JP2005025679A - Virus isolation system - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To find out virus without requiring the registration of a pattern file and surely arrest its spread into a network. <P>SOLUTION: The virus isolation system comprises virus monitoring parts 18 provided on personal computers 10-1, 10-2 and 10-3 connected to the network 14 through a network device 16-1 which monitor the using state of resources, and determine and externally report virus infection when the use of the resources is suddenly increased; and an interruption part 34 provided on the network device 16-1 which interrupts on receipt of a report from the virus monitoring part 18 the personal computer of the reporting source from the network. <P>COPYRIGHT: (C)2005,JPO&NCIPI

Description

The present invention relates to a virus quarantine system, method, and program for isolating a virus by blocking a virus-invaded device from a network, and more particularly, a virus quarantine for detecting and isolating a virus intrusion without requiring a virus pattern file. About the system.

  Conventionally, a computer connected to a local network such as a LAN has a high risk of being damaged by a virus that has entered from the outside such as the Internet. In particular, a virus that distributes a large amount of mail or creates a file eats up the resources of a computer in the network and causes the entire network system to stop functioning.

In the conventional anti-virus measures, anti-virus software is installed on each computer connected to the network, and a virus is found by comparing with a pre-registered virus pattern and captured.
JP-A-11-161517

  However, when such conventional anti-virus software is used, there is a risk that the virus will spread before the pattern file is registered when a new type of virus occurs. In addition, prior to rapid virus propagation, each administrator had to manually prevent the spread of the virus.

It is an object of the present invention to provide a virus quarantine system, method, and program capable of detecting a virus and reliably preventing its spread in a network without requiring registration of a pattern file.

  The present invention provides a virus isolation system. This virus quarantine system is provided in an information processing device connected to a network via a network device, monitors the usage status of resources, and determines that a virus infection occurs when the usage of resources increases rapidly. A virus monitoring unit that notifies the outside, and a blocking unit that is provided in the network device and shuts off the information processing apparatus that is a notification source from the network when receiving a notification from the virus monitoring unit.

  As described above, the present invention is not a collation based on an existing virus pattern, but detects the occurrence of a virus based on a sudden change in the usage status of hardware resources (resources), which is a symptom of virus damage. Also effective against. Moreover, since the infected device can be blocked from the network when a virus is detected, the spread of the virus can be prevented.

  Here, the virus monitoring unit divides the resources of the information processing apparatus into a plurality of types and monitors the usage status for each resource, and if the usage amount increases rapidly in at least one of the plurality of resources, Determine and notify the outside.

  In addition, the virus monitoring unit determines the virus infection for each of the multiple types of resources used in the information processing device, and determines that the virus is infected when the usage of a plurality of resources corresponding to a predetermined combination increases rapidly. And notify.

  Specifically, the virus monitoring unit classifies the resources of the information processing apparatus into network resources, CPU resources, and input / output resources, and uses the resource usage as the data transfer amount of the network resources, the load of the CPU resources, and the input / output resources. When the resource usage exceeds a predetermined threshold and continues for a predetermined time, it is determined that the virus is infected and is notified to the outside. In this way, by monitoring anomalies due to virus infections for a plurality of types of resource usage, it is possible to reliably detect infections corresponding to the nature of viruses such as mail delivery viruses and hard disk occupation viruses.

  The virus monitoring unit is characterized by pre-registering a resource to be monitored by the information processing apparatus and a resource to be excluded from the virus monitoring target. Since the present invention determines the occurrence of a virus based on a rapid change in resources, a process that may be mistaken for a virus may be included in the general process. And prevent mistaking the general process as a virus infection.

  Further, the virus monitoring unit of the information processing device periodically performs monitoring processing to notify normal use when the virus infection is not determined, and the blocking unit of the network device receives a regular notification of normal use from the information processing device. When it is cut off, it is determined that the virus is infected and the network connection of the corresponding information processing apparatus is cut off. For this reason, even if the personal computer or server being managed becomes inoperable due to a virus infection, the regular normal use notification is interrupted, so that it is considered virus infection and the connection with the network is blocked. Can be isolated.

The present invention provides a virus isolation method, and this virus isolation method includes:
A virus monitoring step of monitoring the resource usage status of the information processing device connected to the network via the network device, and determining that the virus has been infected and notifying the outside when the resource usage has rapidly increased;
When receiving a virus infection notification from the network device, a blocking step of blocking the information processing device that is the notification source from the network;
It is provided with.

  In the virus isolation method, the virus monitoring step periodically performs monitoring processing to notify normal use when a virus infection is not judged, and the blocking step is performed when the regular notification of normal use is cut off. Then, it is determined that the virus is infected, and the network connection of the corresponding information processing apparatus is blocked.

The present invention provides a program executed by an information processing apparatus for virus isolation. This program is stored in a computer connected to the network via a network device.
A pre-registration step for pre-registering resources to be monitored and resources to be excluded from monitoring in the computer;
When the usage status of the monitored resources is monitored regularly, and when the resource usage increases rapidly, it is determined that the virus is infected, the network device is notified of a network shutdown request, and the virus infection is not determined Includes a virus monitoring step to notify normal use,
Is executed.

The present invention provides a program executed on a network device of a network for virus isolation. This program is stored in the computer of the network device that connects the information processing device to the network.
A first blocking step of blocking a network connection of an information processing apparatus as a transmission source when receiving a virus infection notification based on a rapid increase in resource usage from the information processing apparatus;
A second blocking step of periodically receiving a resource normal use notification from the information processing apparatus and determining that the virus is infected and blocking the network connection of the corresponding information processing apparatus when the periodic normal use notification is cut off When,
Is executed.

The details of the virus isolation method and program in the present invention are basically the same as those of the virus isolation system.

  According to the present invention, since the occurrence of a virus is detected based on a sudden change in resource usage in a computer or server, which is a virus damage symptom, rather than collation based on an existing virus pattern, Appropriate responses can be made.

  In addition, when a virus is detected, the connection of the infected personal computer or server is blocked by the network device, and the virus spreads from the infected device to other devices via a network such as a LAN, and the entire network system functions. It is possible to reliably prevent a situation where the vehicle is stopped.

  In the present invention, since the occurrence of a virus is determined based on a rapid change in resources, a process that may be mistaken for a virus may be included in a general process. In response to this, by performing registration processing that excludes resources that are mistakenly recognized as possible due to pre-registration from the monitoring target, only rapid changes in resources due to the occurrence of viruses can be determined to ensure virus infection. Can be detected.

  In addition, when a virus is not detected by periodic virus monitoring processing in an information processing device such as a personal computer, a normal use notification is sent to the network device, and the information processing device becomes inoperable due to virus infection. Since it will no longer be possible to receive regular normal use notifications, the network device can recognize this and reliably identify the information processing device to be monitored that has become unable to operate due to a virus and shut it off from the network. .

Furthermore, by specifying in advance the combination conditions of the resources to be monitored according to the characteristics of the virus, for example, only viruses that have a large external impact via the network can be selected and isolated by blocking from the network it can.

  FIG. 1 is an explanatory diagram of a network configuration to which the virus isolation process of the present invention is applied. In FIG. 1, personal computers 10-1 to 10-6 and a server 12 used as information processing apparatuses are connected to a network such as a LAN 14 by network apparatuses 16-1 to 16-3.

  Network switches and routers are used as the network devices 16-1 to 16-3. In this example, the personal computers 10-1 to 10-4 are connected to the network device 16-1, the personal computer 10-5 is connected to the network device 16-2, and the personal computer 10-6 is connected to the network device 16-3. A server 12 is connected. Of course, the LAN 14 is connected to the external Internet via a system (not shown).

  FIG. 2 is a block diagram showing a functional configuration for virus isolation processing of the present invention provided in the personal computer and network device of FIG. In this example, personal computers 10-1 to 10-3 connected to the network device 16-1 are taken as an example. As representatively shown for the personal computer 10-1, there are a virus monitoring unit 18 and a pre-registration unit. 28, a monitoring condition definition file 30, and a measurement data file 32 are provided.

  The personal computer 10-1 includes a resource 20 based on its hardware configuration. In the virus isolation processing of the present invention, the personal computer resource 20 is divided into a network resource 22, a CPU resource 24, and an input / output resource ( (I / O resource) 26 is divided into three resources for monitoring.

  On the other hand, the network device 16-1 that connects the personal computer 10-1 to the LAN 14 is provided with a blocking unit 34 and a virus determination unit 36. The virus monitoring unit 18 provided in the personal computer 10-1 monitors the usage status of the resource 20, determines that the virus has been infected when the usage of the resource is rapidly increased, and alerts the network device 16-1 to a virus occurrence. To be notified.

  When receiving a virus infection notification from the virus monitoring unit 18 of the personal computer 10-1, the blocking unit 34 provided in the network device 16-1 blocks the personal computer 10-1 serving as a notification source from the LAN 14.

  In this embodiment, the virus monitoring unit 18 divides the resource 20 into three, that is, a network resource 22, a CPU resource 24, and an input / output resource 26, and monitors the resource usage state, and suddenly uses at least one of them. When the amount increases, it is determined that there is a virus infection, and a virus infection warning notification is transmitted to the network device 16-1.

  The monitoring of the network resource 22 by the virus monitoring unit 18 monitors the data transfer amount per unit time, determines that an abnormality occurs when the data transfer amount exceeds a predetermined threshold, and the abnormality is determined for a predetermined time determined by the monitoring cycle. When it is continued, it is determined that the virus is infected, and a virus infection warning is transmitted to the network device 16-1.

  The virus monitoring unit 18 monitors the CPU load (%) for the CPU resource 24, and determines that the virus is infected when the CPU load exceeds a predetermined threshold and continues for a predetermined time determined by a monitoring cycle. Then, a virus infection warning notification is transmitted to the network device 16-1.

  Furthermore, the virus monitoring unit 18 monitors the number of inputs / outputs as a load per unit time of the input / output resource 26. When the number of inputs / outputs exceeds a predetermined threshold and continues for a certain time determined by the monitoring cycle, the virus monitoring unit 18 It is determined that there is an infection, and a virus infection warning is notified to the network device 16-1.

  The virus warning notification from the virus monitoring unit 18 to the network device 16-1 may be sent by the blocking unit 34 to send a control command of the network device 16-1 for blocking the connection of the port to the personal computer LAN or a specific message. , The message may be decoded on the network device 16-1 side, and a control command for shutting off the port connection may be executed.

  Here, the virus monitoring unit 18 executes a monitoring process for determining the usage status of the resource 20 at a predetermined monitoring period, for example, at intervals of 3 seconds. When the virus infection is not determined, the network device 16- 1 is notified.

  The virus determination unit 36 of the network device 16-1 receives a regular use notification from the personal computer 10-1, and resets and starts a timer provided for each personal computer.

  If the personal computer 10-1 becomes inoperable due to virus infection and cannot send a regular normal use notification, the virus determination unit 36 will send a regular normal use notification based on the timeout due to the elapse of the set time of the timer. Assuming that the disconnected personal computer 10-1 is infected with a virus and cannot operate normally, a virus infection warning notification is sent to the blocking unit 34, and the personal computer 10-1 is blocked from the LAN 14.

  Further, the pre-registration unit 28 provided in the personal computer 10-1 registers in advance the resources to be monitored by the personal computer 10-1 and the resources to be excluded from the virus monitoring targets. This is created as a monitoring condition definition file 30.

  For this reason, the virus monitoring unit 18 executes virus monitoring processing for each resource of the resource 20 in accordance with the definition information of the monitoring condition definition file 30 set by the pre-registration unit 28.

  Such a virus monitoring function of the present invention in the personal computer 10-1 is also provided in the other personal computers 10-2 to 10-6 and the server 12 in FIG.

  The personal computers 10-1 to 10-6 and the server 12 in FIG. 1 are realized by hardware resources of a computer as shown in FIG. 3, for example.

  In the computer of FIG. 3, the bus 101 of the CPU 100 includes a RAM 102, a hard disk controller (software) 104, a floppy disk driver (software) 110, a CD-ROM driver (software) 114, a mouse controller 118, a keyboard controller 122, a display controller 126, A communication board 130 is connected.

  The hard disk controller 104 is connected to the hard disk drive 106 and is loaded with a program for executing the virus monitoring process of the present invention. A necessary program is called from the hard disk drive 106 when the computer is started, and is loaded on the RAM 102. Execute.

  A floppy disk drive (hardware) 112 is connected to the floppy disk driver 110 and can read and write to the floppy disk (R). A CD drive (hardware) 116 is connected to the CD-ROM driver 114, and data and programs stored on the CD can be read.

  The mouse controller 118 transmits an input operation of the mouse 120 to the CPU 100. The keyboard controller 122 transmits the input operation of the keyboard 124 to the CPU 100. The display controller 126 performs display on the display unit 128. The communication board 130 uses a communication line 132 including radio and communicates with a device in the network or an external device on the Internet via the LAN 14.

  FIG. 4 is an explanatory diagram of the monitoring condition definition file 30 provided in the personal computer 10-1 of FIG. In FIG. 4, the monitoring condition definition file 30 is divided into three as a monitoring target: a network resource, a CPU resource, and an I / O resource. For the network resource, port number 25 is set as the monitoring target port as shown in the setting example as the monitoring item “monitoring port”.

The TCP-IP port with port number 25 is a mail address use port. For the mail port number 25 set as the monitoring port, (1) measurement unit time is set as the monitoring item, and the unit time for measuring the network transfer amount X is set, for example, 1 second.
(2) An abnormality determination threshold value.
Network transfer per unit time.
(3) Number of times of warning determination threshold value The threshold number of times Cth1 for setting the number of times of network transfer X exceeding the abnormality determination threshold value Xth in the monitoring cycle as a warning target is set, for example, Cth1 = 3 times.
(4) Monitoring cycle A time interval for executing the monitoring process is set. For example, 3 seconds is set as the monitoring cycle.

  Following such setting items to be monitored, in this example, it is possible to set three monitoring excluded ports. As shown in the setting example, the telnet port with port number 23 and the ftp port with port number 21 are monitored. It is an excluded port.

As for the next CPU resource, as in the case of port number 25 to be monitored by the network resource,
(1) Measurement unit time The unit time for measuring the CPU load Y (%) is set. For example, 1 second is set.
(2) Abnormality determination threshold value A threshold value Yth (%) for determining that the CPU load Y (%) per unit time is abnormal is set. For example, a threshold Yth = 90% is set.
(3) Number of times of warning determination threshold The threshold number of times Cth2 is set to determine how many times the CPU load Yth exceeding the abnormality determination threshold Yth in the monitoring cycle is to be a warning target. For example, the threshold number Cth2 = 3 is set.
(4) Monitoring period This is a time interval setting for executing the monitoring process, for example, 3 seconds.

The following four monitoring items are also set for the next I / O resource.
(1) Measurement unit time The unit time for measuring the I / O load Z (number of inputs and outputs) is set to 1 second, for example.
(2) Abnormality determination threshold A threshold Zth for determining that the I / O load Z per unit time is abnormal is set. For example, the threshold value Zth = 200 times is set.
(3) Number of times of warning determination threshold The threshold number of times Cth3 is set to determine how many times the I / O load exceeding the abnormality determination threshold Zth is continued in the monitoring cycle. In this example, Cth3 = 3 times.
(4) Monitoring cycle This is to set the time interval for executing the monitoring process, for example, 3 seconds.

  FIG. 5 is an explanatory diagram of the measurement data file 32 provided in the personal computer 10-1 of FIG. The measurement data file 32 has three network resources, a CPU resource and an I / O resource as monitoring targets, and each has an acquisition time and measurement data contents.

  The contents of the measurement data file 32 are performed according to the settings of the monitoring condition definition file 30 in FIG. That is, for the network resource, the network transfer amount X (Mbps) per unit time of port number 25 is measured and stored at intervals of 3 seconds set as the monitoring cycle. The port number 25 to be monitored is shown on the left side of the numerical value of the network transfer amount.

  As for the CPU resource, the CPU load Y (%) value created every 3 seconds of the monitoring cycle is stored. Further, for the I / O resource, an I / O load Z (times / s) per second, which is also measured at a monitoring period of 3 seconds, is stored.

  FIG. 6 is an explanatory diagram of the resource usage status determination table 38 in which the determination result about the sudden increase in the usage amount is stored from the measurement data contents of the measurement data file 32 of FIG.

  The resource usage status determination table 38 measures the network resource, the CPU resource, and the I / O resource to be monitored in FIG. 5 using the abnormality determination threshold values Xth, Yth, and Zth set in the monitoring condition definition file 30 in FIG. The determination result by comparison with the measurement data content of the data file 32 is registered.

  For example, taking a network resource as an example, in FIG. 5, the measurement results exceeding the abnormality determination threshold value Xth = 4.0 Mbps per unit time are continuous for four periods. Therefore, “4 times” is stored in the abnormality counter of the resource usage status determination table 38 as the value of the abnormality determination result counter with the abnormality determination threshold Xth = 4.0 Mbps, that is, the value of the abnormality counter.

  Assuming that the value of the abnormality counter is C1, the resource status flag indicates that the resource count flag is set to resource count when the counter count C = 4 exceeds the warning determination threshold count Cth1 = 3 set in the monitoring condition definition file 30 of FIG. Sets an abnormal flag as a status flag.

  In the next CPU resource, from the measurement data contents of the measurement data file 32 in FIG. 5, the measurement result exceeding the abnormality determination threshold Yth = 90% is one time, and this becomes the counter value C2 of the abnormality counter, which is abnormal. Since the counter value C2 is less than the warning determination threshold number Cth2 set in the monitoring condition definition file 30 of FIG. 4, the normal flag is set as the resource state flag.

  In the next I / O resource, the measurement data contents in the measurement data file 32 of FIG. 5 are all less than the abnormality determination threshold Zth = 200 times / s set in the monitoring condition data file 30 of FIG. Since the abnormality counter value C3 of C3 = 0 times, of course, the warning determination threshold number Cth3 = 3 times has not been reached, and the normal flag is registered as the resource state flag.

  For this reason, at the time of the monitoring time “2003.01.101.00:12” in the measurement data file 32 of FIG. 5, the abnormality flag of the resource usage status determination table 38 of FIG. 6 is set. It is determined that a virus infection has occurred in the network resource, a virus occurrence warning is notified to the network device 16-1, and the connection with the network is cut off.

FIG. 7 is a flowchart of the basic process of the virus monitoring process in the personal computer of the present invention, and comprises the following processing procedure.

Step S1: As shown in the registered contents of the monitoring condition definition file 30 as shown in FIG. 4, the resource to be monitored and the resource to be excluded from the monitoring target are registered, and the unit of measurement and abnormality determination are made for the resource to be monitored. Pre-register conditions such as threshold, number of warning judgment thresholds, and monitoring cycle.
Step S2: It is determined whether or not the monitoring period set in the monitoring condition definition file 30 has been reached.
Step S3: Measure the monitoring parameters of the resource to be monitored, for example, the network transfer amount if it is a network resource, the CPU load if it is a CPU resource, and the number of inputs / outputs per unit time if it is an I / O resource.
Step S4: It is determined whether or not there is a sudden change in resources. If there is a sudden change, the process proceeds to step S5, and if not, the process proceeds to step S7.
Step S5: It is determined whether or not a rapid change in resources continues. If it is continued, the process proceeds to step S6, and if not continued, the process proceeds to step S7.
Step S6: This is a case where a sudden change in resources is determined and continued, and a virus occurrence warning is notified to the network device connected to the network.
Step S7: This is a case where there is no sudden change in the resource, and the normal use of the resource is notified to the network device connected to the network.

8 and 9 are flowcharts showing the detailed processing procedure of the virus monitoring process according to the present invention. The contents of this flowchart are installed in the personal computers 10-1 to 10-6 and the server 12 shown in FIG. As a virus monitoring program. The details of the virus monitoring process are performed according to the following processing procedure.

Step S1: The monitoring conditions are pre-registered as in the monitoring condition definition file 30 of FIG.
Step S2: It is determined whether or not the monitoring period is reached, and if the monitoring period is reached, the process proceeds to step S3.
Step S3: Measure resource monitoring parameters.
Step S4: An abnormality determination of the network transfer amount X in the network resource is performed. That is, it is determined whether or not the network transfer amount X is equal to or greater than the abnormality determination threshold value Xth, and if so, the process proceeds to step S5, and if less than Xth, the process proceeds to step S8.
Step S5: The abnormality counter C1 provided for the network resource is incremented by one.
Step S6: Determine abnormal continuation. That is, it is determined whether or not the value C1 of the abnormality counter is greater than or equal to the warning determination threshold number Cth1. If it is greater than or equal to the warning determination threshold number Cth1, the process proceeds to step S7, and if not, the process proceeds to step S8.
Step S7: Abnormally set the resource status flag of the network resource.
Step S8: A measurement result of the CPU load Y is acquired.
Step S9: An abnormality determination of the CPU load Y (%) is performed. That is, it is determined whether or not the CPU load Y (%) is equal to or greater than the abnormality determination threshold Yth (%). If it is equal to or greater than Yth, the process proceeds to step S10, and if not, the process proceeds to step S13 in FIG.
Step S10: Count up one abnormality counter C2 provided corresponding to the CPU resource.
Step S11: The value C2 of the abnormality counter is compared with the warning determination threshold number Cth2, and if it is greater than or equal to the warning determination threshold number Cth2, the process proceeds to step S12, and if less than Cth, the process proceeds to step S13 in FIG.
Step S12: Set the resource status flag of the CPU resource to the abnormality flag.
Step S13: The measurement result of the input / output load Z is acquired.
Step S14: It is determined whether or not the input / output load Z is equal to or greater than the abnormality determination threshold Zth. If it is equal to or greater than Zth, the process proceeds to step S15; otherwise, the process proceeds to step S18.
Step S15: The value of the abnormality counter C3 corresponding to the input / output resource is incremented by one.
Step S16: It is determined whether or not the value C3 of the abnormality counter is greater than or equal to the warning determination threshold number Cth3.
Step S17: The resource status flag of the input / output resource is set to an abnormality flag.
Step S18: In the process up to step S17, it is determined whether or not there is an abnormality flag in the resource status flag. If there is an abnormality flag, the process proceeds to step S19.
Step S19: A virus warning is notified to the network device connected to the network.
Step S20: Notify the normal use of the resource to the network device connected to the network.

FIG. 10 is a flowchart of the processing of the network device according to the present invention, and the content of this flowchart corresponds to the content of the program executed on the network device side. The processing procedure of this network device is as follows.

Step S1: The presence / absence of event reception is checked. If there is reception, the process proceeds to step S2.
Step S2: Recognize the transmission source of the received event.
Step S3: It is determined whether or not the received content is a resource normal use notification. If it is not a normal use notification, the process proceeds to step S4, and if so, the process proceeds to step S6.
Step S4: It is determined whether or not the received content is a virus occurrence warning notification. If so, the process proceeds to step S5, and if not, the process proceeds to step S7.
Step S5: Since this is a virus occurrence warning notification, a blocking process for disconnecting the transmission source from the network is performed.
Step S6: Since it is a notification of normal use of resources, the transmission source allocation timer is reset and started.
Step S7: It is determined whether any timer that has already started resetting has timed out. If there is, the process proceeds to step S8, and if not, the process returns to step S1.
Step S8: Since the transmission source of the allocation timer that has timed out cannot send the resource normal use notification periodically due to virus infection, it is determined that the transmission is a virus infection, and a blocking process for separating the transmission source from the network is executed.

  FIG. 11 is an explanatory diagram of a combination condition table 42 for monitoring a virus infection by combining a plurality of types of resources. That is, in the resource usage status determination table 38 of FIG. 6, when an abnormality is set in the resource status flag independently for each of the network resource, the CPU resource, and the I / O resource, a virus is immediately generated based on this. The network device is notified of the virus occurrence and shuts off from the network. However, in order to reliably determine the virus infection from the nature of the virus, if the virus infection is determined by a combination of different resources, the virus The accuracy of infection determination can be increased.

This is because some viruses distribute a large amount of mail and the hard disk drive is occupied by frequent file copying. For example, in order to determine the nature of such viruses, the resource combination shown in FIG. In the condition table 42,
(1) Network resource and CPU resource (2) CPU resource and I / O resource (3) Combination conditions such as network resource and I / O resource are set.

  Then, in the virus monitoring process for such two types of resources, when an abnormality flag is assigned to the resource state flag for both the combined resources, an abnormality is set in the combination resource state flag of the resource combination condition table 42, Notify the network device side of the virus occurrence warning and block it from the network.

FIG. 12 is a flowchart of the virus monitoring process following FIG. 8 according to the resource combination condition table of FIG. In FIG. 12, steps S13 to S18 are the same as those in FIG. 9, but the subsequent processing is unique processing according to the resource combination condition table 42 as follows.

Step S19: The warning resource combination condition is acquired from the resource combination condition table 42 of FIG.
Step S20: If there is an abnormality flag in all the resource status flags of the combination resource, the process proceeds to step S21, and if not, the process proceeds to step S22.
Step S21: Notifying a virus occurrence warning to the network device side.
Step S22: Notify the network device side of normal use of the resource.

  In the resource combination condition table 42 of FIG. 11, an abnormal counter is counted for each resource as shown in FIG. 6, and when the counter value exceeds the warning determination threshold number, the abnormal flag is displayed as the resource status flag. Based on this result, the resource combination condition is obtained, but when both measured values corresponding to the warning resource combination condition exceed the abnormality determination threshold, the abnormality counter is counted up, and the value of the abnormality counter When the number of times exceeds the warning determination threshold number, virus infection may be determined and notified to the network device side.

  The present invention is not limited to the above-described embodiments, and includes appropriate modifications that do not impair the objects and advantages thereof. The present invention is not limited by the numerical values shown in the above embodiments.

Here, the features of the present invention are enumerated as follows.
(Appendix)
(Appendix 1)
A virus monitoring unit provided in an information processing apparatus connected to a network via a network device, monitoring a resource usage state, and determining that a virus infection has occurred when a resource usage amount has increased rapidly;
Provided in the network device, and when receiving a notification from the virus monitoring unit, a blocking unit that blocks the information processing apparatus that is a notification source from the network;
A virus isolation system comprising: (1)

(Appendix 2)
In the virus isolation system according to attachment 1, the virus monitoring unit determines virus infection for each of a plurality of types of resources used in the information processing apparatus, and the usage amount of a plurality of resources corresponding to a predetermined combination is determined. A virus isolation system characterized by notifying that a virus infection has occurred when there is a rapid increase. (2)

(Appendix 3)
The virus isolation system according to appendix 1, wherein the virus monitoring unit pre-registers a resource to be monitored by the information processing apparatus and a resource to be excluded from the virus monitoring target. (3)

(Appendix 4)
A virus monitoring step of monitoring the resource usage status of the information processing device connected to the network via the network device, and determining that the virus has been infected and notifying the outside when the resource usage has rapidly increased;
When receiving a virus infection notification from the network device, a blocking step of blocking the information processing device that is the notification source from the network;
A virus isolation method comprising:

(Appendix 5)
To a computer connected to the network via a network device,
A pre-registration step for pre-registering a resource to be monitored and a resource to be excluded from the monitoring target in the computer;
Regularly monitor the usage status of the monitored resources. If the resource usage increases rapidly, it is determined that the virus is infected, and the network device is notified of a network disconnection request, and the virus infection is not determined. A virus monitoring step to notify normal use, and
A program characterized by having executed.

Explanatory diagram of a network configuration to which the present invention is applied The block diagram which showed the function structure for the virus isolation of this invention provided in the personal computer and network apparatus of FIG. Block diagram of computer hardware resources used in the personal computer of FIG. Explanatory drawing of the monitoring condition definition file provided in the personal computer of FIG. Explanatory drawing of the measurement data file provided in the personal computer of FIG. Explanatory drawing of the resource usage condition determination table determined from the measurement data of FIG. Flow chart of virus monitoring process in the present invention The flowchart which showed the detailed procedure of the virus monitoring process in this invention Flow chart of virus monitoring processing following FIG. Flowchart of network side processing in the present invention Explanatory drawing of combination condition table that monitors virus infection by combining multiple types of resources Flowchart of virus monitoring processing following FIG. 8 according to the resource combination condition of FIG.

Explanation of symbols

10-1 to 10-6: Personal computer 12: Server 14: LAN
16-1 to 16-3: Network device 18: Virus monitoring unit 20: Resource 22: Network resource 24: CPU resource 26: Input / output resource 28: Pre-registration unit 30: Monitoring condition definition file 32: Measurement data file 34: Blocking Unit 36: Virus determination unit 38: Resource usage status determination table 40: Resource combination condition table

Claims (3)

A virus monitoring unit provided in the information processing apparatus connected to the network via the network apparatus, for monitoring a resource usage state, and determining that a virus infection has occurred and notifying the outside when a resource usage amount has rapidly increased; ,
Provided in the network device, and when receiving a notification from the virus monitoring unit, a blocking unit that blocks the information processing apparatus that is a notification source from the network;
A virus isolation system characterized by comprising.
2. The virus isolation system according to claim 1, wherein the virus monitoring unit determines a virus infection for each of a plurality of types of resources used in the information processing apparatus, and uses a plurality of resources corresponding to a predetermined combination. Virus isolation system, characterized by notifying that a virus infection is detected when the number of viruses increases rapidly.
  2. The virus isolation system according to claim 1, wherein the virus monitoring unit pre-registers a resource to be monitored by the information processing apparatus and a resource to be excluded from the virus monitoring target.

Images