JP2016152549A - Gateway system - Google Patents

Abstract

PROBLEM TO BE SOLVED: To protect, when receiving a cyber attack, a server connected to an inner network, without intermediary of the determination and the operation of a system administrator, to enable packet reception from a specific sender.SOLUTION: A gateway system includes: a packet count device 5 which counts the number of packets input from an external part network 1 to a gateway device 4; a threshold table 6 in which a packet reception count in a predetermined time is registered as a threshold; a determination device 7 which determines to be a cyber attack or the like, when the number of packets counted by the packet count device 5 exceeds the threshold registered in the threshold table 6; and an exceptional person name registration table 8 in which the IP address of an exceptional person to whom an incoming packet is not filtered. When the determination device 7 determines to be a cyber attack or the like, the gateway device 4 transfers a packet transmitted from a person having an IP address, which is registered in the exceptional person name registration table 8, to an internal network 2 without filtering.SELECTED DRAWING: Figure 1

Description

  The present invention relates to a gateway system that connects an external network and an internal network.

  The gateway system connects an external network such as the Internet and an internal network such as an in-house network, and enables communication by mutually converting data having different protocols. The gateway system generally has a filtering function, a proxy function, a user authentication function, a protocol filtering function, and the like. Furthermore, security is improved by applying a firewall, an intrusion detection system (IDS), and an encryption technology for transmission / reception data.

  In the gateway system, it is important to protect devices and information assets connected to the internal network from cyber attacks and hacking from the external network. As a technique for that purpose, for example, techniques described in Patent Document 1 and Patent Document 2 are known. These technologies determine whether the gateway system has automatically received a cyberattack when it becomes a cyberattack or excessive reception state sent from an unspecified source in a short period of time. Protect your network.

JP 2004-274444 A JP-T-2006-504178

  According to the above prior art, it is possible to protect the internal network by automatically determining that the gateway system has received a cyber attack, but on the other hand, receiving a high priority packet with a very low probability of malicious communication. Will be eliminated. For this reason, protection of the server from cyber attacks may be delayed, and the received packet processing in the internal network may exceed the server's processing capacity, increasing the risk of server down. Further, in the conventional technology, when malicious transmissions are concentrated from a specific domain or sender, the system administrator is required to register the sender in the exclusion name registration table provided in the gateway system. is there. Such an operation is troublesome, and there is a problem that it is difficult for an ordinary user who has a low network management technology to respond immediately.

  An object of the present invention is to provide a gateway system that protects a server connected to an internal network without receiving a system administrator's judgment or operation and can receive a packet from a specific sender when receiving a cyber attack. It is to provide.

According to a preferred example, the gateway system according to the present invention is a gateway system that connects a first network and a second network via a gateway device.
A packet counting device that counts the number of packets input from the first network to the gateway device, a threshold table that registers the number of packet receptions during a predetermined time as a threshold, A judgment device that judges a cyber attack or an excessive reception state when the threshold value registered in the threshold value table is exceeded, and a special person name registration table that registers unique information of a special person who does not filter incoming packets;
When the determination device determines that the attack device is in a cyber attack or excessive reception state, the gateway device does not filter packets transmitted from a person having the specific information registered in the special person name registration table to the second network. It is configured as a gateway system characterized in that it controls to forward and transmit packets transmitted from persons other than the specific information registered in the special person name registration table.

According to another preferred example, the gateway system according to the present invention is a gateway system that connects the first network and the second network via a gateway device.
A packet counting device that counts the number of packets input from the first network to the gateway device, a threshold table that registers the number of packet receptions in a predetermined time as a threshold, and the number of packets counted by the packet counting device are: A judgment device that judges a cyber attack or an excessive reception state when the threshold value registered in the threshold value table is exceeded, and a remover name registration table that registers unique information of a special person that filters incoming packets;
When the determination device determines that the attack device is in a cyber attack or excessive reception state, the gateway device filters packets transmitted from a person having specific information registered in the excluder name registration table and forwards them to the second network. It is configured as a gateway system that controls so as not to.

  According to the present invention, when a cyber attack is received, it is possible to protect a server connected to the internal network without receiving the judgment or operation of a system administrator and to receive a packet from a specific sender.

It is a figure which shows the structural example of the gateway system in one Example (Example 1). It is a figure which shows the structural example of the frame of a packet. It is a figure which shows the structural example of a packet count table. It is a figure which shows the structural example of the threshold value table which judges whether it considers that it is a cyber attack. It is a figure which shows the structural example of ID table. It is a figure which shows the structural example of a special person name registration table. It is a figure which shows the structural example of the gateway system in Example 2. FIG. It is a figure which shows the structural example of an excluder name registration table. It is a figure which shows the structural example of the gateway system in Example 3. FIG. It is a figure which shows the structural example of the gateway system in Example 4. FIG.

  Hereinafter, preferred embodiments of the present invention will be described with reference to the drawings.

FIG. 1 shows a configuration example of a gateway system in a network system.
The gateway system 3 connects an external network (first network) 1 such as the Internet network to which the sender home device 18 is connected and an internal network (second network) 2 such as an in-house network. A mail server 10, a main server 11, and an internal server 12 are connected to the internal network 2. The sender home device 18 may be a device provided by an Internet service provider such as an ONU, or may be software on a personal computer.

  The gateway system 3 connects the external network 1 and the internal network 2 to convert a communication protocol and has a filtering function, and a packet counting device 5 that counts the number of packets input to the gateway device 4. A threshold table 6 for registering in advance the number of access times serving as a threshold for considering a cyber attack or an excessive reception state (hereinafter referred to as a cyber bar attack or the like) when a certain number of accesses are made, and a packet counting device 5 Based on the count value and the threshold value registered in the threshold value table 6, a determination device 7 that determines a cyber attack and the like, and a specific sender name that does not filter incoming packets even if the determination device 7 determines a cyber attack, etc. Special person name registration table 8 to be registered and permission The ID table 16 registering in advance the ID of the sender that is, the sender configured to include the packet count table 17 for registering a count of the number of packets per IP address (source), a. Each of the tables is formed in a storage unit (not shown) such as a memory included in the gateway system 3. The configuration of each table will be described later with reference to FIGS.

  In the gateway system 3, the packet counting device 5 counts the number of packets input to the gateway device 4. The count is performed for each combination of the IP address and the ID of the specific area of the packet. It may be counted for each domain name or for each sender.

The judging device 7 compares the count value of the packet counting device 5 that is sequentially added with the threshold value registered in the threshold value table 6 so that when a packet from a certain sender ID exceeds the threshold value, a cyber attack or the like The second network is protected from the cyber attack by determining and filtering the packet by the gateway device 4. On the other hand, a packet based on a combination of an IP address registered in the special person name registration table 8 and an ID embedded in a specific area passes through the gateway device 4 and is sent to the internal network 2.
The determination device 7 may be provided as an individual hardware device in configuration, or may be realized by software (program) installed in the gateway device 4.

  As shown in FIG. 3, the packet count table 17 stores the IP address acquired from the received packet and its corresponding ID in pairs according to the memory address. The count value stores the number of packets having the IP address and ID (cumulative value) counted by the packet counter 5.

  As shown in FIG. 4, the threshold table 6 sets the upper limit value of the number of receptions as a threshold for each IP address of a packet received (or possibly received) in a predetermined time. In addition to the threshold value, a measurement time for determining a cyber attack may be added.

  As shown in FIG. 5, the ID table 16 registers the IDs of packets that the gateway system 3 permits reception.

  As shown in FIG. 6A, the special person name registration table 17 sequentially registers the IP addresses of specific senders that are permitted to receive a packet according to the memory address even when the determination device 7 determines that it is a cyber attack. . As another example, as shown in FIG. 6B, the special person name registration table 17 may register the domain name or mail address of the specific sender.

FIG. 2 shows a configuration example of a packet frame.
There are two types of packets, IPv4 shown in (A) and IPv6 shown in (B). Since the frame format of each packet is defined, the position in the frame of the received packet regarding the bit where the IP address is written, the IPv4 option part, and the IPv6 extension header storage location is determined in advance. ing.

  A method for creating an IP address table for registering the number of received packets for each combination of an IP address and an ID of a specific area of the packet will be described. The bit in which the IP address is written is read, and the received IP address is registered in the IP address table. In the case of an IPv4 packet, the bit in which the ID is written is read and collated with the ID recorded in the ID table 16. As a result of the collation, if the packet has an ID registered in the ID table 16, the ID is registered in the packet count table 17 together with the IP address of the packet. On the other hand, if the ID of the received packet is not registered in the ID table 16, the IP address of the packet is registered in the packet count table as a packet having no ID. Here, the IP address table is a table formed in the storage unit of the gateway system 3, and for example, it may be understood that the ID in the ID table of FIG. 5 has been changed to the IP address.

Next, a method for counting the number of packets for each IP address will be described. Every time a packet is received, the number of receptions is added for each IP address in the IP address table, and the total number of packets received within a predetermined time is registered in the “count value” in association with the IP address for each memory address. To do. In the first and third embodiments, the total number of packets received within a predetermined time may be measured without counting the number of receptions for each IP address. In the second embodiment, the number of received packets is counted for each combination of source IP address and ID. In the fourth embodiment, the number of received packets is counted for each source IP address.
Note that this count value is cleared at predetermined time intervals for determining whether or not there is a cyber attack. In order to eliminate the occurrence of an error due to omission of count processing within the clear processing time, it is possible to cope with this by creating a plurality of IP address tables.

  According to the first embodiment, since it is possible to determine a cyber attack or the like without involving a system administrator's determination or operation, it is possible to deal with a cyber attack or the like in a short time, and a server in the internal network The possibility of going down can be reduced. In addition, even when filtering incoming receptions for cyber attacks, etc., IP addresses or domain names registered in the special person name registration table or packets from senders can be received normally. , Can reduce the decline in normal business functions. In addition, since a packet from a sender that is not in the ID table can be discarded as an unnecessary packet, an attack due to spoofing of the IP address can be prevented.

Example 2 will be described with reference to FIGS. 7 and 8.
The first embodiment is an example in which the specific person registered in the special person name registration table 8 is not filtered when it is determined as a cyber attack or the like. On the other hand, in the second embodiment, the gateway system 3 has an excluder name registration table 9 as shown in FIG. As shown in FIG. 8, the excluder name registration table 9 registers the IP address of the sender to be filtered, and the gateway device 4 uses the IP address registered in the excluder name registration table 9 as follows: Control to filter. Other configurations are the same as those in the first embodiment. Note that a domain name and a sender name may be registered in the excluder name registration table 9 in addition to the IP address.

  The determination device 7 compares the count value of the packet counting device 5 that is sequentially added with the threshold value registered in the threshold value table 6, and if a packet with the same IP address is received more than the threshold number of times within a predetermined time, the cyber attack The IP address or domain name or sender name is registered in the excluder name registration table.

  Then, the gateway device 4 performs control so that the received packet of the IP address registered in the excluder name registration table 9 is filtered and discarded (not transmitted) to the internal network 2. Specifically, the transmission source IP address in the reception packet frame (see FIG. 2) is compared with the IP address registered in the remover name registration table 9, and the reception packet when it matches is discarded. As another modification, when filtering by domain name, a received packet is discarded with a partial match of an arbitrary numerical value in the IP address registered in the excluder name registration table 9. In this way, by filtering the sender having the domain name, the number of cyber attacks can be reduced, and the deterioration of normal business functions can also be reduced.

  According to the second embodiment, the IP address or domain or sender such as junk mail can be automatically registered in the excluded person name registration table 9 without the judgment and operation of the system administrator. Even a general user who has no problem can easily use the gateway system 3 without any problem.

Embodiment 3 will be described with reference to FIG.
In the third embodiment, the gateway system 3 has a thinning rate table 13. Other configurations are the same as those in the first or second embodiment. The thinning rate table 13 sets a ratio (thinning rate) as to whether or not the number of packets received by the gateway device 4 may be transferred to the internal network 2 when it is determined that the attack is a cyber attack. (For convenience of explanation, both registration tables are depicted in FIG. 9, but since either the first or second embodiment is assumed, only one of them is sufficient.)
In the case of a cyber attack, the packet of a special person managed by the special person name registration table 8 is communicated to the internal network 2 (Example 1), or in the case of a cyber attack, It is assumed that the packet is discarded (Example 2). In addition, in the case of a cyber attack, the gateway device 4 performs control so that the received packet is thinned and transferred to the internal network 2 in accordance with the ratio registered in the thinning table 13.

  That is, when the determination device 7 determines that a cyber attack has been received, the amount of packets that pass through the gateway device 4 within a predetermined time is thinned with reference to the thinning rate table 13 and transferred to the internal network 2. For example, when “30%” is set in the thinning rate table, three packets are passed through the internal network 2 for every ten packets received within a predetermined time. As a result, the amount of packets that pass through the gateway device 4 can be limited to an amount that can be processed by the servers 10 to 12 connected to the internal network 2, so that server down can be avoided.

Example 4 will be described with reference to FIG.
In the fourth embodiment, on the premise of the gateway system 3 described in the first to third embodiments, a function for monitoring the reception status of packets is further added. In FIG. 10, the special person name registration table 8, the excluder name registration table 9, the thinning rate table 13, and the like in the first to third embodiments (FIGS. 1, 7, and 9) are omitted. .

  In FIG. 10, the packet counting device 5 counts the number of received packets for each destination IP address of the received packet frame (see FIG. 2), and the status monitoring device 14 monitors the reception status of the counted packets. The communication device 15 notifies the reception status to the user device of the corresponding destination IP address.

  When the determination device 7 determines that the count value of the number of received packets corresponding to the IP address counted by the packet counting device 5 exceeds the threshold value registered in the threshold value table 6 (excess reception state), a cyber attack, etc. The monitor device 14 monitors the situation, and the communication device 15 notifies the user device corresponding to the destination IP address of the received packet of an alarm about the reception status of the packet.

  According to the fourth embodiment, the number of received packets can be monitored for each destination IP address, and the cyber attack status for each user company (destination IP address) can be notified. In addition to the effects of the first to third embodiments, , User companies can take measures against cyber attacks as soon as possible.

The fifth embodiment is an example in which an internal network is protected by recognizing a cyber attack or the like by paying attention to the number of received mails having the same title.
On the premise of the gateway system 3 described in the first or second embodiment, the packet counting device 5 counts the number of received packets for each mail title of the received packet frame (see FIG. 2). In the threshold table, the number of receptions of packets including the same title within a predetermined time is set as a threshold. The determination device 7 determines a cyber attack or the like by comparing the number of received packets counted by the packet counter device 5 with the threshold values registered in the threshold value table 6.

When the determination device 7 determines that the attack is a cyber attack, the gateway device 4 filters the received packets other than the IP address or domain name or sender registered in the special person name registration table 8 and registers them in the special person name registration table 8. The IP address or domain name or the sender's packet is passed to the internal network 2.
In the case of a cyber attack in which the original mail is copied and the mail for attack is propagated, the common title is often included in the mail title, so this embodiment is effective as a protection means for the cyber attack.

  Although several embodiments have been described above, the present invention is not limited to the above embodiments, and can be implemented with various modifications or applications. In the above embodiment, the predetermined processing is performed when the determination device determines that the attack is a cyber attack. For example, as a modified example of the third embodiment, there is a case where an excessive amount of packets are received during a disaster such as a Christmas or New Year greeting mail other than a cyber attack. In such a case, the determination device can determine the excessive packet amount, apply the thinning rate set in the thinning rate table, and limit the amount of packets received thereafter. As a result, server overload in the internal network can be prevented and server down can be avoided.

1: External network 2: Internal network 3: Gateway system 4: Gateway device 5: Packet count device 6: Threshold table 7: Judgment device 8: Exclusion name registration table 9: Special name registration table 10: Mail server 11: Main Server 12: Internal server 13: Decimation rate table 14: Status monitoring device 15: Communication device 16: ID table 17: Packet count table 18: Sender's home device

Claims (5)

In a gateway system that connects a first network and a second network via a gateway device,
A packet counting device for counting the number of packets input from the first network to the gateway device;
A threshold table for registering the number of packet receptions in a predetermined time as a threshold;
A determination device that determines a cyber attack or an excessive reception state when the number of packets counted by the packet counting device exceeds the threshold value registered in the threshold value table;
A special person name registration table for registering specific information of a special person who does not filter incoming packets, and
When the determination device determines that the attack device is in a cyber attack or excessive reception state, the gateway device does not filter packets transmitted from a person having the specific information registered in the special person name registration table to the second network. A gateway system that controls to filter packets that are forwarded and transmitted from a person other than the specific information registered in the special person name registration table. In a gateway system that connects a first network and a second network via a gateway device,
A packet counting device for counting the number of packets input from the first network to the gateway device;
A threshold table for registering the number of packet receptions in a predetermined time as a threshold;
A determination device that determines a cyber attack or an excessive reception state when the number of packets counted by the packet counting device exceeds the threshold value registered in the threshold value table;
It has an excluder name registration table for registering specific information of a special person who filters incoming packets.
When the determination device determines that the attack device is in a cyber attack or excessive reception state, the gateway device filters packets transmitted from a person having specific information registered in the excluder name registration table and forwards them to the second network. A gateway system characterized by being controlled so as not to. And a thinning rate table for setting a ratio (thinning rate) of how many packets the gateway device can receive to the second network.
When the determination device determines that it is in a cyber attack or excessive reception state, the gateway device transfers packets corresponding to the thinning rate to the second network according to the thinning rate specified by the thinning rate table, and The gateway system according to claim 1 or 2, wherein packets that exceed the rate are controlled to be discarded. Furthermore, a status monitoring device that monitors the reception status of packets for each IP address as the specific information;
A communication device for notifying the user device corresponding to the destination IP address of the received packet of the reception status of the packet,
When the determination device determines that it is a cyber attack or an excessive reception state, the state monitoring device monitors the reception state of the packet,
4. The gateway system according to claim 1, wherein the communication device notifies the reception status of the packet to a user device corresponding to the destination IP address of the received packet. 5. The packet counting device counts the number of packets for each title of the packet,
The threshold table registers the number of receptions of packets containing the same title in a predetermined time as a threshold,
The determination device is characterized by determining a cyber attack or an excessive reception state by comparing the number of packets for each same title counted by the packet counter device with a threshold value registered in the threshold value table. 4. The gateway system according to any one of items 1 to 3.

Images