JP2015170023A - Information processing apparatus, information processing system, and control program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To improve security for the use of an information processing device in a situation where a plurality of information processing devices can be used.SOLUTION: An information processing device includes an operation instruction reception part for receiving an operation instruction from a user authenticated according to a predetermined authentication system, an unauthorized operation determination part for determining whether the received operation instruction is an unauthorized operation, a fraudulence prevention processing part for performing processing for preventing the information processing device from being unauthorizedly used in the case that the authenticated user is specified unauthorized user list information in which a user determined to have performed a fraudulent operation is specified or that the fraudulent operation is determined, an unauthorized use information output part for outputting unauthorized use information showing that the operation instruction of the authenticated user is an unauthorized operation in the case that the unauthorized operation is determined, and an unauthorized user list information update part for acquiring the unauthorized use information outputted from another processing device to update the unauthorized user list information.

Description

  The present invention relates to an information processing apparatus, an information processing system, and a control program, and more particularly to processing that takes security into consideration for use of a plurality of information processing apparatuses.

  In an information processing apparatus that performs data processing, in order to prevent a malicious user from operating the apparatus illegally, when the user uses the information processing apparatus, the user authority is entered by inputting a user ID, a password, and the like. User authentication processing is performed to authenticate that there is.

  However, if a malicious user steals a password or acquires a password due to information leakage, the malicious user is authenticated using the password illegally, and the information processing apparatus can be used. Therefore, there are cases where such user authentication processing alone is insufficient in terms of security.

  In order to solve such a problem, when the access time to the server (information processing apparatus) exceeds a predetermined value, authentication data different from the authentication data used for using the server is provided. There has been proposed a method for re-authenticating a user (see, for example, Patent Document 1).

  In the technique disclosed in Patent Document 1, it is determined whether or not to perform re-authentication processing for each information processing device used when accessing the server. Request re-authentication. When a malicious user tries to operate an information processing device illegally and fails to re-authenticate, he or she gives up using the information processing device and tries another operation using another information processing device. There is a case. In such a case, when the technique disclosed in Patent Document 1 is used, if the re-authentication condition is not satisfied in another information processing apparatus, the user re-authentication process is not performed. Inappropriate operations are performed in the apparatus, which is insufficient in terms of security.

  The present invention has been made to solve such a problem, and an object of the present invention is to improve security for use of an information processing device in a situation where a plurality of information processing devices can be used.

  In order to solve the above-described problem, an aspect of the present invention is an information processing apparatus that permits a user who has been authenticated in accordance with a predetermined authentication scheme to use the apparatus, wherein the predetermined authentication scheme is An operation command receiving unit that receives an operation command from a user who is authenticated according to the above, an unauthorized operation determination unit that determines whether the received operation command is an unauthorized operation, and an unauthorized operation is determined. Preventing unauthorized use of the information processing apparatus when the authenticated user is identified in the unauthorized user list information in which the user is identified or when the operation command is determined to be an unauthorized operation Fraud prevention processing unit for performing processing for performing fraud, and unauthorized use information indicating that the operation command of the authenticated user is an illegal operation when the operation command is determined to be an illegal operation An unauthorized use information output unit for outputting, and an unauthorized user list information update unit for acquiring the unauthorized use information output from another information processing apparatus and updating the unauthorized user list information .

  ADVANTAGE OF THE INVENTION According to this invention, the security with respect to utilization of an information processing apparatus can be improved in the condition which can use several information processing apparatus.

It is a figure which shows the operation | use form of the image processing system which concerns on embodiment of this invention. It is a block diagram which shows the hardware constitutions of the image processing apparatus which concerns on embodiment of this invention. It is a block diagram which shows the function structure of the image processing apparatus which concerns on this embodiment of this invention. It is a block diagram which shows the function structure of the main control part which concerns on embodiment of this invention. It is a figure which illustrates the unauthorized use information stored in the unauthorized use DB which concerns on embodiment of this invention. It is a flowchart which shows the operation | movement which concerns on prevention of unauthorized use by the main control part which concerns on embodiment of this invention. It is a figure which shows the example of the information stored in user DB which concerns on embodiment of this invention. It is a figure which illustrates job history information stored in job history DB concerning an embodiment of the present invention. It is a figure which shows the aspect of the face authentication process which concerns on embodiment of this invention. It is a figure which illustrates the table with which the authentication method which concerns on embodiment of this invention and the fraud degree were linked | related. It is a block diagram which shows the function structure of the main-control part 130 which concerns on the 2nd Embodiment of this invention. It is a figure which illustrates the aspect of the information addition process which concerns on the 2nd Embodiment of this invention. It is a block diagram which shows the function structure of the main-control part which concerns on the 3rd Embodiment of this invention. It is a figure which illustrates job history information stored in job history DB concerning a 3rd embodiment of the present invention.

  Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings. In the present embodiment, an example of an information processing apparatus that performs data processing is an image processing apparatus. A user who is authenticated by a predetermined authentication method is permitted to use the image processing apparatus, and a PC (Personal Computer). A system for operating the image processing apparatus via the client terminal or the display panel of the image processing apparatus will be described.

  FIG. 1 is a diagram illustrating an example of an operation mode of the image processing system according to the present embodiment. As shown in FIG. 1, the image processing system according to this embodiment includes n image processing apparatuses 1-1 to 1-n (n is an integer equal to or greater than 1. Hereinafter, “image processing apparatus 1” is generally referred to). The client terminal 2 and the management server 3 are connected via a network such as the Internet or a LAN (Local Area Network).

  The image processing apparatus 1 is an MFP (Multi Function Peripheral) that can be used as a printer, a facsimile, a scanner, and a copier by providing an imaging function, an image forming function, a communication function, and the like. The client terminal 2 is an information processing terminal operated by a user, and is realized by an information processing apparatus such as a PC. The client terminal 2 according to the present embodiment generates, for example, a print job in response to a user operation, and causes the image processing apparatus 1 to execute image forming output via a network. 1 to send. The management server 3 manages various types of information such as information such as IP (Internet Protocol) addresses of n image processing apparatuses and information regarding installation locations of the image processing apparatuses.

  Next, hardware constituting each device of the image processing apparatus 1, the client terminal 2, and the management server 3 included in the image processing system according to the present embodiment will be described. FIG. 2 is a block diagram illustrating a hardware configuration of the image processing apparatus 1 according to the present embodiment. Although FIG. 2 shows the hardware configuration of the image processing apparatus 1, the same applies to other apparatuses.

  As shown in FIG. 2, the image processing apparatus 1 according to the present embodiment has the same configuration as an information processing apparatus such as a general PC (Personal Computer) or a server. That is, the image processing apparatus 1 according to this embodiment includes a CPU (Central Processing Unit) 10, a RAM (Random Access Memory) 20, a ROM (Read Only Memory) 30, an HDD (Hard Disk Drive) 40, and an I / F 50. 80 is connected. Further, an LCD (Liquid Crystal Display) 60 and an operation unit 70 are connected to the I / F 50.

  The CPU 10 is a calculation unit and controls the operation of the entire image processing apparatus 1. The RAM 20 is a volatile storage medium capable of reading and writing information at high speed, and is used as a work area when the CPU 10 processes information. The ROM 30 is a read-only nonvolatile storage medium and stores a program such as firmware. The HDD 40 is a non-volatile storage medium that can read and write information, and stores an OS (Operating System), various control programs, application programs, and the like.

  The I / F 50 connects and controls the bus 80 and various hardware and networks. The LCD 60 is a visual user interface for the user to check the state of the image processing apparatus 1. The operation unit 70 is a user interface for a user to input information to the image processing apparatus 1 such as a keyboard, a mouse, various hard buttons, and a touch panel. When the management server 3 is operated as a server, these user interface devices can be omitted.

  In such a hardware configuration, the software control unit is configured by the CPU 10 performing calculations in accordance with a program stored in the ROM 30 or a program read into the RAM 20. Functional blocks for realizing the functions of the image processing apparatus 1, the client terminal 2, and the management server 3 included in the image processing system according to the present embodiment by combining the software control unit configured as described above and hardware. Composed.

  Next, functions of the image processing apparatus 1 according to the present embodiment will be described. FIG. 3 is a block diagram showing a functional configuration of the image processing apparatus 1 according to the present embodiment. As shown in FIG. 3, the image processing apparatus 1 according to the present embodiment includes a controller 100, an ADF (Auto Document Feeder) 110, a scanner unit 111, a paper discharge tray 112, a display panel 113, and a paper feed table. 114, a print engine 115, a paper discharge tray 116, a network I / F 117, and a near field communication I / F 118.

  The controller 100 includes a main control unit 130, an engine control unit 101, an input / output control unit 102, an image processing unit 103, and an operation display control unit 104. As shown in FIG. 3, the image processing apparatus 1 according to the present embodiment is configured as a multifunction machine having a scanner unit 111 and a print engine 115. In FIG. 3, the electrical connection is indicated by solid arrows, and the flow of paper is indicated by broken arrows.

  The display panel 113 is an output interface that visually displays the state of the image processing apparatus 1, and an input when the user directly operates the image processing apparatus 1 or inputs information to the image processing apparatus 1 as a touch panel. It is also an interface (operation unit). The network I / F 117 is an interface for the image processing apparatus 1 to communicate with other devices such as an administrator terminal via the network, and an interface such as Ethernet (registered trademark) or USB is used.

  The short-range communication I / F 118 is an interface for the image processing apparatus 1 to communicate with other devices by short-range wireless communication, such as Bluetooth (registered trademark), Wi-Fi (Wireless Fidelity), FeliCa (registered trademark), and the like. The interface is used.

  The controller 100 is configured by a combination of software and hardware. Specifically, a software control unit and an integrated circuit configured by loading a control program such as firmware stored in a non-volatile storage medium such as the ROM 30 or the HDD 40 into the RAM 20 and performing an operation by the CPU 10 according to the program. The controller 100 is configured by hardware such as the above. The controller 100 functions as a control unit that controls the entire image processing apparatus 1.

  The main control unit 130 plays a role of controlling each unit included in the controller 100 and gives a command to each unit of the controller 100. The engine control unit 101 serves as a driving unit that controls or drives the print engine 115, the scanner unit 111, and the like. The input / output control unit 102 inputs signals and commands input via the network I / F 117 and the short-range communication I / F 118 to the main control unit 130. The main control unit 130 also controls the input / output control unit 102 to access other devices via the network I / F 117, the near field communication I / F 118, and the network.

  The image processing unit 103 generates drawing information based on image information to be printed out under the control of the main control unit 130. The drawing information is information for drawing an image to be formed in the image forming operation by the print engine 115 as an image forming unit. The image processing unit 103 processes image data input from the scanner unit 111 and generates image data. This image data is information stored in the image processing apparatus 1 as a result of the scanner operation or transmitted to another device via the network I / F 117 or the short-range communication I / F 118. The operation display control unit 104 displays information on the display panel 113 or notifies the main control unit 130 of information input via the display panel 113.

  When the image processing apparatus 1 operates as a printer, first, the input / output control unit 102 receives a print job via the network I / F 117. The input / output control unit 102 transfers the received print job to the main control unit 130. When receiving the print job, the main control unit 130 controls the image processing unit 103 to generate drawing information based on document information or image information included in the print job. When drawing information is generated by the image processing unit 103, the engine control unit 101 executes image formation on a sheet conveyed from the paper feed table 114 based on the generated drawing information. As a specific mode of the print engine 115, an image forming mechanism using an ink jet method, an image forming mechanism using an electrophotographic method, or the like can be used. A document on which an image is formed by the print engine 115 is discharged to a discharge tray 116.

  When the image processing apparatus 1 operates as a scanner, the operation display control unit 104 or input / output control is performed in accordance with a user operation on the display panel 113 or a scan execution instruction input from an external device via the network I / F 117. The unit 102 transfers the scan execution signal to the main control unit 130. The main control unit 130 controls the engine control unit 101 based on the received scan execution signal. The engine control unit 101 drives the ADF 110 and conveys the document to be imaged set on the ADF 110 to the scanner unit 111. Further, the engine control unit 101 drives the scanner unit 111 and images a document conveyed from the ADF 110. If no original is set on the ADF 110 and the original is directly set on the scanner unit 111, the scanner unit 111 captures the set original under the control of the engine control unit 101. That is, the scanner unit 111 operates as an imaging unit.

  In the imaging operation, an imaging element such as a CCD included in the scanner unit 111 optically scans the document, and imaging information based on the optical information is generated. The engine control unit 101 transfers the imaging information generated by the scanner unit 111 to the image processing unit 103. The image processing unit 103 generates image information based on the imaging information received from the engine control unit 101 under the control of the main control unit 130. Image information generated by the image processing unit 103 is stored in a storage medium attached to the image processing apparatus 1 such as the HDD 40. The image information generated by the image processing unit 103 is stored in the HDD 40 or the like as it is according to a user instruction, or is transmitted to an external device by the input / output control unit 102 via the network I / F 117 and the short-range communication I / F 118. Sent.

  Further, when the image processing apparatus 1 operates as a copying machine, the image processing unit 103 generates drawing information based on imaging information received from the scanner unit 111 by the engine control unit 101 or image information generated by the image processing unit 103. To do. Based on the drawing information, the engine control unit 101 drives the print engine 115 as in the case of the printer operation.

  In such a system configuration, the image processing system according to the present embodiment, when determining whether or not an operation command by a user authenticated by a predetermined authentication method is an unauthorized operation, When information indicating that the user's operation command is an illegal operation is received from the processing device 1, the operation command is regarded as an illegal operation, and processing for preventing unauthorized use is performed. Hereinafter, as a configuration according to the first embodiment, a functional configuration related to prevention of unauthorized use in a plurality of image processing apparatuses 1 among functions of the main control unit 130 according to the first embodiment will be described.

  FIG. 4 is a block diagram illustrating a functional configuration related to prevention of unauthorized use in the plurality of image processing apparatuses 1 among the functions of the main control unit 130 according to the first embodiment of the present invention. As shown in FIG. 4, the main control unit 130 according to the first embodiment includes an unauthorized use information receiving unit 131, an unauthorized use information updating unit 132, an unauthorized use DB 133, an authentication processing unit 134, a user DB 135, and a job receiving unit 136. , An unauthorized operation determination unit 137, an unauthorized use information output unit 138, a re-authentication processing unit 139, a job processing unit 140, and a job history DB 141.

  The unauthorized use information receiving unit 131 receives unauthorized use information (described later with reference to FIG. 5) output from another image processing apparatus 1 included in the image processing system, and sends the unauthorized use information update unit 132 to the unauthorized use information updating unit 132. Output. The unauthorized use information updating unit 132 updates the unauthorized use information stored in the unauthorized use DB 133 with the unauthorized use information input from the unauthorized use information receiving unit 131.

  FIG. 5 is a diagram illustrating the unauthorized use information stored in the unauthorized use DB 133. As illustrated in FIG. 5, the unauthorized use DB 133 is configured as a table in which “user ID” and “illegal use flag” are associated, for example, and each record of the table is unauthorized use information. “User ID” is an identifier for identifying the user of the image processing apparatus 1 and corresponds to a user ID used for authentication processing in the authentication processing unit 134 described later.

  Whether the operation command by the user of “user ID” associated with the “illegal use flag” is determined as an illegal operation in any of the image processing apparatuses 1 included in the image processing system This is information indicating whether or not. For example, when the “unauthorized use flag” is “ON”, the state is determined as an unauthorized operation, and when it is “OFF”, the state is determined not to be an unauthorized operation.

  That is, the unauthorized use DB 133 is unauthorized user list information in which users who are determined to have performed unauthorized operations are specified. In such unauthorized user list information, the user of “user ID” whose “user flag” is “ON” is identified as the user who is determined to have performed an unauthorized operation. That is, the unauthorized use information updating unit 132 functions as an unauthorized user list information updating unit that acquires the unauthorized use information received by the unauthorized use information receiving unit 131 and updates the unauthorized user list information.

  Hereinafter, each component shown in FIG. 4 will be described with reference to FIG. FIG. 6 is a flowchart illustrating the processing of each component shown in FIG. As shown in FIG. 6, the authentication processing unit 134 first performs user authentication processing by a predetermined authentication method based on the input user information and information stored in the user DB 135 (S600).

  The user DB 135 is a storage medium that stores information used for user authentication processing. FIG. 7 shows an example of information stored in the user DB 135. As illustrated in FIG. 7, the user DB 135 has a table configuration in which, for example, “user ID”, “authentication information”, “re-authentication information”, and “login date / time” information are associated.

  “User ID” corresponds to “user ID” of the unauthorized use information stored in the unauthorized use DB 133 shown in FIG. “Authentication information” is information used for user authentication processing for the user to use the image processing apparatus 1. For example, when authentication using a user ID and a password is used as a predetermined authentication method, the “authentication information” is a password. “Re-authentication information” is information used when performing re-authentication processing. Details of the “re-authentication information” and the re-authentication process will be described later.

  “Login date / time” is a history of the date / time when the user of the associated “user ID” was authenticated by the authentication processing unit 134 (that is, logged into the image processing apparatus 1). The “login date” is used for processing of an unauthorized operation determination unit 137 described later. Details will be described later.

  For example, when authentication using a user ID and password is used as a predetermined authentication method, an authentication screen for prompting input of the user ID and password is displayed on the display panel 113 or the like. The authentication processing unit 134 acquires the user ID and password input via the authentication screen displayed on the display panel 113 or the like. The authentication processing unit 134 refers to the user DB 135 and authenticates the user when the “authentication information” (here, the password) associated with the acquired user ID matches the acquired password.

  If the user authentication fails (S601 / NO), the authentication processing unit 134 performs the user authentication process again based on the user information input again (S600). If the user cancels the authentication (for example, presses the “cancel” button included in the authentication screen) or if the user authentication fails for a predetermined number of times, the authentication processing unit 134 performs the processing. You may make it complete | finish.

  On the other hand, if the user authentication is successful (S601 / YES), the authentication processing unit 134 stores the date and time when the authentication process was performed as “login date and time” information stored in the user DB 135 shown in FIG. The job receiving unit 136 receives a job input via the display panel 113 or the client terminal 2 (S602). The job is an operation command for causing the image processing apparatus 1 to perform processing. For example, the job is a print job indicating a print command, a copy job indicating a copy command, a scan job indicating a scan command, or a fax job indicating a fax command. . In other words, the job reception unit 136 functions as an operation command reception unit that receives operation commands.

  In addition, the job reception unit 136 outputs the received job to the job processing unit 140. When the job is a print job, the job reception unit 136 receives a print job transmitted from the client terminal 2 or the like by the user before the user authentication processing, and then performs user authentication processing by the authentication processing unit 134. When the user authentication process is successful, a process related to determination of an unauthorized operation thereafter may be performed.

  The unauthorized operation determination unit 137 determines whether or not the operation command that is the job received by the job reception unit 136 is an unauthorized operation (S603, S604). The unauthorized operation is, for example, an operation on the image processing apparatus 1 performed by a malicious user who has been obtained by stealing another user's password and has been unauthorized and authenticated. Note that the determination by the unauthorized operation determination unit 137 that the operation is an unauthorized operation includes a case where it is determined that the operation is likely to be an unauthorized operation.

  First, the unauthorized operation determination unit 137 refers to the unauthorized use DB 133 shown in FIG. 5 and the “unauthorized use flag” associated with the “user ID” of the user authenticated by the authentication processing unit 134 is “ON”. It is determined whether or not there is (S603). When the “unauthorized use flag” is “ON” (S603 / YES), the unauthorized operation determination unit 137 does not perform the determination process of S604 described later, and the operation command received by the job reception unit 136 is an unauthorized operation. Consider it. Then, the re-authentication processing unit 139 performs re-authentication processing (S607). The re-authentication process will be described later.

  On the other hand, when the “unauthorized use flag” is “OFF” (S603 / NO), the unauthorized operation determination unit 137 determines that the operation command received by the job reception unit 136 is invalid based on the information stored in the user DB 135. It is determined whether the operation is an incorrect operation (S604).

  Specifically, the unauthorized operation determination unit 137 determines the number of times of authentication of the user who has performed the operation command so far (the number of logins to the image processing apparatus 1) from the history information of “login date” stored in the user DB 135. Is calculated. The unauthorized operation determination unit 137 determines that the received operation command is an unauthorized operation when the number of authentications satisfies a predetermined condition.

  For example, when the number of times of authentication of the user who has issued the operation command is abnormally high, there is a high possibility that a malicious user is trying to perform an unauthorized operation of the image processing apparatus 1. Therefore, for example, when the predetermined condition is “100 times or more” and the number of authentications acquired so far from the information stored in the user DB 135 is “150 times”, the unauthorized operation determination unit 137 The operation command received by the job receiving unit 136 is determined to be an illegal operation.

  The unauthorized operation determination unit 137 may determine whether the operation command is an unauthorized operation based on the authentication frequency. The authentication frequency is obtained by calculating the number of authentications within the latest predetermined time (for example, within the last one hour) from the history information of “login date” stored in the user DB 135. The unauthorized operation determination unit 137 determines that the operation command is an unauthorized operation when the calculated authentication frequency is equal to or greater than a predetermined number of times (for example, 10 times per hour).

  If it is determined that the operation command received by the job receiving unit 136 is an unauthorized operation (YES in S604), the unauthorized use information updating unit 132 uses the unauthorized use information stored in the unauthorized use DB 133 as an authentication processing unit. The information is updated to the unauthorized use information including the user ID of the user authenticated in 134 and the “unauthorized use flag” set to “ON” (S605).

  In addition, the unauthorized use information output unit 138 converts the unauthorized use information including the user ID of the user authenticated by the authentication processing unit 134 and the “unauthorized use flag” set to “ON” to other image processing included in the image processing system. It outputs with respect to the apparatus 1 (S606). As a result, the unauthorized use information receiving unit 131 of the other image processing apparatus 1 receives the unauthorized use information output in S606, and as described above, the unauthorized use information updating unit 132 causes the other image processing apparatus to receive the unauthorized use information. The unauthorized use information stored in one unauthorized use DB 133 is also updated.

  The unauthorized use information output unit 138 acquires, for example, the IP addresses of all the image processing apparatuses 1 in the image processing system managed by the management server 3, and uses the acquired IP addresses to obtain other image processing apparatuses. 1 shows illegal use information.

  The re-authentication processing unit 139 is input when the “unauthorized use flag” is “ON” (S603 / YES) or when the operation command is determined to be an unauthorized operation (S604 / YES). Based on the user information and the information stored in the user DB 135, the user re-authentication process is performed by an authentication method different from the authentication method used in the authentication processing unit 134 (S607).

  For example, when authentication using a password (second password) different from the authentication method used in the authentication processing unit 134 is used as the re-authentication method, “re-authentication information” stored in the user DB 135 illustrated in FIG. Is the second password. In this case, an authentication screen prompting the user ID and the second password to be input is displayed on the display panel 113 or the like.

  The re-authentication processing unit 139 acquires the user ID and the second password input via the authentication screen displayed on the display panel 113 or the like. The re-authentication processing unit 139 refers to the user DB 135 and authenticates the user when the “re-authentication information” associated with the acquired user ID matches the acquired second password.

  In FIG. 6, after the unauthorized use information is updated by the unauthorized use information update unit 132 and the unauthorized use information output unit 138 outputs the unauthorized use information, the re-authentication processing unit 139 performs user re-authentication processing. However, the processing order may be changed.

  If the user re-authentication fails (S608 / NO), the re-authentication processing unit 139 performs the user re-authentication process again based on the user information input again (S607). As in the case of the authentication process, when the authentication cancellation process is performed by the user, or when the user re-authentication has failed a predetermined number of times, the re-authentication processing unit 139 may end the process. Good.

  On the other hand, when it is determined that the operation command received by the job reception unit 136 is not an unauthorized operation (S604 / NO) or when the user re-authentication is successful (S608 / YES), the job processing unit 140 The job (operation instruction) input from 136 is executed (S609). For example, when the job input from the job reception unit 136 is a print job, the job processing unit 140 controls the engine control unit 101 to execute print processing. That is, the job processing unit 140 functions as an operation command processing unit that performs processing based on an operation command.

  Further, when the job processing ends, the job processing unit 140 stores job history information in the job history DB 141. FIG. 8 is a diagram illustrating job history information stored in the job history DB 141. As illustrated in FIG. 8, the job history information has a table configuration in which, for example, “user ID”, “job type”, “execution number”, “start date / time”, and “end date / time” are associated. That is, each record is a job history when one job is executed.

  “User ID” corresponds to the user ID used for the authentication processing in the authentication processing unit 134. “Job type” indicates the type of job executed. The “executed number” is the number of pages processed by the executed job. “Start date and time” and “End date and time” are the date and time when the job was started and completed.

  In addition, the unauthorized use information update unit 132 measures the elapsed time from the time when the user is re-authenticated by the re-authentication processing unit 139, and if the elapsed time exceeds a predetermined time (for example, 5 minutes), the unauthorized use information update unit 132 The “illegal use flag” associated with the re-authenticated user ID stored in the usage DB 133 is updated to “OFF”. In other words, the unauthorized use information update unit 132 excludes the re-authenticated user information from the information of the user determined to have performed an unauthorized operation in the unauthorized user list information that is the unauthorized use DB 133. In this case, when the job reception unit 136 next receives a job from the user with this user ID, the unauthorized operation determination unit 137, based on the information stored in the user DB 135, as described in S604. Perform illegal operation determination processing.

  As described above, in the first embodiment, when the “illegal use flag” associated with the user ID of the user authenticated by the authentication processing unit 134 is “OFF”, the operation performed on this user The image processing system includes the unauthorized use information in which the “unauthorized use flag” is set to “ON” when it is determined that the instruction is an unauthorized operation. Output to another image processing apparatus 1. On the other hand, when the “unauthorized use flag” is “ON”, the re-authentication processing unit 139 performs the re-authentication process without performing the process of determining whether or not the operation command issued by the user is an unauthorized operation. Is done.

  With such a configuration, information on a user who is determined to have performed an illegal operation in any of the image processing apparatuses 1 included in the image processing system is also shared in the other image processing apparatuses 1, and the other image processing apparatuses 1, the re-authentication process can be performed on the basis of the shared information on the assumption that the user has performed an unauthorized operation. Therefore, even though a malicious user fails to re-authenticate in a certain image processing apparatus 1, an unauthorized operation is performed without satisfying the conditions for performing re-authentication processing in another image processing apparatus 1. Therefore, in a situation where a plurality of information processing apparatuses such as the image processing apparatus 1 can be used, it is possible to improve security for the use of the information processing apparatus.

  In the present embodiment, the case where the second password is used as the authentication method used for the re-authentication process has been described as an example. However, this is only an example, and biometric authentication such as face authentication and fingerprint authentication may be used, or card authentication using an IC (Integrated Circuit) card or the like, or a mobile terminal such as a user's mobile phone may be used. Terminal authentication by transmitting user information via the short-range communication I / F 118 by approaching the Felica reader of the image processing apparatus 1 may be used.

  FIG. 9 is a diagram illustrating an example of face authentication processing. As shown in FIG. 9, for example, when a message prompting the user to shoot a user's face is displayed on the face authentication screen, the user brings his / her face close to the display panel 113, so that an imaging device 119 such as a camera installed therein. Thus, the user's face is photographed. In this case, “re-authentication information” in the user DB 135 is the feature amount of the user's face image, and the feature amount of “re-authentication information” associated with the input user ID is the feature amount of the captured face image. If they match, the user is re-authenticated. The feature amount of the face image is calculated using, for example, a Gabor filter that extracts the feature of the image.

  In the case of fingerprint authentication, “re-authentication information” is a feature amount of a user's fingerprint image, and in the case of card authentication or terminal authentication, it is information (for example, a password) included in an IC card or a mobile terminal. These authentication methods may be used as a predetermined authentication method used in the authentication processing unit 134, and an authentication method used in the authentication processing unit 134 and an authentication method used in the re-authentication processing unit 139 may be used. It only has to be different.

  Further, in the present embodiment, an example of a case where the unauthorized operation determination unit 137 determines whether or not the operation command is an unauthorized operation based on the “login date / time” history information stored in the user DB 135. explained. However, this is merely an example, and an unauthorized operation determination process may be performed based on job execution history information stored in the job history DB 141.

  Specifically, for example, the unauthorized operation determination unit 137 determines, based on the job history information illustrated in FIG. 8, the total number of jobs input so far by the user who has performed the operation command, and the total number of jobs output so far. The number of pages, the average execution time (the execution time is the required time from the start date to the end date), etc., of the predetermined number of jobs that have been completed most recently (for example, the number of jobs completed within the last hour) are calculated. . Then, the unauthorized operation determination unit 137 determines that the received operation command is an unauthorized operation when the number and the average execution time satisfy the predetermined conditions (for example, exceed a predetermined threshold). judge. Note that any one of the above-described number and average execution time may be used for the determination process, or two or more of the above-described numbers and average execution time may be combined and used for the determination process.

  Further, the unauthorized operation determination unit 137 calculates the total number of jobs, the total number of pages, and the average execution time for each job type from the job history information illustrated in FIG. Based on the job type information received by the receiving unit 136, it may be determined whether the operation is an unauthorized operation.

  In addition, the unauthorized operation determination unit 137 may perform an unauthorized operation determination process based on the usage environment information. The usage environment information includes, for example, timing information indicating the timing (time, date, day of the week, etc.) when the image processing apparatus 1 receives a job, installation location information indicating a place where the image processing apparatus 1 that received the job is installed, and a job This is the number of people who are present when a job is received at a place where the image processing apparatus 1 that has received is installed. For example, when the usage environment information indicates the time when a job is received, the unauthorized operation determination unit 137 determines that the operation command is incorrect when the time when the job is received satisfies a predetermined condition (for example, 22:00 to 7:00). It is determined that the operation is incorrect.

  In the present embodiment, the unauthorized operation determination unit 137 takes an example of a case where the unauthorized operation determination process is performed based on the number of times of successful authentication (logged in) from the history information of “login date”. In addition, the unauthorized operation determination unit 137 may perform determination processing based on the number of times including not only the number of successful authentications but also the number of failed authentications. Thereby, even when user authentication has failed many times, it can be determined that a malicious user is performing an unauthorized operation.

  In the present embodiment, the number of authentications is calculated from the history information of “login date” stored in the user DB 135, but the number of authentications itself may be stored in the user DB 135 in association with the user ID. Good. Further, the number of times of authentication so far may be reset (that is, 0 times) by executing the re-authentication process by the re-authentication processing unit 139.

  Further, the unauthorized operation determination process is performed by combining the history information related to the use of the image processing apparatus 1 such as the authentication history information of “login date” stored in the user DB 135 described above, job execution history information, usage environment information, and the like. May be performed. In addition, a fraud level indicating a fraud level is set in advance for each of these pieces of information, and the fraudulent operation determination unit 137 has a predetermined total fraud level obtained by summing the fraud levels set for information satisfying the conditions. The determination process may be performed based on whether or not the threshold value is exceeded.

  In addition, when the total fraud degree exceeds a predetermined threshold, it is not determined that the received operation command is an illegal operation, but a re-authentication method selection unit (not shown) A re-authentication method may be selected. For example, the re-authentication method selection unit refers to a table in which authentication methods and fraud levels are associated with each other as illustrated in FIG. The re-authentication processing unit 139 uses the authentication method selected by the re-authentication method selection unit for the re-authentication process. In this case, the unauthorized operation determination unit 137 determines that the received operation command is an unauthorized operation when either history information or usage environment information satisfies a condition.

  Further, when the “unauthorized use flag” is “ON”, the re-authentication method selection unit may select the authentication method having the highest degree of fraud with reference to the table shown in FIG. In addition, the re-authentication method selection unit may use an authentication method with a degree of fraud closest to the degree of fraud of the re-authentication method used in the other image processing apparatus 1 that has output the fraudulent use information whose “unauthorized use flag” is “ON”. Or an authentication method with a higher fraud level than the fraud level of the re-authentication method used in another image processing apparatus 1 may be selected. In this case, information on the re-authentication method used together with the unauthorized use information and the degree of fraud are output from the unauthorized use information output unit 138 of the other image processing apparatus 1.

  Further, in the present embodiment, the case where the unauthorized use information output unit 138 outputs the unauthorized use information to all the image processing apparatuses 1 included in the image processing system has been described as an example. In addition, the unauthorized use information output unit 138 has another image processing device installed at a location within a predetermined distance from the location where the image processing device 1 determined that the operation command is an unauthorized operation. The unauthorized use information may be output for only one. Even with such a configuration, it is possible to improve security against the use of another image processing apparatus 1 that can be used by a user who has performed an unauthorized operation. Further, since it is not necessary to output unauthorized use information to all the image processing apparatuses 1, it is possible to reduce the load of unauthorized use information output processing.

  Further, in this embodiment, the unauthorized use information update unit 132 sets the “illegal use flag” stored in the unauthorized use DB 133 to “OFF” when a predetermined time has elapsed from the time when the re-authentication process is performed. The case of updating to "" has been described as an example. In addition, the unauthorized use information updating unit 132 illegally uses the unauthorized use information in which the “illegal use flag” is updated to “OFF” when a predetermined time elapses from the time when the re-authentication process is performed. You may output with respect to the information output part 138. FIG.

  Then, the unauthorized use information output unit 138 outputs the unauthorized use information input from the unauthorized use information update unit 132 to another image processing apparatus 1. As a result, the unauthorized use information update unit 132 of the other image processing apparatus 1 acquires the unauthorized use information in which the “illegal use flag” is updated to “OFF”, and the correspondence of the unauthorized use DB 133 of the other image processing apparatus 1 Therefore, the timing of updating the “illegal use flag” to “OFF” can be synchronized with other image processing apparatuses 1.

  In the present embodiment, the unauthorized use information update unit 132 updates the “illegal use flag” to “OFF” when a predetermined time has elapsed from the time when the re-authentication process is performed. explained. However, this is only an example, and when a predetermined time has elapsed from the start time or completion time of the job processing received from the user whose “unauthorized use flag” is “ON”, or the re-authentication processing is predetermined. If the information indicating the status of processing in the image processing apparatus 1 satisfies a predetermined condition, such as when the processing is performed more than once, the unauthorized use flag “” may be updated to “OFF”.

  Further, in the present embodiment, the unauthorized use information output unit 138 acquires the IP address of the other image processing apparatus 1 managed by the management server 3, and the other image processing apparatus 1 based on the acquired IP address. An example in which unauthorized use information is output has been described. However, this is only an example, and it is only necessary that the unauthorized use information can be output to the other image processing apparatus 1 by some method, such as outputting the unauthorized use information to the other image processing apparatus 1 via the management server 3. .

  Further, in the present exemplary embodiment, the case where the re-authentication process is performed before starting the job process when the operation command is determined to be an illegal operation has been described as an example. In addition, when it is determined that the operation command is an illegal operation, the number of pages processed in the received job (for example, the number of sheets output by copy processing in the case of a copy job) is a predetermined number of pages. When the number of pages is 10 or more (for example, 10 pages), the re-authentication process is performed after a predetermined ratio of the number of pages processed in the job (for example, half of the total number of pages) is processed. May be. This makes it possible to perform re-authentication processing even during job processing.

  Next, a second embodiment will be described. In the first embodiment, when the operation command (job) received by the job receiving unit 136 is determined to be an illegal operation, or because the “unauthorized use flag” is “ON”, the operation is illegal. The case where the re-authentication processing unit 139 performs the re-authentication process of the user when it is regarded as an example has been described. In the second embodiment, when the operation command received by the job receiving unit 136 is determined to be an illegal operation, or because the “unauthorized use flag” is “ON”, it is regarded as an illegal operation. In this case, processing is performed to add information that serves as a deterrent to unauthorized operations to the job processing result.

  Hereinafter, when it is determined that the operation instruction received by the job reception unit 136 is an illegal operation or when the “invalid use flag” is “ON”, the operation instruction is regarded as an illegal operation. It is simply described as “when the operation command is determined to be an illegal operation”.

  FIG. 11 is a block diagram illustrating a functional configuration of the main control unit 130 in the second embodiment. As shown in FIG. 11, the main control unit 130 has a configuration in which the re-authentication processing unit 139 shown in FIG. Only the components different from those shown in FIG. 4 will be described below.

  The information addition control unit 142 is configured to add a predetermined information to the result data output or generated by the processing based on the operation command when the operation command is determined to be an illegal operation. 140 is controlled. Specifically, for example, when the operation command is a copy job, the information addition control unit 142 prints a copy-forgery-inhibited pattern that can be secondarily copied on a printed sheet. 140 is controlled.

  Under the control of the information addition control unit 142, for example, the job processing unit 140 prints “COPY” background pattern as additional information in addition to an image printed in a hatched area as shown in FIG. Process the job to

  In addition, for example, when the operation command is a print job, the information addition control unit 142 can determine who printed when and when the copy-forgery-inhibited pattern (for example, the user ID authenticated by the authentication processing unit 134 and the date when the job was executed). The job processing unit 140 is controlled to print the printed background pattern) on the printed paper.

  When the operation command is a scan job or a fax job, the information addition control unit 142 adds the user ID and the date and time as described above to the read image generated by the reading process or the image to be faxed. The job processing unit 140 is controlled to superimpose information. Also, when the operation command is a copy job, such additional information may be printed instead of the characters “COPY”. Such a copy-forgery-inhibited pattern may be printed on the header area or footer area of the paper or image.

  As described above, in the second embodiment, when it is determined that the operation command is an illegal operation, it is a secondary copy for the job processing result data, and who executed it when. This information is added, so that it becomes a deterrent to unauthorized operation by a malicious user, and it is possible to improve security for use of each information processing apparatus such as the image processing apparatus 1.

  In the second embodiment, the case has been described as an example in which additional information is superimposed in a visible state on a printed sheet, a read image, a transmission target image, and the like. However, this is only an example, and when additional information is superimposed on a recording medium such as a paper to be printed, the additional information is superimposed on the paper by ink or the like that displays the additional information by applying light of a specific wavelength. May be. In addition, when information is added to image data such as a read image or a transmission target image, the additional information may be added to the read image or the transmission target image as metadata. Further, such metadata may be assigned to each page of the image. Thus, by allowing metadata to be assigned to each page, it is possible to perform processing for preventing unauthorized use even during job processing.

  Also in the second embodiment, similarly to the case described in the first embodiment, the unauthorized operation determination unit 137 may perform determination processing by combining a plurality of pieces of history information. The determination process may be performed based on the determination process.

  Next, a third embodiment will be described. In the third embodiment, processing for storing information related to execution of job processing in a storage medium is performed. FIG. 13 is a block diagram illustrating a functional configuration of the main control unit 130 in the third embodiment. As shown in FIG. 13, the main control unit 130 is configured by replacing the re-authentication processing unit 139 shown in FIG. 4 with a storage processing unit 143. Only the components different from those shown in FIG. 4 will be described below.

  The storage processing unit 143 determines that the operation command received by the job reception unit 136 is an illegal operation or if the operation command is regarded as an illegal operation because the “unauthorized use flag” is “ON”. In addition, the image used for job processing and the still image and moving image of the user who performs job processing are stored in the job history DB 141.

  Hereinafter, when it is determined that the operation instruction received by the job reception unit 136 is an illegal operation or when the “invalid use flag” is “ON”, the operation instruction is regarded as an illegal operation. It is simply described as “when the operation command is determined to be an illegal operation”.

  FIG. 14 is a diagram illustrating job history information stored in the job history DB 141 in the third embodiment. As shown in FIG. 13, the job history information in the third embodiment is associated with “data storage destination”, “still image storage destination”, and “moving image storage destination” in addition to the job history information shown in FIG. Table structure.

  The “input data storage destination”, “still image storage destination”, and “moving image storage destination” are respectively input data used when processing a job, a storage area in which a still image and a moving image of a user who executed the job are stored (for example, , File path).

  For example, when the job is a copy job, a scan job, or a fax job, the storage processing unit 143 reads and processes an input document (for example, a document to be copied in the case of a copy job) used when processing these jobs. The read image generated in this manner is stored in the storage area as input data, and information indicating the storage area in which the read image is stored is stored in the “input data storage destination” associated with the job execution history.

  When the job is a print job, the storage processing unit 143 stores the output target image in the storage area as input data, and stores the output target image in the “input data storage destination” associated with the execution history of the job. The stored storage area is stored. However, the storage process of the output target image in the storage area is not essential, and if the storage process of the output target image in the storage area is not performed, the “input data storage destination” may be blank.

  Further, when executing the job, the storage processing unit 143 stores a still image or a moving image obtained by photographing the face of the user who executes the job in the storage area, and stores the “still image storage” associated with the execution history of the job. Information indicating a storage area in which a still image or a moving image is stored is stored in “destination” or “moving image storage destination”.

  For example, when a message prompting the user to shoot a face is displayed on the display panel 113 when executing a job, the user's face is brought closer to the display panel 113, so that the camera shown in FIG. A still image or a moving image of the user's face is taken by the imaging device 119 such as the above. The job processing unit 140 may not start job processing until a still image or a moving image of the user's face is stored in the storage area.

  As described above, in the third embodiment, when it is determined that the operation command is an illegal operation, the image of the input data used when executing the job or the user who executes the job is recorded. If an illegal operation is performed by recording an image, it is easy to track the user who has performed the operation and the operated data, and thus security for the use of the information processing apparatus such as the image processing apparatus 1 is ensured. It becomes possible to improve. In addition, when the user knows that such data is recorded, it also serves as a deterrent to unauthorized operation, so it is possible to improve security against the use of an information processing apparatus such as the image processing apparatus 1. .

  In the third embodiment, an example in which an image of input data used for job processing is stored in a storage area has been described as an example, but this input data is data that has been subjected to OCR (Optical Character Reader) processing. Also good. In this case, since the input data can be searched by the character string, the manager of the image processing apparatus 1 can easily find the necessary input data.

  In the third embodiment, the case where the input data used for job processing and the user's image are recorded has been described as an example. However, any one of predetermined data may be recorded. Also in the third embodiment, similarly to the case described in the first embodiment, the unauthorized operation determination unit 137 may perform determination processing by combining a plurality of pieces of history information. The determination process may be performed based on the determination process. Further, the storage processing unit 143 may determine which data is to be recorded or whether the input data and the user image are to be recorded based on the total degree of fraud.

  The re-authentication processing unit 139 in the first embodiment, the information addition control unit 142 in the second embodiment, and the storage processing unit 143 in the third embodiment determine that the operation command is an illegal operation. When it is done, it functions as a fraud prevention processing unit that performs processing for preventing unauthorized use of the image processing apparatus 1.

  And you may combine two or more processes in these 1st to 3rd embodiments which function as a fraud prevention processing part. For example, the re-authentication process in the first embodiment may be performed, and the process of adding information to the result data in the second embodiment may be performed. Further, a combination of processes may be determined according to the above-described total fraud degree. Further, a combination of processes used in another image processing apparatus 1 that has output unauthorized use information whose “unauthorized use flag” is “ON” may be used. Further, the combination of processes may be determined according to the fraud degree higher than the fraud degree calculated in the other image processing apparatus 1 that has output the fraudulent use information whose “illegal use flag” is “ON”. .

  In the first to third embodiments, the image processing apparatus 1 has been described as an example of the information processing apparatus. However, this is merely an example, and the present invention performs data processing in accordance with an operation command such as an operation command to copy data to another device connected via a network or an operation command to send text data by e-mail. The present invention can be applied to an information processing apparatus such as a PC that performs the above and an information processing system including these information processing apparatuses.

DESCRIPTION OF SYMBOLS 1 Image processing apparatus 2 Client terminal 3 Management server 10 CPU
20 RAM
30 ROM
40 HDD
50 I / F
60 LCD
70 Operation Unit 80 Bus 100 Controller 101 Engine Control Unit 102 Input / Output Control Unit 103 Image Processing Unit 104 Operation Display Control Unit 110 ADF
111 Scanner Unit 112 Paper Discharge Tray 113 Display Panel 114 Paper Feed Table 115 Print Engine 116 Paper Discharge Tray 117 Network I / F
118 Short range communication I / F
119 Imaging Device 130 Main Control Unit 131 Unauthorized Use Information Receiving Unit 132 Unauthorized Use Information Update Unit 133 Unauthorized Use DB
134 Authentication processing unit 135 User DB
136 Job reception unit 137 Unauthorized operation determination unit 138 Unauthorized use information output unit 139 Re-authentication processing unit 140 Job processing unit 141 Job history DB
142 Information Addition Control Unit 143 Storage Processing Unit

JP-A-2005-107712

Claims (10)

An information processing apparatus that allows a user who has been authenticated according to a predetermined authentication method to use the apparatus,
An operation command receiving unit that receives an operation command from a user who is authenticated in accordance with the predetermined authentication method;
An unauthorized operation determination unit that determines whether or not the received operation command is an unauthorized operation;
When the authenticated user is specified in the unauthorized user list information in which the user determined to have performed an unauthorized operation is specified or when the operation command is determined to be an unauthorized operation, A fraud prevention processing unit for performing processing for preventing unauthorized use of the information processing apparatus;
An unauthorized use information output unit that outputs unauthorized use information indicating that the authenticated user's operation command is an unauthorized operation when the operation command is determined to be an unauthorized operation;
An information processing apparatus comprising: an unauthorized user list information update unit that acquires the unauthorized use information output from another information processing apparatus and updates the unauthorized user list information. The unauthorized use information output unit outputs the unauthorized use information to another information processing apparatus installed within a predetermined distance from a place where the information processing apparatus is installed. The information processing apparatus according to claim 1. The unauthorized user list information update unit is authenticated from the information of the user specified in the unauthorized user list information when the information indicating the processing status in the information processing apparatus satisfies a predetermined condition. The information processing apparatus according to claim 1, wherein user information is excluded. The information processing apparatus according to any one of claims 1 to 3, wherein the fraud prevention processing unit performs an authentication process on the user according to an authentication method different from the predetermined authentication method. . The fraud prevention processing unit adds predetermined information to information acquired as a result of processing based on the received operation command. The information processing apparatus according to item. The information processing apparatus according to claim 1, wherein the fraud prevention processing unit stores image information related to processing based on the received operation command in a storage medium. The unauthorized operation determination unit determines whether the operation command is an unauthorized operation based on history information indicating the number of times the authenticated user is authenticated according to the predetermined authentication method. The information processing apparatus according to any one of claims 1 to 6. The unauthorized operation determination unit determines whether the operation command is an unauthorized operation based on history information of a process based on the operation command from the authenticated user. The information processing apparatus according to any one of 1 to 7. An information processing system that permits a user who has been authenticated in accordance with a predetermined authentication method to use the information processing apparatus,
An authentication processing unit for processing whether to authenticate a user of the information processing apparatus according to a predetermined authentication method;
An operation command receiving unit that receives an operation command from a user who is authenticated in accordance with the predetermined authentication method;
An unauthorized operation determination unit that determines whether or not the received operation command is an unauthorized operation;
When the authenticated user is specified in the unauthorized user list information in which the user determined to have performed an unauthorized operation is specified or when the operation command is determined to be an unauthorized operation, A fraud prevention processing unit for performing processing for preventing unauthorized use of the information processing apparatus;
An operation command processing unit for performing processing based on the operation command;
An unauthorized use information output unit that outputs unauthorized use information indicating that the authenticated user's operation command is an unauthorized operation when the operation command is determined to be an unauthorized operation;
An information processing system comprising: an unauthorized user list information update unit that acquires the unauthorized use information output from another information processing apparatus and updates the unauthorized user list information. A control program for controlling an information processing apparatus that permits a user who has been authenticated according to a predetermined authentication method to use the apparatus,
Receiving an operation command from a user authenticated in accordance with the predetermined authentication method;
Determining whether the received operation command is an illegal operation;
When the authenticated user is specified in the unauthorized user list information in which the user determined to have performed an unauthorized operation is specified or when the operation command is determined to be an unauthorized operation, Performing a process for preventing unauthorized use of the information processing apparatus;
Outputting the unauthorized use information indicating that the authenticated user's operation command is an unauthorized operation when the operation command is determined to be an unauthorized operation;
A control program that causes the information processing apparatus to execute the step of acquiring the unauthorized use information output from another information processing apparatus and updating the unauthorized user list information.