JP7799558B2 - Risk-based authentication system and risk-based authentication method - Google Patents

Description

The present invention relates to a risk-based authentication system and a risk-based authentication method.

The IT environment has undergone major changes in recent years. The use of cloud services has steadily increased, with 64.7% of companies using cloud services at least partially in 2019. Furthermore, with the rapid spread of working from home (WFH) due to COVID-19, companies have rapidly adopted teleworking, and the percentage of companies planning to adopt it in the future is nearly 60%. In addition to these changes in IT usage patterns, attacks targeting corporate information are also evolving. Cyberattacks are becoming more sophisticated, and APT (Advanced Persistent Threat) attacks, in particular, differ from traditional threats in that they are covert, persistent, and sustained over long periods of time, making it impossible to detect or prevent malware from infiltrating corporate networks. Furthermore, since the most common route for the leak of corporate trade secrets is through internal perpetrators, simply preventing attacks from outside the company will not prevent information leaks.

In this climate, risk-based authentication is attracting increasing attention. Risk-based authentication is a method of more reliable identity authentication and access control by using records such as user access logs to calculate the risk level of a user's access and dynamically changing the authentication method and access permissions according to the risk level.

For example, if a cloud service is accessed from another country immediately after a user from Japan accesses it, it is possible to determine that there is a high risk of spoofing and perform additional authentication, thereby preventing unauthorized access. It is also possible to implement access control based on the status of the user and the client device they use, such as preventing access to important resources in teleworking. Furthermore, issuing a warning when access is performed in a pattern that differs from the user's usual behavior pattern could serve as a countermeasure against insider theft.

As such, risk-based authentication has been attracting attention due to recent changes in the IT environment. However, while risk-based authentication recommends correlative analysis of various information, such as user behavior and device status, the input information and analysis methods have not been established.

Patent Document 1 provides background technology for solving this problem. Patent Document 1 states, "In a risk-based authentication system, by changing the risk level assessment results based on externally obtained risk information on the Internet and changing the decision level for performing additional authentication, it is possible to achieve more flexible risk-based authentication."

Japanese Patent Application Laid-Open No. 2019-191657

The technology described in Patent Document 1 performs risk-based authentication based on rule analysis, behavioral analysis, and externally obtained internet risk level information, enabling more flexible and accurate risk-based authentication. However, because multiple risk assessment methods are all implemented during authentication and authorization, the processing time for risk assessment and the resource consumption of the system used to perform the risk assessment increase.

The present invention has been made to address the above-mentioned problems. That is, one of the objects of the present invention is to provide a risk-based authentication system and a risk-based authentication method that can reduce the processing time for risk assessment and the resource consumption of the system used to perform the risk assessment.

To solve the above problem, the risk-based authentication system of the present invention includes an information processing device that evaluates the risk of access to resources by a client terminal and performs processing according to the evaluation results. The information processing device is configured to perform risk score calculation using risk calculation data, which is information necessary to calculate a risk score indicating a risk level, using each of a plurality of risk assessment methods. The information processing device is configured to be able to set, for each of the plurality of risk assessment methods, execution stages for gradually setting the order in which the risk score calculations using the risk assessment methods are performed. The information processing device is configured to calculate the risk score by performing the risk score calculation using the risk assessment method for each execution stage, calculate a stage risk score for each execution stage by integrating the calculated risk scores, and perform risk evaluation to evaluate the risk of the access based on the calculated stage risk score in a stepwise manner, starting from the smallest execution stage and transitioning to the next execution stage only in predetermined cases.

The risk-based authentication method of the present invention uses an information processing device that evaluates the risk of access to resources by a client terminal and performs processing according to the evaluation results. The information processing device performs risk score calculation using risk calculation data, which is information necessary to calculate a risk score indicating a risk level, using each of a plurality of risk assessment methods to calculate the risk score. Execution stages for setting the order in which the risk score calculations are performed using the risk assessment methods can be set for each of the plurality of risk assessment methods. The risk score is calculated by performing the risk score calculation using the risk assessment method for each execution stage, and the calculated risk scores are integrated to calculate a stage risk score for each execution stage. The risk assessment that evaluates the risk of the access based on the calculated stage risk score is performed in stages, starting from the smallest execution stage and transitioning to the next execution stage only in specified cases.

This invention reduces the processing time for risk assessment and the resource consumption of the system used to perform the risk assessment.

FIG. 1 is a block diagram showing an entire system including a risk-based authentication system according to an embodiment of the present invention. FIG. 2 is a block diagram showing details of a risk determination device included in the risk-based authentication system. FIG. 3 is a diagram showing an example of the risk assessment means table. FIG. 4 is a diagram showing an example of the threshold table. FIG. 5 is a diagram showing an example of a risk determination result log table. FIG. 6 is a UML sequence diagram showing an overview of the processing of a system having a risk-based authentication system. FIG. 7 is a flowchart showing the process flow of the risk calculation data update process. FIG. 8 is a flowchart showing the processing flow of the risk determination process. FIG. 9 is a flowchart showing the processing flow of the parameter update process. FIG. 10 is a diagram showing an example of the rejection screen. FIG. 11 is a diagram showing an example of a client terminal risk display screen.

<<Embodiment>>
Hereinafter, an embodiment of the present invention will be described with reference to Figures 1 to 11. In this embodiment, the same components are generally designated by the same reference numerals, and repeated description will be omitted. It should be noted that this embodiment is merely an example for realizing the present invention and does not limit the technical scope of the present invention. In the following embodiment, the risk assessment process will be described as an example in which the function is realized by a computer executing software, but it may also be realized by hardware logic.

In the following explanation, various types of information may be described using expressions such as "table," but the various types of information may also be expressed using other data structures. Furthermore, when describing identification information, expressions such as "ID," "code," and "identification information" are used, but these are interchangeable. Furthermore, in the following explanation, processing may be described using a functional block as the subject, but the subject of the processing may be the CPU instead of the functional block.

A program may be installed into a computer (information processing device) from a program source. The program source may be, for example, a program distribution server or a storage medium (portable storage medium) readable by the computer (information processing device). In an embodiment, two or more programs may be realized as a single program, or one program may be realized as two or more programs.

The present invention relates to a system that uses multiple risk assessment means (risk determination methods) to assess the risk of access by client terminals to resources such as servers. Furthermore, the present invention relates to technology for optimizing the processing time required for risk assessment, the accuracy of risk assessment, and resource consumption by databases, risk management assessment systems, and client terminals involved in risk assessment processing. Furthermore, the present invention relates to technology for optimizing resource consumption, etc., by varying the weighting of each risk assessment means, whether or not risk assessment means are implemented and the order in which they are implemented, the update frequency of risk calculation data created for risk assessment, and the collection period for log data required to create risk calculation data.

First, using Figure 1, we will explain the system configuration of a risk-based authentication system 1 according to an embodiment of the present invention. The system comprises a client terminal 101 used by a user in various environments such as a telework environment, a home office, or an overseas office, resources 102 located in various environments such as a cloud environment, a home office, or an overseas office, which the user accesses using the client terminal 101, the risk-based authentication system 1, and a log management device 105, all of which are connected via a network 106. The network 106 may be, for example, a wired LAN (Local Area Network) or a wireless LAN, or a global network such as the Internet.

The risk-based authentication system 1 includes an authentication device 103 and a risk assessment device 104. The authentication device 103 is a device that authenticates the client terminal 101 and the user using it each time the client terminal 101 accesses a resource 102. An example of the frequency of authentication is each time the client terminal 101 sends a request to the server that owns the resource 102. Another example of the frequency of authentication is not to perform authentication multiple times for accesses within a certain period of time, such as from login to logout. During authentication, the authentication device 103 queries the risk assessment device 104 about the risk level (magnitude of risk) of the access, and imposes appropriate authentication and access control on the user based on the result (i.e., the authentication device 103 dynamically changes the authentication level imposed on the user based on the risk level). The log management device 105 stores information required by the risk assessment device 104 when calculating the risk level (risk score indicating the risk level).

In FIG. 1, as an example, client terminals 101 exist in three locations: a telework environment, a home office, and an overseas office. Note that client terminals 101 may also exist in other environments. Similarly, resources 102 exist in three locations: a cloud environment, a home office, and an overseas office. Resources 102 may also exist in other environments. Also, although three log management devices 105, A to C, are shown, there is no set number.

Next, the risk assessment device 104 will be described using Figure 2. The risk assessment device 104 is realized by a general information processing device such as a PC (Personal Computer) or server as shown in Figure 2, and is equipped with a communication interface (communication IF) 111, a CPU (Central Processing Unit) 112, a main memory 113, a storage device 114, and a communication path 115 connecting each of these components. The communication path 115 is, for example, an information transmission medium such as a bus or cable. Note that the risk assessment device 104 may be realized by multiple information processing devices. The information processing device may also be a virtual information processing device built on the cloud.

Main memory 113 is a semiconductor storage device such as RAM (Random Access Memory), and temporarily stores programs loaded from storage device 114 and executed by CPU 112, as well as necessary work data.

The CPU 112 executes programs stored in the main memory 113.

The storage device 114 is, for example, a large-capacity magnetic storage device or semiconductor storage device such as an HDD (Hard Disk Drive) or SSD (Solid State Drive), and stores programs executed by the CPU 112 and data used by the CPU 112.

In this embodiment, the CPU 112 loads into the main memory 113 the following programs: a risk calculation data creation unit 121, a data collection unit 122, a risk assessment unit 123, a parameter update unit 124, and a display unit 125. The CPU 112 executes these programs loaded into the main memory 113, thereby realizing the functions of the risk calculation data creation unit 121, the data collection unit 122, the risk assessment unit 123, the parameter update unit 124, and the display unit 125.

The risk calculation data creation unit 121 is a program that creates and updates the risk calculation data 133 required to calculate the risk score based on log data collected from the log management device 105 using the data collection unit 122, as described below.

The data collection unit 122 is a program that provides a unified interface that eliminates differences depending on the type of log management device 105 when the risk calculation data creation unit 121 collects log data from one or more types of log management device 105.

The risk assessment unit 123 is a program that calculates a risk score using the risk assessment means table 131, threshold table 132, and risk calculation data 133 described below.

The parameter update unit 124 is a program that updates the settings of the risk assessment means table 131 and threshold table 132, which are described below, using the risk assessment result log table 134, which is described below.

The display unit 125 is a program that displays the screen and processes inputs to the screen, as described below.

The storage device 114 also stores a risk assessment means table 131, a threshold table 132, risk calculation data 133, and a risk assessment result log table 134. Details of each table will be described later.

The authentication device 103 may also be realized by a general information processing device such as a PC (Personal Computer) or a server. The authentication device 103 may also be realized by multiple information processing devices. Furthermore, the authentication device 103 and the risk assessment device 104 may be realized by a single information processing device. The information processing device may also be a virtual information processing device built on the cloud.

Next, we will explain the data structure used in the risk-based authentication system 1 according to this embodiment using Figures 3 to 5.

First, an example of a risk assessment means table will be described using Figure 3. The risk assessment means table 131 is a table that records information that specifies one or more risk assessment means (also referred to as "risk assessment information" or "risk assessment methods") that the risk assessment device 104 (risk assessment unit 123) uses to calculate a risk score. This table stores information that specifies risk assessment methods in correspondence with each other.

An entry in the risk assessment means table 131 has the following fields: ID 301, risk assessment means 302, type 303, weight 304, stage 305, risk calculation data update frequency 306, usage log acquisition period 307, and real-timeness 308. ID 301 stores a code for uniquely identifying the record within the table. Risk assessment means 302 stores the name of the risk assessment means. Type 303 stores one of two values, "behavior" and "state," which are the types of risk assessment means. "Behavior" is a means (method) of creating a baseline based on past data and assessing risk based on the deviation from the baseline. For example, the greater the deviation, the higher the risk score calculated. State, on the other hand, is a means (method) of assessing risk based on the current or most recent state. For example, a risk score is calculated based on whether the current or most recent state differs from a specified state, or the degree to which the current or most recent state differs from the specified state (e.g., the degree to which there are signs of an attack on the device).

Weight 304 stores the weight used when the risk assessment device 104 integrates the risk scores calculated by each risk assessment means (risk assessment method) and calculates the stage risk score.

Stage 305 stores the stage at which the risk assessment means (risk assessment method) is executed. As shown in the risk assessment process S604 described below, the risk assessment device 104 calculates the risk score on a stage-by-stage basis, starting with the result of the risk assessment means (risk assessment method) with the smallest value stored in the stage. In other words, stage is information for gradually setting the order in which risk score calculations are performed by the risk assessment means (risk assessment method) on a stage-by-stage basis. A stage is also referred to as an "execution stage," and a stage unit is also referred to as an "execution stage unit."

Risk calculation data update frequency 306 stores setting information for the frequency at which the risk calculation data 133 used by the risk assessment means (risk assessment method) to calculate the risk score is updated. For example, if the risk calculation data update frequency 306 is set to one day, log data is collected from the log management device 105 once a day, and the risk calculation data 133 is updated. Specific processing will be described later in the risk calculation data update processing flowchart in Figure 7.

Risk calculation data 133 is data (including machine learning models) required to calculate (compute) a risk score, and could refer to something simple, such as the percentage of web browsers used by a user, generated from access logs stored in the log management device 105, or a machine learning model generated from access logs that distinguishes between general users and insiders.

The usage log acquisition period 307 stores a setting value that determines how much log data from the current date and time is collected from the log management device 105 when updating the risk calculation data 133. If the value is large, it will be possible to calculate the risk score based on information going back further in time, but since a large amount of logs will be collected from the log management device 105, the resource consumption, network consumption, and log data collection time of the log management device 105 will increase. If the type 303 is behavior, logs for the entire period are required, so the value will be the same as the risk calculation data update frequency 306.

On the other hand, when type 303 is "state," usage log acquisition period 307 is set to a value equal to or smaller than risk calculation data update frequency 306. This is because collecting logs for a period longer than risk calculation data update frequency 306 results in duplicate logs being collected. Real-timeness 308 stores a setting value that determines how recent data needs to be used when calculating a risk score using the risk assessment means (risk assessment method). In other words, real-timeness 308 stores a time (value) that specifies the real-timeness of risk calculation data 133 required by the risk assessment method (risk assessment means) when the risk assessment unit 123 calculates a risk score. For information with little short-term fluctuation, such as access log trends, the period (time) of real-timeness 308 may be lengthened. Conversely, for information requiring real-time detection, such as traces of an attack appearing on a user terminal, the period (time) of real-timeness 308 may be shortened. This value is set to a value equal to or smaller than risk calculation data update frequency 306. This is because, if a value greater than the risk calculation data update frequency 306 is set, no matter what value is used, the processing result will be the same as if the value were the same as the risk calculation data update frequency 306 in the procedure (processing) of step 804 described below. Furthermore, the set value may be set differently for each client terminal 101. In that case, some client terminals 101 may not implement some risk assessment means (risk assessment methods).

Next, an example of a threshold table will be explained using Figure 4. The threshold table 132 is a table that stores tiered thresholds (sometimes referred to as "threshold scores" for convenience) that are used to determine how to control access at each stage 305, as a result of executing the risk assessment means 302 (risk assessment method) for which the stage is set, on a stage-by-stage basis, and integrating the results.

An entry in the threshold table 132 has fields for ID 401, stage 402, threshold 403, and judgment result 404. ID 401 stores identification information (code) for uniquely identifying the record within the table. Stage 402 stores the stage number to which threshold 403 is applied. Threshold 403 stores a threshold for determining judgment result 404. This threshold can also be considered a threshold used to evaluate the risk level (access risk) based on the stage risk score. Judgment result 404 stores the access control processing to be executed when the risk score (stage risk score) obtained by integrating the results of all risk judgment means (risk judgment methods) for each stage 402 exceeds threshold 403.

The weight 304, stage 305, risk calculation data update frequency 306, usage log acquisition period 307, and threshold 403 may be set in advance by the administrator or may be updated by the administrator.

Furthermore, the weight 304, stage 305, risk calculation data update frequency 306, usage log acquisition period 307, and threshold 403 may be set or updated by machine learning. In this case, for example, access patterns that should be detected and access patterns that should not be detected are prepared. Risk assessment is performed using these, and information including the results is stored in the risk assessment result log table 134, which will be described in detail later. Then, based on the information in the risk assessment result log table 134, at least one of the weight 304, stage 305, risk calculation data update frequency 306, usage log acquisition period 307, and threshold 403 is mechanically set (updated) using machine learning such as a genetic algorithm to optimize at least one of the risk assessment processing time, assessment accuracy, and resource consumption. "Optimization" here refers to determining the setting values for the weight 304, stage 305, risk calculation data update frequency 306, usage log acquisition period 307, and threshold 403 such that there are no setting values that can simultaneously improve all three indicators of risk assessment processing time, assessment accuracy, and resource consumption. It is not possible to optimize all three indicators—risk assessment processing time, assessment accuracy, and resource consumption—and they are in a trade-off relationship. For example, minimizing risk assessment processing time can be achieved by reducing the value of the risk calculation data update frequency 306, thereby suppressing the occurrence of the risk calculation data update process (step 805) in the risk assessment process S604 (described later). However, in this case, the risk calculation data update process is executed more frequently, resulting in increased resource consumption. Alternatively, it is possible to reduce the number of risk assessment processes executed by, for example, reducing the number of risk assessment processes executed in the early stages of stage 305 and setting the threshold 403 so that transition to the next stage is less likely. However, in this case, reducing the number of risk assessment processes executed results in a deterioration of risk assessment accuracy. The same is true for other indicators: improving one indicator will result in a deterioration of the other indicators. Therefore, there will be multiple optimal values. In other words, optimization here refers to calculating Pareto-optimal solutions using a multi-objective optimization algorithm.

Next, an example of a risk assessment result log table will be described using Figure 5. The risk assessment result log table 134 is a table that records the results of risk assessment. An entry in the risk assessment result log table 134 has the following fields: ID 501, date and time 502, client terminal identifier 503, risk assessment method 504, whether risk calculation data has been updated 505, processing time 506, resource consumption 507, risk score 508, and stage 509.

ID 501 stores identification information (code) for uniquely identifying a record within the table. Date and time 502 stores the date and time when the risk assessment was performed. Client terminal identifier 503 stores an identifier that uniquely identifies the client terminal 101 on which the risk assessment was performed. Risk assessment means 504 stores the executed risk assessment means (risk assessment method). Risk calculation data update status 505 stores information on whether an update process for risk calculation data 133 occurred during the risk assessment process described later in Figure 8. Processing time 506 stores the processing time required from the execution of the risk assessment means until the risk score is calculated. Resource consumption 507 stores the amount of resources consumed when calculating the risk score. The amount of resource consumption may store individual items such as network communication volume, database, risk authentication system, client terminal 101 CPU, memory, etc., or may store an index that combines these items. Risk score 508 stores the risk score obtained as a result of executing the risk assessment means (risk assessment method). Stage 509 stores the stage at which the risk assessment means (risk assessment method) was executed.

Next, the processing of the risk-based authentication system 1 will be explained using Figures 6 to 8. First, an overview of the processing of the risk-based authentication system 1 will be explained using Figure 6.

When the client terminal 101 accesses the resource 102, it makes an access request to the authentication device 103 (S601). At that time, the authentication device 103 uses some method to identify the client terminal 101 or the user using the client terminal 101. Examples of identification methods include a combination of a user ID and password, or using a client certificate held by the client terminal 101. The authentication device 103 queries the risk assessment device 104 about the risk of access from the client terminal 101 (S602).

Next, the risk assessment device 104 performs a risk assessment process described later in Figure 8 (S604). Next, the risk assessment device 104 responds to the authentication device 103 with the risk assessment result obtained in the risk assessment process S604 (S608). Based on the risk assessment result received from the risk assessment device 104, the authentication device 103 responds to the client terminal 101 as to whether or not the client terminal 101 can access the resource 102 (S609).

The subsequent processing changes depending on the access permission result received by the client terminal 101. If the access permission result is access permission (S611), the client terminal 101 accesses the resource 102 (S612). If the access permission result is additional authentication (S613), the client terminal 101 sends information to the authentication device 103 for identifying the client terminal 101 and its user (S614). The authentication device 103 verifies the received identification information and responds with the result of the additional authentication to the client terminal 101 (S615). If the access permission result is access denial (S616), a screen indicating that access has been denied is displayed on the screen of the client terminal 101, and processing ends (S617).

The subsequent processing changes depending on the additional authentication result received by the client terminal 101. If the additional authentication result is access permission (S619), the client terminal 101 accesses the resource 102 (S620). If the additional authentication result is access denial (S621), a screen indicating that access has been denied is displayed on the screen of the client terminal 101, and processing ends (S622).

Next, the risk calculation data advance update process will be explained using Figure 7. Figure 7 is a flowchart showing the processing flow of the risk calculation data update process executed by the risk calculation data creation unit 121. This update process updates the calculation data for each client terminal 101 for each risk assessment method at a predetermined update frequency.

The risk calculation data creation unit 121 starts processing from step 700, proceeds to step 701, the start of loop 1 processing, selects an unselected risk assessment means from the risk assessment means stored in the risk assessment means table 131, and begins executing loop 1 processing from step 701 to step 707. This loop 1 processing is repeatedly executed until the termination condition of loop 1 processing is met (loop 1 processing is executed for all risk assessment means stored in the risk assessment means table 131).

The risk calculation data creation unit 121 proceeds to step 702, the start point of loop 2 processing, and begins executing loop 2 processing from step 702 to step 706 for client terminals 101 on which loop 2 processing of the selected risk assessment means has not yet been executed. This loop 2 processing is repeatedly executed until the termination condition for loop 2 processing (loop 2 processing has been executed for all client terminals 101) is met.

The risk calculation data creation unit 121 proceeds to step 703 and obtains the update frequency data (risk calculation data update frequency) for the selected risk assessment means stored in the risk assessment means table 131.

Next, the risk calculation data creation unit 121 proceeds to step 704 and determines whether the value (time) obtained by subtracting the "risk calculation data update date and time" from the "current date and time" is less than the "risk calculation data update frequency" obtained in step 703. Note that the "risk calculation data update date and time" is the date and time when the risk calculation data update process of step 705, described below, was last performed (the date and time when the most recent risk calculation data update process was performed, based on the time of step 704).

If the value obtained by subtracting the "risk calculation data update date and time" from the "current date and time" is less than the "risk calculation data update frequency," the risk calculation data creation unit 121 determines "Yes" in step 704 and proceeds to step 706, which is the end point of loop 2 processing.

On the other hand, if the value obtained by subtracting the "risk calculation data update date and time" from the "current date and time" is equal to or greater than the "risk calculation data update frequency," the risk calculation data creation unit 121 determines "No" in step 704 and proceeds to step 705, where it collects logs from the log management device 105 and updates the risk calculation data. The risk calculation data creation unit 121 then proceeds to step 706, which is the end point of loop 2 processing.

If the termination condition for Loop 2 processing (Loop 2 processing is executed for all client terminals 101) is not met at step 706, the end point of Loop 2 processing, the risk calculation data creation unit 121 returns to step 702, the start point of Loop 2 processing. Upon returning to step 702, the risk calculation data creation unit 121 starts executing Loop 2 processing for client terminals 101 that have not yet executed Loop 2 processing.

On the other hand, if the termination condition for loop 2 processing (loop 2 processing is executed for all client terminals 101) is met at step 706, which is the end point of loop 2 processing, the risk calculation data creation unit 121 terminates loop 2 processing and proceeds to step 707, which is the end point of loop 1 processing.

If the termination condition for loop 1 processing (loop 1 processing is executed for all risk assessment means stored in the risk assessment means table 131) is not met at step 707, the end point of loop 1 processing, the risk calculation data creation unit 121 returns to step 701, the start point of loop 1 processing. When returning to step 701, the risk calculation data creation unit 121 selects an unselected risk assessment means that has not yet been selected, and starts executing loop 1 processing again.

On the other hand, if the termination condition for loop 1 processing (loop 1 processing is executed for all risk assessment means stored in the risk assessment means table 131) is met at step 707, which is the end point of loop 1 processing, the risk calculation data creation unit 121 terminates loop 1 processing, proceeds to step 795, and temporarily terminates this processing flow.

Next, the risk assessment process will be described in detail using Figure 8. Figure 8 is a flowchart showing the processing flow of the risk assessment process executed by the risk assessment unit 123. This process corresponds to S604 in Figure 6.

The risk assessment unit 123 starts processing from step 800 and proceeds to step 801, where it acquires request information from the authentication device 103. The risk assessment unit 123 then proceeds to step 802, the start point of loop 1 processing, selects a stage in ascending order, and begins executing loop 1 processing from step 802 to step 811. This loop 1 processing is repeatedly executed until the termination condition of loop 1 processing is met (loop 1 processing is executed for all stages of stage 305 in the risk assessment means table 131).

The risk assessment unit 123 then proceeds to the start of loop 2 processing at step 803 and begins executing loop 2 processing from step 803 to step 807. This loop 2 processing is repeatedly executed until the termination condition of loop 2 processing is met (loop 2 processing is executed for all risk assessment means that match the stage selected in loop 1 processing).

The risk assessment unit 123 proceeds to step 804 and determines whether the value (time (i.e., the time elapsed since the update date and time)) obtained by subtracting the "risk calculation data update date and time" from the "current date and time" is less than the value of real-timeness 308. The risk calculation data update date and time is the date and time when the risk calculation data update process (step 805) described below was last performed (the date and time when the most recent risk calculation data update process was performed, based on the time of step 804).

If the value obtained by subtracting the "risk calculation data update date and time" from the "current date and time" is equal to or greater than the value of real-timeness 308, the risk assessment unit 123 determines "No" in step 804 and proceeds to step 805, where it collects logs from the log management device 105 and updates the risk calculation data 133. The risk assessment unit 123 calculates a risk score using the risk calculation data 133 updated in step 805.

On the other hand, if the value obtained by subtracting the "risk calculation data update date and time" from the "current date and time" is less than the value of real-timeness 308, the risk assessment unit 123 judges "Yes" in step 804 and proceeds to step 806, where it calculates a risk score based on the existing risk calculation data 133 that has already been created, without updating the risk calculation data 133.

Then, the risk assessment unit 123 proceeds to step 807, the end point of loop 2 processing. If the termination condition of loop 2 processing (loop 2 processing is executed for all assessment means that match the stage selected in loop 1 processing) is not met at step 807, the end point of loop 2 processing, the process returns to step 803, the start point of loop 2 processing. When the risk assessment unit 123 returns to step 803, the start point of loop 2 processing, it selects an unselected risk assessment means that has not yet been selected, and starts executing loop 2 processing again.

If the termination condition for loop 2 processing is met at step 807, the end point of loop 2 processing (loop 2 processing is executed for all determination means that match the stage selected in loop 1 processing), the risk assessment unit 123 terminates loop 2 processing and proceeds to step 808, where it integrates all risk scores within the same stage calculated in loop 2 processing using weight 304 (for example, sums up values obtained by multiplying the risk score by weight 304) to calculate a stage risk score. Note that at this time, the risk assessment unit 123 may also calculate the stage risk score using the stage risk score of the previous stage.

Then, the risk assessment unit 123 proceeds to step 809, compares the stage risk score calculated in step 808 with the threshold value 403 (i.e., evaluates the risk of access), determines the assessment result 404, and proceeds to step 810.

When the risk assessment unit 123 proceeds to step 810, it determines whether the assessment result 404 is "Proceed to the next stage."

If the judgment result 404 is "Proceed to the next stage," the risk judgment unit 123 judges "Yes" in step 810 and proceeds to step 811, the end point of loop 1 processing. If the termination condition of loop 1 processing (loop 1 processing is executed for all stages 305 in the risk judgment means table 131) is not met in step 811, the end point of loop 1 processing, the risk judgment unit 123 returns to step 802, the start point of loop 1 processing, and executes loop 2 processing for the risk judgment means of the next stage.

If the termination condition for loop 1 processing is met at step 811, which is the end point of loop 1 processing, the risk assessment unit 123 ends loop 1 processing and proceeds to step 812, where it calculates an integrated risk score by integrating the stage-level risk scores (stage risk scores) for each stage. The integrated risk score is, for example, the average value of the stage risk scores. The risk assessment unit 123 then proceeds to step 813, where it transmits the assessment result to the authentication device 103.

If the determination result 404 is not "proceed to the next stage" in step 810, the risk determination unit 123 determines "No" in step 810 and proceeds directly to step 812, executes the processing of step 812 described above, and then proceeds to step 813 and transmits the determination result to the authentication device 103. Note that in this example, the stages and risk determination means are executed sequentially, but they may also be executed in parallel.

Next, the parameter update process for the risk assessment means table 131 and threshold table 132 will be explained using Figure 9. Figure 9 is a flowchart showing the processing flow of the parameter update process executed by the parameter update unit 124. The parameter update unit 124 executes this processing flow when an administrator issues a command to start the update process at any timing desired by the administrator. The parameter update unit 124 starts processing from step 900 and executes the processes of steps 901 to 905 described below, then proceeds to step 995 and temporarily ends this processing flow.

Step 901: The parameter update unit 124 obtains the risk assessment means table 131, the threshold table 132, and the assessment result log table 134.

Step 902: The parameter update unit 124 outputs the information necessary for analysis, including the risk assessment means table 131, threshold table 132, and assessment result log table 134, to the terminal (not shown) of the administrator of the risk assessment device 104, to allow the administrator to analyze the risk assessment means table 131, threshold table 132, and assessment result log table 134. The administrator analyzes based on the information output to the terminal, and inputs information for changing the parameters to desired parameters into the risk assessment device 104 via the terminal (input device).

Step 903: The parameter update unit 124 updates the parameters (at least one parameter) of the risk assessment means table 131 and the threshold table 132 based on the information input in step 902.

Step 904: The parameter update unit 124 calculates the values of each indicator (risk assessment processing time, assessment accuracy, and resource consumption) based on the information input in step 902.

Step 905: If the values of each index calculated in step 904 "satisfy the termination condition," the process judges "Yes" and proceeds to step 995, temporarily terminating this processing flow. On the other hand, if the values do not "satisfy the termination condition," the process judges "No" and repeats the processing from step 902. The termination condition here refers to, for example, when the value of each index becomes better than a target value set by the administrator.

The parameter update process described above is performed based on information entered by the administrator, but the parameter update unit 124 may also perform automatic and periodic analysis and parameter updates mechanically (automatically) using machine learning (e.g., AI learning, etc.). In this case, the parameters (at least one parameter) of the risk assessment means table 131 and threshold table 132 may be updated mechanically so that a Pareto-optimal solution is calculated for at least one of risk assessment processing time, assessment accuracy, and resource consumption (or at least one of risk assessment processing time and resource consumption).

Next, the refusal display screen will be described using Figure 10. The refusal screen 1001 is a screen that is displayed when access to the resource 102 is denied. The refusal screen 1001 is, for example, a GUI screen that constitutes a GUI (Graphical User Interface) and is displayed on a display device (not shown) provided in the client terminal 101. The user operates the GUI via an input device such as a mouse or keyboard connected to the client terminal 101.

As shown in FIG. 10, the refusal screen 1001 includes a refusal message display area 1002 and a risk calculation data update button 1003. The refusal message display area 1002 is an area that displays a message indicating that the connection has been refused. The main reason for the refusal may be written (displayed) as a message in this area (the refusal message display area 1002). This makes it easier for the user to take corrective action to reduce risk (to resolve the connection refusal). On the other hand, to prevent attackers or insiders from exploiting the main reason for the refusal to gain access permission, it may be possible to only display the fact that the connection has been refused, as in the example of FIG. 10.

The risk calculation data update button 1003 is a button for requesting the risk assessment unit 123 to update the risk calculation data. By using (operating) this button, the risk calculation data 133 is updated, allowing the user to immediately reflect the actions taken to reduce risk in the risk assessment.

Next, the client terminal risk display screen will be described using Figure 11. The client terminal risk screen 1101 is a screen that displays the access risk status of a specific client terminal 101. The client terminal risk screen 1101 is a screen that is displayed, for example, on a display device (not shown) connected to the risk assessment device 104. As shown in Figure 11, the client terminal risk screen 1101 includes a risk score transition display area 1102 and a risk assessment result display area 1103.

The risk score transition display area 1102 contains information (in this example, a graph) showing the time transition of the risk score when a resource is accessed. The risk assessment result display area 1103 is an area that displays information showing details of the risk assessment result when a resource is accessed.

<Effects>
As described above, the risk-based authentication system 1 according to an embodiment of the present invention calculates a risk score using a risk assessment method for each stage, calculates a stage risk score for each stage based on the risk scores, and evaluates the risk of access for each stage based on the calculated stage risk scores. This risk assessment is performed in stages, starting from the lowest execution stage and transitioning to the next execution stage only in predetermined cases. This allows the risk-based authentication system 1 according to an embodiment to reduce the processing time for risk assessment and the resource consumption of the system used to perform the risk assessment. Furthermore, the risk-based authentication system according to an embodiment of the present invention is configured to variably set parameters defining multiple risk assessment methods. This allows the risk-based authentication system 1 according to an embodiment to set multiple risk assessment methods so as to optimize at least one of the risk assessment accuracy, processing speed, and resource consumption required for risk assessment in risk-based authentication. Furthermore, the risk-based authentication system 1 according to an embodiment performs risk assessment using multiple risk assessment methods configured to optimize at least one of the risk assessment accuracy, processing speed, and resource consumption required for risk assessment in risk-based authentication, thereby optimizing at least one of the processing speed and resource consumption required for risk assessment in risk-based authentication.

<<Modifications>>
The present invention is not limited to the above-described embodiment, and various modifications can be adopted within the scope of the present invention. For example, in the above-described embodiment, the number of stages is not limited to two, and may be three or more.

1...Risk-based authentication system, 101...Client terminal, 102...Resource, 103...Authentication device, 104...Risk assessment device, 105...Log management device, 106...Network, 121...Risk calculation data creation unit, 122...Data collection unit, 123...Risk assessment unit, 124...Parameter update unit, 125...Display unit, 131...Risk assessment means table, 132...Threshold table, 133...Risk calculation data, 134...Risk assessment result log table

Claims (11)

A risk-based authentication system including an information processing device that evaluates a risk of access to a resource by a client terminal and performs processing according to a result of the evaluation,
The information processing device includes:
a risk score calculation is performed to calculate a risk score indicating a risk level using risk calculation data, which is information necessary for calculating the risk score by each of a plurality of risk determination methods;
The information processing device includes:
An execution stage for setting a stepwise order of performing the risk score calculation by the risk assessment method can be set for each of the plurality of risk assessment methods,
The information processing device includes:
a risk assessment that calculates the risk score by performing the risk score calculation using the risk assessment method for each execution stage, calculates a stage risk score for each execution stage by integrating the calculated risk scores, and evaluates the risk of the access based on the calculated stage risk scores;
The execution stage is performed in stages, starting from the smallest execution stage and transitioning to the next execution stage only in predetermined cases.
It was configured as follows:
Risk-based authentication system. 10. The risk-based authentication system of claim 1,
The information processing device includes:
Only when it is required to proceed to the risk assessment for the execution step unit of the next execution stage based on the evaluation result of the risk assessment for the execution step unit, proceed to the risk assessment for the execution step unit of the next execution stage;
It was configured as follows:
Risk-based authentication system. 10. The risk-based authentication system of claim 1,
a storage device capable of storing data;
The information processing device includes:
acquiring log information of the client terminal accessing the resource, generating the risk calculation data based on the acquired log information, and storing the data in the storage device;
It is configured as follows:
The information processing device includes:
a frequency at which the risk calculation data is updated can be set for each of the plurality of risk assessment methods;
generating the risk calculation data at the set frequency, and updating the risk calculation data stored in the storage device with the generated risk calculation data;
It was configured as follows:
Risk-based authentication system. 4. The risk-based authentication system of claim 3,
The storage device stores parameters for defining each of the plurality of risk assessment methods,
The information processing device includes:
Calculating the risk score by the risk assessment method according to the parameters;
It was configured as follows:
Risk-based authentication system. 5. The risk-based authentication system of claim 4,
The storage device stores a plurality of threshold scores for each execution step unit,
The information processing device includes:
performing the risk assessment by comparing the calculated stage risk score with a plurality of the threshold scores;
It was configured as follows:
Risk-based authentication system. 6. The risk-based authentication system of claim 5,
The storage device stores log information of risk assessment results relating to the risk assessment method executed in the past,
The information processing device includes:
Using the risk assessment result log information, calculate at least one of the parameters and the threshold score so as to calculate a Pareto-optimal solution in terms of at least one of the accuracy of the risk assessment, the processing speed of the risk score calculation by the risk assessment method, and the resource consumption of the system used to calculate the risk score, and update at least one of the parameters and the threshold score.
It was configured as follows:
Risk-based authentication system. 6. The risk-based authentication system of claim 5,
an input device for inputting information to the information processing device;
The information processing device includes:
configured to modify at least one of the parameters and the threshold score based on information input via the input device;
Risk-based authentication system. 5. The risk-based authentication system of claim 4,
The storage device stores, as the parameters, a stage indicating the execution stage, a weight for calculating the stage risk score, a risk calculation data update frequency, a period for acquiring the log information, and a time for specifying the real-time nature of the risk calculation data.
Risk-based authentication system. 9. The risk-based authentication system of claim 8,
The information processing device includes:
Before calculating the risk score, the time elapsed since the most recent update date and time of the risk calculation data is calculated;
If the elapsed time is equal to or greater than the time for specifying the real-time nature of the risk calculation data, the risk calculation data is updated, and the risk score is calculated using the updated risk calculation data.
It was configured as follows:
Risk-based authentication system. 10. The risk-based authentication system of claim 1,
a display device capable of displaying a GUI screen;
The information processing device includes:
If access to the resource is denied based on the risk assessment for each execution stage, displaying information indicating that access to the resource has been denied and an operation button on the GUI screen;
When the operation button is operated, the risk calculation data is updated.
It was configured as follows:
Risk-based authentication system. A risk-based authentication method using an information processing device that evaluates a risk of access to a resource by a client terminal and performs processing according to a result of the evaluation,
By the information processing device,
performing a risk score calculation for calculating the risk score by each of a plurality of risk assessment methods using risk calculation data, which is information necessary to calculate the risk score indicating the risk level;
An execution stage for setting a stepwise order of performing the risk score calculation by the risk assessment method can be set for each of the plurality of risk assessment methods;
a risk assessment that calculates the risk score by performing the risk score calculation using the risk assessment method for each execution stage, calculates a stage risk score for each execution stage by integrating the calculated risk scores, and evaluates the risk of the access based on the calculated stage risk scores;
The execution stage is performed in stages, starting from the smallest execution stage and transitioning to the next execution stage only in predetermined cases.
Risk-based authentication methods.