JP2003348169A - Method and device for packet transfer - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a method and a device for packet transfer, which prevent passage of packets related to an illegitimate access, without user's setting for discriminating whether packets should be transferred or not. <P>SOLUTION: A packet sending mechanism 15 to which a packet has been delivered from a packet identifier adding mechanism 12 sends the packet on the basis of preliminarily set information and discriminates whether the packet is related to an illegitimate access or not. <P>COPYRIGHT: (C)2004,JPO

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a packet transfer apparatus and a packet transfer method for transferring packets between a plurality of network segments.

[0002]

2. Description of the Related Art Conventionally, in a packet transfer apparatus connected between a plurality of network segments and transferring packets between these segments, it is determined whether or not to transfer a packet for preventing unauthorized access. Is performed based on the destination / source network address, service number, and the like set by the user using the network or other setting means.

A means for preventing unauthorized access in the conventional packet transfer apparatus at this time will be described with reference to FIGS. FIG. 22 shows a configuration example of a conventional packet transfer device. Here, as components of the packet transfer apparatus 01, a packet receiving unit 02 that receives a packet from one of the network segments as a transmission source, and a packet filter unit 03 that performs filtering (selection) control of the packet received by the packet receiving unit 02. A packet transmitting unit 04 for transmitting a packet passing through the packet filter unit 03 to the other network segment serving as a destination, a rule setting unit for setting a destination / source network address and a service number for preventing unauthorized access 0
5. A rule holding unit 06 or the like that holds information such as the address set by the rule setting unit 05 and is referred to by the packet filter unit 03 is provided.

FIG. 23 shows an example of the configuration of a network system including the packet transfer device 01 having the above configuration, and FIG. 24 shows an example of the contents stored in the rule holding section 06 of the packet transfer device 01.

[0005] The user uses the function of the rule setting unit 05 to send a destination / address to the rule holding unit 06 via the network.
A source network address, a service number, identification information as to whether or not to permit the transfer, and the like are set in advance.

Here, a network system as shown in FIG. 23 is constructed using the packet transfer apparatus 01 having the configuration shown in FIG. 22, and the user uses the function of the rule setting unit 05 to create a network as shown in FIG. It is assumed that the setting content (rule) is stored in the rule storage unit 06 in advance.

In this state, for example, a host having a network address of [192.168.1.12] is changed to a H of a host having [192.168.0.31].
It is assumed that a packet to use the TTP service is received by the packet receiving unit 02.

[0008] The received packet is sent to the packet filter unit 03.

The packet filter unit 03 refers to a rule stored in the rule storage unit 06 and set by the user in advance as shown in FIG.

Here, the packet filter section 03
Referring to the rule shown in, the host having the network address [192.168.1.12]
HTTP of host with [192.168.0.31]
It is determined that access to use the service is permitted, and the packet is sent to the packet sending unit 04.
Then, the packet is transmitted from the packet transmission unit 04 to the host having the address of [192.168.0.31] as the network address, and the communication is completed.

For example, from a host having a network address of [192.168.1.13],
HTTP of host with [192.168.0.31]
Assuming that a packet to use a service is received by the packet receiving unit 02, the received packet is sent to the packet filter unit 03.

The packet filter unit 03 refers to the rule shown in FIG. 24 set by the user and stored in the rule holding unit 06.

Here, the packet filter unit 03 is configured as shown in FIG.
Referring to the rule shown in, a host having a network address of [192.168.1.13]
HTTP of host with [192.168.0.31]
It is determined that access to use the service is not permitted. Therefore, this packet is determined as an unauthorized access by the packet filter unit 03 and discarded, and the received packet is not transmitted from the packet transmission unit 04.

[0014] Similarly for the other destination / transmission source / service packets, the rule holding unit 0 shown in FIG.
Transmission / discarding is performed according to the contents (rules) of No. 6.

In the above-described conventional packet transfer apparatus, the means for preventing unauthorized access include destination / transmission source MAC (Me
dia Access Control) Just by determining whether to forward a packet based on an address, a destination / source address of a higher-order protocol, a service number, etc., an address or service number set to be forwarded is used. Unauthorized access cannot be prevented, and there is a problem that it is insufficient for the purpose of preventing packets related to unauthorized access from passing.

For example, a destination / source MAC address,
Even if the destination / source addresses and service numbers of higher-level protocols are all set correctly, a packet having data that is deemed to be an unauthorized access via the set source will not be transmitted. There has been a problem of reliability that data transferred and carried in the packet infringes an application or the like of a receiving system.

The setting of the destination / source MAC address for determining whether or not to transfer a packet, and the destination / source address and service number of a higher-order protocol are performed for each user and installation location. Therefore, it was necessary to perform the setting in accordance with the installation of the packet transfer device. However, this setting was relatively difficult, and there was also a problem that an incorrect setting was often made and an unauthorized access was permitted. .

Further, in order to perform setting via a network, a network address such as an IP address is required, which may be a target of an unauthorized access.

Even if a packet that is determined not to be transferred arrives based on the destination / source MAC address, the destination / source address of a higher-order protocol, the service number, etc., this is not necessarily called an unauthorized access. There is also a problem that even if the arrival of a packet determined not to be forwarded is displayed in some way, it does not indicate that an unauthorized access has been made.

[0020]

As described above, in the unauthorized access preventing means in the conventional packet transfer apparatus, the destination / source MAC address and the destination / source address of a higher-order protocol are used. Judgment of whether or not to forward a packet based on data or service number does not prevent unauthorized access using the address or service number set to be forwarded, and does not allow packets related to unauthorized access to pass Had a problem that it was insufficient.

The setting of the destination / source MAC address for determining whether or not to transfer a packet, and the destination / source address and service number of a higher-order protocol are performed for each user and installation location. Therefore, it was necessary to perform the setting in accordance with the installation of the packet transfer device. However, this setting was relatively difficult, and there was also a problem that an incorrect setting was often made and an unauthorized access was permitted. .

Further, in order to perform the setting via a network, a network address such as an IP address is required, which has a problem that it can be an object of unauthorized access.

Furthermore, even if a packet that is determined not to be transferred arrives based on the destination / source MAC address, destination / source address of a higher-order protocol, service number, etc., this is not necessarily called unauthorized access. There is also a problem that even if the arrival of a packet determined not to be forwarded is displayed in some way, it does not indicate that an unauthorized access has been made.

As described above, in the conventional packet transfer apparatus, there are various problems in terms of reliability with respect to the prevention of unauthorized access, and there is a problem that the work load on the user is large.

The present invention has been made in view of the above circumstances,
It is an object of the present invention to provide a packet transfer device and a packet transfer method capable of realizing a highly reliable function of preventing unauthorized access without imposing a large burden on a user.

Further, the present invention has a function of transmitting the contents of a packet (received packet) transferred from a transmission source and determining that the packet is not a packet related to unauthorized access, thereby ensuring the transfer of a packet related to unauthorized access. It is an object of the present invention to provide a packet transfer device and a packet transfer method capable of realizing a highly reliable function of preventing unauthorized access.

Further, the present invention can prevent unauthorized access that cannot be prevented only by judging whether or not to transfer a received packet based on a destination / source MAC address, a destination / source address of a higher-order protocol, a service number, and the like. A packet transfer mechanism that does not pass related packets, a packet transfer mechanism that does not allow the user to make settings to determine whether or not to transfer packets, and does not allow packets related to unauthorized access to pass through, and is subject to unauthorized access. It is an object of the present invention to provide a packet transfer device and a packet transfer method that can easily realize a packet transfer mechanism that can prevent the occurrence of unauthorized access, a packet transfer mechanism that can display that unauthorized access has been performed, and the like. I do.

[0028]

In order to achieve the above object, a packet transfer apparatus according to the present invention is provided between a plurality of network segments and monitors a packet transferred between the network segments. When transmitting a received packet received via the first network segment to the second network segment, the information of the received packet is added to the information of the second network segment based on a preset condition. A packet analyzing means for analyzing whether or not a factor causing a malfunction to software of the device connected to the device is provided; and when the analyzing means determines that the packet is an invalid packet having information including the factor causing the malfunction. Discards the illegal packet and only the received packet determined as a normal packet is Characterized by comprising and means for sending to the network segment.

The apparatus according to the present invention may be configured such that the apparatus is connected to at least the first and second network segments, and a packet transferred between the first and second network segments includes a packet causing an unauthorized access. Receiving means for receiving a packet from the first network segment, an identifier adding means for adding an identifier to a received packet received by the receiving means, And a packet holding queue for temporarily holding the received packet to which the received packet is added, and determine whether the received packet is an unauthorized access packet including a known malfunction condition set in advance, and determine that the packet is not a packet related to an unauthorized access. The packet analysis means that outputs the identifier of the received packet when the When receives the identifier output from the packet analyzing unit extracts the received packet with the identifier received from the packet hold queue,
Transmitting means for transmitting to the second network segment.

Further, the apparatus according to the present invention is connected to at least three or more network segments and, when a packet transferred between the plurality of network segments includes a packet which causes an unauthorized access, the packet for removing the unauthorized packet. In a transfer device, receiving means for receiving a packet from the network segment,
An identifier adding unit that adds an identifier to the received packet received by the receiving unit; a packet holding queue that temporarily holds the received packet to which the identifier has been added; and an illegal operation in which the received packet includes a preset known malfunction condition. It is determined whether the packet is an access packet, and when it is determined that the packet is not a packet related to an unauthorized access, a packet analyzing unit that outputs an identifier of the received packet, and the identifier output from the packet analyzing unit. Receiving, extracting a received packet having the received identifier from the packet holding queue, determining a network segment to be transmitted from a destination MAC address included in the received packet, and a transmitting segment determining unit; To the determined network segment Characterized by comprising the one or more delivery means for delivering a signal packet.

Further, the apparatus according to the present invention is connected to at least three or more network segments, and when a packet transferred between the plurality of network segments includes a packet causing an unauthorized access, the packet for removing the unauthorized packet is removed. In a transfer device, receiving means for receiving a packet from the network segment,
An identifier adding unit for adding an identifier to the received packet received by the receiving unit; a plurality of packet holding queues for temporarily holding the received packet with the identifier added for each destination network segment; Sending segment determining means for determining a destination network segment of the received packet from a destination MAC address included in the received packet, and transmitting the packet with the identifier added to the packet holding queue corresponding to the network segment; A packet for determining whether or not the received packet is an unauthorized access packet including a preset known malfunction condition, and outputting the identifier of the received packet when determining that the received packet is not a packet related to unauthorized access. Analysis means and the packet holding queue A plurality of sending units provided correspondingly, the receiving unit receiving the identifier output from the packet analyzing unit, and receiving the received packet from one or more packet holding queues holding the received packet having the identifier. Transmitting means for extracting a packet and transmitting the packet to the associated network segment.

Further, the apparatus according to the present invention is characterized in that it comprises a database storing character strings contained in packets related to unauthorized access received in the past.

Further, when the packet analyzing means determines that the packet is related to an unauthorized access, the apparatus of the present invention includes details including at least one of the presence, structure, format, reception time, and transmission source of the unauthorized packet. An unauthorized access history holding unit for acquiring and holding information, and an unauthorized access history display unit for displaying an unauthorized access history held by the unauthorized access history holding unit.

The apparatus according to the present invention further comprises transmitted packet holding means for storing a transmitted packet determined to be not an invalid packet by said packet analyzing means, wherein said packet analyzing means detects said transmitted packet when analyzing the invalid packet. It is characterized in that the transmitted packet held in the packet holding means is referred to.

The apparatus according to the present invention further comprises means for judging whether or not an option or a combination of parameters in the header portion of the received packet satisfies a preset known condition. Means for determining whether or not the length of the existing data or the combination of parameters specified by the data satisfies a preset known condition, the data structure of each packet, or the data content is Determining whether or not the packet is related to unauthorized access by at least one of means for determining whether or not the above condition is satisfied.

[0036] The apparatus of the present invention may further comprise a packet storage means for storing the received packet to which the identifier has been added, and a program storage for storing a packet analysis program in which a character string included in an unauthorized access packet is partially stored. Means, based on the packet analysis program, determine whether or not the received packet stored in the packet storage means is a packet for unauthorized access including a known malfunction condition, and determine that the packet is not a packet related to unauthorized access. A program execution means for outputting an identifier of the received packet when the determination is made.

Further, the apparatus of the present invention is characterized in that it comprises analysis program updating means for updating the packet analysis program stored in the program storage means.

[0038] The apparatus of the present invention is also characterized in that, in the packet transfer apparatus, a specific format indicating an analysis program update instruction is provided from a communication interface such as a serial interface or a network interface and data received via the communication interface. Analysis program update instruction format identification means for identifying that the above condition is satisfied, and the packet analysis is performed based on the data identified by the analysis program update instruction format identification means as the analysis program update instruction. It is characterized by loading or updating a program.

The apparatus according to the present invention also includes an analysis program update instruction format identification means for identifying, from a packet received by the reception means, data that satisfies a specific format indicating an instruction to update the packet analysis program. And loading or updating the packet analysis program based on the data of the received packet identified by the analysis program update instruction format identification means as the analysis program update instruction.

The apparatus of the present invention extracts the electronic signature information from the data in the packet, the data input through the serial interface, or the data input through the network interface. It is characterized in that it is determined whether or not the signature information is a valid signature. If the signature information is determined to be valid, the packet analysis program is loaded or updated.

In the apparatus of the present invention, when the packet analyzing means determines that the packet is related to unauthorized access, the presence, structure, format, reception time,
The apparatus further includes an in-apparatus information notifying unit that notifies other apparatus of detailed information including at least one of a transmission source and the like.

The apparatus according to the present invention may further include a source address used only for specific communication, which is communication for setting or updating the packet analysis program or for notifying the detailed information of an illegal packet to another apparatus. Communication address setting means for setting; communication address holding means for holding the communication address set by the communication address setting means; and a packet sent to the source address when the specific communication is not performed. And communication control means for receiving a packet addressed to the source address only when the specific communication is performed.

The apparatus of the present invention may further comprise: a source address used only for specific communication, which is communication for setting or updating the packet analysis program, or communication for notifying the detailed information of an illegal packet to another apparatus. Communication address selecting means for selecting one of the source addresses of packets received in the past from a network segment different from the destination network segment of the specific communication; and a source address selected by the communication address selecting means. And a packet stealer for stealing a packet related to the specific communication from the destination packets.

Further, the apparatus according to the present invention identifies the data that satisfies the specific format as the instruction to start the specific communication from the packet to be transferred, and sets the communication start instruction format to start the specific communication. It is characterized by comprising identification means.

In the apparatus according to the present invention, the communication start instruction format identifying means determines whether the electronic signature included in the data is a valid signature, and determines that the electronic signature is a valid signature. An electronic signature identifying means for identifying only the data as a communication start instruction is provided.

In order to achieve the above object, a packet transfer method according to the present invention is a packet transfer apparatus provided between a plurality of network segments for monitoring packets transferred between the network segments. When sending a received packet received from a second network segment to a second network segment, the information of the received packet is added to software of an apparatus connected to the second network segment based on a preset condition. It is determined whether or not it includes a factor that causes a malfunction, and when it is determined that the packet is an invalid packet having information including the factor that causes the malfunction, the invalid packet is discarded, and the reception is determined to be a normal packet. Sending a packet to the second network segment.

Further, the method according to the present invention is preferably arranged such that a packet which is connected to at least the first and second network segments and which causes unauthorized access is included in a packet transferred between the first and second network segments. Receiving a packet from the first network segment, adding an identifier to the received packet, and receiving the packet with the identifier added thereto. Temporarily holding the packet, analyzing the received packet to which the identifier is added, determining that the packet is not a packet related to unauthorized access, outputting the determined identifier of the determined normal received packet; Received, from among the received packets that are temporarily held, Taking out the received packet with the identifier signal, characterized by comprising a step of sending to the second network segment.

[0048] The method of the present invention is also directed to a method for connecting to at least three or more network segments and removing packets that cause unauthorized access when packets transferred between the plurality of network segments include illegal access. In the transfer method, receiving a packet from one of the network segments, adding an identifier to the received packet, temporarily holding the received packet with the identifier added, Analyzing the received packet with an identifier added thereto, determining that the packet is not a packet related to unauthorized access, outputting the identifier of the determined normal received packet, receiving the identifier, and temporarily suspending the packet; From the received packet, the received identifier is Extracting the received packet and determining a network segment to be transmitted from the MAC address included in the received packet; and transmitting the extracted received packet to the determined network segment. It is characterized by.

[0049] The method of the present invention is also directed to a method of connecting a network to at least three or more network segments, wherein, when a packet transferred between the plurality of network segments includes a packet that causes unauthorized access, the packet for removing the unauthorized packet is removed. In the transfer method, a step of receiving a packet from one of the network segments, a step of adding an identifier to the received packet, and a step of receiving the packet from the destination MAC address included in the received packet to which the identifier has been added. The destination network segment of the received packet is determined, and a temporary holding queue provided for each of the destination network segments is
Storing the received packet according to the determination; analyzing the received packet to which the identifier is added, determining that the packet is not a packet related to unauthorized access, and outputting the identifier of the determined normal received packet; Receiving the identifier, extracting the received packet having the received identifier from the received packets in the temporary hold queue, and sending the received packet to a corresponding network segment.

A packet transfer device connected to a plurality of network segments and transferring packets between segments by having a function of eliminating packets related to unauthorized access as described above has a destination / source MAC address. Address or destination of higher protocol /
It is possible to realize a packet transfer device that cannot prevent a packet related to unauthorized access from being passed, which cannot be prevented only by determining whether to transfer a packet based on a source address, a service number, or the like.

Further, it is possible to realize a packet transfer apparatus that does not allow a packet related to an unauthorized access to pass through without setting by a user to determine whether to transfer a packet.

Further, since there is no network address such as an IP address, it is possible to realize a packet transfer device which prevents itself from being subjected to unauthorized access and which does not pass packets related to unauthorized access.

Further, it is possible to realize a packet transfer device capable of displaying that unauthorized access has been performed.

[0054]

Embodiments of the present invention will be described below with reference to the drawings.

First, a first embodiment of the present invention will be described with reference to FIG.

FIG. 1 is a block diagram showing essential components of a packet transfer device according to the first embodiment of the present invention.
The first embodiment illustrated in FIG. 1 illustrates a configuration having a function of preventing a packet related to an unauthorized access from passing through only in one-way transfer of the packet transfer device.

In the packet transfer apparatus 10 shown in FIG. 1, the packet receiving unit 11 and the packet transmitting unit 14 are respectively different network segments (segment A-
Segment B) connected between each other. Here, an example is shown in which a packet is transferred from the network segment A to which the packet receiving unit 11 is connected to the network segment B to which the packet sending unit 14 is connected.

The packet receiving section 11 receives a packet on the network segment A. The packet identifier adding mechanism 12 adds an identifier to the received packet. The packet holding queue 13 temporarily holds the packet to which the identifier has been added until the packet analysis unit 15 determines that the packet is not a packet related to unauthorized access. The packet analyzing mechanism 15 sends out the received packet, and notifies the packet sending unit 14 of the identifier of the packet determined to be not a packet related to unauthorized access. Packet sending unit 1
4 extracts a received packet to which the same identifier as the identifier transmitted from the packet analysis mechanism 15 is added from the packet holding queue 13 and sends the packet to the network segment B.

Here, the first embodiment of the present invention will be described with reference to the above drawings.
The operation in the embodiment will be described.

In the packet transfer device 10 shown in FIG. 1, a packet receiving unit 11 sequentially receives packets transmitted from a transmitting side system (or terminal or device) connected to the network segment A.

The packet identifier adding mechanism 12 adds a unique identifier in the device to the received packet.
As the identifier at this time, for example, there is a method of sequentially numbering 1, 2, 3, and 4. There is also a method using the arrival time of a packet. Alternatively, there is a method of using the address of the storage device storing the packet.

The packet to which the identifier is added by the packet identifier adding mechanism 12 is stored in the packet holding queue 13.
And passed to the packet analysis mechanism 15.

The packet analysis mechanism 15 is provided with a database 150 in which determination information for identifying packets related to unauthorized access is stored in advance. This database 150 stores at least a character string (judgment information) included in a packet related to unauthorized access received in the past.

The packet analyzing unit 15 which has received the received packet from the packet identifier adding unit 12 determines whether or not the received packet is related to an unauthorized access based on the determination information stored in the database 150. The database 150 stores a list of character strings included in a packet related to unauthorized access as determination information.
The packet analyzing mechanism 15 sequentially compares the character strings included in the character string list stored in the database 150 with the received packet, and when any of the character strings included in the character string list is included in the received packet. It can be determined that the received packet is related to unauthorized access. If the packet analysis unit 15 determines that the received packet is not related to unauthorized access, the packet analysis unit 15 sends the identifier added to the received packet to the packet sending unit 1.
Tell 4

The packet sending unit 14 to which the identifier has been transmitted.
Retrieves the received packet having the identifier from the packet holding queue 13 and sends it to the receiving system (or terminal or device) via the network segment B.

The received packet determined to be a packet related to an unauthorized access by the packet analyzing mechanism 15 is left in the packet holding queue 13 and may be given an explicit instruction or an overflow from the packet holding queue 13. Destroyed by implicit means.

With this series of operations, it is possible to realize a packet transfer device that does not pass packets related to unauthorized access.

Since the determination information stored in the database 150 of the packet analysis unit 15 for identifying packets related to unauthorized access can include information related to the contents of packet data, /
It is possible to realize a packet transfer device that does not pass a packet related to an unauthorized access that cannot be prevented only by judging whether to transfer a packet based on a source MAC address, a destination / source address of a higher-order protocol, a service number, and the like. be able to.

The same determination information stored in advance in the database 150 of the packet analysis mechanism 15 for identifying packets related to unauthorized access can be used regardless of the user or the installation location. Therefore, it is possible to realize a packet transfer device that does not allow a packet related to an unauthorized access to pass without setting for a user to determine whether to transfer a packet.

Since the packet transfer device itself does not need to have any network address such as an IP address to perform its operation, the packet transfer device itself is prevented from being subject to unauthorized access, and the packet transfer device relating to the unauthorized access is prevented. Can be realized. Further, since the contents of the packet data can also be used as information for identifying a packet related to an unauthorized access, it is possible to clearly determine a packet related to an unauthorized access. For example, a packet that sends a character string that is abnormally long than specified to an application program can be clearly determined to be a packet related to unauthorized access. Further, when it is known that a specific data string causes a malfunction of the application program or the OS, the packet including the data string can also be clearly determined to be a packet related to unauthorized access. When a packet that can be clearly judged to be a packet related to unauthorized access is transmitted, it is possible to display to the user that the unauthorized access has been performed or that the unauthorized access has been performed. A packet transfer device can be realized.

Next, a second embodiment of the present invention will be described with reference to FIG.

FIG. 2 is a block diagram showing essential components of a packet transfer device according to a second embodiment of the present invention.

The second embodiment shown in FIG. 2 exemplifies a configuration provided with a function for preventing a packet related to an unauthorized access from passing through in the bidirectional transfer of the packet transfer apparatus.

The packet transfer device 20 shown in FIG.
It is possible to prevent a packet related to an unauthorized access from the network segment A to the network segment B from passing, and to prevent a packet related to an unauthorized access from the network segment B to the network segment A from passing.

That is, in the packet transfer device 20, the packet receiving section 21a receives one packet from the network segment A.

The packet identifier adding mechanism 22a adds a unique identifier in the apparatus to the received packet.

The received packet to which the identifier is added by the packet identifier adding mechanism 22a is stored in the packet holding queue 23a, and the packet analyzing mechanism 25
passed to a. In the database 250a of the packet analysis mechanism 25a, determination information for identifying a packet related to an unauthorized access is stored in advance.

The packet analyzing mechanism 25a, which has received the packet from the packet identifier adding mechanism 22a, analyzes the received packet based on the determination information stored in the database 250a, and determines whether or not the received packet relates to an unauthorized access. . When it is determined that the received packet is not related to the unauthorized access, the packet analysis mechanism 25a notifies the packet sending unit 24b of the identifier added to the received packet. The packet sending unit 24b that has received the identifier extracts the received packet having the identifier from the packet holding queue 23a and sends it to the network segment B.

The received packet determined by the packet analyzing mechanism 25a to be a packet related to an unauthorized access is left in the packet holding queue 23a, and is transmitted by an explicit instruction or overflow from the packet holding queue 23a. Destroyed by implicit means.

On the other hand, the packet receiving section 21b receives one packet from the network segment B. The packet identifier adding mechanism 22b adds a unique identifier in the device to the received packet.

The received packet to which the identifier is added by the packet identifier adding mechanism 22b is stored in the packet holding queue 23b, and the packet analyzing mechanism 25
b. In the database 250b of the packet analysis mechanism 25b, determination information for identifying a packet related to an unauthorized access is stored in advance.

The packet analyzing mechanism 25b, which has received the received packet from the packet identifier adding mechanism 22b, analyzes the received packet based on the determination information stored in the database 250b, and determines whether or not the received packet relates to an unauthorized access. I do. When determining that the received packet is not a packet related to unauthorized access, the packet analysis mechanism 25b transmits the identifier added to the received packet to the packet sending unit 24a.

The packet transmitting section 24a to which the identifier has been transmitted.
Extracts the received packet having the identifier from the packet holding queue 23b and sends it to the network segment A.

The received packet determined to be a packet related to an unauthorized access by the packet analyzing mechanism 25b is left in the packet holding queue 23b, and may be transmitted by an explicit instruction or overflow from the packet holding queue 23b. Destroyed by implicit means.

With such an operation, in any of the packet transfer from the network segment A to the network segment B and the packet transfer from the network segment B to the network segment A, the packet which does not allow the packet relating to the unauthorized access to pass through A transfer device can be realized.

Next, a third embodiment of the present invention will be described with reference to FIG.

FIG. 3 is a block diagram showing essential components of a packet transfer device according to a third embodiment of the present invention.

The third embodiment shown in FIG. 3 exemplifies a configuration provided with a function for preventing a packet related to an unauthorized access from passing in one-way transfer of the packet transfer apparatus.

The packet transfer device 30 shown in FIG.
This is a simplification of the configuration of the second embodiment shown in FIG. 2, in which packets relating to unauthorized access from the network segment A to the network segment B are prevented from passing therethrough. With regard to the packet transfer of (1), the configuration is such that the passage of the packet cannot be prevented. The packet transfer device 30 having the configuration shown in FIG. 3 is provided at a connection point with an external network (for example, a network system such as a premises capable of self-management in a system connected to the network segment B; In the case where the segment A is an external network system), the configuration can be simplified as compared with the packet transfer device 20 according to the second embodiment shown in FIG.

In the packet transfer device 30, the packet receiving section 31a receives one packet from the network segment A. The packet identifier adding mechanism 32 adds a unique identifier in the device to the packet received from the packet receiving unit 31a.

The received packet to which the identifier is added by the packet identifier adding mechanism 32 is stored in the packet holding queue 33 and passed to the packet analyzing mechanism 35. The database 350 of the packet analysis mechanism 35 stores in advance determination information for identifying packets related to unauthorized access.

The packet analyzing mechanism 35, which has received the received packet from the packet identifier adding mechanism 32, analyzes the received packet based on the identification information stored in the database 350, and determines whether or not the received packet relates to an unauthorized access. I do. When it is determined that the received packet is not a packet related to unauthorized access, the packet analysis mechanism 35 transmits the identifier added to the received packet to the packet sending unit 34b.

Packet transmitting section 34b to which the identifier has been transmitted
Extracts the received packet having the identifier from the packet holding queue 33 and sends it to the network segment B.

The packet determined by the packet analysis mechanism 35 to be a packet related to unauthorized access is:
The packet is left in the packet holding queue 33 and discarded by an explicit instruction or an implicit means such as an overflow from the packet holding queue 33.

On the other hand, when receiving one packet from the network segment B, the packet receiving section 31b passes the packet as it is (in the through mode) to the packet transmitting section 34a. The packet transmitting unit 34a transmits the packet received from the packet receiving unit 31b to the network segment A.

By such an operation, the packet transfer from the network segment A to the network segment B is strictly controlled so as not to pass the packet relating to the unauthorized access, and the transfer function in the reverse direction is protected against the unauthorized access. Can be realized.

Next, a fourth embodiment and a fifth embodiment of the present invention will be described with reference to FIGS.

FIG. 4 is a block diagram showing components of a main part of a packet transfer device according to a fourth embodiment of the present invention. FIG. 5 is a block diagram showing main components of a packet transfer device according to a fifth embodiment of the present invention. FIG. 3 is a block diagram showing components.

In each of the embodiments shown in FIGS. 4 and 5, in each case, when the network segment to be transmitted can be determined, the network segment is transmitted only to the determined network segment, and the determined network segment is transmitted. It is possible to reduce the traffic of other network segments.

When the packet transfer device according to the present invention transfers a packet between three or more network segments, there is a method of transmitting a packet received from a certain network segment to all network segments other than the network segment. . Also, the network segment to be transmitted is determined from the destination MAC address of the packet, and if it can be determined, the traffic is transmitted only to the determined network segment, thereby reducing the traffic of network segments other than the determined network segment. There are ways.

In the fourth embodiment shown in FIG. 4, the configuration of the packet transfer device 40 in which a packet holding queue is shared for each transmission segment is shown. Here, the packet analysis mechanism 45 determines whether a packet is involved in an unauthorized access and then determines a network segment to be transmitted.

The packet transfer device 4 having the configuration shown in FIG.
At 0, the received packet received by the packet receiving unit 41 and added with the identifier by the packet identifier adding mechanism 42 is stored in the packet holding queue 43 common to all transmission segments.

The packet analysis mechanism 45 has a database 45
Based on the determination information stored in "0", it is determined whether or not the received packet is related to unauthorized access. If it is determined that the received packet is not a packet related to unauthorized access, the identifier of the received packet is notified to the transmission segment determining mechanism 46. .

The sending-segment determining unit 46 notified of the identifier by the packet analyzing unit 45 takes out the received packet having the identifier from the packet holding queue 43, and
A network segment to be transmitted is identified from the destination MAC address of the received packet. If the network segment is identified, the received packet is received by at least one of the packet transmission units (44a to 44n) corresponding to the determined network segment. hand over. Then, the packet sending unit sends the received packet to the identified network segment. If the network segment cannot be identified, the received packet is sent to all the packet sending units 44a to 44n, and the received packet is sent to the network segments connected to the packet sending units 44a to 44n.

In the fifth embodiment shown in FIG. 5, a configuration of a packet transfer device 50 in which a unique packet holding queue is provided for each transmission network segment is shown. Here, the network segment to be transmitted is determined before the packet analysis mechanism 55 determines whether or not the received packet relates to an unauthorized access.

In FIG. 5, a received packet received by the packet receiving unit 51 and added with an identifier by the packet identifier adding unit 52 is sent to the transmission segment determining unit 56.
And passed to the packet analysis mechanism 55.

The transmission segment judging mechanism 56 identifies the network segment to be transmitted from the destination MAC address of the received packet received by the packet receiving section 51 and added with the identifier by the packet identifier adding mechanism 52, and identifies the identified network. The received packet is stored in the packet holding queue (any of 53a to 53n) corresponding to the segment.

The packet holding queues 53a to 53n temporarily hold the received packets stored by the transmission segment determining mechanism 56 until the packet analyzing mechanism 55 determines that the received packets are not packets related to unauthorized access. The packet sending units 54a to 54n are connected to the packet holding queues 53a to 53n, respectively.

The packet analyzing mechanism 55 has the database 5
Based on the determination information stored in 50, it is determined whether the received packet is related to unauthorized access, and if it is determined that the received packet is not a packet related to unauthorized access,
The identifiers of the received packets are stored in the packet sending units 54a to 54a.
4n.

The packet sending units 54a to 54n notified of the identifier from the packet analysis unit 55, when the received packet having the identifier exists in the corresponding connected packet holding queues 53a to 53n, transfer the received packet. And send it to the corresponding network segment.

When the network segment to be transmitted cannot be recognized, the transmission segment judging mechanism 56 stores the received packet in all the packet holding queues 53a.
To 53n. Then, it is determined by the packet analysis mechanism 55 that the received packet is not an unauthorized access, and the identifier of the received packet is determined by the packet sending units 54a to 54
n, the packet sending units 54a to 54n take out the received packets from the packet holding queues 53a to 53n and send the packets to all the corresponding network segments.

With such a configuration, the packet transmitting unit (54a to 54n) determines that the packet is not a packet related to an unauthorized access by the packet analyzing unit 55.
This has the effect of shortening the time required for transmission to the server.

According to the above-described fourth and fifth embodiments, when a network segment to be transmitted can be identified, the packet is transmitted only to the identified network segment, whereby the identified network segment is transmitted. It is possible to reduce traffic of network segments other than the network segment.

Next, a sixth embodiment of the present invention will be described with reference to FIGS.

FIG. 6 is a block diagram showing essential components of a packet transfer device according to the sixth embodiment of the present invention. FIGS. 7 and 8 are diagrams showing examples of unauthorized access display means in the sixth embodiment.

In the packet transfer device 60 of the sixth embodiment shown in FIG. 6, the packet analyzer 65 determines at least the presence, structure, format, reception time, and transmission source of a received packet determined to be a packet related to unauthorized access. It has a function to record and display detailed information including any of them as an unauthorized access history.

[0117] The unauthorized access history holding mechanism 66 transmits the packet analysis mechanism 6 to the packet analysis mechanism 6 for the presence information, the reception time, the transmission source and the like of the received packet determined by the packet analysis mechanism 65 to be a packet related to the unauthorized access.
5 and hold.

The unauthorized access history display mechanism 67 displays the unauthorized access history held by the unauthorized access history holding mechanism 66. FIGS. 7 and 8 show specific examples of the unauthorized access history display mechanism 67 at this time.

The packet transfer device 6 having the configuration shown in FIG.
At 0, the packet identifier adding mechanism 62 adds a unique identifier in the device to the received packet received by the packet receiving unit 61.

The received packet to which the identifier is added by the packet identifier adding mechanism 62 is stored in the packet holding queue 63 and passed to the packet analyzing mechanism 65.

The packet analyzing mechanism 65, which has received the received packet from the packet identifier adding mechanism 62, analyzes the packet based on the determination information stored in the database 650, and determines whether or not the received packet is involved in an unauthorized access.

Therefore, when a packet related to an unauthorized access is received via the packet receiving unit 61, the packet analysis mechanism 65 determines that the received packet is an unauthorized access. At this time, the packet analyzing mechanism 65 does not send the identifier of the received packet to the packet sending unit 64, and the packet related to the unauthorized access is not transferred to the receiving network segment, as in the above embodiments.

In the sixth embodiment, when the packet analysis mechanism 65 determines that the packet is related to unauthorized access, the presence of the unauthorized access in the unauthorized access history holding mechanism 66, the reception time, the transmission source, Information such as the destination and the type of injustice is sent out as unauthorized access history information.

The unauthorized access history holding mechanism 66 holds the unauthorized access history acquired from the packet analyzing mechanism 65 and holds it until the user performs the work of deleting the unauthorized access history.

The unauthorized access history display mechanism 67 stores the presence, reception time, transmission source, destination, and unauthorized information determined by the packet analysis mechanism 65 stored in the unauthorized access history storage mechanism 66. Displays the contents of the unauthorized access history information such as the type.

As a specific configuration example of the unauthorized access history display mechanism 67 at this time, as shown in FIG. 7, an unauthorized access display using an LED or the like provided in the casing of the packet transfer device 60, for example, The device 67A is turned on to notify the user of the presence of unauthorized access. Or, as shown in FIG. 8, the time of the unauthorized access, the source,
The destination, the type of fraud, and the like are displayed as characters on the unauthorized access display device 67B using, for example, an LCD, and the user is notified of detailed information such as the time of the illegal access, the source, the destination, and the type of fraud. Configuration. Further, a switch for displaying the history information retroactively may be provided so that the user can confirm the history information of the unauthorized access retroactively.

Next, a seventh embodiment of the present invention will be described with reference to FIGS.

FIG. 9 is a block diagram showing essential components of a packet transfer device according to the seventh embodiment of the present invention.

The packet transfer apparatus 70 of the seventh embodiment shown in FIG. 9 includes a transmitted packet holding mechanism 76 for storing transmitted packets referred to when analyzing a packet requiring a plurality of packets. Features.

The transmitted packet holding mechanism 76 is referred to when the packet analyzing mechanism 75 transmits a received packet, and has a function of holding the transmitted packet analyzed by the packet analyzing mechanism 75.

The packet analysis unit 75 includes a packet reception unit 71 for receiving a packet,
When analyzing the received packet to which the identifier has been added, in addition to the received packet, the transmitted packet transmitted before the received packet is referred to to determine whether the packet is related to an unauthorized access.

The packet transfer device 7 having the configuration shown in FIG.
At 0, the received packet received by the packet receiving unit 71 and added with the identifier by the packet identifier adding unit 72 is stored in the packet holding queue 73, passed to the packet analyzing unit 75, and simultaneously with the transmitted packet holding unit. 76.

When sending out the received packet passed from the packet identifier adding mechanism 72, the packet analyzing mechanism 75 determines the judgment information by a packet analyzing program (to be described later, which is incorporated in the apparatus). Reference may be made, and the packet transmitted before the received packet held in the transmitted packet holding mechanism 76 may be referred to (this reference indicates that the packet was determined to be a normal packet in the past). It is determined whether or not the received packet passed from the packet identifier adding mechanism 72 is a packet related to unauthorized access.

When the packet analyzing mechanism 75 determines that the received packet is a packet related to an unauthorized access based on the analysis of the packet analyzing program, the packet analyzing mechanism 75 determines whether the received packet (illegal access Packet). This allows
In the subsequent analysis, only the transmitted packet is referred to, thereby enabling more accurate analysis.

For example, a method of discarding the packets held in the transmitted packet holding mechanism 76 after a certain period of time after storing them, or a method of discarding a packet exceeding a specific data amount specified in advance for each destination. A mechanism is provided for preventing a new packet from being stored in the transmitted packet holding mechanism 76 by a method of discarding the packet in the arrival order.

The transmitted packet holding mechanism 76 includes:
For example, a function for extracting only a packet to a specific destination and a function for rearranging and extracting packets in the order of serial numbers included in the packet are provided so that the transmitted packet from the packet analysis mechanism 75 can be easily referred to. . As a result, a specific data string that is known to cause a bug in an application program, an OS, etc.
For example, in the case where a packet is transmitted over a plurality of packets, it is possible to find a packet related to an unauthorized access that may be overlooked if the received packet is determined separately.

FIG. 10 is a block diagram showing a configuration example of a packet analysis mechanism using the above-described packet analysis program. Here, the packet analysis mechanism 75 in the seventh embodiment shown in FIG. 9 is shown as an example, but instead of the database for illegal packet analysis shown in the above-described first to sixth embodiments, a packet analysis mechanism is used. A mechanism may be applied.

The packet analyzing mechanism 75 of the packet transfer apparatus shown in FIG. 10 realizes a processing function of determining a packet related to unauthorized access in the form of an execution program.

In the packet analysis unit 75 shown in FIG. 10, the packet storage unit 751 is a storage device accessed from the instruction execution unit 754 via the memory control unit 753, and an identifier is added by the packet identifier addition unit 72. Received packet and transmitted packet holding mechanism 7
6 is stored.

The execution instruction storage unit 752 stores the instruction execution unit 7
54 is a storage device for storing a packet analysis program required for operation.

The memory control mechanism 753 includes the instruction execution mechanism 7
The packet storage unit 75 based on the access request from
1 or an execution instruction storage unit 752 or another storage device and a function to transfer stored data between the instruction execution mechanism 754.

The instruction execution mechanism 754 includes the memory control mechanism 7
According to the packet analysis program passed from 53, a packet analysis process for determining whether or not the packet stored in the packet storage unit 751 is a packet related to unauthorized access is performed.

Based on the execution result of the instruction execution mechanism 754, it is determined whether or not the received packet is a packet related to unauthorized access. If the received packet is not a packet related to unauthorized access, the packet transmitting section 74 (or the transmission segment determining mechanisms 46 and 56 shown in FIGS. 4 and 5) transmits the received packet.
, The identifier of the received packet is transmitted.

Here, the processing operation in the packet analysis mechanism 75 having the configuration shown in FIG. 10 will be described based on the case where the packet transfer device 70 shown in FIG. 9 is applied.

The packet analyzing mechanism 75 having the configuration shown in FIG.
In the execution instruction storage unit 752, the instruction execution mechanism 7
A packet analysis program required for the operation of the packet 54 is stored in advance.

In the packet transfer device 70 shown in FIG. 9, a packet received by the packet receiving section 71 is added with an identifier by a packet identifier mechanism 72. The received packet to which the identifier is added is stored in the packet holding queue 73 and is also passed to the packet analysis mechanism 75, and is also stored in the transmitted packet holding mechanism 76. The packet passed to the packet analysis mechanism 75 is stored in the packet storage unit 751.

As a method of storing the received packet in the packet storage unit 751, a method of copying the received packet from the packet identifier adding mechanism 72 or the transmitted packet holding mechanism 76 is used. Alternatively, there is a method of sharing a storage device (packet storage unit 751) with the packet identifier adding mechanism 72 and the transmitted packet holding mechanism 76, and the like. When the transmitted packet holding mechanism 76 is provided, the transmitted packet held in the transmitted packet holding mechanism 76 may be stored in the packet storage unit 751.

When the storage of the packet in the packet storage unit 751 is completed, the operation of the instruction execution mechanism 754 is started. The instruction execution unit 754 sequentially reads the packet analysis program (execution program) stored in the execution instruction storage unit 752 from the head via the memory control unit 753, and executes transmission processing.

For example, when analyzing whether or not a received packet stored in the packet storage unit 751 contains a character string included in a packet related to unauthorized access, the packet analysis stored in the execution instruction storage unit 752 A part of the program includes a list of character strings included in the packet related to the unauthorized access, and the instruction execution mechanism 754
Via the memory control mechanism 753, sequentially compares the character string included in the character string list with the received packet, and if any of the character strings included in the character string list is included in the received packet, It is determined that the received packet is related to unauthorized access.

The instruction execution mechanism 754 has a function of extracting only a received packet to a specific destination, for example, a function of the transmitted packet holding mechanism 76 according to the packet analysis program stored in the execution instruction storage section 752. The packet storage unit 75 retrieves the transmitted packets from the transmitted packet holding mechanism 76 by utilizing a function of rearranging and extracting the packets in the order of the serial numbers included in the packet storage unit 75.
1 may be provided.

The instruction execution mechanism 754 executes the processing up to the end of the packet analysis program, and determines whether or not the received packet relates to an unauthorized access.

With such a structure having a function of judging a packet related to an unauthorized access, for example, a plurality of data strings that are only partially different from each other are known as specific data strings that are known to cause an OS malfunction. In some cases, the comparison of the common portion can be completed at once, and the determination as to whether or not it is related to unauthorized access can be performed at higher speed. Further, the instruction execution mechanism 75
4 is stopped, the execution instruction storage unit 752
When the next execution program is replaced, the analysis is started according to the newly replaced execution program when the next packet is received. Therefore, it is easy to update the unauthorized access analysis means of the packet analysis mechanism 75. Become.

The flowcharts of FIGS. 11 and 12 show a specific example of the procedure of the packet analysis program stored in the execution instruction storage unit 752 executed by the instruction execution unit 754 to determine the packet related to unauthorized access. .

In the determination process shown in FIGS. 11 and 12, the received packet stored in the packet storage unit 751 is determined in advance assuming that a header field option or parameter combination causes a malfunction in the packet transfer destination server. It is determined whether or not the set known condition is satisfied (step S1 in FIG. 11).
1). That is, a process is performed based on the header of the received packet to determine whether the packet is transmitted from a suspicious partner or is a suspicious packet having a different format.

If the above conditions are satisfied, the received packet is to be discarded (step S1 in FIG. 11).
5). On the other hand, if the above condition is not satisfied, it is next determined whether or not information of another packet, such as a fragmented packet or TPC, also needs to be determined (step S12 in FIG. 11).

If another packet is not required, it is determined in advance that the length of the data carried by the packet or the combination of the parameters specified by the data causes a malfunction in the application processing the data. It is determined whether or not the set known condition is satisfied (step S13 in FIG. 11).

If the above condition is satisfied, the received packet is to be discarded (step S1 in FIG. 11).
5). On the other hand, if the above condition is not satisfied, the received packet is regarded as a packet to be transmitted, and the packet
4 is instructed to transfer the received packet (step S14 in FIG. 11).

If it is determined in step S12 that information of another packet is also necessary, the packet holding mechanism 76 stores a fragmented packet and has already been transmitted.
It is determined whether or not a known condition set in advance as causing a malfunction in the server, such as an overlap of the data area with another fragmented packet extracted from the server, is satisfied (step S21 in FIG. 12).

If the above condition is satisfied, the received packet is to be discarded (step S2 in FIG. 12).
6). On the other hand, if the above condition is not satisfied, then T
It is determined whether the packet of the PC satisfies a known condition set in advance as causing a malfunction in the server, such as a data area overlapping with another packet of the same session extracted from the transmitted packet holding mechanism 76. It is determined (step S22 in FIG. 12).

If the above condition is satisfied, the received packet is to be discarded (step S2 in FIG. 12).
6). On the other hand, if the above condition is not satisfied, next, the necessary number of packets of the same session are extracted from the transmitted packet holding mechanism 76, and a data stream long enough to be transmitted is reconstructed (step in FIG. 12). S2
3) It is determined whether the length of the data carried by the TCP data stream or the parameter specified by the data satisfies a known condition preset as causing a malfunction (FIG. 12). Step S24).

If the above condition is satisfied, the received packet is discarded (step S2 in FIG. 12).
6). On the other hand, if the above condition is not satisfied, the packet transmission unit 74 is instructed to transfer the received packet (FIG. 1).
Two steps S25).

The above-described process of judging a packet related to an unauthorized access is sequentially executed for each of the received packets received by the packet receiving unit 71.

By having the function of eliminating packets related to unauthorized access as described above, the destination / source M
It is possible to realize a packet transfer mechanism that does not allow a packet related to unauthorized access to pass, which cannot be prevented only by judging whether to transfer a packet based on an AC address, a destination / source address of a higher-order protocol, a service number, or the like. Further, it is possible to realize a packet transfer mechanism that does not allow a packet related to an unauthorized access to pass through without setting by a user to determine whether to transfer a packet. In addition, since there is no network address such as an IP address, it is possible to realize a packet transfer mechanism that prevents itself from being subjected to unauthorized access and that does not pass packets related to unauthorized access.

The execution program (packet sending program) stored in the execution instruction storage unit 752 is
For example, it can be provided by various storage media or storage devices such as a hard disk, a CD-ROM, and a semiconductor memory.

Next, an eighth embodiment of the present invention will be described with reference to FIG.

FIG. 13 is a block diagram showing essential components of a packet transfer device according to the eighth embodiment of the present invention.

The packet transfer device 80 of the seventh embodiment shown in FIG. 13 is characterized in that a function of updating a packet analysis program via a serial interface 87 is added.

In the packet transfer device 80 shown in FIG. 13, the execution instruction storage unit 86 of the packet analysis mechanism 85 stores
An execution program for operating the instruction execution mechanism (see FIG. 10) is stored.

The serial interface 87 has a function of receiving an analysis program update instruction from the outside. The analysis program updating mechanism 88 is connected to the serial interface 8.
7 has a function of updating the execution program stored in the packet analysis mechanism 85 in accordance with the analysis program update instruction received. The update instruction format identification mechanism 89 has a function of determining whether or not the data received by the serial interface 87 is an analysis program update instruction, based on whether or not the received data satisfies a specific format.

The operation of the packet transfer device 80 shown in FIG. 13 will be described.

The data received via serial interface 87 is passed to analysis program updating mechanism 88. When the analysis program update mechanism 88 confirms by the update instruction format identification mechanism 89 that the data passed from the serial interface 87 is an analysis program update instruction that satisfies a specific format, the analysis program update mechanism 88 includes the data in the analysis program update instruction. Extract the executable program that is running.

Further, the analysis program updating mechanism 88 checks whether or not the instruction execution mechanism of the packet analysis mechanism 85 is operating, and if it is operating, waits for the operation to stop. When it is confirmed that the instruction execution unit of the packet analysis unit 85 is stopped, the execution program included in the analysis program update instruction is stored in the execution instruction storage unit 8 of the packet analysis unit 85.
6 is stored. As a result, the execution program for analyzing unauthorized access in the packet analysis mechanism 85 is updated.

Next, a ninth embodiment of the present invention will be described with reference to FIG.

FIG. 14 is a block diagram showing essential components of a packet transfer device according to the ninth embodiment of the present invention.

The packet transfer device 90 of the ninth embodiment shown in FIG. 14 is characterized in that a function of updating a packet analysis program via a network interface 97 is added. In the ninth embodiment, the serial interface 87 of the embodiment of FIG. 13 is replaced with a network interface 97, and the other configuration is the same as that of FIG.

Next, the packet transfer device 90 shown in FIG.
Will be described.

The data received via the network interface 97 is passed to the analysis program updating mechanism 98. The analysis program update mechanism 98 uses the update instruction format identification mechanism 99 to execute the network interface 97.
When it is confirmed that the data passed from is an analysis program update instruction that satisfies a specific format, the execution program included in the analysis program update instruction is extracted.

Further, the analysis program updating mechanism 98 confirms whether or not the instruction execution mechanism of the packet analysis mechanism 95 is operating, and if it is operating, waits for the operation to stop. If it is confirmed that the instruction execution unit of the packet analysis unit 95 is stopped, the execution program included in the analysis program update instruction is stored in the execution instruction storage unit 9 of the packet analysis unit 95.
6 is stored. As a result, the execution program for analyzing unauthorized access in the packet analysis mechanism 95 is updated.

Next, a tenth embodiment of the present invention will be described with reference to FIG.

FIG. 15 is a block diagram showing essential components of a packet transfer device according to the tenth embodiment of the present invention.

The packet transfer apparatus 100 according to the tenth embodiment shown in FIG. 15 is characterized by adding a function of updating an execution program (packet analysis program) using a packet.

In the packet transfer apparatus 100 shown in FIG.
Stores an execution program for operating the instruction execution mechanism (see FIG. 10).

The analysis program update mechanism 107 has a function of updating the execution program stored in the packet analysis mechanism 105 in accordance with the analysis program update instruction received by the packet receiving section 101. The update instruction format identification mechanism 108 in the analysis program update mechanism 107 has a function of determining whether or not a received packet is an analysis program update instruction based on whether or not data of an input packet satisfies a specific format. Have.

Next, the packet transfer device 10 shown in FIG.
The operation of 0 will be described.

The packet received by the packet receiving unit 101 is transferred to the analysis program updating unit 107 at the same time as being transferred to the packet identifier adding unit 102. Update instruction format identification mechanism 10 of analysis program update mechanism 107
8 judges that the input received packet satisfies a specific format indicating an analysis program update instruction. If the specific format is satisfied, it is determined that the received packet is not a packet to be transferred but an analysis program update instruction. As a result, the analysis program updating mechanism 107 extracts the execution program included in the received packet, sends it to the packet analysis mechanism 105, and stores the execution program in the execution instruction storage unit 106.

In each of the embodiments shown in FIGS. 13 to 15, the execution program stored in the execution instruction storage unit of the packet analysis mechanism is updated to prepare an environment in which the latest unauthorized access analysis program operates. Although
There is a possibility that the illegal access analysis program will be incorrectly updated by the illegal analysis program update instruction, and the packet analysis mechanism will not operate normally.

In order to prevent this, as shown in FIG.
It is also possible to provide an electronic signature identification mechanism in the update instruction format identification mechanism and add an electronic signature to the analysis program update instruction for authentication. Although the tenth embodiment shown in FIG. 15 is targeted here, the present invention can be similarly applied to the eighth embodiment shown in FIG. 13 and the ninth embodiment shown in FIG.

FIG. 16 shows the analysis program updating mechanism 107.
Is a block diagram showing the configuration of the update instruction format identification mechanism 108 in the analysis program update mechanism 107.
And an electronic signature identification mechanism 109 in the update instruction format identification mechanism 108.

That is, the digital signature identification mechanism 109 in the update instruction format identification mechanism 108 receives data from the serial interface (FIG. 13), the network interface (FIG. 14), or the packet receiving unit (FIG. 15). It is determined whether the electronic signature included in the data stored in the received packet is a valid signature. That is,
If the data indicating the analysis program update instruction satisfies a specific format and the electronic signature included in the data is a valid signature, it is determined that the instruction is a valid analysis program update instruction.

When the update instruction format identification mechanism 108 determines that the instruction is a valid analysis program update instruction, the analysis program update mechanism 107 outputs an unauthorized access analysis program included in the analysis program update instruction to the packet analysis mechanism 105. It has a function to do.

In the above configuration, the data passed to the analysis program update mechanism 107 satisfies a specific format indicating an analysis program update instruction, and
If the electronic signature included in the data is a valid signature by the electronic signature identification mechanism 109, the analysis program update mechanism 107 determines that the instruction is a valid analysis program update instruction, and analyzes the unauthorized access included in the data. The program is taken out and sent to the packet analysis mechanism 105. The packet analysis mechanism 105 stores the unauthorized access analysis program in the execution instruction storage unit 106. This allows
It is possible to realize a packet transfer device that can prevent the packet analysis mechanism from being improperly operated by an incorrect analysis program update instruction.

Next, an eleventh embodiment of the present invention will be described with reference to FIG.

FIG. 17 is a block diagram showing essential components of a packet transfer device according to the eleventh embodiment of the present invention. The packet transfer device 110 according to the eleventh embodiment
Has a function of setting a communication address in advance.

In the packet transfer apparatus 110 shown in FIG. 17, the communication address setting mechanism 114 stores the communication address obtained via a serial interface, a network interface or the like into the communication address holding mechanism 11.
5 is set. In the example shown in FIG. 17, a case where a communication address is set via the serial interface 113 is shown as an example.

The communication address holding mechanism 115 has a function of holding a communication address preset by the communication address setting mechanism 114.

The communication control mechanism 112 communicates with the update of the packet analysis program, and the in-device information notification mechanism 117
Is a device that controls communications for notifying other devices connected to the network segment (hereinafter, these communications are referred to as specific communications). Has the function of discarding the packet. Also, when performing the above specific communication,
It has a function of receiving a packet addressed to the communication address and passing data related to the specific communication stored in the packet to the execution program update mechanism 116 and the in-device information notification mechanism 117. In addition, it has a function of adding the communication address as a transmission source to data transmitted by the execution program updating mechanism 116 or the in-device information notification mechanism 117 at the time of data communication relating to the specific communication and transmitting the data to the network segment.

The packet transfer device 110 of this embodiment includes, for example, the unauthorized access history holding mechanism 66 shown in FIG.
Information notification mechanism 1 for notifying the unauthorized access history and other information inside the device held in the device to the outside
Seventeen. The in-device information notification mechanism 117 uses a serial interface or a notification network interface to notify information inside the device to the outside. The in-device information notification mechanism 117 is a packet transfer target for notifying the information inside the device to the outside.
The network segment to which the packet receiving unit / packet transmitting unit is connected can also be used.
You need a network address that you do not have during normal operation to prevent yourself from being the target of unauthorized access.

Next, the packet transfer device 11 shown in FIG.
The operation of 0 will be described.

The user sets the communication address setting mechanism 114
The communication address is set in the communication address holding mechanism 115 in advance by using. The configuration of FIG. 17 shows the case where the communication address setting mechanism 114 is used via the serial interface 113. However, the network segment to be transferred is used in the same manner as the network interface or the analysis program update instruction. , It is also possible to use the communication address setting mechanism 114.

When the specific communication is performed, the communication control mechanism 112 receives a packet addressed to the communication address from the network segment via the packet receiving unit 111 and receives the packet, and the packet is included in the received packet. Execution program update mechanism 11 for data related to communication
6 and the in-device information notification mechanism 117. Then, the execution program updating mechanism 116 and the in-device information notifying mechanism 117 send the transmission data related to the specific communication to the transmission source network segment indicated by the communication address. However, when the communication is not performed, the communication control mechanism 112 discards the packet addressed to the communication address to prevent the communication control mechanism 112 from being targeted for unauthorized access.

Next, a twelfth embodiment of the present invention will be described with reference to FIGS.

FIG. 18 is a block diagram showing essential components of a packet transfer device according to the twelfth embodiment of the present invention. The packet transfer apparatus 120 according to the twelfth embodiment shown in FIG. 18 is characterized in that it has a packet stealer 122.

In the packet transfer device 120 shown in FIG. 18, the communication address selecting mechanism 124 has an address / segment correspondence table 125 for holding the correspondence between the network address of the packet received in the past and the received network segment. And selecting any one of the source addresses of previously received packets as a communication address from a network segment different from the destination network segment of the packet related to the specific communication, and setting the selected communication address to It has a function to set the communication address holding mechanism 126.

At this time, address / segment correspondence table 12
FIG. 19 shows an example of No. 5.

The communication address holding mechanism 126 has a function of holding the communication address set by the communication address selecting mechanism 124.

When the specific communication is not performed, the packet stealer 122 passes the packet addressed to the communication address to the packet identifier adding mechanism (see FIGS. 1 to 6) to perform a normal transfer process. When performing a specific communication, it has a function of intercepting a packet addressed to a communication address without passing the packet to the packet identifier adding mechanism.

[0207] The communication control mechanism 123 is a mechanism for controlling the specific communication, and transfers data related to the communication included in the received packet to the execution program updating mechanism 127 and the in-device information notification mechanism 128. Further, it has a function of adding the communication address as a transmission source to data transmitted by the execution program update mechanism 127 or the in-device information notification mechanism 128 and transmitting the data to the network segment.

Next, the packet transfer device 12 shown in FIG.
The operation of 0 will be described.

The communication address selecting mechanism 124 refers to the built-in address / segment correspondence table 125 and selects one of the source addresses of packets received in the past from the network segment to which packets related to the specific communication are transmitted. Is selected as the communication address.

Here, address / segment correspondence table 12
It is assumed that the correspondence between the address and the received network segment held in No. 5 is, for example, the content shown in FIG. Here, the party performing the specific communication is [192.
168. 7.42], the network segment to which the packet relating to the specific communication is to be transmitted is the segment B.

Therefore, the network segment (segment B) to which the packet relating to the specific communication is to be transmitted is different from the network segment which is segment A.
And the communication address is [192.168.
0.21], or [192.168.8.334].
It is sufficient to select one of the following.

For example, address / segment correspondence table 12
If the segment A closest to the beginning of 5 is selected,
The address is [192.168.0.21]. At this time, if the network address of the other party performing the specific communication does not exist in the address / segment correspondence table 125, an address on each network segment is arbitrarily selected, and the address is set using the address. I do. As a result of this address setting, if a response packet for address setting can be received on any of the network segments, the address / segment correspondence table 125
Since the network address and the network segment of the communication partner are registered, the network address is selected again as the communication address.

By selecting a communication address in this way, a response packet in which the communication address is specified is transmitted to packet receiving section 121 of packet transfer apparatus 120. When the specific communication is not performed, the packet stealer 122 passes a packet addressed to the communication address of the segment A to the packet identifier adding mechanism and performs a normal transfer process. On the other hand, when the specific communication is performed, a packet addressed to the communication address of the segment A is intercepted so that the packet is not passed to the original owner of the communication address.

[0214] The packet stealing unit 122 is provided with the communication control mechanism 1
By intercepting only the response packet from the network segment for the packet transmitted by the H.23, it is possible to minimize the influence of the communication address on the communication of the original owner. In this case, the port number or the like used by the original owner of the communication address in the communication via the packet transfer device 120 according to this embodiment can be distinguished from the communication of the original owner of the communication address. It is necessary to prepare a mechanism for storing the communication address so that the communication address does not overlap with the communication address so that the communication address can be distinguished from the communication of the original owner of the communication address. By doing so, it is possible to prevent unauthorized access to itself, and perform communication accompanying the update of the analysis program, and specific communication for the in-device information notification mechanism to notify other devices of information inside the device. Becomes

By having the structure of each embodiment shown in FIG. 17 or FIG. 18, the communication accompanying the update of the analysis program and the in-device information notifying mechanism can transmit the information inside the device to another device. Since there is no network address except when a specific communication such as a communication for notification is performed, a packet transfer device that can prevent unauthorized access to itself can be realized.

Next, a thirteenth embodiment of the present invention will be described with reference to FIGS.

FIG. 20 is a block diagram showing essential components of a packet transfer device according to the thirteenth embodiment of the present invention. The packet transfer apparatus 130 according to the thirteenth embodiment shown in FIG. 20 includes a communication start instruction format identification mechanism 133.

The communication start instruction format identification mechanism 133 identifies that the packet received by the packet receiving section 131 is data that satisfies a specific format indicating the communication start instruction, and communicates with the communication control mechanism 134. Has a function to notify start.

Upon receiving the communication start notification from the communication start instruction format identification mechanism 133, the communication control mechanism 134 selects the communication address held in the communication address holding mechanism 136 or the communication address selection mechanism 135. It has a function to start communication using a communication address.

Next, the packet transfer device 13 shown in FIG.
The operation of 0 will be described.

When the packet transfer device having no network address is realized by the structure of each of the embodiments shown in FIGS. 17 and 18 except when the specific communication is performed, the packet transfer device of the above embodiment is realized. Although it is possible to start communication with another device from the other device, even if an attempt is made to start communication from the other device to the packet transfer device of the above-described embodiment, communication is impossible because the device does not have a network address. is there. Therefore, the packet transfer apparatus 130 of the thirteenth embodiment shown in FIG. 20 has a communication start instruction format identification mechanism 133 so that another apparatus can start communication with the packet transfer apparatus 130.

The packet received by the packet receiving section 131 is transferred to the packet identifier adding mechanism (see FIGS. 1 to 6) and the like, and at the same time, to the communication start instruction format identifying mechanism 133. Communication start instruction format identification mechanism 13
3 determines whether the format of the received packet satisfies a specific format indicating a communication start instruction.

If the specified format is satisfied, it is determined that the received packet is not a packet to be transmitted to the network segment but a communication start instruction to the packet transfer device 130, and the communication control mechanism 134 starts the communication. To instruct. In the example shown in FIG. 20, it is assumed that the communication control mechanism 134 starts communication using the communication address selected by the communication address selection mechanism 135.

In this manner, specific communication such as communication for updating the analysis program and communication for notifying the internal information of the apparatus to other apparatuses by the internal information notification mechanism 138 is performed. The packet transfer device 130 does not have a network address except when the packet transfer device 130 is operating, so that it is possible to prevent unauthorized access to itself and to start communication from another device to the packet transfer device 130. Can be realized.

In the above-described embodiment, when a function for starting communication from the outside is provided, there is a possibility that communication is started by an illegal communication start instruction, and that the terminal itself is targeted for unauthorized access. In order to prevent this, as shown in FIG. 21, an electronic signature identification mechanism 139 is provided in the communication start instruction format identification mechanism 133, and it is possible to authenticate by adding an electronic signature to the communication start instruction.

As shown in FIG. 21, an electronic signature identification mechanism 139 is provided in the communication start instruction format identification mechanism 133, and the electronic signature identification mechanism 139 stores the electronic signature included in the communication start instruction data. It is determined whether or not the signature is valid. If the electronic signature is a valid signature, the data is determined to be a valid communication start instruction, and the communication control mechanism 134 is notified of the start of communication.

Upon receiving the communication start notification from the communication start instruction format identification mechanism 133, the communication control mechanism 134 reads the communication address stored in the communication address holding mechanism 136,
Alternatively, communication using the communication address selected by the communication address selection mechanism 135 is started.

As a result, it is possible to realize a packet transfer apparatus that can prevent communication from being started by an unauthorized communication start instruction and being subject to unauthorized access.

The packet analysis programs handled in each of the embodiments shown in FIGS. 13 to 20 are individually stored in various storage media such as a hard disk, a CD-ROM, a semiconductor memory, or a storage device. It is also possible to provide.

According to the embodiment of the present invention as described above,
A packet transfer apparatus that does not allow a packet related to unauthorized access to pass cannot be prevented only by judging whether or not to transfer a packet based on a destination / source MAC address, a destination / source address of a higher-order protocol, a service number, and the like. Can be realized. Further, it is possible to realize a packet transfer device that does not allow a packet related to an unauthorized access to pass through without setting by a user to determine whether to transfer a packet. Further, since there is no network address such as an IP address, it is possible to realize a packet transfer device that prevents itself from being targeted for unauthorized access and that does not pass packets related to unauthorized access. Further, it is possible to realize a packet transfer device capable of displaying that unauthorized access has been performed.

Further, the functions of the above-described embodiment will be described with reference to FIG.
In combination with the existing unauthorized access prevention function described with reference to FIG. 24, a more reliable packet transfer prevention function relating to unauthorized access can be realized.

[0232]

As described above in detail, according to the present invention, a highly reliable function of preventing unauthorized access can be realized without imposing a large burden on the user. Furthermore, according to the present invention, by having a function of sending out the contents of a packet transferred from a transmission source and determining that the packet is not a packet related to unauthorized access, transfer of a packet related to unauthorized access can be reliably prevented, and A highly effective unauthorized access prevention function can be realized. That is, according to the present invention, the destination / source M
It is possible to realize a packet transfer device that does not allow a packet related to unauthorized access to pass, which cannot be prevented only by determining whether to transfer a packet based on an AC address, a destination / source address of a higher-order protocol, a service number, or the like. it can. Further, it is possible to realize a packet transfer device that does not allow a packet related to an unauthorized access to pass without setting by a user to determine whether to transfer a packet. Further, since there is no network address such as an IP address, it is possible to realize a packet transfer device that can prevent a packet related to an unauthorized access from passing, which can prevent itself from being targeted for unauthorized access. Further, it is possible to realize a packet transfer device capable of displaying that unauthorized access has been performed.

[Brief description of the drawings]

FIG. 1 is a block diagram showing essential components of a packet transfer device according to a first embodiment of the present invention.

FIG. 2 is a block diagram showing essential components of a packet transfer device according to a second embodiment of the present invention.

FIG. 3 is a block diagram showing essential components of a packet transfer device according to a third embodiment of the present invention.

FIG. 4 is a block diagram showing essential components of a packet transfer device according to a fourth embodiment of the present invention.

FIG. 5 is a block diagram showing essential components of a packet transfer device according to a fifth embodiment of the present invention.

FIG. 6 is a block diagram showing essential components of a packet transfer device according to a sixth embodiment of the present invention.

FIG. 7 is a view showing a first example of an unauthorized access display means in the sixth embodiment.

FIG. 8 is a diagram showing a second example of the unauthorized access display means in the sixth embodiment.

FIG. 9 is a block diagram showing essential components of a packet transfer device according to a seventh embodiment of the present invention.

FIG. 10 is a block diagram showing a configuration example of a packet analysis mechanism according to the seventh embodiment.

FIG. 11 is a flowchart showing a procedure of a process of determining a packet related to an unauthorized access in the seventh embodiment.

FIG. 12 is a flowchart showing a procedure of a process of determining a packet related to an unauthorized access in the seventh embodiment.

FIG. 13 is a block diagram showing essential components of a packet transfer device according to an eighth embodiment of the present invention.

FIG. 14 is a block diagram showing essential components of a packet transfer device according to a ninth embodiment of the present invention.

FIG. 15 is a block diagram showing essential components of a packet transfer device according to a tenth embodiment of the present invention.

FIG. 16 is a block diagram showing a configuration of an analysis program updating mechanism according to the tenth embodiment.

FIG. 17 is a block diagram showing essential components of a packet transfer device according to an eleventh embodiment of the present invention.

FIG. 18 is a block diagram showing essential components of a packet transfer device according to a twelfth embodiment of the present invention.

FIG. 19 is a diagram showing a configuration example of an address / segment correspondence table in the twelfth embodiment.

FIG. 20 is a block diagram showing essential components of a packet transfer device according to a thirteenth embodiment of the present invention.

FIG. 21 is a block diagram showing another configuration example of the communication start identification mechanism according to the thirteenth embodiment.

FIG. 22 is a block diagram showing a configuration of a conventional packet transfer device.

FIG. 23 is a block diagram showing a network configuration example of the conventional packet transfer device shown in FIG. 22;

FIG. 24 is a view showing an example of contents stored in a rule holding unit of the conventional packet transfer apparatus shown in FIG. 23;

[Explanation of symbols]

10, 20, 30, 40, 50, 60, 70, 80, 9
0, 100, 110, 120, 130... Packet transfer devices 11, 21a, 21b, 31a, 31b, 41, 51,
61, 71, 81, 91, 101, 111, 121, 1
31 ... Packet receiving units 12, 22a, 22b, 32, 42, 52, 62, 7
2, 82, 92, 102 ... packet identifier adding mechanism 13, 23a, 23b, 33, 43, 53a ... 53n,
63, 73, 83, 93, 103,..., Packet holding queues 14, 24a, 24b, 34a, 34b, 44a,.
n, 54a... 54n, 64, 74, 84, 94, 10
4,... Packet transmission units 15, 25a, 25b, 35, 45, 55, 65, 7
5, 85, 95, 105: Packet analysis mechanism 150, 250a, 250b, 350, 450, 55
0,650 ... Illegal packet analysis database 46, 56 ... Sending segment determination mechanism 66 ... Illegal access history holding mechanism 67 ... Illegal access history display mechanism 67A ... Illegal access display 67B ... Illegal access display device 76 ... Sent packet holding mechanism 86, 96, 106 execution instruction storage units 87, 113 serial interfaces 88, 98, 107 analysis program update mechanisms 89, 99, 108 update instruction format identification mechanism 97 network interfaces 109, 139 electronic signature identification mechanism 112 , 123, 134 ... communication control mechanism 114 ... communication address setting mechanism 115, 126, 136 ... communication address holding mechanism 116, 127, 137 ... execution program update mechanism 117, 128, 138 ... device information notification mechanism 122, 132 … Packet stealing unit 24,135 ... communication address selection mechanism 125 ... address / segment correspondence table 133 ... communication start instruction format identification mechanism 751 ... packet storage unit 752 ... execution command storage unit 753 ... memory controller 754 ... instruction execution mechanism

Claims (8)

[Claims] 1. A packet transfer device connected to at least a first and second network segment and monitoring a packet transferred between the first and second network segments, based on a preset condition. The received packet received via the first network segment
Packet analyzing means for analyzing whether or not a factor causing software of a device connected to the network segment to malfunction is included; and the packet analyzing means determines that the received packet is an invalid packet including the factor causing the malfunction. At this time, the illegal packet is discarded, and only the received packet determined to be a normal packet is transmitted to the second network segment by the packet transmitting unit and the packet analyzing unit. A sent packet holding means for holding a sent packet sent to the second network segment by a packet sending means, wherein the packet analyzing means holds the sent packet when the received packet is analyzed. See the sent packet Packet transfer apparatus according to claim Rukoto. 2. A packet transfer device connected to at least a first and second network segment and monitoring a packet transferred between the first and second network segments, wherein the packet transfer device includes: Packet receiving means for receiving a packet of the following; an identifier adding means for adding an identifier to the received packet received by the packet receiving means; a packet holding queue for temporarily holding the received packet to which the identifier has been added; It is determined whether the received packet received by the packet receiving means is an illegal packet including a factor that causes software of a device connected to the second network segment to malfunction, based on the condition, Is determined to be a normal packet that does not include In this case, the packet analyzing means for outputting the identifier of the received packet, receiving the identifier output from the packet analyzing means, extracting the received packet having the received identifier from the packet holding queue, A transmitted packet transmitted to the second network segment by the packet transmitting means and the packet analyzing means, which is determined by the packet transmitting means and the packet analyzing means to be a normal packet that does not include a factor causing the software to malfunction, and transmitted to the second network segment by the packet transmitting means. And a sent packet holding means for holding the received packet, wherein the packet analyzing means, when analyzing the received packet,
A packet transfer apparatus characterized in that the transmitted packet held by the transmitted packet holding means is referred to. 3. A packet transfer device connected to at least three or more network segments and monitoring packets transferred between the plurality of network segments, comprising: packet receiving means for receiving packets from the network segments. An identifier adding unit that adds an identifier to a received packet received by the packet receiving unit; a packet holding queue that temporarily holds the received packet to which the identifier has been added; and a packet receiving queue based on a preset condition. Determining whether the received packet received by the means is an illegal packet including a factor that causes software of a device connected to the network segment to malfunction, and determining that the packet is a normal packet that does not include a factor that causes the software to malfunction. The received packet, Packet analyzing means for outputting an identifier of the packet, receiving the identifier output from the packet analyzing means, extracting a received packet having the received identifier from the packet holding queue, and extracting the received packet from the destination MAC address included in the received packet. Sending segment determining means for determining a network segment to be sent; one or more sending means for sending the received packet extracted from the packet holding queue to the network segment determined by the sending segment determining means; And a transmitted packet holding means for holding the transmitted packet transmitted by the packet transmitting means which is determined by the analyzing means to be a normal packet which does not include a factor causing the software to malfunction. At the time of analysis of the received packet,
A packet transfer apparatus characterized in that the transmitted packet held by the transmitted packet holding means is referred to. 4. A packet transfer device connected to at least three or more network segments and monitoring packets transferred between the plurality of network segments, comprising: a receiving unit that receives a packet from the network segment; An identifier adding unit for adding an identifier to the received packet received by the receiving unit; a plurality of packet holding queues for temporarily holding the received packet to which the identifier is added for each destination network segment; Sending segment determining means for determining a destination network segment of the received packet from a destination MAC address included in the received packet, and storing the packet with the identifier added to the packet holding queue corresponding to the network segment; Set in advance And determining whether the received packet received by the packet receiving unit is an illegal packet including a factor that causes software of a device connected to the network segment to malfunction, based on the determined condition, and causing the software to malfunction. A packet analyzing unit that outputs an identifier of the received packet when it is determined that the packet is a normal packet that does not include a factor; and a plurality of sending units provided corresponding to the packet holding queue, wherein the packet analyzing unit Sending means for receiving the identifier output from the packet holding module, extracting the received packet from the packet holding queue holding the received packet having the identifier, and sending the received packet to the associated network segment; Includes factors that cause the software to malfunction Sent packet holding means for holding a sent packet sent by the packet sending means, which is determined to be a normal packet, wherein the packet analyzing means analyzes the received packet,
A packet transfer apparatus characterized in that the transmitted packet held by the transmitted packet holding means is referred to. 5. A packet transfer method which is connected to at least a first and second network segment and monitors a packet transferred between the first and second network segments, based on a condition set in advance. The second received packet received via the first network segment
Determining whether a factor that causes the software of the device connected to the network segment to malfunction is included, and when determining that the received packet is a malformed packet including the factor that causes the malfunction, Discarding and transmitting the received packet determined to be a normal packet to the second network segment, and holding the transmitted packet determined to be a normal packet and transmitted to the second network segment A packet transfer method, comprising: determining whether or not the received packet includes the cause of the malfunction by referring to the held transmitted packet. 6. A packet transfer method connected to at least first and second network segments and monitoring packets transferred between the first and second network segments, wherein a packet from the first network segment is provided. Receiving the received packet, adding an identifier to the received packet, temporarily holding the received packet to which the identifier is added, and adding the identifier to the received packet based on a preset condition. It is determined whether or not the packet is a fraudulent packet including a factor that causes the software of the device connected to the second network segment to malfunction, and when it is determined that the packet is a normal packet that does not include a factor that causes the software to malfunction, An analyzing step of outputting an identifier of the received packet; Receiving the output identifier, extracting a received packet having the received identifier from the temporarily received packets, and sending the received packet to the second network segment. Holding the transmitted packet transmitted to the second network segment. The analyzing step refers to the stored transmitted packet to determine the cause of the malfunction in the received packet. A packet transfer method characterized by determining whether or not the packet is included. 7. A packet transfer method for monitoring a packet connected to at least three or more network segments and transferred between the plurality of network segments, comprising: receiving a packet from one of the network segments. Adding an identifier to the received packet; temporarily holding the received packet to which the identifier has been added; connecting the received packet to the network segment based on a preset condition. It is determined whether or not the packet is a fraudulent packet that includes a factor that causes the software of the device to malfunction, and if it is determined that the packet is a normal packet that does not include the factor that causes the software to malfunction, the identifier of the received packet is output. An analysis step, and the output identifier Receiving and extracting the received packet having the received identifier from the temporarily-received received packet, and determining a network segment to be transmitted from a destination MAC address included in the received packet; Transmitting the extracted received packet to the determined network segment to be transmitted, and holding the transmitted transmitted packet determined to be a normal packet. A packet transfer method comprising: determining whether or not the received packet includes the cause of the malfunction by referring to the held transmitted packet. 8. A packet transfer method for monitoring packets transferred between a plurality of network segments connected to at least three or more network segments, comprising: receiving a packet from one of the network segments. Adding an identifier to the received packet; determining a destination network segment of the received packet from a destination MAC address included in the received packet to which the identifier is added; and determining the destination network segment according to the determination. Storing the received packet with the identifier added to a temporary holding queue provided for each segment; and software for a device connected to the network segment in the received packet based on a preset condition. Malfunction An analysis step of determining whether the packet is an illegal packet including a factor that causes the software to malfunction and, when determining that the packet is a normal packet not including a factor that causes the software to malfunction, outputting an identifier of the received packet; Receiving the identifier output from
Extracting the received packet from the packet holding queue holding the received packet having the identifier, and transmitting the received packet to the associated network segment; and the transmitted transmitted packet determined to be a normal packet. Holding the transmitted packet, and referring to the held transmitted packet to determine whether or not the received packet includes the cause of the malfunction. Method.