以外の通信データが含まれる場合、前記特定のプログラム以外のプログラムによる送信の発生を報知する処理を実行させるためのコンピュータプログラムである。 A computer program according to one aspect is a computer in which a plurality of programs having a function of communicating with an external device via a communication network are installed, and all communication data transmitted through the program is acquired, and the acquired communication data is acquired. A communication program other than communication data transmitted through a specific program, the computer program for executing a process of notifying the occurrence of transmission by a program other than the specific program.
 一態様に係る通信制御方法は、通信網を介して外部装置と通信する機能を備えた複数のプログラムがインストールされたコンピュータにより、前記プログラムを通じて送信される全ての通信データを取得し、取得した通信データのうち、特定のプログラムを通じて送信される通信データ以外の通信データを破棄する処理を行う。 A communication control method according to an aspect includes a computer in which a plurality of programs each having a function of communicating with an external device via a communication network are installed, acquiring all communication data transmitted through the programs, and acquiring the acquired communication data. A process of discarding communication data other than communication data transmitted through a specific program among data is performed.
 一態様に係る通信制御装置は、通信網を介して外部装置と通信する機能を備えた複数のプログラムを記憶する記憶部と、前記プログラムを通じて送信される全ての通信データを取得する取得部と取得した通信データのうち、特定のプログラムを通じて送信される通信データ以外の通信データを破棄する通信破棄部とを備える。 A communication control device according to an aspect includes a storage unit that stores a plurality of programs having a function of communicating with an external device via a communication network, an acquisition unit that acquires all communication data transmitted through the programs, and an acquisition unit. And a communication discarding unit for discarding communication data other than communication data transmitted through a specific program among the communication data.
 一態様に係る中継装置は、通信網を介して外部装置と通信する機能を備えた複数のプログラムがインストールされた端末装置から、前記プログラムを通じて送信される全ての通信データを取得する取得部と、取得した通信データのうち、特定のプログラムを通じて送信される通信データ以外の通信データを破棄する通信破棄部とを備える。 A relay device according to an aspect, from a terminal device installed with a plurality of programs having a function of communicating with an external device via a communication network, an acquisition unit that acquires all communication data transmitted through the programs, A communication discarding unit that discards communication data other than communication data transmitted through a specific program from the acquired communication data.
 本願によれば、クライアント装置からの情報の流出を抑制することができる。 According to the present application, it is possible to suppress the outflow of information from the client device.
実施の形態1に係る通信制御システムの全体構成を説明するブロック図である。FIG. 1 is a block diagram illustrating an overall configuration of a communication control system according to a first embodiment. 悪意のあるプログラムによる不正行為を説明する説明図である。FIG. 9 is an explanatory diagram for explaining an illegal act by a malicious program. クライアント装置の内部構成を説明するブロック図である。FIG. 2 is a block diagram illustrating an internal configuration of a client device. 実施の形態1に係るクライアント装置が実行する処理の手順を説明するフローチャートである。6 is a flowchart illustrating a procedure of a process executed by the client device according to the first embodiment. 実施の形態2に係るクライアント装置が実行する処理の手順を説明するフローチャートである。15 is a flowchart illustrating a procedure of a process executed by the client device according to the second embodiment. 実施の形態3に係るクライアント装置が実行する処理の手順を説明するフローチャートである。15 is a flowchart illustrating a procedure of a process executed by the client device according to the third embodiment. 実施の形態4に係るクライアント装置が実行する処理の手順を説明するフローチャートである。15 is a flowchart illustrating a procedure of a process performed by a client device according to Embodiment 4. 実施の形態5に係るクライアント装置が実行する処理の手順を説明するフローチャートである。15 is a flowchart illustrating a procedure of a process performed by a client device according to Embodiment 5. 実施の形態6に係るクライアント装置が実行する処理の手順を説明するフローチャートである。15 is a flowchart illustrating a procedure of a process performed by a client device according to Embodiment 6. 実施の形態7に係る通信制御システムの全体構成を説明するブロック図である。FIG. 15 is a block diagram illustrating an overall configuration of a communication control system according to a seventh embodiment. 中継装置の内部構成を説明するフローチャートである。5 is a flowchart illustrating an internal configuration of a relay device. 実施の形態7に係る中継装置が実行する処理の手順を説明するフローチャートである。26 is a flowchart illustrating a procedure of a process executed by the relay device according to the seventh embodiment.
 以下、本発明をその実施の形態を示す図面に基づいて具体的に説明する。
(実施の形態1)
 図1は実施の形態1に係る通信制御システムの全体構成を説明するブロック図である。本実施の形態に係る通信制御システムは、通信網Nを介して互いに通信可能に接続されるクライアント装置10とサーバ装置20とを備える。クライアント装置10は、ユーザによって利用されるパーソナルコンピュータ、スマートフォンなどの端末装置であり、サーバ装置20にアクセスするためのソフトウェア(アプリケーションプログラム)がインストールされているものとする。サーバ装置20は、クライアント装置10からのアクセスを受付けた際にユーザ認証を行い、ユーザ認証に成功した場合、クライアント装置10に対して適宜のサービスを提供する。 Hereinafter, the present invention will be specifically described with reference to the drawings showing the embodiments.
(Embodiment 1)
FIG. 1 is a block diagram illustrating the overall configuration of the communication control system according to the first embodiment. The communication control system according to the present embodiment includes a client device 10 and a server device 20 communicably connected to each other via a communication network N. The client device 10 is a terminal device such as a personal computer and a smartphone used by a user, and it is assumed that software (application program) for accessing the server device 20 is installed. The server device 20 performs user authentication when receiving access from the client device 10, and provides an appropriate service to the client device 10 when the user authentication is successful.
 以下では、サーバ装置20を金融機関等によって設置される金融サーバとし、クライアント装置10にインストールされている金融アプリ122(図2を参照)を通じて、クライアント装置10とサーバ装置20との間で通信を行う構成について説明を行う。 Hereinafter, the server device 20 is a financial server installed by a financial institution or the like, and communication between the client device 10 and the server device 20 is performed through the financial application 122 (see FIG. 2) installed in the client device 10. The configuration to be performed will be described.
 クライアント装置10から提供されるサービスを受けようとした場合、ユーザは、クライアント装置10において金融アプリ122を起動し、金融アプリ122によって提供されるインタフェース画面を通じてユーザID及びパスワードを入力する。入力されたユーザID及びパスワードは、金融アプリ122を通じて、サーバ装置20へ送信される。サーバ装置20にてユーザ認証に成功した場合、ユーザはサーバ装置20から提供されるサービスを享受することができる。 When trying to receive the service provided by the client device 10, the user starts the financial application 122 on the client device 10 and inputs a user ID and a password through an interface screen provided by the financial application 122. The input user ID and password are transmitted to the server device 20 through the financial application 122. When the user authentication is successful in the server device 20, the user can enjoy the service provided from the server device 20.
 しかしながら、ユーザが知らない間に、悪意のあるプログラムがクライアント装置10にインストールされていた場合、不正行為が行われる虞がある。図2は悪意のあるプログラムによる不正行為を説明する説明図である。クライアント装置10に正規にインストールされている金融アプリ122は、ユーザに対してユーザID及びパスワードの入力を求める場合、例えば、図2に示すようなインタフェース画面100Aをクライアント装置10の表示部14に表示させる。これに対し、悪意のあるプログラムは、金融アプリ122のインタフェース画面100Aとよく似たインタフェース画面100B(偽装したインタフェース画面)を用意し、正規のインタフェース画面100Aに重畳させて表示する。外見上は、正規のインタフェース画面100Aと偽装したインタフェース画面100Bとは区別することは困難であり、偽装したインタフェース画面100Bを通じてユーザID及びパスワードが入力される虞がある。悪意のあるプログラムは、偽装したインタフェース画面100Bを通じてユーザID及びパスワードを取得し、第三者によって設置された別のサーバ装置へ送信することで、クライアント装置10を利用しているユーザのユーザID及びパスワードを不正に取得する。 However, if a malicious program is installed in the client device 10 before the user knows, there is a possibility that an illegal act may be performed. FIG. 2 is an explanatory diagram for explaining a fraudulent act by a malicious program. When requesting the user to input a user ID and a password, the financial application 122 properly installed on the client device 10 displays, for example, an interface screen 100A as shown in FIG. 2 on the display unit 14 of the client device 10. Let it. On the other hand, the malicious program prepares an interface screen 100B (a disguised interface screen) very similar to the interface screen 100A of the financial application 122, and displays the interface screen 100A superimposed on the regular interface screen 100A. In appearance, it is difficult to distinguish the regular interface screen 100A from the disguised interface screen 100B, and there is a possibility that the user ID and the password are input through the disguised interface screen 100B. The malicious program obtains the user ID and the password through the disguised interface screen 100B and transmits the user ID and the password to another server device installed by a third party, thereby obtaining the user ID and the user of the user using the client device 10. Get password incorrectly.
 そこで、本実施の形態では、クライアント装置10にて実行されるプログラムを通じて通信データが外部へ送信される場合、この通信データを取得し、特定のプログラム(本実施の形態では金融アプリ122)以外のプログラムを通じて送信される通信データを破棄することによって、第三者に情報が盗まれることを防止することを特徴の1つとしている。 Therefore, in the present embodiment, when communication data is transmitted to the outside through a program executed by the client device 10, the communication data is acquired, and other than a specific program (the financial application 122 in the present embodiment). One of the features is to prevent information from being stolen by a third party by discarding communication data transmitted through the program.
 図3はクライアント装置10の内部構成を説明するブロック図である。クライアント装置10は、制御部11、記憶部12、通信部13、表示部14及び操作部15を備える。 FIG. 3 is a block diagram illustrating the internal configuration of the client device 10. The client device 10 includes a control unit 11, a storage unit 12, a communication unit 13, a display unit 14, and an operation unit 15.
 制御部11は、CPU(Central Processing Unit)、ROM(Read Only Memory)、RAM(Random Access Memory)などにより構成されている。制御部11が備えるCPUは、ROM又は記憶部12に記憶されている各種コンピュータプログラムをRAM上に展開して実行することにより、装置全体を本願の通信制御装置として機能させる。 The control unit 11 includes a CPU (Central Processing Unit), a ROM (Read Only Memory), a RAM (Random Access Memory), and the like. The CPU included in the control unit 11 loads and executes various computer programs stored in the ROM or the storage unit 12 on the RAM, thereby causing the entire device to function as the communication control device of the present application.
 なお、制御部11は、上記の構成に限定されるものではなく、1又は複数のCPU、マルチコアCPU、マイコン等を含む任意の処理回路であればよい。また、制御部11は、計測開始指示を与えてから計測終了指示を与えるまでの経過時間を計測するタイマ、数をカウントするカウンタ等の機能を備えていてもよい。 The control unit 11 is not limited to the above configuration, and may be any processing circuit including one or more CPUs, a multi-core CPU, a microcomputer, and the like. Further, the control unit 11 may have a function such as a timer for measuring an elapsed time from when a measurement start instruction is given to when a measurement end instruction is given, and a counter for counting the number.
 記憶部12は、EEPROM(Electronically Erasable Programmable Read Only Memory)などの不揮発性メモリにより構成されており、各種のソフトウェア(コンピュータプログラム)及び各種のデータを記憶する。ここで、記憶部12に記憶されているソフトウェアには、サーバ装置20との間でVPNを構築するためのVPNアプリ121、サーバ装置20にアクセスするための金融アプリ122、クライアント装置10における通信を制御する通信制御アプリ123などが含まれる。また、記憶部12が記憶する情報には、通信相手を制限するために用いられる情報(後述するホワイトリスト)が含まれていてもよい。 The storage unit 12 is configured by a nonvolatile memory such as an EEPROM (Electronically Erasable Programmable Read Only Memory), and stores various software (computer programs) and various data. Here, the software stored in the storage unit 12 includes a VPN application 121 for establishing a VPN with the server device 20, a financial application 122 for accessing the server device 20, and communication in the client device 10. The communication control application 123 to be controlled is included. Further, the information stored in the storage unit 12 may include information (whitelist described later) used for restricting communication partners.
 なお、記憶部12に記憶されるプログラムは、当該プログラムを読み取り可能に記録した非一時的な記録媒体M1により提供されてもよい。記録媒体M1は、例えば、CD-ROM、USBメモリ、SD(Secure Digital)カード、マイクロSDカード、コンパクトフラッシュ(登録商標)などの可搬型メモリである。この場合、制御部11は、不図示の読取装置を用いて記録媒体M1から各種プログラムを読み取り、読み取った各種プログラムを記憶部12にインストールする。また、記憶部12に記憶されるプログラムは、通信部13を介した通信により提供されてもよい。この場合、制御部11は、通信部13を通じて各種プログラムを取得し、取得した各種プログラムを記憶部12にインストールする。 The program stored in the storage unit 12 may be provided by a non-transitory recording medium M1 that records the program in a readable manner. The recording medium M1 is, for example, a portable memory such as a CD-ROM, a USB memory, an SD (Secure Digital) card, a micro SD card, and a compact flash (registered trademark). In this case, the control unit 11 reads various programs from the recording medium M1 using a reading device (not shown), and installs the read various programs in the storage unit 12. Further, the program stored in the storage unit 12 may be provided by communication via the communication unit 13. In this case, the control unit 11 acquires various programs through the communication unit 13 and installs the acquired various programs in the storage unit 12.
 通信部13は、通信網Nを通じてサーバ装置20と通信を行うためのインタフェースを備える。通信部13は、サーバ装置20へ送信すべき情報が制御部11から入力された場合、入力された情報をサーバ装置20へ送信する共に、通信網Nを通じて受信したサーバ装置20からの情報を制御部11へ出力する。 The communication unit 13 includes an interface for communicating with the server device 20 via the communication network N. When information to be transmitted to the server device 20 is input from the control unit 11, the communication unit 13 transmits the input information to the server device 20 and controls information received from the server device 20 through the communication network N. Output to the unit 11.
 表示部14は、液晶ディスプレイ、有機ELディスプレイなどの表示デバイスを備え、クライアント装置10のユーザに対して報知すべき情報を表示する。また、操作部15は、タッチパネル、各種ボタンを備え、クライアント装置10のユーザによる操作を受付け、受付けた操作情報を制御部11へ出力する。 The display unit 14 includes a display device such as a liquid crystal display or an organic EL display, and displays information to be notified to the user of the client device 10. The operation unit 15 includes a touch panel and various buttons, receives an operation performed by a user of the client device 10, and outputs the received operation information to the control unit 11.
 図4は実施の形態1に係るクライアント装置10が実行する処理の手順を説明するフローチャートである。クライアント装置10の制御部11は、操作部15を通じて金融アプリ122の起動指示を受付けた場合、記憶部12から金融アプリ122を読出し、読出した金融アプリ122を起動する(ステップS101)。また、制御部11は、記憶部12から通信制御アプリ123を読出し、読出した通信制御アプリ123を起動する(ステップS102)。 FIG. 4 is a flowchart illustrating a procedure of a process performed by the client device 10 according to the first embodiment. When receiving the activation instruction of the financial application 122 through the operation unit 15, the control unit 11 of the client device 10 reads the financial application 122 from the storage unit 12, and activates the read financial application 122 (Step S101). Further, the control unit 11 reads the communication control application 123 from the storage unit 12, and activates the read communication control application 123 (Step S102).
 なお、本実施の形態では、金融アプリ122を起動した後に通信制御アプリ123を起動する構成としたが、金融アプリ122及び通信制御アプリ123の起動順序は上記に限定されるものではない。例えば、通信制御アプリ123は常時起動されており、通信制御アプリ123が起動された状態にて、金融アプリ122の起動指示を受付けた場合、制御部11が金融アプリ122を起動する構成であってもよい。 In the present embodiment, the communication control application 123 is activated after the financial application 122 is activated, but the activation order of the financial application 122 and the communication control application 123 is not limited to the above. For example, the communication control application 123 is always activated, and the control unit 11 activates the financial application 122 when receiving an instruction to activate the financial application 122 in a state where the communication control application 123 is activated. Is also good.
 次いで、制御部11は、サーバ装置20との通信に先立ち、記憶部12に記憶されているVPNアプリ121を起動し、同じくVPNアプリ(不図示)が実行されるサーバ装置20との間でVPN接続を確立させる(ステップS103)。なお、VPNアプリ121は、金融アプリ122の起動に連動して起動されるものであってもよく、操作部15を通じてユーザの指示を受付けた場合に起動されるものであってもよい。 Next, prior to communication with the server device 20, the control unit 11 activates the VPN application 121 stored in the storage unit 12, and performs a VPN with the server device 20 on which the same VPN application (not shown) is executed. A connection is established (step S103). Note that the VPN application 121 may be started in conjunction with the start of the financial application 122, or may be started when a user instruction is received through the operation unit 15.
 次いで、制御部11は、クライアント装置10にインストールされているプログラムを通じて外部へ送信される通信データを取得したか否かを判断する(ステップS104)。取得していない場合(S104:NO)、制御部11は後述するステップS108へ処理を移行させる。なお、ステップS104から後述するステップS107までの処理は、制御部11によって実行される通信制御アプリ123の機能によって実現される処理である。 Next, the control unit 11 determines whether or not communication data to be transmitted to the outside has been acquired through a program installed in the client device 10 (step S104). If not acquired (S104: NO), the control unit 11 shifts the processing to step S108 described later. The processing from step S104 to step S107 described later is processing realized by the function of the communication control application 123 executed by the control unit 11.
 クライアント装置10にインストールされているプログラムを通じて外部へ送信される通信データを取得したと判断した場合(S104:YES)、制御部11は、取得した通信データの送信元のプログラムが特定のプログラム(金融アプリ122)であるか否かを判断する(ステップS105)。本実施の形態では、金融アプリ122以外の任意のプログラムからの送信を制限するために、取得した通信データの送信元が金融アプリ122であるか否かを判断する。 When determining that the communication data transmitted to the outside has been acquired through the program installed in the client device 10 (S104: YES), the control unit 11 determines that the transmission source program of the acquired communication data is a specific program (finance). It is determined whether the application is the application 122) (step S105). In the present embodiment, in order to restrict transmission from any program other than the financial application 122, it is determined whether or not the source of the acquired communication data is the financial application 122.
 取得した通信データの送信元が特定のプログラム(金融アプリ122)であると判断した場合(S105:YES)、制御部11は、当該通信データを通信部13を通じて宛先装置へ送信する(ステップS106)。本実施の形態では、クライアント装置10とサーバ装置20との間でVPNが構築されているため、通信データはサーバ装置20へ送信されることになる。 When it is determined that the transmission source of the acquired communication data is a specific program (financial application 122) (S105: YES), the control unit 11 transmits the communication data to the destination device via the communication unit 13 (Step S106). . In the present embodiment, since a VPN is established between the client device 10 and the server device 20, communication data is transmitted to the server device 20.
 一方、取得した通信データの送信元が特定のプログラム(金融アプリ122)でないと判断した場合(S105:NO)、制御部11は、当該通信データを送信せずに破棄する処理を実行する(ステップS107)。これにより、金融アプリ122以外の任意のプログラムにより指定された宛先への通信データの送信が回避されるので、ユーザID及びパスワード等の各種の情報を盗み出すような悪意のあるプログラムがインストールされた場合であっても、当該プログラムからのデータの送信を止めることができる。なお、送信制限の対象とするプログラムは、いわゆるアプリケーションプログラムに限定されるものではない。制御部11によって実行される単独のプログラムであってもよく、他のアプリケーションプログラムやクライアント装置10のOS(Operating System)に組み込まれるようなスクリプト、コマンド、アプレット、マクロ等の任意の形態のプログラムを含んでもよい。 On the other hand, when determining that the transmission source of the acquired communication data is not the specific program (financial application 122) (S105: NO), the control unit 11 executes a process of discarding the communication data without transmitting the communication data (step S105). S107). As a result, transmission of communication data to a destination specified by an arbitrary program other than the financial application 122 is avoided, so that a malicious program that steals various information such as a user ID and a password is installed. However, the transmission of data from the program can be stopped. Note that the program subject to transmission restriction is not limited to a so-called application program. The program may be a single program executed by the control unit 11, or may be any application program such as a script, a command, an applet, a macro, or the like that is incorporated in an OS (Operating System) of the client device 10. May be included.
 次いで、制御部11は、金融アプリ122が停止されたか否かを判断する(ステップS108)。停止されていないと判断した場合(S108:NO)、制御部11は、処理をステップS104へ戻す。 Next, the control unit 11 determines whether the financial application 122 has been stopped (step S108). When judging that it has not been stopped (S108: NO), the control unit 11 returns the process to step S104.
 一方、金融アプリ122が停止されたと判断した場合(S108:YES)、制御部11は、VPNアプリ121を停止させ、クライアント装置10とサーバ装置20との間のVPN接続を解除する(ステップS109)。また、制御部11は、通信制御アプリ123を停止させ(ステップS110)、本フローチャートによる処理を終了する。 On the other hand, when determining that the financial application 122 has been stopped (S108: YES), the control unit 11 stops the VPN application 121 and releases the VPN connection between the client device 10 and the server device 20 (Step S109). . In addition, the control unit 11 stops the communication control application 123 (Step S110), and ends the processing according to the flowchart.
 以上のように、本実施の形態では、金融アプリ122が起動している間、金融アプリ122以外の任意のプログラムから送信される通信データを破棄する構成としているので、ユーザID及びパスワード等の各種の情報を盗み出すような悪意のあるプログラムがインストールされた場合であっても、当該プログラムからのデータの送信を止めることができる。 As described above, in the present embodiment, while the financial application 122 is running, communication data transmitted from any program other than the financial application 122 is discarded. Even if a malicious program that steals this information is installed, transmission of data from the program can be stopped.
 なお、本実施の形態では、金融アプリ122が起動している間、他のプログラムから送信される通信データを破棄する構成としたが、データの送信が許可されるアプリケーションプログラムは金融アプリ122に限定されるものではない。データの送信が許可されるアプリケーションプログラムは、特定のサーバと通信を行うために予め設定された専用のアプリケーションプログラムであってもよく、不特定多数のサーバと通信を行うブラウザソフト等の一般のアプリケーションプログラムであってもよい。 In the present embodiment, while the financial application 122 is running, communication data transmitted from another program is discarded. However, the application programs permitted to transmit data are limited to the financial application 122. It is not something to be done. The application program permitted to transmit data may be a dedicated application program set in advance to communicate with a specific server, or a general application such as browser software that communicates with an unspecified number of servers. It may be a program.
 また、金融アプリ122が提供するインタフェース画面のうち、特定のインタフェース画面を通じて実行される処理が完了するまでの間、他のプログラムから送信される通信データを破棄する構成としてもよい。例えば、金融アプリ122において、ユーザID及びパスワードの入力を受付けるインタフェース画面を提供する場合、このインタフェース画面を通じてユーザID及びパスワードの入力を受付け、受付けたユーザID及びパスワードをサーバ装置20へ送信するまでの間、他のプログラムから送信される通信データを破棄する構成としてもよい。 (4) Of the interface screens provided by the financial application 122, communication data transmitted from another program may be discarded until processing executed through a specific interface screen is completed. For example, in the case where the financial application 122 provides an interface screen for receiving the input of the user ID and the password, the financial application 122 accepts the input of the user ID and the password through the interface screen, and transmits the received user ID and the password to the server device 20. During this time, the communication data transmitted from another program may be discarded.
(実施の形態2)
 実施の形態2では、各プログラムによる通信データの送信先を判別し、正当な送信先が選択されている場合には、通信データの破棄を行わずに送信を許可する構成について説明する。 (Embodiment 2)
In the second embodiment, a configuration will be described in which the transmission destination of communication data by each program is determined, and when a valid transmission destination is selected, transmission is permitted without discarding the communication data.
 図5は実施の形態2に係るクライアント装置10が実行する処理の手順を説明するフローチャートである。クライアント装置10の制御部11は、ホワイトリストを更新するか否かを判断する(ステップS201)。制御部11は、ホワイトリストの更新指示を操作部15を通じて受付けた場合、若しくはホワイトリストの更新タイミングとして予め設定されているタイミングに到達した場合、ホワイトリストを更新すると判断する。 FIG. 5 is a flowchart illustrating a procedure of a process executed by the client device 10 according to the second embodiment. The control unit 11 of the client device 10 determines whether to update the white list (Step S201). The control unit 11 determines that the whitelist is to be updated when an instruction to update the whitelist is received through the operation unit 15 or when a timing set in advance as the whitelist update timing has been reached.
 ホワイトリストを更新すると判断した場合(S201:YES)、制御部11は、外部からホワイトリストを取得し、記憶部12に記憶されているホワイトリストを更新する(ステップS202)。ホワイトリストを更新しないと判断した場合(S201:NO)、制御部11は、ステップS203移行の処理を実行する。 If the control unit 11 determines that the whitelist is to be updated (S201: YES), the control unit 11 acquires a whitelist from the outside and updates the whitelist stored in the storage unit 12 (step S202). When it is determined that the white list is not updated (S201: NO), the control unit 11 executes the process of step S203.
 次いで、実施の形態1と同様の手順にて、金融アプリ122、通信制御アプリ123、及びVPNアプリ121を起動し、サーバ装置20との間でVPN接続を確立させる(ステップS203~205)。 Next, the financial application 122, the communication control application 123, and the VPN application 121 are activated in the same procedure as in the first embodiment, and a VPN connection is established with the server device 20 (steps S203 to S205).
 次いで、制御部11は、クライアント装置10にインストールされているプログラムを通じて外部へ送信される通信データを取得したか否かを判断する(ステップS206)。取得していない場合(S206:NO)、制御部11は後述するステップS211へ処理を移行させる。なお、ステップS206から後述するステップS210までの処理は、制御部11によって実行される通信制御アプリ123の機能によって実現される処理である。 Next, the control unit 11 determines whether or not communication data to be transmitted to the outside has been acquired through the program installed in the client device 10 (step S206). If not acquired (S206: NO), the control unit 11 shifts the processing to step S211 described below. The processing from step S206 to step S210 described later is processing realized by the function of the communication control application 123 executed by the control unit 11.
 クライアント装置10にインストールされているプログラムを通じて外部へ送信される通信データを取得したと判断した場合(S206:YES)、制御部11は、取得した通信データの送信先がホワイトリストに掲載されている送信先であるか否かを判断する(ステップS207)。ホワイトリストに掲載されている送信先であると判断した場合(S207:YES)、制御部11は、処理をステップS209へ移行させる。 When it is determined that the communication data transmitted to the outside through the program installed in the client device 10 has been acquired (S206: YES), the control unit 11 lists the transmission destination of the acquired communication data on the whitelist. It is determined whether or not it is the transmission destination (step S207). When it is determined that the destination is a destination listed in the white list (S207: YES), the control unit 11 shifts the processing to step S209.
 ホワイトリストに掲載されていない送信先と判断した場合(S207:NO)、制御部11は、取得した通信データの送信元のプログラムが特定のプログラム(金融アプリ122)であるか否かを判断する(ステップS208)。 When determining that the transmission destination is not on the whitelist (S207: NO), the control unit 11 determines whether the transmission source program of the acquired communication data is a specific program (financial application 122). (Step S208).
 取得した通信データの送信元が特定のプログラム(金融アプリ122)であると判断した場合(S208:YES)、制御部11は、当該通信データを通信部13を通じて宛先装置へ送信する(ステップS209)。本実施の形態では、クライアント装置10とサーバ装置20との間でVPNが構築されているため、通信データはサーバ装置20へ送信されることになる。 When determining that the transmission source of the acquired communication data is a specific program (financial application 122) (S208: YES), the control unit 11 transmits the communication data to the destination device via the communication unit 13 (Step S209). . In the present embodiment, since a VPN is established between the client device 10 and the server device 20, communication data is transmitted to the server device 20.
 一方、取得した通信データの送信元が特定のプログラム(金融アプリ122)でないと判断した場合(S208:NO)、制御部11は、当該通信データを送信せずに破棄する処理を実行する(ステップS210)。 On the other hand, when determining that the transmission source of the acquired communication data is not the specific program (financial application 122) (S208: NO), the control unit 11 executes a process of discarding the communication data without transmitting the communication data (step S208). S210).
 次いで、制御部11は、金融アプリ122が停止されたか否かを判断する(ステップS211)。停止されていないと判断した場合(S211:NO)、制御部11は、処理をステップS206へ戻す。 Next, the control unit 11 determines whether the financial application 122 has been stopped (step S211). When judging that it has not been stopped (S211: NO), the control unit 11 returns the process to step S206.
 一方、金融アプリ122が停止されたと判断した場合(S211:YES)、制御部11は、VPNアプリ121を停止させ、クライアント装置10とサーバ装置20との間のVPN接続を解除する(ステップS212)。また、制御部11は、通信制御アプリ123を停止させ(ステップS213)、本フローチャートによる処理を終了する。 On the other hand, when determining that the financial application 122 has been stopped (S211: YES), the control unit 11 stops the VPN application 121 and releases the VPN connection between the client device 10 and the server device 20 (Step S212). . Further, the control unit 11 stops the communication control application 123 (step S213), and ends the processing according to the flowchart.
 以上のように、本実施の形態では、金融アプリ122以外のプログラムからの通信データであっても、送信先の安全性がホワイトリストによって確認できる場合には、通信データを破棄せずに送信することができる。 As described above, in the present embodiment, even if communication data is from a program other than the financial application 122, if the security of the transmission destination can be confirmed by the whitelist, the communication data is transmitted without being discarded. be able to.
(実施の形態3)
 実施の形態3では、ユーザにより送信が許可された場合、通信データの破棄を行わずに送信を許可する構成について説明する。 (Embodiment 3)
In the third embodiment, a configuration will be described in which, when transmission is permitted by a user, transmission is permitted without discarding communication data.
 図6は実施の形態3に係るクライアント装置10が実行する処理の手順を説明するフローチャートである。クライアント装置10の制御部11は、実施の形態1と同様の手順にて、金融アプリ122、通信制御アプリ123、及びVPNアプリ121を起動し、サーバ装置20との間でVPN接続を確立させる(ステップS301~303)。 FIG. 6 is a flowchart illustrating a procedure of a process executed by the client device 10 according to the third embodiment. The control unit 11 of the client device 10 starts the financial application 122, the communication control application 123, and the VPN application 121 in the same procedure as in the first embodiment, and establishes a VPN connection with the server device 20 ( Steps S301 to S303).
 次いで、制御部11は、クライアント装置10にインストールされているプログラムを通じて外部へ送信される通信データを取得したか否かを判断する(ステップS304)。取得していない場合(S304:NO)、制御部11は後述するステップS310へ処理を移行させる。なお、ステップS304から後述するステップS309までの処理は、制御部11によって実行される通信制御アプリ123の機能によって実現される処理である。 Next, the control unit 11 determines whether or not communication data to be transmitted to the outside has been acquired through the program installed in the client device 10 (step S304). If not acquired (S304: NO), the control unit 11 shifts the processing to step S310 described later. Note that the processing from step S304 to step S309 described later is processing realized by the function of the communication control application 123 executed by the control unit 11.
 クライアント装置10にインストールされているプログラムを通じて外部へ送信される通信データを取得したと判断した場合(S304:YES)、制御部11は、取得した通信データの送信元のプログラムが特定のプログラム(金融アプリ122)であるか否かを判断する(ステップS305)。 When determining that the communication data transmitted to the outside has been acquired through the program installed in the client device 10 (S304: YES), the control unit 11 determines that the transmission source program of the acquired communication data is a specific program (finance). It is determined whether the application is the application 122) (step S305).
 取得した通信データの送信元が特定のプログラム(金融アプリ122)であると判断した場合(S305:YES)、制御部11は、当該通信データを通信部13を通じて宛先装置へ送信する(ステップS306)。本実施の形態では、クライアント装置10とサーバ装置20との間でVPNが構築されているため、通信データはサーバ装置20へ送信されることになる。 When determining that the transmission source of the acquired communication data is a specific program (financial application 122) (S305: YES), the control unit 11 transmits the communication data to the destination device via the communication unit 13 (step S306). . In the present embodiment, since a VPN is established between the client device 10 and the server device 20, communication data is transmitted to the server device 20.
 一方、取得した通信データの送信元が特定のプログラム(金融アプリ122)でないと判断した場合(S305:NO)、制御部11は、送信の可否をユーザに問合わせ(ステップS307)。具体的には、制御部11は、送信の可否を問合わせるインタフェース画面を表示部14に表示させ、インタフェース画面を通じて送信の可否に係る設定を受付ける。 On the other hand, when determining that the transmission source of the acquired communication data is not a specific program (financial application 122) (S305: NO), the control unit 11 inquires of the user whether transmission is possible (step S307). Specifically, the control unit 11 causes the display unit 14 to display an interface screen for inquiring whether transmission is possible, and accepts a setting regarding transmission permission through the interface screen.
 制御部11は、送信の可否をユーザに問合わせた結果、特定のプログラム(金融アプリ122)以外のプログラムからの送信が許可されたか否かを判断し(ステップS308)、許可されたと判断した場合(S308:YES)、通信データを宛先装置へ送信する(S306)。 As a result of inquiring the user as to whether or not transmission is possible, the control unit 11 determines whether transmission from a program other than the specific program (financial application 122) is permitted (step S308). (S308: YES), the communication data is transmitted to the destination device (S306).
 一方、送信が許可されていないと判断した場合(S308:NO)、制御部11は、通信データを送信せずに破棄する処理を実行する(ステップS309)。 On the other hand, if it is determined that the transmission is not permitted (S308: NO), the control unit 11 executes a process of discarding the communication data without transmitting the data (step S309).
 次いで、制御部11は、金融アプリ122が停止されたか否かを判断する(ステップS310)。停止されていないと判断した場合(S310:NO)、制御部11は、処理をステップS304へ戻す。 Next, the control unit 11 determines whether the financial application 122 has been stopped (Step S310). When judging that it has not been stopped (S310: NO), the control unit 11 returns the process to step S304.
 一方、金融アプリ122が停止されたと判断した場合(S310:YES)、制御部11は、VPNアプリ121を停止させ、クライアント装置10とサーバ装置20との間のVPN接続を解除する(ステップS311)。また、制御部11は、通信制御アプリ123を停止させ(ステップS312)、本フローチャートによる処理を終了する。 On the other hand, when determining that the financial application 122 has been stopped (S310: YES), the control unit 11 stops the VPN application 121 and releases the VPN connection between the client device 10 and the server device 20 (step S311). . Further, the control unit 11 stops the communication control application 123 (step S312), and ends the processing according to the flowchart.
 以上のように、本実施の形態では、金融アプリ122以外のプログラムからの通信データであっても、送信先の安全性がユーザによって確認された場合には、通信データを破棄せずに送信することができる。 As described above, in the present embodiment, even if communication data is from a program other than the financial application 122, if the security of the transmission destination is confirmed by the user, the communication data is transmitted without being discarded. be able to.
(実施の形態4)
 実施の形態4では、通信データに特定の情報が含まれない場合、通信データの破棄を行わずに送信を許可する構成について説明する。 (Embodiment 4)
In the fourth embodiment, a configuration will be described in which when communication data does not include specific information, transmission is permitted without discarding the communication data.
 図7は実施の形態4に係るクライアント装置10が実行する処理の手順を説明するフローチャートである。クライアント装置10の制御部11は、実施の形態1と同様の手順にて、金融アプリ122、通信制御アプリ123、及びVPNアプリ121を起動し、サーバ装置20との間でVPN接続を確立させる(ステップS401~403)。 FIG. 7 is a flowchart illustrating a procedure of processing executed by the client device 10 according to the fourth embodiment. The control unit 11 of the client device 10 starts the financial application 122, the communication control application 123, and the VPN application 121 in the same procedure as in the first embodiment, and establishes a VPN connection with the server device 20 ( Steps S401 to S403).
 次いで、制御部11は、クライアント装置10にインストールされているプログラムを通じて外部へ送信される通信データを取得したか否かを判断する(ステップS404)。取得していない場合(S404:NO)、制御部11は後述するステップS409へ処理を移行させる。なお、ステップS404から後述するステップS408までの処理は、制御部11によって実行される通信制御アプリ123の機能によって実現される処理である。 Next, the control unit 11 determines whether or not communication data transmitted to the outside through the program installed in the client device 10 has been acquired (step S404). If not acquired (S404: NO), the control unit 11 shifts the processing to step S409 described below. Note that the processing from step S404 to step S408 described below is processing realized by the function of the communication control application 123 executed by the control unit 11.
 クライアント装置10にインストールされているプログラムを通じて外部へ送信される通信データを取得したと判断した場合(S404:YES)、制御部11は、取得した通信データの送信元のプログラムが特定のプログラム(金融アプリ122)であるか否かを判断する(ステップS405)。 When determining that the communication data transmitted to the outside has been acquired through the program installed in the client device 10 (S404: YES), the control unit 11 determines that the transmission source program of the acquired communication data is a specific program (finance). It is determined whether it is the application 122) (step S405).
 取得した通信データの送信元が特定のプログラム(金融アプリ122)であると判断した場合(S405:YES)、制御部11は、当該通信データを通信部13を通じて宛先装置へ送信する(ステップS406)。本実施の形態では、クライアント装置10とサーバ装置20との間でVPNが構築されているため、通信データはサーバ装置20へ送信されることになる。 When determining that the transmission source of the acquired communication data is a specific program (financial application 122) (S405: YES), the control unit 11 transmits the communication data to the destination device via the communication unit 13 (step S406). . In the present embodiment, since a VPN is established between the client device 10 and the server device 20, communication data is transmitted to the server device 20.
 一方、取得した通信データの送信元が特定のプログラム(金融アプリ122)でないと判断した場合(S405:NO)、制御部11は、送信対象の通信データに特定の情報が含まれるか否かを判断する(ステップS407)。ここでは、例えばユーザID及びパスワードといった外部への流出が好ましくない情報が通信データに含まれているか否かを判断する。 On the other hand, when determining that the transmission source of the acquired communication data is not the specific program (financial application 122) (S405: NO), the control unit 11 determines whether the specific information is included in the communication data to be transmitted. A determination is made (step S407). Here, it is determined whether or not information that is not desirable to be leaked to the outside, such as a user ID and a password, is included in the communication data.
 特定の情報が含まれていないと判断した場合(S407:NO)、制御部11は、通信データを宛先装置へ送信する(S406)。一方、特定の情報が含まれていると判断した場合(S407:YES)、制御部11は、通信データを送信せずに破棄する処理を実行する(ステップS408)。 If it is determined that the specific information is not included (S407: NO), the control unit 11 transmits the communication data to the destination device (S406). On the other hand, when determining that the specific information is included (S407: YES), the control unit 11 executes a process of discarding the communication data without transmitting the communication data (step S408).
 次いで、制御部11は、金融アプリ122が停止されたか否かを判断する(ステップS409)。停止されていないと判断した場合(S409:NO)、制御部11は、処理をステップS404へ戻す。 Next, the control unit 11 determines whether the financial application 122 has been stopped (step S409). When judging that it has not been stopped (S409: NO), the control unit 11 returns the process to step S404.
 一方、金融アプリ122が停止されたと判断した場合(S409:YES)、制御部11は、VPNアプリ121を停止させ、クライアント装置10とサーバ装置20との間のVPN接続を解除する(ステップS410)。また、制御部11は、通信制御アプリ123を停止させ(ステップS411)、本フローチャートによる処理を終了する。 On the other hand, when determining that the financial application 122 has been stopped (S409: YES), the control unit 11 stops the VPN application 121 and releases the VPN connection between the client device 10 and the server device 20 (Step S410). . The control unit 11 stops the communication control application 123 (step S411), and ends the processing according to the flowchart.
 以上のように、本実施の形態では、金融アプリ122以外のプログラムからの通信データであっても、ユーザID及びパスワードといった特定の情報が含まれない場合には、通信データを破棄せずに送信することができる。 As described above, in the present embodiment, even if communication data from a program other than the financial application 122 does not include specific information such as a user ID and a password, the communication data is transmitted without being discarded. can do.
(実施の形態5)
 実施の形態5では、ユーザにより送信が許可されているプログラムからの通信データについては、通信データの破棄を行わずに送信を許可する構成について説明する。 (Embodiment 5)
In the fifth embodiment, a configuration will be described in which transmission of communication data from a program permitted to be transmitted by a user is performed without discarding the communication data.
 図8は実施の形態5に係るクライアント装置10が実行する処理の手順を説明するフローチャートである。クライアント装置10の制御部11は、実施の形態1と同様の手順にて、金融アプリ122、通信制御アプリ123、及びVPNアプリ121を起動し、サーバ装置20との間でVPN接続を確立させる(ステップS501~503)。 FIG. 8 is a flowchart illustrating a procedure of processing executed by the client device 10 according to the fifth embodiment. The control unit 11 of the client device 10 starts the financial application 122, the communication control application 123, and the VPN application 121 in the same procedure as in the first embodiment, and establishes a VPN connection with the server device 20 ( Steps S501 to 503).
 次いで、制御部11は、クライアント装置10にインストールされているプログラムを通じて外部へ送信される通信データを取得したか否かを判断する(ステップS504)。取得していない場合(S504:NO)、制御部11は後述するステップS509へ処理を移行させる。なお、ステップS504から後述するステップS508までの処理は、制御部11によって実行される通信制御アプリ123の機能によって実現される処理である。 Next, the control unit 11 determines whether or not communication data to be transmitted to the outside has been acquired through the program installed in the client device 10 (step S504). If it has not been acquired (S504: NO), the control unit 11 shifts the processing to step S509 described below. Note that the processing from step S504 to step S508 described later is processing realized by the function of the communication control application 123 executed by the control unit 11.
 クライアント装置10にインストールされているプログラムを通じて外部へ送信される通信データを取得したと判断した場合(S504:YES)、制御部11は、取得した通信データの送信元のプログラムが特定のプログラム(金融アプリ122)であるか否かを判断する(ステップS505)。 When determining that the communication data transmitted to the outside has been acquired through the program installed in the client device 10 (S504: YES), the control unit 11 determines that the transmission source program of the acquired communication data is a specific program (finance). It is determined whether the application is the application 122) (step S505).
 取得した通信データの送信元が特定のプログラム(金融アプリ122)であると判断した場合(S505:YES)、制御部11は、当該通信データを通信部13を通じて宛先装置へ送信する(ステップS506)。本実施の形態では、クライアント装置10とサーバ装置20との間でVPNが構築されているため、通信データはサーバ装置20へ送信されることになる。 When determining that the transmission source of the acquired communication data is a specific program (financial application 122) (S505: YES), the control unit 11 transmits the communication data to the destination device via the communication unit 13 (Step S506). . In the present embodiment, since a VPN is established between the client device 10 and the server device 20, communication data is transmitted to the server device 20.
 一方、取得した通信データの送信元が特定のプログラム(金融アプリ122)でないと判断した場合(S505:NO)、制御部11は、送信元がユーザによって設定された対象外アプリであるか否かを判断する(ステップS507)。 On the other hand, when determining that the transmission source of the obtained communication data is not the specific program (financial application 122) (S505: NO), the control unit 11 determines whether the transmission source is a non-target application set by the user. Is determined (step S507).
 送信元が対象外アプリであると判断した場合(S507:YES)、制御部11は、通信データを宛先装置へ送信する(S506)。一方、送信元が対象外アプリでないと判断した場合(S507:NO)、制御部11は、通信データを送信せずに破棄する処理を実行する(ステップS508)。 If the source is determined to be a non-target application (S507: YES), the control unit 11 transmits the communication data to the destination device (S506). On the other hand, when determining that the transmission source is not the non-target application (S507: NO), the control unit 11 executes a process of discarding the communication data without transmitting the communication data (step S508).
 次いで、制御部11は、金融アプリ122が停止されたか否かを判断する(ステップS509)。停止されていないと判断した場合(S509:NO)、制御部11は、処理をステップS504へ戻す。 Next, the control unit 11 determines whether the financial application 122 has been stopped (step S509). If it is determined that the operation has not been stopped (S509: NO), the control unit 11 returns the process to step S504.
 一方、金融アプリ122が停止されたと判断した場合(S509:YES)、制御部11は、VPNアプリ121を停止させ、クライアント装置10とサーバ装置20との間のVPN接続を解除する(ステップS510)。また、制御部11は、通信制御アプリ123を停止させ(ステップS511)、本フローチャートによる処理を終了する。 On the other hand, if it is determined that the financial application 122 has been stopped (S509: YES), the control unit 11 stops the VPN application 121 and releases the VPN connection between the client device 10 and the server device 20 (Step S510). . Further, the control unit 11 stops the communication control application 123 (step S511), and ends the processing according to the flowchart.
 以上のように、本実施の形態では、金融アプリ122以外のプログラムからの通信データであっても、送信元のプログラム(アプリ)の安全性がユーザによって確認された場合には、通信データを破棄せずに送信することができる。 As described above, in the present embodiment, even if communication data is from a program other than the financial application 122, the communication data is discarded if the security of the source program (application) is confirmed by the user. Can be sent without.
(実施の形態6)
 実施の形態6では、特定のプログラム(例えば金融アプリ122)以外のプログラムを通じて通信データが送信される場合、その旨をユーザに報知する構成について説明する。 (Embodiment 6)
In the sixth embodiment, a configuration will be described in which, when communication data is transmitted through a program other than a specific program (for example, financial application 122), the user is notified of the fact.
 図9は実施の形態6に係るクライアント装置10が実行する処理の手順を説明するフローチャートである。クライアント装置10の制御部11は、実施の形態1と同様の手順にて、金融アプリ122、通信制御アプリ123、及びVPNアプリ121を起動し、サーバ装置20との間でVPN接続を確立させる(ステップS601~603)。 FIG. 9 is a flowchart illustrating a procedure of a process executed by the client device 10 according to the sixth embodiment. The control unit 11 of the client device 10 starts the financial application 122, the communication control application 123, and the VPN application 121 in the same procedure as in the first embodiment, and establishes a VPN connection with the server device 20 ( Steps S601 to 603).
 次いで、制御部11は、クライアント装置10にインストールされているプログラムを通じて外部へ送信される通信データを取得したか否かを判断する(ステップS604)。取得していない場合(S604:NO)、制御部11は後述するステップS609へ処理を移行させる。なお、ステップS604から後述するステップS607までの処理は、制御部11によって実行される通信制御アプリ123の機能によって実現される処理である。 Next, the control unit 11 determines whether or not communication data to be transmitted to the outside is acquired through the program installed in the client device 10 (step S604). If it has not been acquired (S604: NO), the control unit 11 shifts the processing to step S609 described later. The processing from step S604 to step S607 described later is processing realized by the function of the communication control application 123 executed by the control unit 11.
 クライアント装置10にインストールされているプログラムを通じて外部へ送信される通信データを取得したと判断した場合(S604:YES)、制御部11は、取得した通信データの送信元のプログラムが特定のプログラム(金融アプリ122)であるか否かを判断する(ステップS605)。 When determining that the communication data transmitted to the outside has been acquired through the program installed in the client device 10 (S604: YES), the control unit 11 determines that the transmission source program of the acquired communication data is a specific program (finance). It is determined whether the application is the application 122) (step S605).
 取得した通信データの送信元が特定のプログラム(金融アプリ122)であると判断した場合(S605:YES)、制御部11は、当該通信データを通信部13を通じて宛先装置へ送信する(ステップS606)。本実施の形態では、クライアント装置10とサーバ装置20との間でVPNが構築されているため、通信データはサーバ装置20へ送信されることになる。 When determining that the transmission source of the acquired communication data is a specific program (financial application 122) (S605: YES), the control unit 11 transmits the communication data to the destination device via the communication unit 13 (step S606). . In the present embodiment, since a VPN is established between the client device 10 and the server device 20, communication data is transmitted to the server device 20.
 一方、取得した通信データの送信元が特定のプログラム(金融アプリ122)でないと判断した場合(S605:NO)、制御部11は、特定のプログラム以外のプログラムによる通信データの送信処理が発生した旨をユーザに報知する(ステップS607)。このとき、制御部11は、特定のプログラム以外のプログラムによる通信データの送信処理が発生した旨の情報を表示部14へ出力し、当該情報を表示部14に表示させてもよい。また、クライアント装置10が音声出力部を備える場合、音声又は警報音により、特定のプログラム以外のプログラムによる通信データの送信処理が発生した旨をユーザに知らせてもよい。なお、制御部11は、特定のプログラム以外のプログラムからの通信データを送信する前に、その旨の情報をユーザに報知してもよく、通信データの送信が完了した後に、その旨の情報をユーザに報知してもよい。 On the other hand, when it is determined that the transmission source of the acquired communication data is not the specific program (financial application 122) (S605: NO), the control unit 11 informs that the transmission processing of the communication data by a program other than the specific program has occurred. Is notified to the user (step S607). At this time, the control unit 11 may output information to the effect that transmission processing of communication data by a program other than the specific program has occurred to the display unit 14 and cause the display unit 14 to display the information. In the case where the client device 10 includes an audio output unit, the user may be notified by voice or an alarm that a transmission process of communication data by a program other than a specific program has occurred. Note that the control unit 11 may notify the user of the information before transmitting communication data from a program other than the specific program, and may transmit the information to that effect after the transmission of the communication data is completed. The user may be notified.
 次いで、制御部11は、金融アプリ122が停止されたか否かを判断する(ステップS608)。停止されていないと判断した場合(S608:NO)、制御部11は、処理をステップS604へ戻す。 Next, the control unit 11 determines whether the financial application 122 has been stopped (Step S608). When judging that it has not been stopped (S608: NO), the control unit 11 returns the process to step S604.
 一方、金融アプリ122が停止されたと判断した場合(S608:YES)、制御部11は、VPNアプリ121を停止させ、クライアント装置10とサーバ装置20との間のVPN接続を解除する(ステップS609)。また、制御部11は、通信制御アプリ123を停止させ(ステップS610)、本フローチャートによる処理を終了する。 On the other hand, when it is determined that the financial application 122 has been stopped (S608: YES), the control unit 11 stops the VPN application 121 and releases the VPN connection between the client device 10 and the server device 20 (Step S609). . Further, the control unit 11 stops the communication control application 123 (Step S610), and ends the processing according to the flowchart.
 以上のように、本実施の形態では、金融アプリ122が起動している間、金融アプリ122以外の任意のプログラムからの送信処理をユーザに報知する構成としているので、ユーザID及びパスワード等の各種の情報が盗み出された可能性があることをユーザに知らせることが可能であり、ユーザID及びパスワード等を変更する等の対応を実施することが可能となる。 As described above, in the present embodiment, while the financial application 122 is running, the transmission process from any program other than the financial application 122 is notified to the user. Can be notified to the user that the information may have been stolen, and it is possible to take measures such as changing the user ID and the password.
(実施の形態7)
 実施の形態7では、中継装置を介して目的のサーバ装置20と通信を行う構成について説明する。 (Embodiment 7)
In the seventh embodiment, a configuration in which communication with a target server device 20 is performed via a relay device will be described.
 図10は実施の形態7に係る通信制御システムの全体構成を説明するブロック図である。本実施の形態に係る通信制御システムは、通信網Nを介して互いに通信可能に接続されるクライアント装置10、サーバ装置20、及び中継装置30を備える。クライアント装置10は、ユーザによって利用されるパーソナルコンピュータ、スマートフォンなどの端末装置であり、サーバ装置20にアクセスするためのソフトウェア(アプリケーションプログラム)がインストールされているものとする。サーバ装置20は、クライアント装置10からのアクセスを受付けた際にユーザ認証を行い、ユーザ認証に成功した場合、クライアント装置10に対して適宜のサービスを提供する。中継装置30は、クライアント装置10とサーバ装置20との間の通信を中継するサーバであり、クライアント装置10から受信した通信データをサーバ装置20へ送信すると共に、サーバ装置20から受信した通信データをクライアント装置10へ送信する。 FIG. 10 is a block diagram illustrating the overall configuration of the communication control system according to the seventh embodiment. The communication control system according to the present embodiment includes a client device 10, a server device 20, and a relay device 30 that are communicably connected to each other via a communication network N. The client device 10 is a terminal device such as a personal computer and a smartphone used by a user, and it is assumed that software (application program) for accessing the server device 20 is installed. The server device 20 performs user authentication when receiving access from the client device 10, and provides an appropriate service to the client device 10 when the user authentication is successful. The relay device 30 is a server that relays communication between the client device 10 and the server device 20. The relay device 30 transmits communication data received from the client device 10 to the server device 20 and transmits communication data received from the server device 20. Send to client device 10.
 以下では、サーバ装置20を金融機関等によって設置される金融サーバとし、クライアント装置10にインストールされている金融アプリ122を通じて送受信される通信データを中継装置30が中継する構成について説明する。 In the following, a configuration in which the server device 20 is a financial server installed by a financial institution or the like and the relay device 30 relays communication data transmitted and received through the financial application 122 installed in the client device 10 will be described.
 図11は中継装置30の内部構成を説明するフローチャートである。中継装置30は、制御部31、記憶部32、通信部33、表示部34及び操作部35を備える。 FIG. 11 is a flowchart illustrating the internal configuration of the relay device 30. The relay device 30 includes a control unit 31, a storage unit 32, a communication unit 33, a display unit 34, and an operation unit 35.
 制御部31は、CPU、ROM、RAMなどにより構成されている。制御部31が備えるCPUは、ROM又は記憶部32に記憶されている各種コンピュータプログラムをRAM上に展開して実行することにより、装置全体を本願の中継装置として機能させる。 The control unit 31 includes a CPU, a ROM, a RAM, and the like. The CPU included in the control unit 31 loads various computer programs stored in the ROM or the storage unit 32 on the RAM and executes the computer programs, thereby causing the entire device to function as the relay device of the present application.
 なお、制御部31は、上記の構成に限定されるものではなく、1又は複数のCPU、マルチコアCPU、マイコン等を含む任意の処理回路であればよい。また、制御部31は、計測開始指示を与えてから計測終了指示を与えるまでの経過時間を計測するタイマ、数をカウントするカウンタ等の機能を備えていてもよい。 The control unit 31 is not limited to the above configuration, and may be any processing circuit including one or more CPUs, a multi-core CPU, a microcomputer, and the like. Further, the control unit 31 may have a function such as a timer for measuring an elapsed time from when a measurement start instruction is given to when a measurement end instruction is given, a counter for counting the number, and the like.
 記憶部32は、EEPROM、ハードディスクなどの不揮発性の記憶装置により構成されており、各種のソフトウェア(コンピュータプログラム)及び各種のデータを記憶する。ここで、記憶部32に記憶されているソフトウェアには、クライアント装置10との間でVPNを構築するためのVPNアプリ321、中継装置30における通信を制御する通信制御アプリ322などが含まれる。また、記憶部32が記憶する情報には、通信相手を制限するために用いられる情報(後述するホワイトリスト)が含まれていてもよい。 The storage unit 32 is configured by a nonvolatile storage device such as an EEPROM and a hard disk, and stores various software (computer programs) and various data. Here, the software stored in the storage unit 32 includes a VPN application 321 for establishing a VPN with the client device 10, a communication control application 322 for controlling communication in the relay device 30, and the like. Further, the information stored in the storage unit 32 may include information (whitelist described later) used for restricting communication partners.
 なお、記憶部32に記憶されるプログラムは、当該プログラムを読み取り可能に記録した非一時的な記録媒体M2により提供されてもよい。記録媒体M2は、例えば、CD-ROM、USBメモリ、SD(Secure Digital)カード、マイクロSDカード、コンパクトフラッシュ(登録商標)などの可搬型メモリである。この場合、制御部31は、不図示の読取装置を用いて記録媒体M2から各種プログラムを読み取り、読み取った各種プログラムを記憶部32にインストールする。また、記憶部32に記憶されるプログラムは、通信部33を介した通信により提供されてもよい。この場合、制御部31は、通信部33を通じて各種プログラムを取得し、取得した各種プログラムを記憶部32にインストールする。 Note that the program stored in the storage unit 32 may be provided by a non-transitory recording medium M2 in which the program is readablely recorded. The recording medium M2 is, for example, a portable memory such as a CD-ROM, a USB memory, an SD (Secure Digital) card, a micro SD card, and a compact flash (registered trademark). In this case, the control unit 31 reads various programs from the recording medium M2 using a reading device (not shown), and installs the read various programs in the storage unit 32. Further, the program stored in the storage unit 32 may be provided by communication via the communication unit 33. In this case, the control unit 31 acquires various programs through the communication unit 33 and installs the acquired various programs in the storage unit 32.
 通信部33は、通信網Nを通じてクライアント装置10及びサーバ装置20と通信を行うためのインタフェースを備える。通信部33は、クライアント装置10又はサーバ装置20へ送信すべき情報が制御部31から入力された場合、入力された情報をクライアント装置10又はサーバ装置20へ送信する共に、通信網Nを通じて受信したクライアント装置10又はサーバ装置20からの情報を制御部31へ出力する。 The communication unit 33 includes an interface for communicating with the client device 10 and the server device 20 through the communication network N. When information to be transmitted to the client device 10 or the server device 20 is input from the control unit 31, the communication unit 33 transmits the input information to the client device 10 or the server device 20 and receives the information through the communication network N. The information from the client device 10 or the server device 20 is output to the control unit 31.
 表示部34は、液晶ディスプレイ、有機ELディスプレイなどの表示デバイスを備え、中継装置30の管理者に対して報知すべき情報を表示する。また、操作部35は、タッチパネル、各種ボタンを備え、中継装置30の管理者による操作を受付け、受付けた操作情報を制御部31へ出力する。 The display unit 34 includes a display device such as a liquid crystal display and an organic EL display, and displays information to be notified to the administrator of the relay device 30. The operation unit 35 includes a touch panel and various buttons, receives an operation performed by an administrator of the relay device 30, and outputs the received operation information to the control unit 31.
 図12は実施の形態7に係る中継装置30が実行する処理の手順を説明するフローチャートである。中継装置30の制御部31は、クライアント装置10との通信に先立ち、記憶部32から通信制御アプリ322を読出し、読出した通信制御アプリ322を起動する(ステップS701)。 FIG. 12 is a flowchart illustrating a procedure of a process executed by the relay device 30 according to the seventh embodiment. Prior to the communication with the client device 10, the control unit 31 of the relay device 30 reads the communication control application 322 from the storage unit 32 and activates the read communication control application 322 (step S701).
 また、制御部31は、記憶部32に記憶されているVPNアプリ321を起動し、同じくVPNアプリ121が実行されるクライアント装置10との間でVPN接続を確立させる(ステップS702)。 The control unit 31 activates the VPN application 321 stored in the storage unit 32 and establishes a VPN connection with the client device 10 on which the VPN application 121 is also executed (step S702).
 次いで、制御部31は、通信部33を通じて、クライアント装置10から送信される通信データを取得したか否かを判断する(ステップS703)。取得していない場合(S703:NO)、制御部31は後述するステップS707へ処理を移行させる。なお、ステップS703から後述するステップS706までの処理は、制御部31によって実行される通信制御アプリ322の機能によって実現される処理である。 Next, the control unit 31 determines whether or not communication data transmitted from the client device 10 has been acquired through the communication unit 33 (step S703). If it has not been acquired (S703: NO), the control unit 31 shifts the processing to step S707 described below. The processing from step S703 to step S706, which will be described later, is processing realized by the function of the communication control application 322 executed by the control unit 31.
 クライアント装置10から送信される通信データを取得したと判断した場合(S703:YES)、制御部31は、取得した通信データの送信元のプログラムがクライアント装置10にインストールされた特定のプログラム(金融アプリ122)であるか否かを判断する(ステップS704)。本実施の形態では、金融アプリ122以外の任意のプログラムからの送信を制限するために、取得した通信データの送信元が金融アプリ122であるか否かを判断する。 When it is determined that the communication data transmitted from the client device 10 has been acquired (S703: YES), the control unit 31 determines that the transmission source program of the acquired communication data is a specific program (financial application) installed in the client device 10. 122) is determined (step S704). In the present embodiment, in order to restrict transmission from any program other than the financial application 122, it is determined whether or not the source of the acquired communication data is the financial application 122.
 取得した通信データの送信元が特定のプログラム(金融アプリ122)であると判断した場合(S704:YES)、制御部31は、当該通信データを通信部33を通じて中継先のサーバ装置20へ送信する(ステップS705)。なお、中継装置30とサーバ装置20との間にもVPNを構築してもよいことは勿論のことである。 When determining that the transmission source of the acquired communication data is a specific program (financial application 122) (S704: YES), the control unit 31 transmits the communication data to the relay destination server device 20 through the communication unit 33. (Step S705). In addition, it goes without saying that a VPN may be constructed between the relay device 30 and the server device 20.
 一方、取得した通信データの送信元が特定のプログラム(金融アプリ122)でないと判断した場合(S704:NO)、制御部31は、当該通信データを送信せずに破棄する処理を実行する(ステップS706)。これにより、金融アプリ122以外の任意のプログラムにより指定された宛先への通信データの送信が回避されるので、ユーザID及びパスワード等の各種の情報を盗み出すような悪意のあるプログラムがインストールされた場合であっても、当該プログラムからのデータの送信を止めることができる。 On the other hand, when determining that the transmission source of the acquired communication data is not the specific program (financial application 122) (S704: NO), the control unit 31 executes a process of discarding the communication data without transmitting the communication data (step S704). S706). As a result, transmission of communication data to a destination specified by an arbitrary program other than the financial application 122 is avoided, so that a malicious program that steals various information such as a user ID and a password is installed. However, the transmission of data from the program can be stopped.
 次いで、制御部31は、クライアント装置10において金融アプリ122が停止されたか否かを判断する(ステップS707)。停止されていないと判断した場合(S707:NO)、制御部31は、処理をステップS703へ戻す。 Next, the control unit 31 determines whether or not the financial application 122 has been stopped in the client device 10 (step S707). If it is determined that the operation has not been stopped (S707: NO), the control unit 31 returns the process to step S703.
 一方、金融アプリ122が停止されたと判断した場合(S707:YES)、制御部31は、VPNアプリ321を停止させ、中継装置30とクライアント装置10との間のVPN接続を解除する(ステップS708)。また、制御部31は、通信制御アプリ322を停止させ(ステップS709)、本フローチャートによる処理を終了する。 On the other hand, when determining that the financial application 122 has been stopped (S707: YES), the control unit 31 stops the VPN application 321 and releases the VPN connection between the relay device 30 and the client device 10 (step S708). . The control unit 31 stops the communication control application 322 (step S709), and ends the processing according to the flowchart.
 以上のように、本実施の形態では、クライアント装置10において金融アプリ122が起動している間、金融アプリ122以外の任意のプログラムから送信される通信データを破棄する構成としているので、ユーザID及びパスワード等の各種の情報を盗み出すような悪意のあるプログラムがインストールされた場合であっても、当該プログラムからのデータの中継を停止することができる。 As described above, in the present embodiment, while the financial application 122 is running on the client device 10, communication data transmitted from any program other than the financial application 122 is discarded. Even when a malicious program that steals various information such as a password is installed, the relay of data from the program can be stopped.
 今回開示された実施の形態は、全ての点で例示であって、制限的なものではないと考えられるべきである。本発明の範囲は、上述した意味ではなく、請求の範囲によって示され、請求の範囲と均等の意味及び範囲内での全ての変更が含まれることが意図される。 実 施 The embodiments disclosed this time are illustrative in all aspects and should not be construed as limiting. The scope of the present invention is defined by the terms of the claims, rather than the description above, and is intended to include any modifications within the scope and meaning equivalent to the terms of the claims.
 10 クライアント装置
 11 制御部
 12 記憶部
 13 通信部
 14 表示部
 15 操作部
 20 サーバ装置
 30 中継装置
 121 VPNアプリ
 122 金融アプリ
 123 通信制御アプリ Reference Signs List 10 client device 11 control unit 12 storage unit 13 communication unit 14 display unit 15 operation unit 20 server device 30 relay device 121 VPN application 122 financial application 123 communication control application

Claims (12)

  1.  通信網を介して外部装置と通信する機能を備えた複数のプログラムがインストールされたコンピュータに、
     前記プログラムを通じて送信される全ての通信データを取得し、
     取得した通信データのうち、特定のプログラムを通じて送信される通信データ以外の通信データを破棄する
     処理を実行させるためのコンピュータプログラム。     A computer in which a plurality of programs having a function of communicating with an external device via a communication network is installed,
    Obtain all communication data transmitted through the program,
    A computer program for executing a process of discarding communication data other than communication data transmitted through a specific program among acquired communication data.
  2.  正当な送信先に係る情報を記憶する記憶部を参照して、取得した通信データの送信先が正当な送信先であるか否かを判断し、
     正当な送信先であると判断した場合、前記通信データの送信を許可する
     処理を前記コンピュータに実行させるための請求項1に記載のコンピュータプログラム。     With reference to the storage unit that stores information related to the valid transmission destination, determine whether the transmission destination of the acquired communication data is a valid transmission destination,
    The computer program according to claim 1, wherein the computer program causes the computer to execute a process of permitting transmission of the communication data when it is determined that the communication data is a valid transmission destination.
  3.  正当な送信先に係る情報を外部から取得し、
     取得した情報に基づき、前記記憶部に記憶してある送信先に係る情報を更新する
     処理を前記コンピュータに実行させるための請求項2に記載のコンピュータプログラム。     Obtain information on the valid destination from outside,
    The computer program according to claim 2, wherein the computer program causes the computer to execute a process of updating information on a transmission destination stored in the storage unit based on the acquired information.
  4.  取得した通信データの送信可否に係る設定を受付け、
     送信を可とする設定を受付けた場合、前記通信データの送信を許可する
     処理を前記コンピュータに実行させるための請求項1から請求項3の何れか1つに記載のコンピュータプログラム。     Accepting the setting related to the transmission availability of the acquired communication data,
    The computer program according to any one of claims 1 to 3, wherein the computer program causes the computer to execute a process of permitting transmission of the communication data when a setting to permit transmission is received.
  5.  取得した通信データが特定の情報を含むか否かを判断し、
     前記通信データが特定の情報を含ないと判断した場合、前記通信データの送信を許可する
     処理を前記コンピュータに実行させるための請求項1から請求項4の何れか1つに記載のコンピュータプログラム。     Determine whether the acquired communication data contains specific information,
    The computer program according to any one of claims 1 to 4, wherein the computer program causes the computer to execute a process of permitting transmission of the communication data when it is determined that the communication data does not include specific information.
  6.  通信データの送信を許可するプログラムの選択を受付け、
     取得した通信データが、選択されたプログラムを通じて送信される通信データである場合、該通信データの送信を許可する
     処理を前記コンピュータに実行させるための請求項1から請求項5の何れか1つに記載のコンピュータプログラム。     Accept the selection of a program that allows transmission of communication data,
    The method according to claim 1, wherein when the acquired communication data is communication data transmitted through a selected program, the computer is configured to execute a process of permitting transmission of the communication data. Computer program as described.
  7.  通信網を介して外部装置と通信する機能を備えた複数のプログラムがインストールされたコンピュータに、
     前記プログラムを通じて送信される全ての通信データを取得し、
     取得した通信データに、特定のプログラムを通じて送信される通信データ以外の通信データが含まれる場合、前記特定のプログラム以外のプログラムによる送信の発生を報知する
     処理を実行させるためのコンピュータプログラム。     A computer in which a plurality of programs having a function of communicating with an external device via a communication network is installed,
    Obtain all communication data transmitted through the program,
    When the acquired communication data includes communication data other than communication data transmitted through a specific program, a computer program for executing processing for notifying occurrence of transmission by a program other than the specific program.
  8.  前記通信網は、定められた外部装置との間で構築されるVPN(Virtual Private Network )である
     請求項1から請求項7の何れか1つに記載のコンピュータプログラム。     The computer program according to any one of claims 1 to 7, wherein the communication network is a VPN (Virtual Private Network) constructed with a predetermined external device.
  9.  前記通信網は、定められた中継装置との間で構築されるVPN(Virtual Private Network )である
     請求項1から請求項7の何れか1つに記載のコンピュータプログラム。     The computer program according to any one of claims 1 to 7, wherein the communication network is a VPN (Virtual Private Network) configured with a predetermined relay device.
  10.  通信網を介して外部装置と通信する機能を備えた複数のプログラムがインストールされたコンピュータにより、
     前記プログラムを通じて送信される全ての通信データを取得し、
     取得した通信データのうち、特定のプログラムを通じて送信される通信データ以外の通信データを破棄する
     処理を行う通信制御方法。     By a computer in which a plurality of programs having a function of communicating with an external device via a communication network are installed,
    Obtain all communication data transmitted through the program,
    A communication control method for performing a process of discarding communication data other than communication data transmitted through a specific program from the acquired communication data.
  11.  通信網を介して外部装置と通信する機能を備えた複数のプログラムを記憶する記憶部と、
     前記プログラムを通じて送信される全ての通信データを取得する取得部と
     取得した通信データのうち、特定のプログラムを通じて送信される通信データ以外の通信データを破棄する通信破棄部と
     を備える通信制御装置。     A storage unit that stores a plurality of programs having a function of communicating with an external device via a communication network,
    A communication control device comprising: an acquisition unit that acquires all communication data transmitted through the program; and a communication discard unit that discards communication data other than communication data transmitted through a specific program among the acquired communication data.
  12.  通信網を介して外部装置と通信する機能を備えた複数のプログラムがインストールされた端末装置から、前記プログラムを通じて送信される全ての通信データを取得する取得部と、
     取得した通信データのうち、特定のプログラムを通じて送信される通信データ以外の通信データを破棄する通信破棄部と
     を備える中継装置。     From a terminal device installed with a plurality of programs having a function of communicating with an external device via a communication network, an acquisition unit that acquires all communication data transmitted through the programs,
    And a communication discarding unit that discards communication data other than communication data transmitted through a specific program in the acquired communication data.
PCT/JP2018/032126 2018-08-30 2018-08-30 Computer program, communication control method, communication control device, and relay device WO2020044494A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
JP2020539949A JP7215486B2 (en) 2018-08-30 2018-08-30 COMPUTER PROGRAM, COMMUNICATION CONTROL METHOD, COMMUNICATION CONTROL DEVICE, AND RELAYER
PCT/JP2018/032126 WO2020044494A1 (en) 2018-08-30 2018-08-30 Computer program, communication control method, communication control device, and relay device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/JP2018/032126 WO2020044494A1 (en) 2018-08-30 2018-08-30 Computer program, communication control method, communication control device, and relay device

Publications (1)

Publication Number Publication Date
WO2020044494A1 true WO2020044494A1 (en) 2020-03-05

Family

ID=69644006

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2018/032126 WO2020044494A1 (en) 2018-08-30 2018-08-30 Computer program, communication control method, communication control device, and relay device

Country Status (2)

Country Link
JP (1) JP7215486B2 (en)
WO (1) WO2020044494A1 (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2002207672A (en) * 2001-01-12 2002-07-26 Canon Inc Device, method and program for controlling transmission of electronic mail, and storage medium
JP2014170327A (en) * 2013-03-01 2014-09-18 Canon Electronics Inc Information processing device, control method therefor, and information processing system
JP2016213774A (en) * 2015-05-13 2016-12-15 富士通株式会社 Communication system

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP5988407B1 (en) * 2015-05-13 2016-09-07 Necプラットフォームズ株式会社 Communication path control device, communication path control system, communication path control method, and communication path control program

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2002207672A (en) * 2001-01-12 2002-07-26 Canon Inc Device, method and program for controlling transmission of electronic mail, and storage medium
JP2014170327A (en) * 2013-03-01 2014-09-18 Canon Electronics Inc Information processing device, control method therefor, and information processing system
JP2016213774A (en) * 2015-05-13 2016-12-15 富士通株式会社 Communication system

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
NTT LEARNING SYSTEMS CORPORATION: ".com Master ★★ 2009 NTT Communications Internet Certification Study Book (.com Master textbook)", 2009, SHOEISHA, ISBN: 978-4-7981-1913-7, article "Port Filtering", pages: 104 - 105 *

Also Published As

Publication number Publication date
JP7215486B2 (en) 2023-01-31
JPWO2020044494A1 (en) 2021-08-12

Similar Documents

Publication Publication Date Title
JP6224792B2 (en) Method, system, and computer-readable recording medium for proxy authentication
US20140282992A1 (en) Systems and methods for securing the boot process of a device using credentials stored on an authentication token
JP6412140B2 (en) Make sure to allow access to remote resources
US20200329032A1 (en) Secure gateway onboarding via mobile devices for internet of things device management
EP3225008B1 (en) User-authentication-based approval of a first device via communication with a second device
US20150350910A1 (en) Shared network connection credentials on check-in at a user&#39;s home location
WO2019015516A1 (en) Methods and apparatus for authentication of joint account login
WO2018095372A1 (en) Method for accessing network, and control terminal and router
US9977888B2 (en) Privacy protected input-output port control
EP2974123B1 (en) Systems and methods for account recovery using a platform attestation credential
US9443069B1 (en) Verification platform having interface adapted for communication with verification agent
CN110213760B (en) Router, mobile terminal, network connection method thereof and storage medium
CN111355723A (en) Single sign-on method, device, equipment and readable storage medium
US20190306153A1 (en) Adaptive risk-based password syncronization
US9984217B2 (en) Electronic authentication of an account in an unsecure environment
EP4172821B1 (en) Method and system of securing vpn communications
JP6984387B2 (en) Information processing equipment, access control methods, programs and systems
KR20210022532A (en) Information processing device, information processing method and program
KR20210011577A (en) Apparatus and Method for Personal authentication using Sim Toolkit and Applet
JP6322976B2 (en) Information processing apparatus and user authentication method
JP2021152975A (en) Information processing apparatus, control method, and program
WO2020044494A1 (en) Computer program, communication control method, communication control device, and relay device
CN108259456B (en) Method, device, equipment and computer storage medium for realizing user login-free
JP4702041B2 (en) Access control system, access control method, and access control apparatus
JP2006040197A (en) Storage device, data management system, and method and program for data invalidation

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 18932068

Country of ref document: EP

Kind code of ref document: A1

ENP Entry into the national phase

Ref document number: 2020539949

Country of ref document: JP

Kind code of ref document: A

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 18932068

Country of ref document: EP

Kind code of ref document: A1