JP2013069016A - Information leakage prevention device and limitation information generation device - Google Patents

Abstract

A technique for preventing leakage of personal information due to unauthorized access is provided.
An information leakage prevention apparatus extracts a pair of user identification data and session identification data from a pair of an information request message and a response message, stores them in association with each other, and personal information included in the response message The user ID data stored in association with the session identification data included in the response message included in the response message including the personal information, According to the result of comparison between the means for acquiring the limit number of personal information for each personal information type, the limit number of personal information for each acquired personal information type, and the number of personal information for each personal information type counted And means for applying a defense process to the response message so that the personal information is not received by the requesting client terminal. .
[Selection] Figure 2

Description

  The present invention relates to a technique for preventing leakage of personal information due to unauthorized access.

  In recent years, Web application systems have become widespread, and various applications such as applications for general users and business applications used in companies have been realized as Web application systems. With such a system, the user can use various applications by operating only the browser.

  On the other hand, the Web application system has a weak point of vulnerability. For example, cross-site scripting, SQL (Structured Query Language) injection, and the like are known as vulnerabilities of Web applications. By exploiting such vulnerabilities, fraudulent acts such as the user's personal information and confidential information handled by a Web application being stolen or tampered have become a problem.

  Therefore, a technique for protecting a system from an attack that exploits a vulnerability of a Web application is provided. For example, there is a technology called WAF (Web Application Firewall). This is a technique for blocking communication including a registered attack pattern by creating a rule for a known attack pattern and registering this rule in the WAF in advance.

  There is also a technique called an intrusion detection system (IDS). The network-type IDS detects illegal access (packets) by monitoring packets flowing on the network and comparing each packet with a known illegal packet pattern. A technique for preventing unauthorized access related to the IDS is proposed in Patent Document 1 below. In this method, it is determined whether or not countermeasures against the unauthorized access type indicated in the unauthorized access log data are taken in the unauthorized access target communication device, and the risk of unauthorized access is determined according to the presence or absence of such countermeasures. The

JP 2005-228177 A

  However, since each of the above-described techniques is effective only for a known attack pattern that is registered to block or detect unauthorized access, there is a high possibility that the technique cannot be applied to an unknown attack pattern.

  An object of the present invention is made in view of the above-described problems, and is to provide a technique for preventing leakage of personal information due to unauthorized access.

  Each aspect of the present invention employs the following configurations in order to solve the above-described problems.

  The first aspect relates to an information leakage prevention apparatus. An information leakage prevention apparatus according to a first aspect includes a restriction information storage unit that stores a restriction number of personal information for each personal information type for each user identification data, and an information request transmitted from a client terminal to a server device A pair of a message and a response message transmitted from the server device in response to the information request message, or an extraction means for extracting a set of user identification data and session identification data from the information request message, and extraction by the extraction means Request information storage means for associating and storing a set of user identification data and session identification data, and the number of personal information included in a response message transmitted from the server device in response to the information request message for each personal information type Included in the counting means for counting and the response message containing personal information. To acquire the user identification data stored in the request information storage means in association with the session identification data to be acquired, and to acquire the limit number of personal information for each personal information type with respect to the acquired user identification data from the restriction information storage means The response message is obtained by comparing the information acquisition means, the restriction number of the personal information for each personal information type acquired by the restriction information acquisition means, and the number of personal information for each personal information type counted by the counting means. Response processing means for applying a defense process to the response message so that the included personal information is not received by the requesting client terminal.

  The second aspect relates to a restriction information generating device. The restriction information generating apparatus according to the second aspect includes a session identification included in a response message including personal information in addition to the restriction information storage means, extraction means, request information storage means, and count means in the first aspect. The user identification data associated with the data and stored in the request information storage means is acquired, and the data relating the acquired user identification data and the number of personal information for each personal information type counted by the counting means is Restriction information generation means for generating as data indicating the limit number of personal information for each type of personal information related to user identification data is provided.

  The third aspect relates to an information leakage prevention method. The information leakage prevention method according to the third aspect includes a pair of an information request message sent from a client terminal to a server device and a response message sent from the server device in response to the information request message, or an information request A set of user identification data and session identification data is extracted from the message, the set of extracted user identification data and session identification data is associated and stored in the request information storage unit, and from the server device in response to the information request message The number of personal information included in the response message to be transmitted is counted for each personal information type, and is stored in association with the session identification data included in the response message including the personal information from the request information storage unit. Acquire user identification data, and for each user identification data, for each personal information type For each personal information type acquired from the limit information storage unit, the limit number of personal information for each personal information type related to the acquired user identification data is acquired from the limit information storage unit that stores the limit number of personal information. In response to the response message, the personal information included in the response message is not received by the requesting client terminal based on the comparison result between the personal information limit number and the personal information count for each type of personal information counted. Including applying defensive processing.

  As another aspect of the present invention, a computer program that causes at least one computer to realize the configuration of the first aspect or the second aspect described above may be used, or a computer-readable recording that records such a program. It may be a medium. This recording medium includes a non-transitory tangible medium.

  According to each of the above aspects, it is possible to provide a technique for preventing leakage of personal information due to unauthorized access.

It is a figure which shows notionally the structural example of the WEB system containing the WEB server apparatus (WEB server) in 1st Embodiment. It is a figure which shows notionally the structural example of the WEB server in 1st Embodiment. It is a figure which shows the example of a request information storage part. It is a figure which shows the example of personal information definition DB. It is a figure which shows the example of a restriction | limiting information storage part. It is a flowchart which shows the operation example of the response processing system of the information leakage prevention part in 1st Embodiment. It is a figure which shows notionally the structural example of the WEB server in 2nd Embodiment. It is a flowchart which shows the operation example of the response processing system of the restriction | limiting information processing part in 2nd Embodiment. It is a figure which shows the example of the request information storage part in 3rd Embodiment. It is a figure which shows the example of the restriction | limiting information storage part in 3rd Embodiment. It is a flowchart which shows the operation example of the information leakage prevention part in 3rd Embodiment. It is a flowchart which shows the operation example of the restriction | limiting information processing part in 3rd Embodiment. It is a figure which shows notionally the structure of the 1st modification of a WEB system. It is a figure which shows notionally the structure of the 2nd modification of a WEB system.

  Hereinafter, the WEB server apparatus as an embodiment of the present invention will be described. In addition, each embodiment given below is an illustration, respectively, and this invention is not limited to the structure of each following embodiment. For example, the present invention is not applicable only to the WEB system, but can be applied to various modes in which personal information is exchanged via communication.

[First Embodiment]
〔System configuration〕
FIG. 1 is a diagram conceptually illustrating a configuration example of a WEB system including a WEB server device (hereinafter simply referred to as a WEB server) 10 in the first embodiment. The WEB server 10 in the first embodiment is communicably connected to a plurality of client terminals 1 via the network 3. The network 3 is a public network such as the Internet, a WAN (Wide Area Network), a LAN (Local Area Network), a wireless communication network, or the like. In this embodiment, the connection form and communication form between the WEB server 10 and each client terminal 1 are not limited.

  The WEB server 10 may be constructed by a general-purpose computer such as a general personal computer (PC) or a dedicated computer. FIG. 1 shows a hardware configuration example of the WEB server 10. The WEB server 10 includes a CPU (Central Processing Unit) 5, a memory 6, an input / output interface (I / F) 7, and the like that are connected to each other via a bus 8 or the like as a hardware configuration. The memory 6 includes a RAM (Random Access Memory), a ROM (Read Only Memory), a hard disk, a portable storage medium, and the like. The input / output I / F 7 is connected to a communication device or the like that communicates with each client terminal 1 via the network 3. The input / output I / F 7 may be connected to a user interface device such as a display device or an input device. Note that this embodiment does not limit the hardware configuration of the WEB server 10.

  The client terminal 1 is a general information processing terminal such as a PC, a portable PC, a cellular phone, or the like. The client terminal 1 has a general communication function capable of accessing the WEB server 10 and receiving data, a general user interface function capable of displaying and operating a screen based on the data provided from the WEB server 10, and the like. If it is. In the present embodiment, an example in which a WEB system is used as an interface between the WEB server 10 and the client terminal 1 is given. Therefore, the client terminal 1 has a so-called WEB browser as a user interface function, and HTTP (Hypertext It has a communication function for executing Transfer Protocol. Note that the present embodiment does not limit the hardware configuration and functional configuration of the client terminal 1.

  The client terminal 1 includes a terminal operated by a user who intends to illegally acquire a large amount of personal information from the WEB server 10 (hereinafter referred to as an unauthorized user). In the present embodiment, this unauthorized user attacks the WEB server 10 by exploiting the vulnerability of the WEB application in at least one client terminal 1.

  In response to a request from the client terminal 1 used by a legitimate user, the WEB server 10 provides a desired WEB service, detects unauthorized access by the unauthorized user as described above, and leaks personal information due to unauthorized access. In advance. Hereinafter, the configuration of the WEB server 10 will be specifically described.

〔Device configuration〕
FIG. 2 is a diagram conceptually illustrating a configuration example of the WEB server 10 in the first embodiment. As shown in FIG. 2, the WEB server 10 in the first embodiment includes a communication unit 11, a WEB application 12, a WEB page storage unit 13, an access control information storage unit 14, an information leakage prevention unit 15, and the like. Each of these processing units is realized as a software component that is a software component (fragment) such as a task, process, function, or data storage area. Therefore, each processing unit is realized, for example, by executing a program stored in the memory 6 by the CPU 5 shown in FIG. The WEB page storage unit 13 and the access control information storage unit 14 are realized on the memory 6.

  The communication unit 11 controls a network interface card connected to the input / output I / F 7 and transmits / receives data exchanged with the client terminal 1 using a protocol such as HTTP. For example, the communication unit 11 receives data such as a WEB page transmitted from the WEB application 12 or the information leakage prevention unit 15 and transmits an HTTP packet including the data to the client terminal 1. Further, when the communication unit 11 receives an HTTP packet transmitted from the client terminal 1, the communication unit 11 sends data included in the packet to the WEB application 12 or the information leakage prevention unit 15.

  In the present embodiment, an example in which the WEB system is used as an interface between the WEB server 10 and the client terminal 1 is described. Therefore, only the data transmitted and received by HTTP will be described, but the communication unit 11 Other communication protocols can be implemented.

  Hereinafter, for convenience of explanation, an HTTP packet for requesting an arbitrary WEB page transmitted from the client terminal 1 is referred to as an HTTP request. This HTTP request can also be generally called an information request message. In addition, a series of HTTP packets that are transmitted from the WEB server 10 and provide information requested by the client terminal 1 are referred to as HTTP responses. This HTTP response may be formed from a plurality of HTTP packets, for example, when the amount of information provided is large. The HTTP response can also be generally called a response message.

  The WEB application 12 has a well-known general WEB server function. For example, the WEB application 12 extracts data requested by the HTTP request from the client terminal 1 from the WEB page storage unit 13 and transmits an HTTP response including the data to the client terminal 1 via the communication unit 11. The WEB page storage unit 13 stores a plurality of WEB pages and various data forming the WEB pages. The WEB page storage unit 13 stores a great variety of personal information.

  Further, the WEB application 12 performs access control on the WEB page to be controlled based on information stored in the access control information storage unit 14. Since this access control may be a well-known general control, the description is simplified here. The access control information storage unit 14 stores access authority information for each account ID. The access authority information includes, for example, pages that are permitted to be accessed, pages that are not permitted to be accessed, the number of personal information that can be browsed, and the types of personal information that can be browsed. Using these pieces of information, the WEB application 12 controls whether or not browsing is possible for the WEB page to be controlled according to the access authority of the access source.

  As described above, an account ID is used for access control. The account ID is input by the user via a login screen provided by the WEB application 12, for example. The account ID is sent from the client terminal 1 to the WEB server 10 by being included in the HTTP request.

  Further, the WEB application 12 performs session management. Since this session management may be a well-known general process, the description is simplified here. For example, when the WEB application 12 receives an HTTP request including an account ID and succeeds in authentication of the account ID, the WEB application 12 issues a session ID for the account ID. The WEB application 12 holds the correspondence between the session ID and the account ID, and exchanges the WEB page with the client terminal 1 while performing access control using the session ID. Note that Cookie may be used for this session management.

  The account ID is data for identifying a user who wants to log in, and can also be called user identification data. The session ID is identification data for specifying a series of communication between the client terminal 1 and the WEB server 10 after the successful authentication (login) of the account ID until disconnection (logoff). It can also be called data.

  The HTTP request includes request source information, request destination information, information location data, account ID, session ID, and the like. The request source information includes information (IP address or the like) for specifying the client terminal 1 that is the request source, and the request destination information is information (IP address) for specifying the WEB server 10 that is the request destination. The information location data includes information such as a URL (Uniform Resource Locator) indicating the location of information such as a desired WEB page. At the time of account authentication, an account ID is included in the HTTP request. Furthermore, after successful account authentication, the session ID is included in the HTTP request.

  The HTTP response includes the information specified by the request destination information together with the request source information and the request destination information included in the corresponding HTTP request. Also, after successful account authentication, the session ID is included in the HTTP response. Note that the HTTP request may include both an account ID and a session ID.

  The information leakage prevention unit 15 is interposed between the communication unit 11 and the WEB application 12. The information leakage prevention unit 15 includes a request information acquisition unit 101, an extraction unit 102, a request information storage unit 105, a restriction information storage unit 107, a response information acquisition unit 111, a personal information analysis unit 112, a restriction information acquisition unit 113, and a response processing unit. 115, a personal information definition database (DB) 117, and the like. Each of these processing units included in the information leakage prevention unit 15 is also realized as the software component.

  The request information acquisition unit 101 and the extraction unit 102 can also be referred to as a request processing system 17 in order to perform processing related to the HTTP request. In addition, each processing unit other than the request processing system 17, the request information storage unit 105, and the restriction information storage unit 107 performs a process related to the HTTP response, and can also be referred to as a response processing system 18. The request information storage unit 105 is shared by the request processing system 17 and the response processing system 18.

<Request processing system 17>
The request information acquisition unit 101 acquires information regarding the HTTP request received by the communication unit 11. The request information acquisition unit 101 may acquire information related to the HTTP request from the communication unit 11, or may acquire information related to the HTTP request sent from the communication unit 11 to the WEB application 12 from the WEB application 12. . Further, the request information acquisition unit 101 may acquire the packet data itself that forms the HTTP request, or may acquire predetermined information related to the HTTP request.

  The extraction unit 102 extracts a pair of account ID and session ID from the information (HTTP request) acquired by the request information acquisition unit 101, and stores the extracted pair in the request information storage unit 105. This process is executed in a form in which an HTTP request including an account ID and a session ID exists.

  On the other hand, as described above, there may be a form in which the account ID and the session ID do not exist in one HTTP request. For example, the account ID is included in the HTTP request before account authentication, and the session ID is included in the HTTP request and the HTTP response after the account authentication is successful.

  In such a form, the extraction unit 102 extracts a set of an account ID and a session ID from an HTTP request and an HTTP response in cooperation with a response information acquisition unit 111 described later. Specifically, the extraction unit 102 extracts the correspondence data indicating the correspondence between the account ID and the HTTP request and the HTTP response from the information acquired by the request information acquisition unit 101, and the account ID and the correspondence data Are stored in the request information storage unit 105 in association with each other. The response information acquisition unit 111 extracts the session ID and the correspondence data from the acquired information about the HTTP response, and stores the account ID associated with the correspondence data and stored in the request information storage unit 105, and the session ID. Are stored in the request information storage unit 105.

  The correspondence data is data included in both the HTTP request and the HTTP response, and is a plurality of combinations of request source information, request destination information, request number, information location data, parameters, and the like. The correspondence data is data included in both the HTTP request and the HTTP response, and may be data that can identify the HTTP request from the HTTP response, and the specific mode is not limited.

  When the extraction unit 102 extracts predetermined data from the HTTP request as described above, the extraction unit 102 transmits the HTTP request to the WEB application 12 as it is.

  The request information storage unit 105 stores a set of account ID and session ID in association with each other. FIG. 3 is a diagram illustrating an example of the request information storage unit 105. Unlike the example of FIG. 3, the request information storage unit 105 may store correspondence data in addition to the set of the account ID and the session ID as described above.

<Response processing system 18>
The response information acquisition unit 111 acquires HTTP response data generated by the WEB application 12 in response to the HTTP request processed by the request processing system 17 as described above. The response information acquisition unit 111 may acquire the HTTP response data from the WEB application 12, or the communication unit 11 sends the HTTP response data sent from the WEB application 12 to the communication unit 11 in the direction of the network 3. You may acquire from the communication part 11 before sending out.

  The personal information analysis unit 112 analyzes the data of the HTTP response acquired by the response information acquisition unit 111, thereby counting the number of personal information included in the HTTP response for each personal information type. Thereby, the personal information analysis unit 112 can also be expressed as a count unit. For example, the personal information analysis unit 112 counts the number of personal information for each personal information type by matching HTTP response data with a regular expression pattern for each personal information type stored in the personal information definition DB 117. .

  FIG. 4 is a diagram illustrating an example of the personal information definition DB 117. The personal information definition DB 117 stores a regular expression pattern for each personal information type ID for identifying a personal information type. According to the example of FIG. 4, the personal information of the credit number is a combination of four numbers of four numbers in which any one of numbers from 0 to 9 are arranged with a hyphen (-) in between. It is shown that it is formed. Since a known method may be used for the count processing of the personal information, the description is simplified here.

  The restriction information acquisition unit 113 acquires the account ID stored in the request information storage unit 105 in association with the session ID extracted from the HTTP response including the personal information, and for each personal information type related to the account ID The limit number of personal information is extracted from the limit information storage unit 107.

  FIG. 5 is a diagram illustrating an example of the restriction information storage unit 107. As shown in FIG. 5, the restriction information storage unit 107 stores the restriction number of personal information for each personal information type for each account ID. According to the example of FIG. 5, for the account “suzuki”, the limit number of personal information types indicated by CREDIT_NO is 5, the limit number of personal information types indicated by INSURANCE_NO is 3, and the individual indicated by TELEPHONE_NO The limited number of information types is 10. Similarly, for the account “yamamoto”, the limit number of personal information types indicated by CREDIT_NO is 3, the limit number of personal information types indicated by INSURANCE_NO is 1, and the limit number of personal information types indicated by TELEPHONE_NO Is 2.

  The response processing unit 115 uses the comparison result between the limited number of personal information for each personal information type acquired by the limited information acquiring unit 113 and the number of personal information for each personal information type counted by the personal information analysis unit 112. The defense process is applied to the HTTP response so that the personal information included in the HTTP response is not received by the client terminal 1 that is the request source. For example, when there is even one personal information type in which the number of counted personal information exceeds the limit number, the response processing unit 115 applies a defense process to the HTTP response. Further, when the number of personal information counted in all personal information types exceeds the limit number, the response processing unit 115 may apply a defense process to the HTTP response. This defense process may be a cancellation of the transmission of the HTTP response, or a process of replacing the personal information in the HTTP response with other data.

[Operation example]
Hereinafter, an operation example of the information leakage prevention unit 15 in the first embodiment will be described.

  FIG. 6 is a flowchart showing an operation example of the response processing system 18 of the information leakage prevention unit 15 in the first embodiment. In the example of FIG. 6, a process in which the response information acquisition unit 111 extracts a session ID and stores the session ID in the request information storage unit 105 in a form in which both the session ID and the account ID are not included in the HTTP request. Is not mentioned. That is, it is assumed that the request information storage unit 105 has already stored a set of account ID and session ID.

  In order to store a set of account ID and session ID, the information leakage prevention unit 15 operates as follows. When the HTTP request data including the account ID and the session ID is acquired, the information leakage prevention unit 15 stores the combination of the account ID and the session ID extracted from the HTTP request in the request information storage unit 105. On the other hand, when the account ID is included in the HTTP request and the session ID is included in the HTTP response, the information leakage prevention unit 15 identifies the pair of the HTTP request and the HTTP response based on the correspondence data. The request information storage unit 105 stores a set of the account ID extracted from the HTTP request and the session ID extracted from the HTTP response.

  By the way, when an HTTP request is received in the WEB server 10, the WEB application 12 generates an HTTP response corresponding to the HTTP request. The information leakage prevention unit 15 acquires the generated HTTP response data (S60).

  Subsequently, the information leakage prevention unit 15 analyzes the data of the HTTP response using the data stored in the personal information definition DB 117, thereby counting the number of personal information included in the HTTP response for each personal information type. (S61). If personal information is not included in the HTTP response (S62; NO), the information leakage prevention unit 15 sends the HTTP response as it is toward the network 3 (S68).

  When the personal information is included in the HTTP response (S62; YES), the information leakage prevention unit 15 further extracts a session ID from the HTTP response (S63). Subsequently, the information leakage prevention unit 15 obtains an account ID stored in the request information storage unit 105 in association with the extracted session ID (S64). Thereby, the account ID that requested the WEB page including the personal information is specified.

  Next, the information leakage prevention unit 15 extracts the limit number of personal information for each personal information type related to the account ID from the limit information storage unit 107 (S65). At this time, the information leakage prevention unit 15 may acquire the limit number only for the personal information types counted in the process (S61).

  The information leakage prevention unit 15 determines whether there is a personal information type in which the number of personal information counted in the process (S61) exceeds the limit number acquired in the process (S65) (S66). If the number of personal information items of all personal information types is within the limit (S66; NO), the information leakage prevention unit 15 sends the HTTP response as it is toward the network 3 (S68). On the other hand, if there are personal information types exceeding the limit (S66; YES), the information leakage prevention unit 15 applies personal information protection processing to the HTTP response (S67). At this time, the information leakage prevention unit 15 may apply personal information protection processing only to personal information of personal information types exceeding the limit, or to personal information of all personal information types. Defense processing may be applied. Then, the information leakage prevention unit 15 sends an HTTP response to which the defense process is applied in the direction of the network 3 (S68).

  Note that the above-described process (S66) may be replaced with a determination as to whether or not the number of personal information items of all personal information types exceeds the respective limit number. In this case, when the number of personal information items of all personal information types exceeds each limit number (S66; YES), the information leakage prevention unit 15 applies personal information protection processing to the HTTP response.

[Operation and Effect in First Embodiment]
In the first embodiment, a set of an account ID and a session ID is stored based on an HTTP request or data extracted from an HTTP request and an HTTP response. In addition, the limit number of personal information for each personal information type is stored in advance for each account ID.

  In addition, in the first embodiment, when HTTP response data is acquired, the number of personal information included in the HTTP response is counted for each personal information type. Then, an account ID stored in association with the session ID included in the HTTP response is specified, and the limit number of personal information for each personal information type related to the account ID is acquired.

  Finally, the personal information included in the HTTP response is prevented from being received by the requesting client terminal 1 based on the comparison result between the number of personal information for each type of personal information included in the HTTP response and the limit number thereof. In addition, a defense process is applied to the HTTP response.

  Thus, according to the first embodiment, when there is a personal information type in which the number of personal information included in the HTTP response exceeds the limit number, the personal information in the HTTP response is not received by the client terminal 1. Can be controlled. That is, according to the first embodiment, communication that attempts to acquire personal information that exceeds the limit number determined in advance for each account ID can be determined as unauthorized communication (attack). Such control can be executed regardless of whether or not the attack pattern is known. That is, according to the first embodiment, it is possible to prevent leakage of personal information due to an unknown attack through communication.

  Furthermore, according to the first embodiment, for example, even when an attack that exploits vulnerability is applied to the system by illegally using an account ID of general user authority, according to the first embodiment It is possible to prevent the number of personal information and personal information types that are not permitted by general user authority from being stolen.

[Second Embodiment]
The information on the limit number stored in the limit information storage unit 107 in the first embodiment may be set in advance before the apparatus is operated or the like, or may be acquired from another apparatus by communication. The WEB server 10 in the second embodiment automatically generates information stored in the restriction information storage unit 107. Hereinafter, the WEB server 10 in the second embodiment will be described focusing on the contents different from the first embodiment, and the same contents as in the first embodiment will be omitted as appropriate.

  FIG. 7 is a diagram conceptually illustrating a configuration example of the WEB server 10 in the second embodiment. The WEB server 10 in the second embodiment further includes a restriction information processing unit 21 in addition to the components shown in the first embodiment. The restriction information processing unit 21 is also realized as a software component, like other processing units.

  The restriction information processing unit 21 generates information stored in the restriction information storage unit 107 using each data of the HTTP request and the HTTP response exchanged between the client terminal 1 and the WEB server 10. The WEB server 10 may be controlled to operate one of the limited information processing unit 21 and the information leakage prevention unit 15 or may be controlled to operate both in parallel. In the former form, the communication unit 11 sends the received HTTP request data to either the restricted information processing part 21 or the information leakage prevention part 15 in operation, and in the latter form, sends it to both. In the former form, the operating processing unit may be switched by the user operating a user interface device (not shown) connected to the input / output I / F 7.

  Similarly to the information leakage prevention unit 15, the limited information processing unit 21 is also interposed between the communication unit 11 and the WEB application 12. The restriction information processing unit 21 includes a request information acquisition unit 201, an extraction unit 202, a request information storage unit 205, a response information acquisition unit 211, a personal information analysis unit 212, a restriction information generation unit 213, a response processing unit 215, a personal information definition database. (DB) 217 and the like. Each of these processing units included in the restriction information processing unit 21 is also realized as the software component.

  Each processing unit other than the restriction information generation unit 213 in the restriction information processing unit 21 includes a request information acquisition unit 101, an extraction unit 102, a request information storage unit 105, a response information acquisition unit 111, and personal information in the information leakage prevention unit 15. Since processing similar to that of the analysis unit 112, the response processing unit 115, and the personal information definition DB 117 may be performed, description thereof is omitted here.

  The restriction information generation unit 213 extracts the account ID stored in association with the session ID included in the HTTP response from the request information storage unit 205, and the personal information counted by the account ID and the personal information analysis unit 212. Data associating with the number of personal information for each species is generated as data to be stored in the restriction information storage unit 107. Note that the restriction information generation unit 213 may directly store the generated data in the restriction information storage unit 107.

[Operation example]
Hereinafter, an operation example of the restriction information processing unit 21 in the second embodiment will be described.

  FIG. 8 is a flowchart showing an operation example of the response processing system 23 of the restriction information processing unit 21 in the second embodiment. At this time, it is assumed that the request information storage unit 205 already stores a pair of an account ID and a session ID, as in the request information storage unit 105 in the first embodiment.

  In the WEB server 10, when an HTTP request is received, the WEB application 12 generates an HTTP response corresponding to the HTTP request. The restriction information processing unit 21 acquires the generated HTTP response data together with the information leakage prevention unit 15 (S80). Thereafter, the processes from the process (S81) to the process (S84) are the same as the processes from the process (S61) to the process (S64) of the information leakage prevention unit 15 shown in FIG.

  The restriction information processing unit 21 obtains data that associates the account ID extracted from the request information storage unit 205 in the process (S84) with the number of personal information for each personal information type counted in the process (S81). The data is generated as data (record) to be stored in the storage unit 107 (S85).

  After that, the restricted information processing unit 21 sends the HTTP response as it is in the direction of the network 3 (S86).

[Operations and effects in the second embodiment]
In the second embodiment, the HTTP request used in the information leakage prevention unit 15 is an HTTP request in which the limited number of personal information for each personal information type for each account ID is actually exchanged between the client terminal 1 and the WEB server 10. And automatically generated using HTTP response data. Accordingly, if the data generated in the second embodiment is stored in the restriction information storage unit 107, the burden of data setting processing on the restriction information storage unit 107 can be reduced.

[Third Embodiment]
In each of the above-described embodiments, the number of personal information is limited for each type of personal information. However, a limit may be set for each information location data. The third embodiment shows an example in which a new configuration for limiting the number of personal information for each information location data and for each personal information type is incorporated in the second embodiment. Such a new configuration may be incorporated in the first embodiment.

  The apparatus configuration of the WEB server 10 is the same as that of the second embodiment described above. However, there are processing units whose processing contents are different from those of the second embodiment. Hereinafter, the WEB server 10 according to the third embodiment will be described focusing on the content different from the above-described second embodiment, and the description of the same content as the above-described second embodiment will be omitted as appropriate.

  The extraction unit 102 extracts information location data and correspondence data indicating the correspondence between the HTTP request and the HTTP response to the information from the information (HTTP request) acquired by the request information acquisition unit 101, and extracts them. The request information is stored in association with the request information storage unit 205. The correspondence data is as described above.

  FIG. 9 is a diagram illustrating an example of the request information storage unit 105 in the third embodiment. The request information storage unit 105 stores a set of correspondence data and information location data in addition to the contents (a set of account ID and session ID, etc.) in the above-described embodiments. In the example of FIG. 9, URL data is stored as information location data.

  FIG. 10 is a diagram illustrating an example of the restriction information storage unit 107 in the third embodiment. As shown in FIG. 10, the restriction information storage unit 107 stores a record including an account ID, information location data, a personal information type ID, and a restriction number. According to the example of FIG. 10, regarding the account of “suzuki”, in the WEB page provided from “/ user / accountinfo”, the limit number of personal information types indicated by CREDIT_NO is 5, and “/ data / info”. In the WEB page provided from, the limit number of personal information types indicated by CREDIT_NO is 20.

  The restriction information acquisition unit 113 extracts the session ID and the corresponding relationship data from the HTTP response including the personal information, and further stores information location data stored in association with the corresponding relationship data, and the session ID and The account ID stored in association with each other is extracted from the request information storage unit 105. The restriction information acquisition unit 113 extracts the restriction number of personal information for each personal information type regarding the information location data and account ID acquired in this way from the restriction information storage unit 107.

  Each process of the extraction unit 202 and the request information storage unit 205 in the restricted information processing unit 21 is the same as that of the extraction unit 102 and the request information storage unit 105 described above.

  The restriction information generation unit 213 extracts the session ID and the corresponding relationship data from the HTTP response including the personal information, and further stores the information location data stored in association with the corresponding relationship data, and the session ID and The account ID stored in association with each other is extracted from the request information storage unit 105. The restriction information generating unit 213 generates data in which the information location data and the account ID acquired in this way are associated with the counted number of personal information for each personal information type.

[Operation example]
FIG. 11 is a flowchart showing an operation example of the information leakage prevention unit 15 in the third embodiment. In FIG. 11, the same reference numerals as those in FIG. 6 are attached to the same contents as the processes in FIG. 6 illustrating the operation example of the first embodiment and the second embodiment. Hereinafter, the operation of the information leakage prevention unit 15 in the third embodiment will be described focusing on the content different from the first embodiment and the second embodiment.

  At this time, the request information storage unit 105 has already stored a set of an account ID and a session ID, and a set of information location data and correspondence data requested by the HTTP request.

  When personal information is included in the HTTP response (S62; YES), the information leakage prevention unit 15 further extracts a session ID and correspondence data from the HTTP response (S111). Subsequently, the information leakage prevention unit 15 obtains an account ID stored in the request information storage unit 105 in association with the extracted session ID (S64). Thereby, the account ID that requested the WEB page including the personal information is specified.

  Furthermore, the information leakage prevention unit 15 acquires information location data stored in the request information storage unit 105 in association with the extracted correspondence data (S112). Thereby, the information location data indicating the location of the WEB page including the personal information is specified.

  The information leakage prevention unit 15 includes the limit number of personal information for each personal information type related to the account ID acquired in the process (S64) and the information location data acquired in the process (S112) from the limited information storage unit 107. Is extracted (S113). Thereafter, the information leakage prevention unit 15 performs processing in the same manner as in the first embodiment, using the extracted limit number.

  FIG. 12 is a flowchart illustrating an operation example of the restriction information processing unit 21 in the third embodiment. In FIG. 12, the same reference numerals as those in FIG. 8 are attached to the same contents as the processes in FIG. 8 illustrating the operation example of the second embodiment. Hereinafter, the operation of the restricted information processing unit 21 in the third embodiment will be described focusing on the content different from the second embodiment. Each process from the process (S80) to the process (S82), the process (S121), the process (S84), and the process (S122) is performed from the process (S60) to the process (S62) of the information leakage prevention unit 15 shown in FIG. It is the same as each processing, processing (S111), processing (S64), and processing (S112).

  The restricted information processing unit 21 uses the account ID and information location data extracted from the request information storage unit 205 in the processing (S84) and processing (S122), and the number of personal information for each personal information type counted in the processing (S81). Are generated as data (records) to be stored in the restriction information storage unit 107 (S123). After that, the restricted information processing unit 21 sends the HTTP response as it is in the direction of the network 3 (S86).

[Operations and effects in the third embodiment]
As described above, in the third embodiment, for each account ID, the limit number of personal information for each information location data and for each personal information type is managed, and from the HTTP request and HTTP response actually transmitted and received, Information location data of a WEP page including a set of session ID and account ID and personal information is held. In addition, the number of personal information included in the HTTP response is counted for each personal information type.

  When an HTTP response including personal information is detected, the corresponding account ID and corresponding information location data are specified using the session ID and the corresponding relationship data as a key, and the personal information regarding the account ID and the information location data is identified. The limit number of personal information for each species is acquired. As a result, a defense process is applied to the HTTP response so that the personal information is not received by the requesting client terminal 1 according to the comparison result between the limit number and the counted personal information number.

  As described above, according to the third embodiment, since the limit number of personal information can be set not only for the account ID but also for each information location data of the WEB page including personal information, detection of unauthorized access and personal Information leakage can be prevented more precisely. For example, when the number of personal information exceeding the number normally provided by a predetermined URL is included in the HTTP response, it can be determined that the communication is unauthorized access.

[Modification]
In each of the above-described embodiments, the request information storage unit 105 stores some data (account ID, session ID, etc.) of the HTTP request and HTTP response, but all data of the HTTP request (including the session ID). May be stored.

  In the second embodiment described above, an example is shown in which the number of personal information included in the HTTP response is used as it is as the limit number. However, a value obtained by performing a predetermined operation on the counted number of personal information is limited. It may be set to a number. In this case, a predetermined calculation may be predetermined for each personal information type. For example, when a credit number is incremented by 2 and a telephone number is doubled, the HTTP response contains 3 credit numbers and 5 phone numbers. The limit number of credit numbers is set to 5, and the limit number of phone numbers is set to 10.

  In the second embodiment and the third embodiment described above, the information leakage prevention unit 15 and the restricted information processing unit 21 are provided with processing units having the same processing content. The part may be shared by the information leakage prevention unit 15 and the restricted information processing unit 21. In this case, a pair of request information acquisition units 101 and 201, a pair of extraction units 102 and 202, a pair of request information storage units 105 and 205, a pair of response information acquisition units 111 and 211, and a pair of personal information analysis units 112 and 212 The pair of response processing units 115 and 215 and the pair of personal information definition DBs 117 and 217 may be realized as one processing unit.

  In each of the above-described embodiments, the information leakage prevention unit 15 and the restriction information processing unit 21 are mounted on the WEB server 10. However, the information leakage prevention unit 15 and the restriction information processing unit 21 are included in the WEB server 10. It may be realized on a different computer. FIG. 13 is a diagram conceptually showing the structure of the first modification of the WEB system. In the example of FIG. 13, the request information acquisition units 101 and 201 receive an HTTP request transmitted from the client terminal 1 from the network 3, and the response information acquisition units 111 and 211 acquire an HTTP response from the WEB server 10. Alternatively, the HTTP response transmitted by the WEB server 10 may be received via the network 3. At this time, the response information acquisition unit 111 receives the HTTP response so that the HTTP response transmitted from the WEB server 10 is not received by the destination client terminal 1.

  Further, the restriction information processing unit 21 may be mounted on the client terminal 1 as a computer different from the information leakage prevention unit 15. FIG. 14 is a diagram conceptually showing the structure of the second modification of the WEB system. In the example of FIG. 14, the request information acquisition unit 201 acquires an HTTP request from the client terminal 1, and the response information acquisition unit 211 receives an HTTP response via the network 3.

  In the plurality of flowcharts used in the above description, a plurality of steps (processes) are described in order, but the execution order of the process steps executed in the present embodiment is not limited to the description order. In the present embodiment, the order of the processing steps shown in the figure can be changed within a range that does not hinder the contents. Moreover, each above-mentioned embodiment and each modification can be combined in the range with which the content does not conflict.

1 Client terminal 3 Network 5 CPU
6 Memory 7 Input / output I / F
DESCRIPTION OF SYMBOLS 10 WEB server 11 Communication part 12 WEB application 13 WEB page storage part 14 Access control information storage part 15 Information leakage prevention part 21 Restriction information processing part 101 Request information acquisition part 102 Extraction part 105 Request information storage part 107 Restriction information storage part 111 Response Information acquisition unit 112 Personal information analysis unit 113 Restriction information acquisition unit 115 Response processing unit 117 Personal information definition DB
201 Request information acquisition unit 202 Extraction unit 205 Request information storage unit 211 Response information acquisition unit 212 Personal information analysis unit 213 Restriction information generation unit 215 Response processing unit 217 Personal information definition DB

Claims (12)

For each user identification data, limit information storage means for storing the limit number of personal information for each type of personal information,
A pair of an information request message transmitted from the client terminal to the server device and a response message transmitted from the server device in response to the information request message, or from the information request message, user identification data and session identification data An extraction means for extracting a set;
Request information storage means for associating and storing a set of the user identification data and the session identification data extracted by the extraction means;
Counting means for counting the number of personal information included in a response message transmitted from the server device in response to an information request message for each personal information type;
For each type of personal information related to the acquired user identification data, acquiring the user identification data stored in the request information storage means in association with the session identification data included in the response message including the personal information Limit information acquisition means for acquiring the limit number of personal information from the limit information storage means;
The response message includes the limited number of personal information for each personal information type acquired by the limiting information acquisition unit and the comparison result between the number of personal information for each personal information type counted by the counting unit. Response processing means for applying a defense process to the response message so that personal information is not received by the client terminal of the request source;
An information leakage prevention device comprising: The limit information storage means stores the limit number of personal information for each type of personal information for each user identification data and each information location data,
The extraction means includes, from the information request message, information location data of information requested by the information request message, and a response message transmitted from the server device in response to the information request message and the information request message. Further extracting correspondence data indicating the correspondence,
The request information storage means further stores the information location data and the correspondence data set in association with each other,
The restriction information acquisition unit includes the user identification data and the information location data stored in the request information storage unit in association with session identification data or correspondence data included in the response message including the personal information. Obtaining a limit number of personal information for each type of personal information related to the acquired user identification data and information location data from the limit information storage means,
The information leakage prevention apparatus according to claim 1. A pair of an information request message transmitted from the client terminal to the server device and a response message transmitted from the server device in response to the information request message, or from the information request message, user identification data and session identification data An extraction means for extracting a set;
Request information storage means for associating and storing a set of the user identification data and the session identification data extracted by the extraction means;
Counting means for counting the number of personal information included in a response message transmitted from the server device in response to an information request message for each personal information type;
The user identification data stored in the request information storage unit in association with the session identification data included in the response message including the personal information is acquired, and is counted by the acquired user identification data and the counting unit. Restricted information generating means for generating data associating the number of personal information for each personal information type, as data indicating the limited number of personal information for each personal information type regarding the user identification data;
A restriction information generating device comprising: The extraction means includes, from the information request message, information location data of information requested by the information request message, and a response message transmitted from the server device in response to the information request message and the information request message. Further extracting correspondence data indicating the correspondence,
The request information storage means further stores the information location data and the correspondence data set in association with each other,
The restriction information generating means includes the user identification data and the information location data stored in the request information storage means in association with session identification data or correspondence data included in the response message including the personal information. And the obtained user identification data, the obtained information location data, and the data associated with the number of personal information for each personal information type counted by the counting means, for each personal information type related to the user identification data Generate as data indicating the limit number of personal information of
The restriction information generating apparatus according to claim 3. Computer
A pair of an information request message transmitted from the client terminal to the server device and a response message transmitted from the server device in response to the information request message, or from the information request message, user identification data and session identification data Extract pairs,
Associating a set of the extracted user identification data and the session identification data and storing them in the request information storage unit,
Counting the number of personal information included in the response message transmitted from the server device in response to the information request message for each personal information type,
Obtaining the user identification data stored in association with the session identification data included in the response message including the personal information from the request information storage unit;
For each user identification data, from the limit information storage unit that stores the limit number of personal information for each personal information type, to acquire the limit number of personal information for each personal information type for the acquired user identification data,
The personal information included in the response message is based on a comparison result between the limited number of personal information for each personal information type acquired from the limited information storage unit and the number of personal information for each counted personal information type. Applying a defense process to the response message so that it is not received by the requesting client terminal,
Information leakage prevention method. The limit information storage unit stores the limit number of personal information for each personal information type for each user identification data and each information location data,
The computer is
Correspondence indicating the correspondence between the information location data of the information requested by the information request message and the response message transmitted from the server device in response to the information request message and the information request message from the information request message Extract relationship data,
Associating a set of the extracted information location data and the corresponding relationship data in the request information storage unit,
Obtaining the information location data stored in the request information storage unit in association with correspondence data included in the response message including the personal information;
Further including
The acquisition of the limit number of the personal information is to acquire the limit number of personal information for each type of personal information related to the acquired user identification data and information location data from the limit information storage unit.
The information leakage prevention method according to claim 5. Said computer or other computer,
Data associating the user identification data acquired from the request information storage unit with the number of personal information for each personal information type counted by the counting means is generated as data for storing in the restriction information storage unit To
The information leakage prevention method according to claim 5, further comprising: Said computer or other computer,
Data that associates the user identification data and the information location data acquired from the request information storage unit with the number of personal information for each personal information type counted by the counting means is stored in the restriction information storage unit. To generate as data for
The information leakage prevention method according to claim 6, further comprising: On the computer,
For each user identification data, limit information storage means for storing the limit number of personal information for each type of personal information,
A pair of an information request message transmitted from the client terminal to the server device and a response message transmitted from the server device in response to the information request message, or from the information request message, user identification data and session identification data An extraction means for extracting a set;
Request information storage means for associating and storing a set of the user identification data and the session identification data extracted by the extraction means;
Counting means for counting the number of personal information included in a response message transmitted from the server device in response to an information request message for each personal information type;
For each type of personal information related to the acquired user identification data, acquiring the user identification data stored in the request information storage means in association with the session identification data included in the response message including the personal information Limit information acquisition means for acquiring the limit number of personal information from the limit information storage means;
The response message includes the limited number of personal information for each personal information type acquired by the limiting information acquisition unit and the comparison result between the number of personal information for each personal information type counted by the counting unit. Response processing means for applying a defense process to the response message so that personal information is not received by the client terminal of the request source;
A program that realizes The limit information storage means stores the limit number of personal information for each type of personal information for each user identification data and each information location data,
The extraction means includes, from the information request message, information location data of information requested by the information request message, and a response message transmitted from the server device in response to the information request message and the information request message. Further extracting correspondence data indicating the correspondence,
The request information storage means further stores the information location data and the correspondence data set in association with each other,
The restriction information acquisition unit includes the user identification data and the information location data stored in the request information storage unit in association with session identification data or correspondence data included in the response message including the personal information. Obtaining a limit number of personal information for each type of personal information related to the acquired user identification data and information location data from the limit information storage means,
The program according to claim 9. On the computer,
A pair of an information request message transmitted from the client terminal to the server device and a response message transmitted from the server device in response to the information request message, or from the information request message, user identification data and session identification data An extraction means for extracting a set;
Request information storage means for associating and storing a set of the user identification data and the session identification data extracted by the extraction means;
Counting means for counting the number of personal information included in a response message transmitted from the server device in response to an information request message for each personal information type;
The user identification data stored in the request information storage unit in association with the session identification data included in the response message including the personal information is acquired, and is counted by the acquired user identification data and the counting unit. Restricted information generating means for generating data associating the number of personal information for each personal information type, as data indicating the limited number of personal information for each personal information type regarding the user identification data;
A program that realizes The extraction means includes, from the information request message, information location data of information requested by the information request message, and a response message transmitted from the server device in response to the information request message and the information request message. Further extracting correspondence data indicating the correspondence,
The request information storage means further stores the information location data and the correspondence data set in association with each other,
The restriction information generating means includes the user identification data and the information location data stored in the request information storage means in association with session identification data or correspondence data included in the response message including the personal information. And the obtained user identification data, the obtained information location data, and the data associated with the number of personal information for each personal information type counted by the counting means, for each personal information type related to the user identification data Generate as data indicating the limit number of personal information of
The program according to claim 11.

Images