JP2019021094A - Web access control device - Google Patents

Abstract

To determine malignancy of a Web site with high accuracy in a Web access control device.SOLUTION: The Web access control device comprises: a Web site malignancy determination program 109 for determining malignancy of an access destination Web site by using a plurality of malignancy assumption apparatuses 124a to 124b respectively allotted with weight on the basis of a predetermined threshold; an additional authentication request program 110 for requesting additional authentication for determining propriety of access to the access destination Web site to user terminals 121a to 121c when the malignancy of the access destination Web site is determined to be higher than the predetermined threshold; and a weight update program 114 for updating the weight respectively allocated to the malignancy assumption apparatuses 124a to 124b on the basis of a result of additional authentication.SELECTED DRAWING: Figure 1

Description

  The present invention relates to a Web access control apparatus.

  In recent years, as seen in targeted attacks, attacks have become more sophisticated and have become a serious threat to companies and nations. In addition, with the advancement of attacks, it has become difficult to completely block intrusions from the outside. Here, in order to suppress damage after being invaded, it is important to block external communication for the purpose of stealing confidential information and spreading infection.

  In view of the above background, there is a demand for a technology that appropriately controls communication to the outside and blocks suspicious communication. As a technique related to this, there is, for example, Patent Document 1.

  In Patent Document 1, a white list with a low malignancy, a black list with a high malignancy, and a gray list that does not belong to any of them are automatically generated based on the malignancy of a Web site calculated from a log of a proxy server or the like. When connecting to a website included in the gray list, additional authentication is requested. When the additional authentication is successful, the gray list is assigned to the white list, and when it has not succeeded for a certain period of time, it is assigned to the black list. Thereby, even a Web site that has not been mechanically distributed to a white list or a black list can be distributed to any list according to the authentication result.

Japanese Patent Laying-Open No. 2015-170219

  However, Patent Document 1 does not consider the accuracy of the mechanism for determining the malignancy of a Web site. For this reason, depending on the accuracy of the malignancy determination mechanism, a Web site with a high malignancy may be determined to be safe and may be damaged during access. Further, depending on the accuracy of the malignancy determination mechanism, a Web site with a low malignancy may be determined to be dangerous, and additional authentication may occur frequently, reducing convenience.

  An object of the present invention is to determine a malignancy of a Web site with high accuracy in a Web access control device.

  A Web access control apparatus according to an aspect of the present invention executes a Web site malignancy determination program using a plurality of malignancy estimators that are connected to the Internet and a user terminal operated by a user and assigned weights. Accordingly, when the malignancy of the access destination website is higher than the predetermined threshold, the malignancy determination unit of the website determines the malignancy of the access destination website based on a predetermined threshold. If determined, an additional authentication request unit that requests additional authentication for determining whether the user terminal can access the access destination website by executing an additional authentication request program; and the additional authentication By executing the weight update program based on the result of the additional authentication of the request unit, the Web site A weight updating section for updating the weights assigned to each of the grade estimator of grading unit, and having a.

  According to one aspect of the present invention, a Web access control apparatus can determine the malignancy of a Web site with high accuracy.

1 is a diagram illustrating a configuration example of a Web access control apparatus according to a first embodiment. It is a figure which shows an example of an authentication information management table. It is a figure which shows an example of an estimator management table | surface. It is a figure which shows an example of a guess weight history. It is a figure which shows an example of a gray list. It is a figure which shows an example of a black list. It is a figure which shows an example of a white list. It is a figure which shows the whole processing flow of the Web access control apparatus of Example 1. FIG. It is a figure which shows the processing flow of a Web site malignancy determination program program. It is a figure which shows the processing flow of a list update program. It is a figure which shows the processing flow of feedback value calculation. It is a figure which shows the processing flow of weight update. It is a figure which shows an example of an additional authentication screen. It is a figure which shows an example of an additional authentication screen. It is a figure which shows the processing flow of the weight update which considered the time series change of Example 2. FIG. It is a figure which shows the estimator group structure of Example 3, and is a figure which shows the process example at the time of arranging an estimator group hierarchically. It is a figure which shows an example of the final prediction result calculation flow of Example 4, (a) is the method of taking the product sum of an estimation result and a weight, (b) is the method of taking a majority vote, (c) is a specific estimator. Each method is described below. It is a figure which shows an example of the additional authentication screen using the additional authentication system of the low difficulty of Example 5. FIG. It is a figure which shows an example of the additional authentication screen using the high difficulty additional authentication method of Example 5. FIG.

First, an embodiment will be described.
In the embodiment, the accuracy of determination is improved based on feedback from the user while determining the malignancy of an access destination website and blocking communication with the malignant site. In the embodiment, a plurality of estimators for determining a malignancy level each assigned a weight are prepared to determine the malignancy level of the access destination website, and if the malignancy level is higher than a certain threshold, additional authentication is performed for the user. Request.

  The Web access control apparatus according to the embodiment is an apparatus that connects a terminal operated by a user and the Internet via a network, and estimates the malignancy of an access destination website using a plurality of mechanisms each weighted. A Web site malignancy determination program, and an additional authentication request program that informs the user when access to a site with a high malignancy is detected and determines whether or not access is possible based on the user's determination.

  The feedback value calculation program for determining the content to be fed back to the website malignancy determination program based on the user's judgment and the accompanying information, and the weight of each estimator constituting the malignancy determination program for the website is the feedback value. A weight update program for updating based on the value calculated by the calculation program.

  According to the embodiment, it is possible to estimate the malignancy of a Web site using a plurality of estimators and determine whether the estimation result is correct or not by feedback from the user. At this time, the overall detection accuracy is automatically improved by using the feedback from the user and increasing the weight of the estimator having a high matching rate between the estimation result and the user judgment. By combining these, communication to the malicious site is cut off, and unnecessary additional authentication and the cost of manually updating the blacklist are suppressed to improve convenience.

  When the user is requested to perform additional authentication, the user determines whether or not the connection to the access destination website is possible. Only when it is determined that there is no problem, the user breaks through the additional authentication and accesses the website. As a result, it is possible to suppress access to a malignant site by malware or the like that is not intended by the user or that does not assume the presence of additional authentication and cannot break through additional authentication.

  Also, the user's judgment and the result calculated by the Web site malignancy determination program are matched, and the weight of each estimator constituting the Web site malignancy determination program is updated depending on whether or not both match. As a result, the determination of a highly accurate estimator is emphasized, and the overall malignancy determination accuracy is improved.

  Further, when confirming the user's judgment, it is estimated whether or not the judgment is correct by using incidentally obtained information, and a more probable user judgment result is reflected in the malignancy determination mechanism. Thereby, the fall of the malignancy determination precision by reflecting the judgment of an incorrect user can be suppressed.

  Hereinafter, a malignant website used for cyber attacks is referred to as a malignant site, and a website that is not a malignant site is referred to as a benign site.

With reference to FIG. 1, the configuration of the Web access control apparatus according to the first embodiment will be described.
As shown in FIG. 1, the Web access control apparatus 101 according to the first embodiment is connected to user terminals 121 a to 121 c operated by a user and the Internet 123 via a network 122.

  The Web access control device 101 includes a CPU (Central Processing Unit) 103, a main memory 104 for storing data necessary for the CPU 103 to execute processing, and a hard disk or flash memory having a capacity for storing a large amount of data. A storage device 105 such as, IF (interfaces) 102a and 102b for communicating with other devices, an input / output device 106 for performing input / output such as a keyboard and a display, and a communication path for connecting these devices 107. The communication path 107 is an information transmission medium such as a bus or cable.

  The CPU 103 controls the suspicious communication by executing the access relay program 108 stored in the main memory 104. Further, the CPU 103 determines the malignancy of the access destination website by executing the website malignancy determination program 109.

  In addition, the CPU 103 performs additional authentication of the user who operates the user terminal 121 by executing the additional authentication request program 110. Further, the CPU 103 acquires the information of the access destination website by executing the access destination information acquisition program 111. In addition, the CPU 103 updates the gray list 118, the black list 119, and the white list 120 by executing the list update program 112.

  In addition, the CPU 103 executes a feedback value calculation program 113 to calculate a value to be fed back to the weights assigned to the respective malignancy estimators 124a to 124b constituting the website malignancy determination program 109. Further, the CPU 103 executes the weight update program 114 to estimate each grade of malignancy that constitutes the website malignancy judgment program 109 recorded in the estimator management table 116 based on the value calculated by the feedback value calculation program 113. The weight assigned to the device 124 is updated.

  The Web access control apparatus 101 according to the first embodiment executes a Web site malignancy determination program 109 using a plurality of malignancy estimators 124 each assigned a weight, thereby determining the malignancy of an access destination Web site. And executing the additional authentication request program 110 when the Web site malignancy determination unit and the Web site malignancy determination unit determine that the malignancy of the access destination website is higher than a predetermined threshold. Based on the result of the additional authentication request unit for requesting additional authentication for determining whether or not the access to the access destination website is permitted to the user terminals 121a to 121c, and the weight update based on the result of the additional authentication of the additional authentication request unit By executing the program 114, it is assigned to the malignancy estimator 124 of the website malignancy determination unit. Having a weight update section for updating the weight that has been applied.

  Furthermore, it has a feedback value calculation unit that calculates a value to be fed back to the weight assigned to each malignancy estimator 124 of the Web site malignancy determination unit by executing the feedback value calculation program 113. The weight update unit updates the weight assigned to each malignancy estimator 124 of the website malignancy determination unit based on the calculated value calculated by the feedback value calculation unit.

  The storage device 105 manages the additional authentication history 115 indicating the additional authentication result of the user who operates the user terminal 121 and the accompanying information at that time, and the information of the malignancy estimator 124 constituting the Web site malignancy determination program 109. An estimator management table 116 is stored.

  The storage device 105 also includes an estimator weight history 117 for managing the weights of the malignancy estimators 124 for each time series, a gray list 118 indicating suspicious communication destination information, and a black list indicating dangerous communication destination information. 119, a white list 120 indicating safe communication destination information is stored.

  Each of the above programs and data may be stored in the memory 104 or the storage device 105 in advance, or may be installed (loaded) from the input / output device 106 or another device via the IF 102 when necessary. good.

Next, an example of the additional authentication history 115 will be described with reference to FIG.
As illustrated in FIG. 2, the additional authentication history 115 includes an ID 201, an authentication result 202, accompanying information 203, user identification information 207, and a URL 208. The accompanying information includes, for example, a time 204 required for authentication, the number of correct answers 205, and site information display presence / absence 206.

  The ID 201 represents information that can uniquely identify authentication information. The authentication result 202 represents whether or not the user has succeeded in additional authentication. For example, when the authentication result 202 is “successful”, the user succeeds in the additional authentication, and when the authentication result 202 is “failure”, the user fails in the additional authentication.

  The accompanying information 203 represents information that is incidentally obtained when the user starts additional authentication. Here, the accompanying information 203 will be described as being composed of the time 204 required for authentication, the number of correct answers 205, and whether or not site information display 206 is provided.

  The time 204 required for authentication represents the time required from when the additional authentication screen is presented to the user until authentication is attempted. For example, when 4.3 seconds are required for an authentication attempt after the additional authentication screen is displayed, “4.3” is recorded regardless of whether the authentication is successful. Also, “timeout” is recorded when there is no attempt to break the authentication for a predetermined time.

  The number of correct answers 205 represents the number of correct answers out of the total number of characters and the correct answer rate when authentication using a character string is used for additional authentication. For example, when the authentication character string is “abcd”, if “abvf” is input, the first two characters out of all four characters are correct, so “2 (50%)” is recorded. . This time is calculated by the difference between the time when the additional authentication screen is presented and the time when the additional authentication character string is received from the user in the additional authentication request program 110.

  The site information display presence / absence 206 indicates whether or not the user has requested additional information as a material for determining whether or not the access destination website is malignant during additional authentication. For example, “Yes” indicates that the user has requested additional information, and “No” indicates that the user has not requested additional information. Note that additional information for assisting the user's judgment includes thumbnail images, whois information, DNS information, and the like of the access destination website.

  The stored information of the additional authentication history 115 is acquired and stored at the time of additional authentication when there is an attempt to access a suspicious site. In addition, this time, the time 204 required for authentication, the number of correct answers 205, and the presence / absence of site information display 206 are listed as accompanying information. However, in addition to these pieces of information, information obtained incidentally may be used. To do.

  The user identification information 207 represents information that can uniquely identify a user who has undergone additional authentication. For example, in a network environment, when a user assigned with an identifier “123” desires authentication, “123” representing the user is recorded. Although the identifier assigned to the user on the network system is used this time, it is sufficient that the user can be uniquely identified. For example, the IP (Internet Protocol) address of the user terminal or the user name of the user may be used.

  URL 208 represents the URL of the suspicious connection destination that is the subject of additional authentication. For example, in the case of “foo.com”, the URL represents a suspicious connection destination that has been subjected to additional authentication. Although the URL is used this time as long as the suspicious connection destination can be identified, for example, an IP address or FQDN (Fully Qualified Domain Name) may be used.

Next, an example of the estimator management table 116 will be described with reference to FIG.
As illustrated in FIG. 3, the estimator management table 116 includes an ID 301, a correct answer rate 302, a weight 303, and a latest malignancy determination result 304.

  The ID 301 represents information that can uniquely identify each malignancy estimator 124 included in the Web site malignancy determination program 109. The correct answer rate 302 represents the coincidence rate between the determination result (malignant / benign) for each suspicious site so far and the user additional authentication result (non-breakthrough / breakthrough). For example, “80%” indicates that the determination result for 0.8N times coincides with the additional authentication result of the user among the N times of suspicious site malignancy determination opportunities. A estimator with a higher correct answer rate is given a higher weight, assuming that the accuracy of identifying a malignant site in an organization that has introduced a Web access control device is higher. A specific processing procedure for calculating a weight to be assigned to each malignancy estimator 124 will be described later with reference to FIG.

  The weight 303 represents a value normalized so that the total value of the weights assigned to each malignancy estimator 124 becomes 1. For example, “0.2” indicates that the malignancy estimator 124 has 20% of the judgment right among all the malignancy estimators 124a to 124b.

  The latest malignancy level determination result 304 represents how the malignancy level to be determined is determined on the occasion of determining the latest malignancy level. For example, “75%” indicates that the malignancy estimator 124 determines that the determination target is malignant with a probability of 75%. In addition, although this time, it demonstrated using the malignancy degree of an access destination website as an index showing the suspicious degree of an access destination website, if it is an index which can express suspicious degree, such as a benign degree of an access destination website. Any information may be used. Note that each piece of information in the estimator management table 116 may be input or updated as necessary by the administrator.

Next, an example of the estimator weight history 117 will be described with reference to FIG.
As shown in FIG. 4, the estimator weight history 117 includes a time 401, a weight 402, a malignancy determination result 403, and a match 404 with the authentication result. The estimator weight history 117 is prepared for each malignancy estimator 124 included in the Web site malignancy determination program 109, and stores information on the malignancy estimator 124. 4 illustrates the malignancy weight history 117 corresponding to the malignancy estimator 124 whose ID is 0 in FIG.

  Time 401 represents the time when the malignancy estimators 124a to 124b determine the malignancy of the suspicious site. In FIG. 4, year / month / day hour: minute: second. Although the notation of fractional seconds is used, any information may be used as long as it is information that can distinguish the time, such as Unixtime.

  The weight 402 represents the weight of the malignancy estimator 124 at the time. For example, “0.3” indicates that a weight of 0.3 is given to the malignancy estimators 124a to 124b at the time.

  The malignancy determination result 403 represents the malignancy calculated by the malignancy estimator 124 for the malignancy determination target Web site at the time. For example, “75%” indicates that the malignancy estimator 124 determines that the determination target is malignant with a probability of 75% at the time.

  The coincidence 404 with the authentication result represents whether or not the determination result (malignant / benign) for the suspicious site at that time coincides with the additional authentication result (non-breakthrough / breakthrough) of the user. For example, “match” indicates that the two match, and “mismatch” indicates that the two do not match.

Next, an example of the gray list 118 will be described with reference to FIG.
As illustrated in FIG. 5, the gray list 118 includes an ID 501, a URL 502, an authentication success user count 503, an authentication failure user count 504, and an authentication result 505 for each user. The ID 501 represents information that can uniquely identify the gray list 118.

  URL 502 represents a URL of a suspicious connection destination. For example, “example.com” indicates that the URL is a suspicious connection destination. Although the URL is used this time, it is only necessary to identify a suspicious connection destination. For example, an IP address or FQDN may be used.

  The number of successful authentication users 503 represents the unique number of users who have passed through the additional authentication of the connection destination. For example, “2” indicates that two users have passed through the additional authentication of the connection destination. The number of successes can be calculated by using an authentication result 505 for each user described later.

  The number of failed users 504 represents the unique number of users who did not break through the additional authentication of the connection destination. For example, “4” indicates that four users did not break through the additional authentication of the connection destination. Note that the number of failures can be calculated by using an authentication result 505 for each user described later.

  The authentication result 505 for each user represents the latest authentication result for each user with respect to the connection destination. For example, “123: success, 789: failure” indicates that the user with the identifier 123 has passed the additional authentication and that the user with the identifier 789 has not passed the additional authentication.

  In the gray list 118, connection destinations determined to be malignant by the Web site malignancy determination program 109 are registered by the list update program 110. Specific processing of the Web site malignancy determination program 109 and the list update program 110 will be described later with reference to FIGS. 9 and 10. Each information of the gray list 118 may be registered or updated as necessary by the administrator.

Next, an example of the black list 119 will be described with reference to FIG.
As shown in FIG. 6, the black list 119 includes an ID 601 and a URL 602. The ID 601 represents information that can uniquely identify the black list 119.

  URL 602 represents the URL of a malignant site. For example, in the case of “black.com”, the URL represents a malicious site. Although the URL is used this time, it is only necessary to identify a malignant site. For example, an IP address or FQDN may be used.

  The black list 119 is determined to be malignant by the Web site malignancy determination program 109, and connection destinations for which a certain number of users have not passed authentication are registered by the list update program 110. Specific processing of the Web site malignancy determination program 109 and the list update program 110 will be described later with reference to FIGS. 9 and 10. Each information of the gray list 119 may be registered or updated as necessary by the administrator.

Next, an example of the white list 120 will be described with reference to FIG.
As shown in FIG. 7, the white list 120 includes an ID 701 and a URL 702. The ID 701 represents information that can uniquely identify the white list 120. URL 702 represents the URL of a benign site. For example, in the case of “white.com”, the URL represents a benign site. Although the URL is used this time, it is only necessary to identify a malignant site. For example, an IP address or FQDN may be used.

  Although the white list 120 is determined to be malignant by the Web site malignancy determination program 109, the list update program 110 registers connection destinations for which a certain number of users have passed authentication. Specific processing of the Web site malignancy determination program 109 and the list update program 110 will be described later with reference to FIGS. 9 and 10. Each information of the white list 119 may be registered or updated as necessary by the administrator.

  As described above, in the Web access control apparatus according to the first embodiment, the access relay program 108 of the Web access control apparatus 101 relays communication from the terminal 121. Next, the website malignancy determination program 109 determines the malignancy of the access destination website, and the additional authentication request program 110 requests the user 121 for additional authentication.

  Next, the access destination information acquisition program 111 acquires information on the access destination website, and the list update program 112 updates the gray list 118, the black list 119, and the white list 120. Next, the feedback value calculation program 113 calculates a value to be fed back to the weight assigned to each malignancy estimator 124 constituting the Web site malignancy determination program 109. Next, the weight update program 114 updates the weight assigned to each malignancy estimator 124 included in the Web site malignancy determination program 109 based on the value calculated by the feedback value calculation program 113.

Hereinafter, the overall processing flow of the Web access control apparatus 101 will be described with reference to FIG.
As shown in FIG. 8, the access relay program 108 is executed by the CPU 103 and relays communication from the user terminal 121 via the IF 102a (step 801).

  The access relay program 108 refers to the black list. If the access destination web site corresponds to the black list, the access relay program 108 proceeds to step 810a. If not, the access relay program 108 proceeds to step 803 (step 802).

  The access relay program 108 refers to the white list, and proceeds to step 811a if the accessed Web site corresponds to the white list, and proceeds to step 804 if it does not correspond (step 803).

  The website malignancy determination program 109 calculates the malignancy of the access destination website, and proceeds to step 805 (step 804). The malignancy calculation flow of the Web site malignancy determination program 109 will be described later with reference to FIG.

  The access relay program 108 compares the malignancy calculated in step 804 with a predetermined threshold, and if the malignancy is lower than the threshold, the process proceeds to step 811a, and if it is higher, the process proceeds to step 806 (step 805). . The additional authentication request program 110 requests the user for additional authentication and proceeds to step 807 (step 806).

  Here, it is conceivable that the additional authentication request program 110 uses a system such as CAPTCHA (Complementary Automated Turing Test to Tell Computers and Humans Apart) that separates humans from machines for additional authentication to users. .

  As a result, even when malware attempts to access a malicious site mechanically, it is difficult to break through the authentication, and in addition to accessing a human malicious site, access to the malicious site by malware can also be suppressed. The display screen of the additional authentication request program 110 will be described later with reference to FIG.

  The additional authentication request program 110 confirms whether the user has requested additional information for additional authentication of the access Web destination site. If there is a request, the process proceeds to step 808. If there is no request, the process proceeds to step 809 (step 807). .

  The access destination information acquisition program 111 acquires site information of the access destination and displays the acquired information on the user terminal 118 (step 808).

  The additional authentication request program 110 confirms whether or not the user has succeeded in the additional authentication, and proceeds to 811b if successful and proceeds to 810b if unsuccessful (step 809).

  The access relay program 108 denies the user access to the site and ends the process (step 810a). The access relay program 108 permits the user to access the site and ends the process (step 811a).

  The access relay program 108 denies the user access to the site and proceeds to step 812 (step 810b). The access relay program 108 permits the user to access the site, and proceeds to Step 812 (Step 811b).

  The access relay program 108 receives the additional authentication character string from the user, records additional authentication information such as an authentication result by the additional authentication character string and accompanying information at the time of authentication in the additional authentication history 115, and goes to Step 813. Proceed (step 812).

  The access relay program 108 notifies the list update program 112 and the feedback content value program 113 of the user additional authentication result (whether or not the authentication has been broken), and proceeds to step 814 and step 815 which are the processes of each program. (Step 813).

  The list update program 112 refers to the additional authentication history 115, acquires the user additional authentication result, and updates the gray list 118, the black list 119, and the white list 120 using the information (step 814). Each list update flow of the list update program 112 will be described later with reference to FIG.

  The feedback value calculation program 113 refers to the additional authentication history 115, obtains the user additional authentication result and accompanying information, calculates a feedback value using the information, and proceeds to step 815 (step 815). The feedback value calculation flow of the feedback value calculation program 113 will be described later with reference to FIG.

  The weight update program 114 updates the weight of each estimator recorded in the estimator management table 116 based on the value calculated by the feedback value calculation program 113, and ends the process (step 816).

  In step 806, when the malignancy of the access destination website is equal to or greater than the threshold value, the user is requested to perform additional authentication. However, the user authentication result is cached and the user performs additional authentication for the access destination site. May be permitted without requiring additional authentication. Thereby, it can be expected that the convenience of the user is efficient.

Next, an example of the processing flow of the website malignancy determination program 109 will be described with reference to FIG.
As shown in FIG. 9, when the communication destination of the user terminal 121 that is not recorded in the black list and the white list is received from the access relay program 108, the processing is started (step 901). ).

  Note that the Web site malignancy determination program is composed of a plurality of malignancy estimators 124 each having a weight, and the final value is calculated by integrating the determination results of the respective estimators. As the malignancy estimator 124 here, one that estimates the malignancy of a website from a URL character string, one that estimates the malignancy of a website from external information about the website (whis information, DNS information, etc.), In addition, it is conceivable to estimate the malignancy of a website from the contents of the website.

  The Web site malignancy determination program 109 inputs the access destination Web site received from the access relay program 108 to each malignancy estimator 124 and proceeds to Step 903 (Step 902).

  The Web site malignancy determination program 109 starts receiving the determination results of each malignancy estimator 124, and after receiving the results from all the estimators, proceeds to step 904 (step 903).

  The Web site malignancy determination program 109 records the determination result of each estimator received in step 903 in the estimator management table 116 and the estimator weight history 117, and proceeds to step 905 (step 904).

  The Web site malignancy determination program 109 multiplies the estimation result received by each estimator received in step 903 by the weight assigned to each estimator obtained by referring to the estimator management table 116, and the total value is finalized. The prediction result is calculated, and the process ends (step 905). In addition, the above-mentioned calculation procedure can be shown like the following calculation formula (Formula 1).

  In addition, although the calculation procedure of the final prediction result using the above-mentioned calculation formula was illustrated this time, any method can be used as long as the weight is reflected on the prediction result of each estimator and finally integrated. May be used. Further, the malignancy estimator 124 can be added and deleted, and the administrator may add and delete the malignancy estimator 124 as necessary.

Next, an example of the processing flow of the list update program 112 will be described with reference to FIG.
As shown in FIG. 10, among the communication destinations of the user terminal 121, the additional authentication result of the user is accessed for the website whose malignancy is determined to be equal to or greater than the threshold by the website malignancy determination program 109. When received from the relay program 108, the processing is started (step 1001).

  The list update program 112 refers to the gray list 118 and proceeds to step 1004 if the accessed Web site corresponds to the gray list, and proceeds to step 1003 if not (step 1002).

  The list update program 112 registers the access destination website in the gray list 118 and proceeds to step 1004 (step 1003).

  The list update program 112 refers to the additional authentication result of the user received from the access relay program 108, records the additional authentication result in the gray list 118, the number of successful authentication users, the number of unsuccessful authentication users of the gray list 118, and the user After updating each authentication result, the process proceeds to step 1005 (step 1004).

  The list update program 112 refers to the additional authentication result of the user received from the access relay program 108. If the authentication has succeeded, the process proceeds to step 1006. If the authentication has failed, the process proceeds to step 1009 (step 1005). ).

  The list update program 112 refers to the gray list 118, and proceeds to step 1007 if the cumulative number of successful authentication users of the access destination website exceeds a certain number, and terminates the processing if it does not exceed (step 1006). ).

  The list update program 112 registers the access destination website in the white list 120 and proceeds to step 1008 (step 1007).

  The list update program 112 deletes the line corresponding to the access destination website from the gray list 118, and ends the process (step 1008).

  The list update program 112 refers to the gray list 118, and proceeds to step 1010 if the cumulative number of failed users at the access destination website exceeds a certain number, and ends the process if it does not exceed (step 1009). ).

  The list update program 112 registers the access destination website in the black list 119 and proceeds to step 1011 (step 1010).

  The list update program 112 deletes the line corresponding to the access destination website from the gray list 118 and ends the process (step 1011).

Next, the processing flow of the feedback value calculation program 113 will be described with reference to FIG.
As shown in FIG. 11, among the communication destinations of the user terminal 121, the additional authentication result of the user for the access destination website whose malignancy is determined to be equal to or greater than the threshold by the website malignancy determination program 109 Is received from the access relay program 108, the processing is started (step 1101).

  In this example, an example of using the authentication result 202 and the time 204 required for authentication, the number of correct answers 205, and the presence / absence of site information display 206 as the accompanying information 203 will be described. It is also possible to calculate the final value with a different processing flow even when using.

  The feedback value calculation program 113 sets an initial value of 1.0 and proceeds to step 1103 (step 1102).

  The feedback value calculation program 113 acquires authentication information from the latest entry of the additional authentication history 115, and proceeds to step 1104 (step 1103).

  The feedback value calculation program 113 refers to the authentication information acquired in Step 1103. If the authentication is successful, the process proceeds to Step 1109. If the authentication is not successful, the process proceeds to Step 1105 (Step 1104).

  The feedback value calculation program 113 refers to the authentication information acquired in Step 1103. If the authentication has timed out, the process proceeds to Step 1112. If not, the process proceeds to Step 1106 (Step 1105).

  The feedback value calculation program 113 refers to the authentication information acquired in step 1103. If site information is displayed, the process proceeds to step 1112; otherwise, the process proceeds to step 1107 (step 1106).

  The feedback value calculation program 113 multiplies the value by 0.5 and proceeds to step 1108 (step 1107).

  The feedback value calculation program 113 refers to the authentication information acquired in step 1103, decreases the value according to the number of correct answers, and proceeds to step 1112 (step 1108).

  The feedback value calculation program 113 refers to the authentication information acquired in step 1103, decreases the value according to the time required for authentication, and proceeds to step 1110 (step 1109).

  The feedback value calculation program 113 refers to the authentication information acquired in step 1103. If site information is displayed, the process proceeds to step 1112. If not, the process proceeds to step 1111 (step 1110).

  The feedback value calculation program 113 multiplies the value by 0.5 and proceeds to step 1112 (step 1111).

  The feedback value calculation program 113 returns the final value calculated in the steps so far and ends the processing (step 1112).

  This process makes it possible to quantify the probability of the user authentication result and provide feedback to each estimator 124 constituting the Web site malignancy determination program 109 according to the certainty.

  The reason why the time 204 required for authentication, the number of correct answers 205, and whether or not the site information display 206 is used as the accompanying information 203 this time is as follows.

  The time 204 required for authentication is mainly used to separate access by humans and access by malware. Additional authentication required when accessing a suspicious site does not occur during normal web access, and humans can respond flexibly when additional authentication is issued, whereas malware that does not assume additional authentication , Timed out without breaking through.

  Or, with the recent sophistication of attacks, malware having a function to break through additional authentication has also been reported. In this case, it is assumed that the program attempts to break through authentication at an input speed that is difficult to achieve by humans.

  As described above, the time required for the authentication by the malware is characterized by a timeout or extremely short, and this information is used because it is useful for human authentication and classification.

  If the authentication result is successful, the feedback value calculation program 113 subtracts the value to be fed back in step 1109 according to the time required for authentication. On the other hand, when the authentication result is failure, the subtraction is not performed.

  This considers a user who accesses without considering the risk even when the access destination website is suspicious. Even if a user with a low security level receives a warning that the access destination website is suspicious, the user may access without considering the risk.

  On the other hand, when the access is canceled without breaking through the additional authentication, it is assumed that the risk of the access destination website is taken into consideration. From the nature of the additional authentication result described above, it is assumed that the reliability of authentication success is higher than the reliability of authentication failure.

  For the reasons described above, in the case of authentication breakthrough, the value to be fed back is subtracted, which is not the case when the authentication breakthrough is not broken, thereby reflecting the reliability of the additional authentication.

  The number of correct answers 205 is mainly used to discriminate whether or not the failure is due to a human error when authentication fails. For example, when authentication fails, it is inferred that if it is intended, nothing is input, or if an appropriate character is input, the character string required for breaking through the authentication is greatly deviated.

  On the other hand, since an unintended thing (human error) is an input that is out of the way of trying to break through, it can be inferred that it is not greatly deviated from the character string requested for breaking through the authentication. As described above, whether or not the authentication failure is due to a human error appears in the correct number of inputs to the character string requested for the authentication breakthrough. Therefore, the information is used.

  The site information display presence / absence 206 is mainly used to verify the accuracy of the user authentication result. As described above, the Web access control apparatus 101 has a function of additionally acquiring and displaying information on an access destination website in response to a user request when additional authentication is requested by the user.

  The user who requested the information is requested to request additional information, and it is inferred that the user is a highly security conscious user who tries to determine the nature of the access destination website from various perspectives. Since the information is based on information, it is assumed that the reliability is higher than the determination that the additional information is not viewed. As described above, since the site information display presence / absence 206 is useful for verifying the reliability of the user authentication result, the information is used.

Next, the processing flow of the weight update program 114 will be described with reference to FIG.
As shown in FIG. 12, when a feedback value that is executed by the CPU 103 and reflected on each malignancy estimator 124 that constitutes the Web site malignancy determination program is received from the feedback value calculation program 113, the processing is started (step 1201). .

  The weight update program 114 sets an initial value 0 to a variable i indicating the ID of the malignancy estimator 124, and proceeds to step 1203 (step 1202).

  The weight update program 114 refers to the additional authentication history 115 and the estimator management table 116, acquires the estimation result and authentication result of the estimator whose ID is the variable i, and then proceeds to step 1204 (step 1203).

  The weight update program 114 compares the estimation result of the estimator whose ID is variable i acquired in step 1103 with the authentication result. If the two match, the process proceeds to step 1205; (Step 1204).

  The weight update program 114 adds the weight of the estimator whose ID is the variable i according to the value received from the feedback value calculation program 113, and adds the weight of the estimator recorded in the estimator management table 116. After updating to the value, the process proceeds to step 1207 (step 1205).

  The weight update program 114 subtracts the weight of the estimator whose ID is the variable i according to the value received from the feedback value calculation program 113, and subtracts the weight of the estimator recorded in the estimator management table 116. After updating to the value, the process proceeds to step 1207 (step 1206).

  The weight update program 114 adds 1 to the variable i and proceeds to step 1203 (step 1207).

  The weight update program 114 compares the variable i with the number of estimators that can be obtained by referring to the estimator management table 116, and if the variable i is less than the number of estimators, the process returns to step 1203 and sets the number of estimators. If so, the process proceeds to step 1209 (step 1208).

  The weight update program 114 normalizes the weights of the respective malignancy estimators 124 recorded in the estimator management table 116 so that the sum of the weights of the estimators becomes 1, and ends the processing (step 1209).

An example of the additional authentication screen displayed by the additional authentication request program 110 will be described with reference to FIGS. 13a and 13b.
As shown in FIG. 13a, when an access destination website malignancy determination program tries to access a website showing a malignancy greater than or equal to the threshold, an additional authentication screen is displayed and only when the additional authentication in the screen is broken. , Allow access to the website. The additional authentication screen includes a warning text 1301 that the access destination website is suspicious, a character string display field 1302 for additional authentication, an additional authentication character string input form 1303, an additional authentication character string transmission button 1304, and additional information. A request button 1305.

  Only when the user determines that the Web site is not malignant, the user correctly inputs the character string shown in the additional authentication character string display field 1302 to the additional authentication character string input form 1303 and clicks the additional authentication character string transmission button 1304. By pressing, access can be continued. Further, when the user hesitates to determine whether access is possible, by pressing an additional information request button 1305, additional information for the determination can be acquired and displayed.

An example of the screen after the additional information is displayed is shown in FIG. 13b.
The additional authentication screen after the additional information display includes a website information display field 1306 and a website thumbnail display field 1307. In the Web site information display field 1306, public information regarding the access destination Web site such as whois information and DNS information is displayed. In the Web site thumbnail display field 1307, thumbnails when the access Web site is actually accessed are displayed as images. Based on these pieces of information, the user determines whether to access the access destination website.
A part of the first embodiment may be changed as follows.

  Even if the final prediction result of the malignancy level of the access destination website is equal to or lower than the threshold value, additional authentication may be requested when one or more estimators calculate a high malignancy level. As a result, even an estimator specialized in detecting a specific malignant site whose weight tends to decrease due to its low versatility can be incorporated into the Web site malignancy determination program 110. Detection omission can be suppressed.

  Further, the difficulty level of the additional authentication may be increased or decreased depending on the malignancy value. For example, if the malignancy is relatively low, only a button click can be performed, and if it is high, CAPTCHA authentication can be performed. Thereby, the load concerning the authentication of the user with respect to the site which is more benign than gray can be suppressed.

  Further, the additional authentication result of the verified user may be treated as correct data (Ground Truth), and the data may be sequentially learned each time the data is given and used as the online learning teacher data for constructing the model. As a result, not only optimization of the weight given to each estimator but also optimization of the estimator itself is possible.

Next, a Web access control apparatus according to the second embodiment will be described with reference to FIG.
The second embodiment includes the Web access control apparatus 101 according to the first embodiment. Further, when updating the weight to be given to the malignancy estimator 124, paying attention to the time series change of the weight, the weight in a more suitable form This is a Web access control device having a function of assigning.

  In the second embodiment, paying attention to the time series change of the weight of the estimator, when a tendency different from the conventional change is seen in the change in the weight, the update of the weight is suspended. For example, the weight of a potentially accurate estimator continues to increase monotonically, and it is assumed that the rising value converges to a saturated value. The weight that has increased or converged to a constant value tends to decrease. By detecting this change point and temporarily deferring the weight update, it is possible to determine whether the change in the weight is correct or noise due to a user authentication error, etc. , It is possible to suppress a decrease in the accuracy of determining the malignancy of the Web site.

FIG. 14 is an example of a weight update flow in this embodiment.
The same components as those in the first embodiment are denoted by the same reference numerals, and the description thereof will be omitted. Hereinafter, differences from the first embodiment will be mainly described.

  In addition to the flow shown in FIG. 12, the weight update program 114 has a processing flow in which attention is paid to the time series change at the time of weight update. Specifically, in step 1204, it is verified whether or not the estimation result of the estimator matches the authentication result, and when branching to a flow for adding / subtracting the weight, actual processing is performed based on the time series change of the weight. Step 1210 and Step 1211 for determining whether to add / subtract the weight. Hereinafter, the processing content of step 1210 and step 1211 will be described.

  The weight update program 114 acquires the time series change of the weight of the estimator whose ID is the variable i with reference to the estimator time series weight management table 117 corresponding to the estimator. Also, if the weight is added, it is verified whether the tendency of the weight change is different from the previous one. If a tendency different from the previous change is seen, the process proceeds to step 1207 to suspend the weight update. If no change in weight change is observed, the process proceeds to step 1205 (step 1210).

  The weight update program 114 acquires the time series change of the weight of the estimator whose ID is the variable i with reference to the estimator time series weight management table 117 corresponding to the estimator. Further, if the weight is subtracted, it is verified whether the tendency of the weight change is different from the previous one. If the tendency different from the previous change is seen, the process proceeds to step 1207 to suspend the weight update. If no different trend is seen in the change in weight, the process proceeds to step 1206 (step 1211).

A Web access control apparatus according to the third embodiment will be described with reference to FIG.
The third embodiment includes the Web access control apparatus 101 according to the first embodiment. Further, in the Web site malignancy determination program 109, the malignancy calculation time is improved by arranging a plurality of malignancy estimators 124 in a hierarchical manner. It has the function to do.

  In the third embodiment, a plurality of malignancy estimators 124 are compared with a surface analysis portion (first group) having a comparatively short processing time, and a detailed analysis portion capable of calculating the malignancy of a website with higher accuracy than the processing time is required. Divide hierarchically into (second group). As a result, for a clearly benign or clearly malignant website, the nature of the website can be determined only by the plurality of malignancy estimators 124 in the surface analysis portion having a short processing time. Can be shortened. Further, when it is difficult to determine the property of the Web site in the surface analysis part, the determination is made using the detailed analysis part, so that the determination accuracy is not significantly reduced.

  FIG. 15 is an example of an estimator group configuration method according to the third embodiment. FIG. 15 is a processing example when a plurality of malignancy estimators 124 are arranged hierarchically in the Web site malignancy determination program 109 in step 804 in the first embodiment. Since the processing flow other than the Web site malignancy determination program 109 is the same as that of the first embodiment, the description thereof will be omitted. In the following, a plurality of malignancy estimators 124 are arranged in a hierarchical manner that is different from the first embodiment. The estimation result derivation method will be mainly described.

  In addition to the flow shown in FIG. 9, the Web site malignancy determination program 109 includes a plurality of malignancy estimators 124 for a surface analysis portion (malignancy estimator A, malignancy estimator B) and a detailed analysis portion (malignancy estimation). And an additional malignancy calculation flow by dividing into C, malignancy estimator D, malignancy estimator E). Specifically, in step 902, the access destination website is not input to all of the plurality of malignancy estimators 124, but is input only to the surface analysis portion (malignancy estimator A, malignancy estimator B). . Thereafter, the estimation results (estimation result A, estimation result B) are received from the surface layer analysis part (grade estimator A, grade estimator B), and the estimation result (interim estimation result) is clearly benign, or If it is clearly malignant, the process proceeds to step 904 with the estimation result as the final prediction result.

  Here, clearly malignant means, for example, a state where the malignancy is 90% or more, and clearly benign means a condition where the malignancy is 10% or less, for example. The specific numerical values are not limited to this. If the surface analysis part (grade estimator A, grade estimator B) cannot be judged to be clearly benign or clearly malignant, the detailed analysis parts (grade estimator C, grade estimator D, The process proceeds to the grade estimator E). At this time, an access destination Web site is input to a plurality of malignancy estimators C, malignancy estimators D, and malignancy estimators E constituting the detailed analysis portion. Thereafter, the estimation results (estimation result C, estimation result D, estimation result E) are received, and the estimation result is used as the final prediction result.

  In FIG. 15, the plurality of malignancy estimators 124 are divided into two stages, but may be divided into three or more stages. In the third embodiment, the malignancy calculation time can be made efficient by the above method.

A Web access control apparatus according to the fourth embodiment will be described with reference to FIG.
The fourth embodiment includes the Web access control apparatus 101 according to the first embodiment. Further, the Web site malignancy determination program 109 pays attention to a method for calculating the final prediction result based on the malignancy received from the plurality of malignancy estimators 124, and calculates the malignancy in a more suitable form. It has a function to improve the accuracy of judging malignancy of a website.

  In the fourth embodiment, in addition to the final prediction result calculation method (a) shown in the first embodiment, a method (b) in which a majority decision is made from the estimation results of the plurality of malignancy estimators 124 and a calculation method in the first embodiment are used. In addition, there is a method (c) in which the prediction result calculated by a single estimator is used in a specific case.

  In the method (b) of taking the majority vote, the malignancy estimator A, the malignancy estimator B, and the malignancy estimator C do not require the calculation process in the method (a) of multiplying the prediction result and the weight and then summing them. Therefore, processing time can be shortened.

  In the method (c) of using prediction results calculated by a single estimator in a specific case, the overall accuracy of estimation is achieved by effectively using the malignancy estimator C specialized in determining the properties of websites having specific properties. Can be improved. For example, the malignancy estimator C specialized for a specific malignant site such as a phishing site or a malware download site has a low estimation accuracy for a benign site with more access, It is conceivable that the weight given to the estimator C is small.

  In this case, even when an access to a phishing site or a malware download site, which is a specialty of the malignancy estimator C, occurs, the weight of the malignancy estimator C is small and is hardly reflected in the final prediction result. For this reason, there is a possibility that the final prediction result cannot be calculated appropriately. Therefore, when the malignancy estimator C specialized for the specific malignant site described above shows a high malignancy for the accessed Web site, even if the overall prediction result is benign, there is a risk of malignancy. Require additional authentication from the user for As a result, it is possible to suppress oversight of the malignant site and improve the overall estimation accuracy as described above.

Next, an example of a final prediction result calculation flow in the fourth embodiment will be described with reference to FIG.
FIG. 16 is an example of each method used to determine whether the property of the accessed Web site is malignant or benign in the Web site malignancy determination program 109 in the first embodiment and in Step 805.

  Further, in order from the left, a method (a) of multiplying the estimation result and the weight of Example 1 by a weight (a), a method of taking a majority vote (b), and a method of using a specific malignancy estimator (c) are illustrated. Yes. Since the processing flow other than the Web site malignancy determination program is the same as that of the first embodiment, its description is omitted. In the following, a method (b) of taking a majority vote, which is a method different from the first embodiment, and a method (c) of using a specific malignancy estimator will be mainly described.

First, the method (b) for taking a majority vote will be described.
The method of taking a majority decision is to compare the estimation results in the malignancy estimator A, the malignancy estimator B, and the malignancy estimator C with the threshold values established in advance. For each malignancy estimator C, it is estimated whether the property of the accessed Web site is malignant or benign. Thereafter, the total number of properties aggregated from the malignancy estimator A, the malignancy estimator B, and the malignancy estimator C is compared, and the one with the largest total number is calculated as the final prediction result. In the example of (b), two of the three grade estimators A, grade estimators B, and grade estimators C are benign, one is benign, and there are more benign. The final prediction result is benign.

Next, the method (c) of using a specific estimator will be described.
In the method of using a specific estimator, first, it is confirmed whether the malignancy estimator C to be used shows a high malignancy. At this time, if the malignancy estimator C has a high value, the Web site is used as a malignant image regardless of the results calculated by the other malignancy estimators A and B. Require additional authentication from the user. When the malignancy estimator C does not output a high value, a final prediction result is calculated by the same method as in the first embodiment, and access control is performed according to the value.

  In the example of (c), among the three malignancy estimators A, malignancy estimators B, and malignancy estimators C, the malignancy estimator C is specialized for a specific malignant site. Since the malignancy estimator C has a high malignancy, the access destination website is determined to be malignant. In the calculation method of the first embodiment, the access destination website is determined to be benign. Further, it is assumed that the specific malignancy estimator C to be used is designated in advance by the administrator, and in this method, whether or not to use each malignancy estimator in the estimator management table 116 in FIG. Has an additional item to represent.

  In the fourth embodiment, the processing time can be shortened and the estimation accuracy can be improved by the above method.

A Web access control apparatus according to the fifth embodiment will be described with reference to FIGS. 17A and 17B.
The fifth embodiment includes the Web access control apparatus 101 according to the first embodiment. Further, the additional authentication request program 110 has a function of improving user convenience by changing the additional authentication method according to the situation and suppressing erroneous access to the malignant site with higher accuracy. In the fifth embodiment, the difficulty level of additional authentication is changed from the following three viewpoints.

  The first is a change in the difficulty level of additional authentication according to the malignancy. Specifically, when requesting additional authentication from a user because there is a possibility of access to a malicious site, if it is determined that the malignancy of the website is very high, additional authentication with a high degree of difficulty is required. know. On the other hand, when the maturity level of the Web site is higher than the threshold value but close to the threshold value and is relatively low among those judged to be malignant, additional authentication with a low degree of difficulty is required when it breaks. As a result, the possibility of erroneous access to a Web site with a higher possibility of malignancy is suppressed, and the accessibility to a site with a relatively low malignancy is improved and convenience is improved.

  In the present method, an additional table showing the percentage of malignancy that is very high or the percentage of malignancy that is relatively low is shown in the storage device 105 of FIG. Have. Each value shall be established by the administrator in advance.

  The second is a change in the difficulty level of the additional authentication according to the reliability of the information source in the gray list. The gray list can manually add a Web site that seems to be a malignant site, but information sources at this time may include those from a highly reliable organization to those that are not.

  Therefore, the difficulty level of additional authentication is changed according to the reliability of the information source. For additional authentication for access to a Web site obtained from a highly reliable information source, a low difficulty level is used. On the other hand, for the additional authentication for the access to the Web site obtained from the information source that is not so, a highly difficult one is used. This improves the convenience for the user and suppresses erroneous access to the malignant site with higher accuracy.

  In this method, for each URL stored in the gray list 118 of FIG. 5, there is an additional item representing the reliability of the information source, for example, as high, medium and low. Each value shall be established by the administrator in advance, and the method of expressing the reliability of the information source is not limited to the above.

  The third is an increase in the difficulty level of additional authentication when a malignancy estimator specialized for a specific malignant site shows a high malignancy. If the malignancy estimator specialized for a specific malignant site shows a high malignancy, the possibility of a malignant site having a specific property that should not be accessed increases. In particular, if the malignancy estimator shows a high malignancy and the overall estimation result is from a benign site, the malignant site imitates a benign site that cannot be detected by other malignancy estimators. There is a possibility. For this reason, it is necessary to further block access to the Web site.

  For the above reasons, the additional authentication required from the user is made with a high degree of difficulty, thereby suppressing erroneous access to the sex site with higher accuracy. Further, it is assumed that the specific malignancy estimator to be used is designated in advance by the administrator, and in this method, the estimator management table 116 in FIG. 3 indicates whether or not to use each malignancy estimator. Has additional items.

  In the fifth embodiment, an additional table indicating which authentication method is used is provided in the storage device 105 of FIG. Which authentication method is to be used shall be established in advance by the administrator. Further, in the fifth embodiment, there are two additional authentication methods having different degrees of difficulty in addition to those shown in the first embodiment.

FIG. 17 a is a diagram illustrating an example of an additional authentication screen using an additional authentication method with a low degree of difficulty.
There is no step of reading and inputting a character string from the screen as in the first embodiment, and it is possible to continue accessing the Web site simply by pressing the connection button 1701 displayed on the screen.

FIG. 17B is a diagram illustrating an example of an additional authentication screen using the high difficulty additional authentication method.
A calculation formula display field 1702 for additional authentication is provided, the calculation formula is read from the calculation formula display field 1702, the calculation result of the calculation formula is correctly input to the additional authentication character string input form 1703, and the add authentication character string transmission button 1704 is pressed. By doing so, the access can be continued.

  In the fifth embodiment, it is possible to improve user convenience and suppress access to a malignant site with higher accuracy by the above method.

101: Web access control device 108: Access relay program 109: Website malignancy determination program 110: Additional authentication request program 111: Access destination information acquisition program 112: List update program 113: Feedback value calculation program 114: Weight update program 115: Additional authentication history 116: estimator management table 117: estimator weight history 118: gray list 119: black list 120: white list 121: user terminal 123: Internet 124: malignancy estimator

Claims (12)

A web access control device connected to the Internet and a user terminal operated by a user,
A website malignancy determination unit that determines the malignancy of an access destination website based on a predetermined threshold by executing a website malignancy determination program using a plurality of malignancy estimators each assigned a weight. When,
When the Web site malignancy determining unit determines that the malignancy of the access destination website is higher than the predetermined threshold, the access destination Web site is executed with respect to the user terminal by executing an additional authentication request program An additional authentication request part for requesting additional authentication for determining whether or not to allow access,
A weight update unit that updates the weights respectively assigned to the malignancy estimators of the Web site malignancy determination unit by executing a weight update program based on the result of the additional authentication of the additional authentication request unit When,
A Web access control apparatus comprising: A feedback value calculation unit that calculates a value to be fed back to the weight assigned to each of the malignancy estimators of the Web site malignancy determination unit by executing a feedback value calculation program;
The weight update unit
2. The Web according to claim 1, wherein the weights respectively assigned to the malignancy estimators of the Web site malignancy determination unit are updated based on the calculated values calculated by the feedback value calculation unit. Access control device. The feedback value calculation unit
In addition to the result of the additional authentication of the additional authentication request unit, the accompanying information obtained at the time of the additional authentication is used to feed back the weight assigned to the malignancy estimator of the Web site malignancy determination unit. The Web access control apparatus according to claim 2, wherein a value to be calculated is calculated. The feedback value calculation unit
4. The Web access control apparatus according to claim 3, wherein as the accompanying information, a time required for the additional authentication or presence / absence of information display of the access destination Web site is used. The feedback value calculation unit
Calculating a value to be fed back to the weight assigned to each of the malignancy estimators using a time-series change of the weight assigned to each of the malignancy estimators of the Web site malignancy determination unit; The Web access control apparatus according to claim 2, wherein the apparatus is a Web access control apparatus. The additional authentication request unit includes:
When the Web site malignancy determination unit determines that the malignancy of the access destination website is higher than the predetermined threshold, the access destination Web site is determined to be a suspicious site, and the suspicious site is transmitted to the user terminal. The Web access control apparatus according to claim 1, further comprising: additional information on the Web access control apparatus. The additional authentication request unit includes:
The Web access control apparatus according to claim 6, wherein a thumbnail image of the access destination Web site is used as the additional information related to the suspicious site. The weight update unit
The estimation result of the malignancy estimator of the Web site malignancy determination program is compared with the authentication result of the additional authentication of the additional authentication request unit, and assigned to the malignancy estimator based on the comparison result. The Web access control apparatus according to claim 1, wherein the weight is updated. The weight update unit
9. The Web according to claim 8, wherein a weight of the malignancy estimator having a high coincidence rate between a comparison result of the estimation result of the malignancy estimator and the authentication result of the additional authentication request unit is increased. Access control device. The plurality of malignancy estimators of the website malignancy determination unit are:
It is divided hierarchically into a first group for determining the malignancy at a first processing time and a second group for determining the malignancy at a second processing time longer than the first processing time. ,
According to the malignancy determined by the malignancy estimator belonging to the first group, it is determined whether or not the malignancy is determined again by the malignancy estimator belonging to the second group. The Web access control apparatus according to claim 1. The website malignancy determination unit
The estimation results in the plurality of malignancy estimators are compared with a predetermined threshold value, and it is estimated for each malignancy estimator whether the accessed Web site is malignant or benign, and the total number of malignant numbers and the benignity The Web access control apparatus according to claim 1, wherein the malignancy degree of the access destination Web site is determined according to a comparison result with the total number of the access points. The website malignancy determination unit
Predetermining a specific malignancy estimator from the plurality of malignancy estimators, prioritizing the estimation results of the specific malignancy estimators over the estimation results of the other malignancy estimators, The Web access control apparatus according to claim 1, wherein the malignancy level of an access destination Web site is determined.

Images