JP2022147898A - Illegal access monitoring system and illegal access monitoring method - Google Patents

Abstract

To provide an illegal access monitoring system and an illegal access monitoring method that can protect equipment under network control against illegal access.SOLUTION: There is provided an illegal access management system that includes: a gateway which is connected to a router connected to an external network; one or a plurality of controllers which are connected to the router; and one or a plurality of apparatuses which are connected to the gateway, wherein the gateway includes: an apparatus management function which manages the one or the plurality of apparatuses connected to the gateway, the apparatus management function managing an apparatus list related to apparatuses existing among the one or the plurality of apparatuses, and false apparatuses not existing among the one or the plurality of apparatuses; and a communication function which responds, when receiving a control request to an apparatus included in the apparatus list, to the control request to transmit and receive data.SELECTED DRAWING: Figure 1

Description

The present invention relates to an unauthorized access monitoring system and an unauthorized access monitoring method, and more particularly to monitoring unauthorized access to a network such as a home network.

With the development of HEMS (Home Energy Management System) and smart speakers, IoT (Internet of Things) systems in homes are rapidly developing. However, unlike corporate IT systems, residential IoT systems have barriers such as introduction costs, maintenance costs, and support skills. As a result, sufficient security measures are taken compared to corporate IT systems. In many cases, residents continue to use IoT systems in a vulnerable state.

For example, security software may be installed on the personal computers and smart devices of residents. is difficult to maintain. Furthermore, in security measures for home appliances and in-home networks, it is necessary to understand the internal structure of home appliances and basic knowledge of networks before taking measures. is difficult. In addition, depending on the wireless environment such as Wi-Fi (Wireless Fidelity) (Wi-Fi is a registered trademark), weak radio waves can leak outside the house, making it possible to attack from outside the house. It is also a factor that the security risk of the home environment cannot be reduced because it is not possible to strictly prohibit people from bringing unauthorized devices into the home.

A protocol called ECHONET Lite (registered trademark) is an example of a protocol used in a residential IoT system. This protocol assumes the use of home Wi-Fi routers, and is a protocol in which when a controller broadcasts to search for a device, the device returns its own information in unicast. After the unicast response from the device, unicast communication is performed between the controller and the device, and a state acquisition signal and a control instruction signal are exchanged. FIG. 9 shows a network of home 201 having such a configuration. The network in FIG. 9 includes a router 211 connected to the Internet (registered trademark) as an example of an external network, a controller 212 connected to the router 211 , and a device 213 connected to the router 211 . Controllers and devices conforming to ECHONET Lite must respond to broadcasts according to regulations, and will follow responses to malicious controllers and control instructions, making the protocol vulnerable in terms of security. The mechanism of authentication is not specified in the protocol, and it is necessary to take countermeasures for each application. In addition, there are many controllers such as AiSEG, Panasonic's HEMS controller, smartphone applications, computer terminals, embedded devices, etc. The IoT system used can be introduced.

In addition, not only ECHONET Lite, but most communication devices in homes prioritize connectivity with other devices. As a result, it is difficult to guarantee the security level.

Patent Literature 1 relates to a power management system, and proposes to always exchange messages including authentication information between controllers and devices in order to increase the security level of ECHONET Lite. In Patent Document 1, if a message has a low security level, for example, a message without authentication information, the device is protected by limiting the controllable range. It has been proposed to install a decoy server that acts as a decoy to accept unauthorized access from a computer, and to detect signs of unauthorized access when a download request for downloading a program is sent from the decoy server.

JP 2017-038515 A JP 2010-198386 A

However, the unauthorized access monitoring described above has the following problems.

End-to-end authentication, as in Patent Document 1, generally improves the security level. However, products and services that have already been released cannot be safely used and operated without additional authentication processing. In other words, an increase in development costs due to the addition of authentication processing and an increase in local firmware update costs for devices that are not compatible with remote firmware updates. As a result, there is a problem that the devices for which the technology proposed in Patent Document 1 cannot be easily introduced must be operated with a low security level. In addition, in the case of a protocol such as ECHONET Lite, there is also the problem that the location of the device can be specified by a malicious attacker by responding to the broadcast (detected by the discovery protocol). As a result, there is a possibility that duplicate accesses will be made to pairs other than the correct controller and device pairs that are originally intended for communication, leading to cyberattacks from attackers.

For example, consider a situation in which a resident invites a friend to a house, and the friend leaves a malware-infected smartphone at the house. A smartphone infected with malware first tries to access the home network, and then begins unauthorized access to the Wi-Fi router. After that, the home network is scanned, and after identifying the home devices, unauthorized access to the home devices is started. If security measures are not implemented and access rights to the device are acquired, device information (including authentication information) may be illegally extracted and the device may be controlled illegally. , economic loss to the occupants, and potentially life-threatening danger.

In addition, since PCs (Personal Computers) and smart devices are devices on which applications can be installed relatively easily, it is easy to introduce applications for smart homes, but it is also easy to introduce unauthorized applications including malware. In particular, recent malware has been cleverly disguised as a legitimate application, and ordinary users cannot detect that it is a malicious application, and residents continue to use it unintentionally. Loss and even life may be endangered.

Therefore, we consider a configuration in which a gateway is introduced between controllers such as smart devices and PCs and equipment such as air conditioners and lighting, and the gateway separates the network under the router such as a Wi-Fi router from the network to which the equipment to be protected belongs. It is assumed that this gateway has the function of managing the devices under it and communicating with the controller on behalf of the devices. When such a gateway is introduced, regardless of whether the device has an authentication function, communication between the gateway and the device can be performed on a secure network. It is possible to perform access control such as blocking communication with However, even in the case of such a configuration, when using a protocol such as ECHONET Lite, the number of subordinate devices and the information itself must be answered by the gateway to the controller according to the rules, and the device information cannot be hidden. There is Furthermore, even if direct communication to the device can be avoided, there is the problem that it is difficult to detect an unauthorized controller.

If the IoT system is operated in the house while such security vulnerabilities are left unattended, it will be difficult for the resident to turn off the lights while moving in the house, set the water temperature to an abnormal value when taking a bath, and illegally unlock the entrance. Failure to protect the safety of residents' lives and property.

In addition, the technique of installing a decoy server as in Patent Document 2 has the problem that it can only deal with attacks that use the target's vulnerability. In addition, when the method proposed in Patent Document 2 is applied, a decoy server is installed for each device to be protected, which poses a problem that the configuration becomes large-scale.

SUMMARY OF THE INVENTION An object of the present invention is to provide an unauthorized access monitoring system and an unauthorized access monitoring method capable of protecting devices under a network from unauthorized access.

To achieve the above object, an unauthorized access monitoring system according to the present invention comprises a gateway connected to a router connected to an external network, one or more controllers connected to the router, and a controller connected to the gateway. 1. An unauthorized access control system for a network comprising:
The above gateway is
A device management function that manages one or more devices connected to the gateway, and relates to a device that actually exists in the one or more devices and a pseudo device that does not actually exist in the one or more devices. A device management function that manages the device list,
and a communication function for transmitting and receiving data in response to the control request when receiving a control request to the devices included in the device list.

An unauthorized access monitoring method according to the present invention includes a gateway connected to a router connected to an external network, one or more controllers connected to the router, and one or more devices connected to the gateway. and an unauthorized access control method for a network comprising:
The above gateway is
A device list that manages one or more devices connected to the gateway and relates to devices that actually exist in the one or more devices and pseudo devices that do not actually exist in the one or more devices. manage the
When receiving a control request to a device included in the device list, data is transmitted and received in response to the control request.

According to the present invention, it is possible to provide an unauthorized access monitoring system and an unauthorized access monitoring method capable of protecting devices under a network from unauthorized access.

1 is a block diagram for explaining an unauthorized access management system according to an embodiment of a higher concept; FIG. 1 is a block diagram for explaining an unauthorized access management system according to one embodiment; FIG. 3 is a block diagram for explaining a more detailed configuration of the gateway 10 of FIG. 2; FIG. It is a table showing an example of a device list. FIG. 11 is a flowchart for explaining device list notification processing; FIG. It is a table showing an example of a controller list. FIG. 10 is a flowchart for explaining a controller's degree of risk determination processing; FIG. FIG. 11 is a flowchart for explaining device list update processing; FIG. FIG. 4 is a conceptual diagram for explaining a situation when an attacker makes unauthorized access; FIG. 2 is a conceptual diagram illustrating a situation when an attacker has made unauthorized access to the unauthorized access management system according to the embodiment of the present invention; FIG. 2 is a conceptual diagram illustrating a situation when an attacker has made unauthorized access to the unauthorized access management system according to the embodiment of the present invention;

[Outline of the present invention]
In the unauthorized access monitoring system and unauthorized access monitoring method of the present invention, for example, pseudo devices are generated separately from the actual devices under the control of the gateway. The gateway then notifies the controller of the existence of the pseudo device as if it were actually there. Since a malicious controller repeats and exhaustively accesses including a pseudo device, the gateway detects a controller that communicates with a pseudo device as a malicious controller. Furthermore, the gateway access-controls communications from targets detected as malicious controllers. Preferred embodiments of the present invention will now be described in detail with reference to the drawings.

[Embodiment of higher level concept]
First, an unauthorized access monitoring system and an unauthorized access monitoring method according to embodiments of the broader concept of the present invention will be described. FIG. 1 is a block diagram for explaining an unauthorized access control system according to an embodiment of the general concept of the present invention.

The unauthorized access control system of this embodiment includes a gateway connected to a router connected to an external network, one or more controllers connected to the router, and one or more devices connected to the gateway. is an unauthorized access control system for networks including: The gateway 50 of the unauthorized access control system of FIG. 1 is a device management function that manages one or more devices connected to the gateway 50. Alternatively, it includes a device management function 51 that manages a device list related to pseudo devices that do not actually exist in a plurality of devices. Further, the gateway 50 of the unauthorized access control system of FIG. 1 includes a communication function 52 for transmitting and receiving data in response to the control request when receiving a control request for the devices included in the device list.

In the unauthorized access control method of this embodiment, the gateway 50 manages one or more devices connected to the gateway 50, and the one or more devices actually exist, and the one or more It manages a device list related to pseudo devices that do not actually exist in a plurality of devices. Further, when the gateway 50 receives a control request to the devices included in the device list, it transmits and receives data in response to the control request.

In the unauthorized access control system and unauthorized access control method of this embodiment, the one or more devices connected to the gateway 50 and the pseudo devices that do not actually exist in the one or more devices are monitored by the device list. Then, when receiving a control request for a device included in the device list, it transmits and receives data in response to the control request. The device list may also include pseudo devices that do not exist in one or more devices, thereby partially hiding real devices from unauthorized access. In addition, by including such a non-existent pseudo device in the device list, it is possible to automatically detect the sender of the control request and deal with the sender with appropriate access control. An unauthorized access monitoring system and an unauthorized access monitoring method according to specific embodiments will be described below.

[One embodiment]
Next, an unauthorized access monitoring system and an unauthorized access monitoring method according to one embodiment of the present invention will be described. FIG. 2 is a block diagram for explaining an unauthorized access control system according to one embodiment of the present invention. FIG. 3 is a block diagram for explaining a more detailed configuration of the gateway 10 of FIG. 2. As shown in FIG.

A detection method in the case where there are a plurality of controllers inside a house (House 1) and one of the controllers is an attacker will be described. A home network inside a house (house 1) includes a router 11, one or more controllers 12, a gateway 10, and a plurality of appliances 13. FIG.

The router 11 is connected to the Internet (registered trademark), which is an example of an external network, so that terminals in the home 1 can communicate with the Internet. Although not shown in the figure, a terminal such as an ONU (Optical Network Unit), a switching hub, a router, a firewall, a load balancer, and a proxy may be included between the Internet and the router 11 in terms of configuration.

Router 11 is also connected to one or more controllers 12 and gateway 10 . The router 11 assigns a communicable address such as an IP (Internet Protocol) address to each terminal, and sets it in each terminal. Both dynamic and static address settings for terminals are possible. Furthermore, if the address is an IP address, both IPv4 and IPv6 are possible. The router also routes communications from one or more controllers 12 and gateways 10 as appropriate. Routing by the router 11 enables communication between the controller 12 and the controller 12, between the controller 12 and the gateway 10, between the controller 12 and the Internet, and between the gateway 10 and the Internet. Furthermore, settings such as enable/disable of the NAT (Network Address Translation) function and NAPT (Network Address Port Translation) function of the router 11 do not affect the embodiment of this configuration.

The controller 12 is a computer terminal such as a PC (Personal Computer), smart phone, tablet, or smart device. Also included here are computer terminals capable of communicating with terminals such as HEMS controllers. Microcomputers and single board computers are also included. Applications for communicating with devices, referring to information, and controlling devices are installed on these computer terminals. At this time, whether or not this application has an authentication function for communication does not affect the embodiment of this configuration. Also, the application of the controller 12 may operate passively based on a manual operation from the resident, or may operate actively without the operation of the resident.

The device 13 is installed in a house and is used in the lives of residents. Any device that can return information in response to a request from the controller 12 is the device 13 . For example, home appliances such as air conditioners, floor heaters, water heaters, lighting equipment, televisions, TV (Television) recorders, media players, radios, smart speakers, personal computers, smartphones, tablets, and smart devices are also devices 13 . Devices 13 also include monitoring cameras, motion sensors, animal monitoring sensors, temperature sensors, humidity sensors, smoke sensors, window opening/closing sensors, window lock/opening sensors, and other sensors installed in houses. Furthermore, the device 13 includes an electric lock, an electric shutter, and the like. Similar to the controller, the device 13 is loaded with an application for returning information in response to an information reference request or device control request. At this time, the application may or may not have an authentication function for communication.

(Detailed configuration of gateway 10)
Next, the detailed configuration of the gateway 10 of this embodiment will be described with reference to FIG.

The gateway 10 has a communication function 110, an equipment management function 120, a controller management function 130, and a pseudo equipment management function 140, as shown in FIG.

The communication function 110 of the gateway 10 has a communication interface management function 111, a communication rejection function 112, and a communication content analysis/statistical processing function 113. FIG.

The communication interface management function 111 is a function for the gateway 10 to communicate with other computer terminals other than the gateway 10 . A computer terminal includes one or more controllers and one or more devices. Communication interface management function 111 sends or receives data via network interfaces to communicate with one or more controllers and one or more devices.

Also, the gateway 10 is connected to one or a plurality of devices, and the communication interface management function 111 assigns a communicable address such as an IP address to each terminal and sets it in each device. However, the address setting for the device can be set dynamically or statically. Furthermore, if the address is an IP address, either IPv4 or IPv6 can be set. However, IPv4 or IPv6 cannot be selected for each device, and if even one of the gateway 10 and the device 13 is IPv4, IPv4 must be set for the others as well. Similarly, if at least one of the gateway 10 and the device 13 is IPv6, the others need to be set to IPv6 as well. It is assumed that the network segment between controller 12 and gateway 10 does not match the network segment between gateway 10 and device 13 .

The communication rejection function 112 processes or discards data received by the communication interface management function 111 . When the controller listed in the controller list 131 of the controller management function 130 is the transmission source, the communication refusal function 112 refers to the corresponding risk level in the controller list 131, and discards the data if the risk level is refusal. is other than rejection, process the data.

The communication content analysis/statistical processing function 113 analyzes the data received by the communication interface management function 111 . The communication content analysis/statistical processing function 113 analyzes the content such as the address of the controller that sent the data and what kind of reference request or control request the content of the data is from the header information of the data. Also, the data reception frequency is measured for each controller.

The device management function 120 of the gateway 10 has a device list 121 , a device control function 122 and a device information reference function 123 .

As shown in FIG. 4, the device list 121 is a list that manages the device address of the device 13 with which the gateway 10 communicates, the device type, and information indicating whether the device is a generated pseudo device. In the example of FIG. 4, addresses A and B are device addresses of real devices, but addresses C and D are device addresses of generated pseudo devices. The device type of addresses A and C is "air conditioner", and the device type of addresses B and D is "water heater".

The contents of the device list 121 are notified to the controller 12 at an arbitrary timing, as shown in the flow chart of the device list notification process in FIG. 5 (S1). Notifications to controller 12 may be unicast, broadcast, multicast, or a combination thereof.

The device control function 122 is a function for the gateway 10 to control the device 13 . Upon receiving a device control request signal from the controller 12, the device control function 122 determines whether the object to be controlled is a pseudo device. If the object to be controlled is an “existing device”, a device control request signal is transmitted to the device 13 . When the device 13 responds to the device control request signal from the gateway 10 , the content of the response is returned to the controller 12 . If the device 13 did not respond, the gateway 10 would likewise not respond to the controller 12 . If the target is a “pseudo device”, the device response generation function 143 of the pseudo device management function 140 generates data and returns the generated data to the controller 12 .

The device information reference function 123 is a function for the gateway 10 to refer to device information. Upon receiving an information reference request signal from the controller 12, the device information reference function 123 determines whether the reference target is a "pseudo device". If the reference target is the device 13 that actually exists, an information reference signal is transmitted to the device 13 . When the device 13 responds to the information reference signal from the gateway 10 , the content of the response is returned to the controller 12 . If the device 13 does not respond, the gateway 10 likewise does not respond to the controller. If the target is a “pseudo device”, the device response generation function 143 of the pseudo device management function 140 generates data and returns the generated data to the controller 12 .

The controller management function 130 of the gateway 10 has a controller list 131 and manages access from the controller 12 to the devices 13 under the gateway 10 .

As shown in FIG. 6, the controller list 131 includes the controller address of the controller 12 with which the gateway 10 communicates, the degree of risk for determining whether the controller 12 is an attacker, and how many times the controller 12 has accessed the gateway 10. is a list for managing statistical information for determining In the example of FIG. 6, "permission", "restriction", or "rejection" is held as the degree of risk. Here, it is assumed that the degree of risk is higher in the order of "allowed", "restricted", and "rejected". In the example of FIG. 6, "low frequency", "medium frequency", or "high frequency" are held as statistical information. In the example of FIG. 6, addresses a and d are determined to be controllers communicating within a realistic range of use, addresses b and e are being determined to be attackers, and address c is an attack controller. Indicates that the person was determined to be a person.

The controller management function 130 checks the communication status between the controller 12 and the gateway 10 by the communication content analysis/statistical processing function 113 of the communication function, and determines the degree of danger of the controller 12 . The flow for determining the degree of risk of the controller 12 is as shown in the flow chart of the controller degree of risk determination process in FIG. The determination of the degree of danger of the controller 12 is performed, for example, at the timing when the gateway 10 receives data from the controller 12 .

The pseudo device management function 140 of the gateway 10 has a device generation function 141 , a device discard function 142 and a device response generation function 143 .

The device generation function 141 is a function for generating pseudo devices. As shown in FIG. 8, when the device generation function 141 generates a pseudo device, the device list 121 adds the address and device type of the pseudo device and information indicating that it is a pseudo device to the device list 121 . As the address of the pseudo device, an address different from the address set to the actual device is registered. At this time, by setting an address band that is different from the address of the device that actually exists, the resident of the house 1 can easily identify the pseudo address from the address of the device 13 . The timing for generating a pseudo device is the timing at which an existing device is added to the device list 121, the timing after an arbitrary period of time has passed, or the timing at which the user manually adds the device. The timing at which the existing device 13 is added to the device list 121 is when the gateway 10 is searched by the communication interface management function 111 at regular intervals, or when data is received from the device 13 that does not exist in the device list 121, or manually by the user. There may be additional timings, combinations thereof. If the device type is an existing type, it is set randomly, or if it is generated at the timing of adding the device, the same type as the added device is set.

The device discarding function 142 is a function for discarding pseudo devices. When the device discarding function 142 discards a pseudo device, the device list 121 deletes the address of the pseudo device and the information indicating that it is a pseudo device from the device list 121 . The timing of discarding the pseudo device is the timing when the actual device is deleted from the device list 121, the timing after an arbitrary period of time has passed, or the timing of manual deletion by the user. The timing at which an existing device is deleted from the device list 121 is when there is no response from the existing device in the device list 121 as a result of searching by the communication interface management function 111 of the gateway 10 at regular intervals, or when the device list is deleted by the user. 121, or a combination thereof.

The device response generation function 143 is a function for generating pseudo device data. The device response generation function 143 generates data in response to requests from the controller 12 . When receiving a control request from the controller 12, the device response generation function 143 generates data indicating the control result of the pseudo device. The device response generation function 143 generates pseudo device information when an information reference request is received from the controller 12 .

Here, update processing of the device list in FIG. 8 will be described. A device is searched (S30) and compared with the current device list 121 (S31). When the searched device 13 exists in the device list 121 in S31, the updating process is terminated. If it does not exist in the device list 121 in S31, it connects to the device 13 (S32) and adds the device information to the device list 121 (S33). Furthermore, a pseudo device is generated (S34), and the device information of the pseudo device is added to the device list 121 (S35).

Here, the processing for determining the degree of risk of the controller in FIG. 7 will be described. The gateway 10 receives requests such as control requests and information reference requests from the controller 12 to the device 13 (S10). The gateway 10 refers to the controller list 131 to check the degree of risk of the controller 12 (S11). When the risk level in the controller list 131 is set to "reject", the judgment process is terminated after rejecting the communication with the controller 12 (S12). When the risk level in the controller list 131 is set to "permit" or "restrict", the communication statistical information is updated (S13). Further, the communication frequency and parameters from the controller 12 are checked (S14). If an attacker tries to illegally control the device 13, the control parameters may not be within the specification range of the device 13 and may be out of range. Therefore, in S14, the frequency of communication from the controller 12 and parameters are checked. When the frequency of communication from the controller 12 and the parameter are out of the predetermined range in S14, the degree of risk is set to "restrict" or "reject" (S15), and then the process proceeds to S16. When the frequency of communication from the controller 12 and the parameter are within the predetermined range in S14, the process proceeds to S16. In S16, when the risk is "rejected" or when the risk is "restricted" and the control process is performed (Yes in S16), the process proceeds to S12 to reject communication with the controller 12 (S12). finish. If No in S16, it is checked whether the target device is a real device or a pseudo device (S17). When the target device is an existing device in S17, information reference processing and control processing for the device are performed (S19), and then the processing result is returned to the controller 12 (S20). When the target device is a pseudo device in S17, the processing result generated for the pseudo device is returned to the controller 12 (S18).

(Operation of embodiment)
Next, the operation of the unauthorized access monitoring system and the unauthorized access monitoring method according to this embodiment will be described. Specifically, the flow of determining the controller 12 that attempted to refer to the information of the device 13 as the attacker and the flow of determining the controller 12 that attempted to control the device 13 as the attacker will be described. First, the flow of determining the controller 12 that attempted to refer to information to the device 13 as an attacker will be described.

(1) The gateway 10 searches for devices that actually exist and creates a device list 121 First, the gateway 10 searches for devices 13 that actually exist and creates a device list 121 . A resident places the device 13 in the house 1 and sets the network so that the gateway 10 and the device 13 can communicate with each other. The gateway 10 uses its communication interface management function 111 to broadcast to the device 13 and search for the device 13 . A real device 13 responds to the gateway 10 . The communication interface management function 111 receives data from the existing device 13 and uses the communication content analysis/statistical processing function 113 to extract address information and device type from the data. The address information and device type extracted by the device management function 120 are added to the device list 121 shown in FIG. At this time, a value indicating that the real device 13 is not a pseudo device is registered in the list. The pseudo device management function 140 uses the device creation function 141 to create pseudo devices by the number added to the device list 121 . The device management function 120 adds the generated pseudo device to the device list 121 .

(2) Controller 12 searches for device 13 Next, controller 12 searches for device 13 . In order for the controller 12 to search for the device 13 , it broadcasts to the network under the router 11 . The communication interface management function 111 receives data from the controller 12 and uses the communication content analysis/statistical processing function 113 to extract address information from the data. The address information extracted by the controller management function 130 is added to the controller list 131 . At this time, the risk level is registered in the list as a value indicating "allowed" and the statistical information as a value indicating "low frequency".

(3) Gateway 10 returns the information of the device list 121 to the controller 12 Next, the gateway 10 returns the information of the device list 121 to the controller 12 . The communication interface management function 111 returns information on the device list 121 . At this time, the information of the device list 121 is not sent all at once, but is sent for each device. That is, the communication interface management function 111 first transmits the device information of the address A to the controller 12 . Next, the device information of address B, address C, and address D are sent to the controller in order.

(4) Controller 12 Refers to Device 13 for Information Next, the controller 12 refers to the device 13 for information. Since the controller 12 has acquired the device information from the gateway 10 , the controller 12 makes an information acquisition request to the gateway 10 . The controller 12 unicasts data indicating an information acquisition request to the gateway 10 .

(5) Gateway 10 Determines Degree of Risk of Controller 12 Next, the gateway 10 determines the degree of risk of the controller 12 . The communication interface management function 111 of the gateway 10 receives data indicating the information acquisition request. The controller management function 130 identifies the controller to which the communication content analysis/statistical processing function 113 has sent data. In the corresponding controller 12, the risk level is "permitted" and the statistical information is "low frequency" in the initial state, so the device information reference function 123 unicasts a device information acquisition request to the target device. The information acquired by the communication interface management function 111 is returned to the controller 12 .

(6) Gateway 10 rejects communication from controller 12 The operation when the controller 12 repeatedly acquires information from the device 13 in a short period of time will be described. In this case, the communication interface management function 111 receives data indicating an information acquisition request. The controller management function 130 uses the communication content analysis/statistical processing function 113 to identify the controller 12 that has transmitted the data. The communication content analysis/statistical processing function 113 sets the statistical information in the controller list 131 to "medium frequency". Since the statistical information of the corresponding controller in the controller list 131 of the controller management function 130 is "medium frequency", the controller management function 130 sets the degree of risk to "restricted". The device information reference function 123 unicasts a device information acquisition request to the target device. The information acquired by the communication interface management function 111 is returned to the controller 12 .

Next, the operation when the controller 12 continues to acquire information to the device in a short period of time will be described. In this case, the communication interface management function 111 receives data indicating an information acquisition request. The controller management function 130 identifies the controller 12 to which the communication content analysis/statistical processing function 113 has transmitted data. The communication content analysis/statistical processing function 113 sets the statistical information in the controller list 131 to "high frequency". Since the statistical information of the corresponding controller in the controller list 131 of the controller management function 130 is "frequent", the controller management function 130 sets the risk level to "reject".

The operation when the gateway 10 rejects communication from the controller 12 will be described. As described above, when the controller 12 continues to acquire information from the device 13 in a short period of time, the risk level of the corresponding controller 12 in the controller list 131 of the controller management function 130 is "rejected". In this case, the device information is not acquired, and the communication rejection function 112 discards the data from the controller 12 . After that, communication from the controller 12 is discarded. In this way, the device 13 under the gateway 10 is protected from an attempt by an attacker to refer to information on the device 13 .

Next, the flow of determining the controller 12 that attempted to control the device 13 as an attacker will be described.

(1) Gateway 10 searches for devices 13 that actually exist and creates device list 121 First, gateway 10 searches for devices 13 that actually exist in home 1 and creates device list 121 . The search for the device 13 that actually exists and the creation of the device list 121 are the same as the flow of information reference described above, so description thereof is omitted.

(2) Controller 12 searches for device 13 Next, controller 12 searches for device 13 . Since this search for the device 13 is the same as the information reference flow described above, the description is omitted.

(3) Gateway 10 returns the information of the device list 121 to the controller 12 Next, the gateway 10 returns the information of the device list 121 to the controller 12 . Since the return of the information of the device list 121 is the same as the flow of information reference described above, the explanation is omitted.

(4) Controller 12 Controls Pseudo Equipment Next, the controller 12 controls the pseudo equipment. Since the controller 12 has acquired the device information from the gateway 10 , the controller 12 issues a device control request to the gateway 10 . The controller 12 unicasts data indicating the device control request to the gateway 10 .

(5) Gateway 10 Determines Degree of Risk of Controller 12 In response to the unicast of the data indicating the device control request, the communication interface management function 111 of the gateway 10 receives the data indicating the device control request. The controller management function 130 of the gateway 10 uses the communication content analysis/statistics processing function 113 to identify the controller 12 that has transmitted the data. Since the corresponding controller 12 is in the initial state, the risk level is "permitted" and the statistical information is "low frequency", so the device response generation function 143 generates the control result of the corresponding pseudo device. The communication interface management function 111 returns control results to the controller 12 .

Here, the operation when the controller 12 repeats device control to the device 13 in a short time will be described. In this case, the communication interface management function 111 receives data indicating the device control request. The controller management function 130 uses the communication content analysis/statistical processing function 113 to identify the controller 12 that has transmitted the data. The communication content analysis/statistical processing function 113 sets the statistical information in the controller list 131 to "medium frequency". Since the statistical information of the corresponding controller in the controller list 131 of the controller management function 130 is "medium frequency", the controller management function 130 sets the degree of risk to "restricted". When the device control target is a pseudo device, the device response generation function 143 generates a control result for the corresponding pseudo device. The communication interface management function 111 returns the control result to the controller 12 .

Here, the operation when the controller 12 continues the device control of the device 13 for a short period of time will be described. In this case, the communication interface management function 111 receives data indicating the information control request. The controller management function 130 uses the communication content analysis/statistical processing function 113 to identify the controller 12 that has transmitted the data. Further, the communication content analysis/statistical processing function 113 sets the statistical information in the controller list 131 to "high frequency". Since the statistical information of the corresponding controller 12 in the controller list 131 of the controller management function 130 is "frequent", the controller management function 130 sets the risk level to "reject".

(6) The gateway 10 rejects the communication from the controller 12 Next, since the risk level of the corresponding controller 12 in the controller list 131 of the controller management function 130 is "rejected", the device control is not performed and the communication is performed. Reject function 112 discards data from controller 12 . After that, communication from the controller 12 is discarded. In this way, the device 13 under the gateway 10 is protected from an attempt by an attacker to control the device 13 .

As shown in FIG. 10A, a gateway 10 connected to a router 11 connected to the Internet, a controller 12 connected to the router 11, and one or more devices connected to the gateway 10, such as a device A ( The case of a network including device 13a) and device B (device 13b) will be described again. Device A is a device with an authentication function, and device B is a device without an authentication function. Gateway 10 holds a device list including device A, device B, pseudo device C, pseudo device D, and pseudo device E for device A and device B connected to gateway 10 . When receiving a control request or the like from the controller 12 to a device connected to the gateway 10, the existence of the device is notified based on the device list including the pseudo devices C to E. FIG. The proxy authentication function of gateway 10 allows authentication communication between controller 12 and gateway 10, authentication communication between gateway 10 and device A, and authentication communication between gateway 10 and device B. . In the network of FIG. 10A, when an attacker attempts to refer to information on a device or control a device, as in FIG. 10B, for example, if an attacker attempts to access a pseudo device, it is detected as an unauthorized controller and this access is restricted. Or control such as refusal. According to this embodiment, regardless of whether the device connected to the gateway 10 is a device with an authentication function such as the device A or a device without an authentication function such as the device B, the gateway 10 Connected devices can be protected from unauthorized access.

(Effect of Embodiment)
According to the unauthorized access monitoring system and unauthorized access monitoring method of the present embodiment, the device 13 under the network can be protected from unauthorized access, and one or more devices connected to the gateway 10 can be protected from unauthorized access. can do. The reason is that the gateway 10 manages a device list of pseudo devices that do not exist in the one or more devices, in addition to the devices that actually exist in the one or more devices. This is because the device can be partially hidden.

This makes it possible to safely operate the IoT system in the home 1 . In addition, since the device 13 in the home 1 includes a mixture of real devices and pseudo devices, the real devices can be partially hidden. Also, it is possible to automatically detect the controller 12 that has made unauthorized access to the pseudo device and to control access.

Also, it is possible to automatically detect and control access to a controller 12 that was initially normal and mutated into an unauthorized controller due to malware infection or the like after operation. The detection of this unauthorized controller 12 can be ascertained from the number of accesses by the controller 12 (a large number of accesses in a short period of time) and the contents of access (unauthorized control parameters).

Further, according to the unauthorized access monitoring system and unauthorized access monitoring method of the present embodiment, the in-home IoT system can be safely utilized without changing the implementation on the controller 12 side and the device side as the equipment 13 . Further, according to the unauthorized access monitoring system and unauthorized access monitoring method of this embodiment, even if the number of devices connected to the gateway 10 increases and the number of devices to be protected increases, can be counteracted and protected from unauthorized access by attackers.

[Other embodiments]
Although the preferred embodiments of the present invention have been described above, the present invention is not limited thereto. For example, in the above-described embodiment, information acquisition and device control are separately described for the sake of explanation. ”, the data will be discarded regardless of the content of communication.

Also, when the degree of danger becomes "restricted", the control request from the controller 12 may be discarded and only the information reference request may be communicated. Furthermore, when the risk level is changed to "restricted", the information acquisition communication may also be discarded periodically.

In addition, when increasing the risk of accessing an actual device and a pseudo device, the pseudo device may be weighted so that the risk is more likely to increase than the actual device. .

The risk is flexibly changed according to statistical information. Further, in the above-described embodiment, an example in which the state is changed in stages has been described, but the statistical information is always changed according to the network usage, and the degree of risk is set and changed according to the statistical information. For example, if the statistical information is changed such that communication does not occur for a certain period of time even if the risk level becomes "rejected" or "restricted", change the statistical information to "medium frequency" or "low frequency". , lowering the risk, for example changing the risk to "allowed" or "restricted".

Regarding the change of the risk level, not only the communication frequency but also the risk level can be increased regardless of the statistical information when the controller 12 transmits data specifying that the setting parameter to the pseudo device is out of range. and

Furthermore, in the above-described embodiment, an example has been described in which the gateway 10 blocks communication from the controller 12 determined as an attacker. At this time, it is assumed that it is also possible to notify the detection of the attacker to the terminals inside the home 1 and outside the home.

Some or all of the above-described embodiments can also be described in the following supplementary remarks, but are not limited to the following.
(Appendix 1) Network including a gateway connected to a router connected to an external network, one or more controllers connected to the router, and one or more devices connected to the gateway An unauthorized access control system for
The gateway is
A device management function that manages one or more devices connected to the gateway, and relates to a device that actually exists in the one or more devices and a pseudo device that does not actually exist in the one or more devices. A device management function that manages the device list,
a communication function for transmitting and receiving data in response to a control request to a device included in the device list, when receiving the control request;
Unauthorized access monitoring system.
(Appendix 2) The gateway is a controller that holds information about the controller that sent the control request when the control request to the device included in the device list is from the one or more controllers. further includes a controller management function to manage the list,
The unauthorized access monitoring system according to appendix 1.
(Appendix 3) The controller list of the controller management function holds information on data reception frequency for each controller and information on the risk of unauthorized access determined by the reception frequency.
The unauthorized access monitoring system according to appendix 2.
(Appendix 4) The information held by the controller list is updated each time a control request to the devices included in the device list is received from the one or more controllers.
The unauthorized access monitoring system according to appendix 3.
(Appendix 5) When the control request is from the one or more controllers, the gateway refers to the information on the risk of unauthorized access in the controller list to determine handling.
The unauthorized access monitoring system according to appendix 3 or appendix 4.
(Appendix 6) When the control request is for a pseudo device that does not actually exist in the one or more devices in the device list, the gateway generates data and sends the generated data to the source of the control request. send to
The unauthorized access monitoring system according to any one of appendices 1 to 5.
(Appendix 7) The gateway generates a pseudo device that does not exist in the one or more devices, and the control request is for a pseudo device that does not exist in the one or more devices in the device list. sometimes further comprising a pseudo-device management function that generates said data;
The unauthorized access monitoring system according to appendix 6.
(Appendix 8) Network including a gateway connected to a router connected to an external network, one or more controllers connected to the router, and one or more devices connected to the gateway An unauthorized access control method for
The gateway is
A device management function that manages one or more devices connected to the gateway, and relates to a device that actually exists in the one or more devices and a pseudo device that does not actually exist in the one or more devices. Manage your equipment list,
when receiving a control request to a device included in the device list, transmitting and receiving data in response to the control request;
Unauthorized access monitoring method.
(Appendix 9) When a control request to a device included in the device list is from the one or more controllers, the gateway is a controller that holds information about the controller that sent the control request. manage the list,
The unauthorized access monitoring method according to appendix 8.
(Appendix 10) The controller list of the controller management function holds information on data reception frequency for each controller and information on the risk of unauthorized access determined by the reception frequency.
The unauthorized access monitoring method according to appendix 9.
(Appendix 11) The information held by the controller list is updated each time a control request to the devices included in the device list is received from the one or more controllers.
The unauthorized access monitoring method according to appendix 10.
(Appendix 12) When the control request is from the one or more controllers, the gateway refers to the information on the risk of unauthorized access in the controller list to determine handling.
The unauthorized access monitoring method according to appendix 10 or appendix 11.
(Additional Note 13) When the control request is for a pseudo device that does not actually exist in the one or more devices in the device list, the gateway generates data and transfers the generated data to the source of the control request. send to
The unauthorized access monitoring method according to any one of appendices 8 to 12.
(Appendix 14) The gateway generates a pseudo device that does not exist in the one or more devices, and the control request is for a pseudo device that does not exist in the one or more devices in the device list. when generating said data;
The unauthorized access monitoring method according to appendix 12.

1 home 10 gateway 11 router 12 controller 13, 13a, 13b device 110 communication function 111 communication interface management function 112 communication refusal function 113 communication content analysis/statistical processing function 120 device management function 121 device list 122 device control function 123 device information reference function 130 Controller Management Function 131 Controller List 140 Pseudo Device Management Function 141 Device Generation Function 142 Device Discard Function 143 Device Response Generation Function

Claims (10)

Unauthorized access for a network comprising a gateway connected to a router connected to an external network, one or more controllers connected to said router, and one or more devices connected to said gateway a management system,
The gateway is
A device management function that manages one or more devices connected to the gateway, and relates to a device that actually exists in the one or more devices and a pseudo device that does not actually exist in the one or more devices. A device management function that manages the device list,
a communication function for transmitting and receiving data in response to a control request to a device included in the device list, when receiving the control request;
Unauthorized access monitoring system. The gateway manages a controller list that retains information about the controller that sent the control request when the control request to the device included in the device list is from the one or more controllers. Further includes controller management functions,
An unauthorized access monitoring system according to claim 1. The controller list of the controller management function holds information on data reception frequency for each controller and information on the risk of unauthorized access determined by the reception frequency.
An unauthorized access monitoring system according to claim 2. The information held by the controller list is updated each time a control request to a device included in the device list is received from the one or more controllers.
An unauthorized access monitoring system according to claim 3. When the control request is from the one or more controllers, the gateway refers to the information on the risk of unauthorized access in the controller list to determine handling.
An unauthorized access monitoring system according to claim 3 or 4. The gateway generates data and transmits the generated data to a source of the control request when the control request is for a pseudo device that does not actually exist in the one or more devices in the device list.
An unauthorized access monitoring system according to any one of claims 1 to 5. The gateway generates a pseudo device that does not exist in the one or more devices, and when the control request is for a pseudo device that does not exist in the one or more devices in the device list, the further including a pseudo-device management function that generates data,
An unauthorized access monitoring system according to claim 6. Unauthorized access for a network comprising a gateway connected to a router connected to an external network, one or more controllers connected to said router, and one or more devices connected to said gateway A management method comprising:
The gateway is
A device list for managing one or more devices connected to the gateway and relating to devices existing in the one or more devices and pseudo devices not existing in the one or more devices manage the
when receiving a control request to a device included in the device list, transmitting and receiving data in response to the control request;
Unauthorized access monitoring method. The gateway manages a controller list that retains information about the controller that sent the control request when the control request to the device included in the device list is from the one or more controllers. ,
The unauthorized access monitoring method according to claim 8. The controller list holds information on data reception frequency for each controller and information on the risk of unauthorized access determined by the reception frequency.
The unauthorized access monitoring method according to claim 9.

Images