WO2007034535A1 - Network device, data relaying method, and program - Google Patents

Abstract

[Problems] To provide a network device, a data relaying method and a program, which can be disposed without influencing a network and which extracts predetermined information such as a specific pattern from the information to flow in the network, thereby to process the extracted information and feed it again to the network, to discard the extracted information, or to inform a predetermined address of that information. [Means for Solving the Problems] A packet of a target application is specified and buffered to check its contents. When the packet containing predetermined information such as a specific pattern is detected, that information is discarded or processed and is returned to the network, thereby to inform it to a registered address by a mail or other means that the predetermined information has been received. A lamp or a warning device is started to inform a predetermined line of the received contents. The contents are checked by two kinds of methods of a real time check and a check after the packet assembly.

Description

 Specification

 Network device, data relay method, and program

 Technical field

 [0001] The present invention relates to an apparatus or a data relay method and program installed in a network having a plurality of lines, and in particular, checks information flowing on the network and transfers a packet received from a transmission source to a destination. The present invention relates to a network device, a data relay method, and a program that perform a judgment of whether or not, and if necessary, notify a network administrator or the like of an alarm. Background art

 [0002] Conventionally, on an IP (Internet Protocol) network, sending and receiving mail using POP (Post Office Protocol), SMTP (Simple Mail Transfer Protocol), IMAP (Internet Message Access Protocol), etc., HTTP (Hyper Text Services such as Web browsing using Transfer Protocol (FTP) and file transfer using FTP (File Transfer Protocol) or FTP over HTTP can be used. In the above services, in order to deal with illegal information in the information sent and received, for example, malicious viruses, etc., virus check or removal software is installed individually on the terminal, virus check and removal on the mail server Install at least one of the countermeasures such as installing software for virus detection and removal at the gateway or router to which the terminal is connected as disclosed in Patent Document 1. It was.

 [0003] In addition, Patent Document 2 proposes a technique for providing a staleness function that hides one's identity in the IP layer with respect to transmission and reception of information.

 Patent Document 3 describes a technology related to a switch that detects illegal packets in transmission and reception of information within a LAN and between WANs.

 Patent Document 1: Japanese Patent Laid-Open No. 10-320186

 Patent Document 2: Japanese Patent Laid-Open No. 2002-366674

Patent Document 3: Japanese Patent Laid-Open No. 2003-348113 Disclosure of the Invention Problems to be Solved by the Invention

 [0004] However, in the conventional techniques described above, particularly virus check and removal, it is troublesome to install virus check software for each individual terminal, and it is difficult to uninstall the resources of the terminal such as CPU, memory, and hard disk. The use of the device will cause a heavy burden on the terminal, and various virus check software that depends on the OS of the terminal will need to be installed, which may make management difficult. Even if the measures are taken as described above, it was difficult to prevent the connection of the terminals that had not been installed with the virus check software brought in from the outside to the corporate network. Similarly, when installing virus check software on a mail server, it was impossible to prevent virus infection in the local network due to the connection of terminals brought in from outside.

 [0005] Also, to connect a network device having a function of checking information flowing on the network between devices such as routers or gateways, it is necessary to change the setting on the terminal side, which affects the existing network. It was difficult to do without giving.

 [0006] Furthermore, even when a virus check function is added to the gateway or router, it is not possible to check for local communications, so it was not possible to deal with viruses that exploited OS security holes. In addition, software that matches the OS on which the router and gateway operate was necessary, and it was not versatile. In addition, the technique disclosed in Patent Document 1 has the above-mentioned problems because the gateway or router itself has a virus check function as described above.

 [0007] In Patent Document 2, it is possible to hide one's presence without affecting the network in the IP layer, but it is not possible to extract a specific packet from all packets flowing on the network. Only when I make a transmission request to the other party, I can only steal a packet based on the preset IP address I used.

[0008] In the technique disclosed in Patent Document 3 that provides a switch with a virus check function, for example, when checking a file containing a virus attached to an e-mail, I couldn't say that it would be fast enough to buffer all the aisles. Moreover, it is not disclosed at all whether packet bitstream is monitored in real time.

 [0009] There is also a request for detecting specific information from a data stream flowing on the network and removing the detected packet from the network or processing and sending it to the network.

 [0010] The present invention has been made in view of a strong conventional problem, and monitors information transmitted / received not only in communication with outside of the network but also in communication between internal terminals, so that a predetermined value can be obtained. The purpose is to extract a packet containing information that meets the conditions without affecting the network, discard the network power, or process it and return it to the network. It is also intended to provide a network device, a data relay method, and a program that will not affect the existing network no matter which network is installed.

 Means for solving the problem

 [0011] In order to achieve the above object, a network device according to the present invention is a device that is installed between devices that communicate via a network and transparently relays data that is transmitted and received between the devices, A packet receiving unit that receives a packet addressed to another device from one device, an application identifying unit that determines an application type of a packet received using a predetermined application identifying method, and a determination by the application identifying unit A series of data is formed based on a plurality of packet groups received by the packet receiving means based on the determined application type, and when the data meets a predetermined condition, the plurality of packets Change at least one packet in the group and send it to the other device that is the destination. And, if otherwise, the predetermined condition is characterized in that and a packet content check means for transmitting a plurality of packets thus received the other device addressed is directly sent.

[0012] Thereby, a packet that matches the application type identified based on the application identification method specified on the packet stream flowing on the network includes information corresponding to a predetermined condition, for example, a malicious virus, etc. If invalid data is found, the corresponding packet stream is discarded. Can be sent to the destination address without affecting the network. Here, the information corresponding to the predetermined condition can be extracted and discarded not only by the malicious virus but also by the specified content pattern or the packet including the predetermined information such as information.

 [0013] In addition, when the packet content checking means identifies information corresponding to a predetermined condition, the packet side check means normally sends a response on the transmission side to the packet, and receives it on the destination side. The contents of the packet are modified according to the application that is used to make it appear that reception has failed, and the destination side is notified according to the application that the information corresponding to the predetermined condition has been received. Is also preferable.

 [0014] According to the present invention, when information corresponding to a predetermined condition is received, information can be extracted without being known to the transmission source by normally transmitting and receiving packets with the transmission source. wear. Also, if the packet is an illegal packet such as a virus, it is possible to modify the packet received at the destination so that it cannot be processed on the destination side. Furthermore, it is possible to give a sense of security to the destination terminal by transmitting to the destination side that the information corresponding to the predetermined condition has been found.

 [0015] In the network device, the packet content check means includes: a stream check process for checking a packet stream in real time based on a packet application type; and a post-assembly check process for checking after assembling the packet. It is preferable that the packet content is checked by at least one of the processes.

[0016] According to the present invention, when checking the contents of a packet after assembling all the packets, a check with a high degree of completion is possible. However, processing speed is required because buffering is required, and high functionality is required depending on the location in the network. Also, when checking packets in real time, buffering is minimal, and if the information that meets the specified conditions cannot be found at the time of checking, the packets are immediately returned to the network, which speeds up the network. Avoiding a bottleneck. However, for example, if information that meets certain conditions is found in the middle of data sent or received by an application such as e-mail or FTP, the previous packets are already returned to the network and arrive at the destination. Possible to wake up Leaving sex. However, once it is discovered, the remaining packets are processed and sent without being sent, so that an illegal packet such as a virus is not erroneously functioned on the destination side, and safety is guaranteed.

 [0017] Further, in the network device, preferably, the packet receiving unit stores a destination address of the received packet, and the packet content checking unit includes both the stream check process and the post-assembly check process. When the check is executed according to the above, the check by the stream check process does not determine that the predetermined condition is satisfied, but the check by the post-assembly check process determines that the predetermined condition is satisfied, the destination address It is also preferable to notify the user that the predetermined condition is met.

 [0018] Since information corresponding to a predetermined condition that can be checked in real time and information corresponding to a predetermined condition that can be checked after the packet is assembled are usually different, according to the present invention, the packet stream is missed by the real-time check and the destination Packets that have been sent to can be checked and discovered after the packet is assembled, and destinations that have already been sent can be notified that they have been found later, thus providing an extremely detailed service.

 [0019] Further, in the above network device, the packet content check means is configured to notify a predetermined specific destination address that the predetermined condition is met when it is determined that the predetermined condition is met. It is also preferable to do this.

 [0020] According to the present invention, it is possible to know that a packet having information corresponding to a predetermined condition has been received. For example, network administrators can effectively use this information, and network researchers can extract data that is transmitted and received on the network.

 [0021] More preferably, the packet content check means is configured to activate a notification means that can be recognized by a person when information corresponding to a predetermined condition is identified.

[0022] According to the present invention, it is possible to notify a person when information corresponding to a predetermined condition is found in information transmitted and received on a network. Notification means include lighting of the lamp-blinking, sounding, generation of smell, etc., which can be notified by means that are easy for humans to understand. [0023] Furthermore, when the packet content check means notifies a predetermined destination address that is determined in advance, it is determined whether to use either the destination IP address of the received packet or the IP address that the packet has. It is also preferable to be able to select.

 [0024] According to the present invention, when notifying a predetermined packet such as an administrator that information corresponding to a predetermined condition has been found in a received packet, for example, the IP address or destination that the device itself has is determined. Can be notified using the IP address. By using (speaking) the destination IP address, it can be hidden from the network. If you use the IP address that you have, you will suddenly show the presence by notifying the outside of the information

[0025] Further, it is preferable that at least one of update information of the application identification method or the information corresponding to the predetermined condition and the packet content check means is acquired from a network.

 [0026] Although the application identification method, the predetermined condition, or the packet content check means is registered in the network device from the beginning, the content can be acquired from the outside in order to cope with a change in the situation. By doing so, it becomes possible to deal with various situations.

 [0027] More preferably, at least one of the plurality of lines of the network device is configured to be connected to a network different from a network to which other lines are connected.

 [0028] Monitors information sent / received between devices in the LAN, between devices in the LAN and devices belonging to another network, or between external devices, and changes are made to the transmitted / received content. Packets or messages that contain information that meets the above conditions can be retrieved, or packets or messages that contain fraudulent or unintentional information can be deleted.

 [0029] Furthermore, it is preferable that the line is notified as a destination for notifying that it has a specific line and has received information corresponding to the predetermined condition.

[0030] When information corresponding to a predetermined condition is found in a packet or message flowing in the network, it can be notified to a specific line of the network device as its notification destination, so it was discovered without public knowledge Notify the content of information that meets certain conditions can do. After that, it is possible to analyze the information received on that specific line.

 [0031] Further, when the packet content check means performs the content check of the received packet after it is assembled, it checks only at a predetermined interval or a predetermined position of the packet stream with respect to the packet stream. It is also preferable to configure so that

 [0032] According to the present invention, when checking a packet stream in real time, a method determined from a predetermined interval, a predetermined packet stream position, or the outside without checking all target packets. By deciphering the packet and making it possible to check, the load on this network device can be reduced. The predetermined interval and the position of the packet stream can be determined for each application with a high possibility that information corresponding to a predetermined condition will appear.

 [0033] Further, it is preferable that at least one of the application identification method and information corresponding to a predetermined condition is provided for each line.

 [0034] According to the present invention, when the network device has a plurality of lines, the contents of information corresponding to a predetermined condition can be set for each line, so that each line can be set. Different settings can be made.

 [0035] Further, it is preferable that the predetermined condition of the packet content check means includes a computer virus.

 [0036] By providing pattern information that can identify a computer virus, a new algorithm, or the like as information corresponding to a predetermined condition, it becomes possible to find and remove the virus, or to notify the outside of the virus.

[0037] Further, the pre-specified application includes POP, SMTP, FTP, HTTP, SM

It is also preferable to configure it to be at least one of communication applications that perform mutual communication such as B and CIFS.

[0038] By registering several POP, SMTP, and other applications that are frequently used as applications for receiving information, packets and messages sent and received on those applications can be monitored. It is possible to discover and notify information that meets certain conditions such as viruses. [0039] Further, when the predetermined application type is a mail protocol and a computer virus is detected by the packet content check means after assembling the packet, the packet content check means The MIME (Multipurpose Internet Mail Extensions) header is modified so that the attached file has a non-readable lifetime, the process of deleting all attached files, and a new header indicating that an illegal packet has been received. It is also preferable to execute at least one of the processes to be added, transmit the received packet to the destination address, and notify that a computer virus is detected at the predetermined destination address.

 [0040] According to the present invention, the MIME of an illegal attachment such as a virus received by mail is not readable, so that the corresponding executable file is not started by clicking with a mailer or the like. Is possible. Also, deleting the attached file eliminates the possibility of problems, and it is possible to notify that invalid information has been received simply by adding a header without changing the attached information. At the same time, it is possible to notify a predetermined destination that information corresponding to a predetermined condition has been received. This operation works for both external mail reception and internal mail transmission. The mail protocol is POP, SMTP, IMAP, etc.

 [0041] Further, when the application power S-mail protocol specified in advance and the information corresponding to a predetermined condition is identified when the packet stream is checked in real time, the packet content checking means transmits The transmission / reception of the packet between the original ends normally, the content of the packet to be transmitted to the destination is modified and transmitted, and the information corresponding to the predetermined condition is notified to the predetermined destination. It is also preferable to configure this.

 [0042] According to the present invention, the communication with the transmission source is normally terminated, and the communication with the destination is transmitted as information that does not affect the destination by modifying the information, and registered in advance. It is possible to notify the destination that the information corresponding to the predetermined condition has been received, and the information with the destination can be processed without any problem without affecting the communication with the transmission source. it can.

[0043] Further, the packet received by the packet receiving means is a predetermined application. Means for determining whether or not the data corresponds to a type, and means for storing a series of data formed on the basis of the received packet group when corresponding to a predetermined application type.

It is also preferable that

[0044] According to the present invention, packets or application data including predetermined predetermined information can be stored, so that it can be used for subsequent investigations.

[0045] Further, the stored series of information may be configured to be accessible from an internal network.

 [0046] According to the present invention, it is possible to refer to a series of contents of information received from an administrator terminal or an information destination terminal in the internal network, so that the received information can be investigated. It becomes possible.

 A network device according to the present invention is a device that is installed between devices that communicate via a network, and that transparently relays data transmitted and received between the devices, from one device to another device A packet receiving means for receiving a packet addressed thereto, an application identifying means for determining an application type of a packet received using a predetermined application identifying method, and a packet received by or received by the packet receiving means A means for monitoring whether or not predetermined information is included in a series of data formed based on a packet group, and when predetermined information is included, a packet or Means for storing a series of data and executing a predetermined operation based on the application type. To.

 [0048] According to the present invention, for each application, it is possible to determine whether or not predetermined information is included in communication of the application and perform a predetermined operation for each application. If the file contains personal information, in-house confidential information, employee databases, etc., or if you are trying to obtain the above information via FTP or HTTP, stop sending the file, It is possible to identify and record IP etc. that perform FTP or HTTP, and to prevent leakage of personal information and confidential information.

[0049] Further, when the application type is a mail protocol, the relay of mail with the same mail source address and mail destination address as the predetermined operation is performed. It is also preferred to be configured to ban.

 [0050] According to the present invention, it is possible to block a mail from a sender who is sending an illegal mail, so that a mail user does not receive a harmful mail or an unnecessary mail. Can give the user a sense of security.

 [0051] In order to achieve the above object, a data relay method according to the present invention is a method for transparently relaying data transmitted and received between devices connected via a network, from one device to another device. Receiving the addressed packet, determining the application type of the received packet using a predetermined application identification method, and determining the plurality of received packet groups based on the determined application type. The above-mentioned other apparatus that forms a series of data and changes the at least one packet in the plurality of packet groups when the data meets a predetermined condition. If the predetermined condition is not met, the received plurality of packet groups are directly sent to the other device as the transmission destination. A step of trust, the characterized by containing Mukoto.

 [0052] A data relay method according to the present invention is a method for transparently relaying data transmitted and received between the devices installed between devices communicating via a network, from one device to another. A step of receiving a packet addressed to the device; a step of determining an application type of the received packet using a predetermined application identification method; and the received packet or the received packet. A step of monitoring whether or not the predetermined information is included in the series of data, and if the predetermined information is included, the packet or series including the information is included. And a step of executing a predetermined operation based on the application type.

[0053] In order to achieve the above object, a data relay program according to the present invention is installed between devices communicating via a network, and operates on a device that transparently relays data transmitted and received between the devices. A process for receiving a packet addressed to another apparatus from one apparatus, a process for determining an application type of a bucket received using a predetermined application identification method, and the determined application By type Based on the received plurality of packet groups, a series of data is formed, and when the data meets a predetermined condition, at least one of the plurality of packet groups. If one packet is changed and sent to the other device that is the destination, and the predetermined condition is not met, the received plurality of packets are directly sent to the other device that is the destination. And a process of transmitting to the network.

 [0054] In order to achieve the above object, a data relay program according to the present invention is installed between devices that communicate via a network and operates on a device that transparently relays data transmitted and received between the devices. A process for receiving a packet addressed to another apparatus from one apparatus, a process for determining an application type of a bucket received using a predetermined application identification method, the received packet, Alternatively, a process for monitoring whether or not predetermined information is included in a series of data formed based on the received packet, and if the predetermined information is included, the information is included. Storing a packet or a series of data and executing a predetermined operation based on the application type. .

 [0055] In the above contents, in the case of a mail protocol, an illegal packet is a file attached to an email, and the operation of the terminal depends on the OS, a program that executes the file, and a program that operates when the file is expanded. Such as a file that poses a threat. In addition, SYN packets such as SYN floods and packets used in DOS (Denial Of Service) attacks that cause buffer overflow are also illegal packets. Information used at the application level in a file after assembling a plurality of packets, such as an attached file of the above mail protocol. For example, if a virus is included, it is an illegal packet at the application level. It is considered. This is not limited to email, but there are illegal packets at various layers depending on the protocol such as network sharing.

 The invention's effect

[0056] As described above, according to the present invention, the network device according to the present invention can be installed without affecting the network, and between the local terminal and the server in the network and between the local terminal and the WAN. Packet transmission that occurs on at least one of the Received information can be checked, and packets containing information that meets certain predetermined conditions can be extracted and processed.

 BEST MODE FOR CARRYING OUT THE INVENTION

[0057] The best mode for carrying out the present invention will be described below. FIG. 1 shows a connection configuration diagram in the network of the network device 1 according to the first embodiment of the present invention. In FIG. 1, an internal network 9 is connected to an external network via a communication network 4 such as the Internet (registered trademark), and various information related to the network device 1 is stored in the external network. The information storage server 7 is installed in a state where it can be connected to the network device 1. Within the internal network 9, there are routers 2 connected to the communication network 4 and controlling the transmission and reception of information between the internal devices and the devices connected to the external network. The network device 1 can be installed between the router 2 and the switch 3. In this case, the network device 1 monitors information between the router 2 and the switch 3 and monitors communication between the terminals in the LAN and the outside, and cannot monitor information between the terminals in the LAN. It can also be installed as switch 3, and in this case, all the packets flowing through switch 3 can be monitored even if they are information within the LAN of internal network 9.

 [0058] Further, the upper level switch 3 is connected to the next level switch 31, and the switching hub or shared hub 6 is connected to the lower level switch 31, and the PC or server 5 is connected to each of them. Yes. The network device 1 can be installed as the next level switch 31 as described above. Furthermore, the network device 1 can be built in a line connected between the router 2 and the switch 3, for example, a cable represented by categories 5 and 6. As described above, the network device 1 is installed at the location indicated by the arrow between the switch 3, the router 2 and the switch 3, the switch 31, the router 2, the switch 3, 31 and the hub 6. All locations including cables that connect PC5.

FIG. 2 shows a functional block diagram of the network device 1. The network device 1 includes a plurality of lines 12, a packet receiving unit 121 that processes packets received for each line, and a transmission packet. A packet transmission unit 122 for processing packets, a central processing unit 13 having various processing means therein, a storage unit 14 for storing data for performing various processes, and the network device 1 As a man-machine interface function, an input unit 15 that receives an input from an external input device and notifies the central processing unit 13 and a display unit 16 that has a function of displaying notification information from the central processing unit 13 and a display device, When the information corresponding to the specified condition is received, the notification dedicated line 17, which is the line to notify when the information is identified as the received packet or the packet to be transmitted, similarly the information corresponding to the specified condition is The lamp / alarm device 18 that notifies when it is identified is composed of power. Further, the central processing unit 13 is composed of the following means having various functions. Receives and stores data such as system information, data related to the entire system, application information, and data that corresponds to the specified conditions from the input unit 15 or the network. Data input / output means 133 having the function of storing the information in the corresponding area of the unit 14 and retrieving the information from the storage unit 14 when necessary, the packet based on the information acquired from the application identification information file 145 to identify the packet type Application identification means 134 for identifying the packet, packet content checking means 135 having a function of checking the contents of the identified packet and searching for the predetermined information that meets the predetermined condition, and sending the received information to the destination. , Packet processing means 136 having a function to capture the processing of the packet contents Receiving notification means 137 having a function of notifying a predetermined notification destination that predetermined information corresponding to the information has been received, a reception buffer 142 for storing information received by the packet transmission / reception processing means 131, and a transmission buffer for transmission 141, and buffer control means 138 for controlling a buffer such as an assembly buffer 143 that is a buffer for assembling received packets into one message.

The storage unit 14 stores the transmission buffer 141, the reception buffer 142, the assembly buffer 143, and the MAC address that stores information related to connection between the destination MAC address and the line when the received packet is transmitted to the destination. Information table 144, application identification information file 145 for storing information used to identify which application the packet is used in, and bucket with predetermined information corresponding to a predetermined condition from the identified transmission / reception packet System Z line for storing predetermined information 146 for storing predetermined information necessary for further identification of the network, and for line-related data, which is system data used in the entire system and data used for line connection Corresponding data 147.

In addition, information such as a buffer that is constantly rewritten during operation is stored in a RAM (Random Access Memory), and the storage unit 14 stores predetermined information 146, application identification information file 145, and system Z line. Information such as the corresponding data 147 that needs to remain even when the power supply is cut off or momentary power is stored in a flash ROM (Read Only Memory) or hard disk. The input unit 15 may be connected to a keyboard or may be provided with a serial interface so that a serial console can be connected. Similarly, the display unit 16 may have a monitor interface, or may be configured to notify information such as a message using the serial interface.

 Next, data used and the like will be described below. Figure 3 shows the data used by the entire system. As a content, the default notification destination is a predetermined default notification destination that is notified when predetermined information is identified in the packet. For example, the notification dedicated line 17 may be designated. The default update destination is the destination for updating application identification information and predetermined information, such as virus pattern files and inference engines. For example, the domain name is set at the time of factory shipment. .

 [0063] The MAC address stores a MAC address unique to this network device. For example, set your own IP address to a fixed IP address such as “192.168. 10. 10” at the time of shipment from the factory, or you can obtain the address using DHCP (Dynamic Host Configuration Tool). And register the acquired IP address. In addition, a column is provided so that ID and password information can be registered so that operations such as rewriting environment setting data by communicating with the network device 1 can be performed. For example, a default value such as admin / admin is entered.

[0064] The data corresponding to the line is shown in FIG. As a packet check method, set either “real-time” or “after assembly” as the operation mode that can be set for the line. Re Stream check processing is performed when checking in real time, and post-assembly check processing is performed when checking after assembly. For example, “real time” is set as the default value. The application list is for registering applications to be checked on the line. For example, POP, SMTP, FTP, HTTP, etc. are set as check targets as default values. In addition, SMB, CIFS (port number 445), and other applications used for Windows (registered trademark) network sharing can be registered. As shown above, the system data and application data shown in Figs. 3 and 4 can be changed during power operation with default values such as when shipped from the factory.

FIG. 5 shows data corresponding to an application. For each application such as P0P, SMTP, FTP, HTTP, etc., specify "Packet notification method", "IP address used during communication", and rules for operations when receiving and checking packets. “Regulation of operation”, “Information reception notification” and “Predetermined information” for registering a list of destinations to notify when predetermined information is identified in a packet can be registered. Furthermore, the “packet notification method” is configured so that at least one of “packet discard”, “process and send”, “notify alarm device”, and “notify dedicated line for notification” can be selected.

The “IP address used during communication” is configured to register an IP address used when the network device 1 communicates with the outside. “Self IP address”, “Destination IP address”, “Source IP address”, “Specific IP address”, “Notification on notification private line”, etc. can be selected. Alternatively, it can be configured to have a Z-not flag used for the list, expressed as a list.

[0067] The "regulation of operation" includes "whether communication is normally terminated with the transmission destination", "power to notify the destination" that specifies whether the destination is notified that predetermined information has been received, information `` Information modification method '' when sending data with modifications, and specifies the action to be taken when predetermined information is found in the post-assembly check process after assembly that was not detected in the real-time stream check process `` Operation when not found in real time but found in assembly '' and `` Thinning method for realtime detection '' that specify the method of thinning the check when performing real time check can be registered . “Real-time detection thinning method” Is not listed, but there is also an option of “Do n’t skip”. In “Information reception notification”, the notification destination is registered in a list as shown in FIG.

 FIG. 6 shows the configuration of a file that stores MAC addresses of terminals connected to the line when packets are transmitted and received. Figures 7 and 8 show the structure of the IP header and the structure of sent and received messages. Actual communication is performed using the MAC address, but the destination port number in the TCP data in the IP header is referenced to identify the application. For example, POP application uses port number 110, SMTP application uses 25, FTP application uses 20, 21 and HTTP application uses 80.

 [0069] The data structure is divided into a physical layer, a data link layer, a network layer, and a transport layer according to the concept of layering the OSI reference model, and the entity wraps around sending data in each layer. It has become. In all layers, for example, IP (network layer), it consists of header information and information content and trailers (FCS (Frame Check Sequence) in Ethernet, etc.). The header information further includes information such as IP version, header length, service type that defines service priority, packet length, and the like. Since IP is a network layer, it contains the IP address of the sender and the destination IP address, etc., which specify the terminal to communicate with by IP address.

 [0070] TCP, which is a transport layer, has the same configuration. In TCP, information between applications running terminals that communicate with each other is identified by the source port number and destination port number. In this way, there is a communication protocol (communication protocol) for communication between network devices, and information is transmitted and received correctly according to the communication protocol.

 The network device 1 according to the present invention is functionally configured as described above, and the operation thereof will be described below.

 [0072] [Environment setting data registration process]

FIG. 21 shows an operation flow relating to registration of various data. The network device 1 according to the present embodiment has a default value such as power system data having factory default values, data related to application information, data such as predetermined information, for example, serial line power, a system console, a keyboard, etc. Connected to the input section 15 or from the outside It is possible to change the contents by connecting with telnet or ssh (Secure SHell) via the communication network 4.

 FIG. 21 is an operation flow diagram in which the maintenance person connected to the network device 1 changes the contents of the data by the above method. The data registration operation will be described below with reference to FIG. FIG. 21 is a diagram when the system console is connected through, for example, a serial line.

 [0074] When the system console is connected, the network device 1 requests input of an ID and a password in order to change the environment setting data (S21 la). In this operation, if the connection is made via the communication network 4, some kind of encryption processing is required. In the case of ssh, it is encrypted, so the entered ID and password will not be stolen. In the case of the system console, since it is directly connected, the encryption process may be performed, but it is not particularly necessary.

 [0075] The system console receives information for prompting the input of the ID and password (S21 lb), displays the information on the screen, and transmits the ID and password input by the maintenance person (S212b). At the time of this transmission, if communication is performed with the network device 1 using ssh or the like, encryption is performed. The network device 1 also needs to have an ssh function. Receiving the ID and password (S212a), the network device 1 compares the contents with the registered ID and password shown in FIG. 3 (S213a). If NG, create and send NG screen (S 21 4a), return to step S 21 la and repeat the process until the ID and password match. The system console that has received the NG screen displays the screen and returns to step S211b (S213b).

[0076] If the ID and password match, the screen is not displayed, but the setting data for the system unit, line unit, and application unit can be edited and a screen that can be set is created and sent to the system console (S214a) . The system console receives a screen on which data can be edited and set it on the screen (S214b). The contents input by the maintenance person are accepted and the input contents are transmitted to the network device 1 (S215b). The network device 1 receives the input information and performs registration (S215a). Although not shown, network device 1 will send an error screen if an incorrect content or an unacceptable content is entered. The input of the environment setting data is performed as described above. [0077] [2. Packet Transmission / Reception Processing]

 FIG. 9 shows an operation flow when the network device 1 receives a TCP packet, for example. The hardware that performs reception or the firmware that operates on the hardware is periodically activated, and the packet delivered from the line is placed in the reception buffer 142 (S91). Whether the network device 1 uses the MAC address of the destination that uses its own MAC address to communicate with the source address in response to the application when performing processing such as packet response in the receive buffer 142 If the MAC address is not used, communication processing is performed using the destination MAC address (S93). When using your own MAC address, use your own MAC address for communication processing (S94). By doing in this way, even if the network device 1 according to the present invention is installed in an existing network in an already configured network, the communication up to now and the future will be unrelated to the setting of the existing device. It is possible to communicate without affecting the communication. The meaning of having no effect means that there is no effect when IP layer communication is performed, and that there is no effect even if the MAC address is used and the data link layer is not affected. There is a meaning.

 [0078] "For application" means that packets other than registered applications such as POP, SMTP, FTP, HTTP, etc. can be passed through without modifying the MAC addresses of the source and destination. This means that the network device 1 takes in information and performs mediation for the application. However, it must operate without knowing that it is mediating. Therefore, transmission / reception processing of each application is performed “in correspondence with the application”.

[0079] Similarly, the packet transmission process operates periodically, and the destination address is registered with reference to the address information shown in Fig. 6 in order to identify the line connected to the terminal indicated by the destination address. The connected line is specified (S101). The ability to use your own MAC address to send the information in the send buffer to the specified line \ Determines whether to use the destination MAC address (S102) and does not use your own MAC address Transmits without changing the MAC address (S103). When using its own MAC address, communication processing is performed using its own MAC address (S104). By doing in this way, When mediating information in the same way as reception processing, the mediation can be performed without being known at the IP layer or data link layer.

 [0080] [3. Check operation of received packet contents]

 The received packet is processed as shown in FIG. 9 and remains in the reception buffer 142. Figure 11 shows the packet content check operation flow for selecting information from the receive buffer 142, which is described below. First, in order to determine whether the packet stored in the reception buffer 142 is a registered application packet, the registered application information is obtained by reading the line correspondence data shown in FIG. 4 (SI 11). Next, the packet information received from the reception buffer 142 is read (SI 12).

 [0081] Then, it is checked whether the application is registered by checking the TCP destination port number in the contents of the read packet (S113). For example, if POP, SMTP, FTP, HTTP, and CIFS are registered to be checked, the destination port number is 25 (POP), 110 (SMTP), 20 (for FTP data communication), 80 (HTTP), Check whether 445 (CIFS: Windows network share) is specified as the destination port number. If the application shown in Fig. 4 is not set for the destination port number and the value does not match, all the received packets are sent as they are to the line corresponding to the destination MAC address, and the receive buffer is cleared (SI 1A ).

If they match, it is a packet to be checked, and next, the operation mode for each line shown in FIG. 4 is referred to and it is determined whether it is a real-time check (S114). If it is not a real-time check, the contents of the reception buffer are assembled into one message in order to assemble them into one message (S115). This loading is repeated until one message is completed ( _{S 1 16} ). Step S11 when assembly is complete

Proceed to 7 “Activation of content check routine”. When the operation mode is real-time check, the content check routine is started (S117). The content check routine will be described later.

When the process returns from the “content check routine”, the force for which the predetermined information exists is determined from the return value (S 118). If the specified information is not included, the contents of the receive buffer 142 or the contents of the assembly buffer 143 are used as is for the destination MAC address. The transmission buffer is cleared and the reception buffer 142 or assembly buffer 143 is cleared (S11A). If the predetermined information is included, the “packet handling routine” is started (S119). The above operation is repeated for all lines (S 11 B).

The operation of the “content check routine” will be described with reference to FIG. First, it is determined whether or not the operation mode is a real-time check mode (S121). In the case of a real-time check, the check target is the reception buffer 142 (S122). In the case of checking after assembly, the check target is set as the assembly buffer 143 (S123). Predetermined information or information corresponding to the line and application is extracted from the predetermined information 146, and the check target buffer is searched for the acquired predetermined information (S124).

 [0085] It is determined whether or not there is predetermined information (S125). If found, "NG" is returned as a return value and the process is terminated (S126). If not found, the process is repeated until the contents of all the buffers are confirmed (S127), and the process returns to step S124. If all the buffers are searched and not found, “OK” is returned as a return value, and the process is terminated (S128).

 [0086] [4. Operation when a packet including predetermined information is received]

 Next, the “packet handling routine” will be described with reference to FIG. First, it is determined whether the real-time check is performed (S131). In the case of real-time check, the check target is the reception notifier 142 (S132). If it is a post-assembly check rather than a real-time check, the check target is the assembly buffer 143 (S133). It is determined whether or not it is set to process and send the received content to the destination (S134).

In the case of processing transmission, the “processing transmission routine” is started (S 135), and then the process proceeds to step S 136. If it is not processing transmission, it is determined whether to discard the received content (S136). If it is set to be discarded, the contents of the reception buffer 142 or the assembly buffer 143 are discarded and the process proceeds to step S138. If not to be discarded, it is determined whether or not it is set to notify that predetermined information has been received (S138). In the case of notification, a “predetermined information reception notification routine” is started (S139), and the process is terminated. If not notified, the process ends. [0088] [5. Operation to check and send received information to destination]

 Next, the “processing and transmission routine” in which information is transmitted to the destination will be described with reference to FIG. First, a force that is a real-time check is determined (S141). If the post-assembly check is not real time, the process proceeds to step S 151 in FIG. The operation flow for checking after assembly will be described later. In the case of real-time check, a message to be sent to the destination corresponding to each application is acquired (S142). The message to be transmitted to the destination is obtained from the file showing the processing message shown in FIG.

 When notifying the destination, processing is performed according to each application (S 143). In the case of a POP application, the message “Receiving was canceled because an invalid file was found” is set in the body part of the email (S 144) and sent to the destination email address (S 145). In the case of an SMTP application, a message “You are about to send an illegal message” is set in the body of the mail (S146) and sent to the mail address of the sender (S147). In the case of FTP application, set the message “Since an illegal part was found in the file you are trying to acquire and file acquisition was canceled” (S148), and set it to the terminal running FTP according to the FTP protocol. Send (S149). In the case of an HTTP application, the message “Acquiring information has been stopped because fraud has been found” is set according to the HTTP protocol (S14A) and sent to the terminal that is trying to receive the file via HTTP. (S14B). Various other processes can be performed by adding and registering various other applications (S14C, S14D).

An operation flow in the case of the post-assembly check will be described with reference to FIG. First, a message corresponding to the application is acquired from the processing message file shown in FIG. 16, (S151), and then the processing is branched for each application (S153). Since the packet is assembled, all information such as messages or files exist in the assembly buffer 143, and various processing can be performed as processing. In the case of a POP application, the processing method shown in FIG. 17 is obtained (S154). The processing method shown in FIG. 17 may be configured in a format linked from “processing and transmission” in the packet notification method for each application shown in FIG. In this embodiment, four types of processing methods are described. "Send all to destination", "Send everything and add a header indicating that the specified information has been received", "Make mailer that received the MIME part of the attached file not clicked. “Change” and “Transmit everything and add header”.

 The contents of the mail are processed according to the acquired processing method (S155) and sent to the destination mail address (S156). In the case of SMTP, FTP, HTTP application, and other applications, the present embodiment performs the same processing as the real-time check (S157 to S15E are the same as S146 to S14D).

 [0092] [6. Operation for notifying that a packet including predetermined information has been received]

 Next, an operation for notifying that a packet including predetermined information has been received will be described with reference to FIG. First, obtain the IP address to be used when performing the information reception notification to notify that the packet containing the predetermined information has been received from the “IP address used during communication” shown in Fig. 5, which is determined for each application. Determine (S181). The IP address to be used is the “own IP address” fixed by the user or obtained by DHCP, the “destination IP address” specified by the sender, the “source IP address”, and other than the above Select from “specific IP address” specified by the user.

 Although not shown in the drawing, it is possible to provide a flag in the IP address column and turn on the flag of the IP address to be used. In addition, it is assumed that the user can specify multiple IP addresses for “specific IP address”.

 Next, a notification method for notifying that predetermined information has been received is obtained from the file specifying the information reception notification method shown in FIG. 20 (S182). In this embodiment, the following four notification methods are described. First of all, a method of “sending the matched predetermined information itself and a series of all received packets including the contents”, “notifying only the matched predetermined information itself and packets including the contents” Method, “Matched specified information itself and a series of all received packets including its contents.” Method, “Matched predetermined information itself and packets containing its contents. The method is registered.

Next, a notification destination when predetermined information is received is acquired from the “information reception notifier list” shown in FIG. 20 (S183). In the present embodiment, as shown in FIG. There are four destinations, and each information notification method is registered in “Information Notification Method”. For example, in the case of the administrator who is the registrant 1, the email address, webmaster@aaa.bbb.ccc, is registered, and the notification method is “1” as the matching specified information itself and its contents. “Send all received packets in a series including” is selected.

 Next, using the IP address used for the determined notification, the information is notified by the notification method acquired to the destination to be notified. In the present embodiment, it is also possible to make a telephone call in cooperation with the power used for notification by e-mail, such as a telephone, and notify by voice (S184). The above operation is performed for all notification destinations (S185).

 FIG. 22 shows a case where a function is mounted on a switch as a network device according to the present invention.

 The network device 1 according to the present embodiment is a switch, a lamp or alarm device 91 for notifying a person when predetermined information is found in a packet, and a serial line 92 for connecting a line 12, for example, a system console. In addition, when a predetermined information is received, a dedicated notification dedicated line 17 is provided to notify the content of the information. The lamp 91, the serial 92, the notification dedicated line 17, and the line 12 are as described above.

 FIG. 23 shows a network device according to the present invention in which functions are implemented in devices located between networks. As in the case of the switch, it is connected to the lamp or alarm device.

 FIG. 24 shows a network device according to the present invention in which this function is implemented in a cable such as a power category 5, 6 that connects network devices. In this case, when it is necessary to reduce the installed memory size, etc., the minimum necessary executable file and pattern file and information should be stored in the flash ROM, etc., and operation should be performed while constantly acquiring information from the network. Is also possible. In addition, acquisition of information from the network may be performed at the moment when the work is automatically performed, or may be performed automatically and periodically.

 The first embodiment of the present invention is configured and operates as described above.

[0100] According to the present embodiment, a packet including predetermined information, for example, a packet including a virus or the like is excluded from packets flowing on the network without affecting the network. It is possible to obtain and investigate packet information including a specific pattern to be investigated from information flowing in the network. In addition, when the registered information is identified from the packet, it is possible to activate a lamp or alarm device to notify the person. If the packet is an illegal packet such as a virus, it is not known to the sender. It is possible to change the information and notify the destination, or notify the registered destination such as an administrator.

 [0101] As an illegal packet, it is possible to respond not only to viruses but also to DOS attacks and SPAM that cause SYN floods and buffer overflows. It is possible to reduce or reduce traffic to the terminal. This network device is stealth against attacks by unauthorized packets such as those mentioned above, and is attacked without being known to the attacking opponent by operating like a honeypot. It is possible to provide the best method for notifying the target terminal of this. Furthermore, since the matched information can be stored in the network device as it is as described above, it can be analyzed later.

 [0102] Since it is possible to obtain information on the application level that matches the pattern, etc., by providing information at the application level that you want to investigate not only with invalid packets, you can obtain any application level Information can be acquired, stored, and investigated.

 [0103] In addition, the present network device can detect predetermined information without affecting the network regardless of which part of the network is connected, so the software is installed on the existing terminal. Or, it is easy to manage because there is no need to set up the terminal. In addition, since it has the above characteristics, it can be located anywhere in the network in Fig. 1 when it is made into a circuit (chip).

 Furthermore, by checking packets after real-time or after assembly, in real-time, it is possible to operate so that there is no delay in the transmission / reception of information, and accurate checks can be performed after assembly.

[0104] Next, a second embodiment will be described. The second embodiment is different from the first embodiment in that the network device 1 has a function of identifying an application and storing a packet matching the predetermined information 146 as it is in the matching information storage data 148. Different Is a point.

 [0105] The network device 1 opens the communication log stored using a file sharing protocol such as SAMBA or the matching information storage data 148 stored as matching information to a specific user for reference and modification. Etc. are possible. Use your own IP to share files over the network. At this time, it is possible to refer from a terminal in the network.

 [0106] Information is stored in the match information storage data 148 in steps S13A and S13B of the flowchart shown in FIG. 29 showing the operation corresponding to FIG. 13 in the first embodiment. The routine of FIG. 29 is a routine that operates when the contents registered in the predetermined information 146 match the received bucket or application information.

 [0107] The difference from FIG. 13 in the first embodiment is that, in step S13A in the last part of the flowchart, whether or not log information or packets are to be accumulated is registered in a system registration data not shown. If the content is checked with log information or multiple packets at step S13B, the check is performed after assembling the received packet or after assembling the packet. Stores the assembled application information in the match information storage data 148. When sharing data, the matching information storage data 148 portion is released to the network as shared data. It is desirable to manage IDs and passwords when sharing.

 The second embodiment is configured and operates as described above.

 [0108] According to the present invention, the network device 1 obtains a log of all the mail and file sharing information including the acquired virus and information including a predetermined condition, and stores the file itself. This makes it easy to analyze later. It is also possible to store all mail itself. In this case, you can easily carry your mail by making it portable.

[0109] Further, this network device 1 is accessed from the terminal side or the administrator side using a file sharing technology such as SAMBA to back up the file, retrieve the backed up file, or acquire a specific pattern. It is also possible to conduct surveys such as taking statistics of information, including USB ports, serial ports, etc. It is also possible to refer to and acquire a file acquired by using it.

[0110] Next, a third embodiment will be described. In the third embodiment, the network device 1 only identifies the application, and the application information check device 3 determines the application information to be transmitted / received, and the application based on the determination result. -It defines the operations to be performed on the information (data). In the present embodiment, the external application information check device 3 checks the data communicated by the application, but the network device 1 can also have this function.

 [0111] In this embodiment, for example, an e-mail or chat protocol is specified as an application, and the text of the mail, attached information, the text of the chat, and the contents of the transmission / reception information sent to the other party in the mail or chat are packetized. Is assembled, and the assembled application information is transmitted to the application check device 3. The application information check device 3 determines that, for example, if personal information is included in the received application information, the transmission is impossible. Is sent to the network device 1, and the network device 1 performs the operation when it stops transmitting.

 [0112] As check information, text information such as the above personal information and information that should not be disclosed outside the company such as an in-house information database can all be included, including the database.

 The configuration of the application information check apparatus 3 will be described with reference to FIG. FIG. 26 shows a block diagram of the network device 1 and the application information check device 3 according to the third embodiment.

In FIG. 26, the application information check device 3 is connected to the network device 1 via a LAN. The application information check device 3 stores information by transmitting / receiving unit 32 that transmits / receives information to / from network device 1 via LAN, central processing unit 33 that processes information received by transmitter / receiver 32, and information. Storage unit 34, a man-machine interface function, an input unit 35 having a function of inputting information to the application information check device 3 and displaying information from the abrasion information check device 3, a display unit 36 It is made up of [0115] The central processing unit 33 is a transmission / reception processing means (function) 331 for transmitting / receiving information to / from the transmitting / receiving unit 32, information input between the central processing unit 13, the input unit 15, and the display unit 16. Input / output processing means (function) 332 for performing output, and content check means (function) 333 for performing content check of information received from the network device 1 are configured. The storage unit 34 further has a registration content 341 for registering the content to be checked.

 [0116] The apparatus according to the third embodiment is configured as described above, and the operation thereof will be described below with reference to FIGS.

 [0117] Comparing FIG. 26 and FIG. 25, it is found that the application information check device 3 is added. Further, the network apparatus 1 is different in that the predetermined information 146 is not used in the present embodiment. Further, the match information accumulation data 148 leaves only information that is deemed necessary by the determination from the application information check device 3. However, there may be a setting that leaves all depending on the setting.

 [0118] The operation when the network device 1 receives information will be described with reference to the flowchart of FIG. In FIG. 27, the differences from FIG. 11 are the following two parts (A) and (B).

 (A) In step S117, the contents of the packet are checked in network device 1, whereas in FIG. 27, the application information check device is obtained when the application information is assembled in step S277. Notify 3 of the information and wait for a decision.

 (B) As a result, in step S118, the force step S278 that determines the “force in which the predetermined information exists” is determined as “the force that is transmitted as it is as a process”.

 [0119] These are the above two points. If the “send as is” process is not selected in the predetermined step S278, the operation shown in the flowchart of FIG. 12 is performed in the same manner as in FIG. 11 in step S119. In the present embodiment, the same operation as in FIG. 12 may be performed depending on the response from the external application information check device 3.

[0120] In Fig. 27, in step S114, the force is described so that it can also be selected to notify information in real time. When checking application level information, if real-time properties are not required, Assemble the packet without checking in step 1 and obtain the application information. It is also possible to notify the information check device 3. Furthermore, when real-time performance is required, it is possible to notify the application information checking device 3 one by one and check the packets one by one as shown in the flowchart.

[0121] Next, the operation of the application information check apparatus 3 will be described. FIG. 28 shows a flowchart of operations performed by the application information check apparatus 3. Since the “content check” described in the first embodiment is basically performed externally, FIG. 28 performs the same operation as FIG. The different points are the following three points (C) to (E).

 (C) Partial force comparing information registered in predetermined information 146 in network device 1 in step S124 in FIG. 12 Registered in application information check device 3 in step S284 in FIG. The content being compared with registration content 341 is different.

 (D) The difference is that “NG” is returned in step S126 of FIG. 12, and “transmission stop” is notified in step S286 of FIG.

 (E) The place where “OK” is returned in step S128 of FIG. 13 is different from that of “transmission 図” in step S228 of FIG.

 Furthermore, as information in the network device 1, the operation when the above “transmission stop” is received as data used in the system is defined.

 The third embodiment is configured and operates as described above.

[0122] According to the present invention, by identifying an application in advance as information transmitted from the company and registering it in the network device 1, when matching information passes, all the information is stored in an external device. It can be sent to the application information check device 3, and the application information check device 3 can filter the transmission / reception information. That can be prevented.

[0123] Although details of CIFS have not been described in detail, if the CIFS port is registered as a specific application, the Windows sharer, spyware and adware that exploited the file sharing function of Windows will be used. And the like can be blocked. Similarly, in order to protect the network from new threats, it is possible to provide a firewall function that blocks applications not used in the network. Also, de Although it depends on the fault value, by setting the default value appropriately, it is only necessary to register a specific application, for example, to discard or block information sent / received by that application. It is possible to operate automatically without any problem. Industrial applicability

[0124] It can be used for an information network device.

 Brief Description of Drawings

 FIG. 1 is a network configuration diagram in which a network device according to the present invention is installed.

 FIG. 2 is a functional block diagram of a network device according to an embodiment of the present invention.

 FIG. 3 is a configuration diagram of system data included in a network device according to the present invention.

 FIG. 4 is a configuration diagram of line correspondence data included in the network device according to the present invention.

 FIG. 5 is a configuration diagram of application-compatible data included in the network device according to the present invention.

 FIG. 6 is a configuration diagram of address information according to the present invention.

 FIG. 7 is a configuration diagram of an IP header.

 FIG. 8 is a configuration diagram of transmission / reception data using Ethernet and TCP / IP.

 FIG. 9 is an operation flowchart of packet reception according to the embodiment of the present invention.

 FIG. 10 is an operation flowchart of packet transmission according to the embodiment of the present invention.

 FIG. 11 is an operation flowchart of a packet content check routine according to the embodiment of the present invention.

FIG. 12 is an operation flowchart of a content check routine according to the embodiment of the present invention.

 FIG. 13 is an operation flowchart of a packet handling routine according to the present invention.

 FIG. 14 is an operation flowchart of processing transmission (real-time check) according to the present invention.

 FIG. 15 is an operation flowchart of processing transmission (check after assembly) according to the present invention.

 FIG. 16 is a table of processing messages according to the present invention.

 FIG. 17 is a diagram showing types of POP processing transmission (post-assembly check) method according to the present invention.

 FIG. 18 is an operation flowchart of a predetermined information receiving routine according to the present invention.

 FIG. 19 is a diagram showing an information reception notifier list according to the present invention.

FIG. 20 is a diagram showing an information reception notification method according to the present invention. FIG. 21] is a diagram showing a sequence at the time of data registration according to the present invention.

22] This is a diagram when a function is installed in a switch or hub as a network device according to the present invention.

[23] FIG. 23 is a diagram when a function is implemented in a device installed between networks as a network device according to the present invention.

[24] This is a diagram when a function is mounted on a cable for connecting devices as a network device according to the present invention.

25] A functional block diagram of a network device according to the second embodiment of the present invention. FIG. 26] is a functional block diagram of a network device and an application information check device according to the third embodiment of the present invention.

27] is a flowchart showing the operation of a packet content check routine according to the third embodiment of the present invention.

28] This is a flowchart showing the operation of the application information check according to the third embodiment of the present invention.

FIG. 29] is a flowchart showing the operation of a packet handling routine according to the second embodiment of the present invention.

Explanation of symbols

 1 Network equipment

 2 routers

 3 switches

 4 Communication network

 5 PC (personal computer)

 6 Nove

 7 Information storage server

8 Network cable

9 Internal network

12 lines

121 Packet receiver 2 Packet transmitter

, 33 Central processing unit

1 Packet transmission / reception processing means

2, 332 I / O processing means

3 Data input / output means

4 Application identification means 5 Packet content check means 6 Packet processing means

7 Receipt notification means

8 Knuffer control means

, 34 Memory

1 Send buffer

2 Receive buffer

3 Assembly buffer

4 MAC address information table 5 Application identification information file 6 Predetermined information

7 System Z line compatible data 8 Matched information accumulation data

, 35 Input section

, 36 Display

 Notification line

 Lamp / alarm device

1 Transmission / reception processing means

3 Registration content check method

1 Registration details

Claims

The scope of the claims

 [1] A device that is installed between devices that communicate via a network and that transparently relays data transmitted and received between the devices,

 A packet receiving means for receiving a packet addressed to another apparatus from one apparatus; an application identifying means for determining an application type of a packet received using a predetermined application identifying method;

 Based on the application type determined by the application identification unit, a series of data is formed based on a plurality of packet groups received by the packet reception unit, and the data satisfies a predetermined condition. When at least one packet in the plurality of packet groups is changed and transmitted to the other device as a transmission destination, and when the predetermined condition is not met, the plurality of received packet groups And a packet content check means for transmitting the message as it is to the other device as the transmission destination.

[2] The packet content check means is at least one of a stream check process for checking a packet stream in real time based on a packet application type and a post-assembly check process for checking after assembling the packet. 2. The network device according to claim 1, wherein the content of the packet is checked by one process.

 [3] The packet receiving means stores a destination address of the received packet,

 The packet content checking means, when the check is executed by both the stream check process and the post-assembly check process, the force S, the assembly that is not determined to satisfy the predetermined condition in the check by the stream check process. 3. The network device according to claim 2, wherein when it is determined that a predetermined condition is met in the check by the post-check process, the destination address is notified that the predetermined condition is met.

 [4] The packet content check means according to claim 1, wherein, when it is determined that a predetermined condition is satisfied, the packet content check means notifies a predetermined destination address that the predetermined condition is satisfied, when the predetermined condition is satisfied. Network equipment.

[5] The packet content check means notifies a predetermined destination address in advance. 5. The network device according to claim 4, wherein the network device is configured to be able to select which one of the destination IP address of the received packet and its own IP address to use.

 6. The network device according to claim 6, wherein at least one of the plurality of lines of the network device is connected to a network different from a network connected to other lines.

The network device according to 1.

7. The network device according to claim 1, wherein the predetermined condition of the packet content checking means is detection of a computer virus.

[8] In the case where the predetermined application type is a mail protocol and a computer virus is detected by the packet content checking means after assembling the packet,

 The packet content checking means is a process that modifies the MIME (Multipmose Internet Mail Extensions) header of the received packet so that the attached file is unreadable, a process that deletes all the attached files, and an illegal packet received A request for notifying that a computer virus has been detected at a predetermined destination address while sending a received packet to the destination address by executing at least one of the processes of adding a new header indicating The network device according to Item 7.

 [9] Means for determining whether or not the packet received by the packet receiving means corresponds to a predetermined application type, and if the packet is applicable to a predetermined application type, the packet is formed based on the received packet group. 2. The network device according to claim 1, further comprising means for storing the series of data that is recorded.

 10. The network device according to claim 9, wherein the stored series of data is configured to be accessible from an internal network.

 [11] A device installed between devices communicating via a network and transparently relaying data transmitted and received between the devices,

 Packet receiving means for receiving packets addressed to another device from one device;

Application identification means for determining the application type of a packet received using a predetermined application identification method; A means for monitoring whether or not predetermined information is included in a packet received by the packet receiving means or a series of data formed based on the received packet group and a predetermined information is included. And a means for storing a packet or a series of data including the information and executing a predetermined operation based on the application type.

12. The relay device according to claim 11, wherein when the application type is a mail protocol, relaying of mails having the same mail source address and mail destination address is prohibited as the predetermined operation. Network equipment.

[13] A method for transparently relaying data transmitted and received between devices connected via a network,

 Receiving a packet addressed to another device from one device;

 Determining an application type of a received packet using a predetermined application identification method;

 A series of data is formed based on the received plurality of packet groups based on the determined application type, and when the data meets a predetermined condition, the plurality of packet groups If at least one of the packets is changed and transmitted to the other device that is the transmission destination, and the predetermined condition is not met, the received plurality of packets are directly transmitted to the other device that is the transmission destination. A data relay method comprising: transmitting to a device.

[14] A method for transparently relaying data that is installed between devices communicating via a network and transmitted and received between the devices,

 Receiving a packet addressed to another device from one device;

 Determining an application type of a received packet using a predetermined application identification method;

 Monitoring whether or not predetermined information is included in the received packet or a series of data formed based on the received packet;

If the specified information is included, the packet or series of information including that information is included. Storing the data and executing a predetermined operation based on the application type.

[15] A program that is installed between devices that communicate via a network and that operates on a device that transparently relays data transmitted and received between the devices,

 A process of receiving a packet addressed to another device from one device;

 A process for determining the application type of a received packet using a predetermined application identification method;

 Based on the determined application type, a series of data is formed based on the plurality of received packet groups, and when the data meets a predetermined condition, the plurality of data At least one packet in the packet group is changed and transmitted to the other device that is the transmission destination. When the predetermined condition is not met, the plurality of received packet groups are used as the transmission destination as they are A data relay program comprising: a process for transmitting to the other device.

[16] A program that is installed between devices that communicate via a network and that operates on a device that transparently relays data transmitted and received between the devices,

 A process of receiving a packet addressed to another device from one device;

 A process for determining the application type of a received packet using a predetermined application identification method;

 A process of monitoring whether or not predetermined information is included in the received packet or a series of data formed based on the received packet;

 Including a process for storing a packet or a series of data including the information and executing a predetermined operation based on the application type. A data relay program characterized by