Systems, methods, and programs

By modifying login screen titles and recording log information for authorized and unauthorized operations, the system efficiently monitors and reduces information leakage from unauthorized cloud service access.

JP2026111389APending Publication Date: 2026-07-03NTT TECHNOCROSS CORP

Patent Information

Authority / Receiving Office
JP · JP
Patent Type
Applications
Current Assignee / Owner
NTT TECHNOCROSS CORP
Filing Date
2024-12-23
Publication Date
2026-07-03

AI Technical Summary

Technical Problem

Existing systems for monitoring unauthorized operations on terminals require manual checking of images or videos, which is time-consuming.

Method used

A system that modifies the login screen title and sets a predetermined account for cloud service access, recording log information with the modified title for legitimate operations and the original title for unauthorized ones, enabling efficient monitoring.

Benefits of technology

Facilitates efficient identification of unauthorized activities by recording and monitoring login operations using modified and original screen titles, reducing the risk of information leakage.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure 2026111389000001_ABST
    Figure 2026111389000001_ABST
Patent Text Reader

Abstract

To provide technology that can efficiently monitor specific fraudulent activities. [Solution] A system comprising one or more terminals, a control device that provides a login screen to a cloud service, and a management device that manages logs of the terminals, wherein when the terminal uses the cloud service, the control device changes the name of a first login screen provided by the cloud service and provides the terminal with a second login screen in which a predetermined account has been set for the first login screen, and when a login operation is performed on the first login screen or the second login screen by the terminal, the control device transmits a log including the name of the first login screen or the second login screen on which the login operation was performed to the management device.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This disclosure relates to systems, methods, and programs.

Background Art

[0002] Techniques for recording operations on a screen displayed on a terminal for the purpose of monitoring unauthorized operations on terminals such as personal computers (PCs) are known. For example, Patent Document 1 discloses a technique for recording operations on such a screen by capturing the screen displayed on the terminal as an image at predetermined time intervals and using a video composed of those images.

Prior Art Documents

Patent Documents

[0003]

Patent Document 1

Summary of the Invention

Problems to be Solved by the Invention

[0004] However, in the prior art, it is necessary for a person monitoring unauthorized operations or the like to check images or videos, and it may take time for such monitoring.

[0005] This disclosure has been made in view of the above points, and provides a technique capable of efficiently monitoring specific unauthorized operations.

Means for Solving the Problems

[0006] A system according to one aspect of the present disclosure includes one or more terminals, a control device that provides a login screen for a cloud service, and a management device that manages logs of the terminals, wherein when the terminal uses the cloud service, the control device changes the name of a first login screen provided by the cloud service and provides the terminal with a second login screen in which a predetermined account has been set for the first login screen, and when a login operation is performed on the first login screen or the second login screen, the control device transmits a log including the name of the first login screen or the second login screen on which the login operation was performed to the management device. [Effects of the Invention]

[0007] It can efficiently monitor specific fraudulent activities. [Brief explanation of the drawing]

[0008] [Figure 1] This figure shows an example of the overall configuration of the system according to this embodiment. [Figure 2] This figure shows an example of the functional configuration of the system according to this embodiment. [Figure 3] This sequence diagram shows an example of the process when logging into a cloud service using a pre-defined account. [Figure 4] This figure shows an example of a login screen for a certain cloud service. [Figure 5] This figure shows an example of a login screen for a certain cloud service after changing the title and setting up the account. [Figure 6] This sequence diagram illustrates an example of what happens when logging into a cloud service using an account other than the one predetermined. [Figure 7] This is a sequence diagram illustrating an example of the operation when saving log information. [Figure 8]This sequence diagram illustrates an example of how to monitor whether a login operation to a cloud service was performed using an account other than a pre-defined account. [Modes for carrying out the invention]

[0009] Hereinafter, one embodiment of the present invention will be described in detail with reference to the drawings. In the following embodiment, a specific fraudulent operation on a terminal such as a PC is assumed to be a login operation to a cloud service using an account other than a predetermined account (e.g., a personal account), and a case for efficiently monitoring such fraudulent operations will be described.

[0010] Here, a cloud service refers to a service provided by an external service provider via a communication network such as the internet. While cloud services are not limited to specific services, in the following discussion, we will primarily assume cloud services that provide at least storage resources. This is because, for example, if an employee logs into a cloud service using a company PC and a personal account, there is a risk of information leakage, as confidential information held on that PC may be stored on the storage resources provided by that cloud service.

[0011] <Example of overall system configuration> Figure 1 is a diagram showing an example of the overall configuration of the system according to this embodiment. As shown in Figure 1, the system according to this embodiment includes a plurality of user terminals 10, one or more administrator terminals 20, an access control device 30, a log management device 40, and a cloud service provision system 50. Each of these entities (user terminals 10, administrator terminals 20, access control device 30, log management device 40, cloud service provision system 50) is connected to communicate via a communication network 60, including the Internet. In the example shown in Figure 1, there are N user terminals 10, from user terminal 10-1 to user terminal 10-N, and each user terminal 10 and administrator terminal 20 are located in a system environment E such as an internal network. In the example shown in Figure 1, there is only one administrator terminal 20, but there may be multiple administrator terminals 20. Similarly, in the example shown in Figure 1, there is only one cloud service provision system 50, but there may be multiple cloud service provision systems 50.

[0012] The user terminal 10 is a type of terminal operated by users who utilize the cloud services provided by the cloud service provision system 50. While a PC is commonly used as the user terminal 10, it is not limited to this; for example, a smartphone, tablet, or wearable device may also be used.

[0013] The administrator terminal 20 is a terminal operated by a person (hereinafter referred to as the "administrator," but may also be called a "monitor," etc.) who monitors specific unauthorized operations on the user terminal 10 (i.e., login operations to cloud services using accounts other than predetermined accounts). The administrator terminal 20 is a PC, but is not limited to this; for example, a smartphone, tablet, wearable device, etc., may also be used.

[0014] The access control device 30 is a general-purpose server or a system composed of such servers that enables login operations to cloud services using predetermined accounts (e.g., corporate accounts).

[0015] The log management device 40 is a general-purpose server or a system composed of such servers that manages log information recorded on the user terminal 10.

[0016] The cloud service providing system 50 is an external system that provides cloud services (particularly, cloud services that provide at least storage resources).

[0017] Note that the overall configuration of the system shown in FIG. 1 is an example and is not limited thereto. For example, various entities other than the entities shown in FIG. 1 may be included.

[0018] <Functional configuration example of the system> FIG. 2 is a diagram showing a functional configuration example of the system according to the present embodiment.

[0019] ≪User terminal 10≫ As shown in FIG. 2, the user terminal 10 according to the present embodiment includes a UI providing unit 101 and a log recording unit 102. Each of these units is realized, for example, by processing executed by an arithmetic device such as a CPU (Central Processing Unit) of one or more programs installed in the user terminal 10. Further, the user terminal 10 according to the present embodiment includes a log temporary storage unit 103. The log temporary storage unit 103 is realized, for example, by a storage area of a storage device (e.g., HDD (Hard Disk Drive), SSD (Solid State Drive), flash memory, etc.) included in the user terminal 10.

[0020] The UI providing unit 101 displays various screens including a log-in screen to the cloud service on the display and accepts operations on these various screens. Note that the UI providing unit 101 can be realized, for example, using a web browser or the like.

[0021] The log recording unit 102 creates log information representing various logs from the user terminal 10 and stores it in the log temporary storage unit 103. Furthermore, when predetermined conditions are met, the log recording unit 102 transmits the log information stored in the log temporary storage unit 103 to the log management device 40 and deletes that log information from the log temporary storage unit 103. These predetermined conditions include, for example, a predetermined time, a predetermined amount of time elapsed since the previous transmission and deletion of log information, or the storage capacity of the log temporary storage unit 103 exceeding a predetermined capacity. The log recording unit 102 can be implemented, for example, using existing log recording software.

[0022] The temporary log storage unit 103 temporarily stores log information created by the log recording unit 102. The log information includes, for example, the date and time the log was recorded, user identification information that identifies the user of the user terminal 10 (e.g., username, user ID, terminal ID, etc.), and the log content. The log content refers to information that represents the subject of the log recording (e.g., operation, screen, etc.). Hereinafter, the subject of the log recording will include screens on which the user of the user terminal 10 has performed an operation (e.g., pressing a button, entering text, etc.), and the log content will include the title of the screen. The title of the screen may also be called, for example, "screen name" or "screen name." The screen may also be called, for example, "window."

[0023] ≪Administrator Terminal 20≫ As shown in Figure 2, the administrator terminal 20 according to this embodiment has a UI providing unit 201. The UI providing unit 201 is realized, for example, by having one or more programs installed on the administrator terminal 20 execute on a processing unit such as a CPU.

[0024] The UI provider unit 201 displays various screens on the display, including a log list screen that shows a list of log information acquired from the log management device 40, and accepts operations on these various screens. The UI provider unit 201 can be implemented using, for example, a web browser.

[0025] ≪Access Control Device 30≫ As shown in Figure 2, the access control device 30 according to this embodiment has an access control unit 301. The access control unit 301 is implemented by a process in which one or more programs installed on the access control device 30 are executed by a processing unit such as a CPU. The access control device 30 according to this embodiment also has an account storage unit 302. The account storage unit 302 is implemented, for example, by the storage area of ​​a storage device (e.g., HDD, SSD, flash memory, etc.) owned by the access control device 30. However, the account storage unit 302 may also be implemented, for example, by the storage area of ​​a storage device (e.g., a storage device owned by a database server) that is communicatively connected to the access control device 30.

[0026] The access control unit 301 changes the title of the login screen for the cloud service provided by the cloud service provision system 50 and sets the account stored in the account storage unit 302. The access control unit 301 also provides the user terminal 10 with the login screen after the title change and account setting.

[0027] The account storage unit 302 stores accounts for logging into the cloud services provided by the cloud service provision system 50. The accounts stored in the account storage unit 302 are accounts that users of the user terminal 10 are required to use when logging into the cloud services (or accounts that users of the user terminal 10 are permitted to use when logging into the cloud services). Hereinafter, as an example, an account will be assumed to be a pair of a user ID for the cloud service and its corresponding password. However, the representation of an account as a pair of user ID and password is just an example and is not limited to this; for example, an email address or telephone number may be used instead of a user ID. Furthermore, accounts stored in the account storage unit 302 will be referred to as "corporate accounts." On the other hand, accounts other than corporate accounts, including cloud service accounts acquired personally by users of the user terminal 10, will be referred to as "personal accounts."

[0028] Furthermore, if there are multiple cloud service provision systems 50 (i.e., if multiple cloud services are available), the account storage unit 302 stores a corporate account for logging into each cloud service, associated with the identification information of that cloud service.

[0029] ≪Log Management Device 40≫ As shown in Figure 2, the log management device 40 according to this embodiment has a log management unit 401. The log management unit 401 is implemented, for example, by having one or more programs installed on the log management device 40 execute a process on a processing unit such as a CPU. The log management device 40 according to this embodiment also has a log storage unit 402. The log storage unit 402 is implemented, for example, by the storage area of ​​a storage device (e.g., HDD, SSD, flash memory, etc.) owned by the log management device 40. However, the log storage unit 402 may also be implemented, for example, by the storage area of ​​a storage device (e.g., a storage device owned by a database server) that is communicatively connected to the log management device 40.

[0030] The log management unit 401 stores log information received from each user terminal 10 in the log storage unit 402, retrieves log information from the log storage unit 402, and transmits the log information retrieved from the log storage unit 402 to the administrator terminal 20.

[0031] The log storage unit 402 stores log information received from each user terminal 10.

[0032] <Example of how to log in to a cloud service using a corporate account> The following describes an example of how a user on user terminal 10 logs into a cloud service using a pre-determined corporate account, with reference to Figure 3.

[0033] The UI provision unit 101 of the user terminal 10 accesses the access control device 30 (step S101).

[0034] The access control unit 301 of the access control device 30 transmits a first top screen to the user terminal 10 in response to the user terminal 10's access (step S102). The first top screen is the screen displayed immediately after accessing the access control device 30. The first top screen displays, for example, one or more cloud service names for selection. The first top screen can be represented by screen definition information such as HTML (HyperText Markup Language).

[0035] The UI provision unit 101 of the user terminal 10 displays the first top screen received from the access control device 30 (step S103). This allows the user of the user terminal 10 to select the name of the cloud service they wish to use from the one or more cloud service names displayed on the first top screen. Hereinafter, it will be assumed that a certain cloud service name has been selected by the user on the first top screen.

[0036] The UI provision unit 101 of the user terminal 10 accepts the user's selection of a cloud service name (step S104).

[0037] The UI provision unit 101 of the user terminal 10 transmits the cloud service name to the access control device 30 (step S105). The cloud service name is an example of identification information that identifies the cloud service.

[0038] When the access control unit 301 of the access control device 30 receives a cloud service name, it accesses the cloud service provision system 50 that provides the cloud service with that cloud service name and obtains a login screen (step S106). Here, an example of a login screen obtained from the cloud service provision system 50 is shown in Figure 4. The login screen 1000 shown in Figure 4 is a login screen for the cloud service with the cloud service name "ABC", and includes a login screen title 1001, a user ID input field 1002, a password input field 1003, and an OK button 1004. On the login screen 1000 shown in Figure 4, you can log in to the cloud service with the cloud service name "ABC" by entering a valid user ID and password in the user ID input field 1002 and the password input field 1003, respectively, and then pressing the OK button 1004. Hereafter, the title of the login screen obtained from the cloud service provision system 50 (for example, title 1001 in the example shown in Figure 4) will be referred to as the "original title".

[0039] The access control unit 301 of the access control device 30 changes the title of the login screen obtained in step S106 (step S107). The access control unit 301 can change the title of the login screen according to a predetermined change method (rule), for example. Such a rule could be, for example, "Automatic Access" + "Cloud Service Name" + "-Login" (where "+" represents string concatenation). If this rule is used, for example, the original title "Cloud Service ABC Login" will be changed to "Automatic Access ABC-Login".

[0040] The access control unit 301 of the access control device 30 retrieves the corporate account corresponding to the cloud service name from the account storage unit 302 and then sets that corporate account on the login screen obtained in step S106 (step S108). That is, for example, the access control unit 301 retrieves the corporate account corresponding to the cloud service name "ABC" from the account storage unit 302 and then sets the user ID and password included in that corporate account in the user ID input field 1002 and password input field 1003, respectively.

[0041] Here, Figure 5 shows the login screen when steps S107 to S108 above are performed on the login screen 1000 shown in Figure 4. The login screen 1100 shown in Figure 5 includes the title 1101 changed in step S107, the user ID input field 1102 where the user ID was set in step S108, the password input field 1103 where the password was set in step S108, and the OK button 1104. Note that the password set in the password input field 1103 is replaced with characters such as asterisks and is not displayed.

[0042] The access control unit 301 of the access control device 30 transmits the login screen (e.g., the login screen 1100 shown in Figure 5) with the title changed and account settings configured in steps S107 to S108 above to the user terminal 10 (step S109).

[0043] The UI provision unit 101 of the user terminal 10 displays the login screen received from the access control device 30 (i.e., the login screen after title change and account settings) (step S110). Hereafter, it is assumed that the user has performed a login operation on the login screen (e.g., pressing the OK button 1104 on the login screen 1100 shown in Figure 5).

[0044] The UI provision unit 101 of the user terminal 10 accepts a login operation from the user (step S111).

[0045] The log recording unit 102 of the user terminal 10 creates log information that includes the title of the login screen where the login operation was performed, and stores this log information in the temporary log storage unit 103 (step S112). Note that the log information includes the title that was changed in step S107 above. Also note that in addition to the log content, the log information includes the date and time the log was recorded and the user identification information of the user of the user terminal 10.

[0046] The UI provision unit 101 of the user terminal 10 logs into the cloud service provided by the cloud service provision system 50 by sending the corporate account set on the login screen where the login operation was performed to the cloud service provision system 50 (step S113).

[0047] Thus, when a user on terminal 10 uses a cloud service with a corporate account, the title of the login screen for that cloud service is changed, and the corporate account is automatically set on the login screen. Therefore, log information containing the changed title is recorded on terminal 10. Furthermore, since the corporate account is automatically set on the login screen, there is no need to inform the user on terminal 10 of the password or other information for that corporate account, thus ensuring security.

[0048] <Example of how to log in to a cloud service using a personal account> The following describes an example of what happens when a user on user terminal 10 logs into a cloud service using a personal account other than a pre-determined account, with reference to Figure 6. Please note that logging into a cloud service using a personal account is an unauthorized operation.

[0049] The UI provision unit 101 of the user terminal 10 accesses the cloud service provision system 50 that provides the desired cloud service and obtains the login screen (step S201).

[0050] The UI provision unit 101 of the user terminal 10 displays the login screen obtained in step S201 above (step S202). For example, if the login screen is obtained from the cloud service provision system 50 that provides the cloud service named "ABC", the login screen 1000 shown in Figure 4 is displayed. Hereafter, it is assumed that the user has performed a login operation on the login screen (e.g., setting the user ID and password of the personal account in the user ID input field 1002 and password input field 1003 of the login screen 1000 shown in Figure 4, and then pressing the OK button 1004).

[0051] The UI provision unit 101 of the user terminal 10 accepts a login operation from the user (step S203).

[0052] The log recording unit 102 of the user terminal 10 creates log information that includes the title of the login screen where the login operation was performed, and stores this log information in the temporary log storage unit 103 (step S204). Note that the log information includes the title of the login screen obtained in step S201 above (i.e., the original title). Also note that in addition to the log content, the log information includes the date and time the log was recorded and the user identification information of the user of the user terminal 10.

[0053] The UI provision unit 101 of the user terminal 10 logs into the cloud service provided by the cloud service provision system 50 by sending the personal account set on the login screen where the login operation was performed to the cloud service provision system 50 (step S205).

[0054] Thus, when a user on user terminal 10 uses a cloud service with their personal account, log information is recorded that includes the original title of the login screen for that cloud service. This allows, for example, an administrator to identify a user who has performed an unauthorized operation by searching for log information that includes the original title.

[0055] <Example of operation when saving log information> The following describes an example of the operation when saving log information stored in the temporary log storage unit 103 of the user terminal 10 to the log storage unit 402 of the log management device 40, with reference to Figure 7.

[0056] The log recording unit 102 of the user terminal 10 transmits the log information stored in the log temporary storage unit 103 to the log management device 40 when predetermined conditions are met (step S301).

[0057] The log management unit 401 of the log management device 40 stores the log information received from the user terminal 10 in the log storage unit 402 (step S302).

[0058] The log recording unit 102 of the user terminal 10 deletes the log information sent to the log management device 40 in step S401 from the log temporary storage unit 103 (step S303).

[0059] <Example of operation when monitoring whether or not a login operation to a cloud service was performed using a personal account> The following describes an example of how to monitor whether or not a login operation to a cloud service was performed using a personal account, with reference to Figure 8.

[0060] The UI provider unit 201 of the administrator terminal 20 accesses the log management device 40 (step S401).

[0061] The log management unit 401 of the log management device 40 transmits a second top screen to the administrator terminal 20 in response to access from the administrator terminal 20 (step S402). The second top screen is the screen displayed immediately after accessing the log management device 40. The second top screen includes, for example, a search condition input field for entering search conditions for log information stored in the log storage unit 402. The second top screen can be represented by screen definition information such as HTML.

[0062] The UI provider unit 201 of the administrator terminal 20 displays the second top screen received from the log management device 40 (step S403). This allows the user (administrator) of the administrator terminal 20 to enter desired search conditions (e.g., "The original title of the login screen for the cloud service is included in the log content") into the search condition input field included in the second top screen. Hereinafter, it will be assumed that the user (administrator) has entered the search condition "The original title of the login screen for the cloud service is included in the log content" on the second top screen.

[0063] The UI provision unit 201 of the administrator terminal 20 accepts search criteria input from the user (administrator) (step S404).

[0064] The UI provision unit 201 of the administrator terminal 20 sends a search request containing the search conditions to the log management device 40 (step S405).

[0065] When the log management unit 401 of the log management device 40 receives a search request from the administrator terminal 20, it retrieves log information from the log storage unit 402 that satisfies the search conditions included in the search request (step S406). Specifically, the log management unit 401 retrieves log information from the log storage unit 402 that includes the original title of a login screen for a certain cloud service in its log content.

[0066] The log management unit 401 of the log management device 40 transmits the log information acquired in step S406 above to the administrator terminal 20 (step S407).

[0067] The UI provider unit 201 of the administrator terminal 20 displays a log list screen containing a list of log information received from the log management device 40 (step S408). This allows the administrator to check log information when a login operation to the cloud service is performed using a personal account. Therefore, the administrator can identify the user (user on the user terminal 10) who performed such an unauthorized operation.

[0068] <Variation> As one variation, for example, in step S302 of Figure 7, if log information that satisfies search conditions such as "the original title of the login screen to the cloud service is included in the log content" is stored in the log storage unit 402, the log management unit 401 of the log management device 40 may send a notification to the administrator terminal 20 that log information that satisfies the search conditions has been stored.

[0069] <Summary> As described above, in this embodiment, the title of the screen operated by the user terminal 10 is recorded as a log, and when using a cloud service, the title of the login screen to the cloud service is changed if a predetermined account is used. This makes it possible to treat the operation as legitimate if the changed title is recorded as a log, and as an unauthorized operation if the original title is recorded as a log, allowing for efficient monitoring of operations such as logging into a cloud service using a personally acquired account. Therefore, it is possible to reduce the list of information leaks, such as when an employee logs into a cloud service using a company PC and a personal account and saves confidential information held on that PC to the cloud service's storage resources.

[0070] The present invention is not limited to the embodiments specifically disclosed above, and various modifications, changes, and combinations with known technologies are possible without departing from the scope of the claims. [Explanation of symbols]

[0071] 10. User terminals 20 Administrator terminals 30 Access Control Device 40 Log Management Device 50 Cloud Service Provisioning Systems 60 Communication Networks 101 UI provision department 102 Log Recording Section 103 Log Temporary Storage Unit 201 UI provision department 301 Access Control Unit 302 Account Storage Unit 401 Log Management Department 402 Log Storage Unit

Claims

1. A system comprising one or more terminals, a control device that provides a login screen for a cloud service, and a management device that manages logs of the terminals, The control device is When the terminal uses a cloud service, the name of the first login screen provided by the cloud service is changed, and a second login screen is provided to the terminal with a predetermined account set for the first login screen. The aforementioned terminal is When a login operation is performed on the first login screen or the second login screen, a log including the name of the first login screen or the second login screen on which the login operation was performed is sent to the management device. system.

2. The control device is The system according to claim 1, wherein the name of the first login screen is changed according to a predetermined rule.

3. The aforementioned control device is The system according to claim 1 or 2, wherein when a log containing the name of the first login screen is received, a notification indicating that an unauthorized operation has occurred is sent to a predetermined administrator terminal.

4. A method used in a system that includes one or more terminals, a control device that provides a login screen for a cloud service, and a management device that manages logs of the terminals, The control device, When the terminal uses a cloud service, the name of the first login screen provided by the cloud service is changed, and a second login screen is provided to the terminal with a predetermined account set for the first login screen. The aforementioned terminal, When a login operation is performed on the first login screen or the second login screen, a log including the name of the first login screen or the second login screen on which the login operation was performed is sent to the management device. method.

5. A program used in a system that includes one or more terminals, a control device that provides a login screen for a cloud service, and a management device that manages the logs of the terminals, The control device, When the terminal uses a cloud service, the name of the first login screen provided by the cloud service is changed, and a second login screen is provided to the terminal with a predetermined account set for the first login screen. To the aforementioned terminal, When a login operation is performed on the first login screen or the second login screen, a log including the name of the first login screen or the second login screen on which the login operation was performed is sent to the management device. A program that executes a process.