JP6454224B2 - Communication device - Google Patents

Description

  The present invention relates to a communication device for transferring data.

  Currently, when using an IP (Internet Protocol) network, a widely used general-purpose product can be used. For this reason, when no restriction is imposed on the network device, not only the intended terminal but also various terminals can easily connect to the IP network. Then, if an unintended terminal is connected to the IP network, there is a possibility that illegal data may flow through the IP network or security may be violated.

  As a technique for preventing security infringement, there is a method of using a white list function described in JP-A-2009-239525 (Patent Document 1). The whitelist function registers information that identifies regular communication from the communication content information of regular communication (regular data) that flows through the network as a whitelist, and blocks non-regular communication that is not registered in the whitelist after registration is complete (discard) This is a function that increases the security level by restricting it.

  In Patent Literature 1, an identifier for identifying a transmission source terminal, such as a transmission source IP address or a transmission source MAC (Media Access Control) address of a packet received by the packet filtering device, is installed in the packet filtering device. It is disclosed that a white list is automatically or manually generated by registering a regular terminal in the white list.

  In addition, in JP-A-2015-050767 (Patent Document 2), in addition to a transmission source IP address and a transmission source MAC address, an arbitrary set of a transmission source port number, a destination IP address, a destination MAC address, a destination port number, and the like. A network switch is disclosed that stores a pre-manufactured whitelist that includes and monitors and blocks network traffic based on the whitelist.

JP 2009-239525 A JP 2015-050767

  The whitelist function increases the security level by restricting non-regular communication that is not registered in the whitelist, and prevents security infringement that is a threat. On the other hand, as another threat, there is a technique called a replay attack that is a technique for attacking a network. The replay attack is executed when the attacker intercepts the regular data flowing on the network by some method and retransmits the data as it is.

  Since the header information and data contents of the data used for replay attacks are exactly the same as the regular data, the number of parameters to be registered in the white list is increased by the conventional white list regardless of whether it is generated manually or automatically. However, there is a problem that the data of the replay attack disguised as regular data cannot be protected. The main purpose of the replay attack is DoS attack (Denial of Service attack), which increases the load on the network by throwing a lot of spoofed regular data, or increases the load on the server that is the destination of the data The service provided by the server is stopped.

  Some terminals and servers that are targeted for attack are equipped with functions that check the time information of data received as countermeasures against replay attacks, or have a sequence number inside the data to recognize it as illegal data. Although there is a large amount of data, reception processing such as time information confirmation and sequence number order confirmation is tight, and as a result, services may not be provided.

  Further, in the network switch of Patent Document 2, even when a conventional white list is automatically generated, an attack using data having the same header information as that of regular communication registered in the white list cannot be prevented.

  In order to solve the above problem, a communication device according to one embodiment of the present invention includes a port connected to a network and at least a part of header information included in data received during the first period via the port. When data is received during a second period after the first period via the storage unit that stores the white list to be stored, at least a part of header information included in the data is stored in the white list. If not, data is not permitted to be transferred to another destination via another port, at least a part of header information included in the data is stored in the white list, and reception of the data is in the first period When it is a time width related to communication control using a white list of at least some header information included in the data based on the reception history of the data received during When forwarding to other destinations via other ports is permitted, and at least a part of the header information included in the data is stored in the white list and the reception of the data is not time span, the data is sent to the destination. And a transfer unit that does not permit transfer through the other port.

  According to the present invention, it is possible to limit the timing at which data passes through a communication device and reduce the influence of an attack on the network.

It is a structural example of the whole network. It is an example of explanatory drawing which shows the detail of a white list storage memory. It is an example of explanatory drawing which shows the detail of a white list application switching memory. It is an example of explanatory drawing which shows the detail of a white list application switching memory. It is an example of explanatory drawing which shows the detail of a setting memory. It is an example of a sequence diagram showing an outline of operations at the time of receiving each state of a white list, a packet from a terminal group, and a state transition command from an input / output device. It is an example of the flowchart which shows detailed operation | movement of the packet transfer part at the time of a white list production | generation state. It is an example of the flowchart which shows the detailed operation | movement of the control part at the time of a white list production | generation state. It is an example of the flowchart which shows the process which the calculation process part in the white list application switching part at the time of a white list production | generation state and an operation state implements. It is an example of the flowchart which shows the detailed operation | movement of the packet transfer part at the time of an operation state. FIG. 6 is an example showing values of a valid hit counter, a invalid hit counter, and a valid bit counter in accordance with the reception status of a packet in an operation state with respect to one entry in the white list storage memory. FIG. 10 is an explanatory diagram illustrating details of a setting memory according to the second embodiment. 12 is an example of a flowchart illustrating a detailed operation of a packet transfer unit in a whitelist generation state according to the second exemplary embodiment. 12 is an example of a flowchart illustrating a detailed operation of a control unit in a white list generation state according to the second embodiment.

  Embodiments will be described below with reference to the drawings.

Example 1
FIG. 1 is a configuration example of the entire network. FIG. 1 is an explanatory diagram centered on a part for generating a network configuration and a data relay (transfer) / communication permission list (hereinafter also referred to as “white list”). In the following description, a packet is used as a specific data format, but it may be a frame.

  The packet relay apparatus 1 includes a terminal group 14-1 to 14 -n that repeatedly transmits a packet at regular intervals (periodically) via the network 13 and a terminal group 14-1 to 14-14 via the network 11. -N is connected to server groups 12-1 to 12-n that aggregate, store, and provide various services. The packet relay device 1 is a switch device or the like. The predetermined interval may be a certain time interval (for example, an interval of 10 minutes), or a combination of different time intervals in a certain time (for example, an interval of 10 minutes in one hour, and then 20 minutes) Interval, and then 30 minute intervals). In this embodiment, the repetition of a certain time interval is expressed as “periodically”.

  As representative examples of the terminal groups 14-1 to 14-n, the environment and physical conditions such as the temperature, humidity, and carbon dioxide concentration around the terminals are collected and collected in the aggregation device such as the server group 12 via the network 13. And a sensor that transmits the information (sensor information). In recent years, IoT (Internet of Things) technology that attaches sensors to various substances or organisms, monitors information collected by the sensors via a network, and controls based on the collected information has attracted attention. That is, the terminal groups 14-1 to 14-n may be things (Things) such as a surveillance camera, a machine, and a wearable device that have a communication function and are connected to a network by IoT technology. A network composed of sensor groups is called a sensor network, and is realized by interposing a plurality of wireless terminals with sensors in a space. Further, as another example of the terminal group 14-1 to 14-n, it is adopted in a TD-LTE (Time Division Long Term Evolution) technology that is a communication technology of a mobile phone, and the uplink (terminal → base station) and To perform downlink (base station → terminal) communication simultaneously, use the TDD (Time Division Duplex) technology that divides the same frequency band into extremely short unit times (time slots) and switches between uplink and downlink alternately. A terminal. The terminal is not limited to the above as long as it is a terminal that performs periodic packet transmission. In the present embodiment, the terminal groups 14-1 to 14-n are described as sensors that periodically transmit one packet.

  The packet relay device 1 is a communication device that relays (transfers) a packet. The packet relay apparatus 1 receives packets from a plurality of ports 2-1 to 2-6 that transmit and receive packets and receiving ports 2-1 to 2-6, determines a transfer destination, transfers the packet, and refers to a white list. A packet transfer unit 3 that performs packet transfer or discarding, a whitelist application switching unit 4 that switches application / non-application of a whitelist according to time, control of whitelist generation, and input / output described later A control unit 5 that transmits a device setting command from the device 10 to the packet transfer unit 3 to control the packet transfer unit 3, and a time management unit 6 that holds and manages the device time in the packet relay device 1.

  In the following description, when ports 2-1 to 2-6 are not distinguished, they are described as port 2. The same applies to the terminal group 14 and the server group 12. Further, the number of reception ports 2 is not limited to the number shown in FIG. Each of the terminal group 14 and the server group 12 may be one (terminal 14 and server 12).

  Here, application / non-application of the whitelist will be described. Application / non-application of the white list is a state in which the packet relay apparatus 1 determines whether transfer is permitted (transfer or discard) for a packet permitted by the white list among the packets received (determination of transfer permission non-permission). That is. That is, the application of the white list refers to a state in which when the packet transfer unit 3 receives a packet, the white list is referred to and communication of packets permitted by the white list is permitted (packet transfer is executed). Yes, the non-application of the white list refers to a state in which when the packet transfer unit 3 receives a packet, it refers to the white list and does not permit communication of packets permitted by the white list (does not execute packet transfer). It is. Note that transfer of packets that are not permitted in the white list among packets received by the packet relay device 1 is not permitted regardless of whether the white list is applied or not. That is, when the packet transfer unit 3 receives a packet, the packet transfer unit 3 refers to the white list and does not permit communication of packets not permitted in the white list.

  The switching of whitelist application / non-application is switching of communication control (permission or non-permission of communication) using a whitelist for a packet permitted in the whitelist. The application / non-application of the white list is also expressed as opening / closing the white list. In addition, white list application / non-application is also expressed as white list valid / invalid. The application / non-application of the white list is also expressed as whether the white list is valid. The application / non-application of the white list is also expressed as whether the white list is applied.

  As will be described later, whether or not the packet transfer unit 3 uses the white list to determine whether or not to transfer a packet depends on the state of the packet relay device 1. That is, in a state where a white list is generated (hereinafter also referred to as “learning period” or “learning state”), the packet relay device 1 dynamically switches between application and non-application of the white list. Performs packet forwarding regardless of whether the whitelist is applied or not. In the state after the generation of the white list is completed (hereinafter also referred to as “operation period” or “operation state”), the packet relay device 1 dynamically switches between application and non-application of the white list, The transfer unit 3 determines whether or not to permit the transfer of packets permitted by the white list according to the application / non-application of the white list that is dynamically switched, and the white list is applied regardless of whether the white list is applied or not. Do not allow forwarding of unauthorized packets.

  The packet relay device 1 has a connection port 8 with an external terminal, and is connected to an input / output device 10 that performs settings related to white list generation and displays information related to white list generation. In addition to the method using the connection port 8, the connection between the input / output device 10 and the packet relay device 1 includes connection to the port 2 and connection via a network using a conventional technique such as telnet. .

  The ports 2-4 to 2-6 are connected to the terminal group 14 and other packet relay apparatuses via the network 13 by metal or optical cables, and accommodate the terminal group 14 via the network 13. The ports 2-1 to 2-3 are connected to the server group 12 and other packet relay apparatuses via the network 11 by metal or optical cables, and are connected to the server group 12 via the network 11. In FIG. 1, the terminal group 14 and the server group 12 are connected via the networks 14 and 11, respectively, but they are directly connected to the ports 2-4 to 2-6 and the ports 2-1 to 2-3. It may be in the form. The network 13 and the network 11 may be the same network.

The packet transfer unit 3 includes a white list storage memory 310, a transfer destination determination unit 32, a transfer table memory 33, and a setting memory 340.
The white list storage memory 310 is a storage unit that stores information to be stored in a white list generated by the control unit 5 described later as a white list. Details of the white list storage memory 310 will be described with reference to FIG. The setting memory 340 is a storage unit that stores information related to white list settings. Details of the setting memory 340 will be described with reference to FIG.

  The transfer destination determination unit 32 controls whether or not packets can be transferred by searching (referring to) the whitelist storage memory 310, or transfers a packet by searching the transfer table memory 33 (port for transmitting a packet (hereinafter referred to as a packet transmission port) It is also provided with a function to execute the determination of 2) and packet transfer processing to the determined transfer destination (including updating of packet header information necessary for transfer). Specifically, a transfer destination is determined during a whitelist operation state (hereinafter also referred to as “operation state”), which is a state in which whether or not to transfer a packet is determined using a whitelist in which application / non-application is dynamically switched. When the unit 32 receives a packet from the port 2, the white list in the white list storage memory 310 is searched (referenced) using the header information of the received packet as a key to determine whether or not the packet can be transferred. The transfer destination determination unit 32 determines that a packet having header information that matches information registered (stored) in the white list, that is, a packet already registered in the white list (white list registration packet), can be transferred to the packet. The transfer table memory 33 is searched (referenced) using the header information as a key to determine the transfer destination, and the packet is transferred according to the determined transfer destination.

  In addition, when receiving a packet having header information that does not match information registered in the white list, that is, a packet not registered in the white list (a packet not registered in the white list), the transfer destination determining unit 32 rejects packet transfer. It is determined that this packet is discarded. In addition, the transfer destination determination unit 32 searches the transfer table memory 33 when a packet is received during a white list generation state (hereinafter also referred to as “generation state”), which is a state of generating a white list described later. Then, the packet is transferred, and the identifier (hereinafter referred to as “reception port identifier”) of the port (hereinafter also referred to as “reception port”) 2 that has received the packet that is the header information of the packet and the control information in the packet relay apparatus 1. Is also transmitted to the control unit 5.

Here, the header information is control information that is referred to when each device transmits and receives a packet.
Moreover, the information used as header information differs for every layer. For example, in the case of layer 2 header information (L2 header), the destination MAC address, source MAC address, ether type, etc. In the case of layer 3 header information (L3 header), version, destination IP address, source IP Address, protocol number, ToS (Type of Service) / VLAN (Virtual Local Area Network) ID, etc., and in the case of layer 4 header information (L4 header), TCP (ack, fin, psh, rst, syn, urg) Destination port number, transmission source port number), UDP (destination port number, transmission source port number), ICMP (Internet Control Message Protocol) (code message), and the like.

  The transfer table memory 33 is a storage unit that stores information about a packet transfer destination (packet header information and a transfer destination based on the header information). The forwarding table memory 33 is information necessary when a general packet relay device forwards a packet, such as a MAC Address Table for carrying out layer 2 communication, a routing table for carrying out layer 3 communication, etc. It is the memory comprised by. Further, when receiving the header information of the packet from the transfer destination determining unit 32, the transfer table memory 33 returns the search result to the transfer destination determining unit 32.

  Further, the control unit 5 includes a CPU (Central Processing Unit) (not shown) and a storage unit (memory) (not shown), and software programs such as white list generation and interval calculation processed by the CPU are stored in the memory. Stored (held, stored, recorded). As will be described later, the control unit 5 updates the information stored in the setting memory 340 and the white list storage memory 310. However, the control unit 5 may directly update the memory by controlling each memory, or the packet transfer unit 3 Includes a control unit (not shown), the control unit 5 transmits an instruction to control each memory to the control unit of the packet transfer unit 3, and the control unit of the packet transfer unit 3 that receives the instruction controls each memory. And may be updated.

  The white list is generated by the control unit 5 of the packet relay apparatus 1 in this embodiment when the packet is received via the packet receiving unit 2 and is automatically generated using the header information and the reception port identifier of the received packet. . From the packet header information, whitelist using any information in the header information of each layer such as packet source MAC address, destination MAC address, source IP address, destination IP address, source port number, destination port number, etc. However, for the sake of explanation, the source IP address in the header information is used as information used for generating the white list.

  In addition, in the packet relay device 1 of the present embodiment, the time when the packet is received for the first time and the time difference between the first reception of the packet and the reception of the packet for the second time (hereinafter also referred to as “interval”). Is used as whitelist application information. The packet relay device 1 calculates a packet reception timing based on the packet reception time and interval. The method for storing and using the packet reception time and interval will be described later.

  The white list application switching unit 4 includes a white list application switching memory 410 and a calculation processing unit 420. The whitelist application switching memory 410 stores whitelist control information that stores information related to communication control using the whitelist in the packet transfer unit 3 and information (application time information) regarding the time at which whitelist application / nonapplication is switched. It is a memory | storage part to memorize | store. The information related to communication control using the white list is information indicating application / non-application of the white list. Details of the white list application switching memory 410 will be described with reference to FIG.

  The calculation processing unit 420 acquires time information from the time management unit 6 and updates the information in the whitelist application switching memory 410, and updates the information in the whitelist storage memory 310 based on the updated information in the whitelist application switching memory 410. Update. The update of the white list storage memory 310 by the calculation processing unit 420 may be performed by the calculation processing unit 420 directly controlling the white list storage memory 310, or the calculation processing unit 420 may update the control unit of the packet transfer unit 3. Alternatively, an instruction to control the white list storage memory 310 may be transmitted, and the control unit of the packet transfer unit 3 that has received the instruction may control and update the white list storage memory 310.

  In the packet relay apparatus 1 according to the present embodiment, communication that is not registered in the white list (non-registered communication) is permitted for packets received via each port 2 by the white list stored in the white list storage memory 310. It can be discarded without. The whitelist application switching unit 4 can switch application / non-application of the whitelist according to the packet transmission timing. When the whitelist and the whitelist application switching unit 4 periodically transmit packets transmitted from the terminal group 14 even if the whitelist is not applied even if the communication is already registered in the whitelist (registered communication). Can be discarded without permission. Note that the packet relay apparatus 1 transfers a packet that is not permitted to be communicated by the white list to a specific transfer destination function unit or apparatus inside or outside the packet relay apparatus 1 different from the original packet transfer destination. May be. In this case, the transferred packet can be analyzed by a functional unit or device of a specific transfer destination.

  The network shown in FIG. 1 is a network system connected to a terminal 14 that transmits data at a predetermined interval and a server 12 that aggregates data transmitted by the terminal 14, and includes a packet relay device 1 that is a communication device. You may have.

  FIG. 2 is an example of an explanatory diagram showing details of the white list storage memory. The white list storage memory 310 stores a white list having an entry of information regarding a packet for which communication is permitted. Each entry in the white list storage memory 310 is stored in an entry number 317 indicating a number for identifying the entry, a reception port identifier 311 for storing the reception port identifier of the reception port that received the packet, and header information of the received packet. The source IP address 312 for storing the source IP address that is stored, the valid bit 313 for storing the valid bit that is the valid / invalid information indicating the validity / invalidity of the entry, and the whitelist storage during the whitelist operation state When the memory 310 is searched, the valid hit counter 314 incremented when the value of the valid bit 313 of the entry hits when valid, and when the white list storage memory 310 is searched during the white list operation state, When the value of the valid bit 313 of the entry is invalid It has an invalid hit counter 315 that is incremented when a hit occurs, and a valid bit counter 316 that indicates the number of times the valid bit 313 has become valid. The header number stored in the white list of the white list storage memory 310 is identified by the entry number 317.

  In the example of FIG. 2, the white list storage memory 310 is described as being capable of holding n entries (n is finite and arbitrary) of 1 to n. Further, an example of a white list relating to the packet receiving unit 2-1 (packet receiving unit # 1) is shown in the entry whose entry number 317 in FIG. 2 is “1”.

  In this embodiment, when the value of the valid bit 313 is “1”, it indicates a “valid” state, and when it is “0”, it indicates an “invalid” state, but is not limited thereto. The packet relay apparatus 1 switches application / non-application of the white list in units of entries by updating the value of the valid bit 313. The information (white list) in the white list storage memory 310 is extracted by the control unit 5 according to a command from the input / output device 10 and can be displayed on the input / output device 10.

  FIG. 3 is an example of an explanatory diagram showing details of the white list application switching memory. The whitelist application switching memory 410 is a memory that stores application time information that is whitelist control information and has the same number of entries as the whitelist storage memory 310. FIGS. 3A and 3B are diagrams for explaining a time change of the white list application switching memory 410. FIG.

  Each entry in the white list application switching memory 410 has an entry number 414 corresponding to the entry number 317 in the white list storage memory 310 and an entry number in the white list storage memory 310 that is the same value as the entry number 414 of the entry. The previous time 411 that stores the time when the value of the valid bit 313 of 317 was previously valid, and the time when the packet not registered in the white list storage memory 310 is received for the first time during the generation state of the white list and the second time It has an interval 412 for storing an interval when a packet is received, and a next time 413 for storing a time at which the value of the valid bit 313 of the whitelist storage memory 310 is next validated. The control unit 5 updates the previous time 411 and the interval 412, and the calculation processing unit 420 updates the next time 413.

  The calculation processing unit 420 calculates and stores the next time 413 based on the values stored in the previous time 411 and the interval 412. The calculation processing unit 420 switches between valid / invalid of the value of the valid bit 313 in the whitelist storage memory 310 based on the calculated next time and a whitelist application time width 342 described later. That is, the next time 413 is information for switching communication control using the white list. Details will be described with reference to FIG.

  Also, an example of information in the whitelist application switching memory 410 is shown in the entry whose entry number 414 in FIG. 3 is “1”. Information in the whitelist application switching memory 410 is extracted by the control unit 5 in accordance with a command from the input / output device 10 and can be displayed on the input / output device 10. Also, the whitelist control information stored in the whitelist application switching memory 410 is information based on the reception of a packet (time point, timing), not the time, and the packet relay device 1 receives a packet ( Each information of the white list control information may be calculated based on (time point, timing).

  For example, when receiving the first packet, the packet relay device 1 operates a counter to count up a value based on the number of seconds or the number of clocks. When the next packet is received, the timing at which the first and next packets are received respectively. The interval may be calculated from In this case, the packet relay device 1 calculates the next packet reception timing based on the previous packet reception timing and interval. Further, the whitelist application time width 342 of the setting memory 340 may be set in accordance with the unit (number of seconds or number of clocks) of the counter for calculating the interval.

  Further, based on the timing and interval at which the packet is received, a time width (time window) that may be received next packet, that is, a time width for switching the communication control using the white list may be calculated. . In this case, the white list control information includes a time width for switching communication control using the white list.

  Further, when calculating an interval from a packet received by repeating a combination of different time intervals within a certain time, a different time interval may be calculated from the timing of receiving a plurality of packets received during the generation state.

  FIG. 4 is an example of an explanatory diagram showing details of the setting memory. The setting memory 340 includes an in-device white list state 341 for storing the white list state as information relating to the white list setting, and a time for applying the white list when switching the white list between valid and invalid (white list application time). And a whitelist application time width 342 for storing the width of.

  The setting memory 340 includes, as an in-device white list state 341, an invalid state that does not use a white list, a generation state that generates a white list, and an operation state that performs communication based on the generated white list. Have. The initial state of the in-device white list state 341 is “invalid state”.

  In the invalid state, the packet relay apparatus 1 performs communication (packet transfer) based on the search result of the transfer table memory 33 as a general packet relay apparatus that does not use a white list. In other words, in the invalid state, the packet relay device 1 performs communication without determining whether or not communication is permitted for the received packet regardless of the registration status of the white list (whether there is an entry in the white list). In the operation state, the packet relay apparatus 1 uses the white list, determines communication permission / denial of the received packet according to the white list registration status, and performs communication. In other words, in the operational state, when the packet relay device 1 receives a non-whitelist registration packet, it does not allow communication regardless of whether the whitelist is applied or not, and when receiving a whitelist registration packet, the whitelist is applied. In the case of, communication is permitted, and when the white list is not applied, communication is not permitted. An outline of the operation of the packet relay apparatus 1 in the generation state and the operation state will be described with reference to FIG.

  The change of the state is performed by a state transition command that is a command for shifting the state of the white list from the input / output device 10. The state change command for changing the state is executed by the network administrator or the like from the input / output device 10 and is set in the setting memory 340 from the control unit 5 that has received the state transfer command.

  Further, in the operation state, the packet relay device 1 performs switching between application / non-application of the white list by the white list application switching unit 4. At the time of switching, a certain width can be given to the application time of the white list, and the width is held in the setting memory 340 as the white list application time width 342. The initial state is “1 second”, but is not limited to this.

  The change of the white list application time width 342 can be implemented by a change command from the input / output device 10. The calculation processing unit 410 in the whitelist application switching unit 4 uses the value stored at the next time 411 in the whitelist application switching memory 410 and the whitelist application time width 342 to determine the valid bit in the whitelist storage memory 310. By switching the validity / invalidity of 313, the decision of whether or not to transfer a packet executed by the packet transfer unit 3 is controlled.

  FIG. 5 is an example of a sequence diagram showing an outline of operations when receiving a packet from the terminal group and receiving a state transition command from the input / output device for each state of the white list.

  In the whitelist invalid state of the packet relay device 1 in which the in-device whitelist state 341 in the setting memory 340 of the packet relay device 1 is “invalid state”, a specific one of the terminal group 14 transmits a packet ( When the packet relay apparatus 1 receives the packet (S101), the packet forwarding process is performed (S102). The packet relay device 1 searches the transfer table memory 33 to determine the transfer destination of the received packet, performs packet transfer based on the search result (S102), and transmits the packet to the destination server 12 ( S103).

  When the packet relay device 1 is in the whitelist invalid state, the input / output device 10 is one of the state transition commands, and transmits a generation state transition command for shifting the whitelist state (S104). When receiving the generation state transition command, the setting memory 340 is updated (S105). The packet relay device 1 updates (switches) the in-device white list state 341 in the setting memory 340 from the invalid state to the generated state, and transmits the fact that the transfer is completed to the input / output device 10 as a transfer completion notification (S106). ).

  In the whitelist generation state of the packet relay device 1 in which the in-device whitelist state 341 in the setting memory 340 of the packet relay device 1 is “generation state”, one specific terminal in the terminal group 14 transmits a packet (S107). , S110, S113) When the packet relay apparatus 1 receives the packet, the packet relay apparatus 1 refers to the whitelist storage memory 33, and steps S108 to S109 and S111 to S112 according to the whitelist storage state of the received packet. , S114 to S115 are performed.

  Step S108 is processing when the header information of the received packet is not stored in the whitelist storage memory 33. The packet relay apparatus 1 performs the packet transfer process in the same manner as in step S102 (S108), transmits the packet to the destination server 12 (S109), and stores the header information of the received packet in the whitelist storage memory 33. Then, the white list is generated, the reception time of the packet is acquired from the time management unit 6, and stored in the previous time 411 of the white list application switching memory 410 (S108).

  Step S111 is processing when the header information of the received packet is stored in the whitelist storage memory 33 and the interval 412 is not stored in the whitelist application switching memory 410. The packet relay apparatus 1 performs the packet transfer process in the same manner as in step S102 (S111), transmits the packet to the destination server 12 (S112), and acquires the reception time of the received packet from the time management unit 6. Based on this reception time and the previous time 411 that is the time when the previous packet stored in the whitelist application switching memory 410 is received, the next time that is the time to apply the interval and the next whitelist is calculated. And stored in the interval 412 and the next time 413 of the whitelist application switching memory 410 (S111).

  Step S114 is processing when the header information of the received packet is stored in the whitelist storage memory 33 and the interval 412 is stored in the whitelist application switching memory 410. The packet relay apparatus 1 performs a packet transfer process as in step S102 (S114), and transmits the packet to the destination server 12 (S115). In this case, the packet relay apparatus 1 performs packet transfer processing regardless of whether the valid bit 313 of the whitelist storage memory 33 is “valid” or “invalid”.

  Also, in the whitelist generation state of the packet relay device 1, the input / output device 10 is one of the state transition commands, and transmits an operation state transition command for shifting the whitelist state to the operation state (S116). When the device 1 receives the operation state transition command, the setting memory 340 is updated (S117). The packet relay device 1 updates (switches) the in-device white list state 341 in the setting memory 340 from the generation state to the operation state, and transmits the fact that the transfer is completed to the input / output device 10 as a transfer completion notification (S118). ).

  In the whitelist operation state of the packet relay device 1 in which the in-device whitelist state 341 in the setting memory 340 of the packet relay device 1 is “operating state”, one specific terminal in the terminal group 14 transmits a packet (S119). , S122), when the packet relay device 1 receives the packet, the packet relay device 1 refers to the white list storage memory 33, and the received packet's white list storage state, or the white list storage state and the white list application state ( Depending on whether whitelist is applied or not, one of steps S120 and S123 is performed.

  Step S120 is processing when the header information of the received packet is stored in the whitelist storage memory 33 and the valid bit 313 of the whitelist storage memory 33 is “valid”. After searching the white list storage memory 33, the packet relay device 1 performs a packet transfer process as in step S102 (S121).

  In step S123, when the header information of the received packet is stored in the whitelist storage memory 33 and the valid bit 313 on the whitelist storage memory 33 is “invalid”, or the header information of the received packet Is a process in the case where is not stored in the white list storage memory 33. The packet relay device 1 searches the white list storage memory 33 and then performs a packet discarding process (S123).

  Detailed operations of steps S108, S111, S114, S117, S120, and S123 outlined in FIG. 5 will be described with reference to FIGS. In FIG. 5, general state transitions of the in-device white list state 341 are described. However, the in-device white list state 341 indicates that the current state is “invalid state”, “generation state”, “operation”. Any of the “states” can transition to any other two states.

FIG. 6 is an example of a flowchart showing the detailed operation of the packet transfer unit in the white list generation state.
In step S130, the packet transfer unit 3 receives a packet from the receiving port 2, or sends an operation state transition command for changing the in-device white list state 341 of the white list transmitted by the input / output device 10 to an operating state. Wait for 5 to receive. In step S130, there is a possibility of receiving an invalid state transition command which is one of the state transition commands and is a command for changing the in-device white list state 341 to an invalid state. Yes.

  When the packet transfer unit 3 receives the packet (S131: YES), the process proceeds to step S132, and the transfer destination determination unit 32 that has received the packet stores the white list using the packet header information and the reception port identifier as a key. In addition to searching the memory 310, a search in the transfer table memory 33 is performed using the packet header information as a key, and a process of determining a packet transfer destination and transferring the packet is also performed.

  Then, based on the search result of the white list storage memory 310, the packet transfer unit 3 determines whether there is an entry (an entry that matches the packet header information and the reception port identifier) that has already been registered in the white list storage memory 310. That is, it is confirmed whether the header information of the packet and the reception port identifier have been registered in the whitelist storage memory 310 (S133). If there is no entry (S133: NO), the packet relay apparatus 1 executes the process of step S108 in FIG. In this case, the packet transfer unit 3 extracts the transmission source IP address from the packet header information, transmits the transmission source IP address and the reception port identifier of the packet to the control unit 5 (S134), and returns to step S130. .

  If there is an entry in step S133 (S133: YES), the entry number 317 of the entry stored in the whitelist storage memory 310 is specified, and the whitelist application switching memory 410 having the same entry number as this entry number 317 is specified. It is checked whether or not the interval has already been registered (stored) in the interval 412 of the entry (S135).

  When the interval has already been registered (S135: YES), the packet relay device 1 executes the process of step S114 in FIG. In this case, the packet transfer unit 3 has already registered all the whitelist information related to the packet, and returns to step S130. If the interval has not been registered in step S135 (S135: NO), the packet relay device 1 executes the process of step S114 in FIG. In this case, the packet transfer unit 3 stores the entry number specified in step S135, that is, the packet header information and the reception port identifier entry in the whitelist storage memory 310. In 412, the entry number of an entry in which no interval is stored (hereinafter also referred to as “registered entry number”) is transmitted to the control unit 5 (S 136), and the process returns to step S 130.

  When the operation state transition command is received in step S130 (S131: NO), the packet relay apparatus 1 executes the process of step S117 in FIG. In this case, the packet transfer unit 3 updates the in-device white list state 341 of the setting memory 340 from “generation state” to “operation state” (S137), and the state of the packet relay device 1 shifts to the operation state. At that time, the values of the counters 314 to 316 in the white list storage memory 310 are cleared in step S137. By doing this, it is possible to count the number of received packets of a packet that hits the entry since the transition to the operation state and the number of valid bits applied to the entry.

FIG. 7 is an example of a flowchart showing the detailed operation of the control unit in the white list generation state.
In step S140, the control unit 5 waits for reception from the packet transfer unit 3 of any of the information described in step S134 or step S136 in FIG. That is, the control unit 5 waits for reception of the transmission source IP address and the reception port identifier or the registered entry number from the packet transfer unit 3.

  When the control unit 5 receives the transmission source IP address and the reception port identifier (S141: NO), the packet relay device 1 executes the process of step S108 in FIG. In this case, the control unit 5 generates information to be stored in the white list based on the received information (source IP address and reception port identifier), and acquires the current time of the packet relay device 1 from the time management unit 6 (S142).

  Then, the control unit 5 writes (stores) the information stored in the white list generated in step S142 into the empty entry in the white list storage memory 310 to generate a white list, and also acquires the current list acquired in step S142. The time is stored in the previous time 411 of the whitelist application switching memory 410 (S143), and the process returns to step S140. At this time, the entry number 414 of the white list application switching memory 410 that stores the current time is the same as the entry number 317 of the empty entry of the white list storage memory 310 that stores the information stored in the white list generated in step S142. Is used.

  If there is no empty entry in step S143, a control signal is sent from the control unit 5 to the input / output device 10 indicating that the device accommodation condition has been exceeded, or an entry that already exists. Various forms are possible, such as deleting the password and newly registering, but the operation when the accommodation condition is exceeded is omitted in the flowchart.

  When the control unit 5 receives the registered entry number in step S140 (S141: YES), the packet relay device 1 executes the process of step S111 in FIG. In this case, the control unit 5 acquires the current time from the time management unit 6 and acquires the previous time from the previous time 411 of the entry number 414 of the whitelist application switching memory 410 that matches the received registered entry number. Then, the control unit 5 calculates an interval from the acquired current time and the previous time (S144).

  Then, the control unit 5 writes (stores) the interval calculated in step S144 in the interval 412 of the entry number 414 of the whitelist application switching memory 410 that matches the registered entry number received in step S141, and acquires it in step S144. The current time is written into the previous time 411 of the entry number 414 of the whitelist application switching memory 410 that matches the registered entry number (S145). The control unit 5 notifies the calculation processing unit 420 of the registered entry number that has been written to the whitelist application switching memory 410 (S146), and returns to step S140.

FIG. 8 is an example of a flowchart illustrating processing performed by the calculation processing unit 420 in the white list application switching unit in the white list generation state and in the operation state.
Note that the flowchart of FIG. 8 shows the operation of the white list storage memory 310 and the white list application switching memory 410 in units of one entry.

  In step S150, the calculation processing unit 420 waits for reception of the registration entry number notification described in step S146 of FIG. Upon receiving the notification of the registered entry number, the calculation processing unit 420 proceeds to step S151. In step S151, the calculation processing unit 420 acquires information of the whitelist application switching memory 410 (S151). Specifically, the calculation processing unit 420 identifies the entry in the whitelist application switching memory 410 that matches the received registered entry number, and acquires the previous time 411 and interval 412 values of the identified entry (S151). ).

Next, the calculation processing unit 420 calculates the next time by the following calculation based on each value acquired in step S151 (S152).
Next time = previous time + interval The next time calculated by the above calculation is written in the next time 413 of the entry in the whitelist application switching memory 410 that matches the registered entry number (S153).

  The calculation processing unit 420 stores values in all areas of the entry in the whitelist application switching memory 410 by the processes in steps S151 to S153, and switches between valid / invalid of the valid bit 313 in the whitelist storage memory 310. Can be implemented. Further, the whitelist application switching memory 410 is in the state shown in FIG. 3A by the processing in step S153.

The calculation processing unit 420 monitors the time management unit 6, and the time before the whitelist application time width 342 minutes in the setting memory 340 from the time held by the next time 413 of the entry (hereinafter, “whitelist application start” It waits (it is also called "time") (S154). Step S153 will be specifically described with reference to an entry whose entry number 414 is “1” in the whitelist application switching memory 410 of FIG. 3A and the setting memory 340 of FIG. Since the next time 413 is “10:30:03” and the whitelist application time width 342 is set to “1 second”, the calculation processing unit 420 sets the whitelist application start time at 10:30. Wait until minutes 02 seconds (S154). That is, the whitelist application start time is calculated by the following calculation.
White list application start time = next time−white list application time width When the white list application start time comes, the calculation processing unit 420 updates the information in the white list storage memory 310 (S155). Specifically, the calculation processing unit 420 sets the value of the valid bit 313 of the entry number 317 of the whitelist storage memory 310 that matches the entry number 414 of the entry to “valid” and sets the value of the valid bit counter 316 to Increment (S155). When the calculation processing unit 420 sets the value of the valid bit 313 to “valid”, the packet relay apparatus 1 starts applying the white list entry set to “valid”.

  Next, the calculation processing unit 420 monitors the time management unit 6 and waits until the time held by the next time 413 of the entry (S156). The calculation processing unit 420 updates the information in the whitelist application switching memory 410 at the relevant time (S157). Specifically, the calculation processing unit 420 writes the value of the next time 413 of the entry in the whitelist application switching memory 410 to the previous time 411 and adds the value of the next time 413 and the value of the interval 412 to obtain the next time Write to 413 (S157). By the processing in step S157, the time when the valid bit 313 of the entry number 317 in the white list storage memory 310 that matches the entry number 414 of the entry is next validated is calculated. Further, the whitelist application switching memory 410 is brought into the state shown in FIG. 3B by the process of step S157.

Then, the calculation processing unit 420 monitors the time management unit 6, and the time after the 342 minutes of the whitelist application time width in the setting memory 340 from the value of the previous time 411 (hereinafter also referred to as “whitelist application end time”). ) (S158). Step S153 will be specifically described with reference to an entry whose entry number 414 is “1” in the whitelist application switching memory 410 in FIG. 3B and the setting memory 340 in FIG. Since the previous time 414 is “10:30:03” and the whitelist application time width 342 is set to “1 second”, the calculation processing unit 420 determines that the whitelist application end time is 10:30. Wait until 04 seconds (S158). That is, the whitelist application end time is calculated by the following calculation.
Whitelist application end time = previous time + whitelist application time width When the whitelist application end time comes, the calculation processing unit 420 updates the information in the whitelist storage memory 310 (S159). Specifically, the calculation processing unit 420 sets the valid bit 313 of the entry number 317 of the whitelist storage memory 310 that matches the entry number 414 of the entry to “invalid” (S159), and returns to step S154. When the calculation processing unit 420 sets the value of the valid bit 313 to “invalid”, the packet relay apparatus 1 ends the application of the white list entry set to “invalid”.

  By repeating steps S154 to S159, “valid” / “invalid” of the valid bit 313 can be switched in units of entries in the white list storage memory 310.

FIG. 9 is an example of a flowchart showing the detailed operation of the packet transfer unit in the operating state.
The packet transfer unit 3 receives the packet received from any of the reception ports 2 at the transfer destination determination unit 32 (S160).

  The transfer destination determination unit 32 that has received the packet from the reception port 2 extracts the source IP address from the header information of the packet, uses the reception port identifier and source IP address that received the packet as a search key, and performs whitelisting. The storage memory 310 is searched (S161). The transfer destination determination unit 32 determines whether an entry corresponding to the search key exists in the white list storage memory 310 (S162). If there is no entry corresponding to the search key (S162: NO), the packet relay apparatus 1 executes the process of step S123 of FIG. In this case, the transfer destination determination unit 32 discards the packet as a packet that is not registered in the white list (packet that is not registered in the white list) (S163), and returns to step S160.

  If an entry corresponding to the search key exists in the whitelist storage memory 310 (S162: YES), the transfer destination determination unit 32 determines whether the value of the valid bit 313 of the corresponding entry is “valid” or “invalid” Is determined (S164). When the value of the valid bit 313 is “invalid” (S164: NO), the packet relay apparatus 1 executes the process of step S123 of FIG. In this case, the transfer destination determination unit 32 increments the value of the invalid hit counter 315 of the entry, does not transfer the packet, discards the packet as an unregistered white list packet (S165), and step S160. Return to.

  When the value of the valid bit 313 is “valid” (S164: YES), the packet relay apparatus 1 executes the process of step S120 of FIG. In this case, the transfer destination determination unit 32 increments the value of the valid hit counter 314 of the entry and transfers the packet header information to the search key as a packet registered in the white list (white list registration regular packet). The table memory 33 is searched (S166). The transfer destination determination unit 32 performs processing necessary for packet transfer such as updating the packet header information according to the search result of the transfer table memory 33, and transfers the packet to one of the transmission ports 2 indicated by the search result. (S167) and the process returns to step S160.

  With the operations described with reference to FIGS. 6 to 9, the packet relay device 1 enables a terminal group that periodically transmits a packet to allow communication only during the periodic transmission time of the packet. . As a result, an attack packet having exactly the same header information as that registered in the white list, such as a replay attack, and received in the same receiving port 2 as the white list registered regular packet can pass through the packet relay apparatus 1 in absolute terms. The number can be limited only to the periodic transmission time of the packet, and the load on the entire network and the load on the server that is the destination of the attack can be greatly reduced.

  Even when the value of the valid bit 313 is “valid” and the whitelisted regular packet originally passes, since communication based on the whitelist is performed, it is possible to defend against general attack techniques other than replay attacks. . In the present embodiment, the control unit 5 and the white list application switching unit 4 are described separately for the sake of explanation. However, the control unit 5 includes the processing performed by the white list application switching unit 4 and the white list. The application switching unit 4 may not exist.

  Further, in the whitelist operation state of the packet relay device 1 of the present embodiment, the valid hit counter 314, invalid hit counter 315, and valid bit counter 316 in the whitelist storage memory 310 are used for packet registration with respect to registered entries. Packet reception status, such as whether the packet periodically arrives (receives), is under attack, or the packet arrives regularly but the arrival time deviates from the whitelist application time The relay apparatus 1 can automatically recognize and reconstruct the white list.

  FIG. 10 is an example showing the values of the valid hit counter, the invalid hit counter, and the valid bit counter according to the reception status of the packet in the operation state for one entry in the white list storage memory. With reference to FIG. 10, a description will be given of whether the packet received by the packet relay device 1 is normal or abnormal, that is, whether the packet is regularly received (received) or under attack. This determination is performed by, for example, the control unit 5 of the packet relay device 1, but may be performed by another functional unit.

  For the entry a in FIG. 10, the values of the valid hit counter 314 and the valid bit counter 316 match. In addition, since the invalid hit counter 315 is “0”, the packet is periodically received within the whitelist application time after shifting to the operation state, and all packets are received when invalid (when the whitelist is not applied). Not received. For the entry a, the packet relay apparatus 1 determines that communication based on the white list is possible without being attacked from the outside.

  Next, for the entry of b, as in the entry of a, the value of the invalid hit counter 315 is “0”, and the packet relay apparatus 1 determines that there is no possibility of an attack from the outside. The values of the hit counter 314 and the valid bit counter 316 do not match. This indicates the possibility that the terminal (communication device) corresponding to the entry b does not transmit a packet due to some event.

  In such a case, the packet relay device 1 outputs a warning packet to the outside, or the control unit 5 displays it on the screen of the input / output device 10 because there is a possibility that the terminal of the entry b is out of order. A warning can be displayed.

  For the entry c, the sum of the values of the valid hit counter 314 and the invalid hit counter 315 matches the valid bit counter 316. In such a case, the packet relay apparatus 1 determines that the periodic transmission timing of the packet from the terminal of the entry c is shifted, and returns to the whitelist generation state only for the entry, and periodically The learning of the reception time and interval from the packet transmitted to is automatically performed again, and the entry of the whitelist application switching memory 410 corresponding to the entry is automatically regenerated. In this case, the packet relay apparatus 1 does not relearn the reception port identifier 311 and the transmission source IP address 312 of the entry in the white list storage memory 310.

  For automatic execution of learning of the reception time and interval, the value of the valid hit counter 314 and the invalid hit counter 315 are added to obtain the valid bit counter 316, and the invalid bit counter 315 continues multiple times. In this embodiment, the value of the valid hit counter 314 and the invalid hit counter 315 are added to obtain the valid bit counter 316, and the invalid bit counter 315 has a certain threshold value. You may carry out at the timing beyond. In addition, from the viewpoint of security, the reception time and interval are not re-learned automatically when falling into the above state, a warning packet is output to the outside, or a warning is displayed on the screen of the input / output device 10 from the control unit 5 And the relearning of the reception time and interval may be implemented by a command from the input / output device 10.

  For the entry d, the value of the valid hit counter 314 and the value of the invalid hit counter 315 are far greater than the value of the valid bit counter 316. This is a characteristic way of increasing the counter when the packet relay apparatus 1 is subjected to a replay attack. In a conventional packet relay device that does not dynamically switch application / non-application of a white list in accordance with the periodic transmission timing of a packet of a terminal group that periodically transmits packets, the value of the effective hit counter 314 is set by the replay attack. Packets corresponding to the value of the invalid hit counter 315 pass through the packet relay apparatus and reach the attack target server, which imposes a great load on the entire network and the attack target server.

  On the other hand, the packet relay apparatus 1 according to the present embodiment discards packets received during the non-application time of the white list that is “invalid” (that is, packets corresponding to the value of the invalid hit counter 315). Most of it can be discarded.

  As described above, according to the first embodiment, the packet relay apparatus can dynamically increase / decrease the security level of a terminal that periodically transmits packets by dynamically switching application / non-application of the white list according to time. It is possible to limit the timing at which a packet passes through the packet relay device, and to reduce the influence of an attack on the network.

  In the case of a packet relay apparatus (L7 switch) having a DPI (Deep Packet Inspection) function, a white list may be generated by an application level protocol such as HTTP / FTP.

(Example 2)
The second embodiment is a modification of the packet relay apparatus 1 described in the first embodiment, and determines whether or not the value of the valid bit 313 is used as information stored in the white list for each reception port. In addition, the same reference number is attached | subjected to the location which has the same function as Example 1, or the same function, and the overlapping description is abbreviate | omitted and demonstrated.

FIG. 11 is an explanatory diagram illustrating details of the setting memory according to the second embodiment.
The setting memory 340 according to the second embodiment includes a reception port identifier in which terminals that regularly transmit packets are accommodated in addition to the in-device whitelist state 341 and the whitelist application time width 342 described in FIG. 4 according to the first embodiment. The periodic packet terminal accommodating port setting 343 for storing the setting in the bitmap format is held. In the initial state of the periodic packet terminal accommodation port setting 343, all the values of the bitmap are set to “0”, and the value of the bitmap corresponding to the port accommodating the terminal that periodically transmits the packet is set to “1”. By setting, it becomes possible to discriminate. In this embodiment, when the value of the bitmap of the regular packet terminal accommodation port setting 343 is “0”, a terminal that irregularly transmits packets is accommodated in the port corresponding to the bitmap. When the value of the bitmap is “1”, it indicates that a terminal that periodically transmits a packet is accommodated in the port corresponding to the bitmap, but is not limited thereto. In this embodiment, a time interval that is not regular is expressed as “irregular”. Irregularity is, for example, a case where a certain time interval is not repeated and a certain cycle (pattern) interval is not repeated within a certain time.

  The setting (updating) of the periodic packet terminal accommodation port setting 343 is performed by a setting instruction which is an instruction for changing the value of the periodic packet terminal accommodation port setting 343 from the input / output device 10. The setting command is executed by a network administrator or the like, and is set in the setting memory 340 from the control unit 5 that has received the setting command.

  In the second embodiment, at the time of generating the white list, by keeping the valid bit 313 always “1” for the entry having the information of the reception port identifier whose bitmap value of the periodic packet terminal accommodating port setting 343 is “0”, It enables packet transfer processing from a group of terminals that transmit packets irregularly.

  FIG. 12 is an example of a flowchart illustrating the detailed operation of the packet transfer unit in the whitelist generation state according to the second embodiment. The flowchart of FIG. 12 is a flowchart in which a step of confirming bitmap information of the regular packet terminal accommodating port setting 343 is added after step S133 of FIG.

  If the packet header information and the reception port identifier have already been registered in the whitelist storage memory 310 (S133: YES) in step S133, the packet transfer unit 3 proceeds to step S138. The packet transfer unit 3 refers to the periodic packet terminal accommodation port setting 343 in the setting memory 340 and confirms the bitmap information of the reception port identifier registered in the whitelist storage memory 310 (S138). Specifically, the packet transfer unit 3 confirms whether the value of the bitmap of the regular packet terminal accommodation port setting 343 corresponding to the reception port identifier is “1” (S138). If the value of the bitmap is “1” (S138: YES), the packet transfer unit 3 proceeds to step S135 as in the first embodiment. If it is “0” (S138: NO), the packet transfer unit 3 returns to step S130.

  FIG. 13 is an example of a flowchart illustrating the detailed operation of the control unit in the whitelist generation state according to the second embodiment. The flowchart of FIG. 13 is a flowchart in which a step of confirming bitmap information of the regular packet terminal accommodation port setting 343 is added after step S142 of FIG.

  In step S142, the control unit 5 creates information to be stored in the white list, acquires the current time of the packet relay device 1 from the time management unit 6 (S142), and confirms the bitmap information of the reception port identifier. (S147). Specifically, the control unit 5 confirms whether the bitmap value of the periodic packet terminal accommodation port setting 343 corresponding to the reception port identifier is “1” (S147). If the value of the bitmap is “1” (S147: YES), the process proceeds to step S143 as in the first embodiment. If it is “0” (S147: NO), the control unit 5 stores the information stored in the white list generated in step S142 in the empty entry of the white list storage memory 310 and the information stored in the white list. Is set to "valid" (S148), and the process returns to step S140.

  As described above, the packet relay apparatus 1 is still registered in the whitelist storage memory 310 from a terminal group that transmits packets at irregular intervals whose bitmap value of the regular packet terminal accommodation port setting 343 is “0”. When a packet that has not been received is received for the first time, a new entry is registered in the whitelist storage memory 310, and the valid bit 313 of the registered entry is set to “valid”, thereby transmitting the packet irregularly. Since no information is notified to the whitelist application switching unit 4 for packets received for the second time or later from the incoming terminal group, the entry in the whitelist storage memory 310 of the terminal group that transmits the packet irregularly For “”, the valid bit 313 is not switched between “valid” and “invalid”.

  As described above, according to the second embodiment, the packet relay apparatus separates the reception port to which the terminal that periodically transmits packets belongs and the reception port to which the terminal that transmits packets irregularly belongs. By managing in this manner, it is possible to accommodate a group of terminals that transmit packets irregularly in the packet relay device while increasing the security level of the terminals that transmit packets regularly.

  In this embodiment, a terminal that periodically transmits a packet for each receiving port and a terminal that transmits a packet irregularly are determined, but this is determined, for example, for each VLAN (Virtual Local Area Network). Alternatively, the condition may be divided and discriminated based on arbitrary information in the header information of the packet. In the present embodiment, the port in which the terminal that regularly transmits the packet is accommodated and the port in which the terminal that irregularly transmits the packet are accommodated are managed. Switching between “valid” and “invalid”, that is, switching between whitelist application and non-application, was performed, but whitelisting for a specific port was performed regardless of whether the packet transmission from the terminal was regular or irregular. When switching between applying and not applying the list is not performed, the value of the bitmap corresponding to this port is set to “0”, and switching between “valid” and “invalid” of the valid bit 313 (application of the white list) (Non-application switching) may not be performed.

Example 3
The third embodiment is a modification of the packet relay device 1 described in the first embodiment or the second embodiment, and the whitelist is applied / not applied to the terminal group 14 that periodically transmits a plurality of packets. Is switched dynamically according to the time. In addition, the same reference number is attached | subjected to the location which has the same function as Example 1, or the same function, and the overlapping description is abbreviate | omitted and demonstrated.

  The terminal group 14 described in the first embodiment is assumed to transmit one packet periodically for the sake of explanation. However, the packet relay apparatus 1 that accommodates the terminal group 14 that periodically transmits a plurality of packets. Has the number of packets received at a time as information (hereinafter also referred to as “periodic reception packet number”) in the setting memory 340, and the packet reception processing described in step S130 in FIG. Rather, it is performed in units of the number of packets based on the information in the setting memory 340 (the number of regularly received packets).

  In this case, the calculation processing unit 420 increments the value of the valid bit counter 316 in order to match the value of the valid hit counter 314 and the value of the invalid hit counter 315 with the value of the valid bit counter 316. Each time, the number of packets based on the information in the setting memory 340 (the number of regularly received packets) is added to the value of the valid bit counter 316.

  As described above, according to the third embodiment, the packet relay apparatus that accommodates a terminal group that periodically transmits a plurality of packets has effective bits based on the number of packets that the terminal group periodically transmits. By incrementing the counter value, it is possible to realize a dynamic switching according to whitelist application / non-application time for a terminal group that periodically transmits a plurality of packets, thereby increasing the security level. . Also, the packet relay device must manage the receiving port to which the terminal that regularly sends multiple packets belongs and the receiving port to which the terminal that sends multiple packets irregularly is separated. Thus, while increasing the security level of terminals that regularly transmit a plurality of packets, a group of terminals that transmit a plurality of packets irregularly can be accommodated in the packet relay apparatus.

  Further, in each embodiment of the present invention, for example, the time synchronization technology defined by IEEE 1588 may be adopted, and the packet relay device 1 and the terminal group 14 may be time synchronized. In this case, the port 2 that accommodates the terminal group 14 that periodically transmits packets can be called a time synchronization whitelist application port.

In addition, this invention is not limited to an above-described Example, Various modifications are included. For example, the above-described embodiments have been described in detail for easy understanding of the present invention, and are not necessarily limited to those having all the configurations described. Further, a part of the configuration of one embodiment can be replaced with the configuration of another embodiment, and the configuration of another embodiment can be added to the configuration of one embodiment. Further, it is possible to add, delete, and replace other configurations for a part of the configuration of each embodiment. In addition, each of the above-described configurations, functions, processing units, processing means, and the like are realized by hardware by designing a part or all of them with an integrated circuit such as a field-programmable gate array (FPGA). Also good. Each of the above-described configurations, functions, and the like may be realized by software by interpreting and executing a program that realizes each function by the processor. Information such as programs, tables, and files that realize each function is stored in memory, a hard disk, a recording device such as an SSD (Solid State Drive), or a recording medium such as an IC (Integrated Circuit) card, SD card, or DVD. be able to.
Moreover, although various information was demonstrated by the expression of "aaa table", various information may be expressed by data structures other than a table. In order to show that it does not depend on the data structure, the “aaa table” can be called “aaa information”. Further, the description has been given of recording each information in various tables in the expression “store”, but it may be expressed as “register” or “set”.

  Further, the control lines and information lines indicate what is considered necessary for the explanation, and not all the control lines and information lines on the product are necessarily shown. Actually, it may be considered that almost all the components are connected to each other.

DESCRIPTION OF SYMBOLS 1 ... Packet relay apparatus 2 ... Packet receiving part 3 ... Packet transfer part 4 ... White list application switching part 5 ... Control part 6 ... Time management part 32 ... Transfer destination determination part 33 ... Transfer table memory 310 ... White list storage memory 340 ... Setting memory 410 ... White list application switching memory 420 ... Calculation processing unit

Claims (8)

Multiple ports connected to the network;
White that stores at least a part of header information included in data received during the first period via the port, together with information indicating whether the entry is valid or invalid, as an entry of information on data for which communication is permitted. A storage unit for storing the list;
When data is received via the port during a second period after the first period, when at least part of header information included in the data is not stored in the white list, the data is addressed When at least a part of the header information included in the data is stored in the white list, the data is not sent to the destination. A transfer unit that allows transfer via,
A time management unit that holds and manages time;
When the transfer unit receives the data including the header information stored in the white list, the reception time is acquired from the time management unit to obtain the interval and the next reception time, and the entry corresponds to the next reception time of the entry. A whitelist application switching unit that stores the stored whitelist control information in the storage unit;
A control unit,
The control unit, for each entry of the white list control information, based on the next reception time of the entry and a predetermined application time width, during the predetermined application time width at the next reception time, A communication device characterized in that information indicating whether the entry in the list is valid or invalid is valid and is controlled to be invalid at other times ,
The whitelist is
The first information indicating whether the white list entry is valid or invalid, and the number of pieces of data including the at least some header information stored in the white list received when the first information is valid. Second information indicating, third information indicating the number of times the first information has been effectively updated, and at least a portion stored in the whitelist received when the first information is invalid And further storing, for each entry, fourth information indicating the number of pieces of data having header information of
During the second period,
The controller is
Updating the first information according to the next reception time of the whitelist control information and the predetermined application time width;
The transfer unit
When receiving the data having the at least part of header information stored in the white list via the port, when the first information is valid, the second information is updated and the data is updated. Forward to the destination,
The controller is
For each entry of the white list control information, when the next reception time is reached, the first information is updated from invalid to effective and the third information is updated.After the predetermined application time width, Update the first information from valid to invalid,
The transfer unit
When receiving data having at least a part of header information stored in the white list via the port, when the first information corresponding to at least a part of the header information included in the data is invalid , Updating the fourth information corresponding to at least a part of the header information included in the data, discarding the data,
The controller is
For each entry in the white list, if the sum of the second information and the fourth information matches the third information, the at least some header information stored in the white list Recalculating the corresponding whitelist control information interval based on the reception history of the data received during the second period;
Communication device. The communication device according to claim 1,
When the information indicating whether the entry in the white list is valid or invalid is valid, the control unit is configured to store the at least a part of the at least a part of the white list stored in the white list for a predetermined application time range at the next reception time. When the transfer unit controls the transfer unit so that the transfer unit transfers data having header information to the destination of the data, and the information indicating whether the entry in the white list is valid or invalid, the data is included in the white list. The transfer unit is controlled so that the transfer unit does not transfer the stored data having the at least part of header information to a destination of the data,
Communication device. The communication device according to claim 2,
During the first period,
The controller is
When the transfer unit receives data having header information not stored in the white list, the transfer unit stores at least a part of header information included in the data in the white list and generates the white list. Receives the data having the at least part of header information stored in the white list, the white list application switching unit obtains the reception time from the time management unit, and calculates the interval and the next reception time. A communication apparatus characterized by controlling the communication. The communication device according to claim 3,
During the first period,
The transfer unit
When data having the header information not stored in the white list is received, the header information included in the data is transmitted to the control unit, and the data is transferred to a destination.
The controller is
The at least part of header information received from the transfer unit is stored in the white list, and the time at which the at least part of header information is received from the transfer unit is acquired from the time management unit and the at least part Stored in the whitelist control information as the previous reception time corresponding to the header information of
The transfer unit
Upon receiving data having the at least part of header information stored in the white list, an entry number identifying the at least part of header information stored in the white list is transmitted to the control unit, and Transfer data to the destination,
The controller is
An interval is calculated based on the time when the entry number is received from the transfer unit and the previous reception time corresponding to the entry number, and the next reception time is calculated based on the previous reception time and the interval.
Communication device. The communication device according to claim 4,
During the second period,
The controller is
When the next reception time of the white list control information is reached, the next reception time is stored as the previous reception time of the white list control information, and the previous reception time of the white list control information storing the previous reception time and the Storing the next reception time calculated based on the interval as the next reception time of the whitelist control information and updating the whitelist control information;
Communication device. The communication device according to claim 1,
  A plurality of the ports;
  The whitelist is
  Port identification information for identifying each of the plurality of ports that receive data is further stored for each of the at least some header information,
  During the second period,
  The transfer unit
  When receiving data via any of the plurality of ports, at least one of port identification information of a port that has received the data and at least some header information included in the data is stored in the white list. When the reception of the data is within the predetermined application time width of the next reception time, the data is permitted to be transferred to the destination and included in the port identification information of the port that received the data and the data When at least one of the header information is stored in the white list and the reception of the data is not within the predetermined application time width of the next reception time, the data is transferred to the destination. Without permission, the port identification information of the port that received the data and at least a part of the data When none of the header information is not stored in the white list, it does not allow the transfer of the data to the destination,
  Communication device. The communication device according to claim 1,
  A plurality of the ports;
  Each of the plurality of ports is
  Either a first port that receives data periodically or a second port that receives data irregularly;
  During the second period,
  The transfer unit
  When data is received via the first port, at least a part of header information included in the data is stored in the white list, and information indicating whether the entry of the data is valid or invalid is valid. At some time, the data received via the first port is transferred to the destination, and at least a part of header information included in the data is stored in the white list, and the entry of the data is valid or invalid When the information indicating is invalid, the data received via the first port is not transferred to a destination, and the at least some headers stored in the whitelist via the second port When receiving data with information, transfer the data to the destination.
  Communication device. A network system connected to a terminal that transmits data at a predetermined interval and a server that aggregates data transmitted by the terminal,
  Having a communication device,
  The communication device
  A first port for receiving data transmitted by the terminal;
  A second port for transmitting data received from the terminal to the server;
  At least a part of header information included in data received during the first period via the first port is used as an entry for information on data that permits communication, together with information indicating whether the entry is valid or invalid. A storage unit for storing a white list to be stored;
  When data is received via the port during a second period after the first period, when at least part of header information included in the data is not stored in the white list, the data is addressed When at least a part of the header information included in the data is stored in the white list, the data is not sent to the destination. A transfer unit that allows transfer via,
  A time management unit that holds and manages time;
  When the transfer unit receives the data including the header information stored in the white list, the reception time is acquired from the time management unit to obtain the interval and the next reception time, and the entry corresponds to the next reception time of the entry. A whitelist application switching unit that stores the stored whitelist control information in the storage unit;
  A control unit,
  The control unit, for each entry of the white list control information, based on the next reception time of the entry and a predetermined application time width, during the predetermined application time width at the next reception time, Enable the information indicating whether the entry in the list is valid or invalid, and switch to disable at other times,
  The whitelist is
  The first information indicating whether the white list entry is valid or invalid, and the number of pieces of data including the at least some header information stored in the white list received when the first information is valid. Second information indicating, third information indicating the number of times the first information has been effectively updated, and at least a portion stored in the whitelist received when the first information is invalid And further storing, for each entry, fourth information indicating the number of pieces of data having header information of
  During the second period,
  The controller is
  Updating the first information according to the next reception time of the whitelist control information and the predetermined application time width;
  The transfer unit
  When receiving the data having the at least part of header information stored in the white list via the port, when the first information is valid, the second information is updated and the data is updated. Forward to the destination,
  The controller is
  For each entry of the white list control information, when the next reception time is reached, the first information is updated from invalid to effective and the third information is updated.After the predetermined application time width, Update the first information from valid to invalid,
  The transfer unit
  When receiving data having at least a part of header information stored in the white list via the port, when the first information corresponding to at least a part of the header information included in the data is invalid , Updating the fourth information corresponding to at least a part of the header information included in the data, discarding the data,
  The controller is
  For each entry in the white list, if the sum of the second information and the fourth information matches the third information, the at least some header information stored in the white list Recalculating the corresponding whitelist control information interval based on the reception history of the data received during the second period;
  Network system.

Images