JP3787431B2 - Abuse detection method - Google Patents

Description

[0001]
BACKGROUND OF THE INVENTION
The present invention relates performs authentication by personal Ri authentication method engaged, the password is previously registered password entered from the keyboard equivalent to the computer operator.
[0002]
[Prior art]
When operating a computer, as a mechanism for authenticating whether or not there is a right to operate the computer, there are a wide variety of systems that perform authentication by allowing a user to input a password from a keyboard or the like and the password is equal to a pre-registered password. It is used. Conventionally, this authentication has been a means of detecting unauthorized computer use based on means. For example, as described in the online manual login (1) section of HP-UX 9.0, when it has been mistaken for a specified number of times, such as 3 times, for example, for 1 minute. If the specified time authentication is not completed, the connection is blocked and the event is recorded. -7) 2.2 Security Function As described in the section “User Account Security”, processing was performed such as recording and reporting to the administrator when mistakes were made in the number of consecutive entries.
[0003]
In addition, information on which terminal the user is operating from was recorded, but attempts to use it for discovering unauthorized use are for example ftp://ftp.aist-nara.ac. As seen in the TCP wrapper, which is free software available from jp / pub / Security / tools / tcp_wrappers, etc., the use from a specific terminal or other than a specific terminal was judged as illegal.
[0004]
Japanese Laid-Open Patent Publication No. 6-6347 describes a method for centrally monitoring security on a network.
[0005]
Japanese Patent Application Laid-Open No. 7-264178 describes a method of identifying an illegal access on a LAN by obtaining information from the relay device by obtaining information from the relay device.
[0006]
[Problems to be solved by the invention]
Such conventional methods have the following problems.
[0007]
In other words, in the case of a system that records a failure when it fails even once, it is recorded even if the password is mistyped during normal use, and whether the administrator is an unauthorized use or just an input mistake It becomes difficult to judge.
[0008]
Further, in the method of disconnecting when the user makes a mistake for a specified number of times (for example, three times), if an unauthorized user mistakes the password for a number of times less than the specified number of times (for example, two times), the specified time (for example 1 Min) In the method of blocking the connection when the authentication is not completed, it is not possible to take a record of unauthorized use by disconnecting from the connection within the specified time. I cannot tell if it was invaded or not.
[0009]
Also, in the system that logs in when password authentication fails, if you enter the wrong password more than the specified number of times, a lot of authentication failure logs will be output and other important messages will be buried Become.
[0010]
In addition, since the prior art does not provide a time interval for counting failures, it is generally impossible to narrow down intrusion events that tend to be concentrated in a specific time zone.
[0011]
In addition, if access is made from multiple locations using an account assigned to the same person, it is considered to be unauthorized use, but means for efficiently detecting such an event is not provided. Absent.
[0012]
One object of the present invention is to solve the above-mentioned problems of the prior art and increase reliability in determining whether a user who has entered a password is a legitimate user or an unauthorized user.
[0013]
Another object of the present invention is to make it easy for an administrator to perform unauthorized access by reporting a series of unauthorized access to the administrator only once in the past. It is in a place where it can be grasped with high accuracy.
[0014]
[Means for Solving the Problems]
The present invention records personal authentication information given by a user such as a password, the time when the information was given, information about the location of the terminal to which the information was given, and the result of matching personal authentication information registered in advance. and have your authentication system, if those information and information on the number of terminals recorded with the current the user about the failure frequency and duration of past adjustment per the uses the following default value or more or the default value, unauthorized use and A method for detecting unauthorized use is provided in which the step of determining the above is executed.
[0015]
Also, in the first step above, whether or not unauthorized access has actually succeeded or failed has been changed by changing the processing depending on whether the end of the series of authentication processing has been successful or whether the login has been unsuccessful. An unauthorized use detection method is provided in which the second step of determining whether or not the user has been executed is performed.
[0016]
Also, in the first and second steps above, if there are multiple events that are judged to be unauthorized use, and if those events are continuous, the third step of combining those events as one event is executed. An illegal use detection method is provided.
[0017]
In addition, when the same user logs in using a plurality of terminals, when usage exceeding the specified number of users is detected, the specified number of users exceeds the specified time or for the specified time. When a use is detected, an unauthorized use detection method is provided in which a fourth step of determining whether the use is normal or unauthorized is performed.
[0018]
Furthermore, in the above first to fourth steps, the results are recorded and reported to the administrator, and the countermeasures specified in advance are automatically executed or more detailed for the computer in which unauthorized use is detected. An unauthorized use detection method is provided which executes a fifth step of transmitting a monitoring program for collecting various information.
[0019]
DETAILED DESCRIPTION OF THE INVENTION
FIG. 2 shows the system configuration of an embodiment of the present invention.
[0020]
A plurality of local computers (201) directly operated by the user, a plurality of remote computers (210) remotely operated by the user, and a manager computer (220) managing them are connected through a network. Any two or all three of these computers may be performed on a single computer. The local computer (201) includes a central processing unit (202), a main memory (203), an input device (204) such as a keyboard, an output device (205) such as a display, and a network control device (206). . The remote computer (210) includes a central processing unit (211), a main storage device (212), a disk device (213), a disk control device (214), and a network control device (215). The manager computer (220) includes a central processing unit (221), a main storage unit (222), a disk unit (223), a disk control unit (224), a network control unit (225), and an input device such as a keyboard (228). ) And an output device (227) such as a display. Further, the manager computer (220) holds the unauthorized access judgment reference information (229) on the disk device (223) for judging unauthorized access, and can send it to the remote computer (210) through the network (232). it can. The remote computer (210) receives the unauthorized access determination criterion information (227) from the manager computer (220) and stores it as unauthorized access determination criterion information (217) on the disk device (213). The user operates the input device (204) of the local computer (201), logs in to the remote computer (210) via the network, and uses it. Has the remote computer (210) received the login operation from the local computer (201), and did the login and logout correctly enter the input time (802), user name (803), and password to log in? Log information (216) Information about whether or not you could log in by entering an incorrect password (804), the name (805) of the local computer (201), and the name (806) of the input device (204) used on the local computer ) Is stored in the disk device (213). Figure 8 shows the log information format. At this time, the unauthorized access reference information (217) is checked at the same time, and if unauthorized access is determined, the unauthorized access information is notified to the manager computer (220) and recorded in the disk device (213). If the manager computer (220) fails to receive the notification of unauthorized access information, the notification is retransmitted until the manager computer (220) can receive the notification based on the log information. The manager computer (220) receives and records unauthorized access information and displays a message on the display console to report to the operator.
[0021]
Here, the remote computer (210) explained the system that detects in real time when the user logged in, but not only the system that detects in real time, but also the log information (216) in a batch after the manager computer ( It is also conceivable that the unauthorized access is detected on the manager computer (220) against the unauthorized access reference information (217).
[0022]
In addition, here, the remote computer (210) detects unauthorized access and described in a format to report to the manager computer (220), but the remote computer (210) transfers user authentication information to the manager computer (220), The central processing unit (221) of the manager computer (220) may detect unauthorized access. At this time, the remote computer (210) transfers the user authentication information to the manager computer (220) in real time and detects it, and the remote computer (210) stores the log information (216) and collects the manager information after the event. The transfer to the computer (220) can be considered, and in each case, the transferred manager computer (220) records the log information in the disk device (223) once in real time and the detection method later A way to do this is conceivable.
[0023]
FIG. 6 shows a software configuration of an embodiment of the present invention. FIG. 6 is a configuration for realizing the method of storing log information on the remote computer and transferring it to the manager computer at an appropriate timing in the configuration described in FIG. The manager computer (601) constitutes a component that realizes the function of the present invention on the operating system (603) that controls the hardware of the computer. The rule management unit (607) includes the above-described unauthorized access standard information (217) (log analysis rule), a standard (filtering rule) for filtering log information collected on the managed computer (602) (remote computer), and This is a processing unit for registering, deleting, or changing a standard (log file management rule) for managing the capacity of the normalized log file (616) and the database (609). The log analysis unit (608) is a processing unit for analyzing the log information collected from the managed computer according to the registered log analysis rules and accumulated in the database (609). The rule distribution unit (610) is a processing unit that distributes and controls the filtering rules and log file management rules registered by the rule management unit to the managed computers. The log collection unit (618) collects and controls log information from the managed computers. It is a processing unit. On the other hand, the management target computer (602) constitutes a component that realizes the function of the present invention on the operating system (604), like the manager computer. The log collection unit (613) periodically collects access logs collected by the operating system (604) and converts them into a common format specified in advance by the log normalization unit (612). Furthermore, only the information designated according to the filtering rule instructed from the manager computer is stored in the normalized log file (616). The regular log collection unit transfers the log information converted into the common format to the manager computer at an appropriate timing (for example, when instructed by the manager computer). Note that communication control between the manager computer and the management target computer is realized using a logical communication path (617) provided by the basic communication control units (605) and (606) of the operating system.
[0024]
FIG. 1 shows an example of criteria for judging unauthorized access in the present invention. As a criterion for judging unauthorized access (FIG. 2 (217)), “It was a normal access when a correct password was entered within a specified number of times within a specified time. Otherwise, it was an unauthorized access.” As an example, the specified number of times is 4 times and the specified time is 1 minute. For one minute from the first input, the input (101) to the input (104) failed for (100), and the input (102) to the input (105) also failed for one minute from the second input. However, the correct password is input in the last input (106) from the input (103) to the input (106) for one minute from the third input. Therefore, these are regarded as a series of processes, and it is determined that this access is a normal access (FIG. 1 (a)). Next, in (110), the input (110) from the input (107) has failed, and the input (108) to the input (111) have also failed for one minute from the second input. Further, the input (109) to the input (112) for one minute from the third input fails in the last input (112), and there is no input thereafter. Therefore, when one minute has passed since the third input, the series of authentication processing was completed, and login was not successful within one minute, so it was considered that the authentication was not successful, and it was determined that the access was unauthorized. (FIG. 1 (b)).
[0025]
The above processing includes a method for determining whether unauthorized access is performed in real time when an input from the user is performed, and a method for determining whether the unauthorized access has been made after the user's behavior is recorded in a log.
[0026]
FIG. 3 shows an example of the processing procedure. In FIG. 6, this procedure can be executed by the log analysis unit (608) of the manager computer or by reading and executing the normalization log on the managed computer (the latter processing unit is shown in FIG. 6). Not shown). In this procedure, it is determined whether the access is unauthorized by reading a log in which the user's action is recorded. Also, in this procedure, if the password input from the user is incorrect, it is not judged as an illegal operation only by the number of consecutive mistakes, but the end of the series of inputs ends with success or failure. It is determined whether the operation is illegal or not. As the format of this log, as shown in FIG. 7, it is necessary to record the user name input from the user, the determination result of whether the password is correct, and the time information when the user input is performed. First, the first input is read (301). Next, a flag for indicating that an unauthorized access has been detected is reset (302). Whether the login is successful is checked (303), and if successful, authentication is completed (304). If it is unsuccessful, the input time is registered as the start time of a series of processes (305), and the scheduled end time is calculated and registered (306). Next, 1 is added to the continuous erroneous input counter (307). The continuous erroneous input counter is checked (308), and if the counter value is more than the specified number, a detection flag is set (309). It is checked whether there is next data (310), and if the next data does not exist, the processing is terminated (311). If it exists, the next data is read (312), and the recording time is compared with the scheduled end time (313). If the scheduled end time is earlier, it is assumed that the series of processing has been completed up to the previous data (314), the detection flag is checked (315), and if it is set, the fact that there was unauthorized access is recorded and reported (316). Then, return to (302) and repeat. If the data input time is earlier, the success of login is checked (317), and if unsuccessful, the process returns to (306) to repeat the process. If it is successful, it is checked whether the detection flag is set (318). If it is set, it is determined that the access is unauthorized (319). Authentication is complete (320). In the above example, the end time is recalculated and updated in (307), but if more strict unauthorized access checks are to be made, the end time is the same as the one calculated at (307) at the beginning. A process that does not perform the update process is also conceivable. That is, the process returns to (307) after the process (317).
[0027]
Next, a processing procedure for processing in real time while collecting logs will be described with reference to FIG.
[0028]
In FIG. 6, this procedure is considered to be executed by the log analysis unit (608) every time one log is transferred to the manager computer, or executed every time one log is normalized on the managed computer. (The latter processing unit is not shown in FIG. 6). In this procedure, in the configuration of FIG. 6, first, the detection flag and the input counter are reset (401). Next, it waits for the user to input authentication information such as a user name and password combination from the keyboard (402). The input time is registered as the start time of a series of processes (403). Check whether the login is successful with the authentication information allowed (404) .If the login is successful, read the values of the various counters counted during the series of processing (405). If it is equal to or higher than the unauthorized access standard, it is considered that there is a possibility of unauthorized access (406), and after raising an alert or leaving a record, the authentication is completed (407). If login fails, the scheduled end time is calculated by adding a certain time to the current time and registered (408). Next, 1 is added to the continuous erroneous input counter (409). It is checked whether the value of the continuous erroneous input counter is less than the specified number of times (410). After the input is made, it is checked whether it is the end time (412). If the input is made before the end time, the process returns to the login success determination part (404). When the end time is reached and the number of previous authentication failures exceeds the specified number, the number of consecutive incorrect inputs is checked (413). (414). Then, the process ends as an authentication failure.
[0029]
Next, as a criterion for determining unauthorized access (FIG. 2 (217)), “determined unauthorized use when logged in from multiple locations with the same user name” will be described. Since this processing needs to match log information collected by a plurality of computers, it is executed by the log analysis unit (608) on the manager computer in FIG. 6 using log information collected from a plurality of managed computers. A single user should be able to exist in a single geographical location, for example, if you cannot touch a device in Tokyo and Osaka at the same time, It is thought that it is being used. In other words, if a single machine logs in from multiple terminals via a network, it is considered that it is being used by an unauthorized user. Information about which device is located geographically, and which device and which device (or which regional device and which regional device) are used at the same time, or unauthorized access Information, such as whether to use illegally when using more than one terminal at the same time, or in any combination of the above conditions, is created in advance and stored in the storage device Remember. First, a process for auditing whether there has been unauthorized use from data recorded in a log will be described. As shown in FIG. 8, the log data includes information on the user name, the distinction between login information and logout information, and the terminal location used. When the terminal location information is logged in using the network in multiple stages, it is assumed that the location where the original input device such as an actual keyboard exists is specified and recorded. However, if the identification is not possible, the information on the terminal location immediately before may be substituted with the knowledge that the detection accuracy is lowered.
[0030]
In addition, in the work area used during the detection process, which terminal is currently used is recorded for each user.
[0031]
FIG. 5 shows the log analysis processing procedure. First, the work area is cleared (501). Next, the unauthorized access standard is read from the storage device (502). Next, it is determined whether there is log data that has not yet been processed (503). If all the data has already been processed, the process ends (504). If data still remains, the first log data is read from the log (505). It is determined whether the read data is log-in data or log-out data (506). If the data is log-out information, the number of terminals used by the user is reduced by one (507) and the log-in information from the terminal position is deleted. Return to the processing of (508) and (503). If it is login information, the number of terminals used by the user is increased by one (509), and the position of the terminal used is recorded (510). Next, the number of used terminals and the used terminal location information regarding the user are compared with the pre-registered geographical information of each terminal and the unauthorized access criteria (511), and when the unauthorized login is determined (512) ), Record (513) and raise alert (514).
[0032]
Then, return to (503) and repeat.
[0033]
In the above processing procedure, further, “only when the number of simultaneously used terminals for a specified time continuously exceeds the default value is regarded as an unauthorized login”, It can be expanded as a criterion for determining unauthorized access, which is considered as unauthorized login when a value exceeds the value.
[0034]
FIG. 7 shows an example of the screen configuration on the display console of the manager computer for reporting unauthorized access. Reference numeral 702 denotes a screen indicating the state of the computer by the connection relationship between the computers to be managed located on the network and the color of the symbol representing each computer. On the other hand, reference numeral 701 denotes a screen that displays messages in chronological order as to what events have occurred. For example, the third and fourth lines are messages indicating that unauthorized access has occurred. If a specific computer is limited, change the symbol color (for example, computer B) and display it to the administrator. To clarify. If it is desired to know details of unauthorized access, a detail screen 703 is displayed by an operation of selecting a menu attached to the screen 701.
[0035]
When an unauthorized access is reported in the manager computer, a specific operation (generally, a computer that has detected unauthorized access) is instructed in advance to a specified operation (for example, deletion of user information in which a problem has occurred). It is possible. These processing programs can be preliminarily incorporated in each computer, or can be distributed from the manager computer and executed on the computer when needed. This procedure will be described with reference to FIG. When an unauthorized access is detected in the manager computer (902), it is checked whether an operation for the reported information is defined, and if it exists, it is read (903). Next, it is checked whether or not there is a processing program for executing the operation on the management target computer (904), and if it exists, only the parameters necessary for the processing are transferred to the management target computer (905). When the processing program does not exist, the processing program for executing the operation together with necessary parameters is transferred to the management target computer (906). The managed computer executes the designated processing program (907) and transfers the execution result to the manager computer (908).
[0036]
Also, when unauthorized access is reported on the manager computer, unauthorized access to a pre-designated program for more detailed information collection and detailed status monitoring (for example, file update status, process operating status, etc.) A method is conceivable in which a monitoring program is distributed to a computer in which the problem occurs and monitoring is performed by the computer. This procedure can also be executed according to the procedure shown in FIG.
[0037]
【The invention's effect】
By performing a highly reliable inspection as to whether the user is a legitimate user or unauthorized use, it is possible to reduce oversight of unauthorized users and false detection of authorized users.
[0038]
In addition, since many related events are reported to the administrator as one of many events, the amount of information that the administrator should pay attention to can be reduced.
[0039]
Furthermore, when unauthorized use is detected, it is possible to automatically execute measures such as automatically deleting user information having a problem with the target computer and collecting detailed information. .
[Brief description of the drawings]
FIG. 1 is a diagram illustrating a normal access example (a) and an unauthorized access example (b).
FIG. 2 is a diagram showing a configuration of a computer to which the present invention is applied.
FIG. 3 is a diagram showing a procedure for detecting unauthorized access in consideration of whether or not login has succeeded last based on log information.
FIG. 4 is a diagram showing a procedure for detecting unauthorized access in consideration of whether login has succeeded last time in real time;
FIG. 5 is a diagram illustrating a procedure for investigating intrusions from a plurality of points based on log information and detecting unauthorized access.
FIG. 6 is a diagram showing a software configuration for realizing the present invention.
FIG. 7 is a diagram illustrating an example of a monitoring screen of a manager computer.
FIG. 8 is a diagram illustrating a format of log information.
FIG. 9 is a diagram illustrating a processing procedure after detection of unauthorized access.
[Explanation of symbols]
101: Login failure, 102: Login failure, 103: Login success, 111: Login failure, 112: Login failure, 201: Local computer, 202: Central processing unit, 203: Main storage, 204: Input device, 205: Output device, 206: Network control device, 210: Remote computer, 211: Central processing unit, 212: Main storage device, 213: Disk device, 214: Disk control device, 215: Network control device, 216 : Log information, 217: Unauthorized access criteria information, 220: Manager computer, 221: Central processing unit, 222: Main storage, 223: Disk unit, 224: Disk control unit, 225: Network control unit, 226: Log information , 227: Unauthorized access standard information 601: Manager computer, 602: Managed computer, 603: Operating system on manager computer, 604: Operating system on managed computer, 605: Basic communication control on manager computer , 606: Basic communication control unit on managed computer, 607: Rule management unit, 608: Log analysis unit, 609: Database, 610: Rule distribution unit, 611: Regular log collection unit, 612: Log normalization unit, 613: Log collection unit, 614: Filtering processing unit, 615: Rule distribution unit, 616: Normalized log file, 617: Logical communication path, 618: Log collection unit, 701: Message display screen, 702: Monitored computer status monitoring screen , 703: Message details display screen

Claims (5)

In a computer system having a function of comparing personal authentication information registered in advance in a database and personal authentication information input from an input device at the time of a login operation,
The computer system includes the number of failed logins in which erroneous personal authentication information has been continuously input, the period from the start of the series of login operations to the success or failure of the login, and whether the last login operation was successful. The final login authentication processing result indicating whether or not it was successful and the unauthorized access criteria information,
The number of login failures in a series of login operations in the period is greater than or equal to a default value; and
By detecting that the last login authentication processing result of the series of login operations in the period is unsuccessful login,
An unauthorized use detection method for determining an unauthorized use of the computer system. In the unauthorized use detection method according to claim 1,
When there are a plurality of events that are determined to be unauthorized use of the computer system, among those events, the event that occurred later is a series of login operations of the events that occurred earlier in the period. An unauthorized use detection method in which, when it is recognized, the computer system collectively reports them as a warning during the period corresponding to the number of events determined to be unauthorized use of the computer system . The unauthorized use detection method according to claim 1, wherein the computer system further comprises:
Record the time, user name, success or failure of the login operation, the name of the computer that was the target of the login operation, and the name of the terminal used,
An unauthorized use detection method in which the computer system performs a process of reading in chronological order based on these. The unauthorized use detection method according to claim 3, wherein the computer system further comprises:
An unauthorized use detection method in which the computer system deletes the record relating to a user who performed a corresponding login operation when it is determined that the computer system is unauthorized use. The unauthorized use detection method according to claim 1, wherein the computer system further comprises:
When it is determined that the computer system is illegally used,
The computer system transmits a monitoring program for acquiring detailed information to the computer system that is the target of the login operation determined to be unauthorized use, or is determined to be unauthorized use. An unauthorized use detection method that is executed in a computer system that is the target of a logged-in operation.

Images