JP5659881B2 - Band control device, credit management server, and band control system - Google Patents

Description

  The present invention relates to a bandwidth control technique in a communication network system.

A large-scale communication network system serving as a social infrastructure includes measuring devices with communication functions such as smart meters (electric energy meters with communication functions).
In such a system, in particular, the information exchange performed with the measuring instrument with a communication function cannot be stopped. For example, the smart meter performs communication (meter reading communication) with a meter reading server at regular intervals, and transmits and receives data related to meter reading and the like. Therefore, communication between the smart meter and the meter-reading server must be continued.

  On the other hand, it is known that smart meters may also behave maliciously by being infected with malware such as bots (BOT). For example, a smart meter infected with a downloader (malware that only has a download function) after being attacked by an attacker downloads malware (malware that actually attacks) from a malicious download site by the downloader. Infected by Then, the malware receives a command from a malicious attack command site, and starts various attacks as an attacker according to the command. However, the above meter reading communication with the meter reading server is performed even for smart meters infected with malware.

  Under such circumstances, there is a need to manage the communication band for each smart meter, such as limiting the communication band while ensuring meter-reading communication for smart meters infected with malware.

  As a bandwidth control technique in a communication network system, for example, a device that performs communication bandwidth control in access to an access target from a terminal is known.

JP 2010-109428 A

  In order to manage the communication bandwidth for each smart meter, a description of an access control list (Access Control List, hereinafter simply referred to as “ACL”) for communication bandwidth control in peer-to-peer (Peer to Peer) Node description). However, since the number of nodes that are smart meters is very large, the amount of description of the ACL also becomes very large. Therefore, in order to reduce the amount of description of ACL as much as possible, it is unavoidable to substitute the description in units of networks (subnetwork units). However, in this case, since uniform bandwidth control is performed for all smart meters under the control, unnecessary bandwidth limitation is performed even for smart meters that are not infected with malware, for example. It will cause adverse effects such as

Such a problem can occur not only in the case of a smart meter but also in the case of another measuring device with a communication function.
In view of the above circumstances, an object of the present invention is to provide an apparatus, a method, a program, and a system that can reduce the amount of description of an ACL used for communication bandwidth control without any harmful effects.

According to one aspect of the device, the bandwidth control device performs bandwidth control of communication, and includes an inquiry unit, a calculation unit, a generation unit, and a band control unit. The inquiry means inquires the credit management server managing the credit of the node for the credit of the communication source node, and acquires the credit of the transmission source node from the credit management server. The calculation means calculates the bandwidth from the credit degree acquired by the inquiry means. Generating means, viewed contains the information of the calculated band from the credit level acquired by the inquiry unit, an access control list that does not include information identifying the source and destination nodes of the data communications, each said credit degree To do. Bandwidth control means, to the control target communication is the band control target, the source node of the control target communication among the generated access control list of information on credit degree obtained by the inquiry unit by generating means Band limitation is controlled according to the band information included in the access control list.

According to another aspect of the apparatus, it is a credit management server that manages the credit of a node, and includes an updating unit, a receiving unit, and a transmitting / receiving unit. The updating unit calculates the credit level of the node, and updates the node credit level list including the credit level information for each node according to the calculated credit level of the node. The receiving means receives a detection result from an intrusion detection system that detects unauthorized communication. Receiving means receives the node credit of the inquiry from the bandwidth control apparatus for performing bandwidth control communication, responds credit degree of the node to the band control device. The updating means, in accordance with a detection result from the intrusion detection system to calculate the credit of the node according to the fraud communication, and updates the node credit degree list according to the credit of the compute node, the communication function For a node that is an attached measuring device, if the credit level that is the result of the calculation is less than a predetermined value, the node credit level is set to the credit level for the node that is the measuring device with a communication function as the predetermined value. Update the list.

According to still another aspect of the apparatus, there is provided a bandwidth control system including a bandwidth control device that performs bandwidth control of communication, a credit management server that manages node credit, and an intrusion detection system that detects unauthorized communication. Thus, the bandwidth control device and the credit management server include the following configurations. The bandwidth control device includes inquiry means, calculation means, generation means, and bandwidth control means. The inquiry means inquires of the credit management server about the credit level of the communication source node, and acquires the credit level of the source node from the credit level management server. The calculation means calculates the bandwidth from the credit degree acquired by the inquiry means. Generating means, viewed contains the information of the calculated band from the credit level acquired by the inquiry unit, an access control list that does not include information identifying the source and destination nodes of the data communications, each said credit degree To do. Bandwidth control means, to the control target communication is the band control target, the source node of the control target communication among the generated access control list of information on credit degree obtained by the inquiry unit by generating means Band limitation is controlled according to the band information included in the access control list. The credit management server includes update means, reception means, and transmission / reception means. The updating unit calculates the credit level of the node, and updates the node credit level list including the credit level information for each node according to the calculated credit level of the node. The receiving means receives the detection result from the intrusion detection system. Receiving means receives the node credit of the inquiry from the band control device, responsive to credit degree of the node to the band control device. The updating means, in accordance with a detection result from the intrusion detection system, the credit of the node according to the unauthorized communication is calculated and updated node credit degree list according to the credit of the compute node.

  The disclosed apparatus, method, program, and system have an effect that the description amount of ACL used for communication bandwidth control can be reduced without any harmful effects.

It is a figure which shows the structural example of the band control system which concerns on one Example. It is a figure which shows the structural example of a credit router. It is a figure which shows an example of a node and credit list. It is a figure which shows an example of the credit and the band limitation rule memorize | stored in a credit and the band limitation rule storage part. It is a figure which shows the example of ACL used with a credit router compared with the example of ACL used with the conventional router. It is a figure which shows the structural example of a credit management server. It is a figure which shows an example of the black list memorize | stored in a black list memory | storage part. It is a figure which shows an example of the credit update rule stored in a credit update rule storage part. It is a figure which shows an example of the data structure of the detection result transmitted to ID management server from IDS. It is a figure which shows an example of the data structure of the inquiry of a credit transmitted from a credit router to a credit management server. It is a figure which shows an example of the data structure of the response with respect to the inquiry of a credit transmitted from a credit management server to a credit router. It is a figure explaining the outline | summary of operation | movement of the band control system which concerns on the present Example applied to the large-scale communication network system used as a social infrastructure. It is a flowchart which shows the operation | movement which concerns on the detection of an infected communication. It is a figure which shows typically the flow of the data in S105 thru | or 108 of FIG. It is a 1st flowchart which shows the operation | movement which concerns on detection of download communication. It is a 2nd flowchart which shows the operation | movement which concerns on detection of download communication. It is a 1st flowchart which shows the operation | movement which concerns on the detection of command communication. It is a 2nd flowchart which shows the operation | movement which concerns on the detection of command communication. It is a flowchart which shows the operation | movement which concerns on recovery of creditworthiness. It is a 1st flowchart which shows the operation | movement which concerns on control of meter-reading communication. It is a 2nd flowchart which shows the operation | movement which concerns on control of meter-reading communication. It is a figure which shows typically the data flow in S501 thru | or 503 of FIG. 20, and S508 thru | or S511 of FIG. It is a figure which shows typically an example of the band adjustment performed by S510 of FIG. It is a figure which shows the structural example of a computer system.

FIG. 1 is a diagram illustrating a configuration example of a bandwidth control system according to an embodiment.
As shown in FIG. 1, the bandwidth control system according to the present embodiment includes a credit router in which each of the smart meters 10a and 10b is connected to an intrusion detection system (hereinafter simply referred to as “IDS”) 30a. The structure connected to the internet 60 via 20a is included. Further, the credit management server 40 includes a configuration in which the credit management server 40 is connected to the Internet 60 via the credit router 20b connected to the IDS 30b. Moreover, the structure which the meter-reading server 50 is connected to the internet 60 via the credit router 20c connected with IDS30c is also included.

Although not shown, the bandwidth control system according to the present embodiment further includes one configuration in which one or more smart meters are connected to the Internet 60 via a credit router connected to the IDS. It can also be configured to include the above. Furthermore, it is possible to configure such that another server is connected to the Internet 60 via a credit router connected to the IDS. It is also possible to apply another type of measuring device with communication function in place of the smart meter, and it is also possible to apply a plurality of measuring devices with communication function of different types instead of a plurality of smart meters. Is possible.
As described above, the bandwidth control system according to the present embodiment includes a configuration in which the credit router 20 and the IDS 30 are provided in each sub-network.

  In the bandwidth control system according to the present embodiment shown in FIG. 1, each of the smart meters 10a and 10b communicates with the meter-reading server 50 at regular intervals to send and receive data related to meter-reading. For example, the measured meter reading data (meter reading data) is transmitted to the meter reading server 50, or a stop instruction, a reset instruction or the like is received from the meter reading server 50. When a stop instruction is received from the meter reading server 50, the operation is stopped, and when a reset instruction is received, the setting is reset. Hereinafter, the smart meters 10a and 10b and other smart meters (not shown) are also collectively referred to simply as the smart meter 10.

  Each of the credit routers 20a, 20b, and 20c performs bandwidth control of relayed communication according to the ACL. As will be described in detail later, for example, various inquiries such as an inquiry of credit to the credit management server 40, calculation of a bandwidth according to the credit, generation of an ACL according to the credit, and bandwidth control according to the ACL. Process. It also performs processing as a general router. In the following description, the credit routers 20a, 20b, and 20c and other credit routers not shown are collectively referred to simply as the credit router 20. Here, the credit router 20 is an example of a bandwidth control device.

  Each of the IDSs 30a, 30b, and 30c analyzes the content of communication relayed by the connected credit router 20 and detects unauthorized communication (malicious communication). When unauthorized communication is detected, the detection result is transmitted to the credit management server 40. The detection result includes information such as whether the detected unauthorized communication is infected communication, download communication, or command communication. Here, the infected communication is communication performed when malware (downloader) is infected. Download communication is communication performed when malware (malware that actually attacks) is downloaded from a node (download site) on a black list. Command communication is communication performed when a command is received from a node (attack command site) on a black list. Hereinafter, IDSs 30a, 30b, and 30c and other IDSs not shown are collectively referred to simply as IDS30.

  The credit management server 40 manages credit for each node. As will be described in detail later, for example, various processes such as a response to a credit inquiry from the credit router 20, reception of a detection result transmitted from the IDS 30, and calculation of credit are performed.

  The meter-reading server 50 communicates with each smart meter 10 at regular intervals to send and receive data related to meter-reading and the like. For example, meter reading data is received from the smart meter 10 or a stop instruction, a reset instruction, or the like is transmitted to the smart meter 10. In addition, management of meter reading data and management of each smart meter 10 are performed.

  In the present application, the credit level is a numerical value representing the credit level of a node given to each node. A high credit level is assigned to a node with high safety, and a low credit level is assigned to a node with low security. For example, when unauthorized communication such as infection communication, download communication, and command communication is performed, the credit given to a node (for example, a transmission source node and a transmission destination node) related to the communication decreases. However, when the node is the smart meter 10, a lower limit value is provided for the credit level to be given, and the credit level does not decrease below the lower limit value. The lower limit value corresponds to a minimum band necessary for the smart meter 10 to perform meter reading communication. On the other hand, even if a node is given a low credit rating, countermeasures against the cause of the low credit rating, such as removal of malware, are taken, and if the safety of the node is confirmed, the credit rating is Restores the maximum possible value of credit.

FIG. 2 is a diagram illustrating a configuration example of the credit router 20.
As shown in FIG. 2, the credit router 20 includes a node / credit list storage unit 21, a credit inquiry unit 22, a credit / band calculation unit 23, an ACL generation unit 24, and an ACL storage unit 25. And a credit / bandwidth limit rule storage unit 26, a communication control unit 27, an access control unit 28, and a control unit 29.

The node / credit list storage unit 21 stores a node / credit list in which credit is described for each node (including credit information for each node).
The credit inquiry unit 22 inquires the credit management server 40 about the credit of a node (for example, a communication transmission source node) and acquires the credit. Then, the node / credit list stored in the node / credit list storage unit 21 is updated in accordance with the acquired credit of the node, and the acquired credit of the node is reflected in the node / credit list. For example, if the acquired node credit level is not described in the node / credit list, the acquired node credit level is described in the node / credit list. Alternatively, if the credit level of the same node is already described in the node / credit level list, the description is changed to the credit level of the acquired node.

  The credit level / bandwidth calculation unit 23 calculates a bandwidth from the credit level acquired by the credit level query unit 22 in accordance with the credit level / bandwidth limit rule stored in the credit level / bandwidth limit rule storage unit 25.

  The ACL generation unit 24 generates an ACL corresponding to the credit level based on the credit level acquired by the credit level query unit 22 and the band calculated by the credit level / bandwidth calculation unit 23 from the credit level. However, if an ACL corresponding to the same credit level as that credit level has already been generated, an ACL corresponding to the credit level is not generated.

The ACL storage unit 25 stores the ACL generated by the ACL generation unit 24.
The credit / bandwidth limit rule storage unit 26 stores a credit / bandwidth limit rule that defines a rule when the credit / bandwidth calculation unit 23 calculates a band from the credit level.

The communication control unit 27 controls communication relayed by the credit router 20.
Under the control of the communication control unit 27, the access control unit 28 performs bandwidth control for communication relayed by the credit router 20 in accordance with the ACL stored in the ACL storage unit 25.

The control unit 29 controls the overall operation of the credit router 20.
In the credit router 20, the credit inquiry unit 22 is an example of an inquiry unit, the credit degree / bandwidth calculation unit 23 is an example of a calculation unit, and the ACL generation unit 24 is an example of a generation unit. The unit 28 is an example of band control means.

FIG. 3 is a diagram illustrating an example of the node / credit list.
The node / credit list shown in FIG. 3 is an example of a node / credit list stored in the node / credit list storage unit 21, and a node / credit list described later of the credit management server 40. It is also an example of a node / credit list stored in the storage unit 41.

  As shown in FIG. 3, in the node / credit list, a node name, a node credit, a node attribute, and the like are described for each node. For example, the node whose node name is “terminal B” indicates that the credit rating is “100” and the node attribute is “smart meter”.

FIG. 4 is a diagram illustrating an example of the credit / bandwidth restriction rule stored in the credit / bandwidth restriction rule storage unit 26.
The credit limit / bandwidth restriction rule shown in FIG. 4 is a rule that prescribes the value of credit as an integer from 0 to 100 and defines the credit value itself as a band. For example, if the credit value is 60, the bandwidth is 60%. In this case, the bandwidth to be used is limited to 60% of the whole.

FIG. 5 is a diagram illustrating an ACL example used in the credit router 20 in comparison with an ACL example used in a conventional router.
In FIG. 5, the left side shows an example of ACL used in the credit router 20, and the right side shows an example of ACL used in a conventional router.

  As shown on the right side of FIG. 5, the ACL used in the conventional router includes a description of bandwidth limitation for each description specifying the source and destination nodes. In this example, a description indicating that the bandwidth is limited to 50% for communication from the terminal #A having the IP (Internet Protocol) address “A” to the node having the IP address “D” is included. . In addition, a description indicating that the bandwidth is limited to 30% for communication from the terminal #B having the IP address “B” to the node having the IP address “D” is included. Furthermore, a description indicating that the bandwidth is limited to 30% for communication from the terminal #C having the IP address “C” to the node having the IP address “D” is included. With such an ACL description, communication from the terminal #A to the node having the IP address “D” is limited to a bandwidth of 50%, and communication from the terminal #B to the node having the IP address “D” is the bandwidth 30%. Thus, communication from the terminal #C to the node having the IP address “D” is limited to a bandwidth of 30%.

  On the other hand, as shown on the left side of FIG. 5, the credit router 20 generates an ACL for each credit level, such as an ACL for a credit level of 50 or an ACL for a credit level of 30. Each ACL includes a band limitation description (information) corresponding to the credit level, but does not include a description (information) for specifying a source node and a destination node. For example, although the ACL for the credit rating 50 includes a description indicating that the communication band is limited to 50% corresponding to the credit rating 50, the description for specifying the source and destination nodes is as follows. Not included. Similarly, although the ACL for the credit level 30 includes a description indicating that the communication band is limited to 30% corresponding to the credit level 30, the description specifying the source and destination nodes is included. Is not included. As a result, the communication from the terminal #A to which the credit level 50 is given is limited to a bandwidth of 50% according to the description of the ACL for the credit level 50 corresponding to the credit level 50. Further, the communication from the terminals #B and #C to which the credit level 30 is given is limited to 30% in bandwidth according to the description of the ACL for the credit level 30 corresponding to the credit level 30.

  As described above, the ACL used in the credit router 20 does not require a description for specifying a transmission source and a transmission destination node for performing bandwidth limitation. Further, even if communication is performed from different terminals (for example, terminals #B and #C), if the assigned credit levels are the same, the same ACL corresponding to the credit level (for example, ACL for credit level 30) The bandwidth can be limited according to the description of. Therefore, the ACL used in the credit router 20 can significantly reduce the amount of ACL description compared to the ACL used in the conventional router.

  The ACL for the credit rating 50 is based on, for example, the credit rating 50 of the node #A acquired by the credit query unit 22 and the bandwidth 50% calculated by the credit / bandwidth calculation unit 23 from the credit rating 50. , The ACL generated by the ACL generation unit 24. Further, the ACL for the credit level 30 is, for example, the credit level 30 of the node #B or #C acquired by the credit level inquiry unit 22, and the bandwidth 30% calculated by the credit level / bandwidth calculation unit 23 from the credit level 30. The ACL generated by the ACL generating unit 24 based on the above.

FIG. 6 is a diagram illustrating a configuration example of the credit management server 40.
As shown in FIG. 6, the credit management server 40 includes a node / credit list storage unit 41, a black list storage unit 42, an IDS communication unit 43, a credit calculation unit 44, and a credit update rule storage. Unit 45, credit transmission / reception unit 46, and control unit 47.

The node / credit list storage unit 41 stores a node / credit list in which credit is described for each node (including credit information for each node).
The black list storage unit 42 stores a black list in which malicious nodes are described (including malicious node information).

The IDS communication unit 43 communicates with the IDS 30. For example, the detection result from the IDS 30 is received.
The credit level calculation unit 44 calculates the credit level of the node in accordance with the credit level update rule stored in the credit level update rule storage unit 45. Then, the node / credit list stored in the node / credit list storage unit 41 is updated according to the calculated credit level, and the calculated credit level is reflected in the node / credit list. For example, if the calculated node credit is not described in the node / credit list, the calculated node credit is described in the node / credit list. Alternatively, if the credit level of the same node is already described in the node / credit list, the description is changed to the calculated credit level of the node.

The credit level update rule storage unit 45 stores a credit level update rule that defines a rule when the credit level calculation unit 44 calculates the credit level.
The credit transmission / reception unit 46 receives an inquiry from the credit router 20 and transmits a response to the inquiry to the credit router 20.

The control unit 47 controls the overall operation of the credit management server 40.
In the credit management server 40, the IDS communication unit 43 is an example of a receiving unit, the credit level calculating unit 44 is an example of an updating unit, and the credit level transmitting / receiving unit 46 is an example of a transmitting / receiving unit.

FIG. 7 is a diagram illustrating an example of a black list stored in the black list storage unit 42.
As shown in FIG. 7, the black list describes the server type, FQDN (Fully Qualified Domain Name), IP address, and the like for each malicious node. For example, a malicious node whose FQDN is “Download malware.com” and whose IP address is “121.24.XX.XX” indicates that the server type is “download site”.

FIG. 8 is a diagram illustrating an example of the credit update rule stored in the credit update rule storage unit 45.
As shown in FIG. 8, the credit update rule includes the following rules. If the detection result from the IDS 30 is a detection result indicating “infection communication”, a rule for setting the credit level value of the corresponding node to “−10” is included. Further, when the detection result from the IDS 30 is a detection result that indicates “download communication” or “command communication”, a rule that sets the credit level value of the corresponding node to “−20” is included. Further, when the node for which the credit level inquiry is made from the credit level router 20 is a “node on the black list”, a rule for setting the credit level value of the node to “−20” is included. In the node / credit list stored in the node / credit list storage unit 41, if there is a node for which the credit level has not been updated for a certain period, the credit level value of the node is set to “100”. (In this case, the maximum value of the credits that can be taken is 100). Note that this is the case when, for example, a countermeasure for the cause of the low credit rating is applied, such as by applying a patch for vulnerability repair to the node. .

FIG. 9 is a diagram illustrating an example of a data structure of a detection result transmitted from the IDS 30 to the credit management server 40.
As shown in FIG. 9, the data structure of the detection result includes the target address, the detected communication event, the IP address (From To) of the transmission source node and the transmission destination node of the communication, and the like. For example, in the example of the data structure of the detection result shown in the upper part of FIG. 9, the destination node whose IP address is “168.2.XX.XX” from the source node whose IP address is “192.168.XX.XX”. This indicates that the communication to is “infection communication” and the target address is the IP address of the transmission source node. In this example, when the communication event is “infection communication” and “download communication”, the target address is the IP address of the transmission source node, and when it is “command communication”, the target address is Becomes the IP address of the destination node.

FIG. 10 is a diagram illustrating an example of a data structure of a credit inquiry transmitted from the credit router 20 to the credit management server 40.
As shown in FIG. 10, the data structure of the credit inquiry includes the IP address and port number (FromIP: Port) of the transmission source node and the IP address of the transmission destination node in the communication relayed by the credit quality router 20. And port number (ToIP: Port). For example, in the example of the data structure of the inquiry about credit shown in the upper part of FIG. 10, the credit of the source node whose IP address: port number is “192.168.XX.XX: 1211” and the IP address: port number are This indicates that the credit level of the destination node “211.12.XX.XX: 1344” is to be queried.

FIG. 11 is a diagram illustrating an example of a data structure of a response to a credit inquiry transmitted from the credit management server 40 to the credit router 20.
As shown in FIG. 11, the data structure of the response to the credit inquiry includes the IP address and port number (FromIP: Port) of the transmission source node that has received the credit inquiry, and the IP address and port of the transmission destination node. It includes a number (ToIP: Port) and each credit level. However, the example shown in FIG. 11 shows a case where the credit levels of the transmission source node and the transmission destination node are the same value. In this case, only one credit level is included as the credit level of both. . For example, in the example of the data structure of the response to the inquiry about the credit degree shown in the upper part of FIG. 11, the credit degree of the source node having the IP address: port number “192.168.XX.XX: 1211” and the IP address: This indicates that the credit level of the destination node having the port number “211.12.XX.XX: 1344” is “50”.

Next, the operation of the bandwidth control system according to the present embodiment will be described.
Here, the operation of the bandwidth control system according to the present embodiment will be described by taking as an example a case where the bandwidth control system is applied to a large-scale communication network system serving as a social infrastructure.

FIG. 12 is a diagram for explaining the outline of the operation of the bandwidth control system according to the present embodiment applied to a large-scale communication network system serving as a social infrastructure.
In addition to the configuration shown in FIG. 1, the system shown in FIG. 12 further has a configuration in which a malicious attack command site 70 is connected to the Internet 60 via a credit router 20d connected to the IDS 30d. Including. Furthermore, a configuration in which a malicious download site 80 is connected to the Internet 60 via a credit router 20e connected to the IDS 30e is included.

  In the following description, it is assumed that the credit / bandwidth limit rule storage unit 26 of the creditworthiness router 20 stores the credit / bandwidth limit rule shown in FIG. Further, it is assumed that the credit update rule shown in FIG. 8 is stored in the credit update rule storage unit 45 of the credit management server 40.

In such a system, the bandwidth control system according to the present embodiment performs various operations such as detection of unauthorized communication, reflection of credit, and control of meter reading communication.
In the detection of unauthorized communication and the reflection of credit level, when unauthorized communication such as infected communication, download communication, command communication, etc. is detected, the credit level is reflected according to the unauthorized communication.

  For example, when the credit router 20a receives an infected communication performed by the smart meter 10a already infected with malware to the smart meter 10b (see arrow (a)), the communication is connected to the credit router 20a. IDS 30a analyzes. Then, the IDS 30a detects that the communication is an infected communication, and transmits the detection result (detection result that the communication from the smart meter 10a to the smart meter 10b is an infected communication) to the credit management server 40 ( Arrow (b)). Then, the credit management server 40 stores the node / credit list so as to lower the credit of the smart meter 10a which is the transmission source node of the infected communication and the credit of the smart meter 10b which is the transmission destination node. The node / credit list stored in the unit 41 is updated.

  Thereafter, for example, when the credit router 20e receives download communication (communication for downloading malware that actually attacks) the smart meter 10b infected with malware (downloader) to the download site 80 (arrow ( c)), the communication is analyzed by the IDS 30e connected to the credit router 20e. Then, the IDS 30e detects that the communication is download communication, and transmits the detection result (detection result that communication from the smart meter 10b to the download site 80 is malware download communication) to the credit management server 40. (See arrow (d)). Then, the credit management server 40 stores the node / credit list so as to lower the credit of the smart meter 10b which is the transmission source node of the download communication and the credit of the download site 80 which is the transmission destination node. The node / credit list stored in the unit 41 is updated.

  After that, for example, when the credit router 20d receives command communication (command communication for receiving the attack command) performed by the smart meter 10b infected with malware that actually attacks the attack command site 70, the communication is performed. The IDS 30d connected to the credit router 20d analyzes. The IDS 30d detects that the communication is command communication, and transmits the detection result (detection result that communication from the smart meter 10b to the attack command site 70 is command communication) to the credit management server 40. To do. Then, the credit management server 40 has a node / credit list to reduce the credit of the smart meter 10b that is the transmission source node of the command communication and the credit of the attack command site 70 that is the transmission destination node. The node / credit list stored in the storage unit 41 is updated.

  In addition, the credit management server 40, as described above, in the node / credit list stored in the node / credit list storage unit 41, when there is a node whose credit is not updated for a certain period of time. Updates the node / credit list to restore the credit level of the node to 100. Such processing is performed by the credit calculation unit 44 of the credit management server 40. As a result, even if a node is given a low credit rating, for example, a patch for vulnerability repair is applied to the node, so that a countermeasure for the cause of the low credit rating is taken. If applied, the credit level of the node can be restored to 100.

On the other hand, in the control of meter reading communication, the following operation is performed.
For example, when the credit router 20c receives meter reading communication performed by the smart meter 10b infected with malware that actually attacks the meter reading server 50 (see arrow (e)), the communication is sent to the credit router 20c. The connected IDS 30c analyzes. However, in this case, since the communication is not unauthorized communication, the IDS 30c does not detect unauthorized communication.

  The credit router 20c also inquires of the credit management server 40 about the credit of the transmission source node and the transmission destination node of the meter reading communication (see arrow (f)). On the other hand, the credit management server 40 responds to the credit router 20c with the credit received for the inquiry (see arrow (f)). If the ACL corresponding to the credit level is not stored in the ACL storage unit 25, the credit level router 20 c generates it and stores it in the ACL storage unit 25. Then, the bandwidth control of the meter reading communication is performed according to the ACL corresponding to the credit level of the transmission source node of the meter reading communication. At this time, since the transmission source node is the smart meter 10b, the value of the credit level of the transmission source node does not become less than the above lower limit value. Therefore, even in the smart meter 10b infected with malware, the minimum bandwidth necessary for meter reading communication is ensured and meter reading communication is performed (see arrow (g)).

Next, each operation described above will be described in more detail using a flowchart.
In the following description, the smart meter 10a is described as “terminal A” and the smart meter 10b is described as “terminal B”. The credit router 20a will be described as “credit router A”, the credit router 20e as “credit router B”, and the credit router 20d as “credit router C”.

FIG. 13 is a flowchart showing an operation relating to detection of the above-described infected communication.
As shown in FIG. 13, in this operation, first, when the credit router A receives a communication request from the terminal A to the terminal B (S101), the credit inquiry unit 22 of the credit router A The credit management server 40 is inquired about the credit level of the terminal B (S102).

  In response to this inquiry, the credit management server 40 does not have a description of the credit levels of the terminals A and B in the node / credit list stored in the node / credit list storage unit 41 at this time. The terminal B responds with the credit level of the terminal B as 100 (S103). At this time, the fact that the credit levels of both terminal A and terminal B are 100 is reflected in the node / credit list stored in the node / credit list storage unit 41.

  When the response from the credit management server 40 is received, the credit router A performs the following process (S104). First, the credit inquiry unit 22 reflects in the node / credit list stored in the node / credit list storage unit 21 that the credit levels of the terminals A and B are both 100. Next, the credit / bandwidth calculation unit 23 performs calculation according to the credit / bandwidth limit rule (see FIG. 4) stored in the creditworthiness / bandwidth limit rule storage unit 25, and calculates the bandwidth from the credit level 100 of the terminal A. Get 100%. Further, 100% of the bandwidth is obtained from the credit rating 100 of the terminal B. Next, the ACL generation unit 24 generates an ACL (ACL for the credit level 100) corresponding to the credit level 100 and including the description of the bandwidth limit 100%, and stores the ACL in the ACL storage unit 25. However, when the ACL for credit 100 is already stored in the ACL storage unit 25, the ACL is not generated.

  Next, under the control of the communication control unit 27, the access control unit 28 performs the communication requested in S101 according to the ACL for credit 100 corresponding to the credit 100 of the terminal A that is the transmission source node of the communication. Relay (S105). As a result, the communication requested in S101 is relayed with a bandwidth limit of 100%, and communication from terminal A to terminal B starts.

  Next, the IDS 30a connected to the credit router A analyzes the content of communication from the terminal A to the terminal B, and detects that the communication is an infected communication (S106). Then, a detection result that the communication is an infected communication is transmitted to the credit management server 40.

  When the detection result from the IDS 30a is received, the credit management server 40 performs the following processing. First, the credit calculation unit 44 performs the terminal A and the terminal B based on the detection result received by the IDS communication unit 43 according to the credit update rule (see FIG. 8) stored in the credit update rule storage 45. Is calculated (S107, S108). In this case, the credit levels of the terminal A and the terminal B described in the node / credit level list stored in the node / credit level list storage unit 41 are 100, respectively, and the detection result is an infected communication. Therefore, the credit levels of the terminal A and the terminal B are each decreased by -10. Therefore, the calculation results of the credit levels of the terminal A and the terminal B by the credit level calculation unit 44 are 100−10 = 90, respectively. The credit calculation unit 44 reflects the calculation result in the node / credit list stored in the node / credit list storage unit 41.

  By such an operation, for example, when an inquiry about the credit levels of the terminal A and the terminal B is next made to the credit management server 40, 90 is returned as the respective credit levels. .

FIG. 14 is a diagram schematically showing the data flow in S105 to S108 described above.
In FIG. 14, #A indicates the IP address of terminal A, and #B indicates the IP address of terminal B. A packet 101 indicates a packet of communication relayed from the terminal A to the terminal B in S105 described above. The signature 102 is a signature of an infected communication registered in the IDS 30a. The signature used when the IDS 30a detects an infected communication from the communication packet 101 relayed from the terminal A to the terminal B in S106. is there. The detection result information 103 is detection result information that the communication from the terminal A to the terminal B transmitted from the IDS 30 a to the credit management server 40 in S <b> 106 is an infected communication. The node / credit list 41a is a part of the node / credit list stored in the node / credit list storage unit 41 (the credits of the terminal A and the terminal B before the processing of S107 and S108 described above). Degree). The node / credit list 41b is a part of the node / credit list stored in the node / credit list storage unit 41 after the processing of S107 and S108 described above (terminal A and terminal B credit rating).

15 and 16 are flowcharts showing the operation related to the detection of the download communication described above.
As shown in FIG. 15, in this operation, first, when the credit router A receives a communication request from the terminal B to the download site 80 (S201), the credit inquiry unit 22 of the credit router A B and the download site 80 are inquired of the credit management server 40 (S202).

  In response to this inquiry, the credit management server 40 acquires the credit level 90 of the terminal B from the node / credit level list stored in the node / credit level list storage unit 41, and sets the credit level of the terminal B to 90, A response is made (S203).

Further, the credit management server 40 determines whether or not the download site 80 is included in the black list stored in the black list storage unit 42 (S204).
In this example, an example in which the determination result is Yes will be described below.

  If the determination result in S204 is Yes, the following processing is performed (S205). First, the credit level calculation unit 44 calculates the credit level of the download site 80 according to the credit level update rule (see FIG. 8) stored in the credit level update rule storage unit 45. At this time, since the credit level of the download site 80 is not described in the node / credit list stored in the node / credit list storage unit 41, the credit level becomes 100, but is −20 according to the credit level update rule. 100−20 = 80. Then, the credit level calculation unit 44 reflects the credit level 80 of the download site 80, which is the calculation result, in the node / credit level list stored in the node / credit level list storage unit 41. Further, the credit management server 40 responds with the credit of the download site 80 as 80.

  When the response from the credit management server 40 is received, the credit router A performs the following process (S206). First, the credit inquiry unit 22 indicates that the credit rating of the terminal B is 90 and the credit rating of the download site 80 is 80 in the node / credit list stored in the node / credit list storage unit 21. reflect. Next, the credit / bandwidth calculation unit 23 performs a calculation according to the credit / bandwidth limit rule (see FIG. 4) stored in the creditworthiness / bandwidth limit rule storage unit 25, and calculates the bandwidth from the credit level 90 of the terminal B 90% is obtained. Further, 80% of the bandwidth is obtained from the credit rating 80 of the download site 80. Next, the ACL generating unit 24 includes an ACL (ACL for credit 90) corresponding to the credit rating 90 and including a description of the bandwidth limit 90%, and an ACL including a description of the bandwidth limit 80% corresponding to the credit 80. (ACL for credit rating 80) is generated and stored in the ACL storage unit 25. However, when the ACL for credit 90 and the ACL for credit 80 are already stored in the ACL storage unit 25, the ACL is not generated for those already stored. Next, under the control of the communication control unit 27, the access control unit 28 performs the communication requested in S201 according to the ACL for credit 90 corresponding to the credit 90 of the terminal B that is the transmission source node of the communication. Relay. As a result, the communication requested in S201 is relayed with a bandwidth limit of 90%.

  Next, when the credit router B receives a communication request from the terminal B to the download site 80, basically, the process performed when the credit router A receives the communication request is as follows. (S207). First, the credit inquiry unit 22 of the credit router B inquires the credit management server 40 about the credit of the terminal B and the download site 80. Then, a response is received from the credit management server 40 in which the credit level of the terminal B is 90 and the credit level of the download site 80 is 80. The credit / bandwidth calculation unit 23 obtains 90% of the bandwidth from the creditworthiness 90 of the terminal B by calculation. Further, 80% of the bandwidth is obtained from the credit rating 80 of the download site 80. Next, the ACL generating unit 24 includes an ACL (ACL for credit 90) corresponding to the credit rating 90 and including a description of the bandwidth limit 90%, and an ACL including a description of the bandwidth limit 80% corresponding to the credit 80. (ACL for credit rating 80) is generated and stored in the ACL storage unit 25. However, when the ACL for credit 90 and the ACL for credit 80 are already stored in the ACL storage unit 25, the ACL is not generated for those already stored.

  Next, under the control of the communication control unit 27, the access control unit 28 performs the communication requested in S207 according to the ACL for credit 90 corresponding to the credit 90 of the terminal B that is the transmission source node of the communication. Relay (S208). Thus, the communication requested in S207 is relayed with a bandwidth limit of 90%, and communication from the terminal B to the download site 80 starts.

  Next, as shown in FIG. 16, the IDS 30e connected to the credit router B analyzes the communication from the terminal B to the download site 80 and detects that the communication is a download communication (S209). Then, a detection result that the communication is a download communication is transmitted to the credit management server 40.

  When the detection result from the IDS 30e is received, the credit management server 40 performs the following processing. First, the credit level calculation unit 44 performs the credit level of the terminal B based on the detection result received by the IDS communication unit 43 in accordance with the credit level update rule (see FIG. 8) stored in the credit level update rule storage unit 45. Is calculated (S210). In this case, since the credit level of the terminal B described in the node / credit level list stored in the node / credit level list storage unit 41 is 90 and the detection result is the download communication, the terminal B The credit level of -20 is reduced to -20. Therefore, the calculation result of the credit level of the terminal B by the credit level calculation unit 44 is 90-20 = 70. Then, the credit level calculation unit 44 determines whether or not the calculated credit level of the terminal B is 0 or more (S211). Here, when the determination result is Yes, the calculation result in which the credit rating of the terminal B is set to 70 is reflected in the node / credit list stored in the node / credit list storage unit 41 (S212). .

  On the other hand, when the determination result in S211 is No, it is determined whether or not the terminal B is the smart meter 10 (S213). Here, when the determination result is Yes, the credit rating of the terminal B is set to 10 which is the lower limit value, and this is reflected in the node / credit list stored in the node / credit list storage unit 41. (S214). By such processing, the minimum bandwidth necessary for meter reading communication is ensured for communication from the smart meter 10. On the other hand, when the determination result in S213 is No, the credit rating of the terminal B is set to 0, and this is reflected in the node / credit list stored in the node / credit list storage unit 41 (S215). By such processing, communication is blocked for communication from a node whose credit degree is 0.

In this example, the following description will be given assuming that the determination result in S211 is Yes.
Next, the credit calculation unit 44 determines the download site 80 based on the detection result received by the IDS communication unit 43 according to the credit update rule (see FIG. 8) stored in the credit update rule storage 45. The credit level is calculated (S216). In this case, since the credit level of the download site 80 described in the node / credit list stored in the node / credit list storage unit 41 is 80 and the detection result is download communication, the download is performed. The credit rating of the site 80 is -20. Therefore, the credit level calculation result of the download site 80 by the credit level calculation unit 44 is 80-20 = 60. Then, the credit level calculation unit 44 determines whether or not the calculated credit level of the download site 80 is 0 or more (S217). If the determination result is Yes, the calculation result with the credit level of the download site 80 being 60 is reflected in the node / credit list stored in the node / credit list storage unit 41 (S218). ).

  On the other hand, if the determination result in S217 is No, the credit rating of the download site 80 is set to 0, and this is reflected in the node / credit list stored in the node / credit list storage unit 41 (S219). .

In this example, the following description will be given on the assumption that the determination result in S217 is Yes.
By such an operation, for example, when the credit management server 40 is subsequently inquired of the credit quality of the terminal B and the download site 80, 70 is returned as the credit level of the terminal B, and the download is performed. 60 is returned as the credit rating of the site 80.

17 and 18 are flowcharts showing the operation related to the detection of the command communication described above.
This operation is basically the same as the operation related to detection of download communication described with reference to FIGS. 15 and 16 described above.

  As shown in FIG. 17, in this operation, first, when the credit router A receives a communication request from the terminal B to the attack command site 70 (S301), the credit inquiry unit 22 of the credit router A The credit management server 40 is inquired about the credit levels of the terminal B and the attack command site 70 (S302).

  In response to this inquiry, the credit management server 40 acquires the credit level 70 of the terminal B from the node / credit level list stored in the node / credit level list storage unit 41, and sets the credit level of the terminal B to 70. A response is made (S303).

Further, the credit management server 40 determines whether or not the attack command site 70 is included in the black list stored in the black list storage unit 42 (S304).
In this example, an example in which the determination result is Yes will be described below.

  If the determination result in S304 is Yes, the following processing is performed (S305). First, the credit level calculation unit 44 calculates the credit level of the attack instruction site 70 according to the credit level update rule (see FIG. 8) stored in the credit level update rule storage unit 45. At this time, since the credit level of the attack command site 70 is not described in the node / credit level list stored in the node / credit level list storage unit 41, the credit level becomes 100, but is −20 according to the credit level update rule. 100−20 = 80. Then, the credit calculation unit 44 reflects the credit 80 of the attack instruction site 70, which is the calculation result, in the node / credit list stored in the node / credit list storage unit 41. Further, the credit management server 40 responds with the credit of the attack command site 70 as 80.

  When the response from the credit management server 40 is received, the credit router A performs the following process (S306). First, the credit level inquiry unit 22 indicates that the credit level of the terminal B is 70 and the credit level of the attack command site 70 is 80. The node / credit level list stored in the node / credit level list storage unit 21 To reflect. Next, the credit / bandwidth calculation unit 23 performs calculation according to the credit / bandwidth limit rule (see FIG. 4) stored in the creditworthiness / bandwidth limit rule storage unit 25, and calculates the bandwidth from the credit level 70 of the terminal B. Get 70%. Further, 80% of the bandwidth is obtained from the credit rating 80 of the attack command site 70. Next, the ACL generating unit 24 includes an ACL (ACL for the credit limit 70) corresponding to the credit level 70 and including a description of the bandwidth limit 70%, and an ACL including a description of the bandwidth limit 80% corresponding to the credit level 80. (ACL for credit rating 80) is generated and stored in the ACL storage unit 25. However, when the ACL for the credit level 70 and the ACL for the credit level 80 are already stored in the ACL storage unit 25, the ACL is not generated for those already stored. In this example, as described above, since the ACL for credit 80 is already generated in S206 of FIG. 15, the ACL is not generated here. Next, under the control of the communication control unit 27, the access control unit 28 performs the communication requested in S301 in accordance with the ACL for credit 70 corresponding to the credit 70 of the terminal B that is the transmission source node of the communication. Relay. As a result, the communication requested in S301 is relayed with a bandwidth limit of 70%.

  Next, when the credit router C receives a communication request from the terminal B to the attack command site 70, basically, the credit router A performs the following processing similar to the processing performed when the credit router A receives the communication request. Such processing is performed (S307). First, the credit inquiry unit 22 of the credit router C inquires the credit management server 40 about the credit of the terminal B and the attack command site 70. Then, a response is received from the credit management server 40 in which the credit level of the terminal B is 70 and the credit level of the attack instruction site 70 is 80. The credit / bandwidth calculation unit 23 obtains a bandwidth of 70% from the creditworthiness 70 of the terminal B by calculation. Further, 80% of the bandwidth is obtained from the credit rating 80 of the attack command site 70. Next, the ACL generating unit 24 includes an ACL (ACL for the credit limit 70) corresponding to the credit level 70 and including a description of the bandwidth limit 70%, and an ACL including a description of the bandwidth limit 80% corresponding to the credit level 80. (ACL for credit rating 80) is generated and stored in the ACL storage unit 25. However, when the ACL for the credit level 70 and the ACL for the credit level 80 are already stored in the ACL storage unit 25, the ACL is not generated for those already stored.

  Next, under the control of the communication control unit 27, the access control unit 28 performs the communication requested in S307 according to the ACL for credit 70 corresponding to the credit 70 of the terminal B that is the transmission source node of the communication. Relay (S308). Thereby, the communication requested in S307 is relayed with a bandwidth limit of 70%, and communication from the terminal B to the attack command site 70 is started.

  Next, as shown in FIG. 18, the IDS 30d connected to the credit router C analyzes the communication from the terminal B to the attack command site 70 and detects that the communication is command communication (S309). . Then, a detection result that the communication is command communication is transmitted to the credit management server 40.

  When the detection result from the IDS 30d is received, the credit management server 40 performs the following processing. First, the credit level calculation unit 44 performs the credit level of the terminal B based on the detection result received by the IDS communication unit 43 in accordance with the credit level update rule (see FIG. 8) stored in the credit level update rule storage unit 45. Is calculated (S310). In this case, since the credit level of the terminal B described in the node / credit list stored in the node / credit level list storage unit 41 is 70 and the detection result is the command communication, the terminal B The credit level of -20 is reduced to -20. Therefore, the calculation result of the credit level of the terminal B by the credit level calculation unit 44 is 70−20 = 50. Then, the credit level calculation unit 44 determines whether or not the calculated credit level of the terminal B is 0 or more (S311). Here, when the determination result is Yes, the calculation result that the credit rating of the terminal B is 50 is reflected in the node / credit list stored in the node / credit list storage unit 41 (S312). .

  On the other hand, if the determination result in S311 is No, it is determined whether or not the terminal B is the smart meter 10 (S313). Here, when the determination result is Yes, the credit rating of the terminal B is set to 10 which is the lower limit value, and this is reflected in the node / credit list stored in the node / credit list storage unit 41. (S314). By such processing, the minimum bandwidth necessary for meter reading communication is ensured for communication from the smart meter 10. On the other hand, if the determination result in S313 is No, the credit rating of the terminal B is set to 0, and this is reflected in the node / credit list stored in the node / credit list storage unit 41 (S315). By such processing, communication is blocked for communication from a node whose credit degree is 0.

In this example, the following description will be given on the assumption that the determination result in S311 is Yes.
Next, the credit calculation unit 44 performs the attack command site 70 based on the detection result received by the IDS communication unit 43 in accordance with the credit update rule (see FIG. 8) stored in the credit update rule storage 45. Is calculated (S316). In this case, the credit level of the attack command site 70 described in the node / credit level list stored in the node / credit level list storage unit 41 is 80, and the detection result is command communication. The credit level of the attack command site 70 is set to -20. Therefore, the calculation result of the credit level of the attack command site 70 by the credit level calculation unit 44 is 80−20 = 60. Then, the credit level calculation unit 44 determines whether or not the calculated credit level of the attack command site 70 is 0 or more (S317). Here, when the determination result is Yes, the calculation result in which the credit rating of the attack command site 70 is 60 is reflected in the node / credit list stored in the node / credit list storage unit 41 ( S318).

  On the other hand, when the determination result in S317 is No, the credit rating of the attack command site 70 is set to 0, and this is reflected in the node / credit list stored in the node / credit list storage unit 41 (S319). ).

In this example, the following description will be given assuming that the determination result in S317 is Yes.
By such an operation, for example, when the credit management server 40 is subsequently inquired about the credit quality of the terminal B and the attack command site 70, 50 is returned as the credit level of the terminal B, 60 is returned as the credit rating of the attack instruction site 70.

FIG. 19 is a flowchart showing operations related to the above-described credit recovery.
As shown in FIG. 19, in this operation, the credit management server 40 updates the credit for a certain period in the node / credit list stored in the node / credit list storage unit 41. It is determined whether or not there is any node (S401). Here, when the determination result is Yes, assuming that the safety of the node is confirmed, the credit level of the node is restored to 100 (S402). That is, in the node / credit list stored in the node / credit list storage unit 41, the credit level of the node is updated to 100.

20 and 21 are flowcharts showing operations related to the above-described control of meter reading communication.
As shown in FIG. 20, in this operation, first, when the credit router C receives a communication request from the terminal B to the meter reading server 50 (S501), the credit inquiry unit 22 of the credit router C B and the meter reading server 50 are inquired of the credit management server 40 for credits (S502).

  In response to this inquiry, the credit management server 40 obtains the credit level 50 of the terminal B from the node / credit level list stored in the node / credit level list storage unit 41, and responds with the credit level of the terminal B as 50 (S503).

Further, the credit management server 40 determines whether the meter reading server 50 is included in the black list stored in the black list storage unit 42 (S504).
In this example, at this time, the meter reading server 50 is not included in the black list, and the credit of the meter reading server 50 is included in the node / credit list stored in the node / credit list storage unit 41. It is assumed that there is no description of the degree. Therefore, the determination result in S504 is No, and the credit management server 40 responds with the credit of the meter reading server 50 as 100 (S505). At this time, the fact that the credit level of the meter-reading server 50 is 100 is reflected in the node / credit list stored in the node / credit list storage unit 41.

  If the determination result in S504 is Yes, the credit calculation unit 44 determines the credit level of the meter-reading server 50 according to the credit level update rule (see FIG. 8) stored in the credit level update rule storage unit 45. Calculate (S505). Then, the credit level corresponding to the calculation result is returned as the credit level of the meter-reading server 50, and is reflected in the node / credit level list stored in the node / credit level list storage unit 41. .

  When the response from the credit management server 40 is received, the credit router C performs the following process (S506). First, the credit inquiry unit 22 indicates that the credit of the terminal B is 50 and the credit of the meter reading server 50 is 100 in the node / credit list stored in the node / credit list storage unit 21. reflect. Next, the credit / bandwidth calculation unit 23 performs calculation according to the credit / bandwidth limit rule (see FIG. 4) stored in the creditworthiness / bandwidth limit rule storage unit 25, and calculates the bandwidth from the credit level 50 of the terminal B. 50% is obtained (S507).

  Next, as shown in FIG. 21, the credit router C determines whether or not there is a bandwidth limitation competing in the credit router C (S508). Here, the competing bandwidth limitation means that the communication from the terminal B to the meter-reading server 50 is different from the bandwidth limitation (50% bandwidth limitation) performed in accordance with the ACL corresponding to the credit rating 50 later, and the credit router C This is the bandwidth limit that has already been set.

  If the determination result in S508 is Yes, the credit router C collects information on bandwidth limitation that competes in the credit router C (S509). Then, the already set bandwidth limit is calculated and adjusted so that 50% of the bandwidth can be used as a whole, and then the ACL generation unit 24 corresponds to the credit rating 50 and the bandwidth limit of 50%. An ACL including the description (ACL for credit rating 50) is generated and stored in the ACL storage unit 25 (S510). However, when the ACL for the credit rating of 50 is already stored in the ACL storage unit 25, the ACL is not generated.

  On the other hand, when the determination result in S508 is No, the ACL generation unit 24 generates an ACL (ACL for credit level 50) including the description of the bandwidth limit 50% corresponding to the credit level 50, and stores the ACL. Stored in the unit 25 (S511). However, when the ACL for the credit rating of 50 is already stored in the ACL storage unit 25, the ACL is not generated.

  Next, the ACL generating unit 24 generates an ACL (ACL for credit 100) corresponding to the credit 100 and including a description of the bandwidth limit 100%, and stores it in the ACL storage 25 (S512). However, if the ACL for credit 100 is already stored in the ACL storage unit 25, the ACL is not generated.

  Next, the access control unit 28 performs the communication requested in S501 under the control of the communication control unit 27 according to the ACL for credit 50 corresponding to the credit 50 of the terminal B that is the transmission source node of the communication. Relay (S513). Thus, the communication requested in S501 is relayed with a bandwidth limit of 50%, and communication from the terminal B to the meter reading server 50 is started.

FIG. 22 is a diagram schematically illustrating the data flow in the above-described S501 to S503 and S508 to S511.
22, #A indicates the IP address of the terminal B, #B indicates the IP address of the meter-reading server 50, #C indicates the IP address of the credit router C, and #D indicates the IP of the credit management server 40 Indicates an address. The packet 201 is a packet received by the credit router C in the above-described S501 and related to a communication request from the terminal B to the meter reading server 50. The packet 202 is an inquiry sent from the credit router C to the credit management server 40 when the credit router C inquires the credit management server 40 about the credits of the terminal B and the meter-reading server 50 in S502. It is a packet concerning. The node / credit list 41c is a part of the node / credit list stored in the node / credit list storage unit 41 (the terminal B and the meter-reading server 50) when the credit management server 40 receives the packet 202. Of credit). The packet 203 is a packet related to the response transmitted from the credit management server 40 to the credit router C when the credit management server 40 responds to the credit router C with the credit control of the terminal B in S503. is there. ACL # 1 for credit level 50 stored in the ACL storage unit 25 is an ACL including a description of the bandwidth limit 50% corresponding to the credit level 50 generated by the ACL generation unit 24 in the above-described S508 to S511. . The ACL 40 for credit 40 and the ACL # 3 for credit 30 stored in the ACL storage unit 25 were already stored before the ACL # 1 for credit 50 was stored in the ACL storage 25. It is an example of ACL.

FIG. 23 is a diagram schematically illustrating an example of band adjustment performed in S510 described above.
In FIG. 23, #A indicates the IP address of the terminal B, and #B indicates the IP address of the meter-reading server 50.

  In the example shown in FIG. 23, a bandwidth of 60% is set for communication from the terminal B to the meter-reading server 50 before the processing of S510 described above, and the remaining 40% of the bandwidth is a free bandwidth. It is an example. In this case, the bandwidth set for the communication is calculated and adjusted so that 50% of the bandwidth can be used for the communication as a whole. By such bandwidth adjustment, a bandwidth of 50% is set as a whole for the communication and 10% of the bandwidth is released, so that 50% of the bandwidth becomes a free bandwidth. As a result, the bandwidth limit 50% set in the credit router C after the bandwidth adjustment does not conflict with the bandwidth limit (50% bandwidth limit) performed in accordance with the ACL for credit quality 50 later. Is limited in bandwidth according to the ACL for the credit rating 50.

  In the band control system according to the present embodiment described above, when communication is relayed by a plurality of credit routers 20, the following processing can be performed. For example, when each of the plurality of credit routers 20 relays communication, the credit management server 40 may be inquired about the credit of the transmission source node and the destination node of the communication. Alternatively, each of one or more of the plurality of credit routers 20 may inquire the credit management server 40 about the credit of the source node and the destination node of the communication. In this case, for example, only the credit router 20 closest to the source node of the communication or only the credit router 20 closest to the destination node of the communication is credited to the source node and destination node of the communication. It is also possible to make an inquiry to the credit management server 40 for the degree. As described above, the credit level router 20 that has made an inquiry about the credit level performs ACL generation, bandwidth control according to the ACL, and the like as described above.

  Further, in the credit management server 40, when the credit calculation unit 44 calculates the credit of the node, when the node is the smart meter 10 and the calculation result is less than the above lower limit value, It is also possible to perform processing using the calculation result as the lower limit value.

  Further, when a measuring device with a communication function of a different type from the smart meter 10 is applied, the same processing as that performed for the smart meter 10 can be applied to the measuring device with a communication function. It is.

  As described above, according to the bandwidth control system according to the present embodiment, the credit level is assigned to each node, and the ACL used for the bandwidth control of the communication is generated according to the credit level. The amount of description can be reduced without any harmful effects.

  For example, when the IP address of each node is composed of 32 bits, the number of nodes is about 4.2 billion. In such a case, if the bandwidth limitation is described for each description specifying the communication source and destination nodes as in the conventional ACL, the amount of description of the ACL becomes enormous. On the other hand, in the bandwidth control system according to the present embodiment, ACLs are generated as much as possible values of the credit to be given to the nodes, and each ACL includes a description of the corresponding bandwidth limitation. An enormous description for specifying the source and destination nodes is unnecessary. In addition, it is not necessary to describe bandwidth limitation in units of networks, which is conventionally performed in order to reduce the description amount of ACL. Therefore, in the bandwidth control system according to the present embodiment, it is possible to reduce the amount of description of ACL overwhelmingly as compared with the conventional one without any harmful effects.

  Further, in the bandwidth control system according to the present embodiment, when the node is the smart meter 10, a credit level lower than the lower limit value corresponding to the minimum bandwidth necessary for meter-reading communication is not given. Therefore, even the smart meter 10 infected with malware can secure the minimum bandwidth necessary for meter reading communication.

  Note that the credit router 20 and the credit management server 40 included in the bandwidth control system according to the present embodiment may include, for example, the following computer system.

FIG. 24 is a diagram illustrating a configuration example of the computer system.
As shown in FIG. 24, this computer system includes a CPU 301, a ROM 302, a RAM 303, a communication interface 304, a storage device 305, an input / output device 306, a portable storage medium reading device 307, and all of these. A bus 308 is included. The CPU is a Central Processing Unit, the ROM is a Read Only Memory, and the RAM is a Random Access Memory.

As the storage device 305, various types of storage devices such as a hard disk and a magnetic disk can be used.
For example, when the credit router 20 includes this computer system, the storage device 305 or the ROM 302 stores programs for operations performed by the credit router 20 in the flowcharts of FIGS. 13 and 15 to 21. . The RAM 303 stores a node / credit list, ACL, credit / bandwidth restriction rule, and the like. The program is executed by the CPU 301 to realize the credit inquiry unit 22, the credit / bandwidth calculation unit 23, the ACL generation unit 24, the communication control unit 27, the access control unit 28, the control unit 29, and the like. Is done.

  Further, for example, when the credit management server 40 includes this computer system, a program for the operation performed by the credit management server 40 in the flowcharts of FIG. 13 and FIG. 15 to FIG. Is stored. The RAM 303 stores a node / credit list, a black list, a credit update rule, and the like. Then, by executing the program by the CPU 301, the IDS communication unit 43, the credit calculation unit 44, the credit transmission / reception unit 46, the control unit 47, and the like are realized.

  Such a program can be stored in, for example, the storage device 305 from the program provider 309 via the network 310 and the communication interface 304 and executed by the CPU 301. Further, it can be stored in a commercially available portable storage medium 311, set in the reading device 307, and executed by the CPU 301. As the portable storage medium 311, various types of storage media such as a CD-ROM, a flexible disk, an optical disk, a magneto-optical disk, a DVD disk, and a USB memory can be used.

  Although the embodiments have been described above, the present invention is not limited to the above-described embodiments, and various improvements and modifications can be made without departing from the gist of the present invention.

Regarding the above embodiment, the following additional notes are disclosed.
(Appendix 1)
A bandwidth control device that performs bandwidth control of communication,
Querying a credit management server managing the credit of the node for the credit of the transmission source node, and an inquiry means for acquiring the credit of the transmission source node from the credit management server,
Calculation means for calculating a bandwidth from the credit degree acquired by the inquiry means;
Generating means for generating an access control list corresponding to the credit rating, including information on performing bandwidth limitation using the bandwidth calculated by the calculating means;
Bandwidth control means for performing bandwidth control of the communication according to an access control list corresponding to the credit level of the communication source node;
A bandwidth control apparatus comprising:
(Appendix 2)
The calculating means calculates a bandwidth from the credit obtained by the inquiry means according to a credit bandwidth rule defining a rule for calculating a bandwidth from the credit.
The bandwidth control apparatus according to appendix 1, wherein
(Appendix 3)
A bandwidth control method performed by a bandwidth controller,
Queries the credit management server that manages the credit level of the node for the credit level of the communication source node,
Obtaining the credit level of the source node from the credit quality management server;
Calculate the bandwidth from the obtained credit rating,
Generating an access control list corresponding to the credit rating, including information on performing bandwidth limitation using the calculated bandwidth;
Performing bandwidth control of the communication according to an access control list corresponding to the credit level of the communication source node;
A bandwidth control method characterized by the above.
(Appendix 4)
The calculation of the bandwidth from the acquired credit quality is performed according to a credit bandwidth rule that defines a rule for calculating the bandwidth from the credit strength.
The bandwidth control method according to supplementary note 3, wherein:
(Appendix 5)
A bandwidth control program for a bandwidth controller,
Queries the credit management server that manages the credit level of the node for the credit level of the communication source node,
Obtaining the credit level of the source node from the credit quality management server;
Calculate the bandwidth from the obtained credit rating,
Generating an access control list corresponding to the credit rating, including information on performing bandwidth limitation using the calculated bandwidth;
Performing bandwidth control of the communication according to an access control list corresponding to the credit level of the communication source node;
A bandwidth control program that causes a computer to execute this process.
(Appendix 6)
The calculation of the bandwidth from the acquired credit quality is performed according to a credit bandwidth rule that defines a rule for calculating the bandwidth from the credit strength.
The bandwidth control program according to appendix 5, characterized in that:
(Appendix 7)
A credit management server that manages the credit level of a node,
Updating means for calculating a credit level of the node and updating a node credit level list including credit level information for each node according to the calculated credit level of the node;
Receiving means for receiving detection results from an intrusion detection system for detecting unauthorized communication;
A transmission / reception unit that receives an inquiry about the credit level of the node from the bandwidth control device that performs bandwidth control of communication, and responds to the bandwidth control device with the credit level of the corresponding node;
With
The update means calculates a credit level of a corresponding node according to a detection result from the intrusion detection system or a credit level node that has received the inquiry, and the node according to the calculated credit level of the node Update the credit list,
A credit quality management server.
(Appendix 8)
The updating means performs the calculation according to a credit calculation rule that defines a rule for calculating credit.
The credit management server according to appendix 7, which is characterized in that
(Appendix 9)
The credit calculation rule includes a rule for reducing the credit of a corresponding node when the detection result from the intrusion detection system is a detection result of unauthorized communication.
The credit management server according to appendix 8, characterized in that:
(Appendix 10)
The credit calculation rule includes a rule for lowering the credit level of a corresponding node when a node of the credit level that has received the inquiry is included in a black list including information of a malicious node.
The credit management server according to appendix 8 or 9, characterized by the above.
(Appendix 11)
If the credit level of the corresponding node is less than a predetermined value as a result of the calculation, and the node is a measuring device with a communication function, the updating unit performs processing with the credit level of the node as the predetermined value. Do,
The credit management server according to any one of appendices 7 to 10, characterized in that:
(Appendix 12)
When there is a credit level of a node that has not been updated for a certain period in the node credit level list, the updating unit sets the credit level of the node to the maximum value that the credit level can take. Update,
The credit management server according to any one of appendices 7 to 11, characterized in that:
(Appendix 13)
A credit management method performed by the credit management server,
When a detection result is received from an intrusion detection system that detects unauthorized communication, the credit rating of the corresponding node is calculated,
Updating a node credit list including credit level information for each node according to the calculated node credit level;
A credit management method characterized by the above.
(Appendix 14)
When an inquiry about the credit level of a node is received from a bandwidth control device that performs bandwidth control of communication, the credit level of the corresponding node is calculated,
Updating the node credit list in accordance with the calculated credit of the node;
Responding to the bandwidth controller with the calculated credit level of the node;
The credit management method according to supplementary note 13, characterized by:
(Appendix 15)
The calculation of the credit level is performed according to a credit level calculation rule that defines a rule for calculating the credit level.
15. The credit management method according to supplementary note 13 or 14, characterized in that:
(Appendix 16)
The credit calculation rule includes a rule for reducing the credit of a corresponding node when the detection result from the intrusion detection system is a detection result of unauthorized communication.
The credit management method according to supplementary note 15, characterized in that:
(Appendix 17)
The credit calculation rule includes a rule for lowering the credit level of a corresponding node when a node of the credit level that has received the inquiry is included in a black list including information of a malicious node.
The credit management method according to supplementary note 15 or 16, characterized in that:
(Appendix 18)
As a result of the calculation, if the credit level of the corresponding node is less than a predetermined value and the node is a measuring device with a communication function, the credit level of the node is processed as the predetermined value.
The credit management method according to any one of appendices 13 to 17, characterized in that:
(Appendix 19)
In the node credit list, if there is a credit level of a node that has not been updated for a certain period, the credit level of the node is updated to the maximum value that the credit level can take.
19. The credit quality management method according to any one of appendices 13 to 18, characterized in that:
(Appendix 20)
A credit management program for a credit management server,
When a detection result is received from an intrusion detection system that detects unauthorized communication, the credit rating of the corresponding node is calculated,
Updating a node credit list including credit level information for each node according to the calculated node credit level;
A credit management program that causes a computer to execute the process.
(Appendix 21)
When an inquiry about the credit level of a node is received from a bandwidth control device that performs bandwidth control of communication, the credit level of the corresponding node is calculated,
Updating the node credit list in accordance with the calculated credit of the node;
Responding to the bandwidth controller with the calculated credit level of the node;
The credit management program according to appendix 20, which causes the computer to further execute the process.
(Appendix 22)
The calculation of the credit level is performed according to a credit level calculation rule that defines a rule for calculating the credit level.
The credit quality management program according to appendix 20 or 21, characterized in that:
(Appendix 23)
The credit calculation rule includes a rule for reducing the credit of a corresponding node when the detection result from the intrusion detection system is a detection result of unauthorized communication.
The credit quality management program according to supplementary note 22, characterized by:
(Appendix 24)
The credit calculation rule includes a rule for lowering the credit level of a corresponding node when a node of the credit level that has received the inquiry is included in a black list including information of a malicious node.
24. The credit quality management program according to appendix 22 or 23, wherein
(Appendix 25)
As a result of the calculation, if the credit level of the corresponding node is less than a predetermined value and the node is a measuring device with a communication function, the credit level of the node is processed as the predetermined value.
25. The credit quality management program according to any one of appendices 20 to 24, wherein:
(Appendix 26)
In the node credit list, if there is a credit level of a node that has not been updated for a certain period, the credit level of the node is updated to the maximum value that the credit level can take.
The credit management program according to any one of appendices 20 to 25, further causing the computer to execute the process.
(Appendix 27)
A bandwidth control system including a bandwidth control device that performs bandwidth control of communication, a credit management server that manages the credit level of a node, and an intrusion detection system that detects unauthorized communication,
The bandwidth control device includes:
Inquiring means for querying the credit management server for the credit level of the transmission source node, and obtaining the credit level of the source node from the credit management server;
Calculation means for calculating a bandwidth from the credit degree acquired by the inquiry means;
Generating means for generating an access control list corresponding to the credit rating, including information on performing bandwidth limitation using the bandwidth calculated by the calculating means;
Bandwidth control means for performing bandwidth control of the communication according to an access control list corresponding to the credit level of the communication source node;
With
The credit management server is
Updating means for calculating a credit level of the node and updating a node credit level list including credit level information for each node according to the calculated credit level of the node;
Receiving means for receiving a detection result from the intrusion detection system;
A transmission / reception means for receiving an inquiry about the credit level of the node from the bandwidth control device and responding to the bandwidth control device with the credit level of the corresponding node;
With
The update means calculates a credit level of a corresponding node according to a detection result from the intrusion detection system or a credit level node that has received the inquiry, and the node according to the calculated credit level of the node Update the credit list,
A bandwidth control system characterized by that.

DESCRIPTION OF SYMBOLS 10 Smart meter 20 Credit router 21 Node / credit list storage unit 22 Credit inquiry unit 23 Credit / band calculation unit 24 ACL generation unit 25 ACL storage unit 26 Credit / band limitation rule storage unit 27 Communication control unit 28 Access Control unit 29 Control unit 30 IDS
40 credit management server 41 node / credit list storage unit 42 black list storage unit 43 IDS communication unit 44 credit calculation unit 45 credit update rule storage unit 46 credit transmission / reception unit 47 control unit

Claims (12)

A bandwidth control device that performs bandwidth control of communication,
Querying a credit management server managing the credit of the node for the credit of the transmission source node, and an inquiry means for acquiring the credit of the transmission source node from the credit management server,
Calculation means for calculating a bandwidth from the credit degree acquired by the inquiry means;
The viewing including the information of the calculated band from the credit level acquired by the inquiry unit, an access control list that does not include information identifying the source and destination nodes of the communications, generating means for generating for each said credit degree When,
To the control target communication which is the subject of bandwidth control, access control lists about the credit level acquired by the inquiry means for the transmission source node of said controlled object communication of the access control list generated by the generating means Bandwidth control means for performing bandwidth limitation control according to the bandwidth information contained in
A bandwidth control apparatus comprising: The calculating means calculates a bandwidth from the credit obtained by the inquiry means according to a credit bandwidth rule defining a rule for calculating a bandwidth from the credit.
The band control device according to claim 1. A bandwidth control method performed by a bandwidth controller,
Queries the credit management server that manages the credit level of the node for the credit level of the communication source node,
Obtaining the credit level of the source node from the credit quality management server;
Calculate the bandwidth from the obtained credit rating,
See contains the information of the bandwidth calculated from the acquired credit degree, an access control list that does not include information identifying the source and destination nodes of the communication, and generates for each said credit level,
To the control target communication which is the subject of band control in accordance with the generated said control target band information included in the access control list about the credit level acquired the transmission source node of the communication of the access control list, Perform bandwidth limit control,
A bandwidth control method characterized by the above. A bandwidth control program for a bandwidth controller,
Queries the credit management server that manages the credit level of the node for the credit level of the communication source node,
Obtaining the credit level of the source node from the credit quality management server;
Calculate the bandwidth from the obtained credit rating,
See contains the information of the bandwidth calculated from the acquired credit degree, an access control list that does not include information identifying the source and destination nodes of the communication, and generates for each said credit level,
To the control target communication which is the subject of band control in accordance with the generated said control target band information included in the access control list about the credit level acquired the transmission source node of the communication of the access control list, Perform bandwidth limit control,
A bandwidth control program that causes a computer to execute this process. A credit management server that manages the credit level of a node,
Updating means for calculating a credit level of the node and updating a node credit level list including credit level information for each node according to the calculated credit level of the node;
Receiving means for receiving detection results from an intrusion detection system for detecting unauthorized communication;
A transmission / reception unit that receives an inquiry about the credit level of a node from a bandwidth control device that performs bandwidth control of communication, and responds to the bandwidth control device with the credit level of the node;
With
The update unit according to the detection result from the intrusion detection system, the calculated credit of the node according to the unauthorized communication, updates the node credit degree list according to the credit of the compute node, the communication function For a node that is an attached measuring device, if the credit level that is the result of the calculation is less than a predetermined value, the node credit level is set to the credit level for the node that is the measuring device with a communication function as the predetermined value. Refresh the list,
A credit quality management server. The updating means performs the calculation according to a credit calculation rule that defines a rule for calculating credit.
The credit management server according to claim 5, wherein: The credit calculation rule includes a rule for reducing the credit of a corresponding node when the detection result from the intrusion detection system is a detection result of unauthorized communication.
The credit management server according to claim 6, wherein: The credit calculation rule includes a rule for lowering the credit level of a corresponding node when a node of the credit level that has received the inquiry is included in a black list including information of a malicious node.
The credit management server according to claim 6 or 7, characterized in that When there is a credit level of a node that has not been updated for a certain period in the node credit level list, the updating unit sets the credit level of the node to the maximum value that the credit level can take. Update,
The credit management server according to any one of claims 5 to 8 , wherein A credit management method performed by the credit management server,
When a detection result is received from an intrusion detection system that detects unauthorized communication, the credit rating of the node related to the unauthorized communication is calculated,
According to the calculated credit level of the node, update the node credit level list including credit level information for each node ,
For a node that is a measuring instrument with a communication function, if the credit level that is the result of the calculation is less than a predetermined value, the credit level for the node that is the measuring instrument with a communication function is set as the predetermined value to the node Update the credit list ,
A credit management method characterized by the above. A credit management program for a credit management server,
When a detection result is received from an intrusion detection system that detects unauthorized communication, the credit rating of the node related to the unauthorized communication is calculated,
According to the calculated credit level of the node, update the node credit level list including credit level information for each node ,
For a node that is a measuring instrument with a communication function, if the credit level that is the result of the calculation is less than a predetermined value, the credit level for the node that is the measuring instrument with a communication function is set as the predetermined value to the node Update the credit list ,
A credit management program that causes a computer to execute the process. A bandwidth control system including a bandwidth control device that performs bandwidth control of communication, a credit management server that manages the credit level of a node, and an intrusion detection system that detects unauthorized communication,
The bandwidth control device includes:
Inquiring means for querying the credit management server for the credit level of the transmission source node, and obtaining the credit level of the source node from the credit management server;
Calculation means for calculating a bandwidth from the credit degree acquired by the inquiry means;
The viewing including the information of the calculated band from the credit level acquired by the inquiry unit, an access control list that does not include information identifying the source and destination nodes of the communications, generating means for generating for each said credit degree When,
To the control target communication which is the subject of bandwidth control, access control lists about the credit level acquired by the inquiry means for the transmission source node of said controlled object communication of the access control list generated by the generating means Bandwidth control means for performing bandwidth limitation control according to the bandwidth information contained in
With
The credit management server is
Updating means for calculating a credit level of the node and updating a node credit level list including credit level information for each node according to the calculated credit level of the node;
Receiving means for receiving a detection result from the intrusion detection system;
In response to queries credit of the node from the bandwidth control apparatus, a transmitting and receiving means responsive to credit degree of the node to the band control device,
With
The update unit according to the detection result from the intrusion detection system, the calculated credit of the node according to the improper communication, updates the node credit degree list according to the credit of the compute nodes,
A bandwidth control system characterized by that.