JP2003281003A - Support method for guaranteeing operation of system - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To guarantee the operating property of communication or the like in a network system by suppressing the spreading of a computer virus even though no virus-disinfection tool is distributed. <P>SOLUTION: When a computer virus spreads, 'pass rejection' is stored in access control information 53 for a destination service number 1002 used by the computer virus in a communication packet as switching of access control of a pass service (S1406), and 'pass permission' is stored in access control information 55 for a substitute service number 54 (S1407). Thereby, the communication packet of the computer virus is interrupted and the communication packet of the substitute service number is filtered out. 'Substitute' showing selection of the substitute service number as a service number used by a normal application program is stored in service selection 74 as a switching operation to a substitute service (S1409). By doing this, a substitute service number 73 subjected to the 'pass permission' is thereafter used to perform communication. <P>COPYRIGHT: (C)2004,JPO

Description

Detailed Description of the Invention

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a technique for suppressing the spread of computer viruses in a system consisting of electronic computers connected to a network and for guaranteeing the operability of communication and the like in the network system.

[0002]

2. Description of the Related Art In recent years, measures against dissemination of computer viruses such as worms in corporate information systems have become an important issue. BACKGROUND ART Conventionally, in order to prevent the spread of computer viruses such as worms, antivirus software provided by each company is used to detect and remove computer viruses, and to repair infections.

[0003]

As the information system using the Internet technology is used as the infrastructure for corporate activities, there is a demand for a network system capable of operating steadily even when a computer virus such as a worm spreads. Has been.

However, when a computer virus dissemination measure is taken using the above-mentioned conventional technique, the disinfection tool is distributed to prevent the dissemination by applying a corresponding computer virus disinfection tool. Cannot prevent the spread of. In addition, unless countermeasures are taken on all systems, the increase in traffic that accompanies the spread of computer viruses cannot be suppressed, and as a result, systems that are not affected by computer viruses cannot be used. There is a problem that it is not possible to guarantee the operability of.

The object of the present invention is to solve the above problems, to prevent the spread of computer viruses even if a computer virus removal tool is not distributed, and to guarantee the operability of communication and the like in the network system. And

[0006]

In order to solve the above-mentioned problems, the present invention uses the following means as a system operation guarantee support method for a network system composed of one or more devices using an electronic computer. It is achieved by (1) Detection of abnormal traffic Detects traffic generated by computer viruses such as worms. If a traffic pattern different from the normal state occurs above a threshold value, or if the traffic is identified from the initial analysis information related to the computer virus. (2) Switching of destination service number The destination service number used by the traffic detected in the first step is switched to the alternative service number used when a computer virus is spread. (3) Switching access control of passing service Only the traffic of the alternative service number selected in the second step is passed, and the traffic of the destination service number detected in the first step is stopped.

By these means, even when a computer virus such as a worm spreads in the target network system, the spread can be suppressed and the operability of the system can be secured.

According to the system operation guarantee support of the present invention,
Computer virus disinfection tools have been distributed because it stops traffic related to computer viruses such as worms and allows only traffic used by legitimate application programs to pass by simply switching the system operation guarantee support device to an alternative service state. It is possible to prevent the computer virus from spreading and to ensure the operability of communication in the network system.

[0009]

BEST MODE FOR CARRYING OUT THE INVENTION A first embodiment of the present invention will be described below with reference to the drawings.

FIG. 3 is a schematic diagram of a network system for system operation guarantee support to which this embodiment is applied. System operation guarantee support devices 31a and 31b, and server device 32
Computers such as a and the client device 32b are connected via the network 33a. The system operation guarantee support device 31b has a configuration in which the server device mechanism is incorporated into the device.

FIG. 1 is a schematic configuration diagram of a system operation guarantee support device 31. System operation guarantee support device 31 is CPU1
1, memory 12, external storage device 1 such as hard disk device 1
3, a communication device 14 connected to a network, an input device 15 such as a keyboard and a mouse, a display device 16 such as a display, access data to a portable storage medium such as an FD, a reader 17 and the above-mentioned components It can be built on an electronic computer provided with an interface 18 that controls data transmission and reception between them. The external storage device 13 stores a configuration information management program 133 for constructing the system operation guarantee support device 31 on an electronic computer, an application program 136 operating on the device, and the like.

The CPU 11 executes the configuration information management program 133 loaded on the memory to control the entire process of the operation guarantee support apparatus. Illegal packet monitoring unit
112 detects a packet that matches the database 131 in which the pattern information of the illegal packet is stored. Input control unit 1
Reference numeral 11 controls the input device 15 and the display device 16 to receive instructions from the administrator of the operation guarantee support device and display the output thereof. The configuration information management program 133 works in cooperation with the packet monitoring unit 112 and the input control unit 111 to extract the configuration information used when the computer virus spreads from the database 134 that stores the system configuration information when the computer virus spreads. Data transfer program 13
By setting the configuration information in 2, the traffic is controlled so as to prevent the spread of computer viruses.

FIG. 2 is a schematic configuration diagram of an electronic computer 32 that uses a network system such as a client device and a server device. Here, components having the same functions as those of the system operation guarantee support device 31 shown in FIG. 1 are designated by the same reference numerals. External storage device 13 of client / server device 32
An application program 136 that runs on the device and a configuration information management program 133 are stored in. The CPU 11 executes the configuration information management program 133 loaded on the memory to control the process of the entire client / server device, and executes the application program 136 under the process control, so that the individual server device 32a has To provide services.

FIG. 10 shows an example of a communication packet used in the network system of this embodiment, which is a packet format used when transmitting from the client device 32b to the server device 32a. A column 1001 stores a destination address which is a logical address of the server device 32a on the network, and a column 1003 stores a source address which is a logical address of the client device 32b on the network. A column 1002 is a destination service number, a number for uniquely identifying a service provided by the server application program on the server device 32a, and a column 10
A source service number 04 stores a number that uniquely identifies the service of the client application program on the client device 32b.

5 to 6 show a system operation guarantee support device 31.
An example of the configuration information database 134 regarding the access control information of the transit service used in a and 31b is shown.

FIG. 5 is a database in which the access control information of the transit service when the computer virus is not being spread is stored. In column 51a, the name and column that uniquely identify the service of the server application program
The service number in the same row is stored in 52a, and the identification number of the service that is used when the computer virus is not spreading is stored in the column 53a. Access control information for the default service number used in the service name in the same row is stored in column 53a. Since the virus is not spreading, "allow" indicating "permit to pass" is stored. This is the destination service number 100
It means that the passage of the communication packet in which the value “80” is stored in 2 is permitted. In column 54a, the service name in the same row is the identification number of the service used during computer virus spread, and in column 55a, the access control information for the alternative service number used by the service name in the same row is not spread. Therefore, "de
"ny" is stored. This means that the passage of the communication packet in which the value “9080” is stored in the destination service number 1002 is rejected.

FIG. 6 is a database that stores access control information of transit services when a computer virus is spreading using traffic related to the service name http. Each column of FIG. 6 is shown in FIG. Corresponds to each column. The column 53b is access control information for the default service number used by the service name in the same row. Service name
Since the computer virus is spreading using the traffic related to http, the access control for the default service number 52b used by http stores "deny" indicating "passage denied", and other default service numbers 52b.
The access control for b is "allow", which means "pass through"
Is stored.

The column 55b is access control information for the alternative service number 54b used by the service name in the same row. Since the computer virus has spread using the traffic related to http, the alternative service used by http Access control for number 54b is "passing permission"
Is stored, and access control for the other alternative service numbers 54b is "d", which indicates "rejection".
"eny" is stored. This means that the communication packet in which the value “80” is stored in the destination service number 1002 transmitted by the computer virus is blocked, and the communication packets of other application programs are passed.

FIG. 7 shows a system operation guarantee support device 31a, 31.
b and the configuration information database 134 regarding the service selection state used in the client / server devices 32a and 32b
An example is shown. FIG. 7 is a database that stores service numbers and service selection states used by application programs when a computer virus is spreading using traffic related to the service name http.

A column 71 is a name for uniquely identifying the service name of the server application program, a column 72 is a service number used when the service name in the same row is not being used for computer virus diffusion, and a column 73 is the same row. The service name is the alternative service number used during computer virus spread, column 74 stores the service selection state used by the service name in the same row, and the computer virus spreads using traffic related to the service name http. Therefore, "alternative" is stored as the service selection state value for the service name http, and "default" is stored as the service selection state value for other service names.

The service number corresponding to the service selection value 74 selected here is the destination service number 10 of the communication packet.
In the network system of this embodiment, the legitimate application program is the service name because it is stored in 02.
For http, the alternative service number "9080" is used as the destination service number 1002, and in https which is one of the other services, the default service number "443" is used as the destination service number 1002. However, since the configuration change information is not provided to the computer virus, the computer virus continues to use the value "80" as the destination service number 1002 of the communication packet for the service name http.

A system operation guarantee support device 31a having the above configuration,
The operation of 31b will be described.

FIG. 14 is a flow chart for explaining the operation of the system operation guarantee support devices 31a and 31b when a computer virus spreads. Along with the spread of computer viruses, it is determined whether to switch the service state to prevent the spread using the unauthorized packet monitoring unit 112 or by the administrator's judgment (step S1401).

When the spread of computer viruses is detected using the unauthorized packet monitoring unit 112, data packets are monitored (step S1402), and unauthorized packets similar to the patterns registered in the unauthorized packet pattern database 131 are detected for a certain period of time. If more than the threshold value is detected within the range, it is determined that the computer virus is spreading (step S140).
3), access control switching of transit service (step S14
05 to S1407) and switching to the alternative service (S1408 to S1409).

As a switching operation of the access control of the transit service, the destination service number 1002 used by the computer virus in the communication packet is searched from the default service number 52 of the access control information database of the transit service.
(Step S1405), stores "deny" indicating "passage refusal" in the access control information 53 for the default service number 52 in the corresponding row that matches the search result (step S1406), and stores it in the access control information 55 for the alternative service number 54. It stores "allow" indicating "passing permission" (step S1407). As a result, the system operation guarantee support devices 31a and 31b located between the client device 32b and the server device 32a block the communication packet in which the computer virus sets the default service number to the destination service number 1002, and the destination service number. Only communication packets for which the alternative service number is set in 1002 are passed.

Next, as a switching operation to the alternative service, the destination service number 1002 used by the computer virus in the communication packet is searched from the default service number 72 of the service selection state database (step S1408),
“Alternative” indicating the selection of the alternative service number is stored in the service selection 74 of the corresponding row that matches the search result (step S14).
09).

On the other hand, in step S1401, if the administrator selects "perform", the administrator manually performs switching (S1405).

FIG. 15 is a flow chart for explaining the operation of the system operation guarantee support devices 31a and 31b at the time of computer virus diffusion convergence.

When the computer virus is converged, it is determined whether the service state is switched to return the service state to the normal state by using the illegal packet monitoring unit 112 or by the administrator's judgment (step S1501). .

When detecting the convergence of the computer virus using the illegal packet monitoring unit 112, the data packet is monitored (step S1502), and the illegal packet similar to the pattern registered in the illegal packet pattern database 131 is detected for a predetermined time. When no more than the threshold value is detected within the range, it is determined to be converged (step S1503), the access control of the transit service is restored (step S1505), and the service is switched to the default service (S1506). As a return operation of the access control of the transit service, "allow" indicating "permit" is stored in the access control information 53 for the default service number 52,
The access control information 55 for the alternative service number 54 stores “deny” indicating “passage refusal”. Next, as a switching operation to the default service, “default” indicating the selection of the default service number is stored as the service selection 74. On the other hand, in step S1501, if the administrator selects to do so, the administrator will manually switch.
(S1504).

The client / server device 32a having the above configuration,
The operation of 32b will be described.

FIG. 16 is a flow chart for explaining the operation of the client / server devices 32a and 32b when a computer virus spreads. With the spread of the computer virus, it is determined whether the switching of the service state for suppressing the spread is performed using the notification from the system operation guarantee support devices 31a and 31b or by the user's judgment (step S1601).

When the service status is switched using the notifications from the system operation guarantee support devices 31a and 31b, the switching notification message is monitored (step S1602), and when the switching notification message is received, switching to the alternative service (S
1604 to S1605). In switching to the alternative service, the destination service number 1002 used by the computer virus in the communication packet is searched from the default service number 72 of the service selection status database (step S1604), and the service selection 74 of the corresponding row matching the search result is searched. "Alternative" indicating the selection of the alternative service number is stored as (step S160).
Five).

After the switching operation to the alternative service is completed, when the service of the regular application program is used thereafter, the system service guarantee support device 31a, 31a, instead of the default service number 72 in the destination service number 1002 of the communication packet. In step S1407 of 31b, the alternative service number 73 "passed" is set as the access control information 55 and communication is performed.

According to this embodiment, the following effects are obtained. (1) When the service state of the system operation guarantee support is switched to a state in which the spread of computer viruses is suppressed, communication packets used by computer viruses are blocked.
Therefore, the spread of the computer virus can be suppressed. (2) When the service status of the system operation guarantee support is switched to the status of suppressing the spread of computer viruses, the legitimate application program communicates using the alternative service number. Therefore, the communication packet used by the computer virus can be blocked, and the communication service of the legitimate application program can be guaranteed. (3) The system status guarantee support service status switching is linked to the malicious packet monitoring function such as the intrusion detection system. Therefore, automatic switching of service status can be realized, and early response to the spread of computer viruses becomes possible.

A second embodiment of the present invention will be described below with reference to the drawings. The second example is an example showing that only a specific application program can switch to an alternative service.

A schematic diagram of the network system of FIG. 3, a schematic configuration diagram of the system operation guarantee support device 31 of FIG. 1, a schematic configuration diagram of the electronic computer 32 of FIG. 2, a communication packet format of FIG. 10, and FIGS. System operation guarantee support device 31a, 31b
The database for access control information of transit service used in, the flow diagram for explaining the operation at the time of computer virus diffusion and convergence of FIGS.
Same as Example 1.

8 to 9 show a system operation guarantee support device 31.
An example of the configuration information database 134 used in a, 31b and client / server devices 32a, 32b is shown.

FIG. 8 shows a database in which applications that can use the system operation guarantee support mechanism are registered. A column 81 stores a name that uniquely identifies an application program that can use the system operation guarantee support mechanism of this embodiment.

FIG. 9 is a database in which service numbers used by application programs and service selection states are stored for each server. Computer viruses are spread to the testserv server 32a by using traffic related to the service name http. It is the setting when it is. A logical address on the network that uniquely identifies the server in column 91a, a name that uniquely identifies the service name of the server application program in column 92a, and a service name in the same row in column 93a that is not in the state of computer virus diffusion The service number used in the above, the column 94a stores the alternative service number used by the service name in the same row during computer virus spread, and the column 95a stores the service selection state used by the service name in the same row.

Service name htt for testserv server 32a
Because the computer virus is spreading using the traffic related to p, the service name http of the testserv server 32a is "alternative" as the service selection status value, and other servers and service names have the service selection status value "default". Is stored. The service number corresponding to the service selection value 74 selected here is stored in the destination service number 1002 of the communication packet, and the testserv server 32
The logical address on the network of a is the destination address 1001
In the network system of this embodiment, the alternative service number “9080” is used as the destination service number 1002 for the service name http of the testserv server 32a, and the destination service number 1002 is used for the service name http of other servers. The default service number "80" is used as. However, since the configuration change information is not provided to the computer virus, the computer virus continues to use the value “80” as the destination service number 1002 of the communication packet for the service name http of the testserv server 32a. Although http is taken as the service name in the present embodiment, other service names such as electronic mail and file transfer can be similarly processed.

The client / server device 32a having the above configuration,
The operation of 32b will be described.

FIG. 17 is a flow chart for explaining the communication operation using the alternative service numbers of the client / server devices 32a and 32b when the computer virus spreads. In the communication using the alternative service, first, in order to determine whether or not the support function by the application program can be used, it is confirmed whether or not the database 81 in which the application that can use the system operation guarantee support mechanism is registered is registered (step S1701). If registered, the system operation guarantee support mechanism can be used, the server 91a and the service name 92a with which the application program wants to communicate are searched for, and the selection value 95a of the service selection of the corresponding row that matches the search result is extracted (step S1702). ).

If the selected value 95a is "alternative", the destination service number 1002 of the communication packet is set to the alternative service number 94a of the corresponding line (step S1703), and the packet is transmitted (step S1705).

On the other hand, when the selected value 95a is "default", the default service number 93a of the relevant line is set as the destination service number 1002 of the communication packet (step S1704) and the packet is transmitted (step S1705).

On the other hand, an application that can use the system operation guarantee support mechanism is a database.
If it is not registered in 81, the default service number 93a of the corresponding line is set to the destination service number 1002 of the communication packet (step S1704), and the packet is transmitted (step S1705).

According to this embodiment, there are the following effects. (1) When the service state of system operation guarantee support is switched to a state in which the spread of computer viruses is suppressed, only pre-registered legitimate application programs communicate using the alternative service number. For this reason,
Computer viruses can be prevented from spreading using alternative service numbers.

A third embodiment of the present invention will be described below with reference to the drawings. The third embodiment is an embodiment in which a plurality of system operation guarantee support devices 31a and 31c are used in multiple stages.

A schematic configuration diagram of the system operation guarantee support device 31 of FIG. 1, a schematic configuration diagram of the electronic computer 32 of FIG. 2, a communication packet format of FIG. 10, a system operation guarantee support device 31a of FIGS. The database regarding the access control information of the transit service used in 31b, and the flowcharts for explaining the operations at the time of computer virus diffusion and convergence in FIGS. 14 to 15 are the same as those in the first embodiment.

FIG. 4 is a schematic diagram of a network system for system operation guarantee support to which this embodiment is applied. Computers such as devices 31a and 31c for supporting system operation guarantee, server devices 32c and 32e, and client device 32d are connected via networks 33b, 33c and 33d.

FIG. 11 shows an example of the configuration information database 134 used by the system operation guarantee support device 31c. Figure 11
When the system operation guarantee support devices are configured in multiple stages, the transfer destination server 1101, as a field in which the system operation guarantee support device to be transmitted next can be designated.
It is a database in which a service number used by an application program and a service selection state are stored for each server, to which a transfer destination service number 1102 is added. testserv
2 It is set when the computer virus is spreading to the server 32e by using the traffic related to the service name http.

A column 91b is a logical address on the network for uniquely identifying the server, and a column 92b is a name for uniquely identifying the service name of the server application program.
In column 93b, the service number in the same row is used when the computer virus is not being spread.In column 94b, the service name in the same row is an alternative service number used during computer virus spread. In the column 95b, the same line is used. The service selection state used by the service name of is stored, and when using the system operation guarantee support device configured in multiple stages,
“Transfer” is stored as the service selection state.

Service name ht for testserv2 server 32e
Since the computer virus is spreading using the traffic related to tp, the service selection state value of the service name http of the testserv2 server 32e is "Forward", and other servers and service names have the service selection state value of "Default". Is stored. When “transfer” is stored as the service selection status value in the column 95b, the server transferring the communication having the service name in the same row in the column 1101 and the column 1102 in the column 1101.
The service number for transferring the communication having the service name on the same line is stored in the.

When the system operation guarantee support device has a multi-stage configuration such as passing from 31c to 31a, in the client device 32d, the service name http of the testserv2 server 32e is "testserv2" as the destination server 1001 and the destination service number 1002. A communication packet in which the alternative service number "9080" is set is transmitted. For this communication packet, in the system operation guarantee support device 31c, the transfer destination server "map1" in the column 1101 is set to the destination address 1001 of the communication packet, and the transfer destination service number "80" in the column 1102 is set to the communication packet destination service number 1002. After setting “,” an encapsulation format is used in which the original communication packet transmitted by the client device 32d is stored in the data portion 1005 of the communication packet.

The communication packet on the network 2 (33c) is
The transfer destination server “map1” is set as the destination address 1001 and the transfer destination service number “80” is set as the destination service number 1002. This communication packet is further decapsulated in the system operation guarantee support device 31a to be an original communication packet. Network 3
The communication packet on (33d) shows "tes
tserv2 ”, and a communication packet in which the alternative service number“ 9080 ”is set as the destination service number 1002 is transmitted. However, since the configuration change information is not provided to the computer virus, the computer virus sends the communication packet destination address for the service name http of the testserv2 server 32e.
You will continue to use "testserv2" as 1001 and the value "80" as the destination service number 1002, network 2
(33c) will not be sent.

According to this embodiment, there are the following effects. (1) When the service status of the system operation guarantee support is switched to a status that suppresses the spread of computer viruses, and "rejection" is set as the access control for the alternative service number in network 2 (33c) Moreover, it is possible to block the communication packet used by the computer virus and guarantee the communication service of the legitimate application program.

A fourth embodiment of the present invention will be described below with reference to the drawings. The fourth embodiment is an embodiment showing that it is possible to switch to an alternative service by rewriting the URL.

A schematic diagram of the network system of FIG. 3, a schematic configuration diagram of the system operation guarantee support device 31 of FIG. 1, a schematic configuration diagram of the electronic computer 32 of FIG. 2, a communication packet format of FIG. 10, and FIGS. System operation guarantee support device 31a, 31b
The database for access control information of transit service used in, the flow diagram for explaining the operation at the time of computer virus diffusion and convergence of FIGS.
Same as Example 1.

FIG. 12 shows the system operation guarantee support devices 31a, 3a.
An example of the configuration information database 134 used in 1b is shown.
FIG. 12 is a database in which URL conversion information for each server is stored. In column 1201a, a default URL used when a computer virus is not being spread, and in column 1202a the same row
Alternate URL that the URL uses during computer virus spread,
A column 1203a stores a server that transfers the URL of the same row, and a column 1204a stores a service number that transfers the URL of the same row.

When a computer virus is spreading to the testserv server 32a by using the traffic related to http, in the client device 32b, the data part 1005
A communication packet in which "http: // testserv /" is set to is transmitted to the system operation guarantee support device 31a. This communication packet is transferred to the destination address 1001 of the communication packet in the system operation guarantee support device 31a at the transfer destination server "t" in the column 1203a.
"estserv" is stored and the communication packet destination service number 1
After storing the transfer destination service number “9080” in the column 1204a in 002, “http: // testserv: 9080 /” is stored in the data part 1005 and transmitted to the testserv server device 32a.

The system operation guarantee support device 31a having the above configuration,
The operation of 31b will be described.

FIG. 18 is a flow chart for explaining a communication operation using an alternative service by URL rewriting of the system operation guarantee support device 31a when a computer virus spreads. In communication using an alternative service, first, the data section
When a communication packet with "http: // testserv /" set in 1005 is received, this URL is set as the default for the URL conversion information database.
After searching the URL 1201a (step S1801) and extracting the alternative URL 1202a of the corresponding line that matches the search result, the data section 10
Store "http: // testserv: 9080 /" in 05 (step S1
802).

For the destination address 1001 of the communication packet, the transfer destination server “testserv” and the destination service number 1002 of the relevant line
Is set to the transfer destination service number "9080" of the relevant line and transmitted (step S1803).

However, since the configuration change information is not provided to the computer virus, the computer virus is tested.
For the service name http of the serv server 32a, "testserv" is continuously used as the destination address 1001 of the communication packet, and the value "80" is continuously used as the destination service number 1002.
It is not transmitted on the network (33a).

According to this embodiment, the following effects can be obtained. (1) When the system operation guarantee support service status is switched to a status that prevents the spread of computer viruses, the UR
To rewrite L, access URL and server device 32
It is possible to avoid the mismatch of service numbers provided by a. Therefore, it is possible to block the communication packet used by the computer virus and eliminate the service inconsistency of the URL to be accessed in the communication service of the legitimate application program. (2) The URL used by the client device 32b can continue to use the existing URL even when the system operation guarantee support service status is switched to the status that suppresses the spread of computer viruses. The communication packet used by the computer virus can be blocked and the communication service of the legitimate application program can be continuously provided without notifying the change.

A fifth embodiment of the present invention will be described below with reference to the drawings. The fifth example is an example showing that an alternative server can provide an alternative service by rewriting the URL.

A schematic diagram of the network system of FIG. 4, a schematic configuration diagram of the system operation guarantee support device 31 of FIG. 1, a schematic configuration diagram of the electronic computer 32 of FIG. 2, a communication packet format of FIG. 10, and FIGS. System operation guarantee support device 31a, 31b
The database for access control information of transit service used in, the flow diagram for explaining the operation at the time of computer virus diffusion and convergence of FIGS.
2 Same as Example.

FIG. 13 shows an example of the configuration information database 134 used by the system operation guarantee support device 31c. Figure 13
Is a database that stores URL conversion information for each server.In column 1201b, the default URL to be used when a computer virus is not spreading, and in column 1202b the same row URL
Alternate URL used by computer during computer virus spread, column 1
203b stores a server that transfers the URL of the same line, and column 1204b stores a service number that transfers the URL of the same line.

When the computer virus is spreading to the testserv2 server 32e by using the traffic related to http and the network 2 (33c) is under the heavy load traffic condition, the client device 32d has the data section 100
A communication packet in which "http: // testserv2 /" is set in 5 is transmitted to the system operation guarantee support device 31c. This communication packet stores the transfer destination server “alt-testserv2” in the column 1203b in the destination address 1001 of the communication packet and the transfer destination service number in the column 1204b in the communication packet destination service number 1002 in the system operation guarantee support device 31c. "9080"
After storing, the data section 1005 displays "http: // alt-testserv
2: 9080 ”is stored and transmitted to the alt-testserv2 server device 32c.

According to this embodiment, the following effects can be obtained. (1) When the system operation guarantee support service status is switched to a status that prevents the spread of computer viruses, the UR
By rewriting L, it can be transferred to the alt-testserv2 alternative server 32c. Therefore, the original testserv2 server 3
When the network 33c up to 2c is under a heavy traffic condition and performance cannot be ensured, a service considering performance can be provided by switching to the alt-testserv2 alternative server 32c. (2) The URL used by the client device 32b can continue to use the existing URL even when the system operation guarantee support service status is switched to the status that suppresses the spread of computer viruses. The communication packet used by the computer virus can be blocked and the communication service of the regular application program by the alternative server can be continuously provided without notifying of the change.

[0071]

According to the present invention, even if a computer virus removal tool is not distributed, it is possible to prevent the computer virus from spreading and to continue the communication of a legitimate application program in a network system. Become.

[Brief description of drawings]

FIG. 1 is a schematic configuration diagram of a system operation guarantee support device.

FIG. 2 is a schematic configuration diagram of a client / server device.

FIG. 3 is a schematic diagram of a system to which a system operation guarantee support device is applied in the embodiment.

FIG. 4 is a schematic diagram of a system to which the system operation guarantee support device is applied in the embodiment.

FIG. 5 is an example of a database in which access control information of transit services is stored.

FIG. 6 is an example of a database in which access control information of transit services is stored.

FIG. 7 is an example of a database in which service selection states are stored.

FIG. 8 is an example of a database in which an application supporting the operation support service is registered.

FIG. 9 is an example of a database in which server registration type service selection states are stored.

FIG. 10 shows an example of a data packet.

FIG. 11 is an example of a database in which service transfer type service selection states are stored.

FIG. 12 is an example of a database in which URL conversion information is stored.

FIG. 13 is an example of a database in which URL conversion information is stored.

FIG. 14 is an example of a startup flow of a support function in the system operation guarantee support device.

FIG. 15 is an example of a recovery flow of a support function in the system operation guarantee support device.

FIG. 16 is an example of a startup flow of a support function in a client.

FIG. 17 is an example of an activation flow of an application registration type support function in a client.

FIG. 18 is an example of a URL rewriting flow in the system operation guarantee support device.

[Explanation of symbols]

S1401: Judgment of switching mechanism of system operation support device S1402: Data packet monitoring step S1403: Illegal packet detection by data packet monitoring step S1404: Manual switching by administrator Step S1405: Searching default service number of access control information database Step S1406: Set "deny" as access control information for the default service number. Step S1407: Set "allow" as access control information for the alternative service number. Step S1408: Search for the default service number in the service selection state database. Step S1409. : Steps to set "alternative" to service selection status

   ─────────────────────────────────────────────────── ─── Continued front page    (72) Inventor Kiyoto Nagata             5030 Totsuka Town, Totsuka Ward, Yokohama City, Kanagawa Prefecture             Ceremony Company Hitachi Ltd. Software Division F-term (reference) 5B089 GA12 GA21 GB02 HA10 JB22                       KA12                 5K030 HC01 HD03 HD05 HD06

Claims (6)

[Claims] 1. A system comprising an electronic computer connected to a network, wherein a preset service number to be used when a computer virus is not being spread is provided, and traffic is stopped by access control to the preset service number while the computer virus is spreading. Characteristic system operation guarantee support method. 2. The system operation guarantee support method according to claim 1, wherein an alternative service number used during computer virus spread is provided, and traffic is passed by access control to the alternative service number during computer virus spread, A system operation guarantee support method characterized in that communication is performed using an alternative service number during diffusion. 3. The system operation guarantee support method according to claim 1, wherein the distribution of a computer virus is detected by monitoring unauthorized packets. 4. The system operation guarantee according to claim 2, wherein a database for associating the default service number and the alternative service number is searched and the default service number is switched to the alternative service number. How to help. 5. The system operation guarantee support method according to claim 2, wherein only a program registered in advance is set to communicate using the alternative service number, and the alternative service number is set only for a specific destination address. A system operation guarantee support method, characterized by enabling communication using the. 6. The system operation guarantee support method according to claim 2, wherein a specific URL is rewritten.