JP2001256045A - Method and device for checking computer virus - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a computer virus check system capable of reducing damages of infection due to computer virus via a network. SOLUTION: A storage device to temporarily store packet data to be transferred between a ZC station 10 and the Internet 1 and a gateway 14 with a function to assemble plural pieces of the packet data stored in the storage device in file data by making them correspond to IP addresses in the Internet 1 and local IP addresses in the network 20, to judge whether or not the computer virus exist in the assembled data and to transfer the data in which no computer virus is judged to exist to a subscriber terminal are installed for each user ID of each subscriber terminal in the ZC station 10 connected with GC stations 30, 40 to store plural subscriber terminals (101, 200, 301, 400) to be connected with the Internet 1.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a computer virus check method and apparatus for performing a computer virus check on packet data transferred via a network.

[0002]

2. Description of the Related Art In recent years, the number of personal computers shipped has increased, and the opportunity for individuals to use a worldwide network such as the Internet using personal computers has increased. For this reason, the utilization rate of the network is increasing, and the worldwide network such as the Internet is expanding. With the expansion of this network, the problem of computer virus flooding through the network has arisen. 2. Description of the Related Art In a company, with the spread of a company LAN (Local Area Network), a computer virus check is performed in units of a plurality of terminals in a predetermined device such as an end user terminal or a gateway in the LAN. ing. Also, with the rapid increase of novice users, the lack of awareness of crisis management for network problems such as computer viruses has become a problem at each individual level.

When accessing a network such as the Internet, a terminal connected to a public network or the like, for example,
An ISP (Internet Service Provider) that provides connection to a network via a public network (access network) and P
By connecting with PP (Point-to-Porint Protocol), I
A connection to a network using P (Internet Protocol) can be made. In this case, each user has subscribed to one of a plurality of ISPs that provide different services. Among the users, users who have an interest in and awareness of anti-virus measures use computer software for anti-virus measures to perform computer virus checks on a user-by-user basis.

[0004]

[0005] Computer virus checking software (anti-virus software) sequentially updates the contents of a definition file that defines computer virus identification information, and refers to data in the definition file. Discover new or changed new types of computer viruses. Therefore, when the definition file is updated less frequently, the latest virus may not be found and may be omitted from the inspection. Normally, only a passively transmitted virus is checked, but not actively tracking the source of the virus. In addition, there is a risk that a file infected with a virus may be unintentionally spread via a network or the like. In particular, there is concern about the security of Internet data that is sequentially transferred through the Internet via a plurality of servers. On the other hand, those with a LAN configuration generally perform only a virus check on a mail server and have no flexibility.

[0005] Each individual needs to install anti-virus software on a personal computer and periodically update and check definition files. Therefore, the purchase cost of antivirus software is required. In addition, those who cannot install, set, or repair anti-virus software in the event of a failure could not check for viruses. Furthermore, an installation area for anti-virus software and its definition file is required on the hard disk. Due to the trend of paying for the definition file update, there is a cost for updating the definition file.

In each company, it is necessary for each person in the company to install anti-virus software and periodically update and check the definition file, or check it with a check server. Therefore, in any case, an antivirus software purchase cost is required. Even if checking is performed by a check server provided in the company network (NW), everyone connected to the company network installs anti-virus software on each terminal and unconsciously downloads the virus unless the definition file is updated. Risk of dissemination within. When performing a virus check on a server, if the server is infected, the terminals of all employees are at risk of being infected with the virus. Also, an installation area for anti-virus software and its definition file is required on the hard disk of the check server or each terminal. Similarly to the above, the definition file update is charged, and the definition file update cost is incurred.

An object of the present invention is to solve the above-mentioned various problems in the conventional computer virus check method. More specifically, the present invention is more applicable to data transfer via a network than in the prior art. It is an object of the present invention to provide a computer virus check method and device that can reduce the damage caused by computer virus infection.

[0008]

In order to solve the above-mentioned problems, the invention according to claim 1 provides a first communication network for performing communication using a plurality of first network addresses, and a first network address and a first network address. Is one of a plurality of second network addresses having different assignment forms, and is assigned between a communication terminal that communicates with the first communication network and a communication terminal that communicates with the first communication network. A computer virus check method in a communication system comprising an intervening second communication network that performs communication using a second network address, wherein the plurality of divided data transferred in the second communication network are A first step of temporarily storing the divided data corresponding to the first and second network addresses serving as transfer destinations or transfer sources of the divided data, and a plurality of divided data stored in the first step in the first and second networks. Second process of assembling according to the network address A third step of determining whether a computer virus is present in the assembly data assembled in the second step, and a division corresponding to the assembly data determined to be free of a computer virus in the third step. And a fourth step of transferring data to a transfer destination.

The invention according to claim 2 is characterized in that the second network address is determined for each user identification code assigned to each user of the communication terminal. The invention according to claim 3 is that, in the first step,
When temporarily storing the plurality of divided data, an arrangement of the divided data and a type of a communication protocol of the divided data in the first communication network are stored together. The invention according to claim 4 is that, in the first step,
The type of the communication protocol of the divided data in the first communication network is detected, and the second to fourth steps are executed only when the detected type is a predetermined type. According to a fifth aspect of the present invention, when it is determined that a computer virus is present in the third step, the transfer destination or transfer source communication terminal of the divided data is notified of the fact and the computer virus is determined to exist. A fifth step of performing a process of discarding, temporarily storing, or transferring after performing a computer virus removal process on the divided data and the assembled data corresponding to the assembled data. Features.

According to a sixth aspect of the present invention, there is provided a first communication network for performing communication using a plurality of first network addresses, and a plurality of second network addresses different in assignment form from the first network address. A communication terminal that is assigned to one of them and communicates with the first communication network, and is interposed between the first communication network and the communication terminal and communicates using the second network address. A computer virus check apparatus in a communication system comprising a second communication network and a plurality of divided data to be transferred in the second communication network, the first and second data being a destination or a transfer source of the divided data. Storage means for temporarily storing the divided data stored in correspondence with the second network address; assembling means for assembling the plurality of divided data stored in the storage means in correspondence with the first and second network addresses; Assembly A determination means for determining whether or not a computer virus is present in the data, and a transfer means for transferring the divided data corresponding to the assembly data determined to be free of the computer virus by the determination means to a transfer destination. Features.

[0011]

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS Hereinafter, an embodiment of a computer virus check method and apparatus according to the present invention will be described with reference to the drawings. FIG. 1 is a block diagram showing an example of an embodiment of a virus check system according to the present invention. In FIG. 1, the Internet 1 is connected via a plurality of Internet Service Providers (ISPs) 2 to a ZC station (zone center station) 10 which is an upper-level switching center in a digital network 20. Z
C station 10 is a GC station (group center station) 30, which is a lower-level switching center accommodating a plurality of subscriber terminals,
40 and a plurality of other GC stations (not shown) are connected by digital transmission lines (relay lines) such as optical fibers.

In the configuration shown in FIG. 1, ZC station 10
Routers (or exchanges) 11, 12, and 13 connected to each ISP in the P group 2 by a dedicated line, respectively;
It is connected to a gateway (or gateway server) 14 connected to the routers 11, 12, and 13 and to a router 16 via an internal network 15 on the network 20 side. The GC station 30 includes a router 31 connected to the router 16 of the ZC station 10 via a digital trunk line, and routers 33 and 34 connected to the router 31 via an internal line network 32, respectively. Have been. The GC station 40 includes a router 41 connected to the router 16 of the ZC station 10 via a digital trunk line, a router 43 connected to the router 41 via an internal line network 42,
44.

The router 33 of the GC station 30 is connected via a switching line (public network) 50 such as an ISDN (Integrated Services Digital Communication Network) or a high-speed data communication network, for example, via a LAN 102 in a company 100 as one subscriber. Communication terminals 101, 101, such as a plurality of personal computers,
It is connected to 101. The switching line 50 further includes:
The communication terminal 200 and the SOHO (Small Office Home Offi
ce) and other subscribers 300 are connected to a plurality of communication terminals 301, 301, 301 connected via a LAN 302. On the other hand, the router 34 has an optical line terminal 60
Is connected to the communication terminal 400 via a direct line (dedicated line) 70 constituted by an optical fiber.
Note that the routers 43 and 44 of the GC station 40 are also connected to the GC station 30.
It is assumed that a plurality of subscriber lines (not shown) are accommodated in the same manner as each of the routers 33 and 34 described above.

In the configuration shown in FIG. 1, communication using a global IP address is performed on the Internet 1. On the other hand, in the digital network 20, communication is performed using a regional IP address (regional IP address) different from the global IP address used in the Internet 1. The regional IP address is G
An address set corresponding to each subscriber line accommodated by the C stations 30 and 40, which is dynamically or statically associated with a global IP address used in the Internet 1. For each subscriber line accommodated by the GC stations 30, 40, a telephone number, ISDN
A subscriber identification code (user ID) such as a number is assigned. Therefore, in the digital network 20, the address information of both the global IP address and the regional IP address is included in each packet data to be transferred as address information of a data transfer destination or a transfer source.
Alternatively, it is provided in a plurality of packet data units.

Next, the configuration and functions of the gateway 14 shown in FIG. 1 (or gateways 35 and 36 shown in FIG. 2 to be described later) will be described with reference to FIGS.
FIG. 3 is a block diagram showing a basic configuration of a gateway 500 corresponding to the gateway 14 shown in FIG.
Is a system flow diagram showing the operation. The gateway 500 shown in FIG. 3 refers to a packet capture 501 for inputting packet data, a virus pattern database (DB) 502 for storing and managing computer virus definition information, and virus definition information in the virus pattern DB 502. The collation is performed, and the storage
4, a known virus checker 503 for checking whether the file data is infected with a defined known virus, the packet data input from the packet capture 501, and the packet data before packet division. The storage device 504 for temporarily storing the file data assembled (restored) in the format described above and the information for inferring the unknown virus stored and managed in the unknown virus analogy DB 506 are referred to and collated. Unknown virus checker 505 for inferring and confirming whether the file data stored in the file is infected with an unknown virus, and unknown virus analogy DB 506
And a packet transfer (part) 507 for transferring the packet data stored in the storage device 504.

In the above configuration, the packet capture 5
1, the packet data transferred from the router 11 to 13 or the router 16 is input in the configuration of FIG. 1, and the packet transfer 507 is
The packet data is transferred to the router 16 or the routers 11 to 13. At this time, the packet capture 501 converts the input plurality of packet data into a packet array of the packet data, a destination and a source IP address of the packet data, a communication protocol of the packet data on the Internet, and each subscription. The user line is associated with the user ID of the user line (100, 200, 300, 400 in FIG. 1) and stored in the storage device 504. The communication protocol stored here includes at least, for example, WW
HTTP (HyperText Tran), a protocol for communication between W (World Wide Web) clients and servers
sfer Protocol), FTP (File Transfer Protocol) which is a protocol for performing file transfer, and POP which is a protocol for downloading e-mail
(Post Office Protocol), SMTP (Simple Mail Transfer P), a protocol for sending e-mail
rotocol) and other information that defines information transfer control in the application layer such as various protocols used for moving image distribution. In addition, the known virus checker 50
3 and the unknown virus checker 505 check the communication protocol of each file when performing a virus check. For example, for an e-mail, the virus check is performed on the body and the attached file. Has a selection function of selecting execution / non-execution of a virus check by a communication protocol such as not performing a virus check.

Next, referring to FIG.
The operation of 0 will be described. FIG. 4 shows the Internet 1
FIG. 3 is a system flow diagram showing processing when packet data is transferred from a server (not shown) to each subscriber (100, 200, 300, and 400 in FIG. 1).
First, in the packet capture 501, input processing of the transferred packet data is performed to confirm a user ID, a packet arrangement, and a communication protocol corresponding to each packet data (S601), and temporarily stored in a buffer such as a semiconductor memory. After the saving, the information is saved in the storage device 504 for each user ID (S602). Next, the storage device 5
When the packet data stored in the packet data 04 is associated with the source and destination IP addresses and the user ID assigned to the packet data, and by referring to the packet array of the packet data, the image file , An executable file, a script file, or the like (S603). Next, the known virus checker 503 and the unknown virus checker 505
Performs a virus matching process on the assembled file to check whether or not the file is affected by a virus (S604). Here, with respect to the file confirmed not to be affected by the virus, the corresponding packet data is transferred to the user ID destination in the packet transfer 507 (S605). On the other hand, if a file is found to be affected by a virus, the file is forcibly destroyed, temporarily saved, or removed according to the user's pre-registered processing settings. Is performed (S606).
When the forced destruction is performed, the file is destroyed, and a notification that the file is destroyed is sent to the user ID destination (S607). When performing temporary storage, the file is temporarily stored in the storage device 504 as it is, or the file is temporarily stored again in another area, and the user ID is stored.
A notification that the file has been temporarily saved is given first (S6).
07). In this case, according to the instruction from the user ID source,
Processing such as discarding, virus removal and transfer is further performed. When the virus removal is performed, after the virus removal is performed, a notification to the effect that the virus removal has been performed is performed to the user ID destination (S609), and the file data after the removal is transmitted to the user ID destination in a packet. Is transferred (S61
0).

According to the above operation, according to the gateway 500 of FIG. 3, for example, in the system shown in FIG. 1, each of the subscribers 100, 200, and 200 connected to the Internet 1 through the ISP group 2 using the local IP. 300,4
00, each subscriber 100,
It is possible to provide a service for performing a virus check in the digital network 20 on file data transferred to the packets 200, 300, and 400. Each subscriber (reference numerals 100, 200, 30 in FIG. 1)
(0,400), the virus check is performed on the file data transferred from the packet to the Internet 1 in steps S605 and S6 in FIG.
The transfer destination of the 10 packet data is changed to a server or a client in the Internet 1.

Next, a modification of the embodiment of the virus check system shown in FIG. 1 will be described with reference to FIG. 1 and 2 are given the same reference numerals and description thereof is omitted. In the embodiment of the virus check system shown in FIG. 2, the ZC station 10a (the ZC station 10 in FIG. 1) is used.
Instead of providing a gateway having a virus check function (corresponding to gateway 14 in FIG. 1) in GC stations 30a and 40a (GC stations 30 and 4 in FIG. 1).
Gateways 35 and 45 having a virus check function are additionally provided in all other GC stations. The gateways 35 and 45 have a basic configuration for virus checking as shown in FIG. 3 as a gateway 500. The gateway 35 is provided between the router 31 and the internal network 32. It is provided between the router 41 and the internal network 42. In the embodiment shown in FIG. 2, a gateway for anti-virus is installed in all the GC stations in the digital network 20.
It is possible to provide a virus check service to all users connected to the server.

The configuration of the embodiment of the present invention is not limited to the above-described one. For example, a virus countermeasure gateway is provided in the ZC station, and a part of a plurality of GC stations connected to the ZC station has a virus. It is possible to appropriately change the configuration such as including a gateway for countermeasures (the gateway 500 in FIG. 3), or changing the configuration of the gateway 500 to a configuration in which the virus check portion is performed in another server. Further, when a virus is found, it may be possible to further save information on the address of the transfer source of the packet data. This can be used, for example, when tracking a virus source. The functions of the gateway 500 described with reference to FIGS. 3 and 4 can be realized by a computer and a software program. In this case, the software program includes a computer-readable recording medium or a communication line. It is possible to distribute via.

According to the above embodiments, the following effects can be obtained. For example, an access network such as a regional network (digital network 20) regardless of the ISP to join
All users who use the service will be able to receive the virus-checked communication service. Further, the check rate of the NW distribution data is dramatically increased as compared with the conventional case. Because virus definition files are always updated, unique services can be provided to all users. The possibility of systematic service provision and tracking of virus sources is increased. Virus check is performed at the time of transmission as well as at the time of reception.
The next damage can be stopped. The emergence of secure NWs will further accelerate the expansion of the Internet. Virus checking is performed on access network parts other than the mail server, and the scalability to other applications is wide. Since virus intrusion from NW has been checked, there is no need to install anti-virus software or to periodically update definition files, except in the case of intrusion from media such as FD (floppy (registered trademark) disk). The labor, cost, and storage area for installation are reduced or unnecessary. In addition, there is no need to check for viruses or update definition files for viruses from outside the network, and users in LANs that do not check for viruses are not at risk of infection and may become a source of infection without their knowledge. Lower. N
Since virus intrusion from W has been checked, there is no need to install anti-virus software, and no server or area is required except in the case of intrusion from a medium such as FD.

[0022]

According to the present invention, a second communication which is interposed between a first communication network (Internet 1) and a communication terminal and performs communication using a second network address (area IP address). Since the computer virus can be checked on the network (digital network 20), it is possible to reduce the damage caused by the computer virus via the network as compared with the related art.

[Brief description of the drawings]

FIG. 1 is a block diagram showing a system configuration of an embodiment of a computer virus system according to the present invention.

FIG. 2 is a block diagram showing a system configuration of another embodiment of the computer virus system according to the present invention.

FIG. 3 shows a gateway 50 corresponding to the gateway 14 shown in FIG. 1 and the gateways 35 and 45 shown in FIG.
FIG. 3 is a block diagram showing a configuration of a 0.

FIG. 4 is a system flow diagram for explaining an operation of the gateway 500 of FIG.

[Explanation of symbols]

1 Internet 10 ZC station 20 Digital network 30, 40, 30a, 40a GC station 14, 35, 45, 500 Gateway (with virus check function)

 ──────────────────────────────────────────────────続 き Continuing on the front page (72) Inventor Fumihiko Soma 3-19-2 Nishishinjuku, Shinjuku-ku, Tokyo East Japan Nippon Telegraph and Telephone Corporation (72) Inventor Yoko Ushikawa 3-19 Nishishinjuku, Shinjuku-ku, Tokyo No. 2 Tonichi Nippon Telegraph and Telephone Co., Ltd. Nishi-Shinjuku 3-chome 19-2 Tohoku Nippon Telegraph and Telephone Corporation (72) Inventor Masanobu Hosokawa 3-19-2 Nishi-Shinjuku, Shinjuku-ku, Tokyo Tohoku Nippon Telegraph and Telephone Corporation F-term (reference) 5B076 FD08 FD09 5B089 GA31 GB01 KA17 KB13 KC47 5K030 GA12 HD03 JA10 KA02 LD11 9A001 CC03 CC06 CZ08 JJ25 LL04

Claims (6)

[Claims] 1. A first communication network for performing communication using a plurality of first network addresses, and a plurality of second communication networks having different allocation forms from the first network addresses.
Assigned to one of the network addresses
And a second communication network interposed between the first communication network and the communication terminal and communicating using a second network address. The computer virus check method according to claim 1, wherein the plurality of divided data transferred in the second communication network are:
First and second transfer destinations or transfer sources of the divided data
A first step of temporarily storing the divided data stored in the first step in association with the first and second network addresses; a second step of assembling the plurality of divided data stored in the first step in correspondence with the first and second network addresses. A third step of determining whether or not a computer virus is present in the assembled data assembled in the step of transferring the divided data corresponding to the assembled data determined to be free of the computer virus in the third step And a fourth step of transferring the data to a destination. 2. The computer virus check method according to claim 1, wherein the second network address is determined for each user identification code assigned to each user of the communication terminal. 3. In the first step, when temporarily storing the plurality of divided data, an array of the divided data and a type of a communication protocol of the divided data in a first communication network are stored together. The computer virus check method according to claim 1 or 2, wherein 4. In the first step, a type of a communication protocol of the divided data in a first communication network is detected,
3. The computer virus check method according to claim 1, wherein the second to fourth steps are performed only when the detected type is a predetermined type. 5. When it is determined in the third step that a computer virus is present, a notice is sent to a transfer destination or transfer source communication terminal of the divided data, and the assembly is determined to be present. A fifth step of performing any one of processing of discarding, temporarily storing, or performing computer virus removal processing on the divided data and the assembled data corresponding to the data is performed. Any one of claims 1 to 3
Computer virus check method described in section. 6. A first communication network for performing communication using a plurality of first network addresses, and a plurality of second communication networks having different allocation forms from the first network addresses.
Assigned to one of the network addresses
And a second communication network interposed between the first communication network and the communication terminal and communicating using a second network address. A plurality of divided data transferred in the second communication network,
First and second transfer destinations or transfer sources of the divided data
Storage means for temporarily storing a plurality of divided data stored by the storage means in association with the first and second network addresses; and assembly data assembled by the assembly means. Determining means for determining whether or not a computer virus is present in the apparatus; and transferring means for transferring the divided data corresponding to the assembled data determined to be free of the computer virus to the transfer destination by the determining means. Computer virus checker.