JP2020190968A - Communication control program - Google Patents

Abstract

To provide a technique that efficiently realizes communication to communication request destinations.SOLUTION: When a communication request is made to a purpose server DS by an application 300 (S301), if the application 300 is an application that uses a destination control unit 230, the communication request is passed over from an OS 200 to a program 100 (communication control unit 130 as a local proxy) (S205), and a determination about a destination is made (S101). At this time, if the purpose server DS is a permitted domain, the destination is determined to be the purpose server DS (S105); if it is an unpermitted domain, communication interruption is determined (S113); and if it is not any of the permitted domain/unpermitted domain, the destination is determined to be a filtering server 30 (S121). Thus, communication for the permitted domain and the unpermitted domain does not go through the filtering server 30, and communication is directly performed for the permitted domain whereas communication to the unpermitted domain is interrupted inside, so that communication can be performed efficiently.SELECTED DRAWING: Figure 6

Description

The present invention relates to a communication control program that controls a destination of a communication request to the outside generated inside a computer.

Mobile devices such as smartphones are extremely effective in that they can be easily carried and communicated from anywhere at any time via a network, and are now widely used in the business scene. However, on the Internet, there are servers that have no problem communicating with each other and servers that do not, and more specifically, there are servers that have content that can be viewed without problems and servers that do not. In the case of having employees use mobile devices, it is required to control the server that has a problem to communicate with the server that has a problem while promptly communicating with the server that has no problem.

Here, conventionally, a technique for filtering in a server that relays communication between a computer and a server (destination server) with which the computer communicates is known. For example, Patent Document 1 discloses a technique in which an access control server performs filtering to determine whether or not access from a computer to a destination server is permitted, and transmits the determined information to the computer. Further, in Patent Document 2, the proxy server first acquires the resource data constituting the page for which the communication request has been made from the destination server, determines whether or not the page contains the prohibited content, and includes the data. A technique for replacing resource data on a proxy server is disclosed so that other contents are displayed in the part corresponding to the prohibited browsing contents when it is determined that the contents are prohibited.

JP 2015-141609 Japanese Unexamined Patent Publication No. 2014-56612

According to the former prior art, it is considered that communication to the problematic server can be blocked according to the response result from the access control server. Further, according to the latter prior art, it is considered that the display of prohibited content can be blocked. However, all of these prior arts assume that all communication to the outside of the computer goes through a predetermined server, so even when communicating to a server that is clear that there is no problem, it goes through a predetermined server. I have to let you. Therefore, the communication efficiency is poor, and it takes an extra time from the time when the communication request is made until the page is finally displayed.

Therefore, an object of the present invention is to provide a technique for efficiently performing communication to a communication request destination.

In order to solve the above problems, the present invention provides the following communication control program. The wording in parentheses below is merely an example, and the present invention is not limited thereto.

That is, the communication control program of the present invention is a communication control program that controls the destination of the communication request to the outside generated inside the computer, and the communication from the computer is permitted for the domain of the destination of the communication request. It is determined based on the predetermined setting information whether it corresponds to one domain, the second domain where communication from the computer is prohibited, or the third domain which does not correspond to the first domain or the second domain. Depending on the judgment function and the result of the judgment, if the destination domain corresponds to the first domain, the destination is decided to be maintained, and if it corresponds to the second domain, the destination is decided inside the computer. In the case of 3 domains, the computer is provided with a determination function of determining the destination to a predetermined server existing outside the computer and a transmission function of transmitting a communication request to the determined destination.

By controlling the destination of the communication request to the outside of the computer in this way, when the destination domain corresponds to the first domain, it is directly directed to the specified destination without going through a predetermined server. Can be communicated. Further, when the destination domain corresponds to the second domain, the communication to the designated destination can be interrupted inside the computer without going through a predetermined server. Then, only when the destination domain does not correspond to the first domain or the second domain, it is possible to perform communication via a predetermined server existing outside the computer.

Therefore, according to the communication control program, it is possible to minimize the number of communication requests generated inside the computer that pass through a predetermined server, and efficiently perform communication to a specified destination. .. As a result, it is possible to improve the communication efficiency and shorten the response time required from the occurrence of the communication request to the final return of the response result to the computer.

Preferably, in the communication control program, when the destination domain corresponds to the third domain, whether or not the transmission function permits communication to the destination of the communication request by transmitting the communication request to a predetermined server. Is determined by a predetermined server.

In the communication control program of this aspect, for a communication request for which it cannot be determined inside the computer whether or not communication should be permitted, it is determined by a predetermined server (for example, whether or not to permit communication to the destination). It is executed on the filtering server). Therefore, according to the communication control program of this aspect, the destination of the communication request generated inside the computer is controlled more finely in cooperation with a predetermined server, and the communication to the destination to which the communication should not be permitted is surely regulated. can do.

According to the present invention, it is possible to efficiently perform communication to a communication request destination.

It is a block diagram of the environment in which a communication control program operates. It is a block diagram which shows the functional structure in a device. It is a block diagram which shows the functional structure in a server related to a communication control program. It is a figure (1/2) which shows the structure of the setting file related to a communication control program. It is a figure (2/2) which shows the structure of the setting file related to a communication control program. It is a flowchart which shows the flow of a procedure as a whole until a communication request is sent to the outside of a device or is interrupted inside. It is a sequence diagram which shows the operation example when the communication request is made to the permission domain. It is a sequence diagram which shows the operation example when the communication request is made to the unauthorized domain. It is a sequence diagram which shows the operation example when the communication request is made to the domain which corresponds to neither the permitted domain nor the unauthorized domain. It is a sequence diagram which shows the operation example when a communication request is made by an application which does not use a destination control part. It is a figure which shows an example of the screen which is displayed when communication is interrupted inside a device.

Hereinafter, embodiments of the present invention will be described with reference to the drawings. The following embodiments are preferable examples, and the present invention is not limited to this example.

FIG. 1 is a configuration diagram of an environment in which the communication control program 100 operates.
The communication control program 100 is a program that controls the destination of the communication request generated inside the device 10, and is installed in the device 10. The device 10 is, for example, a mobile device such as a smartphone, a tablet terminal, or a notebook PC whose available functions are limited to applications such as a web browser, and can communicate via the Internet 20. On the Internet 20, there is a communication request destination web server (hereinafter, referred to as “target server DS”) with which the device 10 communicates. In addition, a filtering server 30, a communication regulation server 40, and a setting management server 50 are arranged on the Internet 20.

The filtering server 30 determines the destination of the communication request sent from the device 10 (hereinafter, this operation is referred to as "filtering"), and makes a communication request based on the determination result on the target server DS or the communication regulation server 40. Transfer to one of. Specifically, when the communication permission is determined, the communication request is transferred to the target server DS, and as a result, the content of the target server DS is displayed on the device 10. On the other hand, when the communication regulation is determined, the communication request is transferred to the communication regulation server 40, and as a result, the device 10 displays a screen indicating that the communication is restricted.

When a communication request to the target server DS is generated in the device 10, the destination of the communication request is controlled by the communication control program 100 based on whether communication to the target server DS is permitted or not permitted. As a result, the communication request generated by the device 10 is transmitted to the target server DS or the communication regulation server 40 via the first route (solid line arrow in the figure) directly transmitted to the target server DS and the filtering server 30. It is processed via one of three routes: a second route (long dashed arrow in the figure) to be executed, and a third route (short dashed arrow in the figure) interrupted in the device 10.

The setting management server 50 is a server for managing the settings for each user (for example, a company, a school, etc.) regarding the use of the filtering server 30, and is a setting file (program setting) required for using the communication control program 100. It is responsible for distributing the file). When the program setting file distributed from the setting management server 50 is installed on the device 10, the communication control program 100 starts to be used.

The specific method of control by the communication control program 100 will be described in detail later with reference to another drawing. Further, in the following description, the companies and schools that are the users of the filtering server 30 are collectively referred to as "user organizations", and the employees of the companies and the students of the schools that are the users of the communication control program 100 in the user organizations. Etc. will be collectively referred to as "members of the user organization".

FIG. 2 is a block diagram showing a functional configuration in the device 10. For convenience of explanation, the functional configurations other than the communication control program 100 show only those related to the passing of the communication request generated inside the device 10.

The operating system 200 is pre-installed on the device 10, and the communication control program 100 and various applications 300 are individually installed on the device 10 by the user of the device 10. Here, the operating system 200 is system software that controls the operation of the device 10, and examples thereof include iOS and Android. Further, the various applications 300 are applications for various purposes running on the operating system 200 (hereinafter, may be abbreviated as "applications"), for example, applications for web browsing and video playback. Applications, etc. fall under this category.

When various applications 300 make a communication request to the outside of the device 10, the communication request is received by the operating system 200. Due to the restrictions of the operating system 200, the communication control program 100 cannot directly acquire the communication requests from the various applications 300 (so-called "sandbox"). Therefore, the communication request is controlled by the communication control program 100 via the operating system 200. Will be done.

The operating system 200 has, for example, a related setting storage unit 210, a communication request reception unit 220, a destination control unit 230, a communication request transmission unit 240, and other controls as functional configurations related to the delivery of communication requests generated inside the device 10. The unit 250 is provided.

The related setting storage unit 210 stores settings related to the basic operation of the operating system 200 and settings related to various programs and applications installed on the operating system 200. The entity of the related setting storage unit 210 is, for example, a setting file described in the XML format. The related setting storage unit 210 stores a communication control setting file (“C1” in the figure) as a setting related to the communication control program 100, and at least a destination control setting as a setting related to the basic operation of the operating system 200. The file (“C2” in the figure) is stored. Further, although not shown, the related setting storage unit 210 appropriately stores settings related to various applications 300 in addition to these settings.

The communication request receiving unit 220 first receives the communication request transmitted from the various applications 300, and determines whether or not the various applications 300 that are the source of the communication request are the applications that use the destination control unit 230. Check based on the settings stored in 210. Then, when the various applications 300 are applications that use the destination control unit 230, the communication request is distributed to the destination control unit 230, while when the various applications 300 are applications that do not use the destination control unit 230, the communication request is distributed to the other control unit 250. Sort to.

The destination control unit 230 confirms the settings of the destination control setting file stored in the related setting storage unit 210, and if the settings for using the dynamic settings are not made, that is, if the settings are fixed, the destination control unit 230 confirms the settings. Destination control Controls the destination of the communication request based on the settings in the configuration file, while controlling the destination of the communication request based on the settings in the destination dynamic configuration file if it is not, that is, if it is set dynamically. To do. At this time, if the destination dynamic setting file has not yet been acquired (it is not stored in the related setting storage unit 210), the destination control unit 230 distributes the destination dynamic setting file to the communication control program 100. Is requested, and the destination dynamic setting file distributed from the communication control program 100 is stored in the related setting storage unit 210.

The destination control unit 230 controls the destination of the communication request distributed from the communication request receiving unit 220 to the communication control unit 130 of the communication control program 100 described later, and passes the communication request to the communication control unit 130. As a result, the communication control unit 130 functions as a local proxy and controls the destination (next delivery destination) of the communication request. Further, when the communication request is not normally passed to the communication control unit 130 and the setting is dynamic, the destination control unit 230 exceptionally sets the destination dynamic setting file. Control the destination of the communication request based on.

The communication request sending unit 240 finally sends a communication request whose destination is controlled to the outside of the device 10. Specifically, the communication request sending unit 240 sends out the communication request whose destination is controlled by the communication control program 100 and the communication request whose destination is controlled by the destination control unit 230 as it is to the outside of the device 10. To do.

The other control unit 250 determines whether or not to control a communication request whose source is an application that does not use the destination control unit 230, based on the setting contents of the communication control setting file stored in the related setting storage unit 210. To do. When the communication control setting file is set to delegate the control of the communication content to the communication control program 100, the other control unit 250 delegates the control of the communication request to the communication control program. Further, the other control unit 250 responds to the instruction from the communication control program 100 to the various applications 300 that are the transmission sources of the communication request to interrupt the communication.

Subsequently, the functional configuration of the communication control program 100 will be described.
The communication control program 100 includes at least a program setting storage unit 110, a dynamic setting distribution unit 120, a communication control unit 130, and a communication prohibition control unit 140.

The program setting storage unit 110 stores the settings required for the operation of the communication control program 100. The substance of the program setting storage unit 110 is, for example, a setting file described in the XML format. The program setting storage unit 110 stores a program setting file (“P” in the figure) distributed and installed from the setting management server 50 described above before the start of use of the communication control program 100.

The dynamic setting distribution unit 120 generates a destination dynamic setting file (“D” in the figure) in response to a request from the operating system 200, and distributes it to the operating system 200. At this time, the dynamic setting distribution unit 120 generates a destination dynamic setting file based on the setting contents of the communication control setting file.

The communication control unit 130 controls the destination of the communication request passed from the operating system 200. Specifically, the communication control unit 130 determines the destination of the communication request based on the setting contents of the communication control setting file, determines the next delivery destination of the communication request, and if necessary according to the result. Rewrite the destination of the communication request. Then, the communication request whose destination is rewritten or maintained as it is is transmitted.

The communication prohibition control unit 140 instructs the operating system 200 (other control unit 250) to give a response to interrupt the communication with respect to the communication request to which the control is delegated from the operating system 200 (other control unit 250). Do. Further, the communication prohibition control unit 140 appropriately confirms the existence of the program setting file, and if the program setting file does not exist, all communication is performed in order to prevent communication from being permitted due to an unintended operation. Suspend.

The specific contents of the program setting file, communication control setting file, destination control setting file, and destination dynamic setting file used in the control process will be described in detail later with reference to another drawing.

FIG. 3 is a block diagram showing a functional configuration in the filtering server 30, the communication regulation server 40, and the setting management server 50 arranged in relation to the communication control program 100.

First, the functional configuration of the filtering server 30 will be described.
The filtering server 30 includes at least a setting storage unit 31, a data storage unit 32, a request reception unit 33, a determination unit 34, and a request transfer unit 35.

The setting storage unit 31 stores settings related to filtering for each user organization that uses the filtering server 30. The entity of the setting storage unit 31 is, for example, a database. Specifically, the setting storage unit 31 sets the user account given to the user organization, the password for the user account, the category of the content for which access is permitted or restricted in the user organization, the domain, the URL, and the like for each user organization. I remember.

The data storage unit 32 stores the data analyzed for the website on the Internet necessary for filtering. The entity of the data storage unit 32 is, for example, a database. The data storage unit 32 stores and stores a huge amount of data corresponding to data items such as categories, URLs, protocols, ports, domain hierarchies, path hierarchies, and keywords hit in the website related to websites on the Internet. doing.

The request receiving unit 33 receives the communication request sent from the device 10.

The determination unit 34 sets the filtering of the current user (the user organization identified by the user account specified when communicating with the filtering server 30) with respect to the destination specified in the communication request received by the request reception unit 33. Based on this, it is determined whether or not to allow communication to the destination.

The request transfer unit 35 transfers the communication request according to the determination result by the determination unit 34. Specifically, the request transfer unit 35 transfers the communication request to the target server DS when the communication permission is determined, and transfers the communication request to the target server DS when the communication regulation is determined. Transfer to server 40.

Next, the functional configuration of the communication regulation server 40 will be described.
The communication regulation server 40 includes at least a regulation screen output unit 41.

The regulation screen output unit 41 outputs a screen indicating that communication to the target server DS is restricted to be displayed on the device 10 which is the request transmission source.

Subsequently, the functional configuration of the setting management server 50 will be described.
The setting management server 50 includes at least a setting management unit 51 and a program setting distribution unit 52. Further, the setting management server 50 can communicate with the setting storage unit 31 of the filtering server 30 via a network different from the Internet 20.

The setting management unit 51 provides a menu for managing settings related to filtering for each user organization that uses the filtering server 30. The administrator of the user organization registers or updates the settings related to filtering on the management menu provided by the setting management unit 51. The settings registered or updated on the management menu are stored in the setting storage unit 31 of the filtering server 30 via the network.

The program setting distribution unit 52 transmits the program setting file (“P” in the figure) required for the members of the user organization of the filtering server 30 to use the communication control program 100 to the user organization via the Internet 20. It is distributed to the device 10 used by the members.

4 and 5 are diagrams showing the configuration of a setting file used in connection with the communication control program 100. Each icon (“P”, “C1”, “C2” and “D” in the figure) representing the setting file shown in the following figures is shown in the block diagrams of FIGS. 2 and 3, respectively. It corresponds to the icon.

First, in the program setting file (“P” in the figure), information necessary for communicating with the filtering server 30 is set. Specifically, the user account assigned to the user organization of the filtering server 30, the password for the user account, the domain name of the filtering server 30, the listening port number of the filtering server 30, and whether or not to encrypt the communication to the filtering server 30. It has been set. The program setting file is used when the communication control unit 130 determines that the next delivery destination of the communication request is the filtering server 30.

Further, the program setting file is introduced into the device 10 by installing the file distributed from the setting management server 50 by the user of the device 10, that is, a member of the user organization, and stores the program setting as a part of the communication control program 100. It is stored in the unit 110.

Next, in the communication control setting file (“C1” in the figure), information and the like necessary for determining the next delivery destination of the communication request are set. Specifically, a list of domains that allow communication without going through the filtering server 30 (hereinafter, may be abbreviated as "permitted domain"), and disallowing communication without going through the filtering server 30. A list of domains (hereinafter, may be abbreviated as "unauthorized domain") and whether or not to delegate control of communication contents to the communication control program 100 are set. The communication control setting file is used when the dynamic setting distribution unit 120 generates a destination dynamic setting file, or when the communication control unit 130 determines the destination of a communication request.

Further, the communication control setting file is created exclusively for the communication control program 100, and after being created by the administrator of the user organization of the filtering server 30, mail, an MDM (Mobile Device Management) tool, or the like is used. By installing the distributed file on the device 10 used by the members of the user organization, the file is introduced into the device 10. The communication control setting file is stored in the related setting storage unit 210 as a part of the operating system 200 due to the restrictions of the operating system 200.

Subsequently, in the destination control setting file (“C2” in the figure), information necessary for the destination control unit 230 to control the destination of the communication request is set. Specifically, whether or not the destination control unit 230 uses the dynamic setting, the IP address and the standby port number of the communication control unit 130 as a local proxy are set. The destination control setting file is created for the operating system 200 (destination control unit 230), and like the communication control setting file, it is created by the administrator of the user organization of the filtering server 30, and then mail or MDM. The file distributed by using the tools and the like is installed in the device 10 by the user of the device 10 used by the members of the user organization. The destination control setting file is also stored in the related setting storage unit 210 as a part of the operating system 200 due to the restrictions of the operating system 200.

Then, in the destination dynamic setting file (“C3” in the figure), information necessary for the destination control unit 230 to use the dynamic setting is set. Specifically, the IP address and listening port number of the communication control unit 130 as a local proxy, the destination determination condition for each domain regarding the domain (permitted domain) that allows communication without going through the filtering server 30, and the filtering server 30 are set. Destination determination conditions for each domain are set for domains that disallow communication without going through (disapproved domains). The destination dynamic setting file is generated by the dynamic setting distribution unit 120 based on the setting contents of the communication control setting file in response to the request from the destination control unit 230, and is generated as a part of the operating system 200 by the related setting storage unit 210. Is remembered in.

In this way, four configuration files related to the communication control program 100 can be introduced into the device 10. Of these, the program setting file is distributed from the setting management server 50 to the members of the user organization of the filtering server 30, and the other three files are created by the administrator of the user organization. It is distributed to the members of the user organization (communication control setting file, destination control setting file), or created based on it (destination dynamic setting file). Therefore, by distributing these setting files and introducing them into the device 10, the members of the user organization can use the communication control program 100 with common settings in the user organization.

FIG. 6 is a flowchart showing the flow of the entire procedure executed by a plurality of subjects until the communication request generated inside the device 10 is sent to the outside or interrupted internally.

In order to facilitate the understanding of the invention, in FIG. 6, the step group executed by the communication control program 100 is indicated by a step number in the 100s, and the step group executed by the operating system 200 is indicated by a step number in the 200s. The step group executed by the various applications 300 will be indicated by step numbers in the 300s. In FIG. 6, the procedure is shown in a simplified manner, and the illustration of minute procedures and exceptional procedures that do not affect the overall flow is omitted. Further, the procedure shown in FIG. 6 is an example until it gets tired, and the procedure is not limited to this.

Step S301: The various applications 300 transmit a communication request to the target server DS.

Step S201: The operating system 200 receives communication requests from the various applications 300, and confirms the settings stored in the related setting storage unit 210 for the various applications 300.

Step S203: As a result of the confirmation in step S201, if the various applications 300 are applications that use the destination control unit 230 (step S203: Yes), the operating system 200 then executes step S205. On the other hand, when the various applications 300 are applications that do not use the destination control unit 230 (step S203: No), the operating system 200 then executes step S221.

Step S205: The operating system 200 passes the received communication request to the communication control program 100 (communication control unit 130 as a local proxy) based on the settings of the destination control setting file and the destination dynamic setting file.

Step S101: The communication control program 100 (communication control unit 130) determines the destination of the communication request delivered from the operating system 200 based on the setting contents of the communication control setting file.

Step S103: In the determination in step S101, if the target server DS designated as the destination of the communication request is the permitted domain (step S103: Yes), the communication control program 100 (communication control unit 130) is next. Step S105 is executed. On the other hand, if the target server DS is not a permitted domain (step S103: No), the communication control program 100 (communication control unit 130) then executes step S111.

Step S105: The communication control program 100 (communication control unit 130) determines the next delivery destination of the communication request to the target server DS. Since the target server DS is originally specified as the destination of the communication request, the communication control program 100 (communication control unit 130) transmits the communication request maintained as it is without rewriting the destination.

Step S211: The operating system 200 sends the communication request transmitted from the communication control program 100 to the outside of the device 10. As a result, the communication request is transmitted to the target server DS.

Step S111: In the determination in step S101, if the target server DS designated as the communication request destination is an unauthorized domain (step S111: Yes), the communication control program 100 (communication control unit 130) is next. Step S113 is executed. On the other hand, if the target server DS is not an unauthorized domain (step S111: No), the communication control program 100 (communication control unit 130) then executes step S121.

Step S113: The communication control program 100 (communication control unit 130) determines that the next delivery destination of the communication request should be the other control unit 250, that is, communication should be prohibited, and then step S115 is executed.

Step S121: The communication control program 100 (communication control unit 130) determines the next delivery destination of the communication request to the filtering server 30, rewrites the destination of the communication request according to the determination, and communicates to the filtering server 30. After setting the necessary credentials, etc., send the communication request.

Step S2411: The operating system 200 sends the communication request transmitted from the communication control program 100 to the outside of the device 10. As a result, the communication request is transmitted to the filtering server 30.

Step S221: When the various applications 300 that are the source of the communication request are applications that do not use the destination control unit 230 (step S203: No), the operating system 200 refers to the communication control setting file and the communication control program 100. Check if the setting to delegate the control of the communication contents is made to. As a result of the confirmation, if the communication control program 100 is set to delegate the control of the communication content (step S221: Yes), the operating system 200 delegates the control of the communication request to the communication control program 100. On the other hand, when the communication control program 100 is not set to delegate the control of the communication content (step S221: No), the operating system 200 does not delegate the control of the communication request to the communication control program 100, but separately. Control is performed by the means of. Since the subsequent control has nothing to do with the communication control program 100, the description thereof will be omitted.

Step S115: The communication control program 100 (communication prohibition control unit 140) instructs the operating system 200 (other control unit 250) to make a response to interrupt the communication.

Step S2311: The operating system 200 responds to the instruction from the communication control program 100 (communication prohibition control unit 140) to the various applications 300 that are the transmission sources of the communication request to interrupt the communication.

Step S311: Various applications 300 display screens according to the response result from the operating system 200.

In this way, the communication requests transmitted from the various applications 300 are passed from the operating system 200 to the communication control program 100, and then the communication control program 100 passes the next communication request based on the determination regarding the destination. The destination is determined to be one of the target server DS, the filtering server 30, or the other control unit 250, and the destination of the communication request is appropriately rewritten according to the determination result. Then, when the next delivery destination is determined by the target server DS or the filtering server 30, the communication request is transmitted to these servers, whereas when it is determined by the other control unit 250, the communication request is transmitted to these servers. The communication request is interrupted inside the device 10 without being sent to the outside of the device 10, and a response to that effect is made to the various applications 300 that are the transmission sources of the communication request.

FIG. 7 is a sequence diagram showing an operation example when a communication request is made to the permitted domain. In this operation example, it is assumed that various applications 300 that transmit communication requests are applications that use the destination control unit 230. The steps corresponding to protocol negotiation and session establishment performed in advance when transmitting and receiving packets between computers are general matters and will be omitted from the description (the same applies to FIGS. 8 and later). Hereinafter, an operation example will be described.

Step S11: Various applications 300 transmit a communication request to the target server DS.

Steps S13, S15: When the operating system 200 receives the communication request and confirms that the application uses the destination control unit 230 from the settings related to the various application 300s of the transmission source (step S13), the communication request is sent to the communication control program. Hand over to 100 (step S15).

Steps S16 to S19: The communication control program 100 determines that the target server DS specified as the destination of the delivered communication request is the permitted domain (step S16). Then, according to the determination result, the next delivery destination of the communication request is determined to the target server DS (step S17), and the communication request with the original destination maintained is transmitted (step S19).

Step S21: The operating system 200 sends the communication request transmitted from the communication control program 100 to the target server DS along the destination.

As described above, when the target server DS is the permitted domain, communication is directly performed with the target server DS without going through the filtering server 30.

FIG. 8 is a sequence diagram showing an operation example when a communication request is made to the unauthorized domain. Also in this operation example, it is assumed that the various applications 300 that transmit the communication request are the applications that use the destination control unit 230. Hereinafter, an operation example will be described.

Step S31: Various applications 300 transmit a communication request to the target server DS.

Steps S33 and S35: When the operating system 200 receives the communication request and confirms that the application uses the destination control unit 230 from the settings related to the various application 300s of the transmission source (step S33), the communication request is sent to the communication control program. Hand over to 100 (step S55).

Steps S36 to S39: The communication control program 100 determines that the target server DS specified as the destination of the delivered communication request is an unauthorized domain (step S36). Then, according to the determination result, it is determined that the next delivery destination of the communication request is the other control unit 250, that is, the communication should be prohibited (step S37), and the operating system makes a response to interrupt the communication. Instruct 200 (other control unit 250) (step S39).

Step S41: The operating system 200 responds to various applications 300 that are the source of the communication request to the effect that the communication is interrupted.

Step S43: The various applications 300 appropriately display screens according to the response result from the operating system 200.

As described above, when the target server DS is an unauthorized domain, the communication request is not sent to the outside of the device 10, and the communication is interrupted inside the device 10.

FIG. 9 is a sequence diagram showing an operation example when a communication request is made to a domain that does not correspond to either a permitted domain or a non-permitted domain. Also in this operation example, it is assumed that the various applications 300 that transmit the communication request are the applications that use the destination control unit 230. Hereinafter, an operation example will be described.

Step S51: Various applications 300 transmit a communication request to the target server DS.

Steps S53 and S55: When the operating system 200 receives the communication request and confirms that the application uses the destination control unit 230 from the settings related to the various application 300s of the transmission source (step S53), the communication request is sent to the communication control program. Hand over to 100 (step S55).

Steps S56 to S59: The communication control program 100 determines that the target server DS specified as the destination of the delivered communication request is neither a permitted domain nor a disallowed domain (step S56). Then, according to this determination result, the next delivery destination of the communication request is determined to be the filtering server 30, the destination is rewritten to the filtering server 30, and the qualification information required for communication to the filtering server 30 is set. (Step S57), the communication request with the rewritten destination is transmitted (step S59).

Step S61: The operating system 200 sends the communication request transmitted from the communication control program 100 to the filtering server 30 along the destination.

Steps S63 and S65: The filtering server 30 receives the communication request and determines whether to allow the communication request based on the setting related to the filtering of the user organization corresponding to the user account specified in the credential (step S63). ). When it is determined that the communication is permitted, the filtering server 30 transfers the communication request to the target server DS (step S65). If it is determined that the communication is restricted here, the communication request will be forwarded to the communication regulation server 40.

In this way, when the target server DS does not correspond to either the permitted domain or the disallowed domain, the communication request goes through the filtering server 30 and is based on the result of the determination made by the filtering server 30. Alternatively, it is transferred to one of the communication regulation servers 40.

FIG. 10 is a sequence diagram showing an operation example when a communication request is made by an application that does not use the destination control unit 230. In this operation example, various applications 300 that transmit communication requests are applications that do not use the destination control unit 230, and the communication control setting file is set to delegate control of communication contents to the communication control program 100. And. Hereinafter, an operation example will be described.

Step S71: Various applications 300 transmit a communication request to the target server DS.

Steps S73 and S75: The operating system 200 receives the communication request, and the application does not use the destination control unit 230 from the settings related to the various application 300s of the transmission source, and the control of the communication request is delegated to the communication control program 100. After confirming that the settings have been made (step S73), the communication request is passed to the communication control program 100 (step S75).

Steps S77 and S79: The communication control program 100 confirms that the program setting file exists (step S77), and then causes the operating system 200 (other control unit 250) to respond to the effect that the communication is interrupted. (Step S79).

Step S81: The operating system 200 responds to various applications 300 that are the source of the communication request to the effect that the communication is interrupted.

Step S83: The various applications 300 appropriately display screens according to the response result from the operating system 200.

In this way, when a communication request is made by an application that does not use the destination control unit 230, the communication request is not sent to the outside of the device 10 as in the case where the target server DS is an unauthorized domain. Communication is interrupted inside the device 10.

FIG. 11 is a diagram showing an example of screens of various applications 300 displayed when communication is interrupted inside the device 10.

When the various applications 300 are applications for web browsing (web browser), for example, a message "This site cannot be browsed because it is controlled by the application of XX" is displayed on the screen. To. Here, the "application of XX" refers to the communication control program 100, and a specific name is entered in "XX". In the explanation so far, in order to avoid confusion with various applications 300 that make communication requests, the term application (application) is not intentionally used in the explanation of the communication control program 100, but from the viewpoint of the user of the device 10. , Communication control program 100 also corresponds to an application. Therefore, in order for the user of the device 10 to recognize that the communication control program 100 controls the communication (browsing), the message "Application of XX" is displayed on the screen instead of the "communication control program". Be done.

By the way, as described above, when the communication is interrupted inside the device 10, the communication control program 100 gives a response instruction to the operating system 200 to interrupt the communication, and the operating system 200 responds to the instruction. Outputs a response to the effect that communication is interrupted. Shown in the illustrated web browser is HTML content output by the operating system 200 in response to an instruction from the communication control program 100.

On the other hand, when the various applications 300 are applications other than a web browser, for example, a video playback application, a file management application, etc., the displayed screens vary depending on the application specifications. It becomes. For example, the application may switch to an offline screen, a pop-up message may be displayed on the application, or a message to that effect may be displayed in a part of the screen. Alternatively, there may be an application in which no message is output or an application that keeps waiting for communication.

In any case, such a display is an operation according to the specifications of the various applications 300 that have made the communication request, and the mode of the screen of the application other than the web browser displayed when the communication is interrupted inside the device 10 The communication control program 100 is not involved at all.

[Advantage of Embodiment]
As described above, according to the communication control program 100 described above, the communication control unit 130 functions as a local proxy in the device 10 and controls the destination of the operating system 200 for communication requests from various applications 300 to the target server DS. Upon delivery from the unit 230, the communication control unit 130 determines the destination of the communication request based on the setting contents of the communication control setting file installed in advance, and controls the destination of the communication request according to the determination result. Specifically, the communication control unit 130 determines the next delivery destination of the communication request to the target server DS when the target server DS corresponds to the permitted domain, and prohibits communication when the target server DS corresponds to the unauthorized domain. If it is determined and neither the permitted domain nor the disallowed domain is applicable, the next delivery destination of the communication request is determined to the filtering server 30, and the destination of the communication request is rewritten if necessary according to the determined result. ..

By controlling the destination of the communication request in this way, it is possible to directly communicate with the permitted domain without going through the filtering server 30, and communication with the unauthorized domain is via the filtering server 30. It can be interrupted inside the device 10 without any. Then, the control of permission / regulation of communication can be entrusted to the filtering server 30 via the filtering server 30 only when neither the permitted domain nor the disallowed domain is applicable.

Therefore, according to the communication control program 100, it is possible to minimize the number of communication requests generated by the device 10 that pass through the filtering server 30, and to efficiently perform communication from the device 10 to the target server DS. As a result, it is possible to shorten the response time required from the communication request made by the various applications 300 to the final return of the response result to the various applications 300, and improve the response speed. From these points, the remarkable superiority of the above-described embodiment is clear.

The present invention can be variously modified and implemented without being restricted by the above-described embodiment. Further, the specific examples presented in relation to the embodiment are merely examples, and are not limited to the above-mentioned contents.

In the above-described embodiment, four setting files that can be introduced in connection with the communication control program 100 are a program setting file, a communication control setting file, a destination control setting file, and a destination dynamic setting file, and each setting file. Although the setting items in FIG. 4 are shown in FIG. 4, the types of setting files and the setting items in each setting file are not limited to this, and other setting items may be further set in each setting file, and other settings may be made. Further configuration files may be introduced.

In the above-described embodiment, the filtering server 30, the communication regulation server 40, and the setting management server 50 are provided separately, but as a configuration in which two or more of these three servers coexist in the same server. May be good. Further, although the setting management unit 51 is provided in the setting management server 50, it is also possible to provide the setting management unit 51 in the filtering server 30 instead. Furthermore, the entity (database, etc.) of the setting storage unit 31 and the data storage unit 32 does not necessarily have to be provided on the filtering server 30, but is provided on another server that can be connected via the network. Such resources may be used, or the data may be mounted on an external storage medium such as an external hard disk drive (HDD) connected to the filtering server 30 via various ports such as USB and SCSI.

In the above-described embodiment, an organization such as a company or a school is assumed as a user of the filtering server 30, but the usage mode is not limited to this. For example, the communication carrier may be the user of the filtering server 30, and the communication control program 100 may be used after applying common settings in the communication carrier to the devices 10 owned by the customers of the communication carrier. Alternatively, the individual user can become the user of the filtering server 30, and the communication control program 100 can be used based on the permitted domain / non-permitted domain and the filtering settings set by the individual user himself / herself.

In the above-described embodiment, due to the restrictions of the operating system 200, communication requests from various applications 300 are passed to the communication control program 100 via the operating system 200, but an operating system without such restrictions (for example, Windows). Etc.), it is possible to operate the communication control program by changing a part of the functional configurations in the communication control program. Specifically, for example, in addition to each function configuration provided in the communication control program 100 in the above-described embodiment, a function configuration for directly receiving communication requests from various applications 300 without going through the operating system 200 is provided, and this function is provided. The communication control program may be implemented so that the configuration receives communication requests from various applications 300 and passes them to the communication control unit, and the communication control unit controls the destination of the delivered communication requests.

10 Devices 20 Internet 30 Filtering server 40 Communication regulation server 50 Setting management server 100 Communication control program 200 Operating system 300 Various applications (applications)
P Program setting file C1 Communication control setting file C2 Destination control setting file D Destination dynamic setting file

Claims (4)

A communication control program that controls the destination of external communication requests that occur inside a computer.
Regarding the domain of the destination of the communication request, the first domain in which communication from the computer is permitted, the second domain in which communication from the computer is prohibited, or the second domain which does not correspond to the first domain or the second domain. A judgment function that determines whether or not it corresponds to any of the three domains based on predetermined setting information,
According to the result of the determination, if the domain of the destination corresponds to the first domain, the maintenance of the destination is determined, and if the domain corresponds to the second domain, the destination is determined inside the computer. , A decision function that determines the destination to a predetermined server existing outside the computer when the third domain is applicable.
A communication control program that allows a computer to realize a transmission function for transmitting the communication request to a determined destination. In the communication control program according to claim 1,
The transmission function
When the destination domain corresponds to the third domain, the communication request is transmitted to the predetermined server, so that the predetermined server determines whether or not to allow communication to the destination of the communication request. A communication control program characterized by this. In the communication control program according to claim 1 or 2.
The computer
At least the operating system and applications that can communicate with the outside are installed,
The judgment function is
A communication control program comprising determining a destination of the communication request generated from the application and passed from the operating system. In the communication control program according to claim 1 or 2.
Further provided with an acquisition means for acquiring an external communication request generated inside the computer.
The computer
At least an application that can communicate with the outside is installed,
The judgment function is
A communication control program comprising determining a destination of the communication request generated from the application and acquired by the acquisition means.