JP2019168760A - Access method estimation system, and access method estimation method - Google Patents

Abstract

An object of the present invention is to accurately estimate a method of accessing a service providing apparatus in a financial institution. An access method estimating server (20) stores information on access to a service providing device in a financial institution and information on processing executed by the providing device in response thereto, and the providing device stores the information based on the access. A history acquisition unit 22 that acquires the history of the type of processing performed and the processing time of the processing from the storage unit, and that based on the acquired history, a predetermined type of processing is performed at a predetermined frequency or higher in the providing device. An access method estimating unit 23 that, when determined, estimates that the access method is based on automatic processing. [Selection diagram] FIG.

Description

  The present invention relates to an access method estimation system and an access method estimation method.

In recent years, with the rapid development of IT (Information Technology) technology, so-called Fintech (financial technology), which performs a new form of financial business that integrates IT technology.
) Is attracting attention. As one of the operations related to FinTech, IT companies, etc., store login information (ID and password) for accessing financial institution's website from the financial institution's customer, and use it from the website on behalf of the customer. There is web scraping that collects transaction information.

However, information collection by web scraping is automatically and in large quantities performed by a computer-based web crawler or the like. For this reason, the financial institution's website is heavily loaded and may affect the operations of the financial institution. For example, a large amount of access imposes pressure on financial institution computer resources, and a large number of errors occur due to automatic processing, which complicates website management. In addition, it becomes difficult for the financial institution to grasp the needs of customers of the financial institution based on the access history of the website, for example, by analyzing the flow of operation of the user's website. Therefore, it is important for the financial institution to distinguish between access based on automatic processing by a web crawler and operation or access performed by a customer based on individual intentions.

  In this regard, as a technique for discriminating contents of access to a computer, Patent Document 1 discloses a technique for detecting and specifying a malicious attack on an intelligent utility grid system by using non-IT data including event data relating to a specific position. Is disclosed. Further, in Patent Document 2, the electronic terminal device detects the usage of the display based on the fingerprints that characterize the usage of the display, and determines the status of the display based on the index. Describes a technique for obtaining a log of behavior data indicating the participation of a person.

JP 2013-533531 A JP 2017-504121 A

  However, automatic processing by web scraping is different from general malicious access (Patent Document 1), and the processing of a financial institution's website is not necessarily characterized only by the displayed screen (Patent Document). 2). At present, a technique for appropriately analyzing web scraping for a website of a financial institution according to its characteristics has not been developed so much.

  The present invention has been made in view of such a current situation, and an object thereof is to make it possible to accurately estimate a method of accessing a service providing apparatus in a financial institution.

One aspect of the present invention for solving the above problems is an access method estimation system, which stores information on access to a service providing apparatus in a financial institution and processing executed by the providing apparatus in response thereto A history acquisition unit that acquires a history of the type of the process performed by the providing device based on the access and a processing time of the process from the storage unit, and a predetermined amount in the providing device based on the acquired history. An access method estimation unit that estimates that the access method is based on automatic processing when it is determined that the type of processing has been performed at a predetermined frequency or more.

  ADVANTAGE OF THE INVENTION According to this invention, the method of access with respect to the service provision apparatus in a financial institution can be estimated accurately.

FIG. 1 is a diagram illustrating an example of an overall configuration of an access method estimation system 1 according to the present embodiment. FIG. 2 is a diagram illustrating an example of hardware included in each information processing apparatus (the financial institution server 10, the access method estimation server 20, and the customer terminal 40) in the access method estimation system 1. FIG. 3 is a diagram illustrating an example of functions provided in the access method estimation server 20. FIG. 4 is a diagram illustrating an example of the first determination condition information 60. FIG. 5 is a diagram illustrating an example of the second determination condition information 70. FIG. 6 is a diagram illustrating an example of the third determination condition information 80. FIG. 7 is a flowchart for explaining an example of the history collection process. FIG. 8 is a diagram illustrating an example of the login history management table 100. FIG. 9 is a flowchart for explaining an example of the first web scraping determination process. FIG. 10 is a diagram showing an example of the access management table 110 within the specified time. FIG. 11 is a diagram illustrating an example of the updated login history management table 100. FIG. 12 is a diagram showing an example of the access count management table 120 within the specified time. FIG. 13 is a diagram illustrating an example of a screen related to a web scraping user displayed by the access method estimation server 20. FIG. 14 is a diagram illustrating an example of the screen transition history management table 200. FIG. 15 is a flowchart illustrating an example of the web scraping second determination process. FIG. 16 is a diagram illustrating an example of the screen transition pattern management table 210. FIG. 17 is a diagram illustrating an example of the updated screen transition history management table 200. FIG. 18 is a diagram illustrating an example of the screen transition pattern number management table 220. FIG. 19 is a diagram illustrating an example of a screen related to target screen transition displayed by the access method estimation server 20. FIG. 20 is a diagram illustrating an example of the operation history management table 300. FIG. 21 is a flowchart illustrating an example of the web scraping third determination process. FIG. 22 is a diagram showing an example of the access management table 310 within the specified time. FIG. 23 is a diagram illustrating an example of the updated operation history management table 300. FIG. 24 is a diagram illustrating an example of the screen transition count management table 320 within the specified time.

The access method estimation system according to this embodiment will be described below with reference to the drawings.
<< Overall structure >>
FIG. 1 is a diagram illustrating an example of an overall configuration of an access method estimation system 1 according to the present embodiment. As shown in FIG. 1, the access method estimation system 1 includes a financial institution server 10 and an access method estimation server 20 provided corresponding to the financial institution server 10.

  The financial institution server 10 is a providing device that provides services in a financial institution (for example, operations and transactions performed by a financial institution such as confirmation of transaction amount or balance, deposit or refund of deposits, and buying and selling of financial products). An information processing apparatus that performs predetermined information processing (hereinafter referred to as transaction processing) related to a service. The financial institution server 10 is, for example, a server device that stores an online banking website in a financial institution.

  The financial institution server 10 performs transaction processing based on access from at least one customer terminal 40 that is an information processing apparatus managed or possessed by a customer of the financial institution or its agent. The customer terminal 40 and the financial institution server 10 are connected via a wired or wireless communication network 3 such as the Internet, for example.

The access method estimation server 20 is an information processing apparatus that estimates an access method of access (access from the customer terminal 40) performed on the financial institution server 10 by analyzing processing performed by the financial institution server 10. is there. Note that the financial institution server 10 and the access method estimation server 20 are connected via a wired or wireless communication network 4 such as a LAN (Local Area Network), a WAN (Wide Area Network), the Internet, an intranet, a dedicated line, or the like. Connected.

  The access method estimation system 1 according to the present embodiment is based on whether the access by the customer terminal 40 is access by manual operation by a customer or the like, or automatic processing by web scraping or the like performed by a customer agent (company) or the like. Determine if it is an access.

Here, FIG. 2 is a diagram illustrating an example of hardware included in each information processing apparatus (the financial institution server 10, the access method estimation server 20, and the customer terminal 40) in the access method estimation system 1. As shown in the figure, each information processing device includes a processor 51 such as a CPU (Central Processing Unit), a main storage device 52 such as a RAM (Random Access Memory) and a ROM (Read Only Memory), and an HDD (Hard Disk). Drive), an auxiliary storage device 53 such as an SSD (Solid State Drive), an input device 54 composed of a keyboard, a mouse, a touch panel, etc., an output device 55 composed of a monitor (display), and other information processing devices. And a communication device 56 for performing.

Next, the function of the access method estimation server 20 will be described.
<< Function >>
FIG. 3 is a diagram illustrating an example of functions provided in the access method estimation server 20. As shown in the figure, the access method estimation server 20 includes a history acquisition unit 22, an access method estimation unit 23, an access source information output unit 24, and a history output unit 25.

  The storage unit 21 stores information on access to a service providing apparatus (financial institution server 10) in a financial institution and processing executed by the providing apparatus (financial institution server 10) accordingly.

  The history acquisition unit 22 acquires a history of the types of processing (transaction processing) performed by the providing device (financial institution server 10) and processing times of the processing based on the access (access from the customer terminal 40).

  The access method estimation unit 23 includes a first access method estimation unit 231, a second access method estimation unit 232, and a third access method estimation unit 233, and the history acquisition unit 22 acquires the type of processing and the processing time history. If it is determined that a predetermined type of processing is performed at a predetermined frequency (hereinafter referred to as a frequency threshold) or more, it is estimated that the access method is based on automatic processing.

  Specifically, the first access method estimation unit 231 includes a history of login processing and logout processing as types of the processing (transaction processing) performed by the providing device (financial institution server 10), and processing of these processing. A time history is acquired, and based on the acquired history, the frequency that the time from the login process to the logout process is less than a predetermined time (hereinafter referred to as a prescribed access time) is equal to or higher than the predetermined frequency (frequency threshold). If it is determined, the access method is estimated to be based on automatic processing.

(First determination condition information 60)
Here, FIG. 4 is a diagram illustrating an example of information (hereinafter referred to as first determination condition information) in which information on the frequency threshold and the specified access time in the first access method estimation unit 231 is stored. As shown in the figure, the first determination condition information 60 includes a frequency threshold 62 (500 cases per month in the figure) and a prescribed access time 64 (30 seconds in the figure).
The frequency threshold 62 is, for example, the frequency of use of the customer terminal 40, which is as high as is not normally possible when the customer operates the customer terminal 40 with the intention of the person (if the scale of the financial institution or web scraping is performed). It may be set according to the assumed person). The specified access time 64 is an access time (time from login to logout) to the financial institution server 10 that is short enough to be impossible when the customer manually operates the customer terminal 40 with the intention of the customer. The frequency threshold 62 and the specified access time 64 may be specified by specific numerical values, or may be specified by an identifier (ID) assigned for each numerical value.

  Next, the second access method estimation unit 232 shown in FIG. 3 was performed between the login process and the logout process as the type of the process (transaction process) performed by the providing device (financial institution server 10). A plurality of processing histories for outputting predetermined information and processing times of these processings are acquired, and the plurality of processings are performed in a predetermined order (hereinafter referred to as a prescribed screen transition pattern) based on the acquired history. When it is determined that the appearance frequency is equal to or higher than the predetermined frequency (frequency threshold), it is estimated that the access method is based on automatic processing.

(Second determination condition information 70)
Here, FIG. 5 is a diagram illustrating an example of information (hereinafter referred to as second determination condition information) in which information on the frequency threshold value and the prescribed screen transition pattern in the second access method estimation unit 232 is stored. As shown in the figure, the second determination condition information 70 includes a frequency threshold 72 (500 cases per month in the figure) and at least one defined screen transition pattern 74 (two patterns in the figure). .
The frequency threshold 72 is, for example, the frequency of use of the customer terminal 40, which is as high as would normally be possible if the customer operated the customer terminal 40 with the intention of the person (if the financial institution scale or web scraping is performed). It may be set according to the assumed person). The specified screen transition pattern 74 is a screen display order corresponding to the order of transaction processing that is considered to be typically performed by automatic web scraping processing. Note that the frequency threshold 72 and the specified screen transition pattern 74 may be specified by specific numerical values, or identifiers (IDs) assigned to the numerical values.
) May be specified.

  Next, the third access method estimation unit 233 shown in FIG. 3 outputs the first information output process and the second information as the type of the process (transaction process) performed by the providing apparatus (financial institution server 10). A history of information output processing and a history of processing times of these processes are acquired, and based on the acquired history, a time from the output processing of the first information to the output processing of the second information is predetermined. When it is determined that the frequency that is less than the time (hereinafter referred to as the prescribed screen transition time) is equal to or greater than the predetermined frequency (frequency threshold), it is estimated that the access method is based on automatic processing.

(Third determination condition information 80)
Here, FIG. 6 is a diagram illustrating an example of information (hereinafter referred to as third determination condition information) in which information on the frequency threshold and the specified screen transition time in the third access method estimation unit 233 is stored. As shown in the figure, the third determination condition information 80 includes a frequency threshold 82 (500 cases per month in the figure) and a prescribed screen transition time 84 (3 seconds in the figure).
The frequency threshold 82 is, for example, the usage frequency of the customer terminal 40, which is as high as is normally not possible when the customer operates the customer terminal 40 with the intention of the person (if the scale of the financial institution or web scraping is performed). It may be set according to the assumed person). In addition, the specified screen transition time 84 stores a display time interval of each screen, which is short to the extent that it is not normally possible when the customer manually operates the customer terminal 40 with the intention of the customer. The frequency threshold 82 and the specified screen transition time 84 may be specified by specific numerical values, or may be specified by an identifier (ID) assigned for each value.

  Next, the access source information output unit 24 shown in FIG. 3 specifies information that identifies a subject who has made access by the access method based on the history acquired by the history acquisition unit 22, or information on the estimation result of the access method. Is output. The history output unit 25 outputs the history information acquired by the history acquisition unit 22.

  The function of the access method estimation server 20 described above is the function of the hardware of the access method estimation server 20 or the processor 51 of the access method estimation server 20 stored in the main storage device 52 or the auxiliary storage device 53. This is realized by reading and executing the program.

  In addition, these programs are, for example, a secondary storage device, a nonvolatile semiconductor memory, a hard disk drive, a storage device such as an SSD, or a non-transitory data storage that can be read by a computer, such as an IC card, an SD card, or a DVD. Stored on media.

Next, processing performed in the access method estimation system 1 (hereinafter referred to as access method estimation processing) will be described.
<< Access method estimation process >>
<Processing example 1>
First, an access method estimation process (processing example 1) based on the first access method estimation unit 231 will be described.

(History collection processing)
FIG. 7 shows an example of processing (hereinafter referred to as history collection processing) in which the access method estimation server 20 acquires information related to transaction processing performed by the financial institution server 10 based on access from the customer terminal 40 in Processing Example 1. It is a flowchart explaining these. This process is repeatedly performed at a predetermined timing (for example, a predetermined time interval or a predetermined time).

First, the access method estimation server 20 is changed from the financial institution server 10 to the financial institution server 10.
The transaction process and the process time performed by are received (s11). Next, the access method estimation server 20 stores the information received in s11 (s13), and the history collection process ends.

  The transaction processing information received by the access method estimation server 20 includes, for example, information on processing related to business and transactions performed by financial institutions, such as confirmation of transaction amount or balance, deposit or refund of deposits, and buying and selling of financial products. And information related to the log-in process and log-out process corresponding to the access from the customer terminal 40 to the financial institution server 10. For example, at the time of the login process and logout process, the financial institution server 10 receives authentication information (for example, a user) that uses the customer terminal 40 from the customer terminal 40 or an agent (hereinafter referred to as a user). In order to receive a user ID or password, these pieces of information are included.

Here, an example of information stored in s13 will be described.
--Login history management table 100--
8 illustrates information stored in the history collection process according to Process Example 1 in the access method estimation server 20 in which information related to the login process and the logout process from the customer terminal 40 is stored (hereinafter referred to as a login history management table). It is a figure which shows an example. As shown in the figure, the login history management table 100 corresponds to user ID 101 in which information (user ID) for identifying a user using the customer terminal 40 is stored, and access from the user with the user ID 101. A transaction ID 102 for storing information (transaction ID) for identifying a series of processes (transactions) from the login process to the logout process performed, and a login date and time 103 for storing the date or time when the login process was performed in the transaction with the transaction ID 102 The logout date / time 104 when the logout process in the transaction with the transaction ID 102 is performed or the time is stored, and information indicating the transaction time of the transaction ID 102 (hereinafter referred to as the usage time) is stored. The access time 105 and the estimation result of the access method related to the transaction with the transaction ID 102 (whether it is based on the manual operation of the user using the customer terminal 40 or based on the automatic processing of the customer terminal 40) are stored. The estimation result 106 is composed of at least one record having each item. The user ID 101 stores, for example, user authentication information used for the login process. Further, information is not stored in the estimation result 106 at the time of the history collection process.

Next, web scraping determination processing according to Processing Example 1 will be described.
(Web scraping first determination process)
FIG. 9 is a flowchart for explaining an example of processing in which the access method estimation server 20 estimates the access method of the customer terminal 40 to the financial institution server 10 (hereinafter referred to as “web scraping first determination processing”). is there. Note that this processing is performed, for example, when a predetermined input is input from the user to the input device 54 or after the login history management table 100 is generated (for example, a predetermined time interval or a predetermined time). ) Etc.

  First, the access method estimation server 20 specifies the usage time of each transaction of each user based on the generated login history management table 100, and a transaction (hereinafter referred to as a specified time) in which each specified usage time is within the specified access time. (Referred to as an internal transaction) (s21). Specifically, for example, the access method estimation server 20 identifies all records in which the time indicated by the use time 105 is within the specified access time 64 of the first determination condition information 60 among the records of the login history management table 100. To do.

-Access management table 110 within specified time-
Here, FIG. 10 is a diagram illustrating an example of information (hereinafter referred to as an access management table within a specified time) stored by the access method estimation server 20 that stores a transaction within a specified time. As shown in the figure, the specified time access management table 110 includes a user ID 111 that is an item corresponding to the user ID 101 of the login history management table 100 and a transaction that is an item corresponding to the transaction ID 102 of the login history management table 100. It consists of at least one record having each item of ID 112 and specified time ID 113 in which information indicating the specified access time is stored.

  Next, as shown in FIG. 9, the access method estimation server 20 identifies a user who has performed a transaction within a specified time at a frequency threshold or more (s23). Specifically, for example, the access method estimation server 20 determines that the time of the login process related to the transaction ID 112 among the records in the access management table 110 within the specified time period is indicated by the frequency threshold 62 of the first determination condition information 60. (For example, the date and time of the login process (the login date and time 103 of the login history management table 100) is the latest one month), and the user for each value of the user ID 111 of the extracted record. The number of records with ID 111 is counted. And the access method estimation server 20 specifies the content (web scraping user) of the user ID 111 of the record whose counted number of records is equal to or greater than the number indicated by the frequency threshold value 62 of the first determination condition information 60.

  Then, the access method estimation server 20 updates the login history management table 100 based on the user specified in s23 (s25).

  FIG. 11 is a diagram illustrating an example of the updated login history management table 100. As shown in the figure, the web scraping result 106 of the record in which the user ID of the web scraping user is stored in the user ID 101 and the time within the specified access time is stored in the usage time 105 is shown in FIG. Information indicating the user (“scraping”) is stored, and information indicating that the user is not a web scraping user (“user's own access assumption”) is stored in the estimation result 106 of the other records.

  Furthermore, as shown in FIG. 9, the access method estimation server 20 stores information on the web scraping user specified in s23 and displays it on the output device 55, and the web scraping first determination process ends (s27).

Here, an example of the information memorize | stored regarding a web scraping user and the screen displayed regarding this is demonstrated.
-Access count management table 120 within specified time period-
FIG. 12 is a diagram illustrating an example of information (information on the number of accesses within a specified time management table 120) stored as information on web scraping users. The access count management table 120 within the specified time is generated for each web scraping user, the specified time ID 121 in which information indicating the specified access time is stored, and the number of accesses in which the number of transactions within the specified time is stored. There are 122 items. If no web scraping user is found, a message to that effect is displayed.

  FIG. 13 is a diagram illustrating an example of a screen related to a web scraping user displayed by the access method estimation server 20. As shown in the figure, the access method estimation server 20 includes a web scraping user list 30 (for example, a user ID), and a customer terminal used by the web scraping user to access the financial institution server 10. A list 31 of 40 (for example, information on the customer terminal 40 included in the information received in the access history collection process) is displayed.

As described above, the access method estimation system 1 according to the processing example 1 includes the information specifying the login process and the logout process as the types of processes (transaction processes) performed by the providing device (the financial institution server 10), and these When it is determined based on the processing time of the processing that the frequency from the log-in process to the log-out process is less than a predetermined time (regular access time) is a predetermined frequency (frequency threshold) or more, the customer terminal 40 It is presumed that the access method from is based on automatic processing (by web scraping). As described above, the access method estimation system 1 according to the processing example 1 determines the behavior characteristic of the automatic processing that the time from login to logout is short. As a result, it is possible to accurately estimate a method for accessing a service providing apparatus in a financial institution.

<Processing example 2>
Next, an access method estimation process (processing example 2) based on the second access method estimation unit 232 will be described.

(History collection processing)
Since the history collection process according to the process example 2 is the same as the process example 1, the description thereof is omitted. However, in the history collection process according to Process Example 2, the access method estimation server 20 stores the following information different from Process Example 1.

--Screen transition history management table 200--
FIG. 14 shows an example of information relating to the screen history displayed by the financial institution server 10 (hereinafter referred to as a screen transition history management table) among the information stored in the access method estimation server 20 in the history collection processing according to Processing Example 2. FIG. As shown in the figure, the screen transition history management table 200 includes a user ID 201 in which information (user ID) for identifying a user using the customer terminal 40 is stored, and a transaction by a user access of the user ID 201. Transaction ID 203 in which information (transaction ID) for identifying is stored, transition source screen ID 204 in which information indicating the type (screen ID) of the screen displayed in the transaction with transaction ID 203 is stored, next to the screen of transition source screen ID 204 The date and time of transition from the screen (transition source screen) of the transition destination screen ID 204 and the screen of the transition source screen ID 204 (transition source screen) in which information indicating the type of screen (screen ID) displayed in the screen is stored. Or the date 202 when the time information is stored and the transition from the transition source screen The estimation result 206 of the access method related to the transition to the previous screen (whether it is based on the manual operation of the user using the customer terminal 40 or based on the automatic processing of the customer terminal 40) is stored. It is composed of at least one record having each item. The user ID 201 stores, for example, user authentication information used for the login process. The estimation result 206 does not store information at the time of history collection processing.

Next, web scraping determination processing according to Processing Example 2 will be described.
(Web scraping second determination process)
FIG. 15 is a flowchart for explaining an example of processing (hereinafter referred to as “web scraping second determination processing”) in the processing example 2 in which the access method estimation server 20 estimates the access method of the customer terminal 40 to the financial institution server 10. is there. This process is performed, for example, when a predetermined input is input from the user to the input device 54, or after the screen transition history management table 200 is generated, for example, at a predetermined timing (for example, a predetermined time interval or a predetermined time). Etc.)

First, the access method estimation server 20 specifies a screen transition corresponding to one of the specified screen transition patterns 74 (hereinafter referred to as a target screen transition) based on the generated screen transition history management table 200 (s41). Specifically, for example, the access method estimation server 20 identifies all the records in the screen transition history management table 200 in which the same transaction ID is stored in the transaction ID 203, and each date and time 2 of the identified records.
02, by referring to the transition source screen ID 204 and the transition destination screen ID 205, the screen transition of the same pattern as any one of the defined screen transition patterns 74 of the second determination condition information 70 is specified.

Here, an example of information generated by the access method estimation server 20 when the target screen transition is specified will be described.
--Screen transition pattern management table 210--
FIG. 16 is a diagram illustrating an example of information (hereinafter referred to as a screen transition pattern management table) in which the specified target screen transition is stored. As shown in the figure, the screen transition pattern management table 210 includes a screen transition pattern number 213 in which information specifying a specified screen transition pattern corresponding to the target screen transition is stored, and a target screen transition of the screen transition pattern number 213 is executed. A transaction ID 212 in which the transaction ID of the received transaction is stored, and a user ID 211 in which a user ID of a user who has made access corresponding to the transaction of the transaction ID 212 is stored. Consists of records.

  Next, as illustrated in FIG. 15, the access method estimation server 20 specifies a user who has performed the target screen transition at a frequency threshold or more, for example, for each transaction (s43). Specifically, for example, the access method estimation server 20 determines the date and time of the record in the screen transition history management table 200 in which the same content as the transaction ID 212 of each record in the screen transition pattern management table 210 is stored in the transaction ID 203. The value of 202 is acquired, and the record of the screen transition pattern management table 210 that is within the period indicated by the frequency threshold 72 of the second determination condition information 70 (for example, the most recent month) is extracted and extracted. The number of records is counted for each value of the record user ID 211. Then, the access method estimation server 20 specifies the user ID 211 (web scraping user) of the record whose counted number of records is equal to or greater than the number indicated by the frequency threshold 72 of the second determination condition information 70.

  Then, the access method estimation server 20 updates the screen transition history management table 200 based on the user specified in s43 (s45).

  FIG. 17 is a diagram illustrating an example of the updated screen transition history management table 200. As shown in the figure, the estimation result 106 of the record in which the user ID 101 of the web scraping user is stored in the user ID 101 and the target screen transition is stored in the transition source screen ID 204 and the transition destination screen ID 205 is displayed. , Information indicating a web scraping user (“scraping”) is stored, and information indicating that the user is not a web scraping user (“user's own access assumption”) is stored in the estimation result 106 of other records. Is done.

  Further, as shown in FIG. 15, the access method estimation server 20 stores the information related to the web scraping user specified in s43 and displays the information related to the web scraping user on the output device 55 as in the processing example 1. (S47).

Here, an example of the information memorize | stored regarding a web scraping user is demonstrated.
-Screen transition pattern number management table 220-
FIG. 18 is a diagram illustrating an example of information (screen transition pattern number management table 220) storing information related to the specified web scraping user. As shown in the figure, the screen transition pattern number management table 220 is generated for each identified web scraping user, and includes a screen transition pattern number 221 in which information indicating the target screen transition is stored, and a screen transition pattern number 221. Is composed of at least one record having each item of the number of accesses 222 in which the number of screen displays of the target screen transition indicated by is stored.

  Further, as shown in FIG. 15, the access method estimation server 20 displays information related to the target screen transition specified in s43 (s49), and the web scraping second determination process ends (s50).

Here, an example of the screen displayed regarding the target screen transition will be described.
FIG. 19 is a diagram illustrating an example of a screen related to target screen transition displayed by the access method estimation server 20. As shown in the figure, the access method estimation server 20 displays the frequency 33 at which the target screen transition is performed for each of the prescribed screen transition patterns 34.

  As described above, the access method estimation system 1 according to the processing example 2 is performed between the login process and the logout process as the type of process (transaction process) performed by the providing device (financial institution server 10). Based on information for specifying a plurality of processes for outputting predetermined information (transition source screen and transition destination screen output processes) and processing times of these processes, the plurality of processes are performed in a predetermined order (specified screen transition pattern). ) Is determined to be equal to or higher than a predetermined frequency (frequency threshold), it is estimated that the access method from the customer terminal 40 is based on automatic processing (by web scraping). As described above, the access method estimation system 1 according to the processing example 2 frequently causes screen transitions in a specific order (for example, even if the customer does not have a time deposit account, the screen related to the time deposit account is always displayed). Display), a behavior characteristic of automatic processing is determined. As a result, it is possible to accurately estimate a method for accessing a service providing apparatus in a financial institution.

<Processing example 3>
Next, an access method estimation process (processing example 3) based on the third access method estimation unit 233 will be described.

(History collection processing)
Since the history collection process according to Process Example 3 is the same as Process Examples 1 and 2, description thereof is omitted. However, in the history collection process according to Process Example 3, the access method estimation server 20 stores the following information different from Process Examples 1 and 2.

--Operation history management table 300--
FIG. 20 shows an example of information related to the history of processing executed by the financial institution server 10 (hereinafter referred to as an operation history management table) among the information stored in the access method estimation server 20 in the history collection processing according to Processing Example 3. FIG. As shown in the figure, the operation history management table 300 includes a user ID 301 in which information (user ID) for identifying a user who uses the customer terminal 40 is stored, and a transaction by a user access of the user ID 301. Transaction ID 302 in which identification information (transaction ID) is stored, transition source screen ID 305 in which information indicating the type of screen (screen ID) displayed in the transaction with transaction ID 302 is stored, and from customer terminal 40 to financial institution server 10 Based on a predetermined access (operation), a transition destination screen ID 306 in which information indicating a screen type (screen ID) displayed next to the screen of the transition source screen ID 305 is stored, and a screen of the transition source screen ID 305 (transition source) Screen) to the screen of transition destination screen ID 306 (transition destination screen) Operation ID 303 in which an identifier (operation ID) of an access (operation) performed for the purpose is stored, date / time when access (operation) of the operation ID 303 is performed or operation date / time 304 in which information on time is stored, and a transition source Estimated result of storing the access method related to the transition from the screen to the transition destination screen (whether by the manual operation of the user using the customer terminal 40 or based on the automatic processing of the customer terminal 40) Each item of the result 307 is composed of at least one record. The user ID 301 stores, for example, user authentication information used for the login process. The estimation result 307 does not store information at the time of history collection processing.

Next, web scraping determination processing according to Processing Example 3 will be described.
(Web scraping third determination process)
FIG. 21 is a flowchart for explaining an example of processing (hereinafter, web scraping third determination processing) in which the access method estimation server 20 estimates the access method of the customer terminal 40 to the financial institution server 10 in the processing example 3. . This process is performed, for example, when a predetermined input is input from the user to the input device 54 or after the operation history management table 300 is generated, for example, at a predetermined timing (for example, a predetermined time interval or a predetermined time). ) Etc.

  First, based on the generated operation history management table 300, the access method estimation server 20 specifies an access or operation (hereinafter referred to as a target operation) that has caused a screen transition within the specified screen transition time (s61). Specifically, for example, the access method estimation server 20 specifies all the records of the operation history management table 300 in which the same transaction ID is stored in the transaction ID 302, and specifies the operation ID 303, operation date 304, transition of the specified record. By referring to the original screen ID 305 and the transition destination screen ID 306, the order of the screen transition, the operation ID of the operation corresponding to each screen transition, and the time required for each screen transition (the time indicated by the operation date and time 304 of a certain record) The time corresponding to the time indicated by the operation date 304 of another record (hereinafter referred to as transition time) is identified, and the operation corresponding to the screen transition whose transition time is within the specified screen transition time among the identified operation IDs. The ID is specified by the operation ID 303.

Here, an example of information generated by the access method estimation server 20 when the target operation is specified will be described.
-Access management table within specified time 310-
FIG. 22 is a diagram illustrating an example of information storing the target operation (hereinafter referred to as an access management table within a specified time). As shown in the figure, the specified time access management table 310 includes a user ID 311 in which the user ID of the user corresponding to the target operation is stored, and a transaction in which the transaction ID of the transaction in which the target operation is performed is stored. ID 312, transition destination operation ID 313 in which the operation ID of the target operation is stored, and at least one item including specified time ID 314 in which information specifying the transition time corresponding to the target operation of the transition destination operation ID 313 is stored It consists of the above records.

  Next, as illustrated in FIG. 21, the access method estimation server 20 specifies a user who has performed a screen transition related to the target operation at a frequency threshold or higher (s63). Specifically, for example, the access method estimation server 20 includes the operation history management table 300 in which the same content as the content of the transition destination operation ID 313 is stored in the operation ID 303 among the records of the access management table 310 within the specified time. A record of the operation time 304 of the record is acquired, and the acquired value is within the period indicated by the frequency threshold 82 of the third determination condition information 80 (for example, the most recent month), the record of the access management table 310 within the specified time And the number of records is counted for each value of the user ID 311 of the extracted records. Then, the access method estimation server 20 includes the user ID 311 (web scraping user) of the record whose number of records counted is equal to or greater than the number indicated by the frequency threshold 82 of the third determination condition information 80 and the number of records (number of records). ).

  Next, as shown in FIG. 21, the access method estimation server 20 updates the operation history management table 300 based on the user specified in s63 (s65).

FIG. 23 is a diagram illustrating an example of the updated operation history management table 300. As shown in the figure, the operation ID of the target operation is stored in the operation ID 303, and the estimation result 307 of the record in which the target operation is stored in the operation ID 303 includes information indicating the web scraping user (
“Scraping”) is stored, and information indicating that the user is not a web scraping user (“user's own access assumption”) is stored in the estimation result 307 of the other records.

  Further, as illustrated in FIG. 21, the access method estimation server 20 stores the information related to the web scraping user specified in s63 and displays the information related to the web scraping user on the output device 55 as in the processing example 1. (S67), and the web scraping third determination process is terminated (s69).

Here, an example of the information memorize | stored regarding a web scraping user is demonstrated.
-Screen transition count management table 320 within the specified time-
FIG. 24 is a diagram illustrating an example of information (screen transition number management table 320 within a specified time) that stores information related to the specified web scraping user. As shown in the figure, the screen transition count management table 320 within the specified time is generated for each identified web scraping user, and the specified time ID 321 in which information specifying the specified screen transition time is stored, and the target operation It consists of at least one or more records having each item of the number of screen transitions 322 in which information specifying the frequency is stored.

  As described above, the access method estimation system 1 according to the processing example 3 outputs the first information output process and the second information output process (types of processes performed by the providing apparatus (financial institution server 10)). The time from the output process of the first information to the output process of the second information is predetermined based on the information specifying the output process of the transition source screen and the output process of the transition destination screen) and the processing time of these processes If it is determined that the frequency that is less than the predetermined time (regular screen transition time) is equal to or higher than a predetermined frequency (frequency threshold), it is estimated that the access method is based on automatic processing (access by web scraping). As described above, the access method estimation system 1 according to the processing example 3 determines a behavior characteristic of automatic processing, such as transition of a screen of specific information in a short time. As a result, it is possible to accurately estimate a method for accessing a service providing apparatus in a financial institution.

  The above description of the embodiment is for facilitating the understanding of the present invention, and does not limit the present invention. The present invention can be changed and improved without departing from the gist thereof, and the present invention includes equivalents thereof.

  For example, although it is assumed that there is only one financial institution server 10 in the present embodiment, the access method estimation server 20 is connected to a plurality of financial institution servers 10 and is connected to each of the connected financial institution servers 10. The access method may be estimated.

  Moreover, you may use processing example 1-3 suitably combining. For example, the web scraping user is specified by the processing example 1, the web scraping user is specified by the processing example 2, and the web scraping user specified by both or both is used as the final web scraping usage. You may make it identify as a person. Similarly, a combination of Process Examples 2 and 3, a combination of Process Examples 1 and 3, and a combination of Process Examples 1-3 may be used.

  The contents of the first determination condition information 60, the second determination condition information 70, and the third determination condition information 80, which are condition information for estimating the access method by the customer terminal 40, are for each user or financial institution server. You may change and set every ten.

At least the following will be clarified by the description of the present specification. That is, the access method estimation system 1 of the present embodiment includes a storage unit that stores information on access to a service providing apparatus in a financial institution and processing executed by the providing apparatus according to the access, and the providing apparatus based on the access The history acquisition unit that acquires the history of the type of processing performed and the processing time of the processing from the storage unit, and a predetermined type of processing is performed at a predetermined frequency or more in the providing device based on the acquired history. And an access method estimation unit that estimates that the access method is based on automatic processing when it is determined that the access has been broken.
Accordingly, for example, the cause of the consumption of the resources of the financial institution server 10 is specified, the number of errors occurring in the financial institution server 10 is reduced accordingly, or the customer based on the processing history stored in the financial institution server 10 The flow line analysis can be accurately performed.
That is, according to the access method estimation system 1 of the present embodiment, it is possible to accurately estimate a method for accessing a service providing apparatus (such as a financial institution's Internet banking website) at a financial institution.

In the access method estimation system 1 according to the present embodiment, the access method estimation unit includes a history of login processing and logout processing as the types of processing performed by the providing device, and history of processing times of these processing, The access method is based on automatic processing when it is determined that the frequency from the login process to the logout process is less than the predetermined frequency based on the acquired history is less than the predetermined frequency. It may be estimated that.
In this way, by determining the behavior characteristic of automatic processing that the time from login to logout is short, login and logout are repeated frequently in a short time, and a particularly heavy load is applied to the financial institution server 10. Access can be estimated accurately.

Further, in the access method estimation system 1 according to the present embodiment, the access method estimation unit outputs predetermined information performed between a login process and a logout process as the type of the process performed by the providing device. The history of a plurality of processes to be performed and the history of the processing times of these processes are acquired, and based on the acquired history, it is determined that the frequency at which the plurality of processes are performed in a predetermined order is equal to or higher than the predetermined frequency In this case, it may be estimated that the access method is based on automatic processing.
In this way, by making a determination about the behavior characteristic of automatic processing that screen transitions in a specific order frequently occur, for example, even if a customer has a time deposit account, it is related to the time deposit account. It is possible to accurately estimate an access that places a special load on the financial institution server 10 by repeating unnecessary screen transitions such as displaying the screen without fail.

Further, in the access method estimation system 1 of the present embodiment, the access method estimation unit includes a history of first information output processing and second information output processing as the types of processing performed by the providing device. And a history of the processing times of these processes, and based on the acquired history, there is a frequency that the time from the first information output process to the second information output process is less than a predetermined time. When it is determined that the frequency is equal to or higher than the predetermined frequency, the access method may be estimated to be based on automatic processing.
In this way, it is possible to accurately estimate an access that places a heavy resource load on the financial institution server 10 such that the screen transition of specific information is frequently performed in a short time.

Further, in the access method estimation system 1 according to the present embodiment, based on the acquired history, access source information output that outputs information that identifies a subject that has made access by the access method or information on the estimation result of the access method It is good also as providing a part.
As described above, by outputting the information on the entity that has accessed the financial institution server 10 or the estimation result, the administrator (financial institution) of the financial institution server 10 can access the current state of the access to the financial institution server 10. Can be easily grasped.

The access method estimation system 1 of the present embodiment may further include a history output unit that outputs the acquired history information.
In this way, by outputting the acquired history information, the administrator (financial institution) of the institution server 10 can perform flow analysis of customers of the institution using this.

  Further, in the access method estimation system 1 according to the present embodiment, based on the acquired history, access source information output that outputs information that identifies a subject that has made access by the access method or information on the estimation result of the access method The access method estimation unit acquires a log of log-in processing and log-out processing as the types of processing performed by the providing device, and a history of processing times of these processing, and acquires the acquired history. If it is determined that the frequency from the login process to the logout process is less than a predetermined time is equal to or higher than the predetermined frequency, the access method is estimated to be based on an automatic process. Good.

  In addition, the access method estimation method according to the present embodiment stores information on an access to a service providing apparatus in a financial institution and processing executed by the providing apparatus in response to the access method estimating apparatus having a processor and a memory. Processing, a history acquisition process for acquiring the history of the type of the process performed by the providing device based on the access and the processing time of the processing from the storage unit, and a predetermined amount in the providing device based on the acquired history An access method estimation process for estimating that the access method is based on an automatic process when it is determined that the type of process has been performed at a predetermined frequency or more is executed.

  In the access method estimation method according to the present embodiment, the access method estimation process includes a log of log-in processing and log-out processing as the types of processing performed by the providing device, and a history of processing times of these processing. The access method is based on automatic processing when it is determined that the frequency from the login process to the logout process is less than the predetermined frequency based on the acquired history is less than the predetermined frequency. It may be estimated that there is.

  In the access method estimation method according to the present embodiment, the access method estimation process outputs predetermined information performed between a login process and a logout process as the type of the process performed by the providing device. When a history of a plurality of processes and a history of processing times of these processes are acquired, and based on the acquired history, it is determined that the frequency at which the plurality of processes are performed in a predetermined order is equal to or higher than the predetermined frequency In addition, it may be estimated that the access method is based on automatic processing.

  In the access method estimation method according to the present embodiment, the access method estimation process includes the history of the first information output process and the second information output process as the type of the process performed by the providing device; The processing time history of these processes is acquired, and based on the acquired history, the frequency that the time from the first information output process to the second information output process is less than a predetermined time is When it is determined that the frequency is equal to or higher than a predetermined frequency, it may be estimated that the access method is based on automatic processing.

  Further, in the access method estimation method of the present embodiment, based on the acquired history, an access source information output unit that outputs information that identifies an entity that has accessed by the access method, or information on an estimation result of the access method It is good also as comprising.

  The access method estimation method according to the present embodiment may further include a history output unit that outputs the acquired history information.

Further, in the access method estimation method of the present embodiment, access source information output processing for outputting information for identifying a subject who has made access by the access method based on the acquired history or information on the estimation result of the access method Further, the access method estimation process acquires a log of log-in process and log-out process as the type of the process performed by the providing device, and a log of the process time of these processes. If it is determined that the frequency from the login process to the logout process is less than a predetermined time is equal to or higher than the predetermined frequency, the access method is estimated to be based on an automatic process. Good.

DESCRIPTION OF SYMBOLS 1 Access method estimation system, 10 Financial institution server, 20 Access method estimation server, 22 History acquisition part, 23 Access method estimation part, 24 Access origin information output part, 25 History output part

Claims (14)

A storage unit storing information on access to a service providing apparatus in a financial institution and processing executed by the providing apparatus according to the access;
A history acquisition unit that acquires, from the storage unit, a history of the type of the process performed by the providing device based on the access and the processing time of the process;
An access method estimation unit that estimates that the access method is based on automatic processing when it is determined that a predetermined type of processing is performed at a predetermined frequency or more in the providing device based on the acquired history; ,
An access method estimation system comprising: The access method estimation unit acquires a history of login processing and logout processing as the types of processing performed by the providing device, and a history of processing times of these processing, and based on the acquired history, the login processing When it is determined that the frequency from the time until the logout process is less than a predetermined time is equal to or higher than the predetermined frequency, the access method is estimated to be based on automatic processing.
The access method estimation system according to claim 1. The access method estimation unit includes a history of a plurality of processes for outputting predetermined information performed between a login process and a logout process as types of the processes performed by the providing device, and processes of these processes The access method is based on automatic processing when it is determined that the frequency at which the plurality of processes are performed in a predetermined order is greater than or equal to the predetermined frequency based on the acquired history. Presume that there is
The access method estimation system according to claim 1. The access method estimation unit obtains a history of output processing of the first information and output processing of the second information and a history of processing times of these processing as types of the processing performed by the providing device And when it is determined that the frequency from the output process of the first information to the output process of the second information is less than a predetermined time based on the acquired history is equal to or higher than the predetermined frequency. Presuming that the access method is based on automatic processing;
The access source estimation system according to claim 1.   The access method estimation according to claim 1, further comprising: an access source information output unit that outputs information that identifies an entity that has made access by the access method based on the acquired history, or information on an estimation result of the access method. system.   The access method estimation system according to claim 1, further comprising a history output unit that outputs the acquired history information. Based on the acquired history, further comprising: an access source information output unit that outputs information that identifies an entity that has performed access by the access method, or information on an estimation result of the access method;
The access method estimation unit acquires a history of login processing and logout processing as the types of processing performed by the providing device, and a history of processing times of these processing, and based on the acquired history, the login processing When it is determined that the frequency from the time until the logout process is less than a predetermined time is equal to or higher than the predetermined frequency, the access method is estimated to be based on automatic processing.
The access method estimation system according to claim 1. An access method estimation apparatus having a processor and a memory,
A storage process for storing information on a service providing apparatus in a financial institution and processing executed by the providing apparatus in response thereto;
A history acquisition process for acquiring, from the storage unit, a history of a type of the process performed by the providing device based on the access and a processing time of the process;
An access method estimation process for estimating that the access method is based on an automatic process when it is determined that a predetermined type of process is performed at a predetermined frequency or more in the providing device based on the acquired history; ,
The access method estimation method to be executed. The access method estimation process acquires a log of log-in processes and log-out processes as types of the processes performed by the providing device and a log of processing times of these processes, and the log-in process based on the acquired logs When it is determined that the frequency from the time until the logout process is less than a predetermined time is equal to or higher than the predetermined frequency, the access method is estimated to be based on automatic processing.
The access method estimation method according to claim 8. The access method estimation process includes a history of a plurality of processes for outputting predetermined information performed between a login process and a logout process as types of the processes performed by the providing device, and processes of these processes. The access method is based on automatic processing when it is determined that the frequency at which the plurality of processes are performed in a predetermined order is greater than or equal to the predetermined frequency based on the acquired history. Presume that there is
The access method estimation method according to claim 8. The access method estimation process obtains the history of the output process of the first information and the output process of the second information as the type of the process performed by the providing device, and the history of the process time of these processes. And when it is determined that the frequency from the output process of the first information to the output process of the second information is less than a predetermined time based on the acquired history is equal to or higher than the predetermined frequency. Presuming that the access method is based on automatic processing;
The access source estimation method according to claim 8.   The access method estimation according to claim 8, further comprising: an access source information output unit that outputs information specifying a subject who has made access by the access method based on the acquired history, or information on an estimation result of the access method. Method.   The access method estimation method according to claim 8, further comprising a history output unit that outputs the acquired history information. Based on the acquired history, further performs access source information output processing for outputting information that identifies an entity that has performed access by the access method, or information on an estimation result of the access method,
The access method estimation process acquires a log of log-in processes and log-out processes as types of the processes performed by the providing device and a log of processing times of these processes, and the log-in process based on the acquired logs When it is determined that the frequency from the time until the logout process is less than a predetermined time is equal to or higher than the predetermined frequency, the access method is estimated to be based on automatic processing.
The access method estimation method according to claim 8.

Images