JP2009157911A - Communication restriction system, communication restriction device, communication restriction method, and communication restriction program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To effectively restrict transmission of a file similar to a specified file in communication by a peer-to-peer type file transfer protocol. <P>SOLUTION: A communication restriction device 100 includes: a block check means 101 for checking a file block of a file transmission PDU by referring to block information including a file ID, a block number of the file block, and checksum; a pattern retrieval means 102 for performing pattern retrieval of the file block of the file transmission PDU by referring to a gray list including a pattern and an appearance location of the pattern; a file decision means 103 for discriminating whether the file block of the file transmission PDU is similar to the specified file by referring to specified file features including the pattern included in the specified file and the appearance location of the pattern; and a request decision means 104 for processing a file request PDU by referring to a black list including the file ID. <P>COPYRIGHT: (C)2009,JPO&INPIT

Description

  The present invention relates to a communication restriction system, a communication restriction device, a communication restriction method, and a communication restriction program, and in particular, a communication restriction device that controls file transfer using a peer-to-peer file transfer protocol, a communication restriction method in the communication restriction device, and the communication restriction program The present invention relates to a communication restriction program that operates on a communication restriction device.

  The peer-to-peer (P2P) type file transfer protocol assumed by the present invention is a protocol having the following characteristics.

  Feature 1: A file request node that requests file transfer identifies a requested file by a file ID to the file providing node that provides the file, and a file request PDU (Protocol Data Unit: protocol data including the file ID). Request the desired file by sending (unit).

  Feature 2: File provision of a file provision node is performed by transmitting a requested file in units divided into one or more blocks. More specifically, this is performed by transmitting a file transmission PDU including one file block obtained by dividing a file and a block number indicating a configuration position in the file of the block to the file request node.

  Feature 3: File ID is globally unique. That is, the file request node can obtain a file block constituting a file having the same contents from the file transmission PDU for a file request PDU specifying the same file ID even if a request is made to a different file providing node.

  Winny is an example of P2P type file transfer software with such characteristics. Winny takes advantage of Feature 3 to send multiple file request PDUs to multiple file provider nodes when a file request node obtains a single file, and then transfer multiple parts of the file from multiple file provider nodes. A technique called download is available.

  In addition, the following features are commonly observed in a network that mediates PtoP communication using a P2P communication protocol from a node that communicates with such P2P type file transfer software.

  Feature 4: While being transferred to a plurality of nodes, the contents of the file may change due to human or node failure.

  As an apparatus for restricting the entire communication by such a P2P type file transfer protocol, there is a one-point wall (registered trademark) of Net Agent Corporation. Moreover, for example, the communication cutoff device described in Patent Document 1 can be cited.

JP 2003-111105 A

  However, a device that restricts all communications using the P2P file transfer protocol cannot selectively restrict only the transfer of specified files, and it also restricts other useful file transfers equally. There is. Therefore, a restriction device that restricts only the transmission of a designated file is desired. However, in order to realize this restriction device, there are the following problems.

  Problem 1: When the content of a file changes due to the phenomenon of feature 4 above, an information processing device that implements a restriction device recognizes that the file is similar to the specified file when the file is transferred difficult. In other words, even if the content of the information processing apparatus changes very little, the changed file is handled as another file.

  Problem 2: Also in the case of multiple downloads in which files are divided and sent from a plurality of file providing nodes, similarly, it is difficult for the information processing apparatus to recognize that the file is similar to the designated file.

  Problem 3: It is difficult to limit a file that has been found to be similar to the specified file before any file is transmitted.

  Problem 4: It is difficult to prevent useful file transfer from being restricted due to the influence of a malicious file providing node that creates a file transmission PDU.

  The present invention has been made in view of the above problems, and its main object is a communication restriction system and communication capable of effectively restricting transmission of a file similar to a specified file in communication using a peer-to-peer file transfer protocol. A restriction device, a communication restriction method, and a communication restriction program are provided.

  The communication restriction device of the present invention is a communication restriction device that is connected to a network and restricts peer-to-peer communication, and refers to block information including a file ID, a block number of a file block, and a checksum of the file block. Block check means for checking a file block of the file transmission PDU, pattern search means for pattern searching for a file block of the file transmission PDU with reference to a gray list including a character string pattern and an appearance position of the pattern, and A file determination means for determining whether a file block of the file transmission PDU is similar to the specified file with reference to a specified file characteristic including a pattern included in the specified file and an appearance position of the pattern, and a file ID Refer to the blacklist and process the file request PDU. And at least a request determination means for processing.

  A communication restriction system according to the present invention is a communication restriction system that is connected to a network and restricts peer-to-peer communication, and includes a PDU collection / separation unit that acquires PDUs that circulate in a network to be managed, and a session that specifies a communication session. A session restriction means for restricting communication of the communication session by designating information, a file block of the file transmission PDU obtained by the PDU collection and classification means, a file ID, a block number of the file block, and a checksum of the file block Block check means for checking by referring to block information including: pattern search means for searching for a file block of the file transmission PDU by referring to a gray list including a character string pattern and an appearance position of the pattern And the frame obtained by the PDU collection / sorting means. The file block of the file transmission PDU is determined by referring to the specified file characteristic including the pattern included in the specified file and the appearance position of the pattern, and the determination result is notified to the session restriction means. A file determination unit that determines whether to limit the file request PDU acquired by the PDU collection and classification unit with reference to a black list including a file ID, and notifies the session limitation unit of the determination result And at least.

  According to the communication restriction system, the communication restriction device, the communication restriction method, and the communication restriction program of the present invention, transmission of a file similar to a designated file can be effectively restricted in communication using a peer-to-peer file transfer protocol.

  There is a device that restricts all communications using the P2P type file transfer protocol used by a given PtoP file exchange software, but there is no device that effectively restricts the transfer of a specified file. In order to realize such a device, the above problems 1 to 4 must be solved.

  Therefore, in one embodiment of the present invention, a file transmission PDU is referred to a block that includes a file ID, a block number of a file block, and a checksum of the file block in a network that mediates communication using the peer-to-peer file transfer protocol. Included in the specified file, block check means for checking file blocks, pattern search means for pattern searching for file blocks of a file transmission PDU by referring to a gray list including a character string pattern and the appearance position of the pattern Refers to the specified file characteristics including the pattern to be displayed and the appearance position of the pattern, and refers to the file determination means for determining whether the file block of the file transmission PDU is similar to the specified file, and the black list including the file ID , Required to process the file request PDU A communication limiting device including at least a request determination unit.

  Then, the file determining means, when the ratio of the character string equivalent to the pattern included in the designated file feature appearing in the vicinity of the appearance position of the pattern in the file block included in the file transmission PDU is a predetermined value or more, It is determined that the file block is similar to the specified file, and a request is made to limit the session of the file transmission PDU, and control is performed to register the file ID of the file transmission PDU in the black list.

  Also, the pattern search means, when there is a character string equivalent to the pattern included in the gray list corresponding to the file ID of the file transmission PDU in the file block of the file transmission PDU, the pattern and the appearance position of the pattern To add to the greylist.

  Further, the block check means calculates the checksum of the file block of the file transmission PDU, and if the calculated checksum does not match the checksum of the block information, the file transmission PDU is regarded as a forged file. Control to delete the file ID of the transmission PDU from the black list.

  Further, the request determination unit performs control for requesting a session restriction of the file request PDU when the file ID of the file request PDU is included in the black list.

  Thereby, the said problems 1-4 can be solved, and transmission of the file similar to the designated file can be restrict | limited effectively in communication by peer to peer type file transfer software.

  The reason for the problem 1 is that the file determination means enumerates the designated file feature in the transferred file based on the designated file feature that is a set of pairs of the pattern characterizing the designated file and its appearance position. Since the transferred file is determined to be the specified file when it appears, the transferred file has changed except for the features listed in the specified file feature. This is because it can be recognized that the file is similar to the designated file.

  As for the problem 2, the pattern search means updates the gray list corresponding to the same file ID in the gray list storage means even when file transmission PDUs for sending the same file are input from different file providing nodes. This is because the file determination means that refers to the gray list can recognize a file similar to the designated file even during multiple download.

  As for the problem 3, a file that is found to be similar to the specified file is described in the black list stored in the black list storage unit by the file determination unit, and the file described in the black list When a file request PDU requesting a file with an ID is input, the request determination means requests the session restriction means to restrict the session of the PDU. In addition, it is impossible to make a file request, and it is possible to limit a file before it is transmitted.

  As for the problem 4, when the block check means calculates the checksum of the file block included in the file transmission PDU and does not match the checksum stored in the block information of the block information storage means Since the file transmission PDU is considered to be forged and the file ID of the file transmission PDU is deleted from the black list stored in the black list storage means, the file transmission PDU is affected by the malicious file providing node that forges the file transmission PDU. This is because useful file transfers are never restricted.

Next, another embodiment of the present invention will be described.
In the second embodiment of the present invention, a network that mediates communication using the peer-to-peer file transfer protocol is referred to block information including a file ID, a block number of a file block, and a checksum of the file block. Block check means for checking the file block of the transmission PDU, pattern search means for pattern searching for the file block of the file transmission PDU with reference to the gray list including the character string pattern and the appearance position of the pattern, and the specified file Refers to the specified file characteristics including the pattern included in the file and the appearance position of the pattern, and refers to the file determination means for determining whether the file block of the file transmission PDU is similar to the specified file, and the black list including the file ID Process the file request PDU A communication restriction device including at least a request determination unit is connected.

  Then, the file determination means, when the ratio of the character string equivalent to the pattern included in the designated file feature in the file block included in the file transmission PDU appears in the vicinity of the appearance position of the pattern is greater than or equal to a predetermined value, Judge that the file block is similar to the specified file, request the file transmission PDU session restriction, register the file ID of the file transmission PDU in the black list, and send it to another communication restriction device (communication restriction system) through the network. Control to notify that the file with file ID is similar to the specified file.

  Further, the file determination unit performs control for registering the file ID in the black list when notified from another communication restriction device (communication restriction system) that the file with the specific file ID is similar to the specified file. .

  Also, the pattern search means, when there is a character string equivalent to the pattern included in the gray list corresponding to the file ID of the file transmission PDU in the file block of the file transmission PDU, the pattern and the appearance position of the pattern To add to the greylist.

  Further, the block check means calculates the checksum of the file block of the file transmission PDU, and if the calculated checksum does not match the checksum of the block information, the file transmission PDU is regarded as a forged file. In addition to deleting the file ID of the transmission PDU from the black list, control is performed to notify another communication restriction device (communication restriction system) that the PDU has been created in the file with the file ID through the network.

  In addition, the block check means performs control to delete the file ID from the black list when notified from another communication restriction device (communication restriction system) that the PDU has been created with the file having the specific file ID. .

  Further, the request determination unit performs control for requesting a session restriction of the file request PDU when the file ID of the file request PDU is included in the black list.

  That is, the information described in the black list is shared with another communication restriction device (communication restriction system) that restricts peer-to-peer communication that can communicate with the communication restriction device via the network. Similarly, the block information may be shared between the communication restriction device and another communication restriction device (communication restriction system).

  Thus, the above problems 1 to 4 can be solved, and transmission of a file similar to a designated file can be effectively limited in communication by P2P file sharing software using a peer-to-peer file transfer protocol.

  In addition, in cooperation with other communication control systems, it is possible to more effectively restrict transmission of a file similar to the designated file.

  The reason for the problem 1 is that the file determination means enumerates the designated file feature in the transferred file based on the designated file feature that is a set of pairs of the pattern characterizing the designated file and its appearance position. Since the transferred file is determined to be the specified file when it appears, the transferred file has changed except for the features listed in the specified file feature. This is because it can be recognized that the file is similar to the designated file.

  As for the problem 2, the pattern search means updates the gray list corresponding to the same file ID in the gray list storage means even when file transmission PDUs for sending the same file are input from different file providing nodes. This is because the file determination means that refers to the gray list can recognize a file similar to the designated file even during multiple download.

  As for the problem 3, a file that is found to be similar to the designated file is described in the black list stored in the black list storage means by the file determination means, and other communication is performed through the network. The restriction device (communication restriction system) is notified that the file with the file ID is similar to the specified file, and the communication restriction device that has received the notification registers the file ID in the black list. When a file request PDU requesting a file with a file ID listed in the blacklist is input to the communication restriction device that has received the notification, the request determination means requests the session restriction means to restrict the session of the PDU. Therefore, a file that has been found to be a similar file cannot effectively be requested for a file, and can be restricted before any file is transmitted.

  As for the problem 4, when the block check means calculates the checksum of the file block included in the file transmission PDU and does not match the checksum stored in the block information of the block information storage means Since the file transmission PDU is considered to be forged and the file ID of the file transmission PDU is deleted from the black list stored in the black list storage means, the file transmission PDU is affected by the malicious file providing node that forges the file transmission PDU. This is because useful file transfers are never restricted.

Hereinafter, it will be described in detail with reference to the drawings.

  FIG. 1 is a block diagram showing the configuration of a communication restriction apparatus according to the present invention.

  The communication restriction apparatus 100 according to the present embodiment includes a block check unit 101 that checks a file block included in a file transmission PDU, a pattern search unit 102 that performs a pattern search for a file block, and whether the file is similar to a specified file. File determining means 103 for determining, request determining means 104 for determining and processing whether the file ID of the file request PDU is listed in the black list, block information storing means 106 for storing block information, and feature information of the designated file It comprises a gray list storage means 107 for storing a specified file feature and a gray list for each file ID, and a black list storage means 108 for storing a black list.

  The communication restriction device 100 receives the input of the PDU sorted from the PDU collection / sorting means 192 that collects and separates the file transmission PDU and the file request PDU from the communication data flowing through the network 191 and passes them to the communication restriction device 100, and also receives the communication session. When the session information for specifying the communication session is designated, the session information of the communication session to be restricted is output to the session restriction means 193 for restricting the communication of the communication session. Since the PDU collection / separation means 192 and the session restriction means 193 can be easily implemented by those skilled in the art, description thereof will be omitted. The peer-to-peer communication restriction system 190 is a system connected to a network 191 including a communication restriction device 100, a PDU collection / separation means 192, and a session restriction means 193.

  6, FIG. 7, FIG. 8, and FIG. 9 are diagrams showing data structures of block information, gray list, designated file feature, and black list, respectively.

  The block information 711 of this embodiment includes a file ID part including a file ID, a block number part including a block number indicating the position of the file block in the file, and a checksum part including a checksum. This is tabular data consisting of

  The gray list 721 and the specified file feature 731 of the present embodiment are obtained from a line including a pattern portion including a pattern that is a character string literal and an appearance position portion including an appearance position indicating a position where the pattern appears in the file. This is tabular data. The gray list storage means 107 stores a gray list corresponding to every file ID. The storage means stores one designated file feature and the same number of gray lists as the file ID.

  The black list 741 of the present embodiment includes a file ID part including a file ID and a deletion flag part including a deletion flag that qualifies whether or not the line is valid (in the case of a true value, invalid = not deleted). Data in a tabular format consisting of rows including

  10 and 11 are diagrams showing data structures of the file transmission PDU and the file request PDU, respectively.

  The file transmission PDU 610 of the present embodiment includes a session information unit 611 that includes session information that identifies a communication session, a file block unit 614 that includes a file block that is a part of the file, and a file ID of the file. File ID portion 612 and a block number portion 613 containing a block number indicating the position of the file block 614 in the file.

  The file request PDU 620 of this embodiment includes a session information unit 621 that includes session information that specifies a communication session, and a file ID unit 622 that includes a file ID that specifies a requested file.

  Next, the operation of the communication restriction device 100 configured as described above will be described.

  FIG. 2 is a flowchart for explaining the operation of the block check means 101 when a file transmission PDU is input to the communication restriction device 100 of this embodiment.

  When the file transmission PDU is input from the PDU collection and classification unit 192, the block check unit 101 first substitutes the file ID value included in the file ID unit 612 of the PDU for the variable F, and the block number of the PDU for the variable N. The block number value included in section 613 is substituted (step 201). Next, the checksum of the file block included in the file block unit 614 of the PDU is calculated, and the calculation result value is substituted for the variable S (step 202). In this checksum calculation process, the calculation result is calculated in the same format as the checksum value recorded in the block information.

  As a checksum calculation method, for example, CRC (Cyclic Redundancy Check), MD (Message Digest), SHA (Secure Hash Architecture), and other calculation methods generally used for checksum calculation can be used.

  Next, referring to the block information stored in the block information storage means 106, it is determined whether there is a row in which the file ID portion has the same value as the variable F and the block number portion has the same value as the variable N, If yes, go to Step 204, otherwise go to Step 205 (Step 203).

  When the processing proceeds to step 204, the value of the checksum portion of the row and the value of the variable S are compared for the row whose block number portion has the same value as the variable N in step 203. If not, the process proceeds to Step 206 (Step 204).

  When the process proceeds to step 205, the block information stored in the block information storage means 106 includes the file ID part as the value of the variable F, the block number part as the value of the variable N, and the checksum part as the value of the variable S. A new line is added (step 205), and the process proceeds to step 207.

  When the processing proceeds to step 207, the PDU is sent to the pattern search means 102 (step 207), and this processing operation is terminated.

When the process proceeds to step 206, the true value is set in the deletion flag part of the line where the file ID part of the black list stored in the black list storage means 108 is the same as the value of the variable F (step 206), and this operation is finished. To do.
In step 206, if there is no line in which the file ID portion of the black list stored in the black list storage means 108 is the same as the value of the variable F, the file ID portion is the value of the variable F, and the deletion flag portion is A new line that is a true value is added, and this operation is terminated.

  FIG. 3 is a flowchart for explaining the operation of the pattern search unit 102 when a file transmission PDU is sent to the pattern search unit 102 of this embodiment.

  When the file transmission PDU is input from the block check means 101, the pattern search means 102 first substitutes the file ID value included in the file ID part 612 of the PDU for the variable F, and the block number part of the PDU for the variable N. The block number value included in 613 is substituted (step 301).

  Next, the file block included in the file block portion 614 of the PDU is searched for whether there is an equivalent to the pattern included in the pattern portion of any row of the designated file feature stored in the gray list storage means 107. (Step 302).

  If an equivalent is found, the process proceeds to step 304; otherwise, the operation is terminated (step 303).

  When the process proceeds to step 304, the gray list of the file ID corresponding to the value of the variable F stored in the gray list storage means 107 is accessed, and the pattern part and the appearance position part of the gray list are equivalent to those in step 302. The pattern where the existence of the object is found and the position where the equivalent of the pattern appears in the file are additionally recorded as a new line (step 304).

  Next, the PDU is sent to the file determination means 103 (step 305), and this operation is terminated.

The operation in steps 301 to 305 will be described using a specific example. FIG. 12 shows an example of the contents of the file. The file ID of this file is “4452”, and the contents of block 8 which is one of the blocks constituting the file include “important customer name”. It is. Also, it is assumed that a file transmission PDU including the block 8 as a file block is sent to the pattern search unit 102 of the present embodiment.
The designated file feature stored in the gray list storage means 107 is the designated file feature 731 in FIG. 8, and the gray list corresponding to the file ID “4452” is the gray list 721 in FIG.
In the operation of the pattern search means 102 at this time, 4452 is substituted for the variable F and 8 is substituted for the variable N by the operation of step 301.

  Next, by the operation of step 302, the block 8 is searched for whether there is an equivalent pattern contained in the pattern portion of any row of the designated file feature stored in the gray list storage means 107.

  In this example, since there is a pattern of “important customer name” in block 8, it is found (matched), and the operation proceeds to step 304, corresponding to the file ID “4452” stored in the gray list storage means 107. For the gray list, that is, the gray list 721, the pattern portion is the pattern in which an equivalent is found in step 302, that is, “important customer name”, and the appearance position portion is the position where the equivalent of the pattern appears in the file. A new line (553378) is added, resulting in a gray list 751 in FIG.

  In this example, it is assumed that the file block length is fixed at 65536 bytes and the block number is 8. The position from the beginning of the file is 65536x8 bytes. Further, the position where the pattern “important customer name” appears in block 8 is found at the time of search, and it is found that it is the 29090th byte from the head of the block, so it is calculated as 65536 × 8 + 29090 = 553378.

  Next, by the operation of step 305, a file transmission PDU including block 8 as a file block is sent to the file determination unit 103, and the operation of the pattern search unit 102 ends.

  FIG. 4 is a flowchart for explaining the operation of the file determination unit 103 when a file transmission PDU is sent to the file determination unit 103 of this embodiment.

  When the file transmission PDU is input from the pattern search means 102, the file determination means 103 first substitutes the file ID value included in the file ID portion 612 of the PDU for the variable F (step 401).

  Next, the gray list stored in the gray list storage unit 107 and the corresponding file ID whose value is the value of the variable F is compared with the designated file feature stored in the gray list storage unit 107, and the number of lines equivalent in both is compared. Count (step 402).

  If the number of equivalent lines exceeds the specified value, or if it is greater than or equal to a specified percentage of the number of specified file feature lines, the file whose file ID is variable F is regarded as equivalent to the specified file, and step Proceed to 404, otherwise, end this operation (step 403).

  When the process proceeds to step 404, the session information in the session information unit 611 of the PDU is transmitted to the session restriction unit 193, and a restriction on the communication session specified by the session information is requested (step 404).

  Next, it is confirmed whether there is a row in which the file ID portion of the black list stored in the black list storage means 108 is the same as the value of the variable F. If there is a row, this operation is terminated. Proceed to 406 (step 405).

  When the process proceeds to step 406, a new line is added to the black list stored in the black list storage means 108 with the file ID part being the value of the variable F and the deletion flag part being a false value (step 406). Exit.

  The operation of step 402 will be supplemented with a specific example. The gray list whose corresponding file ID is the value of the variable F stored in the gray list storage unit 107 is the gray list 721 in FIG. 7, and the designated file feature stored in the gray list storage unit 107 is the designated file feature in FIG. When the number is 731, the number of lines that are the same for both is 2 (the line of top secret material, the line of xx Corporation).

  Further, the gray list whose corresponding file ID is the value of the variable F stored in the gray list storage unit 107 is the gray list 751 in FIG. 13, and the designated file feature stored in the gray list storage unit 107 is the designation in FIG. In the case of the file feature 731, the number of lines equivalent to both is also 2 (line of confidential material, line of xx corporation).

  However, if the slight difference in appearance position (553177 and 553378) is considered equivalent, the appearance position of the pattern “Important Customer Name” is equivalent, so the number of equivalent lines is 3 (the top secret material line, xx Corporation Line of important customer names).

  FIG. 5 is a flowchart for explaining the operation of the request determination unit 104 when a file request PDU is input to the communication restriction device 100 of this embodiment.

  When the file request PDU is input from the PDU collection / separation unit 192, the request determination unit 104 first substitutes the file ID value included in the file ID portion 622 of the PDU for the variable F (step 501).

  Next, it is checked whether there is a row in which the file ID portion of the black list stored in the black list storage means 108 is the same as the value of the variable F and the deletion flag portion is a false value. Proceed to 503, otherwise the operation ends (step 502).

  When the process proceeds to step 503, the session information of the session information unit 621 of the PDU is notified to the session restriction unit 193, and the restriction of the communication session specified by the session information is requested (step 503), and this operation is terminated. To do.

  As the communication restriction device 100 operates in this manner, the file determination unit 103 uses the specified file feature that is a set of pairs of patterns that characterize the specified file and their appearance positions to specify the specified file in the transferred file. When each of the patterns listed in the feature appears at a specific appearance position, the transferred file is determined to be a specified file, so even if the transfer file has other than the features listed in the specified file feature, It can be recognized that the file is similar to the specified file.

  Further, even when file transmission PDUs for transmitting the same file are input from different file providing nodes, the pattern search means 102 updates the gray list corresponding to the same file ID in the gray list storage means 107. The file determination unit 103 that determines whether the file is similar to the file specified by reference can recognize a file similar to the specified file even during multiple download.

  In addition, a file whose file ID is found to be similar to the specified file is described in the black list stored in the black list storage unit 108 by the file determination unit 103, and the file ID of the file ID described in the black list When a file request PDU requesting the PDU is input, the request determining unit 104 requests the session limiting unit 193 to limit the session of the PDU, so that the file that has been found to be similar to the specified file. Since, in effect, it becomes impossible to make a file request, it is possible to limit before a part of the file is transmitted.

  Further, the block check means 101 calculates the checksum of the file block included in the file transmission PDU, and if it does not match the checksum stored in the block information of the block information storage means 106, the file transmission PDU The file ID of the file transmission PDU is deleted from the black list stored in the black list storage unit 108 as if the file transmission PDU is forged. There is no restriction on transfer.

Next, another embodiment of the present invention will be described in detail with reference to the drawings.
FIG. 14 is a block diagram showing a communication restriction system including a communication restriction device according to the second embodiment of the present invention.

  The communication restriction systems 190a to 190d of this embodiment have the same configuration as the communication restriction system 190 of the first embodiment. However, each communication restriction device is connected to the network 194 and can communicate with each other. The networks 191a to 191d are connected to the upper network 195 and can communicate with each other. Note that a means for enabling a plurality of communication restriction devices to communicate with each other via the network 194 can be easily implemented by those skilled in the art, and a detailed description thereof will be omitted. Any network can be used as long as information for sharing information can be transmitted and received. The network 194 may be realized using the same network as 191a to 191d.

  The communication restriction devices 100a to 100d constituting the communication restriction systems 190a to 190d have the same configuration as that of the communication restriction device 100 of the first embodiment and perform the same operation except for some exceptions. An operation different from that of the first embodiment will be described.

  FIG. 15 is a flowchart for explaining the operation of the block check means 101 when a file transmission PDU is input to the communication restriction device of this embodiment. 2 is different from the operation described with reference to FIG. 2 in that step 208 is followed by step 208.

  In step 208, when a file in which a PDU is forged (data modification) is detected, the other communication restriction device is notified of the forged file. In other words, the control unit of the communication restriction device (for example, 100a) uses the block check unit to create a PDU for other communication restriction devices (for example, 100b to 100d) that can communicate via the network 194. The file ID (value) of the file block is transmitted together with the information to be notified (information relating to the update of the black list) (step 208).

  FIG. 16 shows the block check means 101 when the communication restriction device of this embodiment receives a notification (information) from another communication restriction device that a file ID has a designated value and that a PDU has been forged. It is a flowchart explaining operation | movement.

  When the notification is received, the communication restriction device uses the block check means 101 and first substitutes the file ID value designated by the notification for the variable F (step 210). Next, the processing operation of step 206 is executed, and this operation is terminated.

  FIG. 17 is a flowchart for explaining the operation of the file determination unit 103 when a file transmission PDU is sent to the file determination unit 103 of the present embodiment. The operation described with reference to FIG. 4 is different from the operation described in FIG.

  In step 407, when it is detected that the file whose file ID is the value of the variable F is equivalent to the designated file, it notifies the other communication restriction devices that it is equivalent. In other words, the control unit of the communication restriction device (for example, 100a) uses the file determination unit to make the PDU equivalent to other communication restriction devices (for example, 100b to 100d) that can communicate via the network 194. The file ID (value) of the file block is transmitted together with the information to be notified (information regarding the update of the black list) (step 407).

  FIG. 18 illustrates the operation of the file determination unit 103 when the communication restriction device of this embodiment receives a notification from another communication restriction device that a file having a specified file ID is equivalent to the designated file. It is a flowchart to do.

  When the notification (information) is received, the file determination unit 103 first substitutes the file ID value designated by the notification into the variable F (step 410). Next, it is confirmed whether there is a line in which the file ID portion of the black list stored in the black list storage means 108 is the same as the value of the variable F. Proceed to 406 (step 405).

  When the process proceeds to step 406, a new line in which the file ID part is the value of the variable F and the deletion flag part is false (value) is added to the black list stored in the black list storage unit 108 (step 406). This operation ends.

  As described above, when the file determining unit 103 adds a new line to the black list of the black list storage unit in one communication restriction device, the black list of the black list storage unit is also added to the other communication restriction device (communication restriction system). A new line with the same content is added.

  In addition, when the block check unit 101 deletes the blacklist row in the blacklist storage unit (invalidation: sets to true value) in one communication restriction device, the blacklist storage is also performed in the other communication restriction device (communication restriction system). Set to the same content of the blacklist of means. That is, the update of the black list is shared among a plurality of communication restriction devices. For this reason, if a similar file of a designated file is transferred and registered in the black list in a system that performs one peer-to-peer communication, the similar file is transferred for the first time in another system that performs peer-to-peer communication thereafter. Even in this case, since the file is already registered in the black list, it is practically impossible to make a file request, and it is possible to limit the similar file before it is partially transmitted.

That is, it becomes possible to share information described in the black list between communication restriction devices that can communicate.
Similarly, block information may be shared between communication restriction devices that can communicate.

  As described above, according to the present invention, it is possible to effectively limit transmission of a file similar to a designated file in communication using the peer-to-peer file transfer protocol.

  Note that the communication restriction device according to the present invention can be realized by an information processing device (computer) that implements various means using general software. Specifically, using a control unit, a storage unit such as a ROM, a RAM, etc., various input units, an output unit, a network interface unit, etc. that the communication restriction device has, based on a communication restriction program developed and used in the storage unit, A block check unit, a pattern search unit, a file determination unit, and a request determination unit are realized. That is, the communication restriction program causes the control unit to function as a block check unit, a pattern search unit, a file determination unit, and a request determination unit. Various table information (block information, gray list, specified file feature, black list) used for various means is also stored in the storage unit and used for arithmetic processing of the control unit. Note that the communication restriction program and various table information may be stored in an auxiliary storage device, a storage medium, or a network server and used in the information processing device to implement a communication restriction device.

  Various means may be realized using hardware, and when a part or all of the functions realized by the communication restriction program are replaced with hardware, it is possible to improve the processing capability.

  The present invention is not limited to the above-described embodiments, and can be appropriately changed without departing from the gist of the present invention.

  The present invention is not limited to peer-to-peer communication for file transfer, and can also be used for peer-to-peer communication that is not file transfer, such as voice communication.

It is a functional block diagram which shows the structure of the communication limiting apparatus which concerns on one Example of this invention. It is a flowchart explaining the operation | movement of a block check means when file transmission PDU is input into the communication restriction apparatus which concerns on one Example of this invention. It is a flowchart explaining operation | movement of a pattern search means when file transmission PDU is sent to the communication restriction apparatus which concerns on one Example of this invention. It is a flowchart explaining operation | movement of the file determination means when file transmission PDU is sent to the communication restriction apparatus which concerns on one Example of this invention. It is a flowchart explaining operation | movement of the request determination means when the file request PDU is input into the communication restriction apparatus based on one Example of this invention. It is a figure which shows the data structure of the block information which concerns on one Example of this invention. It is a figure which shows the data structure of the greylist which concerns on one Example of this invention. It is a figure which shows the data structure of the designation | designated file characteristic which concerns on one Example of this invention. It is a figure which shows the data structure of the black list which concerns on one Example of this invention. It is a figure which shows the data structure of the file transmission PDU which concerns on one Example of this invention. It is a figure which shows the data structure of the file request PDU which concerns on one Example of this invention. It is a figure which shows an example of the content of the file which concerns on one Example of this invention. FIG. 6 is a diagram illustrating a data structure of an updated gray list according to an embodiment of the present invention. It is a functional block diagram which shows the structure of the communication restriction | limiting system which concerns on another Example. It is a flowchart explaining the operation | movement of a block check means when file transmission PDU is input into the communication restriction apparatus which concerns on another Example. It is a flowchart explaining the operation | movement of a block check means when the communication restriction apparatus which concerns on another Example receives notification. It is a flowchart explaining operation | movement of the file determination means when file transmission PDU is sent to the communication restriction apparatus which concerns on another Example. It is a flowchart explaining operation | movement of the file determination means when the communication restriction apparatus which concerns on another Example receives notification.

Explanation of symbols

DESCRIPTION OF SYMBOLS 100 Communication restriction apparatus 101 Block check means 102 Pattern search means 103 File determination means 104 Request determination means 106 Block information storage means 107 Gray list storage means 108 Black list storage means 190 Communication restriction system 191 Network 192 PDU collection and classification means 193 Session restriction means 194 network 195 backbone network 610 file transmission PDU
611 Session information part 612 File ID part 613 Block number part 614 File block part 620 File request PDU
621 Session information part 622 File ID part 711 Block information 721 Gray list 731 Specified file feature 741 Black list

Claims (26)

A communication restriction device connected to a network and restricting peer-to-peer communication,
Block check means for checking a file block of a file transmission PDU (Protocol Data Unit) with reference to block information including a file ID, a block number of the file block, and a checksum of the file block;
Pattern search means for pattern searching the file block of the file transmission PDU with reference to a gray list including a character string pattern and the appearance position of the pattern,
A file determining means for determining whether a file block of the file transmission PDU is similar to a specified file with reference to a specified file characteristic including a pattern included in the specified file and an appearance position of the pattern;
A communication restriction device comprising at least request determination means for processing a file request PDU with reference to a black list including a file ID.   The block check means calculates a checksum of a file block of the file transmission PDU, and if the calculated checksum does not match the checksum of the block information corresponding to the file ID of the file transmission PDU, The communication restriction apparatus according to claim 1, wherein the transmission PDU is regarded as a forged product and the file ID of the file transmission PDU is deleted from the black list.   The pattern search means, when there is a character string equivalent to the pattern included in the gray list corresponding to the file ID of the file transmission PDU in the file block of the file transmission PDU, the pattern and the appearance of the pattern The communication restriction device according to claim 1, wherein a position is added to the greylist.   The file determination means, when the ratio of a character string equivalent to the pattern included in the designated file feature appearing in the vicinity of the appearance position of the pattern in the file block included in the file transmission PDU is a predetermined value or more, The file block of the file transmission PDU is judged to be similar to the specified file, a session restriction of the file transmission PDU is requested, and the file ID of the file transmission PDU is registered in the blacklist. The communication restriction device according to any one of the above.   5. The request determination unit requests a session restriction of the file request PDU when a file ID of the file request PDU is included in the black list. 6. Communication restriction device. The block check means includes
When the checksum of the file block of the file transmission PDU is calculated, the calculated checksum is compared with the checksum of the block information corresponding to the file ID of the file transmission PDU, and the comparison result does not match, Assuming that the file transmission PDU is forged, deleting the file ID of the file transmission PDU from the blacklist,
6. A communication restriction device that is communicable over a network and that restricts peer-to-peer communication is notified that a PDU has been produced by file transmission of the file ID. The communication restriction device according to any one of the above. 7. The block check unit according to claim 1, wherein the file ID is deleted from the black list when receiving the notification that a PDU has been created in the file transmission of the file ID. The communication restriction device according to any one of the above. The file determination means includes
When the ratio of the character string equivalent to the pattern included in the specified file feature to the file block included in the file transmission PDU is greater than or equal to a predetermined appearance position, the file block of the file transmission PDU is the specified block Judging that it is similar to a file, requesting a session restriction of the file transmission PDU, registering the file ID of the file transmission PDU in the blacklist,
8. The communication device according to claim 1, wherein communication is possible via a network, and notifies another communication restriction device that restricts peer-to-peer communication that the file with the file ID is similar to the designated file. The communication restriction device according to claim 1. The file determination unit, when receiving the notification that the file with the file ID is similar to the specified file, registers the file ID in the blacklist. The communication restriction device according to any one of 1 to 8. A communication restriction method for restricting peer-to-peer communication using an information processing apparatus connected to a network,
A first step of checking a file block of a file transmission PDU with reference to block information including a file ID, a block number of the file block, and a checksum of the file block;
A second step of searching for a file block of the file transmission PDU with reference to a gray list including a character string pattern and an appearance position of the pattern;
A third step of determining whether a file block of the file transmission PDU is similar to the specified file with reference to a specified file characteristic including a pattern included in the specified file and an appearance position of the pattern;
A communication restriction method comprising at least a fourth step of processing a file request PDU with reference to a black list including a file ID.   In the first step, a file block checksum of the file transmission PDU is calculated, and when the calculated checksum and the checksum of the block information corresponding to the file ID of the file transmission PDU do not match, the file The communication restriction method according to claim 10, wherein the transmission PDU is considered to be forged and the file ID of the file transmission PDU is deleted from the black list.   In the second step, when there is a character string equivalent to the pattern included in the gray list corresponding to the file ID of the file transmission PDU in the file block of the file transmission PDU, the pattern and the appearance of the pattern 12. The communication restriction method according to claim 10, wherein a position is added to the greylist.   In the third step, when the ratio of a character string equivalent to the pattern included in the designated file feature appearing in the vicinity of the appearance position of the pattern in the file block included in the file transmission PDU is greater than or equal to a predetermined value, the file transmission PDU 13. The file block is determined to be similar to the specified file, a session restriction of the file transmission PDU is requested, and the file ID of the file transmission PDU is registered in the black list. The communication restriction method according to any one of the above.   The said 4th step WHEREIN: When the file ID of the said file request PDU is contained in the said black list, the restriction | limiting of the session of the said file request PDU is requested. Communication restriction method. There is a communication restriction program for operating an information processing apparatus that is connected to a network and restricts peer-to-peer communication,
Information processing device
Block check means for checking a file block of a file transmission PDU with reference to block information including a file ID, a block number of the file block, and a checksum of the file block;
A pattern search means for pattern searching the file block of the file transmission PDU with reference to the gray list including the pattern of the character string and the appearance position of the pattern,
A file determination means for determining whether a file block of the file transmission PDU is similar to a specified file with reference to a specified file characteristic including a pattern included in the specified file and an appearance position of the pattern;
A communication restriction program that functions as a request determination unit that processes a file request PDU with reference to a black list including a file ID.   The block check means calculates a checksum of a file block of the file transmission PDU, and if the calculated checksum does not match the checksum of the block information corresponding to the file ID of the file transmission PDU, 16. The communication restriction program according to claim 15, wherein the transmission PDU is considered to be forged, and the file ID of the file transmission PDU is deleted from the black list.   When there is a character string equivalent to the pattern included in the gray list corresponding to the file ID of the file transmission PDU in the file block of the file transmission PDU, the pattern search means, and the appearance position of the pattern The communication restriction program according to claim 15 or 16, characterized by adding to the greylist.   The file determination means, when the ratio of a character string equivalent to the pattern included in the designated file feature appearing in the vicinity of the appearance position of the pattern in the file block included in the file transmission PDU is a predetermined value or more, The file block is determined to be similar to the designated file, and a request is made to limit the session of the file transmission PDU, and the file ID of the file transmission PDU is registered in the blacklist. The communication restriction program according to any one of the above.   19. The request determination unit requests a session restriction of the file request PDU when the file ID of the file request PDU is included in the black list. Communication restriction program. The block check means includes
When the checksum of the file block of the file transmission PDU is calculated, the calculated checksum is compared with the checksum of the block information corresponding to the file ID of the file transmission PDU, and the comparison result does not match, Assuming that the file transmission PDU is forged, deleting the file ID of the file transmission PDU from the blacklist,
20. The communication restriction device that is communicable via a network and restricts peer-to-peer communication is notified that a PDU has been produced by file transmission of the file ID. The communication restriction program according to any one of the above. 21. The block check unit according to claim 15, wherein the block check unit deletes the file ID from the black list when receiving the notification that a PDU has been forged in the file transmission of the file ID. The communication restriction program according to any one of the above. The file determination means includes
When the ratio of the character string equivalent to the pattern included in the specified file feature to the file block included in the file transmission PDU appears in the vicinity of the appearance position of the pattern is a predetermined value or more, the file block of the file transmission PDU is Judging that it is similar to a file, requesting a session restriction of the file transmission PDU, registering the file ID of the file transmission PDU in the blacklist,
The communication device according to any one of claims 15 to 21, wherein communication is possible via a network, and notifies other communication restriction devices that restrict peer-to-peer communication that the file with the file ID is similar to the designated file. The communication restriction program according to any one of the above. 23. The file determination unit according to claim 15, wherein the file determination unit registers the file ID in the black list when the notification that the file with the file ID is similar to the specified file is received. The communication restriction program according to any one of the above. A communication restriction system connected to a network and restricting peer-to-peer communication,
PDU collection and classification means for acquiring PDUs that circulate in the network to be managed;
Session restriction means for restricting communication of the communication session by designating session information for identifying the communication session;
Block check means for checking the file block of the file transmission PDU acquired by the PDU collection and classification means with reference to block information including a file ID, a block number of the file block, and a checksum of the file block;
Pattern search means for pattern searching the file block of the file transmission PDU with reference to a gray list including a character string pattern and the appearance position of the pattern,
Determine whether the file block of the file transmission PDU acquired by the PDU collection and classification means is similar to the specified file by referring to the specified file characteristics including the pattern included in the specified file and the appearance position of the pattern. File determination means for notifying the session restriction means of the result;
A request determination unit that determines whether or not to limit the file request PDU acquired by the PDU collection and classification unit with reference to a blacklist including a file ID, and notifies the session limitation unit of the determination result. A communication restriction system characterized by. The communication restriction system according to claim 24, wherein
A communication restriction system that shares information on a blacklist with another communication restriction system that is communicable via the network and restricts peer-to-peer communication. The communication restriction system according to claim 24 or 25,
A communication restriction system, which is capable of communicating via the network and shares block information with another communication restriction system that restricts peer-to-peer communication.

Images