JP2018190209A - Web access control device - Google Patents

Abstract

PROBLEM TO BE SOLVED: To determine the degree of malignancy of an access destination Web site and block access to a malignant site not intended by the user. SOLUTION: For an access destination whose malignancy of an access destination website is determined to be higher than a certain threshold value, a user is asked whether or not the access is possible, and access is permitted only when the user authenticates. Further, by verifying the authentication result of the user and reflecting the authentication result with high certainty in the malignancy determination mechanism, the accuracy of the determination mechanism is improved. [Selection diagram] Fig. 1

Description

  The present invention relates to a technique for improving the determination accuracy based on feedback from a user while determining the malignancy of an access destination website and blocking communication with the malignant site.

  In recent years, as seen in targeted attacks, attacks have become more sophisticated and have become a serious threat to companies and nations. In addition, with the advancement of attacks, it has become difficult to completely block intrusions from the outside. Here, in order to suppress damage after being invaded, it is important to block external communication for the purpose of stealing confidential information and spreading infection.

  In view of the above background, there is a demand for a technology that appropriately controls communication to the outside and blocks suspicious communication.

  By using the technique of Patent Document 1, access to a known malignant site can be blocked. Another possible application is to allow access only to known benign sites. However, with this technology, the problem is that it is not possible to deal with unknown sites and that it is necessary to keep the list updated manually.

  Here, based on the malignancy of the Web site calculated from the log of the proxy server or the like as in Patent Document 2, a white list with a low malignancy, a black list with a high malignancy, and a gray list that does not belong to any of them There is a technology that automatically generates Thereby, manual list update cost can be suppressed. There is also a technology for requesting additional authentication when connecting to a website included in the gray list, distributing the gray list to the white list when the additional authentication is successful, and distributing to the black list when it has not succeeded for a certain period of time. Have. Thereby, even a Web site that has not been mechanically distributed to a white list or a black list can be distributed to any list according to the authentication result.

JP 2005-275604 A Japanese Patent Laying-Open No. 2015-170219

  In the existing technology, the mechanism for determining the malignancy of the Web site and the accuracy of the authentication result are not taken into consideration. For this reason, depending on the accuracy of the malignancy determination mechanism, a Web site with high malignancy is determined to be safe, and a Web site with low possibility of being damaged during access or a Web site with low malignancy is determined to be dangerous. There is a possibility that additional authentication occurs frequently and the convenience is lowered. In addition, if the result of additional authentication is different from what should originally be due to lack of user knowledge or operation mistakes, the accuracy of sorting from the gray list to each list may be reduced, and the same problem may occur. There is sex.

  Hereinafter, a malignant website used for a cyber attack is referred to as a malignant site, and a website that is not a malignant site is referred to as a benign site.

  A typical example of the present invention is as follows. In other words, the Web access control apparatus of the present invention is an apparatus that connects a terminal operated by a user and the Internet via a network, and includes a plurality of mechanisms each weighted with a malignancy of an access destination website. Web site malignancy determination program to be used and an additional authentication request program that notifies the user when access to a high malignancy site is detected and determines whether access is possible based on the user's determination A feedback value calculation program for determining the content to be fed back to the website malignancy determination program based on the user's judgment and its accompanying information, and the weight of each estimator constituting the malignancy determination program for the website Weight update program that is updated based on the value calculated by the feedback value calculation program , A gram, a Web access control apparatus comprising: a.

  According to the present invention, it is possible to estimate the malignancy of a Web site using a plurality of estimators and to determine whether the estimation result is correct or not by feedback from the user. At this time, the overall detection accuracy is automatically improved by using the feedback from the user and increasing the weight of the estimator having a high matching rate between the estimation result and the user judgment. By combining these, communication to the malicious site is blocked, unnecessary additional authentication and the cost of manually updating the blacklist are suppressed, and convenience is improved.

It is the figure which showed the structural example of the web access control apparatus which concerns on the Example of this invention. It is a figure which shows an example of the authentication information management table | surface which concerns on the Example of this invention. It is a figure which shows an example of the estimator management table | surface which concerns on the Example of this invention. It is a figure which shows an example of the estimator weight log | history which concerns on the Example of this invention. It is a figure which shows an example of the gray list which concerns on the Example of this invention. It is a figure which shows an example of the black list which concerns on the Example of this invention. It is a figure which shows an example of the white list which concerns on the Example of this invention. It is a figure which shows the whole processing flow based on the Example of this invention. It is a figure which shows the processing flow of the Web site malignancy determination program based on the Example of this invention. It is a figure which shows the processing flow of the list update program which concerns on the Example of this invention. It is a figure which shows the processing flow of the feedback value calculation which concerns on the Example of this invention. It is a figure which shows the processing flow of the weight update which concerns on implementation of this invention. It is a figure which shows an example of the additional authentication screen (before additional information acquisition) which concerns on the Example of this invention. It is a figure which shows an example of the additional authentication screen (after additional information acquisition) which concerns on the Example of this invention. It is a figure which shows the processing flow of the weight update in consideration of the time series change based on implementation of this invention.

  Hereinafter, modes (examples) for carrying out the present invention will be described. In this embodiment, a plurality of estimators for determining the malignancy with weights assigned thereto are prepared, the malignancy of the access destination website is determined, and if the malignancy is higher than a certain threshold, the user is informed. Request additional authentication. When the user is requested to perform additional authentication, the user determines whether or not connection to the access destination website is possible. Only when it is determined that there is no problem, the user breaks through the additional authentication and accesses the website. As a result, it is possible to suppress access to a malicious site by malware or the like that is not intended by the user or that does not assume the presence of additional authentication and cannot break through the additional authentication. Further, the user judgment and the result calculated by the website malignancy determination program are matched, and the weight of each estimator constituting the website malignancy determination program is updated depending on whether or not the two match. As a result, the determination of a highly accurate estimator is emphasized, and the overall malignancy determination accuracy is improved. Further, when confirming the user judgment, it is estimated whether or not the judgment is correct by using the information obtained incidentally, and the more probable result of the user judgment is reflected in the malignancy judging mechanism. Thereby, the fall of the malignancy determination precision by reflecting incorrect user judgment can be suppressed.

  In the following, focusing on these points, examples of the malignancy determination process flow of the website, the list update process, and the feedback value calculation process will be described.

  FIG. 1 is a diagram illustrating a configuration example of a Web access control apparatus according to an embodiment of the present invention. The Web access control apparatus 101 according to the embodiment is connected to a user terminal 121 operated by a user and the Internet 123 via a network 122.

  The Web access control device 101 includes a CPU (Central Processing Unit) 103, a main memory 104 for storing data necessary for the CPU 103 to execute processing, and a hard disk or flash memory having a capacity for storing a large amount of data. A storage device 105 such as, an IF (interface) 102 for performing communication with other devices, an input / output device 106 for performing input / output such as a keyboard and a display, and a communication path 107 for connecting these devices. , A computer equipped with The communication path 107 is an information transmission medium such as a bus or cable.

  The CPU 103 adds suspicious communication control by executing the access relay program 108 stored in the main memory 104, and the malignancy determination of the access destination website by executing the Web site malignancy determination program 109. By executing additional authentication of a user who operates the user terminal 121 by executing the authentication request program 110, acquiring information of the access destination website by executing the access destination information acquisition program 111, and executing the list update program 112 The update of the gray list 118, the black list 119, and the white list 120 is performed by executing the feedback value calculation program 113 to the weight assigned to each malignancy estimator 124 included in the Web site malignancy determination program 109. Each malignancy constituting the Web site malignancy determination program 109 recorded in the estimator management table 116 based on the value calculated by the feedback value calculation program 113 by executing the weight update program 114 is calculated. The weight assigned to the degree estimator 124 is updated. The storage device 105 manages the additional authentication history 115 indicating the additional authentication result of the user who operates the user terminal 121 and the accompanying information at that time, and the information of the malignancy estimator 124 constituting the Web site malignancy determination program 109. The estimator management table 116, the estimator weight history 117 for managing the weight of each estimator in time series, the gray list 118 indicating information on a suspicious communication destination, the black list 119 indicating information on a dangerous communication destination, a safe A white list 120 indicating communication destination information is stored.

  Each of the above programs and data may be stored in advance in the memory 104 or the storage device 105, or installed (loaded) from the input / output device 106 or from another device via the IF 102 when necessary. Also good.

  FIG. 2 is a diagram illustrating an example of the additional authentication history 115. As illustrated in FIG. 2, the additional authentication history 115 includes an ID 201, an authentication result 202, accompanying information 203, user identification information 207, and a URL 208. The accompanying information includes, for example, a time 204 required for authentication, the number of correct answers 205, and site information display presence / absence 206.

  The ID 201 represents information that can uniquely identify authentication information.

  The authentication result 202 represents whether or not the user has succeeded in additional authentication. For example, when the authentication result 202 is “successful”, the user succeeds in the additional authentication, and when the authentication result 202 is “failure”, the user fails in the additional authentication.

  The accompanying information 203 represents information that is incidentally obtained when the user starts additional authentication. Here, the accompanying information 203 will be described as being composed of the time 204 required for authentication, the number of correct answers 205, and whether or not site information display 206 is provided.

  The time 204 required for authentication represents the time required from when the additional authentication screen is presented to the user until authentication is attempted. For example, when 4.3 seconds are required for an authentication attempt after the additional authentication screen is displayed, “4.3” is recorded regardless of whether the authentication is successful. Also, “timeout” is recorded when there is no attempt to break the authentication for a predetermined time.

  The number of correct answers 205 represents the number of correct answers out of the total number of characters and the correct answer rate when authentication using a character string is used for additional authentication. For example, when the authentication character string is “abcd”, if “abvf” is input, the first two characters out of all four characters are correct, so “2 (50%)” is recorded. . The time is calculated by the difference between the time when the additional authentication screen is presented and the time when the additional authentication character string is received from the user in the additional authentication request program 110.

  The site information display presence / absence 206 indicates whether or not the user has requested additional information as a material for determining whether or not the access destination website is malignant during additional authentication. For example, “Yes” indicates that the user has requested additional information, and “No” indicates that the user has not requested additional information. The additional information for assisting the user's judgment includes a thumbnail image, whois information, DNS information of the access destination website, and the like.

  The stored information of the additional authentication history 115 is acquired and stored at the time of additional authentication when there is an attempt to access a suspicious site. In addition, the time 204 required for authentication, the number of correct answers 205, and the presence / absence of site information display 206 are listed as accompanying information this time, but information obtained incidentally may be used in addition to the information. .

  The user identification information 207 represents information that can uniquely identify a user who has undergone additional authentication. For example, in the network environment, when a user assigned with an identifier “123” desires for the authentication, “123” representing the user is recorded. Although the identifier given to the user on the network system is used this time, it is sufficient that the user can be uniquely identified. For example, the IP (Internet Protocol) address of the user terminal or the user name of the user may be used. .

  A URL 208 represents a URL of a suspicious connection destination that is a target of the additional authentication. For example, in the case of “foo.com”, the URL represents a suspicious connection destination that is a target of the additional authentication. Although the URL is used this time as long as the suspicious connection destination can be identified, for example, an IP address or FQDN (Fully Qualified Domain Name) may be used.

  FIG. 3 is a diagram illustrating an example of the estimator management table 116. As illustrated in FIG. 3, the estimator management table 116 includes an ID 301, a correct answer rate 302, a weight 303, and a latest malignancy determination result 304.

  The ID 301 represents information that can uniquely identify each malignancy estimator 124 included in the Web site malignancy determination program 109.

  The correct answer rate 302 represents the coincidence rate between the determination result (malignant / benign) for each suspicious site so far and the additional authentication result (non-breakthrough / breakthrough) of the user. For example, “80%” indicates that the determination result for 0.8N times coincides with the additional authentication result of the user among the N times of suspicious site malignancy determination opportunities. The estimator with the higher correct answer rate is given a higher weight as the malignant site discriminating accuracy in the organization in which the Web access control device is introduced is higher. A specific processing procedure for calculating the weight to be assigned to each estimator will be described later with reference to FIG.

  The weight 303 represents a value normalized so that the total value of the weights assigned to each estimator becomes 1. For example, “0.2” indicates that the estimator has 20% of the judgment right among all the estimators.

  The latest malignancy determination result 304 represents how the malignancy of the determination target is determined in the most recent malignancy determination opportunity. For example, “75%” indicates that the estimator has determined that the determination target is malignant with a probability of 75%. In addition, although this time, it demonstrated using the malignancy degree of this access destination website as an index indicating the suspicious degree of the access destination website, it is an index that can express the suspicious degree such as the benign degree of the access destination website. Any information may be used as long as it exists.

  Note that each piece of information in the estimator management table 116 may be input or updated as necessary by the administrator.

  FIG. 4 is a diagram illustrating an example of the estimator weight history 117. As shown in FIG. 4, the estimator weight history 117 includes a time 401, a weight 402, a malignancy determination result 403, and a match 404 with the authentication result. Further, the estimator weight history 117 is prepared for each malignancy estimator 124 constituting the Web site malignancy determination program 109, and stores information related to the estimator. 4 illustrates the malignancy weight history 117 corresponding to the malignancy estimator 124 whose ID is 0 in FIG.

  Time 401 represents the time when the estimator determined the malignancy of the suspicious site. In the figure, year / month / day hour: minute: second. Although the notation of fractional seconds is used, any information may be used as long as it is information that can distinguish the time, such as Unixtime.

  A weight 402 represents the weight of the estimator at the time. For example, “0.3” indicates that a weight of 0.3 was given to the estimator at the time.

  The malignancy determination result 403 represents the malignancy calculated by the estimator for the malignancy determination target Web site at the time. For example, “75%” indicates that the estimator has determined that the determination target is malignant with a probability of 75% at the time.

  The coincidence 404 with the authentication result represents whether or not the determination result (malignant / benign) for the suspicious site at that time coincides with the additional authentication result (non-breakthrough / breakthrough) of the user. For example, “match” indicates that the two match, and “mismatch” indicates that the two do not match.

  FIG. 5 is a diagram illustrating an example of the gray list 118. As illustrated in FIG. 5, the gray list 118 includes an ID 501, a URL 502, an authentication success user count 503, an authentication failure user count 504, and an authentication result 505 for each user.

  The ID 501 represents information that can uniquely identify the gray list 118.

  URL 502 represents a URL of a suspicious connection destination. For example, “example.com” indicates that the URL is a suspicious connection destination. Although the URL is used this time, it is only necessary to identify a suspicious connection destination. For example, an IP address or FQDN may be used.

  The number of successful authentication users 503 represents the unique number of users who have passed through the additional authentication of the connection destination. For example, “2” indicates that two users have passed through the additional authentication of the connection destination. The number of successes can be calculated by using an authentication result 505 for each user described later.

  The number of failed users 504 represents the unique number of users who did not break through the additional authentication of the connection destination. For example, “4” indicates that four users did not break through the additional authentication of the connection destination. The number of failures can be calculated by using an authentication result 505 for each user described later.

  The authentication result 505 for each user represents the latest authentication result for each user for the connection destination. For example, “123: success, 789: failure” indicates that the user with the identifier 123 has passed the additional authentication and that the user with the identifier 789 has not passed the additional authentication.

  In the gray list 118, connection destinations determined to be malignant by the Web site malignancy determination program 109 are registered by the list update program 110. Specific processing of the Web site malignancy determination program 109 and the list update program 110 will be described later with reference to FIGS. 9 and 10.

  Each information of the gray list 118 may be registered or updated as necessary by the administrator.

  FIG. 6 is a diagram illustrating an example of the black list 119. As shown in FIG. 6, the black list 119 includes an ID 601 and a URL 602.

  The ID 601 represents information that can uniquely identify the black list 119.

  URL 602 represents the URL of a malignant site. For example, “black.com” indicates that the URL is a malicious site. Although the URL is used this time, it is only necessary to identify a malignant site. For example, an IP address or FQDN may be used.

  The black list 119 is determined to be malignant by the Web site malignancy determination program 109, and connection destinations for which a certain number of users have not passed authentication are registered by the list update program 110. Specific processing of the Web site malignancy determination program 109 and the list update program 110 will be described later with reference to FIGS. 9 and 10.

  Each information of the gray list 119 may be registered or updated as necessary by the administrator.

  FIG. 7 is a diagram illustrating an example of the white list 120. As shown in FIG. 7, the white list 120 includes an ID 701 and a URL 702.

  The ID 701 represents information that can uniquely identify the white list 120.

  URL 702 represents the URL of a benign site. For example, “white.com” indicates that the URL is a benign site. Although the URL is used this time, it is only necessary to identify a malignant site. For example, an IP address or FQDN may be used.

  Although the white list 120 is determined to be malignant by the Web site malignancy determination program 109, the list update program 110 registers connection destinations for which a certain number of users have passed authentication. Specific processing of the Web site malignancy determination program 109 and the list update program 110 will be described later with reference to FIGS. 9 and 10.

  Each information of the white list 119 may be registered or updated as necessary by the administrator.

  Subsequently, the access relay program 108 of the Web access control apparatus 101 relays communication from the terminal 121, the Web site malignancy determination program 109 determines the malignancy of the access destination Web site, and the additional authentication request program 110 is the user. 121 requests additional authentication, the access destination information acquisition program 111 acquires information on the access destination website, the list update program 112 updates the gray list 118, the black list 119, and the white list 120, and the feedback value The calculation program 113 calculates a value to be fed back to the weight assigned to each malignancy estimator 124 constituting the Web site malignancy determination program 109, and the weight update program 114 is based on the value calculated by the feedback value calculation program 113. It is described a process for updating the weights assigned to each grade estimator 124 that configures the Web site grading program 109.

  FIG. 8 is a diagram showing an overall processing flow of the Web access control apparatus 101. As shown in FIG. 8, the access relay program 108 is executed by the CPU 103 and relays communication from the user terminal 121 via the IF 102a (step 801).

  The access relay program 108 refers to the black list, and proceeds to step 810a if the accessed Web site corresponds to the black list, and proceeds to step 803 if not (step 802).

  The access relay program 108 refers to the white list, and if the access destination web site corresponds to the white list, the access relay program 108 proceeds to step 811a, and if not, proceeds to step 804 (step 803).

  The website malignancy determination program 109 calculates the malignancy of the access destination website, and proceeds to step 805 (step 804). The malignancy calculation flow of the Web site malignancy determination program 109 will be described later with reference to FIG.

  The access relay program 108 compares the malignancy calculated in step 804 with a predetermined threshold, and if the malignancy is lower than the threshold, the process proceeds to step 811a, and if higher, the process proceeds to step 806 (step 805). ).

  The additional authentication request program 110 requests the user for additional authentication and proceeds to step 807 (step 806).

  Here, it is conceivable that the additional authentication request program 110 uses a system such as CAPTCHA (Complementary Automated Turing Test to Tell Computers and Humans Apart) that separates humans from machines for additional authentication to users. . As a result, even when malware attempts to access a malicious site mechanically, it is difficult to break through the authentication, and in addition to accessing a human malicious site, access to the malicious site by malware can also be suppressed. Of the user. The display screen of the additional authentication request program 110 will be described later with reference to FIG.

  The additional authentication request program 110 confirms whether the user has requested additional information for additional authentication of the access Web destination site. If there is a request, the process proceeds to step 808. If there is no request, the process proceeds to step 809 (step 807). .

  The access destination information acquisition program 111 acquires access destination site information and displays the acquired information on the user terminal 118. (Step 808).

  The additional authentication request program 110 confirms whether or not the user has succeeded in the additional authentication, and proceeds to 811b if successful and proceeds to 810b if unsuccessful (step 809).

  The access relay program 108 denies the user access to the site and ends the process (step 810a).

  The access relay program 108 permits the user to access the site and ends the process (step 811a).

  The access relay program 108 denies the user access to the site and proceeds to step 812 (step 810b).

  The access relay program 108 permits the user to access the site, and proceeds to Step 812 (Step 811b).

  The access relay program 108 receives the additional authentication character string from the user, records additional authentication information such as an authentication result by the additional authentication character string and accompanying information at the time of authentication in the additional authentication history 115, and step 813. (Step 812).

  The access relay program 108 notifies the list update program 112 and the feedback content value program 113 of the user additional authentication result (whether or not the authentication has been broken), and proceeds to step 814 and step 815 which are the processes of each program. (Step 813).

  The list update program 112 refers to the additional authentication history 115, acquires the user additional authentication result, and updates the gray list 118, the black list 119, and the white list 120 using the information (step 814). Each list update flow of the list update program 112 will be described later with reference to FIG.

  The feedback value calculation program 113 refers to the additional authentication history 115, obtains the user additional authentication result and accompanying information, calculates a feedback value using the information, and proceeds to step 815 (step 815). The feedback value calculation flow of the feedback value calculation program 113 will be described later with reference to FIG.

  The weight update program 114 updates the weight of each estimator recorded in the estimator management table 116 based on the value calculated by the feedback value calculation program 113, and ends the process (step 816).

  In step 806, when the malignancy of the access destination website is equal to or greater than the threshold value, the user is requested to perform additional authentication. However, the user authentication result is cached and the user performs additional authentication for the access destination site. May be permitted without requiring additional authentication. Thereby, it can be expected that the convenience of the user is efficient.

  FIG. 9 is a diagram illustrating an example of a processing flow of the website malignancy determination program 109. As shown in FIG. 9, when the communication destination of the user terminal 121 that is not recorded in the black list and the white list is received from the access relay program 108, the processing is started (step 901). ). Note that the Web site malignancy determination program is composed of a plurality of malignancy estimators 124 each having a weight, and the final value is calculated by integrating the determination results of the respective estimators. The malignancy estimator here estimates the malignancy of the Web site from the URL character string, and estimates the malignancy of the Web site from external information (whis information, DNS information, etc.) about the Web site. And those that infer the malignancy of the website from the contents of the website.

  The Web site malignancy determination program 109 inputs the access destination Web site received from the access relay program 108 to each malignancy estimator 124 and proceeds to Step 903 (Step 902).

  The Web site malignancy determination program 109 starts receiving the determination results of each malignancy estimator 124, and after receiving the results from all the estimators, proceeds to step 904 (step 903).

The Web site malignancy determination program 109 records the determination result of each estimator received in step 903 in the estimator management table 116 and the estimator weight history 117, and proceeds to step 905 (step 904).
The Web site malignancy determination program 109 multiplies the estimation result received by each estimator received in step 903 by the weight assigned to each estimator obtained by referring to the estimator management table 116, and the total value is finalized. The prediction result is calculated, and the process ends (step 905). The above calculation procedure can be expressed as the following calculation formula (Equation 1).

なお、今回は上述の計算式を用いた最終予測結果の算出手順を例示したが、各推測器の予測結果に対して重みを反映させ、最終的に統合する方式であれば、どのような方式を用いても良い。

In addition, although the calculation procedure of the final prediction result using the above-mentioned calculation formula was illustrated this time, any method can be used as long as the weight is reflected on the prediction result of each estimator and finally integrated. May be used.

  Further, the malignancy estimator 124 can be added / deleted, and the administrator may add / delete the malignancy estimator 124 as necessary.

  FIG. 10 is a diagram illustrating an example of a processing flow of the list update program 112. As shown in FIG. 10, among the communication destinations of the user terminal 121, the additional authentication result of the user is accessed for the website whose malignancy is determined to be equal to or greater than the threshold by the website malignancy determination program 109. When received from the relay program 108, the processing is started (step 1001).

  The list update program 112 refers to the gray list 118 and proceeds to step 1004 if the accessed Web site corresponds to the gray list, and proceeds to step 1003 if not (step 1002).

  The list update program 112 registers the access destination website in the gray list 118 and proceeds to step 1004 (step 1003).

  The list update program 112 refers to the additional authentication result of the user received from the access relay program 108, records the additional authentication result in the gray list 118, the number of successful authentication users, the number of unsuccessful authentication users, and the user After updating each authentication result, the process proceeds to step 1005 (step 1004).

  The list update program 112 refers to the additional authentication result of the user received from the access relay program 108. If the authentication has succeeded, the process proceeds to step 1006. If the authentication has failed, the process proceeds to step 1009 (step 1005). ).

  The list update program 112 refers to the gray list 118, and proceeds to step 1007 if the cumulative number of successful authentication users of the access destination website exceeds a certain number, and terminates the processing if it does not exceed (step 1006). ).

The list update program 112 registers the access destination website in the white list 120 and proceeds to step 1008 (step 1007).
The list update program 112 deletes the line corresponding to the access destination website from the gray list 118, and ends the process (step 1008).

  The list update program 112 refers to the gray list 118, and proceeds to step 1010 if the cumulative number of failed users at the access destination website exceeds a certain number, and ends the process if it does not exceed (step 1009). ).

The list update program 112 registers the access destination website in the black list 119 and proceeds to step 1011 (step 1010).
The list update program 112 deletes the line corresponding to the access destination website from the gray list 118 and ends the process (step 1011).

  FIG. 11 is a diagram illustrating a processing flow of the feedback value calculation program 113. As shown in FIG. 11, among the communication destinations of the user terminal 121, the additional authentication result of the user for the access destination website whose malignancy is determined to be equal to or greater than the threshold by the website malignancy determination program 109 Is received from the access relay program 108, the processing is started (step 1101). In this example, an example of using the authentication result 202 and the time 204 required for authentication, the number of correct answers 205, and the presence / absence of site information display 206 as the accompanying information 203 will be described. It is also possible to calculate the final value with a different processing flow even when using.

  The feedback value calculation program 113 sets an initial value of 1.0 and proceeds to step 1103 (step 1102).

  The feedback value calculation program 113 acquires authentication information from the latest entry of the additional authentication history 115, and proceeds to step 1104 (step 1103).

  The feedback value calculation program 113 refers to the authentication information acquired in Step 1103. If the authentication is successful, the process proceeds to Step 1109. If the authentication is not successful, the process proceeds to Step 1105 (Step 1104).

  The feedback value calculation program 113 refers to the authentication information acquired in Step 1103. If the authentication has timed out, the process proceeds to Step 1112. If not, the process proceeds to Step 1106 (Step 1105).

  The feedback value calculation program 113 refers to the authentication information acquired in step 1103. If site information is displayed, the process proceeds to step 1112; otherwise, the process proceeds to step 1107 (step 1106).

The feedback value calculation program 113 multiplies the value by 0.5 and proceeds to step 1108 (step 1107).
The feedback value calculation program 113 refers to the authentication information acquired in step 1103, decreases the value according to the number of correct answers, and proceeds to step 1112 (step 1108).
The feedback value calculation program 113 refers to the authentication information acquired in step 1103, decreases the value according to the time required for authentication, and proceeds to step 1110 (step 1109).
The feedback value calculation program 113 refers to the authentication information acquired in step 1103. If site information is displayed, the process proceeds to step 1112. If not, the process proceeds to step 1111 (step 1110).

The feedback value calculation program 113 multiplies the value by 0.5 and proceeds to step 1112 (step 1111).
The feedback value calculation program 113 returns the final value calculated in the steps so far and ends the processing (step 1112).

  This process makes it possible to quantify the probability of the user authentication result and provide feedback to each estimator 124 that configures the Web site malignancy determination program 109 according to the certainty.

  The reason why the time 204 required for authentication, the number of correct answers 205, and whether or not the site information display 206 is used as the accompanying information 203 this time is as follows.

  The time 204 required for authentication is mainly used to separate access by humans and access by malware. The additional authentication required when accessing a suspicious site does not occur during normal Web access, and humans can flexibly respond when the additional authentication is issued, but the additional authentication is not assumed Malware can't break through and times out. Or, with the recent sophistication of attacks, malware having a function to break through additional authentication has also been reported. In this case, it is assumed that the program attempts to break through authentication at an input speed that is difficult to achieve by humans. As described above, the time required for the authentication by the malware is characterized by timeout or extremely short, and this information is used because it is useful for human authentication and classification.

  If the authentication result is successful, the feedback value calculation program 113 subtracts the value to be fed back in step 1109 according to the time required for authentication. On the other hand, when the authentication result is failure, the subtraction is not performed. This considers a user who accesses without considering the risk even when the access destination website is suspicious. Even if a user with a low security level receives a warning that the access destination website is suspicious, the user may access without considering the risk. On the other hand, when the access is canceled without breaking through the additional authentication, it is assumed that the risk of the access destination website is taken into consideration. From the nature of the additional authentication result described above, it is assumed that the reliability of authentication success is higher than the reliability of authentication failure. For the reasons described above, in the case of authentication breakthrough, the value to be fed back is subtracted, which is not the case when the authentication breakthrough is not broken, thereby reflecting the reliability of the additional authentication.

  The number of correct answers 205 is mainly used to discriminate whether or not the failure is due to a human error when authentication fails. For example, when authentication fails, it is inferred that if it is intended, nothing is input, or if an appropriate character is input, the character string required for breaking through the authentication is greatly deviated. On the other hand, since an unintended thing (human error) is an input that is out of the way of trying to break through, it can be inferred that it is not greatly deviated from the character string requested for breaking through the authentication. As described above, whether or not the authentication failure is due to a human error appears in the correct number of inputs to the character string requested for the authentication breakthrough. Therefore, the information is used.

  The site information display presence / absence 206 is mainly used to verify the accuracy of the user authentication result. As described above, the Web access control apparatus 101 has a function of additionally acquiring and displaying information on an access destination website in response to a user request when additional authentication is requested by the user. The user who requested the information is requested to request additional information, and it is inferred that the user is a highly security conscious user who tries to determine the nature of the access destination website from various perspectives. Since the information is based on information, it is assumed that the reliability is higher than the determination that the additional information is not viewed. As described above, since the site information display presence / absence 206 is useful for verifying the reliability of the user authentication result, the information is used.

  FIG. 12 is a diagram illustrating a processing flow of the weight update program 114. As shown in FIG. 12, when a feedback value that is executed by the CPU 103 and reflected on each malignancy estimator 124 that constitutes the Web site malignancy determination program is received from the feedback value calculation program 113, the processing is started (step 1201). .

  The weight update program 114 sets an initial value 0 to a variable i indicating the ID of the malignancy estimator 124, and proceeds to step 1203 (step 1202).

  The weight update program 114 refers to the additional authentication history 115 and the estimator management table 116, acquires the estimation result and authentication result of the estimator whose ID is the variable i, and then proceeds to step 1204 (step 1203).

  The weight update program 114 compares the estimation result of the estimator whose ID is variable i acquired in step 1103 with the authentication result. If the two match, the process proceeds to step 1205; (Step 1204).

  The weight update program 114 adds the weight of the estimator whose ID is the variable i according to the value received from the feedback value calculation program 113, and adds the weight of the estimator recorded in the estimator management table 116. After updating to the value, the process proceeds to step 1207 (step 1205).

  The weight update program 114 subtracts the weight of the estimator whose ID is the variable i according to the value received from the feedback value calculation program 113, and subtracts the weight of the estimator recorded in the estimator management table 116. After updating to the value, the process proceeds to step 1207 (step 1206).

  The weight update program 114 adds 1 to the variable i and proceeds to step 1203 (step 1207).

  The weight update program 114 compares the variable i with the number of estimators that can be obtained by referring to the estimator management table 116, and if the variable i is less than the number of estimators, the process returns to step 1203 and sets the number of estimators. If so, the process proceeds to step 1209 (step 1208).

  The weight update program 114 normalizes the weights of the respective malignancy estimators 124 recorded in the estimator management table 116 so that the sum of the weights of the estimators becomes 1, and ends the processing (step 1209).

  FIG. 13 is a diagram illustrating an example of an additional authentication screen displayed by the additional authentication request program 110. As shown in FIG. 13a, when an access destination website malignancy determination program tries to access a website showing a malignancy greater than or equal to the threshold, an additional authentication screen is displayed and only when the additional authentication in the screen is broken. , Permit access to the Web site. The additional authentication screen includes a warning message 1301 that the access destination website is suspicious, a character string display field 1302 for additional authentication, an additional authentication character string input form 1303, an additional authentication character string transmission button 1304, and an addition An information request button 1305. Only when the user determines that the Web site is not malignant, the user correctly inputs the character string shown in the additional authentication character string display field 1302 to the additional authentication character string input form 1303 and clicks the additional authentication character string transmission button 1304. By pressing, access can be continued. Further, when the user hesitates to determine whether access is possible, by pressing an additional information request button 1305, additional information for the determination can be acquired and displayed. An example of the screen after the additional information is displayed is shown in FIG. 13b. The additional authentication screen after the additional information display includes a website information display field 1306 and a website thumbnail display field 1307. In the Web site information display field 1306, public information regarding the access destination Web site such as whois information and DNS information is displayed. In the Web site thumbnail display field 1307, thumbnails when the access Web site is actually accessed are displayed as images. Based on these pieces of information, the user determines whether or not access to the access destination website is possible.

  It should be noted that a part of this embodiment may be modified and implemented as follows.

  Even if the final prediction result of the malignancy level of the access destination website is equal to or lower than the threshold value, additional authentication may be requested when one or more estimators calculate a high malignancy level. As a result, even an estimator specialized in detecting a specific malignant site whose weight tends to decrease due to its low versatility can be incorporated into the Web site malignancy determination program 110. , Detection omission can be suppressed.

  Further, the difficulty level of the additional authentication may be increased or decreased depending on the malignancy value. For example, if the malignancy is relatively low, only a button click can be performed, and if it is high, CAPTCHA authentication can be performed. Thereby, the load concerning the user's authentication with respect to the gray site from benign can be suppressed.

  Further, the additional authentication result of the verified user may be treated as correct data (Ground Truth), and the data may be sequentially learned each time the data is given and used as the online learning teacher data for constructing the model. As a result, not only optimization of the weight given to each estimator but also optimization of the estimator itself is possible.

  Further, the present invention is not limited to the above-described embodiment as it is, and can be embodied by modifying the constituent elements without departing from the scope in the implementation stage. Moreover, various inventions can be formed by appropriately combining a plurality of constituent elements disclosed in the embodiment. For example, some components may be deleted from all the components shown in the embodiment. Furthermore, the constituent elements over different embodiments may be appropriately combined.

  The present embodiment includes the Web access control apparatus 101 according to the first embodiment, and when updating the weight to be given to the malignancy estimator 124, pays attention to the time series change of the weight and weights in a more suitable form This is a Web access control device having a function of assigning.

  In the second embodiment, paying attention to the time series change of the weight of the estimator, when a tendency different from the conventional change is seen in the change in the weight, the update of the weight is suspended. For example, the weight of a potentially accurate estimator continues to increase monotonically, and it is assumed that the rising value converges to a saturated value. The weight that has increased or converged to a constant value tends to decrease. By detecting this change point and temporarily deferring the weight update, it is possible to determine whether the change in the weight is correct or noise due to a user authentication error, etc. , It is possible to suppress a decrease in the accuracy of determining the malignancy of the Web site.

  FIG. 14 is an example of a weight update flow in this embodiment. The same components as those in the first embodiment are denoted by the same reference numerals, and the description thereof will be omitted. Hereinafter, differences from the first embodiment will be mainly described.

  In addition to the flow shown in FIG. 12, the weight update program 114 has a processing flow in which attention is paid to the time series change at the time of weight update. Specifically, in step 1204, it is verified whether or not the estimation result of the estimator matches the authentication result, and when branching to a flow for adding / subtracting the weight, actual processing is performed based on the time series change of the weight. Step 1210 and Step 1211 for determining whether to add / subtract the weight. Hereinafter, the processing content of step 1210 and step 1211 will be described.

  The weight update program 114 refers to the estimator time-series weight management table 117 corresponding to the estimator and acquires the time-series change in the weight of the estimator whose ID is the variable i. Also, if the weight is added, it is verified whether the tendency of the weight change is different from the previous one. If a tendency different from the previous change is seen, the process proceeds to step 1207 to suspend the weight update. If no change in weight change is observed, the process proceeds to step 1205 (step 1210).

  The weight update program 114 refers to the estimator time-series weight management table 117 corresponding to the estimator and acquires the time-series change in the weight of the estimator whose ID is the variable i. Further, if the weight is subtracted, it is verified whether the tendency of the weight change is different from the previous one. If the tendency different from the previous change is seen, the process proceeds to step 1207 to suspend the weight update. If no different trend is seen in the change in weight, the process proceeds to step 1206 (step 1211).

  Further, the present invention is not limited to the above-described embodiment as it is, and can be embodied by modifying the constituent elements without departing from the scope in the implementation stage. Moreover, various inventions can be formed by appropriately combining a plurality of constituent elements disclosed in the embodiment. For example, some components may be deleted from all the components shown in the embodiment. Furthermore, the constituent elements over different embodiments may be appropriately combined.

101: Web access control device 108: Access relay program 109: Website malignancy determination program 110: Additional authentication request program 111: Access destination information acquisition program 112: List update program 113: Feedback value calculation program 114: Weight update program 115: Additional authentication history 116: Guesser management table 117: Guesser weight history 118: Gray list 119: Black list 120: White list 121: User terminal 123: Internet 124: Malignancy estimator

Claims (2)

A web access control device connected to a terminal operated by a user via a network,
A website malignancy determination unit that estimates a malignancy of an access destination website using a plurality of estimators;
An additional authentication request part that determines whether or not access is possible when an access to a highly malignant site is detected;
A Web access control apparatus comprising: A web access control method using a web access control device connected to a terminal operated by a user via a network,
Estimate the malignancy of the website to access using multiple estimators,
Require additional authentication to determine whether access is possible when it detects access to a high-grade site,
A Web access control method characterized by the above.

Images