Information processing device, information processing method, and program
The information processing system effectively identifies legitimate and unauthorized users by clustering and visualizing user behavior, addressing the challenge of distinguishing between them in application programs.
Patent Information
- Authority / Receiving Office
- JP · JP
- Patent Type
- Applications
- Current Assignee / Owner
- GUMI INC
- Filing Date
- 2026-04-10
- Publication Date
- 2026-06-23
Smart Images

Figure 2026102990000001_ABST
Abstract
Description
Technical Field
[0001] The present invention relates to an information processing apparatus, an information processing method, and a program.
Background Art
[0002] A mechanism for detecting unauthorized access to a server device is known. For example, in Patent Document 1, even in the case of access using a correct user ID and password, when (1) a large number of logins to multiple user IDs are performed from the same IP address, (2) a large number of logins are performed using the same user ID, (3) a large number of login attempts to multiple user IDs are performed using the same device ID, etc., it is described that it is detected as unauthorized access due to an increase in the FP score.
Prior Art Documents
Patent Documents
[0003]
Patent Document 1
Summary of the Invention
Problems to be Solved by the Invention
[0004] Patent Document 1 has a mechanism in which suspicion parameters are added to a terminal with incorrect authentication using an ID and a password. With this mechanism, it is difficult to detect whether an account with a legitimate ID and password is acting maliciously or whether a program is operating the account.
[0005] The present invention has been made in view of the above circumstances, and an object thereof is to visualize information for identifying whether a user who uses an application program is a legitimate user or an unauthorized user.
Means for Solving the Problems
[0006] To achieve the above objective, the present invention provides an information processing device used to identify whether a user of a predetermined application program is a legitimate user or an unauthorized user, comprising: an access history information acquisition unit that acquires access history information, which is information relating to the history of access to the application program by the user; a group extraction unit that extracts users having the same and / or similar behavioral characteristics as a group by clustering based on the access history information of a considerable number of users; and a visualization information generation unit that generates visualization information, which is information for displaying the extracted group in a visualized state so that it can be identified. [Effects of the Invention]
[0007] According to the present invention, it is possible to visualize information for identifying whether a user of an application program is a legitimate user or an unauthorized user. [Brief explanation of the drawing]
[0008] [Figure 1] This is a schematic diagram showing an example of the configuration of an information processing system. [Figure 2] This is a schematic block diagram illustrating an example of the functions of an information processing device. [Figure 3] This figure shows an example of the hardware configuration of an information processing device. [Figure 4] The first figure shows an example of visualization information. [Figure 5] The second figure shows an example of visualization information. [Figure 6] The third figure shows an example of visualization information. [Figure 7] The fourth figure shows an example of visualization information. [Figure 8] Figure 5 shows an example of visualized information. [Figure 9] Figure 6 shows an example of visualization information. [Figure 10] Figure seven shows an example of visualization information. [Figure 11] This figure shows an example of a visualization information display screen. [Figure 12] This figure shows an example of an annotation screen. [Figure 13] This flowchart shows an example of the visualization process flow. [Figure 14] This flowchart shows an example of the annotation process. [Modes for carrying out the invention]
[0009] Embodiments of the present invention will be described below with reference to the drawings. In all drawings, similar components are denoted by the same reference numerals, and their descriptions are omitted as appropriate. (Previous problems)
[0010] Operators of social game application programs used on mobile devices such as smartphones need to analyze user behavior to develop strategies. However, if the user base of the application program includes unofficial users, it becomes difficult to conduct proper analysis.
[0011] A typical example of an unauthorized user is a malicious program called a bot. Bots, commonly used in social games, are programs that automatically play games with the aim of collecting game resources such as characters, items, in-game currency, paid gems, and free gems at low cost. Bots are characterized by executing predetermined scenarios, such as reset marathons (so-called "rerolling"), login bonus collection, and event marathons. A reset marathon involves repeatedly resetting an account (creating a new one) to draw initial gacha (loot boxes) and create a high-value account that has obtained better items and characters. Accounts whose value has been increased by collecting game resources such as characters, items, in-game currency, paid gems, and free gems using such bots are traded at high prices in the market.
[0012] For an operator who provides an application program, by excluding unauthorized users such as bots and performing analysis, accurate statistical values can be obtained and appropriate measures can be taken.
[0013] Therefore, in order to detect unauthorized users with higher accuracy than before, it is conceivable to use machine learning to extract groups that perform the same actions and determine whether the extracted groups are authorized users or unauthorized users.
[0014] In order to classify target data by supervised machine learning, annotations indicating whether the data is from an authorized user or an unauthorized user need to be attached to the training data. Therefore, in order to prepare sufficient training data, humans need to be able to appropriately judge and attach annotations. However, it is difficult for humans to judge whether a user is an authorized user or an unauthorized user even by looking at individual behavior characteristics, and appropriate annotations cannot be attached. (Overview of the information processing system)
[0015] To address such problems, the information processing system according to this embodiment is a system for visualizing information for a user who uses an application program to identify whether the user is an authorized user or an unauthorized user.
[0016] Here, an authorized user refers to a user who uses an application program by a pre-supposed human operation. An unauthorized user is, for example, automatically accessing (logging in) a predetermined application program or using a predetermined application program by an automatic operation for the purpose of obtaining profit, attacking, causing nuisance, etc. For example, an unauthorized user obtains benefits (such as points or rights with monetary value) that can be obtained by automatically performing login or predetermined operations within a game in a game. Such an unauthorized user may also be referred to as a bot.
[0017] Figure 1 is a schematic diagram showing an example of the configuration of an information processing system. The information processing system 1 comprises an information processing device 10, an application server device 20, an annotator terminal 30, and an analysis device 40.
[0018] The information processing device 10, the application server device 20, the annotator terminal 30, and the analysis device 40 are connected to each other via a communication network 90 so that they can communicate with one another. The communication method may be wired or wireless.
[0019] The information processing device 10 is, for example, a server device used to identify whether a user using a predetermined application program is a legitimate user or an unauthorized user. Specifically, the information processing device 10 collects user information from the application server device 20, extracts users as a group, and receives instructions from the annotator terminal 30 to add annotations to the extracted group. The information processing device 10 transmits the data, including the added annotations, to the analysis device 40.
[0020] The application server device 20 is a device that provides services through a predetermined application program. The application server device 20 receives access to various APIs (Application Programming Interfaces) from terminals operated by users and stores information indicating the access history (hereinafter referred to as access history information). The application server device 20 also issues accounts for each user to use application programs and stores information indicating the account (hereinafter referred to as account information).
[0021] The annotator terminal 30 is a terminal used by the annotator. The annotator is a person who performs the task of adding annotations to training data, and may be, for example, a service operator or developer. The annotator terminal 30 is, for example, a client device that receives operations from the annotator, sends an information processing request to the information processing device 10, receives response information from the information processing device 10, and displays the information on the screen.
[0022] The analysis device 40 is a device for analyzing application programs, and may be, for example, an analysis database server provided by a cloud service. The analysis device 40 receives annotated data from the information processing device 10 and performs various analysis processes. The analysis device 40 may also have a function to determine whether each user is a legitimate user or an unauthorized user by using machine learning with the received data as training data. (Functions of information processing equipment)
[0023] Next, the functions of the information processing device 10 will be described.
[0024] Figure 2 is a schematic block diagram showing an example of the functions of an information processing device. The information processing device 10 comprises, as functional units, an access history information acquisition unit 11, a group extraction unit 12, a visualization information generation unit 13, and an annotation unit 14.
[0025] The access history information acquisition unit 11 acquires access history information from the application server device 20, which is information relating to the history of user access to the application program. Access history information may include, for example, the time of access, the time from access to logout (login time), access interval, number of accesses, time of logout, API endpoint, IP address, account ID, etc., and may include some or all of these.
[0026] The group extraction unit 12 extracts users with the same and / or similar behavioral characteristics as a group based on the access history information of a considerable number of users through clustering. Specifically, the group extraction unit 12 extracts feature quantities indicating behavioral characteristics from the access history information and extracts users with the same and / or similar behavioral characteristics as a group through unsupervised clustering based on these feature quantities.
[0027] For example, the group extraction unit 12 may extract feature quantities indicating behavioral characteristics from access time information, which is information about the user's access time included in the access history information. Access time information may be information indicating, for example, the time when the user accessed the system, the duration of the access (for example, the time and duration of using the application), etc. Also, for example, if the service provided by the application program is a social game, the access time information may be information indicating the start time of the game, or the time between the start time and end time of playing the game.
[0028] The group extraction unit 12 may calculate the user's access interval based on the access history information and extract features that indicate behavioral characteristics from the calculated access interval information. For example, the access interval information may be a numerical value (100-dimensional feature) obtained by dividing a 10-second period into 100ms intervals for the access history from one account, counting the cases where the access interval falls within one of the divided intervals, and converting it into a ratio.
[0029] By using access interval information as a feature, it is possible to capture characteristics of bots that access the system at fixed time intervals for each scenario, for example.
[0030] The group extraction unit 12 may calculate the number of times a user has accessed the same API based on the access history information, and may extract features that indicate behavioral characteristics from the access count information, which is information related to the calculated number of accesses. The access count information may also be a numerical value (100-dimensional feature) obtained by counting calls to 100 pre-configured APIs and converting them into a ratio.
[0031] The group extraction unit 12 may perform dimensionality reduction on the above-mentioned feature quantities using a dimensionality reduction algorithm such as UMAP (Uniform Manifold Approximation and Projection), and then extract groups by clustering using a clustering algorithm such as DBSCAN (Density-Based Spatial Clustering of Applications with Noise).
[0032] The visualization information generation unit 13 generates visualization information, which is information for displaying the extracted group in a visualized state so that it can be identified. The visualization information may be, for example, information showing an image representing the characteristics of the extracted group. The visualization information may also be information showing a graph image represented by two axes. For example, one axis of the two axes may represent user accounts, and the other axis may represent the access history for each account.
[0033] Figure 4 is the first diagram showing an example of visualization information. The vertical axis represents user accounts, and the horizontal axis represents the access transition patterns for each account. The transition pattern shows the history of accessed API endpoints in the order they were accessed. The image contains, for example, a color code (for example, RGB(0x3a,0xda,0x35)) obtained by extracting 3 bytes from a hashed value (for example, "3ada35...") of the URL (Uniform Resource Locator) representing the API endpoint (for example, " / api / hoge"), and placing it in the image. In this way, the same URL is always represented by the same color.
[0034] Figure 4 shows an example of visualization information representing a group of legitimate users. Since legitimate users access the system randomly, the image representing the group of legitimate users displays a random pattern.
[0035] Figure 5 is a second figure showing an example of visualization information. Similar to Figure 4, the vertical axis represents user accounts, and the horizontal axis represents the access transition patterns for each account. Figure 5 is an example of visualization information showing a group of bots. Since bots operate based on scenarios, the homogeneity of the access order is extremely high, so the image showing the group of bots displays a regular pattern.
[0036] Figure 6 is a third figure showing an example of visualization information. The vertical axis represents user accounts, and the horizontal axis represents the access time for each account. The image in Figure 6 is a visualization of accesses made during a specific 24-hour period, with one account represented by one dot per minute. In addition to the images in Figure 4 or Figure 5, the image in Figure 6 allows for a more detailed examination of the behavioral characteristics of the group. Specifically, the image in Figure 6 reveals the timing of bot activation and how many bots are running in parallel. This suggests that if a group exhibits a high degree of regularity, it is highly likely that the accounts are using bots that are controlled in parallel by a program.
[0037] Figure 7 is the fourth figure, showing an example of visualization information. The vertical axis represents user accounts, and the horizontal axis represents the access interval for each account. The colors in the graph image indicate the number of accesses, with varying shades of color. Figure 7 is an example of visualization information showing a group of regular users. Since regular users have random access intervals, the image showing the group of regular users displays a random pattern.
[0038] Figure 8 is the fifth figure, showing an example of visualization information. Similar to Figure 7, the vertical axis represents user accounts, and the horizontal axis represents the access interval for each account. Figure 8 is an example of visualization information showing a group of bots. Since bots operate based on scenarios, regularity tends to emerge in their access intervals, so the image showing the group of bots exhibits a regular pattern.
[0039] Figure 9 is the sixth figure, showing an example of visualization information. The vertical axis represents user accounts, and the horizontal axis represents the access ratio for each API. The colors in the graph image indicate the number of accesses, with varying shades of color. Figure 9 is an example of visualization information showing a group of regular users. Because regular users access various content based on their individual interests, the image displayed by the visualization information is less uniform compared to Figure 10.
[0040] Figure 10 is the seventh figure, showing an example of visualization information. Similar to Figure 9, the vertical axis represents user accounts, and the horizontal axis represents the access ratio for each API. Figure 10 is an example of visualization information showing a group of bots. Since bots act according to predetermined scenarios, the number of times they access each API is often constant, and the image showing a group of bots shows a clean vertical line.
[0041] Returning to Figure 2, the annotation unit 14 receives input from the annotator to assign annotations to the group based on the visualization information displayed on the annotator terminal 30.
[0042] Figure 11 is the first diagram showing an example of a visualization information display screen. The visualization information display screen 800 is an example of a screen in which annotator terminal 30 receives and displays visualization information generated by information processing device 10.
[0043] The visualization information display screen 800 includes a search area 810, an access destination list display area 820, a visualization image display area 830, and an account list display area 840.
[0044] The search area 810 is an area where input fields are displayed that accept the name of the application program, the access date to be displayed, the name of the extracted group, the switching of the visualization information image, and the account ID. The items displayed in the input fields may be increased or decreased according to the user's settings.
[0045] The access destination list display area 820 includes an input field for setting the background color of an image, and a display area for a list showing the URL indicating the API endpoint of the access destination, an icon indicating the color corresponding to each URL, and the total number of accesses to the URL and its ratio to the total number of accesses.
[0046] The visualization image display area 830 is an area for displaying images shown in the visualization information generated by the visualization information generation unit 13, and is capable of accepting selection of the range of accounts to which annotations will be added.
[0047] The account list display area 840 is an area that displays a list of account IDs included in the selected range. The account list display area 840 includes a button to transition to a screen for adding annotations to the selected accounts. The account list display area 840 also includes a checkbox that allows the user to choose whether to add annotations to all accounts included in the group.
[0048] Figure 12 shows an example of an annotation application screen. The annotation application screen 900 is a screen displayed on the annotator terminal 30 to accept the operation to apply annotations. The annotation application screen 900 displays the name of the application program, the target access date, the number of accounts selected as the target of the annotation, etc.
[0049] Furthermore, the annotation screen 900 includes radio buttons that accept the selection of annotations indicating whether the user is a legitimate or unauthorized user. The annotation options may be any information that identifies either a legitimate or unauthorized user, or they may be information that further classifies either of these. For example, legitimate users may be classified as "rerollers" and "players." Alternatively, rerollers may be treated as unauthorized users. That is, unauthorized users may be classified as "bots" and "rerollers."
[0050] The annotation unit 14 may accept annotation requests in other ways, such as by using an annotator to color, mark, or check non-regular users on the screen.
[0051] The annotation screen 900 also includes radio buttons for selecting text to indicate the reason for the selection, and a text area for entering additional information.
[0052] The annotation assignment screen 900 includes a send button. When the send button is pressed, the information processing device 10 sends information indicating the input or selected annotation, linked to information indicating the account selected as the recipient of the annotation, to the analysis device 40. (Hardware configuration of information processing equipment)
[0053] Figure 3 shows an example of the hardware configuration of an information processing device.
[0054] The information processing device 10 includes a processor 1001, a memory 1002, a storage device 1003, a communication interface 1004, and an input / output interface 1005.
[0055] The processor 1001, memory 1002, storage device 1003, communication interface 1004, and input / output interface 1005 are connected to each other so that they can send and receive data via a communication bus.
[0056] The processor 1001 is a processing unit composed of a CPU (Central Processing Unit), a GPU (Graphics Processing Unit), and the like. The processor 1001 reads the program stored in the storage device 1003 into the memory 1002 and executes it, thereby realizing each function described in the program.
[0057] Memory 1002 is a main memory unit composed of RAM (Random Access Memory) and other components. Memory 1002 functions as a workspace for the processor 1001.
[0058] Storage device 1003 is an auxiliary storage device composed of removable media such as HDDs (Hard Disk Drives), SSDs (Solid State Drives), memory cards, and ROMs (Read Only Memory).
[0059] The communication interface 1004 is an interface for connecting to a network. This network may be, for example, a LAN (Local Area Network) or a WAN (Wide Area Network). The method of connecting to the network may be wireless or wired.
[0060] The input / output interface 1005 is an interface for connecting to various input / output devices.
[0061] The application server device 20, the annotator terminal 30, and the analysis device 40 may have the same hardware configuration as the information processing device 10. (Operation of information processing device)
[0062] Next, the operation of the information processing device 10 will be described.
[0063] Figure 13 is a flowchart showing an example of the visualization process flow. The visualization process is the process by which the visualization information generation unit 13 generates visualization information.
[0064] In step S101, the access history information acquisition unit 11 acquires access history information by receiving it from the application server device 20.
[0065] In step S102, the group extraction unit 12 extracts users with the same and / or similar behavioral characteristics as a group by clustering based on the account information and access history information of a considerable number of users. In step S103, the visualization information generation unit 13 generates visualization information.
[0066] In step S104, the information processing device 10 transmits the generated visualization information to the annotator terminal 30 in response to a request from the annotator terminal 30. The annotator terminal 30 displays the visualized image based on the received visualization information.
[0067] Figure 14 is a flowchart showing an example of the annotation process. The annotation process is the process by which the annotation unit 14 receives input from the annotator for the purpose of applying annotations.
[0068] In step S201, when the annotation unit 14 receives the selection of the range of a group in the visualization information from the annotator, it displays an identifier indicating the account of a user belonging to the selected range of the group.
[0069] In step S202, the annotation unit 14 assigns annotations to users belonging to the selected group, identifying whether they are regular or unauthorized users. The information processing device 10 links the information indicating the assigned annotations to information indicating the account selected as the recipient of the annotations, and transmits it to the analysis device 40. (modified version)
[0070] The visualization information generation unit 13 may include the file size of the generated image as visualization information as a numerical value indicating the homogeneity (entropy) of user behavior. The generated image may be in a file format that has a high compression ratio when it contains consecutive pixels of the same color, for example, PNG (Portable Network Graphics) format. If there are many users performing the same behavior, the file size will be small compared to the image size, so displaying the file size makes it easier for the annotator to determine whether the group from which the annotator extracted are regular users or non-regular users. (Effects and Benefits)
[0071] According to the information processing device 10 of this embodiment, visualization information is generated, which is information for displaying extracted groups in a visualized state so that they can be identified. This makes it possible to visualize information for identifying whether a user using an application program is a legitimate user or an unauthorized user.
[0072] The information processing device 10 may extract groups based on information about the user's access time included in the access history information. This makes it possible to identify bots and other entities with regular access times as unauthorized users.
[0073] The information processing device 10 may calculate the user's access interval based on the access history information and extract groups based on the calculated access interval information. This makes it possible to identify bots and other entities with regular access intervals as unauthorized users.
[0074] The information processing device 10 may calculate the number of times a user has accessed the same API based on access history information, and may extract groups based on the calculated access count information. This makes it possible to identify bots and other entities that show regularity in the number of times they access the same API according to a scenario as unauthorized users.
[0075] The visualization information may be a graph image represented by two axes, where one axis represents a user account and the other axis represents the access history for each account. This makes it possible to present information that makes it easy to visually judge the characteristics of access.
[0076] The information processing device 10 may accept input from an annotator for assigning annotations to a group based on the displayed visualization information. This can support the annotator in inputting annotations.
[0077] When the information processing device 10 receives a selection of the range of a group in the visualization information from the annotator, it may display an identifier indicating the account of a user belonging to the selected range of the group. This allows the annotator to appropriately determine the target to which annotations should be applied.
[0078] The information processing device 10 may add annotations to users belonging to a selected range of groups to identify whether they are regular users or non-regular users. This can help generate data to be used as training data for training a trained model that identifies whether a user is a regular user or a non-regular user.
[0079] The embodiments described above with reference to the drawings are examples of the present invention, and various other configurations can also be adopted.
[0080] It should be noted that the flowcharts in this embodiment are merely one example. Without altering the spirit of the present invention, there may be processes other than those described in each figure, some of the processes described in each figure may be omitted, or the order of the processes may be changed.
[0081] While embodiments of the present invention have been described above, the embodiments disclosed herein should be considered in all respects to be illustrative and not restrictive. The scope of this invention is indicated not by the above description but by the claims, and all modifications within the meaning and scope of equivalents of the claims are intended to be included. [Explanation of Symbols]
[0082] 1. Information Processing System 10 Information Processing Devices 11. Access History Information Acquisition Unit 12. Group Sampling Section 13 Visualization information generation section 14 Annotation section 20 Application Server Devices 30 Annotator terminals 40 Analyzer 90 Communication Networks
Claims
1. An information processing device used to identify whether a user using a predetermined application program is a legitimate user or an unauthorized user, An access history information acquisition unit acquires access history information, which is information relating to the history of access by the user to the application program. A group extraction unit that extracts users with the same and / or similar behavioral characteristics as a group by clustering based on the access history information of a considerable number of users, The system includes a visualization information generation unit that generates visualization information, which is information for displaying the extracted group in a visualized state so that it can be identified, Information processing device.
2. The group extraction unit extracts the group based on the information regarding the user's access time included in the access history information. The information processing apparatus according to claim 1.
3. The group extraction unit calculates the user's access interval based on the access history information and extracts the group based on the calculated access interval information. The information processing apparatus according to claim 1.
4. The group extraction unit calculates the number of times a user has accessed the same API based on the access history information, and extracts the group based on the calculated information regarding the number of accesses. The information processing apparatus according to claim 1.
5. The aforementioned visualization information is information representing a graph image with two axes, where one axis represents a user's account and the other axis represents the access history for each account. The information processing apparatus according to claim 1.
6. The visualization information generation unit generates the visualization information by including the file size of the image generated as visualization information as a numerical value indicating the homogeneity of user behavior. The information processing apparatus according to claim 1.
7. The system further includes an annotation unit that receives input from an annotator for assigning annotations to a group based on the displayed visualization information. The information processing apparatus according to claim 1.
8. When the annotation unit receives a selection of the range of a group in the visualization information from the annotator, it displays an identifier indicating the account of a user belonging to the selected range of the group. The information processing apparatus according to claim 7.
9. The annotation unit assigns annotations that identify whether a user belonging to a selected group is a regular user or an unauthorized user. The information processing apparatus according to claim 7.
10. An information processing method performed by an information processing device used to identify whether a user using a predetermined application program is a legitimate user or an unauthorized user, The steps include: obtaining access history information, which is information regarding the history of access to the application program by the user; A step of extracting users with the same and / or similar behavioral characteristics as a group by clustering based on the access history information of a considerable number of users; The step of generating visualization information, which is information for displaying the extracted group in a visualized state so as to be identifiable, includes: Information processing methods.
11. An information processing device used to identify whether a user using a given application program is a legitimate user or an unauthorized user, The steps include: obtaining access history information, which is information regarding the history of access to the application program by the user; A step of extracting users with the same and / or similar behavioral characteristics as a group by clustering based on the access history information of a considerable number of users; A program for performing the steps of generating visualization information, which is information for displaying the extracted group in a visualized state so that it can be identified.