JP2019074893A - Unauthorized login detection method - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide an unauthorized login detection method which is easy to use for a user and prevents unauthorized third parties from unauthorized login.
A system using an unauthorized login detection method includes a server group on which an unauthorized login detection program 100 is executed, a website 200 as an unauthorized login detection target, and a user terminal 300. The website has a script for collecting information, and when the user terminal accesses the website, the script is executed in the user terminal, and the user terminal transmits access terminal information and operation information to the first server 110. . The first server records the received access terminal information and operation information, and the second server 120 analyzes whether the login is unauthorized or not based on the recorded access terminal information and operation information. If the analysis result indicates that the possibility of unauthorized login is high, the second server notifies the website of the suspected unauthorized login.
[Selected figure] Figure 1

Description

  The present invention relates to an unauthorized login detection method.

  In recent years, unauthorized logins have been made on the Internet, which has become a social problem. For example, according to the occurrence situation of unauthorized access announced by the National Police Agency, there were 1840 unauthorized access recognized in 2016.

  An example of unauthorized access is a member-only website such as Internet banking or an EC site that holds credit card information. A malicious party illegally obtains a member identifier (hereinafter referred to as a member ID) and password and The criminal act which impersonates as the person and logs in and performs illegal remittance, illegal product purchase etc. is increasing

  In this way, most companies that receive unauthorized access are. The main methods of unauthorized access include unauthorized acquisition of passwords and introduction of unauthorized programs. In order to prevent such unauthorized access, a technology in which a user ID, a password and an IP are linked has been developed.

Japanese Patent

  On the other hand, in recent years, cases of logging in to a web site using a mobile terminal or the like are increasing. Therefore, due to the characteristics of the mobile terminal, the IP address changes frequently, and it is becoming difficult to prevent unauthorized access only by the technique of associating the user ID, password and IP. Moreover, even if it is not a mobile device, there is a case where an unauthorized login to a web site used by the user is made after an unauthorized access to another person's computer.

  As a method to prevent unauthorized access, there is a need to install a special device etc. for the existing ones, resulting in high cost, and in addition to the input of ID and password, in addition to the operation for personal authentication. There are things that can damage the usability of the site, and it is not always easy for users to use.

  Therefore, there is a need for an unauthorized login detection method that is easy for the user to use and prevents malicious third parties from unauthorized login.

  An object of the present invention is to provide an unauthorized login detection method which is easy for a user to use to solve the problems described above and which can prevent a malicious third party from unauthorized login.

(1) A method for detecting an unauthorized login performed on a website in a network using a communication line, comprising: transmitting a program module for collecting information to the website; and accessing the website from a user terminal When the user terminal performs the program module in the user terminal, and transmits the user terminal operation processing information for the web site in the user terminal and the user terminal information to the first server by the program module A process of recording the operation process information and the terminal information in the first server, and a process of the operation process information recorded in the first server and the terminal information in the second server. Analyzing the unauthorized login or not; In the server, if there is a high possibility of fraudulent login as the result of analysis, fraud login detection method and a step of notifying the possibility of unauthorized login to the Web site.

  The program module for information processing is transmitted to the website, and the program module is executed, and user operation processing information (mouse operation information, keyboard operation information, information of swipe operation of mobile terminal, etc.) and terminal information (hardware) Send information, browser information, etc. to the first server. The second server analyzes whether this access is unauthorized access based on the information recorded in the first server. As a result of the analysis, if there is a high possibility of unauthorized access, the website operator is notified that the possibility of unauthorized access is high using means such as e-mail or console notification for management. This can provide an unauthorized login detection method that is easy for the user to use and that prevents unauthorized third parties from unauthorized login without placing a burden on the user.

(2) In the unauthorized login detection method according to (1), in the step of analyzing whether or not the unauthorized login is performed, the unauthorized login act in which a third party hijacks the user terminal and logs in using the user terminal Analysis of whether or not to log in using a program that automatically logs in to the website, or analysis of whether or not to log in using the program that is prepared beforehand, An unauthorized login detection method that performs at least one analysis of non-disclosure analysis.

  The operation processing information recorded so far in the first server is compared with the operation processing information at the time of the current login to analyze the operation by a third party, whether or not it is the operation by the program, or the fraud registered in advance Detect unauthorized login by comparing with access list. In this way, it is possible to provide an unauthorized login detection method that can prevent a malicious third party from unauthorized login.

(3) In the unauthorized login detection method according to (1) or (2), in the step of recording the operation processing information and the terminal information in the first server, a unique identifier for identifying the terminal information. A method of detecting an unauthorized login, comprising the steps of: generating a key; and recording operation processing information and terminal information.

  For example, when specifying with a telephone number etc., if a carrier changes, a possibility that a telephone number may change is considered. Also, when specifying by IP, if you access during movement, IP may change. By generating and recording a unique key for identifying terminal information, the terminal can be identified, operation information for a specific device is recorded, and the accuracy is improved. In this way, it is possible to provide an unauthorized login detection method that can prevent a malicious third party from unauthorized login.

(4) The unauthorized login detection method according to (1) or (2), in the step of recording the operation processing information and the terminal information in the first server, an identification key unique to the terminal information And generating the operation processing information and the terminal information;
Analyzing the analysis result of the step of analyzing whether or not the unauthorized login action is performed by comparison with the information of the fraudulent action list prepared in advance, using the identification key to record the information in the fraudulent action list; Unauthorized login detection methods including:

  Compare the operation processing information recorded so far using the identification key unique to the first server with the operation processing information at the time of this login, and analyze whether it is an operation by a third party or an operation by a program Detects unauthorized login by comparing it with the previously registered unauthorized access list. Furthermore, storing the analysis result in the unauthorized access list can improve the accuracy of the unauthorized access list and improve the unauthorized login detection capability. In this way, it is possible to provide an unauthorized login detection method that can prevent a malicious third party from unauthorized login.

It is a conceptual diagram explaining composition of a system concerning an embodiment of the present invention. It is a conceptual diagram explaining the processing sequence of the system concerning the embodiment of the present invention. It is a flow figure explaining the processing flow of the system concerning the embodiment of the present invention.

  As shown in FIG. 1, a system 1 using an unauthorized login detection method includes a server group 100 in which an unauthorized login detection program is executed, an unauthorized login detection target website 200, and a user terminal 300. . These are respectively connected by telecommunication lines such as the Internet. The server group 100 in which the unauthorized login detection program is executed includes a first server 100 storing various information such as user terminal information described later and operation information, and a second server 120 in which various applications are executed. It is configured. Note that this classification of servers is conceptual, and the actual physical configuration may be any number of two or more servers.

  The user terminal 300 is, for example, a smartphone or a computer. The unauthorized login detection target website 200 is a site to be logged in using the user terminal 300, and is, for example, a site such as a bank, an EC site, or the like.

  In the system 1 using the unauthorized login detection method, the unauthorized login detection target website 200 transmits Java Script (registered trademark) to the user terminal 300 when the user terminal 300 logs in to the unauthorized login detection target website 200. , Transmit user's terminal information and operation information from the user terminal 300. Further, the unauthorized login detection target website 200 transmits the information thereof to the server group 100, and uses the information stored in the second server 120 of the server group 100, the first server 110, etc., on the user terminal 300. Whether or not the behavior is the same as the normal behavior is determined whether or not it is an unauthorized login, and the determination result is transmitted to the unauthorized login detection target website 200, and the determination result is stored in the first server 110.

<Processing sequence>
FIG. 2 shows a sequence of unauthorized login detection processing according to the present invention. The terminal on the user side requests a login screen from the fraud detection target web site. Next, the fraud detection target website 200 transmits the program of the login screen to the terminal on the user side. The terminal on the user side requests Java Script from the server for the unauthorized login detection program.

  The server for the unauthorized login detection program transmits a JavaScript script for unauthorized login detection to the terminal on the user side. Thus, this process is an example of the process of transmitting the program module for information collection to the Web site.

  In the terminal on the user side, Java Script collects access terminal information which is terminal information on the user side. More specifically, (the browser setting language setting information, the screen resolution information, the information set in the terminal including the setting time information) and the like are collected. Thus, this process is an example of a process in which the program module is executed at the user terminal when the website is accessed from the user terminal.

  In the terminal on the user side, Java Script collects operation information which is information on what kind of operation the user performed on the terminal on the user side. More specifically, information such as an interval of key input on the fraud detection target website 200, a moving distance of screen scrolling, and screen coordinates when touching the screen is collected.

  The terminal on the user side hashes the access terminal information and the operation information, and transmits the hash information to the first server 110 for the unauthorized login detection program. After receiving the access terminal information and the operation information, the first server 110 for the unauthorized login detection program transmits information to the effect that the unauthorized login detection has been received to the terminal on the user side. As described above, this process is an example of the process of transmitting the user's operation process information for the web site in the user terminal 300 and the user terminal information to the first server by the program module.

  Based on the information transmitted from the user terminal 300 to the first server 110 for unauthorized login detection program, the second server 120 for unauthorized login detection program is improperly logged in to the fraud detection target web site 200 by the user terminal 300. It is judged whether or not it is. In addition, the detail of determination of whether it is unauthorized login is mentioned later. As described above, this process is an example of the process of analyzing whether or not the unauthorized login is performed based on the operation process information and the terminal information recorded in the first server in the second server.

  As shown in FIG. 3, in step S10, the first server 110 for the unauthorized login detection program registers the access information transmitted from the terminal on the user side. In step S20, the first server 110 for the unauthorized login detection program associates and registers the operation information transmitted from the terminal on the user side with the unique key for identifying the user.

  In step S30, the second server for unauthorized login detection program 120 generates a terminal unique key from the access information transmitted from the terminal on the user side. In step S40, the second server for unauthorized login detection program 120 refers to the personal past history recorded in the first server for unauthorized login detection program 110 from the generated terminal unique key. In addition, the operation information performed in the said user terminal 300 stringed | linked by the terminal unique key is registered into this principal past history. As described above, in this process, in the step of recording the operation processing information and the terminal information in the first server, a unique key for identification of the terminal information is generated and the operation processing information and the terminal information are recorded. It is an example of the unauthorized login detection method including a process.

  In step S50, the second server for unauthorized login detection program 120 collates the personal past history with the current operation information to determine unauthorized login. As an example of the illegal login case method, the operation of the user terminal 300 recorded in order to analyze whether the third party hijacks the user terminal 300 and logs in using the user terminal 300 is an unauthorized login activity or not. There is a method of comparing information and current operation information to determine whether there is a difference. For each user, there are wrinkles such as an interval of key input at the time of operation, a moving distance of screen scrolling, and screen coordinates when touching the screen. By analyzing the habit, it can be determined whether it is the original user or a third party.

  In addition, as an example of another unauthorized login case method, the operation of the user terminal 300 recorded to analyze whether or not an unauthorized login operation is performed by logging in using a program for automatically logging in to a website. There is a method of comparing information and current operation information to determine whether there is a difference. When logging in to a Web site automatically by a program, it is determined whether the information of the operation method such as the screen is different from the operation information of the original user, or the operation information is not found in the first place. be able to.

  In addition, there is a method of determining whether or not an unauthorized login is performed by comparison with information on a fraud list prepared in advance. If the terminal is stolen, lost, or used illegally, the information is collated with the registered fraudulent activity list, and the login by the terminal registered in the list can be determined as an unauthorized login.

  Thus, in this process, a third party hijacks the user terminal 300, analyzes whether or not it is an unauthorized login act to log in using the user terminal 300, and logs in using a program that automatically logs in to a website. This is an example of performing at least one analysis of analysis of fraudulent login behavior or not by analysis of fraudulent login behavior or comparison with information on a fraud list prepared in advance.

  If it is determined that the unauthorized login is performed, the second server for unauthorized login detection program 120 sets a notification necessity flag. Further, the second server for unauthorized login detection program 120 registers the determination result in the first server for unauthorized login detection program 110. When the notification necessity flag is set, the second server for unauthorized login detection program 120 notifies the fraud detection target website 200. Thus, this process analyzes the analysis result of the process of analyzing whether or not the unauthorized login is performed by comparison with the information of the fraud list prepared in advance, using the identification key, the information in the fraud list. It is an example of the process to record.

  As described above, this process is an example of the process of notifying the website of the possibility of the unauthorized login in the second server when the possibility of the unauthorized login is high as the analysis result. As described above, the unauthorized login detection system according to the present invention is an example of a system using an unauthorized login detection method performed on a website in a network using a communication line.

100 Program for detecting unauthorized login 110 First server 120 Second server 200 Website for unauthorized login detection 300 User terminal

Claims (4)

An unauthorized login detection method for a website in a network using a communication line, comprising:
Sending a program module for collecting information to the website;
A step of executing the program module on the user terminal when the web site is accessed from the user terminal;
Sending the user terminal operation processing information for the web site in the user terminal and the user terminal information to the first server by the program module;
Recording the operation processing information and the terminal information in the first server;
Analyzing the unauthorized login based on the operation processing information recorded in the first server and the terminal information in the second server;
And c. Notifying the web site of the possibility of unauthorized login if the second server has a high possibility of unauthorized login as the analysis result. The unauthorized login detection method according to claim 1, wherein
In the step of analyzing whether or not the unauthorized login is performed,
Analysis as to whether a third party hijacks the user terminal and logs in using the user terminal as an unauthorized login act,
Analysis of whether or not it is an unauthorized login act to log in using a program that automatically logs in to the website,
Alternatively, an unauthorized login detection method that performs at least one analysis of analysis of whether or not an unauthorized login is performed by comparison with information on a fraud list prepared in advance. The unauthorized login detection method according to claim 1 or 2, wherein
In the first server, in the step of recording the operation processing information and the terminal information, a unique key for identification of the terminal information is generated, and the step of recording the operation processing information and the terminal information is illegal. Login detection method. The unauthorized login detection method according to claim 1 and claim 2, wherein
The step of recording the operation processing information and the terminal information in the first server includes a step of generating an identification key unique to the terminal information and recording the operation processing information and the terminal information.
Analyzing the analysis result of the step of analyzing whether or not the unauthorized login action is performed by comparison with the information of the fraudulent action list prepared in advance, using the identification key to record the information in the fraudulent action list; Unauthorized login detection methods including: