WO2007034535A1 - Network device, data relay method and program - Google Patents

Network device, data relay method and program

Info

Publication number
WO2007034535A1
Authority
WO
WIPO (PCT)
Prior art keywords
packet
information
received
network
predetermined
Prior art date
Application number
PCT/JP2005/017264
Other languages
English (en)
Japanese (ja)
Inventor
Takayuki Nishio
Original Assignee
Gideon Corp.
Priority date
Filing date
Publication date
Application filed by Gideon Corp.
Priority to PCT/JP2005/017264 (WO2007034535A1)
Priority to JP2007536356A (JP4526566B2)
Publication of WO2007034535A1


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 47/00 Traffic control in data switching networks
    • H04L 47/10 Flow control; Congestion control

Definitions

  • Network device, data relay method, and program
  • The present invention relates to a network device, data relay method and program installed in a network having a plurality of lines, and in particular to one that checks information flowing on the network, judges whether a packet received from a transmission source should be transferred to its destination, and, if necessary, notifies a network administrator or the like with an alarm.
Background art
  • Patent Document 2 proposes a technique that provides a stealth function hiding one's identity in the IP layer with respect to the transmission and reception of information.
  • Patent Document 3 describes a technology related to a switch that detects illegal packets in the transmission and reception of information within a LAN and between a LAN and a WAN.
  • Patent Document 1: Japanese Patent Laid-Open No. 10-320186
  • Patent Document 2: Japanese Patent Laid-Open No. 2002-366674
  • Patent Document 3: Japanese Patent Laid-Open No. 2003-348113
Disclosure of the Invention
Problems to be Solved by the Invention
  • In the technique of Patent Document 2, it is possible to hide one's presence in the IP layer without affecting the network, but it is not possible to extract a specific packet from all packets flowing on the network. Only when a transmission request is made to the other party can a packet be captured, and only one based on the preset IP address that was used.
  • In the technique disclosed in Patent Document 3, which provides a switch with a virus check function, when checking, for example, a file containing a virus attached to an e-mail, it cannot be said that buffering all the files would be fast enough. Moreover, it is not disclosed at all whether the packet bitstream is monitored in real time.
  • The present invention has been made in view of such conventional problems. Its purpose is to monitor information transmitted and received not only in communication with the outside of the network but also in communication between internal terminals, to extract packets containing information that meets predetermined conditions without affecting the network, and to discard them from the network or process them and return them to the network. It is also intended to provide a network device, data relay method and program that do not affect the existing network regardless of where in the network they are installed.
  • A network device according to the present invention is a device installed between devices that communicate via a network, which transparently relays the data transmitted and received between those devices, comprising: packet receiving means that receives a packet addressed to another device from one device; application identifying means that determines the application type of the received packet using a predetermined application identification method; and packet content check means that forms a series of data from the plurality of packets received by the packet receiving means, based on the application type determined by the application identifying means, and, when the data meets a predetermined condition, changes at least one packet in the group and sends it to the other (destination) device, and otherwise sends the plurality of received packets directly to the destination device.
  • When a packet of the application type identified by the specified application identification method on the packet stream flowing on the network contains information corresponding to a predetermined condition, for example invalid data such as a malicious virus, the corresponding packet stream can be discarded, or processed and sent to the destination address, without affecting the network.
  • The information corresponding to the predetermined condition is not limited to malicious viruses: packets containing a specified content pattern or other predetermined information can also be extracted and discarded.
  • It is also preferable that the packet content check means completes the packet exchange normally on the transmission side, while on the destination side the contents of the packet are modified according to the application so that it appears that reception has failed, and the destination is notified, according to the application, that information corresponding to the predetermined condition has been received.
  • According to the present invention, when information corresponding to a predetermined condition is received, the information can be extracted without the transmission source becoming aware of it, because packets are transmitted and received normally with the transmission source. If the packet is an illegal packet such as a virus, the packet received at the destination can be modified so that it cannot be processed on the destination side. Furthermore, the destination terminal can be given a sense of security by notifying it that information corresponding to the predetermined condition has been found.
  • The packet content check means includes a stream check process, which checks the packet stream in real time based on the application type of the packets, and a post-assembly check process, which checks after the packets have been assembled; it is preferable that the packet content is checked by at least one of these processes.
  • When the contents are checked after all packets have been assembled, a check with a high degree of completeness is possible.
  • However, because buffering is required, processing speed matters, and high performance may be required depending on the location in the network.
  • In the stream check process, buffering is minimal, and if information meeting the specified condition is not found at the time of checking, the packets are immediately returned to the network, which avoids a network bottleneck.
  • If information meeting the condition is found in the middle of data sent or received by an application such as e-mail or FTP, the preceding packets have already been returned to the network and may have arrived at the destination.
  • In that case the remaining packets are processed, rather than sent as they are, so that an illegal packet such as a virus does not function erroneously on the destination side, and safety is guaranteed.
  • The packet receiving unit stores the destination address of the received packet.
  • When the packet content checking unit includes both the stream check process and the post-assembly check process, packets that were missed by the real-time check and already sent to the destination can be checked and discovered after assembly, and the destinations to which they were already sent can be notified afterwards, which provides an extremely detailed service.
  • It is also preferable that the packet content check means is configured to notify a predetermined specific destination address when it determines that the predetermined condition is met.
  • The packet content check means may also be configured to activate a notification means that can be recognized by a person when information corresponding to the predetermined condition is identified.
  • Such notification means include lighting or blinking of a lamp, sounding, generation of a smell, etc., so that notification is made by means that are easy for humans to understand.
  • When the packet content check means notifies a predetermined destination address, it is also preferable that it can select whether to use the destination IP address of the received packet or the IP address that the device itself has. By using (impersonating) the destination IP address, the device can remain hidden from the network; if it uses its own IP address, it reveals its presence by notifying the outside of the information.
  • At least one of update information for the application identification method, the information corresponding to the predetermined condition, and the packet content check means is acquired from the network.
  • Although the application identification method, the predetermined condition and the packet content check means are registered in the network device from the beginning, acquiring their contents from outside in order to cope with changes in the situation makes it possible to deal with various situations.
  • At least one of the plurality of lines of the network device is configured to be connected to a network different from the network to which the other lines are connected.
  • That line serves as a specific line used as the destination for notifying that information corresponding to the predetermined condition has been received.
  • When the packet content check means performs the content check of received packets after they are assembled, it is also preferable to configure it so that it checks only at a predetermined interval or at a predetermined position of the packet stream.
  • When checking a packet stream in real time, the load on the network device can be reduced by checking packets selected by a predetermined interval, a predetermined position in the packet stream, or a method determined from outside, instead of checking all target packets.
  • The predetermined interval and the position in the packet stream can be determined for each application so that they cover the places where information corresponding to the predetermined condition is most likely to appear.
  • At least one of the application identification method and the information corresponding to the predetermined condition is provided for each line.
  • When the network device has a plurality of lines, the contents of the information corresponding to the predetermined condition can be set for each line, so different settings can be made per line.
  • The predetermined condition of the packet content check means includes a computer virus.
  • The pre-specified applications include POP, SMTP, FTP, HTTP, SM
  • When the predetermined application type is a mail protocol and a computer virus is detected by the packet content check means after assembling the packets, it is also preferable that the packet content check means executes at least one of the following processes: modifying the MIME (Multipurpose Internet Mail Extensions) header so that the attached file is not readable, deleting all attached files, and adding a new header indicating that an illegal packet has been received; it then transmits the received packet to the destination address and notifies the predetermined destination address that a computer virus was detected.
  • Because the MIME of an illegal attachment such as a virus received by mail is made unreadable, the corresponding executable file is not started by clicking on it in a mailer or the like.
  • Deleting the attached file eliminates the possibility of problems, and it is possible to notify that invalid information has been received simply by adding a header, without changing the attached information.
  • The mail protocol is POP, SMTP, IMAP, etc.
  • It is also preferable to configure the packet content checking means so that packet transmission and reception with the transmission source ends normally, the content of the packet to be transmitted to the destination is modified before transmission, and the information corresponding to the predetermined condition is notified to the predetermined destination.
  • In this way, communication with the transmission source is terminated normally, the communication with the destination carries modified information that does not affect the destination, the destination registered in advance can be notified that information corresponding to the predetermined condition has been received, and the information for the destination can be processed without any problem and without affecting communication with the transmission source.
  • When the packet received by the packet receiving means belongs to a predetermined application, packets or application data containing the predetermined information can be stored so that they can be used for subsequent investigation.
  • The stored series of information may be configured to be accessible from the internal network.
  • A network device according to another aspect of the present invention is a device installed between devices that communicate via a network, which transparently relays data transmitted and received between those devices, comprising packet receiving means for receiving a packet addressed from one device to another device, application identifying means for determining the application type of the received packet using a predetermined application identification method, and a packet received by the packet receiving means
  • According to this aspect of the present invention, for each application it is possible to determine whether predetermined information is included in the communication of that application and to perform a predetermined operation per application. For example, if a file contains personal information, in-house confidential information, an employee database, etc., or if someone tries to obtain such information via FTP or HTTP, the transmission of the file can be stopped, the IP address performing the FTP or HTTP transfer can be identified and recorded, and leakage of personal and confidential information can be prevented.
  • When the application type is a mail protocol, it is also preferable to configure the device so that, as the predetermined operation, the relay of mail having the same mail source address and mail destination address is banned.
  • A data relay method according to the present invention is a method for transparently relaying data transmitted and received between devices connected via a network, comprising: a step of receiving a packet addressed from one device to another device; a step of determining the application type of the received packet using a predetermined application identification method; and a step of forming a series of data from the plurality of received packets based on the determined application type and, when the data meets a predetermined condition, changing at least one packet in the plurality of packet groups and transmitting it to the other device that is the destination, and, when the predetermined condition is not met, transmitting the received plurality of packet groups directly to the other device as the destination.
  • A data relay method according to another aspect is a method for transparently relaying data transmitted and received between devices, performed by a device installed between the devices communicating via a network, from one device to another.
  • A data relay program according to the present invention operates on a device installed between devices communicating via a network that transparently relays data transmitted and received between those devices, and causes the device to execute: a process of receiving a packet addressed to another apparatus from one apparatus; a process of determining the application type of the received packet using a predetermined application identification method; and a process of forming a series of data based on the determined application type and, when the data meets a predetermined condition, changing at least one of the plurality of packets and transmitting it to the destination device, and, when the predetermined condition is not met, transmitting the received plurality of packets directly to the destination device.
  • A data relay program according to another aspect operates on a device installed between devices communicating via a network that transparently relays data transmitted and received between those devices, and causes the device to execute: a process of receiving a packet addressed to another apparatus from one apparatus; a process of determining the application type of the received packet using a predetermined application identification method; a process of monitoring whether the received packet, or a series of data formed from the received packets, includes predetermined information; and, if the predetermined information is included, a process of storing the packet or series of data containing it and executing a predetermined operation based on the application type.
  • An illegal packet is, for example, a file attached to an e-mail that poses a threat to the operation of the terminal, depending on the OS, the program that executes the file, or the program that runs when the file is expanded.
  • SYN packets used in SYN floods and packets used in DoS (Denial of Service) attacks that cause buffer overflows are also illegal packets.
  • The network device can be installed without affecting the network; packet transmission and reception occurring between a local terminal and a server in the network, or between a local terminal and the WAN, can be checked, and packets containing information that meets predetermined conditions can be extracted and processed.
  • FIG. 1 shows a connection configuration diagram in the network of the network device 1 according to the first embodiment of the present invention.
  • An internal network 9 is connected to an external network via a communication network 4 such as the Internet (registered trademark), and an information storage server 7 that stores various information related to the network device 1 is installed in the external network in a state where it can connect to the network device 1.
  • The internal network has a router 2 connected to the communication network 4 that controls the transmission and reception of information between the internal devices and devices connected to the external network.
  • The network device 1 can be installed between the router 2 and the switch 3.
  • When installed between the router 2 and the switch 3, the network device 1 monitors communication between the terminals in the LAN and the outside, but cannot monitor information exchanged between terminals within the LAN. It can also be installed as switch 3, in which case all packets flowing through switch 3 can be monitored, including information within the LAN of internal network 9.
  • The upper level switch 3 is connected to the next level switch 31; switching hubs or shared hubs 6 are connected below switch 31, and PCs or servers 5 are connected to each of them.
  • The network device 1 can also be installed as the next level switch 31 as described above. Furthermore, it can be built into a line connected between the router 2 and the switch 3, for example a cable such as Category 5 or 6. In this way the network device 1 can be installed at the locations indicated by arrows: between the router 2 and switch 3, between switch 3 and switch 31, and at all locations including the cables connecting router 2, switches 3 and 31, hub 6 and PCs 5.
  • FIG. 2 shows a functional block diagram of the network device 1.
  • The network device 1 includes: a plurality of lines 12; a packet receiving unit 121 that processes packets received on each line and a packet transmission unit 122 that processes packets to be transmitted; a central processing unit 13 containing various processing means; a storage unit 14 that stores the data used by the various processes; an input unit 15 that receives input from an external input device and notifies the central processing unit 13; a display unit 16 that displays notification information from the central processing unit 13 on a display device; a notification dedicated line 17, which is the line used for notification when information corresponding to the specified condition is identified in a received packet or a packet to be transmitted; and a lamp/alarm device 18 that likewise notifies when such information is identified.
  • The central processing unit 13 is composed of the following means:
  • Data input/output means 133, which receives data such as system information, data related to the entire system, application information and data corresponding to the specified conditions from the input unit 15 or from the network, stores it in the corresponding area of the storage unit 14, and retrieves it from the storage unit 14 when necessary;
  • Application identification means 134, which identifies the packet type based on information acquired from the application identification information file 145;
  • Packet content checking means 135, which checks the contents of the identified packet and searches for predetermined information that meets the predetermined condition;
  • Packet processing means 136, which processes the packet contents and sends the received information to the destination;
  • Reception notification means 137, which notifies a predetermined notification destination that predetermined information corresponding to the condition has been received;
  • Buffer control means 138, which controls buffers such as the reception buffer 142 that stores information received by the packet transmission/reception processing means 131, the transmission buffer 141 used for transmission, and the assembly buffer 143 used to assemble received packets into one message.
  • The storage unit 14 stores the transmission buffer 141, the reception buffer 142, the assembly buffer 143, and a MAC address file that records the association between destination MAC addresses and lines, used when a received packet is transmitted to its destination.
  • Buffers that are constantly rewritten during operation are stored in RAM (Random Access Memory), while the predetermined information 146, the application identification information file 145, the system/line corresponding data 147 and other information that must survive a power cut or momentary power loss are stored in flash ROM (Read Only Memory) or on a hard disk.
  • The input unit 15 may be connected to a keyboard, or may be provided with a serial interface so that a serial console can be connected.
  • The display unit 16 may have a monitor interface, or may be configured to deliver information such as messages over the serial interface.
  • The default notification destination is the predetermined destination that is notified when predetermined information is identified in a packet; the notification dedicated line 17 may also be designated.
  • The default update destination is the destination from which the application identification information and the predetermined information, such as virus pattern files and inference engines, are updated; its domain name is set at the time of factory shipment.
  • The MAC address field stores the MAC address unique to this network device. The device's own IP address may be set to a fixed IP address such as “192.168.10.10” at the time of factory shipment, or obtained using DHCP (Dynamic Host Configuration Protocol) and the acquired IP address registered.
  • A column is provided so that ID and password information can be registered for operations such as rewriting the environment setting data by communicating with the network device 1; for example, a default value such as admin/admin is entered.
  • The data corresponding to a line is shown in FIG.
  • The packet check method sets either “real-time” or “after assembly” as the operation mode for the line: stream check processing is performed when checking in real time, and post-assembly check processing is performed when checking after assembly. “Real-time” is set as the default value.
  • The application list registers the applications to be checked on the line. For example, POP, SMTP, FTP, HTTP, etc. are set as check targets by default, and SMB, CIFS (port number 445) and other applications used for Windows (registered trademark) network sharing can also be registered.
  • The system data and application data shown in Figs. 3 and 4 have default values, such as those set at factory shipment, and can be changed while the device is powered and operating.
  • FIG. 5 shows the data corresponding to an application.
  • For each application such as POP, SMTP, FTP, HTTP, etc., the following can be registered: a “packet notification method”; the “IP address used during communication”; “regulation of operation”, the rules for the operations performed when packets are received and checked; “information reception notification”, a list of destinations to notify when predetermined information is identified in a packet; and the “predetermined information” itself.
  • The “packet notification method” is configured so that at least one of “packet discard”, “process and send”, “notify alarm device” and “notify dedicated line for notification” can be selected.
  • The “IP address used during communication” registers the IP address used when the network device 1 communicates with the outside. “Self IP address”, “destination IP address”, “source IP address”, “specific IP address”, “notification on notification private line”, etc. can be selected. Alternatively, it can be expressed as a list with a use/do-not-use flag for each entry.
  • The “regulation of operation” includes: “whether communication is normally terminated with the transmission destination”; “whether to notify the destination”, which specifies whether the destination is notified that predetermined information has been received; the “information modification method” used when data is sent with modifications; “operation when not found in real time but found in assembly”, which specifies the action taken when predetermined information that was not detected in the real-time stream check process is found in the post-assembly check process; and the “thinning method for real-time detection”, which specifies how the check is thinned out when checking in real time. The “real-time detection thinning method” is not listed, but there is also an option “don’t skip”. In “information reception notification”, the notification destinations are registered as a list as shown in FIG.
  • FIG. 6 shows the configuration of a file that stores MAC addresses of terminals connected to the line when packets are transmitted and received.
  • Figures 7 and 8 show the structure of the IP header and the structure of transmitted and received messages. Actual communication is performed using MAC addresses, but the destination port number in the TCP data carried in the IP packet is referenced to identify the application. For example, the POP application uses port number 110, SMTP uses 25, FTP uses 20 and 21, and HTTP uses 80.
  • The data structure is divided into a physical layer, a data link layer, a network layer and a transport layer according to the layering concept of the OSI reference model, and the data sent by each layer wraps the data of the layer above it.
  • FCS: Frame Check Sequence
  • The IP header further includes information such as the IP version, header length, type of service that defines the service priority, packet length, and so on. Since IP is the network layer, the header contains the source IP address and destination IP address, which specify the communicating terminals by IP address.
  • In TCP, which is the transport layer, communication between applications running on the communicating terminals is identified by the source port number and destination port number.
  • the network device 1 is functionally configured as described above, and the operation thereof will be described below.
  • FIG. 21 shows an operation flow relating to registration of various data.
  • The network device 1 according to the present embodiment has default values, such as factory-default system data, data related to application information, and data such as the predetermined information; their contents can be changed by connecting a serial line, system console, keyboard, etc. to the input unit 15, or from outside via the communication network 4 using telnet or ssh (Secure SHell).
  • FIG. 21 is an operation flow diagram in which a maintenance person connected to the network device 1 changes the contents of the data by the above method.
  • The data registration operation is described below with reference to FIG. 21, which shows the case where the system console is connected via, for example, a serial line.
  • When the system console is connected, the network device 1 requests input of an ID and password in order to change the environment setting data (S211a). If the connection is made via the communication network 4, some kind of encryption is required; in the case of ssh the connection is encrypted, so the entered ID and password are not stolen. In the case of the system console, which is directly connected, encryption may be performed but is not particularly necessary.
  • The system console receives the prompt for the ID and password (S211b), displays it on the screen, and transmits the ID and password entered by the maintenance person (S212b). If communication with the network device 1 uses ssh or the like, this transmission is encrypted, and the network device 1 therefore also needs an ssh function. On receiving the ID and password (S212a), the network device 1 compares them with the registered ID and password shown in FIG. 3 (S213a). If they do not match (NG), it creates and sends an NG screen (S214a) and returns to step S211a, repeating the process until the ID and password match. The system console that receives the NG screen displays it and returns to step S211b (S213b).
  • FIG. 9 shows an operation flow when the network device 1 receives a TCP packet, for example.
  • The hardware that performs reception, or the firmware that runs on that hardware, is activated periodically, and the packet delivered from the line is placed in the reception buffer 142 (S91).
  • When performing processing such as responding to a packet in the receive buffer 142, the network device 1 determines, according to the application, whether to use its own MAC address or the destination MAC address to communicate with the source address. If its own MAC address is not used, communication processing is performed using the destination MAC address (S93).
  • If its own MAC address is used, communication processing is performed using the device's own MAC address (S94).
  • When the network device 1 according to the present invention is installed in an already configured network, existing and future communication proceeds independently of the settings of the existing devices, so the device can communicate without affecting that communication.
  • "No effect" here means both that IP-layer communication is unaffected and that, even where MAC addresses are used, the data link layer is unaffected.
  • Concretely, packets of applications other than the registered ones (POP, SMTP, FTP, HTTP, etc.) are passed through without modifying the source and destination MAC addresses. For registered applications, the network device 1 takes in the information and mediates on behalf of the application, but it must operate without the endpoints being aware that mediation is taking place. Therefore, the transmission and reception processing of each application is performed "in correspondence with the application".
  • The packet transmission process runs periodically. To identify the line connected to the terminal indicated by the destination address, the registered destination address is looked up in the address information shown in Fig. 6, and the connected line is identified (S101).
  • It is then determined whether the information in the transmission buffer is to be sent to the identified line using the device's own MAC address or the destination MAC address (S102). If its own MAC address is not used, the packet is transmitted without changing the MAC address (S103).
  • Otherwise, communication processing is performed using the device's own MAC address (S104). In this way, when information is mediated, the mediation is not visible at the IP layer or the data link layer, just as in reception processing.
  • the received packet is processed as shown in FIG. 9 and remains in the reception buffer 142.
  • Figure 11 shows the packet content check operation flow for selecting information from the receive buffer 142, which is described below.
  • The registered application information is obtained by reading the line correspondence data shown in FIG. 4 (S111).
  • The packet information received in the reception buffer 142 is read (S112).
  • It is checked whether the application is registered by examining the TCP destination port number in the contents of the read packet (S113). For example, if POP, SMTP, FTP, HTTP and CIFS are registered to be checked, it is checked whether the destination port number is 25 (POP), 110 (SMTP), 20 (for FTP data communication), 80 (HTTP) or 445 (CIFS: Windows network share). If the destination port number matches none of the applications set in Fig. 4, the received packet is sent unchanged to the line corresponding to the destination MAC address, and the receive buffer is cleared (S11A).
  • When assembly is complete, the content check is performed (step S117).
  • Whether the predetermined information exists is determined from the return value (S118). If the predetermined information is not included, the contents of the receive buffer 142 or the assembly buffer 143 are sent as they are to the destination MAC address, after which the transmission buffer is cleared and the reception buffer 142 or assembly buffer 143 is cleared (S11A). If the predetermined information is included, the "packet handling routine" is started (S119). The above operation is repeated for all lines (S11B).
  • It is determined whether the operation mode is the real-time check mode (S121).
  • If so, the check target is the reception buffer 142 (S122).
  • Otherwise, the check target is the assembly buffer 143 (S123).
  • The predetermined information, or the information corresponding to the line and application, is extracted from the predetermined information 146, and the check target buffer is searched for the acquired predetermined information (S124).
  • In the real-time check, the check target is the reception buffer 142 (S132). If it is a post-assembly check rather than a real-time check, the check target is the assembly buffer 143 (S133). It is then determined whether the device is set to process the received content and send it to the destination (S134).
  • If so, the "processing transmission routine" is started (S135), and the process proceeds to step S136. If it is not processing transmission, it is determined whether to discard the received content (S136). If set to discard, the contents of the reception buffer 142 or the assembly buffer 143 are discarded and the process proceeds to step S138. If not discarded, it is determined whether the device is set to notify that predetermined information has been received (S138). If so, the "predetermined information reception notification routine" is started (S139) and the process ends; otherwise, the process simply ends.
  • [5. Operation to check and send received information to destination]
  • It is determined whether the check is a real-time check (S141). If it is a post-assembly check rather than a real-time check, the process proceeds to step S151 in FIG. The operation flow for checking after assembly is described later.
  • A message to be sent to the destination, corresponding to each application, is acquired (S142). The message to be transmitted to the destination is obtained from the processing message file shown in FIG.
  • A message corresponding to the application is acquired from the processing message file shown in FIG. 16 (S151), and the processing is then branched for each application (S153). Since the packet has been assembled, all information such as messages or files exists in the assembly buffer 143, and various kinds of processing can be performed.
  • the processing method shown in FIG. 17 is obtained (S154).
  • The processing method shown in FIG. 17 may be configured in a format linked from "processing and transmission" in the packet notification method for each application shown in FIG. In this embodiment, four types of processing method are described: "Send all to destination", "Send everything and add a header indicating that the specified information has been received", "Change the MIME part of the attached file so that it cannot be clicked in the receiving mailer", and "Transmit everything and add header".
  • The contents of the mail are processed according to the acquired processing method (S155) and sent to the destination mail address (S156).
  • Thereafter, the same processing as in the real-time check is performed (steps S157 to S15E correspond to S146 to S14D).
  • The IP address to be used is selected from the "own IP address" fixed by the user or obtained by DHCP, the "destination IP address" specified by the sender, the "source IP address", and a "specific IP address" specified by the user other than the above.
  • a notification method for notifying that predetermined information has been received is obtained from the file specifying the information reception notification method shown in FIG. 20 (S182).
  • The following four notification methods are described.
  • Method: "The matched specified information itself and the series of all received packets including its contents."
  • Method: "The matched predetermined information itself and the packets containing its contents." Such methods are registered.
  • The notification destination for when predetermined information is received is acquired from the "information reception notifier list" shown in FIG. 20 (S183).
  • In the present embodiment, as shown in FIG. , there are four destinations, and a notification method is registered for each in "Information Notification Method". For example, for the administrator who is registrant 1, the e-mail address [email protected] is registered, and notification method "1", "Send the matched specified information itself and the series of all received packets including its contents", is selected.
  • The information is sent to the notification destination by the acquired notification method.
  • The above operation is performed for all notification destinations (S185).
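The packet content check (FIG. 11), content check (FIG. 12) and packet handling (FIG. 13) routines described above, together with notification method 1, as an added Python model that is not part of the patent. It uses the standard IANA port assignments for the registered applications; the pattern list, per-application settings, marker header and sample packets are constructed for the illustration, and the sample shows a keyword split across two packets that only the post-assembly check finds.

```python
"""Added example, not the patent's code: a minimal model of the packet content check
(FIG. 11), content check (FIG. 12) and packet handling (FIG. 13) routines."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Line correspondence data (cf. FIG. 4): registered applications by TCP destination
# port, using the standard IANA assignments.
REGISTERED_APPS = {25: "SMTP", 110: "POP", 20: "FTP", 80: "HTTP", 445: "CIFS"}
# Predetermined information 146: byte patterns to search for (constructed samples).
PREDETERMINED = [b"TEST-SIGNATURE-1", b"CONFIDENTIAL"]
# Per-application handling, the three branches of FIG. 13 (constructed settings):
# "process" = process and send, "discard" = drop the buffer, "notify" = report it.
DEFAULT_SETTING = {"process": False, "discard": False, "notify": True}
SETTINGS = {"SMTP": {"process": True, "discard": False, "notify": True},
            "HTTP": {"process": False, "discard": True, "notify": True}}
# Header added by the "send everything and add a header" method (FIG. 17); constructed name.
MARK_HEADER = b"X-Predetermined-Info: matched\r\n"


@dataclass
class Packet:
    dst_port: int   # TCP destination port, used to identify the application (S113)
    seq: int        # position within the series, used when assembling (constructed)
    payload: bytes


@dataclass
class Result:
    forwarded: List[bytes] = field(default_factory=list)  # sent on toward the destination
    notifications: List[Tuple[bytes, List[bytes]]] = field(default_factory=list)


def content_check(target: bytes) -> Optional[bytes]:
    """FIG. 12 (S124): return the first predetermined pattern found in the check target."""
    for pattern in PREDETERMINED:
        if pattern in target:
            return pattern
    return None


def packet_handling(app: str, matched: bytes, series: List[Packet], result: Result) -> None:
    """FIG. 13 (S134 to S139): process and send, discard, or forward; then notify if set."""
    setting = SETTINGS.get(app, DEFAULT_SETTING)
    content = b"".join(p.payload for p in series)
    if setting["process"]:
        result.forwarded.append(MARK_HEADER + content)  # S135: processing transmission
    elif not setting["discard"]:
        result.forwarded.append(content)  # neither processed nor discarded: forward as is
    if setting["notify"]:
        # Notification method 1: the matched information itself plus every packet of the series.
        result.notifications.append((matched, [p.payload for p in series]))


def relay(packets: List[Packet], realtime: bool) -> Result:
    """FIG. 11: classify by destination port, check in real time or after assembly, handle."""
    result = Result()
    assembly: Dict[int, List[Packet]] = {}  # assembly buffer 143, one series per port
    for pkt in packets:
        app = REGISTERED_APPS.get(pkt.dst_port)
        if app is None:
            result.forwarded.append(pkt.payload)  # S11A: unregistered, pass through unchanged
        elif realtime:
            matched = content_check(pkt.payload)  # check target is the reception buffer 142
            if matched is None:
                result.forwarded.append(pkt.payload)
            else:
                packet_handling(app, matched, [pkt], result)
        else:
            assembly.setdefault(pkt.dst_port, []).append(pkt)
    # Post-assembly check: the whole series is searched, so a pattern that straddles
    # two packets (the CONFIDENTIAL sample below) is found only in this mode.
    for port, series in assembly.items():
        series.sort(key=lambda p: p.seq)
        matched = content_check(b"".join(p.payload for p in series))
        if matched is None:
            result.forwarded.extend(p.payload for p in series)
        else:
            packet_handling(REGISTERED_APPS[port], matched, series, result)
    return result


# Constructed sample traffic: an SMTP message whose keyword straddles two packets,
# an unregistered service, and an HTTP request carrying a registered signature.
SAMPLE = [
    Packet(25, 1, b"Subject: figures\r\n\r\nPlease review the CONFID"),
    Packet(25, 2, b"ENTIAL numbers in the attachment.\r\n"),
    Packet(8080, 1, b"unregistered service data"),
    Packet(80, 1, b"GET /TEST-SIGNATURE-1 HTTP/1.0\r\n"),
]
```

Running `relay(SAMPLE, realtime=True)` forwards the two SMTP fragments untouched and only discards and reports the HTTP request, whereas `relay(SAMPLE, realtime=False)` also catches the split keyword and forwards the SMTP content with the marker header prepended.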
  • FIG. 22 shows a case where the function is implemented in a switch as a network device according to the present invention.
  • Here the network device 1 is a switch provided with a lamp or alarm device 91 for notifying a person when predetermined information is found in a packet, lines 12, and a serial line 92 for connecting, for example, a system console.
  • A dedicated notification line 17 is provided to notify the content of the information.
  • The lamp 91, the serial line 92, the dedicated notification line 17 and the lines 12 are as described above.
  • FIG. 23 shows a network device according to the present invention in which the functions are implemented in a device located between networks. As in the case of the switch, it is connected to a lamp or alarm device.
  • FIG. 24 shows a network device according to the present invention in which this function is implemented in a cable, such as a category 5 or 6 cable, that connects network devices.
  • It is also possible to store only the minimum necessary executable file, pattern file and information in flash ROM or the like, and to operate while constantly acquiring information from the network.
  • Acquisition of information from the network may be performed at the moment the work is carried out, or automatically and periodically.
  • the first embodiment of the present invention is configured and operates as described above.
  • A packet including predetermined information, for example a packet including a virus, is removed from the packets flowing on the network without affecting the network. It is also possible to obtain and investigate, from the information flowing in the network, packet information containing a specific pattern to be investigated. In addition, when the registered information is identified in a packet, a lamp or alarm device can be activated to notify a person. If the packet is an illegal packet such as a virus, the information can be changed and the destination notified without the sender knowing, or a registered destination such as an administrator can be notified.
  • Since the present network device can detect predetermined information without affecting the network regardless of where in the network it is connected, there is no need to install software on the existing terminals or to configure them, which makes management easy. In addition, because of the above characteristics, when it is made into a circuit (chip) it can be located anywhere in the network of Fig. 1.
  • The second embodiment differs from the first embodiment in that the network device 1 has a function of identifying the application and storing a packet that matches the predetermined information 146 as it is in the matching information storage data 148.
  • The network device 1 can open the stored communication log, or the matching information storage data 148 stored as matching information, to specific users for reference, modification and the like using a file sharing protocol such as SAMBA. It uses its own IP address to share the files over the network, and the data can then be referenced from a terminal in the network.
  • Information is stored in the match information storage data 148 in steps S13A and S13B of the flowchart shown in FIG. 29 showing the operation corresponding to FIG. 13 in the first embodiment.
  • The routine of FIG. 29 operates when the contents registered in the predetermined information 146 match the received packet or application information.
  • In step S13A, at the end of the flowchart, whether log information or packets are to be accumulated is looked up in system registration data (not shown). In step S13B, if the content is to be checked as log information or across multiple packets, the check is performed after the received packets have been assembled, and the assembled application information is stored in the match information storage data 148. When sharing data, the matching information storage data 148 portion is released to the network as shared data. It is desirable to manage IDs and passwords when sharing.
  • the second embodiment is configured and operates as described above.
  • The network device 1 obtains a log of all mail and file sharing information, including acquired viruses and information matching a predetermined condition, and stores the files themselves, which makes later analysis easy. It is also possible to store all mail itself; in this case the mail can easily be carried around by making the device portable.
  • By accessing this network device 1 from the terminal side or the administrator side using a file sharing technology such as SAMBA, it is possible to back up files, retrieve backed-up files, acquire information containing a specific pattern, or conduct surveys such as taking statistics of that information. It is also possible to refer to and acquire the stored files through a USB port, serial port or the like.
  • Here the network device 1 only identifies the application; the application information check device 3 examines the transmitted and received application information and, based on the result of that examination, defines the operation to be performed on the application information (data).
  • The external application information check device 3 checks the data communicated by the application, but the network device 1 may also have this function.
  • For example, an e-mail or chat protocol is specified as the application; the text of the mail, the attached information, the text of the chat and the other transmitted or received contents sent to the other party are assembled from the packets, and the assembled application information is transmitted to the application information check device 3.
  • If, for example, the application information check device 3 determines that the received application information includes personal information, it sends a "transmission not permitted" determination to the network device 1, and the network device 1 performs the operation for stopping the transmission.
  • The text information referred to above includes personal information and information that should not be disclosed outside the company, such as an in-house information database, including the database itself.
  • FIG. 26 shows a block diagram of the network device 1 and the application information check device 3 according to the third embodiment.
  • the application information check device 3 is connected to the network device 1 via a LAN.
  • The application information check device 3 is made up of a transmitting/receiving unit 32 that transmits and receives information to and from the network device 1 via the LAN, a central processing unit 33 that processes the information received by the transmitting/receiving unit 32, a storage unit 34 that stores information, and, as a man-machine interface, an input unit 35 for inputting information to the application information check device 3 and a display unit 36 for displaying information from the application information check device 3.
  • The central processing unit 33 comprises transmission/reception processing means (function) 331 for transmitting and receiving information to and from the transmitting/receiving unit 32, input/output processing means (function) 332 for handling information input and output between the central processing unit 13, the input unit 15 and the display unit 16, and content check means (function) 333 for checking the content of information received from the network device 1.
  • The storage unit 34 further has registration content 341 for registering the content
  • In this embodiment the application information check device 3 is added. Further, the network device 1 differs in that the predetermined information 146 is not used. Further, the match information accumulation data 148 retains only the information deemed necessary by the determination from the application information check device 3; depending on the setting, however, everything may be retained.
  • Whereas in step S117 the contents of the packet are checked within the network device 1, in FIG. 27 the application information check device 3 is notified of the application information once it has been assembled in step S277, and a decision is awaited.
  • Step S118, which determines "whether the predetermined information exists", becomes step S278, which determines "whether to transmit as is as the processing".
  • In step S278, the operation shown in the flowchart of FIG. 12 is performed in the same way as in step S119 of FIG. 11. In the present embodiment, the same operation as in FIG. 12 may be performed depending on the response from the external application information check device 3.
  • Step S114 is described such that notifying the information in real time can also be selected.
  • FIG. 28 shows a flowchart of the operations performed by the application information check device 3. Since the "content check" described in the first embodiment is basically performed externally, FIG. 28 performs the same operation as FIG. The differences are the following three points (C) to (E).
  • The third embodiment is configured and operates as described above.
  • According to the present invention, by identifying in advance the applications whose information is transmitted from the company and registering them in the network device 1, all matching information that passes can be sent to the external application information check device 3, which can filter the transmitted and received information, so that transmission of such information can be prevented.
  • FIG. 1 is a network configuration diagram in which a network device according to the present invention is installed.
  • FIG. 2 is a functional block diagram of a network device according to an embodiment of the present invention.
  • FIG. 3 is a configuration diagram of system data included in a network device according to the present invention.
  • FIG. 4 is a configuration diagram of line correspondence data included in the network device according to the present invention.
  • FIG. 5 is a configuration diagram of application-compatible data included in the network device according to the present invention.
  • FIG. 6 is a configuration diagram of address information according to the present invention.
  • FIG. 7 is a configuration diagram of an IP header.
  • FIG. 8 is a configuration diagram of transmission / reception data using Ethernet and TCP / IP.
  • FIG. 9 is an operation flowchart of packet reception according to the embodiment of the present invention.
  • FIG. 10 is an operation flowchart of packet transmission according to the embodiment of the present invention.
  • FIG. 11 is an operation flowchart of a packet content check routine according to the embodiment of the present invention.
  • FIG. 12 is an operation flowchart of a content check routine according to the embodiment of the present invention.
  • FIG. 13 is an operation flowchart of a packet handling routine according to the present invention.
  • FIG. 14 is an operation flowchart of processing transmission (real-time check) according to the present invention.
  • FIG. 15 is an operation flowchart of processing transmission (check after assembly) according to the present invention.
  • FIG. 16 is a table of processing messages according to the present invention.
  • FIG. 17 is a diagram showing types of POP processing transmission (post-assembly check) method according to the present invention.
  • FIG. 18 is an operation flowchart of a predetermined information receiving routine according to the present invention.
  • FIG. 19 is a diagram showing an information reception notifier list according to the present invention.
  • FIG. 20 is a diagram showing an information reception notification method according to the present invention.
  • FIG. 21 is a diagram showing a sequence at the time of data registration according to the present invention.
  • FIG. 23 is a diagram when a function is implemented in a device installed between networks as a network device according to the present invention.
  • FIG. 25 is a functional block diagram of a network device according to the second embodiment of the present invention.
  • FIG. 26 is a functional block diagram of a network device and an application information check device according to the third embodiment of the present invention.
  • FIG. 27 is a flowchart showing the operation of a packet content check routine according to the third embodiment of the present invention.
  • FIG. 29 is a flowchart showing the operation of a packet handling routine according to the second embodiment of the present invention.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The problem to be solved by this invention is to provide a network device, a data relay method and a program that can be installed without affecting a network and that extract predetermined information, such as a specific pattern, from the information flowing through the network, in order to process the extracted information and return it to the network, to delete the extracted information, or to notify a predetermined address of that information. The proposed solution is that a data packet of a target application is identified and then buffered so that its content can be checked. When a data packet containing predetermined information such as a specific pattern is detected, that information is deleted or processed and then returned to the network, and a registered address is informed by e-mail or otherwise that the predetermined information has been received. A lamp or warning device is lit to inform a predetermined line of the received content. The content is checked by two kinds of method: a real-time check method and a check method after packet assembly.
PCT/JP2005/017264 2005-09-20 2005-09-20 Dispositif de réseau, procédé de relais de données et programme WO2007034535A1 (fr)

Priority Applications (2)

Application Number Priority Date Filing Date Title
PCT/JP2005/017264 WO2007034535A1 (fr) 2005-09-20 2005-09-20 Dispositif de réseau, procédé de relais de données et programme
JP2007536356A JP4526566B2 (ja) 2005-09-20 2005-09-20 ネットワーク装置、データ中継方法およびプログラム

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/JP2005/017264 WO2007034535A1 (fr) 2005-09-20 2005-09-20 Dispositif de réseau, procédé de relais de données et programme

Publications (1)

Publication Number Publication Date
WO2007034535A1 true WO2007034535A1 (fr) 2007-03-29

Family

ID=37888596

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2005/017264 WO2007034535A1 (fr) 2005-09-20 2005-09-20 Dispositif de réseau, procédé de relais de données et programme

Country Status (2)

Country Link
JP (1) JP4526566B2 (fr)
WO (1) WO2007034535A1 (fr)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2017092755A (ja) * 2015-11-12 2017-05-25 サクサ株式会社 ネットワーク監視装置及びネットワーク監視装置におけるウイルス検知方法。

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JPH11513153A (ja) * 1995-09-26 1999-11-09 トレンド・マイクロ,インコーポレイテッド コンピュータ・ネットワークの、ウイルス検出及び除去装置
JP2005128792A (ja) * 2003-10-23 2005-05-19 Trend Micro Inc 通信装置、プログラムおよび記憶媒体
JP2005222239A (ja) * 2004-02-04 2005-08-18 Fme:Kk ノード装置

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
ODA K.: "Doreo Erabu? Virus Taisaku Seihin", UNIX USER, vol. 14, no. 1, 1 January 2005 (2005-01-01), pages 52 - 55, XP003010190 *

Also Published As

Publication number Publication date
JP4526566B2 (ja) 2010-08-18
JPWO2007034535A1 (ja) 2009-03-19

Similar Documents

Publication Publication Date Title
JP6086968B2 (ja) 悪意のあるソフトウェアに対するローカル保護をするシステム及び方法
US9094372B2 (en) Multi-method gateway-based network security systems and methods
US7359962B2 (en) Network security system integration
JP3954385B2 (ja) 迅速なパケット・フィルタリング及びパケット・プロセシングのためのシステム、デバイス及び方法
EP2194677B1 (fr) Dispositif de surveillance de réseau, procédé de surveillance de réseau, et programme de surveillance de réseau
US9392002B2 (en) System and method of providing virus protection at a gateway
US8321936B1 (en) System and method for malicious software detection in multiple protocols
JP4072150B2 (ja) ホストベースのネットワーク侵入検出システム
EP1817685B1 (fr) Détection d'intrusion dans un environnement de centre de données
CN113612784B (zh) 使用蜜罐的动态服务处理
US7796515B2 (en) Propagation of viruses through an information technology network
US20030097557A1 (en) Method, node and computer readable medium for performing multiple signature matching in an intrusion prevention system
JP2008516306A (ja) ネットワークベースのセキュリティプラットフォーム
GB2382754A (en) a network intrusion protection system (ips) which runs on a management node and utilises other nodes running ips software
WO2002013486A2 (fr) Systeme, procede et produit programme informatique, destines au traitement d'informations comptables de reseau
US20190005100A1 (en) Centralized state database storing state information
US11153350B2 (en) Determining on-net/off-net status of a client device
JP4526566B2 (ja) ネットワーク装置、データ中継方法およびプログラム
JP5393286B2 (ja) アクセス制御システム、アクセス制御装置及びアクセス制御方法
JP2007102747A (ja) パケット検知装置、メッセージ検知プログラム、不正メールの遮断プログラム
US11477241B2 (en) Selectively disabling anti-replay protection by a network security device
GB2403625A (en) Distributing security updates to select nodes on a network

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
WWE Wipo information: entry into national phase

Ref document number: 2007536356

Country of ref document: JP

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 05785573

Country of ref document: EP

Kind code of ref document: A1