Apparatus, method, and program for validating user

US 8,347,368 B2
Filed: 03/29/2006
Issued: 01/01/2013
Est. Priority Date: 03/29/2006
Status: Expired due to Fees

First Claim

Patent Images

1. A user validation apparatus comprising:

an extraction device which extracts user-agent information set by default in an HTTP header of a packet received from a terminal device, and extracts an access source IP address from the packet, by applying HTTP as a protocol of an application layer and IP as a protocol of an Internet layer;

an information management device which stores the access source IP address and the user-agent information extracted by the extraction device from the packet received from the terminal device, which is operated by an individual user, in a storage device so as to correspond to user identification information of the individual user; and

a determination device which determines whether or not a user operating a given terminal device is a valid user by verifying the access source IP address and user-agent information extracted by the extraction device from the packet received from the given terminal device against the access source IP address and user-agent information which are stored in the storage device so as to correspond to user identification information of the user operating the given terminal device, and by determining whether or not the access source IP address and the user-agent information extracted from the packet received from the given terminal device correspond to the access source IP address and the user-agent information which are stored in the storage device, whereinfor the access source IP address extracted from the received packet, the determination device determines whether or not the access source IP address extracted from the received packet corresponds to the access source IP address stored in the storage device by determining whether or not a coincidence ratio of a predetermined bit unit to the access source IP address stored in the storage device is equal to or higher than a threshold and, for the user-agent information extracted from the received packet, the determination device determines whether or not the user-agent information extracted from the received packet corresponds to the user-agent information stored in the storage device by determining whether or not the user-agent information extracted from the received packet is identical to the user-agent information stored in the storage device, andwhen a plurality of sets of the access source IP address and the user-agent information are stored in the storage device so as to correspond to the user identification information of the user operating the given terminal device, the determination device determines that the user operating the given terminal device is a conditionally valid user if the determination device determines that only one of the access source IP address and the user-agent information extracted from the received packet corresponds to at least two sets of the access source IP addresses or the user-agent information among the plurality of sets stored in the storage device.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Accuracy of user validation is improved without reducing user'"'"'s convenience. When a authentication request packet is received from a terminal, when the authentication is successful based on a user ID and a password (affirmative in 34), an HTTP header and user-agent (UA) information are extracted from the packet and an access source IP address is also extracted (36), and user authentication is performed by verifying the access source IP address and the UA information against usage history information (38, 44, and 46) where at most two sets of the IP address and the UA information extracted from the authentication request packet which is received from the same user previously are registered. When the set of the IP address and the UA information corresponding to the new extracted IP address and the new extracted UA information is registered in the usage history information, it is determined that the authentication is successful, and the usage history information is overwritten with the new IP address and the new UA information (52, 54, 60, and 62).

Citations

16 Claims

1. A user validation apparatus comprising:
- an extraction device which extracts user-agent information set by default in an HTTP header of a packet received from a terminal device, and extracts an access source IP address from the packet, by applying HTTP as a protocol of an application layer and IP as a protocol of an Internet layer;
  
  an information management device which stores the access source IP address and the user-agent information extracted by the extraction device from the packet received from the terminal device, which is operated by an individual user, in a storage device so as to correspond to user identification information of the individual user; and
  
  a determination device which determines whether or not a user operating a given terminal device is a valid user by verifying the access source IP address and user-agent information extracted by the extraction device from the packet received from the given terminal device against the access source IP address and user-agent information which are stored in the storage device so as to correspond to user identification information of the user operating the given terminal device, and by determining whether or not the access source IP address and the user-agent information extracted from the packet received from the given terminal device correspond to the access source IP address and the user-agent information which are stored in the storage device, whereinfor the access source IP address extracted from the received packet, the determination device determines whether or not the access source IP address extracted from the received packet corresponds to the access source IP address stored in the storage device by determining whether or not a coincidence ratio of a predetermined bit unit to the access source IP address stored in the storage device is equal to or higher than a threshold and, for the user-agent information extracted from the received packet, the determination device determines whether or not the user-agent information extracted from the received packet corresponds to the user-agent information stored in the storage device by determining whether or not the user-agent information extracted from the received packet is identical to the user-agent information stored in the storage device, andwhen a plurality of sets of the access source IP address and the user-agent information are stored in the storage device so as to correspond to the user identification information of the user operating the given terminal device, the determination device determines that the user operating the given terminal device is a conditionally valid user if the determination device determines that only one of the access source IP address and the user-agent information extracted from the received packet corresponds to at least two sets of the access source IP addresses or the user-agent information among the plurality of sets stored in the storage device.
- View Dependent Claims (12)
- - 12. The user validation apparatus of claim 1, wherein the threshold is less than 100%.

2. A user validation apparatus comprising:
- an extraction device which extracts user-agent information set by default in an HTTP header of a packet received from a terminal device, and extracts an access source IP address from the packet, by applying HTTP as a protocol of an application layer and IP as a protocol of an interne layer;
  
  an information management device which stores the access source IP address and the user-agent information extracted by the extraction device from the packet received from the terminal device, which is operated by an individual user, in a storage device so as to correspond to user identification information of the individual user; and
  
  a determination device which determines whether or not a user operating a given terminal device is a valid user by verifying the access source IP address and user-agent information extracted by the extraction device from the packet received from the given terminal device against the access source IP address and user-agent information which are stored in the storage device so as to correspond to user identification information of the user operating the given terminal device, and determining whether or not the access source IP address and the user-agent information extracted from the packet received from the given terminal device correspond to the access source IP address and the user-agent information which are stored in the storage device, whereinwhen, as a result of verifying the access source IP address and the user-agent information extracted from the received packet against the access source IP address and the user-agent information stored in the storage device, the determination device determines that the access source IP address and the user-agent information extracted from the received packet do not correspond to the access source IP address and the user-agent information stored in the storage device, the information management device additionally stores the access source IP address and the user-agent information extracted from the received packet in the storage device so as to correspond to the user identification information,the determination device determines whether or not the user operating the given terminal device is a valid user by respectively verifying the access source IP address and the user-agent information extracted from the packet received from the given terminal against a plurality of sets of the access source IP address and the user-agent information, when the plurality of sets of the access source IP address and the user-agent information are stored in the storage device so as to correspond to the user identification information of the user operating the given terminal device, andthe determination device determines that the user operating the given terminal device is a conditionally valid user if the determination device determines that only one of the access source IP address and the user-agent information extracted from the received packet corresponds to at least two sets of the access source IP addresses or the user-agent information among the plurality of sets stored in the storage device.
- View Dependent Claims (3, 4, 5, 6, 7, 8, 13)
- - 3. The user validation apparatus of claim 2, wherein, when the plurality of sets of the access source IP address and the user-agent information are stored in the storage device so as to correspond to the user identification information of the user operating the given terminal device, the determination device determines that the user operating the given terminal device is a valid user when determination device determines that the access source IP address and the user-agent information extracted from the received packet correspond to at least one set of the access source IP address and the user-agent information among the plurality of sets of the access source IP address and the user-agent information stored in the storage device.
  - 4. The user validation apparatus of claim 2, wherein, when the plurality of sets of the access source IP address and the user-agent information are stored in the storage device so as to correspond to the user identification information of the user operating the given terminal device, the determination device determines that the user operating the given terminal device is not a valid user when no set of the access source IP address and the user-agent information that is determined to respectively correspond to the access source IP address and the user-agent information extracted from the received packet, exists among the plurality of sets of the access source IP address and the user-agent information stored in the storage device.
  - 5. The user validation apparatus of claim 4, wherein when notified that the user who has been determined by the determination device not to be a valid user and has been determined to be a valid user by a confirmation method different from the user validation of the determination device:
    - the information management device stores predetermined identification information in the storage device so as to correspond to the user identification information of the user, andthe determination device then determines that the user operating the given terminal device is a valid user when the predetermined identification information is stored in the storage device so as to correspond to the user identification information of the user operating the given terminal device and when, among the plurality of sets of the access source IP address and the user-agent information, more than one set of the access source IP address and the user-agent information exists which is determined to correspond to the access source IP address extracted from the received packet, or when more than one set of the access source IP address and the user-agent information exists which is determined to correspond to the user-agent information extracted from the received packet.
  - 6. The user validation apparatus of claim 2, further comprising:
    - an electronic mail address storage device which stores an electronic mail address used by the individual user so as to correspond to the user identification information of the individual user; and
      
      a transmission device which transmits electronic mail, at which a link to a predetermined web page is added in order to confirm whether or not the user is a valid user by a method different from the determination device, to the electronic mail address stored in the electronic mail address storage device so as to correspond to the user identification information of the user, when the determination device determines that the user operating the given terminal device is not a valid user.
  - 7. The user validation apparatus of claim 2, wherein, as a result of respectively verifying the access source IP address and the user-agent information extracted from the received packet against the plurality of sets of the access source IP address and the user-agent information stored in the storage device, when the determination device determines that the access source IP address and the user-agent information extracted from the received packet do not correspond to any one of the plurality of sets of the access source IP address and the user-agent information stored in the storage device, and when the number of sets of the access source IP address and the user-agent information stored in the storage device so as to correspond to the user identification information of the user operating the given terminal device reaches a predetermined upper limit value, the information management device overwrites the set of the access source IP address and the user-agent information which was stored in the storage device earliest among the plurality of sets of the access source IP address and the user-agent information stored in the storage device, with the access source IP address and the user-agent information extracted from the received packet, and stores the access source IP address and the user-agent information extracted from the received packet in the storage device.
  - 8. The user validation apparatus of claim 2, wherein, as a result of respectively verifying the access source IP address and the user-agent information extracted from the received packet against the plurality of sets of the access source IP address and the user-agent information stored in the storage device, when the determination device determines that the access source IP address and the user-agent information extracted from the received packet correspond to a specific set of the access source IP address and the user-agent information among the plurality of sets of the access source IP address and the user-agent information stored in the storage device, the information management device overwrites the specific set of the access source IP address and the user-agent information with at least the user-agent information of the set of the access source IP address and the user-agent information extracted from the received packet, and stores the user-agent information in the storage device.
  - 13. The user validation apparatus of claim 2, wherein a plurality of sets of the access source IP address and user-agent information stored in the storage device corresponds to each valid user and the determination device determines that the user operating the given terminal device is a valid user when the access source IP address and the user-agent information extracted from the received packet correspond to at least one set of the access source IP address and the user-agent information among the plurality of sets of the access source IP address and user-agent information stored in the storage device.

9. A user validation method comprising:
- extracting user-agent information set by default in an HTTP header of a packet received from a terminal device operated by an individual user, and extracting an access source IP address from the packet, by applying HTTP as a protocol of an application layer and IP as a protocol of an Internet layer, and storing the extracted user-agent information and the access source IP address in a storage unit so as to correspond to user identification information of the individual user;
  
  extracting user-agent information set in an HTTP header of a packet received from a given terminal device, and extracting an access source IP address from the packet, by applying HTTP as the protocol of the application layer and IP as a protocol of the Internet layer, and determining whether or not a user operating the given terminal device is a valid user by verifying the extracted access source IP address and the extracted user-agent information against an access source IP address and user-agent information which are stored in the storage unit so as to correspond to user identification information of the user operating the given terminal device, and determining whether or not the extracted access source IP address and the extracted user-agent information correspond to the access source IP address and the user-agent information which are stored in the storage unit;
  
  additionally storing the access source IP address and the user-agent information extracted from the packet received from the given terminal device in the storage unit so as to correspond to the user identification information, when determining that the access source IP address and the user-agent information extracted from the packet received from the given terminal device do not correspond to the access source IP address and the user-agent information stored in the storage unit as a result of verifying the access source IP address and the user-agent information extracted from the received packet against the access source IP address and the user-agent information stored in the storage unit, anddetermining whether or not the user operating the given terminal device is a valid user by respectively verifying the access source IP address and the user-agent information extracted from the packet received from the given terminal against a plurality of sets of the access source IP address and the user-agent information, when the plurality of sets of the access source IP address and the user-agent information are stored in the storage unit so as to correspond to the user identification information of the user operating the given terminal device, whereinwhen storing a plurality of sets of the access source IP address and the user-agent information corresponding to the user identification information of the user operating the given terminal in the storage unit, the determining further includes determining that the user operating the given terminal device is a conditionally valid user if only one of the access source IP address and the user-agent information extracted from the received packet corresponds to at least two sets of the access source IP addresses or the user-agent information among the plurality of sets stored in the storage unit.
- View Dependent Claims (14)
- - 14. The user validation method of claim 9, wherein when a plurality of sets of the access source IP address and user-agent information stored in the storage device corresponds to each valid user, the determination device determines that the user operating the given terminal device is a valid user when the access source IP address and the user-agent information extracted from the received packet correspond to at least one set of the access source IP address and the user-agent information among the plurality of sets of the access source IP address and user-agent information stored in the storage device.

10. A non-transitory computer-readable medium encoded with a user validation program which causes a computer including a storage unit to act as:
- an extraction unit which extracts user-agent information set by default in an HTTP header of a packet received from a terminal device, and extracts an access source IP address from the packet, by applying HTTP as a protocol of an application layer and IP as a protocol of an interne layer;
  
  an information management unit which stores the access source IP address and the user-agent information, which are extracted by the extraction unit from the packet received from the terminal device, which is operated by an individual user, in a storage unit so as to correspond to user identification information of the individual user; and
  
  a determination unit which determines whether or not a user operating a given terminal device is a valid user by verifying the access source IP address and user-agent information extracted by the extraction unit from the packet received from the given terminal device against the access source IP address and user-agent information which are stored in the storage unit so as to corresponding to user identification information of the user operating the given terminal device, and determining whether or not the access source IP address and the user-agent information extracted from the packet received from the given terminal device correspond to the access source IP address and the user-agent information which are stored in the storage unit, whereinwhen, as a result of verifying the access source IP address and the user-agent information extracted from the received packet against the access source IP address and the user-agent information stored in the storage unit, the determination unit determines that the access source IP address and the user-agent information extracted from the received packet do not correspond to the access source IP address and the user-agent information stored in the storage unit, the information management unit additionally stores the access source IP address and the user-agent information extracted from the received packet in the storage unit so as to correspond to the user identification information,the determination unit determines whether or not the user operating the given terminal device is a valid user by respectively verifying the access source IP address and the user-agent information extracted from the packet received from the given terminal against a plurality of sets of the access source IP address and the user-agent information, when the plurality of sets of the access source IP address and the user-agent information are stored in the storage unit so as to correspond to the user identification information of the user operating the given terminal device, andwhen a plurality of sets of the access source IP address and the user-agent information are stored in the storage unit so as to correspond to the user identification information of the user operating the given terminal device, the determination unit determines that the user operating the given terminal device is a conditionally valid user if the determination unit determines that only one of the access source IP address and the user-agent information extracted from the received packet corresponds to at least two sets of the access source IP addresses or the user-agent information among the plurality of sets stored in the storage unit.
- View Dependent Claims (15)
- - 15. The non-transitory computer-readable medium encoded with a user validation program of claim 10, wherein when a plurality of sets of the access source IP address and user-agent information stored in the storage device corresponds to each valid user, the determination device determines that the user operating the given terminal device is a valid user when the access source IP address and the user-agent information extracted from the received packet correspond to at least one set of the access source IP address and the user-agent information among the plurality of sets of the access source IP address and user-agent information stored in the storage device.

11. A user validation apparatus comprising:
- an extraction device which extracts user-agent information set by default in an HTTP header of a packet received from a terminal device, and extracts an access source IP address from the packet, by applying HTTP as a protocol of an application layer and IP as a protocol of an internet layer;
  
  an information management device which stores the access source IP address and the user-agent information extracted by the extraction device from the packet received from the terminal device, which is operated by an individual user, in a storage device so as to correspond to user identification information of the individual user; and
  
  a determination device which determines whether or not a user operating a given terminal device is a valid user by verifying the access source IP address and user-agent information extracted by the extraction device from the packet received from the given terminal device against the access source IP address and user-agent information which are stored in the storage device so as to correspond to user identification information of the user operating the given terminal device, and determining whether or not the access source IP address and the user-agent information extracted from the packet received from the given terminal device correspond to the access source IP address and the user-agent information which are stored in the storage device, whereinthe determination device determines whether or not the user operating the given terminal device is a valid user by respectively verifying the access source IP address and the user-agent information extracted from the packet received from the given terminal against a plurality of sets of the access source IP address and the user-agent information, when the plurality of sets of the access source IP address and the user-agent information are stored in the storage device so as to correspond to the user identification information of the user operating the given terminal device, andwhen a plurality of sets of the access source IP address and the user-agent information are stored in the storage device so as to correspond to the user identification information of the user operating the given terminal device, the determination device determines that the user operating the given terminal device is a conditionally valid user if the determination device determines that only one of the access source IP address and the user-agent information extracted from the received packet corresponds to at least two sets of the access source IP addresses or the user-agent information among the plurality of sets stored in the storage device.
- View Dependent Claims (16)
- - 16. The user validation apparatus of claim 11, wherein when a plurality of sets of the access source IP address and user-agent information stored in the storage device corresponds to each valid user, the determination device determines that the user operating the given terminal device is a valid user when the access source IP address and the user-agent information extracted from the received packet correspond to at least one set of the access source IP address and the user-agent information among the plurality of sets of the access source IP address and user-agent information stored in the storage device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Bank of Tokyo-Mitsubishi UFJ Limited (Mitsubishi UFJ Financial Group Incorporated)
Original Assignee
Bank of Tokyo-Mitsubishi UFJ Limited (Mitsubishi UFJ Financial Group Incorporated)
Inventors
Kato, Takaya
Primary Examiner(s)
Orgad, Edan
Assistant Examiner(s)
WANG, HARRIS C

Application Number

US11/886,902
Publication Number

US 20090034521A1
Time in Patent Office

2,470 Days
Field of Search

726/7
US Class Current

726/7
CPC Class Codes

G06F 16/13   File access structures, e.g...

G06F 21/31   User authentication

G06F 21/34   involving the use of extern...

G06F 2221/2101   Auditing as a secondary aspect

G06F 2221/2111   Location-sensitive, e.g. ge...

H04L 2463/082   applying multi-factor authe...

H04L 63/08   for authentication of entit...

H04L 63/083   using passwords cryptograph...

H04L 63/101   Access control lists [ACL]

H04L 63/126   the source of the received ...

H04L 63/168   above the transport layer

Apparatus, method, and program for validating user

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Apparatus, method, and program for validating user

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links