JP2007226827A - Login request receiving apparatus and access management apparatus - Google Patents

Abstract

PROBLEM TO BE SOLVED: To prevent unauthorized access to a computer system.
An authentication server receives a login request from a first user to an in-house network and an input of information for a second user to confirm the validity of the login request. Electronic information including information for confirming the validity of the login request is sent to the cellular phone 5 of the associated second user.
[Selection] Figure 1

Description

  The present invention relates to security management of a computer system, and more particularly to a technique for determining the validity of an access request to a computer system.

  In a closed system in which access authority is given only to a predetermined user (for example, an employee) such as a company internal system, an authorized user may be permitted to access from outside the system.

  When such a system receives an access request from the outside, it is extremely important in terms of security management to confirm whether or not the user is a truly authorized user. Therefore, in such a system, in order to prevent unauthorized access, normally, when an access request or login request is received from a user, it is confirmed whether or not the user is an authorized user (user authentication). Known user authentication methods include password authentication and biometric authentication using fingerprints.

  However, passwords can be stolen or decrypted, and if a fingerprint is created as a dummy, unauthorized access is permitted.

  Therefore, an object of the present invention is to provide a new user authentication technique for preventing unauthorized access.

  Another object of the present invention is for an administrator to support behavior management of a management subject such as a subordinate.

  Still another object of the present invention is to support login permission / rejection determination when a login request is made.

  A login request accepting apparatus for a computer system according to one aspect of the present invention accepts a log-in request from a first user for a computer system and input of information for allowing a second user to confirm the validity of the log-in request. Receiving means, and means for sending electronic information including information for confirming the validity of the login request to the communication device of the second user previously associated with the first user. .

  In a preferred embodiment, the reception unit further receives the identification information of the first user, and the login request reception device stores the user identification information and the communication device of the second user in association with each other. A storage means is further provided.

  Further, the second user may be a person who manages or supervises the first user.

  An access management device according to an aspect of the present invention includes: a receiving unit that receives identification information of the user and information indicating a reason for access from a user who desires access to the computer system; and the user identification information Means for sending electronic information including information for identifying the user and information indicating the reason for the access request to a communication device associated in advance; and the accepting means includes the user identification information and the access request And an access management means for permitting the user to access the computer system when receiving an input of information indicating the reason.

  In a preferred embodiment, the accepting means further accepts a desired access time, and the access management means disconnects the access when the user has accessed the protected system after the desired access time has passed.

  In a preferred embodiment, the apparatus further comprises receiving means for receiving electronic information transmitted from the communication device, and when the receiving means receives electronic information indicating that access is not permitted from the communication device, the access management means is the computer. Disconnect access to the system.

  In a preferred embodiment, the apparatus further comprises authentication means for performing first and second authentication for the user, and the receiving means further receives information necessary for the first and second authentication.

  In a preferred embodiment, the accepting means accepts input of information related to past access of the user to the computer system, the first authentication is authentication based on the user identification information, and the second authentication The authentication is authentication based on information related to the past access.

  An access management device according to an aspect of the present invention includes: a receiving unit that receives identification information of the user and information indicating a reason for access from a user who desires access to the computer system; and the user identification information Means for transmitting electronic information including information for identifying the user and information indicating the reason for access to a communication device associated in advance; and reception for receiving electronic information transmitted from the communication device And an access management means for permitting the user to access the computer system if the electronic information received by the receiving means is information indicating that the access to the computer system is permitted. .

  Hereinafter, a system according to an embodiment to which the present invention is applied will be described with reference to the drawings.

  The overall structure of this system is shown in FIG. The system includes an authentication server 1 for authenticating and monitoring users in order to restrict access to users other than authorized users and protect the computer system. As a preferred example of a computer system to be protected, the present embodiment will be described using an in-house network 9 of a company. A person who can access the in-house network 9 is a predetermined person such as an employee of the company. When an employee wants to access the in-house network 9, the user terminal 2 makes a login request to the authentication server 1 via the network 3 such as the Internet. If this login request is permitted, the user can access the in-house network 9.

  Further, in order to confirm the validity of the access request to the in-house network 9, the authentication server 1 communicates with the network phone 3, the wireless base station 4 and the mobile phone 5 with the administrator's mobile phone 5 that manages the user who has requested the access. Data is transmitted and received through a telephone telephone network (not shown).

  Here, the “manager” includes a person who is in a position to manage, supervise, monitor, or guide the “user” directly or indirectly. Typically, the “manager” and the “user” have a so-called supervisor-subordinate relationship, but are not necessarily limited thereto. For example, when “User” is an outsourced employee, “Administrator” may be an outsourced employee, or “User” and “Administrator” may monitor each other's actions. .

  The authentication server 1 and the user terminal 2 are both configured by, for example, a general-purpose computer system, and individual components or functions described below are realized by executing a computer program, for example. In addition, the mobile phone 5 does not necessarily have to be a mobile phone of the type that is currently in use. For example, portable and desktop personal computers and PDAs (personal data assistants) having an Internet communication function by e-mail or WWW. Alternatively, other types of mobile communication devices such as mobile phones that have evolved from the present to the future may be replaced.

  The authentication server 1 includes a network interface unit 11, a login processing unit 12, a web page 13, an administrator interface 14, an administrator table 15, an access monitoring unit 16, a user table 18, and an access log 19. Prepare.

  The network interface unit 11 controls data input / output with respect to the network 3. Further, the network interface unit 11 records in the access log 19 a communication record (access destination or service used) of a user who is permitted to access the internal network 9. The access log 19 includes, for example, a user ID, usage time, capacity, access destination identification information (address, etc.), transmission / reception command, response code, transmission / reception character string, and the like as data items.

  The user table 18 stores personal information of users who have authority to access the corporate network 9. For example, the user table 18 includes a user ID 181, a password 182, and an e-mail address 183 as data items, as shown in FIG. When receiving the access request, the login processing unit 12 refers to the user table 18 and performs user authentication. The e-mail address 183 is an e-mail address in the in-house network 9 (in-house). When the user with the user ID 181 logs in from the user terminal 2, the login processing unit 12 transmits an email for notifying the fact of login to the email address 183.

  In the administrator table 15, information indicating the administrator of the user registered in the user table 18 is registered. For example, as shown in FIG. 2B, the administrator table 15 stores a user ID 151 and administrator email addresses 152 and 153 in association with each other. Here, there are a plurality of administrator e-mail addresses for the following reasons. That is, as will be described later, the administrator interface 14 refers to the administrator table 15 and transmits an e-mail to the administrator's mobile phone 5. At this time, priorities may be set in advance among a plurality of e-mail addresses, and the e-mail addresses may be transmitted in order from the highest e-mail address.

  The web page 13 accepts input of information from a user who has accessed the authentication server 1 or provides information to the user. An example of the web page 13 is a login application screen 100 shown in FIG. Details of the login application screen 100 will be described later.

  When the login processing unit 12 receives an access request from the user terminal 2, the login processing unit 12 determines whether to permit the request.

  For example, when a user who wishes to log in to the in-house network 9 accesses the authentication server 1 from the user terminal 2, the login application screen 100 is displayed on a display unit (not shown) of the user terminal 2. Then, the authentication server 1 receives information input from the login application screen 100.

  An example of the login application screen 100 is shown in FIG. The login application screen 100 has a user ID input area 101 and a password input area 102. The login processing unit 12 performs user authentication by comparing the user ID and password input here with those stored in the user table 18 in advance. As a result of the user authentication, if it is confirmed that the user is a legitimate user, the login processing unit 12 may permit the login. Alternatively, as will be described later, in addition to authentication using a user ID and password, login may be permitted when a login permission notification is received from the administrator. Further, additional authentication as described later may be performed.

  Login application screen 100 further includes an area for accepting input of additional information for login. In other words, the login application screen 100 has an input area 103 for a scheduled time (time for which access is desired) to continue the logged-in state, where in the in-house network 9 is accessed (access destination), or what to do ( Input area 104 for selecting the (use service) and an input area 105 for the reason for logging in. The validity of the login request can be confirmed with some or all of the items included in the login additional information. Part or all of the additional login information input here is transmitted by e-mail or the like to the cellular phone 5 of the user's administrator who logs in as described later (see FIG. 4).

  The login additional information input here is stored in a storage unit (not shown). At this time, the information input in the input area 104 is stored in the storage unit after being replaced with information that can uniquely identify the access destination, such as the server name or URL (Uniform Resource Locator) of the access destination. Also good.

  Further, even if the login processing unit 12 once permits access to the in-house network 9, it cancels it in a predetermined case such as when an instruction is received from the access monitoring unit 16 or the administrator interface 14. Disconnect communication.

  The administrator interface 14 transmits / receives information to / from an administrator of a user who wishes to log in to the internal network 9. For example, the administrator interface 14 has an electronic mail function. Then, a text file including the login additional information input on the login application screen 100 is generated and transmitted to the communication device 5 of the administrator of the user who has requested access via the network interface 11. At this time, the e-mail addresses 152 and 153 of the administrator's mobile phone 5 corresponding to the ID of the user who has made an access request by referring to the administrator table 15 are acquired as the e-mail addresses of the transmission destinations. To do.

  FIG. 4 is an example when login additional information is displayed on the cellular phone 5 of the administrator who has received the e-mail. That is, the content of the received e-mail is displayed on the display unit 51 of the mobile phone 5. Here, in addition to the additional information, information for specifying the user who requested the access is also included. The information for specifying the user may be information sufficient for the received administrator to specify the user. For example, a user ID, a user name (including a nickname, initial, etc.), or a combination of a department and a user name may be used.

  The administrator interface 14 also transmits an e-mail to the administrator's e-mail address when receiving an e-mail notification instruction from the access monitoring unit 16 as described later.

  The administrator can send a reply mail to the received electronic mail by operating the mobile phone 5. Information indicating login permission or disapproval can be attached to the reply mail. The administrator interface 14 receives this reply mail, and notifies the login processing unit 12 when the reply mail indicates that login is permitted, and when the reply mail indicates that login is not permitted.

  The access monitoring unit 16 monitors user access with reference to the access log 19. When an unauthorized access is detected, such as when accessing a location different from the access destination declared in advance, the login processing unit 12 is instructed to disconnect. Details of the processing of the access monitoring unit 16 will be described later.

  The procedure of the process performed by the authentication server 1 having the above-described configuration will be described with reference to the flowcharts of FIGS.

  As shown in FIG. 5, the processing of the authentication server 1 is performed while the user is accessing the in-house network 9 after the login is permitted and the login processing S1 for determining whether or not the user is permitted to log in. This is divided into in-access processing S2.

  The authentication server 1 performs the following process as the login process S1. That is, when a user who wishes to log in to the internal network 9 accesses the authentication server 1 from the user terminal 2, this is accepted and the login application screen 100 is displayed on the user terminal 2. A user inputs a required information in each input item of the login application screen 100 and makes a login application (S11). When this login application is accepted, the user ID and password input by the login processing unit 12 are checked against the user ID and password registered in the user table 18 to perform user authentication (S12). When the user ID and the password match, the administrator interface 14 generates a text file including login additional information. Then, the administrator's e-mail address 152 corresponding to the user ID is acquired with reference to the administrator table 15. The administrator interface 14 transmits the generated text file to the administrator using the electronic mail function (S13). Note that the order of step S12 and step S13 may be reversed. That is, step S13 may be performed before step S12.

  As a result, the user who requests access can input the login additional information and can notify the administrator of the user. The administrator who has received the notification of the additional login information can confirm in real time what his / her subordinate has applied for as additional information in order to log in to the internal network 9 from the outside. As a result, the administrator can confirm whether the application contents of the subordinates are consistent with the operations of the subordinates and the latest actions.

  In addition to the items exemplified in the present embodiment, the login additional information may be information regarding other items as long as the administrator can confirm the validity of the access request to the internal network 9. Good.

  Next, the authentication server 1 performs the following process as the in-access process S2. That is, the time measuring unit (not shown) measures the time during which the user is actually logged in, obtains the remaining time in comparison with the scheduled login time self-reported, and displays it on the user terminal 2 (S21). While the login to the internal network 9 is permitted, if there is a re-application for a login time extension from the user, the login process of step S1 is repeated (S22: Yes), and the re-applied time is added to the remaining time. To do. When there is no re-application, it is monitored whether the time when the login processing unit 12 is actually accessing exceeds the applied access time (S23). Then, when the actual login time exceeds the requested time, the login processing unit 12 forcibly blocks access (S24).

  Note that a warning may be issued when the remaining time becomes a predetermined time (for example, 2 minutes) or less before the forced disconnection of access. Further, when there is a re-application in step S22, the repetition of the login process S1 may be omitted.

  Next, the login process S1 may be the following process in addition to the process shown in FIG. For example, FIG. 6 shows another aspect of the login process S1. In this aspect, an administrator's approval is required for login. In other words, after step S11 to step S13, step S14 for permitting login when a login permission notification is received may be added. This login permission notification is, for example, a reply mail from the cellular phone 5 of the administrator who transmitted the login additional information in step S13. In step S14, when a reply mail is not received within a predetermined time or when an e-mail indicating that login is not permitted is received, the login processing unit 12 does not permit the access request (S14: No).

  In this aspect, when the administrator receives the notification of the login additional information with the mobile phone 5, the administrator confirms this content and determines whether or not the administrator permits the login. Thereby, a suspicious login request can be rejected in advance.

  Further, as in the aspect of FIG. 6, whether or not the administrator needs to be approved for login may be determined according to a user who logs in, an access destination, or a use service. In this case, whether or not to approve the administrator may be determined according to the authority given to the user, the work in charge, the level of confidentiality of the access destination, or the like.

  FIG. 7 shows still another aspect of the login process S1. In this aspect, step S15 for performing additional authentication of the user is inserted between steps S12 and S13. The additional authentication is authentication performed in addition to the authentication using the user ID and password in step S12, and is performed by the login processing unit 12. For example, information relating to past communication records (such as the reason for the previous login) is input at the time of login application, and the login processing unit 12 collates with information recorded in the access log 19. In this case, an input area may be further provided on the login application screen 100 for input.

  Note that the user authentication in step S12 can replace the authentication by the user ID and the password with the authentication by the electronic certificate or the authentication by the one-time password, or can be applied in combination of two or more of these.

  Next, similarly to the in-access processing S2, processing other than the processing shown in FIG. 5 can be performed. An example of another processing mode is shown in FIG.

  In this processing mode, step S25 for determining whether or not a cutting instruction has been received is added. This step S25 determines whether or not a disconnection instruction has been received from the access monitoring unit 16 or the administrator's mobile phone 5. When a disconnection instruction is given, the login processing unit 12 forcibly disconnects in step S24. As a result, when the access monitoring unit 16 detects unauthorized access, for example, or when the administrator determines that the access is unauthorized, the user can be forcibly disconnected at that time.

  Next, details of processing performed by the access monitoring unit 16 will be described. The following processing is performed for each user using a user ID as a key when a plurality of users are accessing the internal network 9.

  The access monitoring unit 16 compares the login additional information declared by the user at the time of login with the access log 19. This comparison is performed for each item of the login additional information, for example, and it is determined whether the access destination identification information recorded in the access log 19 matches the access destination of the login additional information. Here, when the actual access destination does not match the declared access destination, the unauthorized access may be immediately performed. However, in the present embodiment, the unauthorized access is detected when the number of mismatches exceeds a predetermined threshold. .

  Thereby, if an access different from the self-report is repeated, it is detected as an unauthorized access.

  Also, the importance level may be set in advance according to the actual access destination (see, for example, FIG. 9), and a threshold value for detecting unauthorized access may be set according to the importance level. That is, an access destination with a high importance level is identified as an unauthorized access with a smaller (mismatch) detection count than an access destination with a low importance level.

  FIG. 9 shows an importance level definition table 50 in which importance levels and threshold values for detecting unauthorized access are defined for each access destination. This table 50 is stored, for example, in a storage area (not shown) in the access monitoring unit 16.

  The access monitoring unit 16 further determines whether the mode of access performed by the user is included in the predetermined suspicious behavior type in addition to or in addition to the unauthorized access determination based on the access destination described above. judge. In this determination, the access monitoring unit 16 analyzes the contents stored in the access log 19 and specifies the mode of access by the user (the action performed by the user). Then, it is determined whether or not the access mode belongs to a suspicious access type (suspicious action). Here, the suspicious act is, for example, an access method that is generally considered to be fraudulent or an act that is clearly different from the purpose in relation to the purpose included in the login additional information, or is not related to the purpose. Including behavior that seems to happen. The access method generally considered to be illegal includes, for example, an action that continuously generates a password error (determined by referring to a response code) and a scanning action that accesses a predetermined number of servers within a predetermined time ( Scanning including nonexistent servers, such as tracing the end of the IP address in order from 1 to 100). Among suspicious acts, a level may be set in advance according to the degree of risk.

  As a result, even when the user authentication is cleared and the user logs in, a suspicious action is detected as an unauthorized access.

  Here, as in the case of detecting an unauthorized access destination, an unauthorized access may be immediately detected when a suspicious activity is detected, but in this embodiment, when the number of suspicious activities exceeds a predetermined threshold value, Detect as unauthorized access. Furthermore, a threshold value for detecting as unauthorized access may be set according to the risk of unauthorized activity (for example, FIG. 10). That is, when a suspicious action with a high degree of risk is detected, it is recognized as unauthorized access with a smaller number of times than those with a low degree of risk.

  FIG. 10 shows a risk definition table 60 in which a risk level and a threshold for detecting unauthorized access are defined for each suspicious activity. The table 60 is stored in a storage area (not shown) in the access monitoring unit 16, for example.

  When it is determined that unauthorized access has been detected as described above, the access monitoring unit 16 executes predetermined processing (measures) determined in advance. For example, the access monitoring unit 16 sends an e-mail notification to the e-mail address of the administrator of the user who has made unauthorized access (the normal e-mail address in the in-house network 9 or the e-mail address of the mobile phone 5). 14 or instructing the login processing unit 12 to forcibly disconnect the access. The e-mail notified to the administrator includes information for identifying the detected user who has made unauthorized access, the contents of unauthorized access, and the like.

  The measures taken by the access monitoring unit 16 may be determined based on an actual access destination or a suspicious action, or may be determined from time to time based on a predetermined rule. An example of the predetermined rule will be described with reference to FIGS. 11 and 12. That is, FIG. 11 shows a matrix 70 for determining a countermeasure level from the importance of the access destination shown and the risk of suspicious action, and FIG. 12 shows a countermeasure table 80 corresponding to the countermeasure level for each user ID. Both the matrix 70 and the countermeasure table 80 are stored, for example, in a storage area (not shown) in the access monitoring unit 16.

  First, the access monitoring unit 16 determines a countermeasure level using the matrix 70. When the countermeasure level is determined, the countermeasure table 80 is referred to, and the countermeasure to be implemented is determined according to the user ID.

  Next, a processing procedure for monitoring an access destination performed as the in-access processing S2 will be described with reference to a flowchart shown in FIG.

  First, the access monitoring unit 16 refers to the login additional information and the access log 19 stored in a storage unit (not shown) to determine whether the access destination matches the access destination self-reported by the user (S31, S32).

  If the actual access destination does not match the reported one (S32: No), a counter for counting the number of times by access destination is counted up (S33). Then, the access monitoring unit 16 determines whether or not the count value of the counter has exceeded a predetermined threshold value (S34). When the predetermined threshold value is exceeded (S34: Yes), the access monitoring unit 16 implements a predetermined measure or a measure determined based on a predetermined rule (S35).

  Further, a processing procedure for determining whether or not the access act is illegal will be described with reference to the flowchart shown in FIG.

  First, the access monitoring unit 16 refers to the access log 19 and monitors the user's action while analyzing it (S36). When it is detected that the user is performing a suspicious action (S37: Yes), a counter for counting the number of actions is counted up (S38). The access monitoring unit 16 determines whether the count value of the counter has exceeded a predetermined threshold value (S39). When the predetermined threshold value is exceeded (S39: Yes), the access monitoring unit 16 implements a predetermined measure or a measure determined based on a predetermined rule (S40).

  The above-described embodiments of the present invention are examples for explaining the present invention, and are not intended to limit the scope of the present invention only to those embodiments. Those skilled in the art can implement the present invention in various other modes without departing from the gist of the present invention.

It is a block diagram of the user authentication system to which this invention is applied. It is a figure which shows an example of the data item of an administrator table and a user table. It is a figure which shows an example of a login application screen. It is a figure which shows an example when the content of the email received by the mobile telephone 5 is displayed. It is a flowchart which shows an example of the process which an authentication server performs. It is a flowchart which shows the other aspect of a login process. It is a flowchart which shows the other aspect of a login process. It is a flowchart which shows the aspect of the in-access process. It is a figure which shows an example of an importance level definition table. It is a figure which shows an example of a risk definition table. It is a figure which shows an example of the matrix which defines a countermeasure level. It is a figure which shows an example of the countermeasure table classified by user ID. It is a flowchart which shows the aspect of the process for monitoring an access destination. It is a flowchart which shows the aspect of the process for determining an unauthorized act.

Explanation of symbols

  DESCRIPTION OF SYMBOLS 1 ... Authentication server, 2 ... User terminal, 3 ... Network, 4 ... Wireless base station, 5 ... Mobile telephone, 9 ... In-house network, 11 ... Network interface part, 12 ... Login processing part, 13 ... Web page, 14 ... Management Administrator interface, 15 administrator table, 16 access monitoring unit, 18 user table, 19 access log. 50 ... Importance level definition table, 60 ... Risk level definition table, 70 ... Matrix for determining countermeasure levels, 80 ... Countermeasure table by user ID.

Claims (13)

A receiving unit that receives a login request from the first user to the computer system and an input of information for the second user to confirm the validity of the login request;
Login to a computer system comprising: means for sending electronic information including information for confirming the validity of the login request to a communication device of the second user previously associated with the first user Request accepting device. The receiving means further receives the identification information of the first user;
The login request receiving apparatus according to claim 1, further comprising a storage unit that stores the user identification information and the second user communication apparatus in association with each other.   The login request receiving apparatus according to claim 1, wherein the second user is a person who manages or supervises the first user. Receiving means for receiving identification information of the user and information indicating a reason for access from a user who desires access to the computer system;
Means for sending electronic information including information for specifying the user and information indicating the reason for the access to a communication device previously associated with the user identification information;
An access management apparatus comprising: an access management unit that permits the user to access the computer system when the receiving unit receives the user identification information and information indicating the reason for the access request. The receiving means further receives a desired access time,
5. The access management device according to claim 4, wherein when the time when the user accesses the protection target system passes the desired access time, the access management means disconnects the access. Further comprising receiving means for receiving electronic information transmitted from the communication device;
5. The access management apparatus according to claim 4, wherein when the receiving means receives electronic information indicating that access is not permitted from the communication apparatus, the access management means disconnects access to the computer system. An authentication means for performing first and second authentication for the user;
The access management apparatus according to claim 4, wherein the reception unit further receives information necessary for the first and second authentications. The accepting means accepts input of information related to past access to the computer system of the user;
The first authentication is authentication based on the user identification information,
The access management apparatus according to claim 7, wherein the second authentication is authentication based on information on the past access. Receiving means for receiving identification information of the user and information indicating a reason for access from a user who desires access to the computer system;
Means for sending electronic information including information for specifying the user and information indicating the reason for the access to a communication device previously associated with the user identification information;
Receiving means for receiving electronic information transmitted from the communication device;
If the electronic information received by the receiving means is information indicating that access to the computer system is permitted, the access management apparatus comprises access management means for permitting the user to access the computer system. . A method for operating an apparatus for accepting a login request to a computer system, comprising:
Receiving a login request from the first user to the computer system and a second user receiving input of information for confirming the validity of the login request;
Sending electronic information including information for confirming the validity of the login request to the communication device of the second user, which is associated with the first user in advance. How to accept. When executed on the computer,
Receiving a login request from the first user to the computer system and a second user receiving input of information for confirming the validity of the login request;
A step of sending electronic information including information for confirming the validity of the login request to a communication device of the second user, which is associated with the first user in advance. Computer program for accepting login requests. A method for operation of an apparatus for managing access requests to a computer system comprising:
Receiving from the user who desires access to the computer system the identification information of the user and information indicating the reason for access;
Sending electronic information including information for specifying the user and information indicating the reason for the access to a communication device previously associated with the user identification information;
An access request management method comprising: permitting the user to access the computer system upon receiving input of the user identification information and information indicating the reason for access. When executed on the computer,
Receiving from the user who desires access to the computer system the identification information of the user and information indicating the reason for access;
Sending electronic information including information for specifying the user and information indicating the reason for the access to a communication device previously associated with the user identification information;
A computer program for managing access requests for a computer system, which, upon receiving input of the user identification information and information indicating a reason for the access request, permits the user to access the computer system.

Images