JP6290659B2 - Access management method and access management system - Google Patents

Description

  The present invention relates to an access management method and an access management system, and more particularly to an access management method and system suitable for determining whether a Web site accessed via a network is genuine or malignant. .

  With the spread of the Internet in recent years, the dependence of the network on social life and industrialization activities is increasing, and the network population is steadily increasing. Along with this, cyber attack methods, which are regarded as criminal acts on the network, have been refined to prevent the invasion of malware (malware: malicious software or malicious code created with the intention of performing illegal and harmful operations). Has become difficult. In view of this, a technique for detecting a malware infection as soon as possible by analyzing a log of a proxy server or the like so as not to cause actual damage even if it is invaded by malware has been attracting attention.

  For example, in general, URL (Uniform Resource Locator) information of a malicious website (C & C server: Command & Control Server) that gives an attack command to malware is extracted by analyzing the malware itself, and compiled as a blacklist. A technique for detecting malware by comparing this black list with a connection destination URL included in a log of a proxy server or the like is known.

  Also, Patent Document 1 focuses on the characteristic that access is likely to be periodic when exchanging information such as attack commands between malware and the C & C server, and FW (Fire Wall) and IDS (Intrusion Detection). System: technology for detecting malware by calculating the strength of periodicity of access intervals to a Web site from logs such as a system for unauthorized intrusion detection.

JP 2006-319633 A

  In the prior art, a black list is excluded as a malignant Web site. However, malware creators often change C & C servers frequently, and blacklists are prone to becoming obsolete. In addition, it takes time to create the blacklist because it is necessary to analyze the malware itself. As a result, the method using the black list has a problem that it is difficult to follow the change of the C & C server.

  Also, basically, FW and IDS logs that record access between the terminal and the Web tend to be enormous, and the calculation of periodicity has a large amount of calculation. It takes processing time to detect malware in logs. Therefore, even with this method, it can be said that it is difficult to follow frequent changes of the C & C server.

  The present invention has been made to solve the above-described problems, and an object of the present invention is to efficiently analyze a log for website determination and reliably detect malware infection in a system and access. To provide a management system.

  In the present invention, since it is difficult to specify a C & C server only by the malignancy, a gray list that is neither a white list nor a black list is prepared, and then it is difficult to break through a program such as malware. Additional authentication is performed in the form, and the gray list is divided into a white list or a black list based on the result.

Therefore, according to a preferred example, the access management system according to the present invention does not belong to any of the white list, black list, and any of the website based on the malignancy of the website calculated from the log of the proxy server or the like. It has a list generation management device that generates a gray list, and an additional authentication server that requests additional authentication when connecting to a website listed in the gray list. Additional authentication can be done if the responder is a human being, but is performed in a form such as image authentication, which is difficult to break through with programs such as malware. Then, when the additional authentication is successful, the gray list is assigned to the white list, and when it has not succeeded for a certain period of time, the white list is automatically generated.
The present invention is also configured as a program executed by the access management method and the access management system.

With the above configuration, it is possible to automatically generate not only a black list consisting of URL information of the C & C server but also a white list consisting of legitimate websites, and using this white list or the like, the amount of logs to be analyzed can be reduced. By reducing it, the time required for the analysis process can be shortened. Furthermore, by continuing to use the access management system according to the present invention, the white list and the like can be expanded, and the analysis processing time can be further shortened. As a result, even if the C & C server is changed frequently, it becomes possible to analyze the log efficiently and to detect the malware infection more reliably.
Further, the accuracy of the determination can be improved by once sorting information on the suspicious website into a gray list and authenticating the information by a method that cannot be authenticated unless additional authentication is performed by a person.

  ADVANTAGE OF THE INVENTION According to this invention, the access management which can analyze the log in a website efficiently and can detect the malware infection in a system reliably is realizable.

It is a block diagram which shows the access management system which concerns on 1st embodiment. It is a hardware block diagram of the component of an access management system. It is the conceptual diagram which showed the component of the system and the data flow. It is a flowchart which shows the process which produces | generates a white list etc. after a proxy server collects a log. It is a figure which shows an example of the log of a proxy server. It is a figure which shows an example of a black list, a gray list, and a white list. It is a figure which shows an example of a log analysis result. It is a figure which shows an example of the histogram as log analysis. It is a flowchart explaining the authentication process in an access management system. It is a figure which shows the user interface in the case of an authentication process. It is a flowchart which shows the process which distributes the gray list in a access management system to a white list and a black list. It is a block diagram which shows the access management system which concerns on 2nd embodiment. It is a flowchart which shows the process which distributes the gray list in the access management system of 2nd embodiment into a white list and a black list.

  Embodiments according to the present invention will be described below with reference to FIGS.

Embodiment 1
A first embodiment according to the present invention will be described below with reference to FIGS.
First, the configuration of the access management system according to the first embodiment will be described with reference to FIGS. 1 and 2.

FIG. 1 is a block diagram showing an access management system according to the first embodiment. FIG. 2 is a hardware configuration diagram of components of the access management system.
As shown in FIG. 1, the access management system 1 is configured by connecting a list generation management device 10 that generates a white list or the like from a log and one or more client systems 30 via a network 20.

  The list generation management device 10 includes a filtering unit 102, a log analysis unit 104, a log DB (database) 100, a white list DB 110, a gray list DB 112, and a black list DB 114. Here, the list generation management device 10 is, for example, a server, and has a processing unit (also referred to as a processor) that executes a program, and a storage unit such as a memory or a hard disk device that stores the program or data, as a hardware configuration. Configured. The filtering unit 102 and the log analysis unit 104 are functions realized by executing a program.

  The filtering unit 102 is a device that removes unnecessary information from the log using a white list or the like. The log analysis unit 104 is a part that analyzes logs. The list management unit 106 is a part that manages and updates the white list and the like. The log DB 100 is a database that stores logs. The white list DB 110, the gray list DB 112, and the black list DB 114 are databases that store a white list, a gray list, and a black list, respectively.

  Here, the white list is a list for storing URLs of websites determined to be a problem by the system, and the black list is a list for storing URLs of websites to be excluded, such as a C & C server for controlling malware by the system. The gray list is a list for storing URLs of Web sites that do not belong to the white list or the black list. The specific format of the white list, black list, and gray list will be described later.

  The client system 30 includes an FW (firewall) 302, an IDS (illegal intrusion detection system) 304, a proxy server 306, an additional authentication server 308, and one or more terminals 310 via a LAN (local area network). Take a connected configuration.

The FW 302 is software provided to prevent an attack on the system from the outside, or hardware equipped with the software.
The IDS 304 is a system that detects illegal movements by monitoring packets flowing in a network and internal computer behavior.

  The proxy server 306 is located at the boundary between the internal network and the external network, and instead of a computer on the internal network that cannot be directly connected to the external network, the proxy server 306 has a computer that connects to the external network as a “proxy” and a function for that purpose. It is software to be realized.

The additional authentication server 308 is a server that requests the terminal for additional authentication. The terminal 310 is a computer that accesses a website.
The network 20 may be the Internet or a closed network that does not receive direct access from the Internet. In the client system 30, the FW 302 and the IDS 304 are not essential.

  Next, the hardware configuration of the components of the access management system will be described with reference to FIG.

  The FW 302, IDS 304, proxy server 306, additional authentication server 308, and terminal 310 shown in FIG. 1 are respectively the arithmetic device 322, the memory 324, the storage device 326, and the communication device 328, as shown in FIG. A device such as a device 330 and an input device 332 are connected to the bus. Depending on the configuration of the server or the like, there may be no device.

  The arithmetic device 322 executes instructions of the program stored in the memory 324 and controls each part. The memory 324 is realized by a semiconductor device and stores programs and temporary data. The storage device 326 is an HDD (Hard Disk Drive), an SSD (Solid State Drive), or the like, and is a device that stores a large amount of data. The communication device 328 is a device that communicates with an external device via the network 20. The display device 330 is a device that displays results such as a liquid crystal display. The input device 332 is a device that receives input from a keyboard, a mouse, and the like.

  The filtering unit 102, the log analysis unit 104, and the list management unit 106 may have the same hardware configuration, or may be configured as software as a program stored in the storage device 326 or the memory 324 and executed by the arithmetic device 322. Good. Further, the log DB 100, the white list DB 110, the gray list DB 112, and the black list DB 114 may be realized as a database server with the same hardware configuration as described above, or may be realized as simple data on the storage device 326 or the memory 324. May be.

Next, the outline of the process of the access management method in the access management system will be described with reference to FIG.
FIG. 3 is a conceptual diagram showing system components and data flow.

  When the terminals A, B, and C attempt to access the websites A, B, and C via the network 20, the proxy server 306 requests the terminals A, B, and C to authenticate with IDs and passwords, and the log 202 is It is assumed that it is recorded in the log DB 100. At this time, the log 202 records information such as which terminal tried to access which Web site and whether the authentication was successful.

  In FIG. 3, in terminal A, a user is trying to access a website, malware lurks in terminal C, web server C is a C & C server, and a command is sent to malware lurking in terminal C. It is shown.

  In this embodiment, based on such a premise, it is determined whether the websites A, B, and C are included in the white list or the black list, and the white list or the like is automatically generated.

  First, the filtering unit 102 of the list generation management device 10 removes unnecessary information from the log 202 and sends it to the log analysis unit 104. A specific removal method will be described later with reference to FIG.

Next, the log analysis unit 104 analyzes the log using a predetermined algorithm, and generates a list of probabilities (malignancy levels) that the Web site shown in Table 204 is a C & C server. The degree of malignancy is an index used to exclude a website to be accessed that is calculated based on the presence of a unique access pattern between malware and the C & C server. Details of the algorithm will be described later with reference to FIG.
In the example of FIG. 3, as a result of the analysis, the malignancy of Web site A is calculated to be 0.01%, Web site B is 80%, and Web site C is calculated to be 90%.

  In this example, the website A is predicted to be a legitimate website, but it is not clear whether the websites B and C are C & C servers or because the malignancy is simply calculated high due to the characteristics of the analysis algorithm. is there. For example, when a regular program that is not malware periodically accesses a news site or the like for information collection, it is difficult to distinguish it from when malware accesses a C & C server. Therefore, the list management unit 106 stores information on the website A in the white list 206, and stores information on the websites B and C in the gray list 208 as neither white nor black. Thereafter, the additional authentication server 308 requests additional authentication for the terminal that has passed proxy authentication for access to the Web sites B and C stored in the gray list 208. Here, this additional authentication is not a simple ID password method, but means CAPTCHA (Completely Automated Public Turing Test to Tell Computers and Humans Apart), a fully automated public Turing test that distinguishes computers and humans. (Also called “image authentication”) and matrix authentication (using a position and order set in advance by the user, extracting the numbers that correspond to the position and order from the matrix table that changes randomly each time it is accessed and authenticating it as a password If the responder is a human, the method can be used, but it is difficult to use a program like malware. Then, the additional authentication server 308 records information related to the additional authentication in the log 202. Details will be described later with reference to FIG.

  In the access management system shown in FIG. 3, after a certain period of time, there are some terminals that have passed additional authentication for access to Web site B, while every terminal has passed additional authentication for Web site C. Suppose you couldn't. At this time, the list management unit 106 moves the information on the website B from the gray list 208 to the white list 206 and further moves the information on the website C to the black list 210. In this way, the white list and the black list are automatically generated by the present system.

  The generated white list 206 and black list 210 are used by the filtering unit 102 to remove unnecessary information from the log 202. That is, since the website listed in the white list is a legitimate site and does not need to calculate the malignancy, it is removed by the filtering unit 102. Further, since the website listed in the black list is the C & C server itself and does not need to be analyzed, it is also removed. Thus, by reducing the amount of logs to be analyzed using a white list or the like, the time required for analysis processing can be shortened. Furthermore, by continuing to use the access management system of this embodiment, the white list and the like are expanded, and the analysis processing time can be further shortened. As a result, even if the C & C server is changed frequently, it becomes possible to analyze the log efficiently and to detect the malware infection more reliably.

Hereinafter, a specific flow of processing for generating a white list and the like of the access management system will be described with reference to FIGS.
FIG. 4 is a flowchart showing processing for generating a white list and the like after the proxy server collects the logs.
FIG. 5 is a diagram illustrating an example of a log of the proxy server.
FIG. 6 is a diagram illustrating an example of a black list, a gray list, and a white list.
FIG. 7 is a diagram illustrating an example of a log analysis result.
FIG. 8 is a diagram illustrating an example of a histogram as log analysis.

  First, the filtering unit 102 collects logs such as proxy servers (S402). FIG. 5A shows an example of the proxy server log 502. This proxy server log 502 includes an access time described in UNIX time, a connection destination URL, a terminal address, an HTTP method, and an HTTP status code. For example. From the proxy server log 502 ID = 1 log, the UNIX time “1326034811.816”, that is, “January 9, 2012 0: 0: 11”, from the terminal with the IP address “151.125.109.231”, “www.google It is possible to read that an HTTP status code “TCP_DENIED / 407” is returned in an attempt to connect to “.com” with the HTTP method “GET”, that is, authentication by the proxy server has failed.

  Next, the filtering unit 102 compares the collected logs with the black list 504, excludes matching logs, and gives a warning (S404). FIG. 5A shows an example of the black list 504. In FIG. 6A, the black list 504 includes a specific URL such as “www.XXXbank.com/css/skin_small_window.css” and a registration date “2012/01/17 18:30”. Has been. In the collation of the black list 504, the log may be removed when the URL completely matches as described above, or the log may be removed when the URL domain name “www.XXXbank.com” matches. . By matching with the blacklist in this manner, the detection rate of the C & C server increases, but the false detection rate for erroneously considering a legitimate website as a C & C server also increases. Which one is adopted may be determined by the user via the input device 332, or may be fixed in advance.

  Similarly, the filtering unit 102 collates the collected logs with the white list and excludes matching logs (S406). FIG. 6C shows an example of the white list 506. In the white list 506 in FIG. 6C, a specific URL such as “www.google.com” and a registration date “2012/01/14 16:34” are described. In the matching of the white list 504, it is also possible to perform matching by matching domain names instead of URLs. However, in this case, the probability of erroneously recognizing the C & C server as a legitimate website is also increased. Also for this, the user may determine through the input device 332, or it may be fixed in advance.

  Note that the order of S404 and S406 may be reversed. In addition, malware creators frequently change the C & C server, and the black list is likely to become obsolete. Therefore, the URL management information registered in the black list or the white list is sequentially updated by the list management unit 106. It may be deleted.

  Generally, since the proxy server log is recorded in the order of access to the proxy server, it is not suitable for analysis as it is. Therefore, the filtering unit 102 next performs log shaping (S408). FIG. 5B shows an example of the shaped log 508. In the log 508, the order is changed so that accesses from the same connection destination URL and terminal are continuous. By such shaping, the access interval becomes clear, and advanced analysis such as calculation of periodicity as described in Patent Document 1 can be performed. Note that the processing of S408 is a step for facilitating log analysis and is not essential.

  As described above, after the filtering unit 102 removes information unnecessary for analysis from the log using a white list or the like, the log analysis unit 104 calculates a probability (malignancy) that the connection destination URL is a C & C server. (S410). FIG. 7 shows a log analysis result 602. In the log analysis result 602, R analysis rules such as the access terminal ratio and the periodicity intensity are used for calculating the malignancy. The access terminal ratio is a value obtained by dividing the number of terminals accessing the same Web site in a certain period such as one month by the total number of terminals belonging to the client system 30. If it is a legitimate Web site, various terminals access it. However, access to the C & C server is limited to terminals infected with malware, and since there are not so many, it can be used to calculate the malignancy of the connection destination. The larger the value, the higher the possibility that the website is legitimate. The period may be determined by the user via the input device 332, or may be fixed in advance.

The periodicity strength is a value that increases as the access interval is periodic. When information such as attack commands is exchanged between malware and the C & C server, access is likely to be periodic compared to humans, and therefore, the malignancy is considered to increase as the periodic strength increases. Hereinafter, a specific method for calculating the periodic strength will be described. First, from the formatted log 508, a histogram is created by counting how many times the same terminal has accessed the same connection destination at a certain interval such as an interval of 10 minutes. In FIG. 6, an example is shown in the histogram 604. The horizontal axis corresponds to the access time, and the vertical axis corresponds to the number of accesses. In the histogram 604, N access numbers a ₀ ,..., A _N−1 are obtained. If counting is performed at intervals of 10 minutes, the histogram 604 represents access for 10 N minutes. The periodic strength can be generally obtained by Fourier transform. That is, the set of frequency components {A _k } is obtained by Fourier transforming the histogram 604 according to the following (Equation 1),

Next, as shown in the following (Expression 2), _k that maximizes the absolute value | A _k | is _obtained from {A _k }, and when this is K, the periodicity P is expressed by the following (Expression 3). Here, A ₀ is a direct current component that does not vary periodically.

Assume that R scores {X _t } are obtained by such a plurality of analysis rules. At this time, the malignancy S is given by a sum obtained by multiplying R weights {r _t } as in (Expression 4). Here, the weight {r _t } is positive when the degree of malignancy should be higher as Xt is larger, negative when it is not, and a large value for an analysis rule that has a high contribution to the degree of malignancy. In case it is set to take a small value. For example, the weight in the case of the number of access terminals is negative, and the weight of the periodicity strength is positive. In the example of the analysis result 602 illustrated in FIG. 7, the malignancy is obtained by setting r ₀ as −1, r ₁ as 1, and r ₂ to r _R as all 0. Since the ratio of access terminals of No = 1, 2, 3 is 0.0001, the number of access terminals is small, the periodicity strength is 0.9 or more and relatively large, the malignancy is calculated high. On the other hand, the malignancy is calculated to be low for connection destination URLs such as No = 10000 where the number of access terminals is large and the periodicity strength is small. Note that the weight {r _t } and the auxiliary variables (such as the access interval at the time of histogram creation) in applying the analysis rule may be determined by the user via the input device 332 or fixed in advance. Also good.

After the analysis processing in the log analysis unit 104 as described above is completed, the list management unit 106 classifies the connection destination URLs into a black list 504, a gray list 505, and a white list 506 based on the malignancy S (S412). Specifically, using threshold values B and W, the connection destination URL is set to the black list 504 when S is B or more (S414), and the connection destination URL is set to the gray list 505 when S is larger than B and smaller than W. (S416) When S is W or less, the connection destination URL is registered in the white list 506 (S418). Here, the threshold values B and W may be determined by the user via the input device 332 or may be fixed in advance. In either case, B is always set to be larger than W. Further, since the range of values that the malignancy S can take varies according to the weight {r _t } of (Equation 4), it is necessary to set the threshold values B and W accordingly.
As described above, the processing for generating the white list and the like of the present invention is completed by the processing steps from S402 to S418.

  The feature of the present invention is that it is difficult to specify the C & C server only by the malignancy, so a gray list that is neither a white list nor a black list is prepared. In such a program, additional authentication is performed in such a way that it is difficult to break through, and based on the result, the gray list is divided into a white list or a black list.

  Therefore, a specific processing flow of authentication processing including additional authentication of the access management system will be described below with reference to FIG. FIG. 9 is a flowchart for explaining the authentication process of the access management system. FIG. 10 is a diagram showing a user interface in the authentication process.

  First, when the terminal 310 accesses a website via the network 20, the terminal 310 transmits information regarding the IP address of the terminal and the URL of the connection destination website to the proxy server 306 (S702). In order to perform authentication, the proxy server 306 requests an ID and a password from the terminal 310 as shown in FIG. 10A (S704). If the authentication is successful, the process jumps to S704. If it fails, the ID and password are requested again, and if the authentication fails continuously for a predetermined number of times, the connection is not permitted (S714).

  When the authentication by the proxy server 306 is broken, the additional authentication server 308 is activated and collates the connection destination URL with the gray list DB 112 of the list generation management device 10 (S706). If the connection destination URL is included in the gray list 505 as a result of the collation, additional authentication is requested (S708). Otherwise, the connection is permitted as it is (S712).

  The additional authentication employs another method such as CAPTCHA (image authentication) or matrix authentication as shown in FIG. 10 (b), instead of authentication based on the ID and password as shown in FIG. 10 (a). When this additional authentication is successful, the connection is permitted (S712), and when the authentication fails continuously for a predetermined number of times, the connection is not permitted (S714).

  After the connection permission (S712) or non-permission (S714) processing, the proxy server 306 and, if necessary, the additional authentication server 308 output the log 502 to the log DB 100 (S716), and the authentication processing is completed. The proxy server log 502 is as shown in FIG. The log 502 of the additional authentication server is the same, and stores information such as access time, connection destination URL, terminal address, HTTP method, HTTP status code, and the like. In the example of ID = 3 in FIG. 5, the status code “TCP_DENIED / 407” indicates that the authentication has failed.

  By the above additional authentication processing, it is possible to distribute the information on the Web site included in the gray list to the white list or the black list.

  The specific procedure will be described below with reference to FIG. FIG. 11 is a flowchart showing a process of distributing a gray list into a white list and a black list in the access management system.

  First, the management apparatus 106 collects logs 502 for a certain period of the additional authentication server 308 from the log DB 100 (S802). Here, the fixed period is assumed to be a period of about one month in which access information to the Web site can be collected to the extent that it can be distributed to a white list or the like depending on the success or failure of the additional authentication. The period may be determined by the user via the input device 332, or may be fixed in advance.

  Next, the list management unit 106 collects the collected logs 502 of the additional authentication server 308 for each connection destination URL, and makes the log 508 shaped as shown in FIG. 5B (S804). Here, the number of connection destination URLs is N.

  Next, the list management unit 106 sets the subscript i to 0 (S806), and counts the number of successful additional authentications for the i-th connection destination URL_i (S808). If the additional authentication is successful at least once, it is determined that URL_i is not a malware but a human access and not a C & C server, and URL_i is deleted from the gray list DB 112 and registered in the white list DB 110 (S810). Conversely, if additional authentication has never been successful, URL_i is determined to be the C & C server that the malware is trying to access, and URL_i is deleted from gray list DB 112 and registered in black list DB 114 (S812).

  If i is smaller than N, i is incremented by 1 and the processing returns to S808 (S814, S816), and the processing from S808 to S812 is performed for all connection destinations. This completes the process of assigning the gray list to the white list.

  In the above, the form for implementing this invention was demonstrated using FIGS. 1-11. Although the description has been limited to the proxy server 306 log so far, the FW and IDS logs also include information such as connection destination, connection source address and access time, and are the same as those in the flowchart shown in FIG. Since the degree of malignancy can be calculated by processing, it is possible to generate a white list or the like from a FW or IDS log with the same system and processing procedure as described above. In other words, the present invention can be implemented if one or more of the proxy server 306, the FW 302, and the IDS 304 exist and there is a log of any of the devices. However, unlike the proxy server, FW and IDS are not authenticated for each access, and in this case, the processing of S704 in FIG. 9 is omitted.

[Embodiment 2]
Hereinafter, a second embodiment according to the present invention will be described with reference to FIGS. 12 and 13.
FIG. 12 is a block diagram showing an access management system according to the second embodiment. FIG. 13 is a flowchart showing a process of distributing a gray list into a white list and a black list in the access management system.

  In the first embodiment, a gray list that is neither a white list nor a black list is prepared, and a white list or the like is automatically generated by assigning the gray list to a white list or a black list using the result of additional authentication. did. However, it may be difficult to introduce the additional authentication server 308 in the LAN of the client system 30 because the jurisdiction between the list generation management device 10 and the client system 30 is different. Therefore, in this embodiment, a system for generating a white list or the like without using the additional authentication server 308 is presented.

  Compared with the access management system shown in FIG. 1, the access management system of the second embodiment does not have the additional authentication server 308 in the client system 90, and instead the malware detection device 902 directly connects to the terminal 904. Has been. Other configurations are the same as those of the access management system of the first embodiment. The malware detection device 902 is a device that detects malware by scanning the memory or storage device of the terminal 904. The hardware configuration of the malware detection device 902 is the same as that shown in FIG.

  Here, it is assumed that the access management system according to the present embodiment performs the log analysis processing similar to that in FIG. 4 and N pieces of information related to the Web site are accumulated in the gray list DB 112. At that time, a specific procedure of the process of distributing the gray list to the white list or the black list will be described with reference to FIG.

  First, the list management unit 106 sets the subscript i to 0 (S1002), scans the log 502 stored in the log DB 100, and identifies the terminal 904 of the i-th connection destination URL_i included in the gray list DB 112. (S1004).

  Next, the malware detection device 902 detects malware by scanning the memory and storage device of the terminal 904 (S1006, S1008). If the terminal 904 is infected with malware, URL_i is deleted from the gray list DB 112 and registered in the black list DB 114 (S1110). If it is not infected, URL_i is deleted from the gray list DB 112 and registered in the white list DB 110 (S1112).

  If i is smaller than N, i is incremented by 1 and the processing returns to S1004 (S1014, S1016), and the processing from S1004 to S1012 is performed for all connection destinations stored in the gray list DB 112. This completes the process of assigning the gray list to the white list.

  As in the first embodiment, if there is a log of one or more of the proxy server 306, FW 302, and IDS 304, this embodiment can be implemented.

Although the embodiments of the present invention have been described above, the present invention is not limited to the above-described embodiments, and various modifications and applications can be made.
For example, the list generation management device 10 illustrated in FIG. 1 may be configured by a plurality of servers by dividing each functional unit, without being configured by one server.

  In addition, expressions such as “more than”, “less than”, “greater than”, “less than” described in the above embodiment are more stringent as mathematical meanings such as whether or not a threshold value is included. It doesn't have to be a thing. The threshold value may or may not be included without departing from the spirit of the present invention.

DESCRIPTION OF SYMBOLS 1 ... Access management system, 10 ... List production | generation management apparatus, 100 ... Log DB, 102 ... Filtering part, 104 ... Log analysis part, 106 ... List management part, 110 ... White list DB, 112 ... Gray list DB, 114 ... Black List DB, 20 ... Network, 30 ... Client system, 302 ... FW, 304 ... IDS, 306 ... Proxy server, 308 ... Additional authentication server, 310 ... Terminal,
202 ... log, 202 ... table, 206 ... white list, 208 ... grey list, 210 ... black list,
322: Arithmetic unit, 324 ... Memory, 326 ... Storage device, 328 ... Communication device, 330 ... Display device, 332 ... Input device,
502 ... Proxy server log, 504 ... Black list, 505 ... Gray list, 506 ... White list, 508 ... Formatted log, 602 ... Analysis result, 604 ... Histogram,
2 ... Access management system, 90 ... Client system, 902 ... Malware detection device, 904 ... Terminal.

Claims (8)

An access management method executed by an access management system that records access information of a website accessed from a terminal as a log and analyzes attributes of the website,
Calculating the malignancy of the website from the log;
When the malignancy is less than or equal to the first threshold, information about the website is registered in the white list, and when the malignancy is greater than or equal to the second threshold, information about the website is registered in the black list. Registering information about the website in a greylist when greater than a value and less than a second threshold;
An access management method comprising: When a terminal connects to a website registered in the gray list, after the first connection authentication, requesting the terminal to perform additional authentication;
When the additional authentication is successful, the Web site information is deleted from the gray list and registered in the white list. When the additional authentication is not successful for a certain period of time, the Web site information is deleted from the gray list. The access management method according to claim 1, further comprising a step of registering in the black list. The malignancy is given as a sum total of a primary form weighted to a score obtained by applying a plurality of analysis rules,
The first analysis rule gives a smaller score as the number of terminals accessing the same website increases, and the corresponding weight is negative.
3. The access management method according to claim 1, wherein the second analysis rule gives a higher score as the periodic strength of access is higher, and the corresponding weight is positive. The access management method according to claim 2 , wherein the additional authentication is performed by image authentication. An access management program that is executed in an access management system that records access information of a website accessed from a terminal as a log and analyzes attributes of the website,
Calculating the malignancy of the website from the log;
When a terminal connects to a website registered in the gray list, after the first connection authentication, requesting the terminal to perform additional authentication;
When I succeeded in the additional authentication, the information of the Web site to remove from the gray list registered in the whitelist, when the well was not successful a certain period of time once, to delete the information of the Web site from the gray list access management program, wherein the executing the steps of blacklisted, the Te. An access management program that is executed in an access management system that records access information of a website accessed from a terminal as a log and analyzes attributes of the website,
The access management system calculating a malignancy of the website from the log;
The access management system registers information about the website in the white list when the malignancy is less than or equal to the first threshold, and registers information about the website in the black list when the degree of malignancy is greater than or equal to the second threshold. Registering information about the website in a greylist when greater than a first threshold and less than a second threshold;
An access management program characterized by comprising: An access management system for recording access information of a website accessed from a terminal as a log and analyzing attributes of the website,
It holds a white list that contains information about legitimate websites, a black list that contains information about malicious websites that give instructions to malware, and information about websites that are not included in any of them. With greylist,
The access management system includes:
The malignancy of the website is calculated from the proxy server log, and when the malignancy is less than or equal to the first threshold, information on the website is registered in the white list, and when the malignancy is greater than or equal to the second threshold, the web A list generation management device for registering information on a site in a black list and registering information on the website in a gray list when the information is greater than a first threshold value and smaller than a second threshold value;
An additional authentication server that requests additional authentication from the terminal after authentication by the proxy server when a terminal connects to a website registered in the gray list,
When the additional authentication is successful, the list generation management device deletes the information on the website from the gray list and registers it in the white list. Is deleted from the gray list and registered in the black list. The access management system includes:
Including firewalls or intrusion detection devices,
8. The access management system according to claim 7, wherein the list generation management device calculates the malignancy of a Web site from a log of a firewall or an unauthorized intrusion detection device instead of a proxy server log.

Images