JP2007266960A - Communication control apparatus, communication control program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To place a limit on only the communication, associated with an infection activity by an infected terminal, when an infected terminal is detected. <P>SOLUTION: After a communication control apparatus acquires the communication address of a network layer of the infected terminal 1 from a worm detector 35 and a management unit 36, when the worm interruption apparatus 2 receives a sender address of a received communication packet and the sender address is the IP address of the infected terminal 1; and when the communication control apparatus discriminates that information contained in the communication packet includes information that match preset security policy, the communication control apparatus stops the transfer of the communication packet to its destination. <P>COPYRIGHT: (C)2008,JPO&INPIT

Description

  The present invention relates to a communication control device and a communication control program for controlling communication of a terminal in order to prevent the infection from being spread to other terminals when it is detected that the terminal is infected with a worm. About.

  Conventionally, as virus detection technology, data that describes characteristic information called definition file for a known virus is prepared in advance, and a file that may be infected with a virus is pattern-matched with the definition file. It has been known. This definition file is a file that contains the characteristics of a computer virus-infected file or a worm program that repeats itself over the network, and is defined by anti-virus software (vaccine software) to detect computer viruses and worms. Each virus pattern recorded in the file is compared with the file to be inspected, and if a match with the pattern is found, it is determined that the file is infected with the virus.

Moreover, as a worm countermeasure which is a kind of conventionally known viruses, for example, those described in Non-Patent Document 1 below can be cited.
http://www.nttdata.co.jp/netcom/pdf/nc04_ss_03.pdf

  However, when it is detected that the terminal is infected with a worm, it is necessary to block or limit the communication of the infected terminal in order to prevent the spread of infection to other terminals in the network. At the same time, if all communication of the infected terminal is blocked, the work of the user of the infected terminal is hindered.

  In addition, when an infected terminal is detected, there is a technology that blocks / limits the communication of the infected terminal by a firewall, but a general firewall blocks / limits all packets that pass, High processing capacity is required.

  Therefore, the present invention has been proposed in view of the above-described circumstances, and when detecting an infected terminal, a communication control device and a communication control program capable of restricting only communication related to infection activity by the infected terminal The purpose is to provide.

  The present invention is a communication control device that controls communication of a communication terminal when the communication terminal connected to the network detects that the communication terminal is connected illegally by the unauthorized communication detection unit that detects unauthorized communication. In order to solve the above-described problem, the network layer address acquisition unit that acquires the communication address of the network layer of the communication terminal that performed the unauthorized communication from the unauthorized communication detection unit, and the source address of the received communication packet Is a network layer communication address acquired by the network layer address acquisition means, and the determination means for determining whether the information included in the communication packet includes information that matches a preset security policy And the determining means determines that the information included in the communication packet matches the security policy. The case, and a communication limiting means for stopping the transfer to the destination of the communication packet.

  In the present invention, when an unauthorized communication detection module for detecting unauthorized communication detects that a communication terminal connected to the network has performed unauthorized communication, a function for controlling communication of the communication terminal is implemented in a computer. In order to solve the above-described problem, a communication control program for acquiring a network layer address acquisition function for acquiring a communication address of a network layer of a communication terminal that has performed the unauthorized communication from the unauthorized communication detection module, and received When the transmission source address of the communication packet is a network layer communication address acquired by the network layer address acquisition function, the information included in the communication packet includes information that matches a preset security policy. Included in the communication packet by the determination function and the determination function Distribution is if it meets the security policy, thereby implementing the communication limiting and stopping the transfer to the destination of the communication packet to the computer.

  According to the communication control device and the communication control program according to the present invention, the transmission source address of the received communication packet is the communication address of the communication terminal that performed unauthorized communication, and the information included in the communication packet matches the security policy. In this case, since the transfer of the communication packet to the destination is stopped, when a communication terminal that performs unauthorized communication is detected, only communication related to infection activity by the communication terminal that performed unauthorized communication is restricted. Can do.

  Hereinafter, embodiments of the present invention will be described with reference to the drawings.

  As shown in FIG. 1, the present invention can intercept predetermined types of communication such as HTTP (HyperText Transfer Protocol) communication, POP3 (Post Office Protocol Version 3) communication, and SMTP (Simple Mail Transfer Protocol) communication by the communication terminal 1, As shown in FIG. 2, in a communication system in which a communication terminal 1 communicates with a server group 34 such as a mail server or web server outside a segment via a switch 31, a router 32, and a switch 33, the communication terminal 1 is infected with a worm. In contrast, the present invention is applied to the worm blocking device 2 that restricts communication of the infected communication terminal 1 (hereinafter referred to as the infected terminal 1). As shown in FIG. 1, the worm blocking device 2 is provided between the infected terminal 1 and the Web server 3, the POP3 server 4, and the SMTP server 5, and includes a Web server 3 that is a server group 34 of the infected terminal 1, Communication with the POP3 server 4 and the SMTP server 5 can be intercepted. Note that the worm blocking device 2 may be configured to be able to guide communication of the infected terminal 1 as will be described later, even if not all of the communication packets of the infected terminal 1 can be intercepted.

  In the communication system shown in FIG. 2, the worm blocking device 2 acquires the IP address, which is the network layer communication address of the infected terminal 1 that has performed the unauthorized communication, from the management device 36 and intercepts the communication. If the source address of the packet is the IP address of the infected terminal 1, it is determined whether the information included in the communication packet includes information that matches a preset security policy. In this case, communication restriction is performed to stop the transfer of the communication packet to the destination. The security policy includes the type of application, the destination, the type of file data, and the like, and parameters are set to expand the infection activity by the worm.

  For example, the worm blocking device 2 sets the type of application to stop communication as a security policy, and when the IP address of the infected terminal 1 is notified from the management device 36, the source address is the IP of the infected terminal 1. When the port number (identifier) that specifies the application type is detected from the information of the transport layer header included in the communication packet that is the address, and the application type is a preset application type, The transfer of the communication packet is stopped. Further, the worm blocking device 2 sets the destination of the communication packet as the security policy, that is, the communication partner of the infected terminal 1, and when the IP address of the infected terminal 1 is notified from the management device 36, the transmission destination address is set. When the destination IP address included in the communication packet that is the IP address of the infected terminal 1 is a preset IP address, the transfer of the communication packet is stopped. Furthermore, the worm blocking device 2 sets the type of file data for which communication is to be stopped as a security policy, and the file transmitted and received by the infected terminal 1 when the IP address of the infected terminal 1 is notified from the management device 36. When the data is preset file data, the transfer of the communication packet is stopped. As a result, the worm blocking device 2 restricts only predetermined communication among communication of the infected terminal 1.

  In this communication system, the worm operation of the infected terminal 1 includes port scan for the server group 34, transmission of an illegal packet to the server group 34, etc., transmission of an illegal mail including a virus as an attached file to other communication terminals. Can be mentioned.

  For example, the unauthorized communication data S1 transmitted from the infected terminal 1 is transmitted to the server group 34 via the switch 31, the router 32, and the switch 33 with the IP address of the server group 34 as the destination. Then, the worm detection device 35 acquires the communication data S2 obtained by copying the communication data S1 passing through the switch 33, and determines whether or not the copied communication data S2 is unauthorized communication data. The worm detection device 35 detects whether or not the infected terminal 1 is infected with the worm by detecting the specific behavior of the infected terminal 1 from the copied communication data S2. For example, when the communication data S2 including the MX record that receives the name service directly from the infected terminal 1 is detected, or when the communication data S2 including the destination that is not transmitted is detected if the communication terminal is not infected, The infected terminal 1 that has transmitted the communication data S2 is detected. Then, the worm detection device 35 acquires the IP address included in the communication data S2, and notifies the management device 36 of the worm detection report message S3 including the IP address of the infected terminal 1.

  Specifically, the worm detection device 35 acquires a port number that specifies the type of application data included in the communication data S2, and the port number indicates a name service application that converts a host name into a network layer address. In addition, when the application data of the communication data S2 includes data inquiring about the network layer address of the server group 34, the infected terminal 1 trying to access the server group 34 illegally can be detected. As another specific example, the worm detection device 35 sets a dummy setting in addition to the normal setting information in advance to the infected terminal 1 in order to detect that unauthorized communication data is distributed due to a computer virus. When information is stored and communication data is created and transmitted using dummy setting information by the operation of the worm, it can be determined that the infected terminal 1 is infected with the worm.

  The management device 36 is a server operated by a network administrator, receives the worm detection report message S3 from the worm detection device 35, accumulates the IP address of the infected terminal 1 included in the worm detection report message S3, and The worm blocking device 2 is notified. The management device 36 notifies the worm cutoff device 2 of a communication cutoff command S4 including the IP address of the infected terminal 1 in response to receiving the worm detection report message S3.

  As shown in FIG. 3, the worm blocking device 2 includes a basic software processing unit 11 and a communication restriction application processing unit 12 by installing basic software and a communication restriction application. ing.

  The basic software processing unit 11 includes a communication interface unit 21 connected to a network and a TCP (Transmission Control Protocol) / IP (Internet Protocol) communication control unit 22. When the communication interface unit 21 receives communication data from the network via the switch 31, the router 32, or the like, the basic software processing unit 11 performs communication restriction application processing according to the port number of the TCP header by the TCP / IP communication control unit 22. The communication data is passed to the unit 12. Further, when the application data is passed from the communication restriction application processing unit 12, the basic software processing unit 11 adds a TCP header and an IP header to the application data by the TCP / IP communication control unit 22, and the communication interface unit 21. To send to the network.

  The worm blocking device 2 is arranged to copy and intercept the communication data passing through the switch 31 in FIG. 2. When the communication data from the infected terminal 1 is intercepted, the communication data is received by the basic software processing unit 11. It can be received. Further, the TCP / IP communication control unit 22 passes the communication cutoff command S4 from the management device 36 of the external network to the communication restriction application processing unit 12.

  The communication restriction application processing unit 12 performs communication restriction that stops only communication that matches a preset security policy among the communication of the infected terminal 1. The communication restriction application processing unit 12 includes a communication restriction module 23, an infected terminal information receiving unit 24, a communication restriction policy information storage unit 25, and an infected terminal information list 26.

  When the basic software processing unit 11 receives the communication cutoff command S4 from the management device 36, the communication restriction application processing unit 12 receives the communication cutoff command S4 at the infected terminal information receiving unit 24. When receiving the communication cutoff command S4, the infected terminal information receiving unit 24 adds the IP address of the infected terminal 1 included in the communication cutoff command S4 to the infected terminal information list 26.

  The infected terminal information list 26 is list data stored in a storage medium, and is a list of IP addresses included in the communication cutoff command S4. The infected terminal information list 26 may also store correspondence between the IP address and MAC address of the infected terminal 1, mail address, time information, and the like for communication with the infected terminal 1.

  When the IP address of the infected terminal 1 is stored in the infected terminal information list 26 as described above, the communication restriction module 23 communicates with the IP address of the infected terminal 1 whose transmission source IP address matches the predetermined security policy. Monitor packets. When the communication restriction module 23 detects a communication packet whose source IP address is transmitted with the IP address of the infected terminal 1, the communication restriction module 23 determines whether the communication packet includes information that matches the security policy. . The security policy information is stored in advance in the communication restriction policy information storage unit 25 by a network administrator or the like.

  In the communication restriction policy information storage unit 25, as a security policy for stopping communication, a port number indicating the type of application for which transfer to the server group 34 is stopped, the IP address of the server group 34 serving as a core server, and the mail transmission time The deletion of the attached file and the type of file data are stored. The security policy information may include information on conditions that may be transferred to the server group 34 even if the transmission source IP address is the infected terminal 1, and may be information on the security policy that substantially stops communication. .

  Then, when the transmission source IP address of the communication packet from the basic software processing unit 11 is registered in the infected terminal information list 26, the communication restriction module 23 refers to the communication restriction policy information storage unit 25 and refers to the communication restriction module 23. It is determined whether or not the packet contains information that matches the security policy. If the communication packet includes information that matches the security policy, the communication restriction module 23 controls the basic software processing unit 11 so as not to transfer the communication packet. On the other hand, if the communication packet does not contain information that matches the security policy, the basic software processing unit 11 is controlled to transfer the communication packet. As a result, the communication restriction module 23 blocks only communication packets that increase infection from among communication packets in which the IP address of the infected terminal 1 is the source IP address.

  Thus, when the communication restriction application processing unit 12 detects the infected terminal 1, it can restrict only communication related to the infection activity by the infected terminal 1. Therefore, it is possible to avoid stopping the user's business completely without interrupting all communication at the same time when the terminal is infected. Further, it is possible to prevent the spread of the infection activity without requiring high processing capability without blocking / restricting all communication transmitted from the infected terminal 1.

  Further, when the communication of the infected terminal 1 after receiving the communication cutoff command S4 by the worm cutoff device 2 is guided to other than the server group 34, the communication restriction application processing unit 12 causes the infected terminal 1 to be a DNS (Domain Name System) server. A process for obtaining an IP address from the host name of the communication partner by accessing (not shown), and using the ICMP Redirect message in the ICMP (Internet Control Message Protocol) mechanism, the infected terminal 1 is optimal from the IP address of the communication partner. The communication packet of the infected terminal 1 is guided by either the process of acquiring the IP address of the router on the route or the process of acquiring the MAC address from the IP address of the communication partner using the ARP (Address Resolution Protocol) mechanism. To block unauthorized communication. That is, when a DNS inquiry is received from the infected terminal 1, the IP address of the worm blocking device 2 is returned as the IP address that the infected terminal 1 wants to know, and the worm blocking device is responded to the ICMP Redirect message from the infected terminal 1. 2 disguises that it is the gateway router of the optimum route, and returns an ARP reply including the MAC address of the worm blocking device 2 to the ARP request from the infected terminal 1. As a result, the worm blocking device 2 can guide a communication packet including information matching the predetermined security policy from the infected terminal 1 to itself.

  The above-described embodiment is an example of the present invention. For this reason, the present invention is not limited to the above-described embodiment, and various modifications can be made depending on the design and the like as long as the technical idea according to the present invention is not deviated from this embodiment. Of course, it is possible to change.

  That is, the above-described worm blocking device 2 has been shown to be connected to the switch 31, but not limited to this, as shown in FIG. 4, the switch 51, the bridge device 52, the router 53, and the horizontal device 54 are Even if a communication control program for implementing the same function as that of the worm blocking device 2 is installed, it is possible to exert an effect that only the communication related to the infection activity by the infected terminal 1 is stopped. In particular, a lateral device that is connected to a communication line that connects communication devices or a relay device such as a switch that relays communication data communicated between the communication devices, and monitors communication data that passes through the communication line or relay device. In the case where the worm blocking device 2 is configured, it is possible to reduce the cost of introducing into the system a function for stopping only the communication related to the infection activity of the communication terminal that performed unauthorized communication.

  In addition, the function of stopping only the communication related to the infection activity of the infected terminal 1 in the above-described embodiment can be applied to a home network in which household electrical appliance groups are connected to a network, an equipment network in which equipment groups are connected to a network, and the like. . For example, even when a home appliance that is connected to a home network and has a web function or a mail function as an application is infected with a worm, unauthorized communication by the home appliance can be prevented.

  Here, as a technology for constructing a home network, in addition to the ECHO network, an embedded network technology called EMIT (Embedded Micro Internetworking Technology) can be used. This embedded network technology has a function of incorporating EMIT middleware into a network device and connecting it to a network, and is called EMIT technology.

  More specifically, the worm blocking device 2, the management device 36 having the function of stopping only the communication related to the infection activity of the infected terminal 1 described above, and EMIT software that realizes the EMIT technology in network devices such as switches and routers A center server provided on the Internet with a communication terminal, a management device 36, and a worm blocking device 2 mounted with the EMIT software, and a user device for remotely controlling or monitoring the terminal, the relay device, and the horizontal device A communication connection is made via (not shown). This user device is, for example, an external terminal (not shown) such as a mobile phone, a PC (Personal Computer), a PDA (Personal Digital Assistant), or a PHS (Personal Handy phone System).

It is a block diagram which shows the structure of the communication system containing the worm | warm cutoff device to which this invention is applied. It is a block diagram which shows another example of a structure of the communication system containing the worm interruption device to which the present invention is applied. It is a block diagram which shows the internal structure of the worm | warm cutoff device to which this invention is applied. It is a figure for demonstrating the other form by which the worm | warm cutoff device to which this invention is applied is mounted.

Explanation of symbols

DESCRIPTION OF SYMBOLS 1 Infected terminal 2 Worm blocker 3 Web server 4 POP3 server 5 SMTP server 11 Basic software processing part 12 Communication restriction application processing part 21 Communication interface part 22 TCP / IP communication control part 23 Communication restriction module 24 Infected terminal information receiving part 25 Communication Restricted policy information storage unit 26 Infected terminal information list 31 switch 32 router 33 switch 34 server group 35 worm detection device 36 management device

Claims (6)

A communication control device that controls communication of the communication terminal when it is detected by the unauthorized communication detection means that detects unauthorized communication that the communication terminal connected to the network has performed unauthorized communication,
Network layer address acquisition means for acquiring the communication address of the network layer of the communication terminal that performed the unauthorized communication from the unauthorized communication detection means;
When the transmission source address of the received communication packet is the network layer communication address acquired by the network layer address acquisition unit, the information included in the communication packet includes information that matches a preset security policy. A determination means for determining whether it is included;
A communication control apparatus comprising: a communication restriction unit that stops transfer of a communication packet to a destination when the determination unit determines that information included in the communication packet matches a security policy.   The discriminating unit detects an identifier designating an application type from information of a transport layer header included in a communication packet whose communication address acquired by the network layer address acquiring unit is a source address. The communication control apparatus according to claim 1, wherein when the type is a preset application type, it is determined that the information included in the communication packet matches the security policy.   The discriminating means, when the destination information included in the communication packet whose source address is the communication address acquired by the network layer address acquiring means is a preset destination, the information included in the communication packet is security The communication control device according to claim 1, wherein the communication control device is determined to match the policy.   When the file data type included in the communication packet in which the communication address acquired by the network layer address acquisition unit is a source address is a preset file data type, the determination unit The communication control apparatus according to claim 1, wherein it is determined that the included information matches a security policy.   It is connected to a communication line connecting the communication terminals or a relay device that relays communication packets communicated between the communication terminals, and includes a side device that monitors communication packets passing through the communication line or the relay device. The communication control device according to any one of claims 1 to 4, wherein A communication control program that, when an unauthorized communication detection module that detects unauthorized communication detects that a communication terminal connected to the network has performed unauthorized communication, implements a function for controlling communication of the communication terminal on the computer. Because
A network layer address acquisition function for acquiring a network layer communication address of a communication terminal that has performed the unauthorized communication from the unauthorized communication detection module;
When the transmission source address of the received communication packet is the network layer communication address acquired by the network layer address acquisition function, the information included in the communication packet includes information that matches a preset security policy. A discriminating function to discriminate whether it is included;
A communication control program for causing a computer to implement a communication restriction function for stopping transfer of a communication packet to a destination when information included in the communication packet matches a security policy by the determination function.

Images