JP6220709B2 - COMMUNICATION CONTROL DEVICE, COMMUNICATION CONTROL METHOD, AND PROGRAM - Google Patents

Description

  The present invention relates to a communication control device, a communication control method, and a program.

  There is an attack that attempts to illegally acquire information by accessing a communication device such as a computer terminal connected via a network. For example, information is transmitted from an external network to a communication device connected to an internal LAN (Local Area Network) of an organization such as a company, and the internal LAN status, information on the communication device, etc. are illegally analyzed by the response. Can be considered. As countermeasures against such attacks, for example, a communication device that becomes a trap in the internal LAN is prepared and the communication device is attacked, and the attacking communication is analyzed, or an important part in the internal LAN is attacked. There is a technique called a honeypot or the like that turns away the eyes so as not to let them go (see, for example, Patent Document 1).

JP 2012-212391 A

  However, although the above-described method is effective to some extent as a countermeasure against access from outside to inside, it is not a countermeasure against access from inside to outside. For example, the above-described method is applied as it is to an attack in which a malicious program such as spyware is installed in a communication device in the internal LAN and the external communication device is accessed externally by the malicious program. I can't. In recent years, such malicious programs do not send internal LAN information to the outside at once, but send transmission information that seems to be normal communication to the outside for a long time. Some attacks continue. Therefore, it is desirable to take effective measures against transmission of unintended transmission information from the internal communication device to the outside.

  The present invention has been made in view of such circumstances, and an object thereof is to provide a communication control device, a communication control method, and a program capable of taking countermeasures against unauthorized communication.

  In order to solve the above problem, in one embodiment of the present invention, the response speed between the transmission source computer apparatus and the transmission destination computer apparatus is faster than the response speed between the transmission source computer apparatus and the transmission destination computer apparatus. A packet detection unit that monitors TCP packets communicated over a network and detects communication packets communicated between at least two computer devices connected via the network When the packet detection unit detects the communication packet, a pseudo packet generated so as to invalidate the reply packet from the transmission destination computer apparatus for the communication packet is directed to the transmission source computer apparatus. A communication control device comprising a control unit for transmission.

  Further, according to one aspect of the present invention, in the communication control device described above, when the control unit starts transmission of the pseudo packet when establishing a connection between the two computer devices, the sequence number is The pseudo packet generated differently from the reply packet from the transmission destination computer apparatus is transmitted to the transmission source computer apparatus.

  Further, according to one aspect of the present invention, in the communication control device, when the control unit starts transmission of the pseudo packet after establishing a connection between the two computer devices, the number of payload data is The pseudo packet generated differently from the reply packet from the transmission destination computer apparatus is transmitted to the transmission source computer apparatus.

  Further, according to one aspect of the present invention, in the communication control device, the two computer devices include an attacked computer device and an attacking computer device, and the control unit includes the attacked computer device. Generating a first pseudo packet so as to invalidate the first reply packet from the attacking computer device in response to the first communication packet transmitted from the attacking computer device to the attacking computer device; The generated first pseudo packet is transmitted to the attacked computer apparatus to establish a first connection between the own apparatus and the attacked computer apparatus, and the attacking computer A second reply from the attacked computer device to a second communication packet transmitted from the device to the attacked computer device A second pseudo packet is generated so as to invalidate the packet, and the generated second pseudo packet is transmitted to the attacking computer device so that the own device and the attacking computer device And establishing a second connection between them.

  According to another aspect of the present invention, in the communication control apparatus, the control unit establishes the first connection and the second connection, and then establishes the attacked computer apparatus using the first connection. The payload of the third communication packet transmitted from the network is changed to dummy data, and the third communication packet is changed to the sequence number and the acknowledgment number in the second connection, After the first connection and the second connection are established, the payload of the fourth communication packet transmitted from the attacking computer apparatus by the second connection is changed to dummy data. At the same time, the fourth communication packet is sent to the first connection. Change the sequence number and acknowledgment number, characterized in that said causing transmitted to the computer apparatus of the attacker.

  Further, according to one aspect of the present invention, in the communication control apparatus, after the first connection and the second connection are established, the third communication packet and the second connection are determined based on a predetermined rule. 4 includes a determination unit that determines whether or not to change the payload of each of the four communication packets to dummy data, and the control unit, based on the determination result determined by the determination unit, the third communication packet and the It is characterized by switching whether or not each payload of the fourth communication packet is changed to dummy data.

  Further, according to one aspect of the present invention, communication is arranged such that a response speed between the transmission source computer apparatus and the own apparatus is faster than a response speed between the transmission source and the transmission destination computer apparatuses. A packet detection step in which a control device monitors a TCP packet communicated over a network and detects a communication packet communicated between at least two computer devices connected via the network; and the communication control device comprises: When the communication packet is detected in the packet detection step, the pseudo packet generated so as to invalidate the reply packet from the transmission destination computer apparatus for the communication packet is transmitted to the transmission source computer apparatus. A communication control method including a control step.

  Further, according to one aspect of the present invention, communication is arranged such that a response speed between the transmission source computer apparatus and the own apparatus is faster than a response speed between the transmission source and the transmission destination computer apparatuses. A packet detection step of monitoring a TCP packet communicated over a network to a computer of a control device and detecting a communication packet communicated between at least two computer devices connected via the network; and the packet detection step A control step of transmitting a pseudo packet generated so as to invalidate a reply packet from a transmission destination computer device to the communication packet to the transmission source computer device when the communication packet is detected at Is a program for executing

  According to the present invention, it is possible to take measures against unauthorized communication.

It is a functional block diagram which shows an example of the communication control apparatus by 1st Embodiment. It is a figure which shows the example of data of the detection target memory | storage part in 1st Embodiment. It is a figure which shows the example of data of the sequence management information storage part in 1st Embodiment. It is a figure which shows an example of the operation | movement which the communication control apparatus in 1st Embodiment establishes a connection with an attacked computer apparatus. It is a figure which shows an example of the operation | movement which the communication control apparatus in 1st Embodiment establishes a connection with the attacking computer apparatus. It is a figure which shows an example of operation | movement of the communication control apparatus in 1st Embodiment. It is a figure which shows an example of operation | movement in case the communication control apparatus in 1st Embodiment transfers dummy data. It is a figure which shows an example of operation | movement in case the communication control apparatus in 1st Embodiment transfers raw data. It is a functional block diagram which shows an example of the communication control apparatus by 2nd Embodiment. It is a figure which shows an example of operation | movement of the communication control apparatus in 2nd Embodiment. It is a functional block diagram which shows an example of the communication control apparatus by 3rd Embodiment. It is a figure which shows an example of operation | movement of the communication control apparatus in 3rd Embodiment.

Hereinafter, a communication control apparatus according to an embodiment of the present invention will be described with reference to the drawings.
[First Embodiment]
FIG. 1 is a functional block diagram illustrating an example of a communication control device 1 according to the first embodiment.
As shown in this figure, the communication control device 1 according to the present embodiment includes an attacked computer device 2 that is an attacked computer device and an attacking computer that is an attacking computer device via a network device 4. It is connected to the device 3.

  The attacked computer device 2 is a computer device to be monitored by the communication control device 1. The attacked computer device 2 is, for example, a PC (Personal Computer) connected to an internal LAN (Local Area Network) in an organization such as a company. Here, although one attacked computer apparatus 2 is illustrated and described, a plurality of attacked computer apparatuses 2 may be connected to the internal LAN, and the communication control apparatus 1 may be connected to a plurality of attacked computer apparatuses 2. The attacking computer device 2 may be a monitoring target. Further, here, a malicious program (for example, malware) is installed in the attacked computer apparatus 2 by some method, and the malicious program is connected via the network NW such as the Internet. Transmission information (for example, a communication packet) is transmitted with 3 as a destination.

  The network device 4 is a transfer device on the communication path between the attacked computer device 2 and the attacking computer device 3. For example, a switching hub or a router can be applied as the network device 4. For example, the network device 4 connects an internal LAN to which the attacked computer device 2 is connected and an external network NW to which the attacking computer device 3 is connected.

  The attacking computer apparatus 3 receives a communication packet transmitted via the network NW from the attacked computer apparatus 2 in which the malicious program is installed, and the attacked computer apparatus 2 or the attacked computer apparatus 2 This is a computer device that attempts to illegally obtain information about the internal LAN to be connected.

  The communication control device 1 includes a communication unit 10, a storage unit 20, and a control unit 30. The communication control device 1 and the network device 4 are arranged on a communication path between the attacked computer device 2 and the attacking computer device 3. That is, the communication control device 1 requires a longer time for communication between the communication control device 1 and the attacked computer device 2 than a time required for communication between the attacking computer device 3 and the attacked computer device 2. It is assumed that they are arranged so as to be short. Here, as a method for shortening the time required for communication (that is, to be able to respond quickly), for example, the response speed on the communication line between the attacking computer apparatus 3 and the attacked computer apparatus 2 is higher. There is a method of determining the bandwidth of the line and the arrangement position in the network so that the response speed on the communication line between the communication control apparatus 1 and the attacked computer apparatus 2 is increased. The communication control device 1 hijacks a connection (for example, a TCP connection) between the attacked computer device 2 and the attacking computer device 3, and between the attacked computer device 2 and the attacking computer device 3. It is an information collection device that collects information from both sides without performing direct communication.

  By the way, as a method for the communication control device 1 to monitor the communication between the attacking computer device 3 and the attacked computer device 2, for example, the network device 4 has a monitoring function, and the attacking computer device 3 Communication information including communication with the attacked computer apparatus 2 may also be sent to the communication control apparatus 1. As another method, the communication control device 1 may be installed on the path between the attacking computer device 3 and the attacked computer device 2 (similar to the network device 4). Specifically, the network device 4 is a shared hub or a network tap, or when the network device 4 is a switching hub, communication between the attacked computer device 2 and the attacking computer device 3 is controlled. There is a method of setting port mirroring in the switching hub so that it is also transferred to the apparatus 1.

  The communication control device 1 “takes over the connection” is executed according to the procedure described below. First, the communication control device 1 detects that a certain computer device (transmission source) has transmitted a request packet (“SYN” packet) for establishing a TCP connection toward another computer device (transmission destination). Then, the communication control apparatus 1 transmits an “SYN + ACK” packet including an arbitrary sequence number and having the source address of the IP address of the destination computer apparatus to the transmission source computer. The “SYN + ACK” packet arrives at the transmission source computer device earlier than the response from the transmission destination computer device due to the difference in response speed depending on the arrangement of the communication control device 1 and the line.

Further, it is determined that the procedure for establishing the TCP connection with the transmission destination computer apparatus has advanced in the transmission source computer apparatus, and the TCP communication partner is determined between the communication control apparatus 1 and the transmission source computer apparatus. An IP address, a port number, and a sequence number for specifying are shared. For this reason, the communication control device 1 is in a state where it can accept “a packet sent from the transmission source computer device to the transmission destination computer device based on the TCP procedure” based on the TCP procedure. However, since the sequence number is not shared between the transmission destination computer apparatus and the transmission source computer apparatus, even if a packet is sent from the transmission source computer apparatus to the transmission destination computer apparatus based on the TCP procedure, the transmission is performed. The previous computer apparatus does not receive a packet. That is, a packet sent from a transmission source computer apparatus to a transmission destination computer apparatus is treated as an invalid packet based on the TCP procedure.
Thus, although the packet sent from the transmission source computer device to the transmission destination computer device is invalid, the communication control device 1 is transmitted from the transmission source computer device to the transmission destination computer device. The state in which the TCP packet can be received is expressed as “the communication control device has taken over the connection (connection) established based on the connection request from the transmission source to the transmission destination computer device”.

Further, in addition to the above-described hijacking, the communication control device 1 can hijack a response to a connection request from the transmission source to the transmission destination computer device.
Specifically, the communication control apparatus 1 detects a “SYN + ACK” packet that is a response from the transmission destination computer apparatus to the transmission source computer apparatus, and the source address is transmitted to the transmission destination computer apparatus. Returns a response with the IP of the computer device. Next, for communication from the transmission destination computer apparatus to the transmission source computer apparatus, an IP address, a port number, and the like for specifying a TCP communication partner between the communication control apparatus 1 and the transmission destination computer apparatus, And the sequence number are shared.

For this reason, the communication control device 1 is in a state where it can accept “a packet sent from the transmission destination computer device to the transmission source computer device based on the TCP procedure” based on the TCP procedure. However, since the sequence number is not shared between the transmission source computer apparatus and the transmission destination computer apparatus, even if packets are sent from the transmission destination computer apparatus to the transmission source computer apparatus based on the TCP procedure, the transmission source computer apparatus The device does not receive a packet. That is, a packet sent from a transmission destination computer apparatus to a transmission source computer apparatus is treated as an invalid packet.
In the following description, the expression simply “takeover” indicates both a case where a connection (connection) established based on a connection request from a transmission source to a transmission destination computer apparatus is taken over, and a case where a response is also taken over. Shall.

  The communication unit 10 communicates with the attacked computer device 2 and the attacking computer device 3 via the network device 4. The communication unit 10 communicates with the attacked computer apparatus 2 and the attacking computer apparatus 3 using, for example, a TCP (Transmission Control Protocol) / IP (Internet Protocol) packet.

  The storage unit 20 stores information used for various processes executed by the communication control device 1. The storage unit 20 includes a detection target storage unit 21, a determination rule storage unit 22, a sequence management information storage unit 23, and a communication history storage unit 24.

  The detection target storage unit 21 stores information on the attacked computer apparatus 2 and the attacking computer apparatus 3 that are detection (monitoring) targets. Specifically, the detection target storage unit 21 stores the IP address of the attacked computer device 2 and the IP address of the attacking computer device 3 in association with each other. Here, an example of data stored in the detection target storage unit 21 will be described with reference to FIG.

FIG. 2 is a diagram illustrating an example of data in the detection target storage unit 21 in the present embodiment.
In this figure, the detection target storage unit 21 stores “attacking IP” and “attacked IP” in association with each other. Here, “attacking IP” indicates the IP address of the attacking computer apparatus 3, and “attacked IP” indicates the IP address of the attacking computer apparatus 2.
In the example shown in FIG. 2, the “attacking IP” is “192.168.0.1”, and the “attacked IP” that is the attack target of the attacking computer device 3 corresponding to this IP address is “XXX”. .0.0 "and" XXX.0.0.4 ". That is, the computer device corresponding to each of “XXX.0.0.3” and “XXX.0.0.0.4” is the attacked computer device 2.

Returning to the description of FIG. 1, the determination rule storage unit 22 stores rule information for determining a received packet. The determination rule storage unit 22 stores, for example, the contents of the received packet (for example, the contents of the header part and the contents of the payload) and the processing for the received packet in association with each other. The determination rule storage unit 22 includes, for example, an IP address of the transmission source, hash data calculated based on part or all of the payload data in order to identify the contents of the payload, and identification information for identifying the corresponding processing May be stored. Further, in order to identify the contents of the payload, hash data and payload size information may be used.
Here, the payload refers to a data portion to be originally transferred, excluding a header portion, in a TCP packet. The “corresponding process” is a process executed by the communication control apparatus 1 on the received packet. For example, the process of changing the payload data to dummy data and transferring it, and the payload data as it is For example, processing to transfer.
The determination rule storage unit 22 may store predetermined rule information, or may store rule information based on a communication history stored in a communication history storage unit 24 described later.

The sequence management information storage unit 23 stores connection information that the communication control apparatus 1 takes over the connection with the attacked computer apparatus 2 or the attacking computer apparatus 3. When both the connection from the transmission source and the connection from the transmission destination are hijacked, the sequence management information storage unit 23 stores information on the two hijacked connections in association with each other. The sequence management information storage unit 23 stores, for example, attacked management information and attacking management information. Here, the attacked side management information is management information used for a connection (first connection) with the attacked computer apparatus 2.
Here, the connection is a TCP connection. In the following description, “TCP connection” is simply referred to as “connection”. The sequence management information storage unit 23 includes, for example, the IP address and port number of the attacked computer device 2, the sequence number (N) of the attacked computer device 2, and the sequence number of the communication control device 1 in the first connection. (DM) is associated and stored as attacked side management information.

In a TCP packet transmitted from the communication control device 1 to the attacked computer device 2, the sequence number (DM) is used as a sequence number, and the sequence number (N) is used as an acknowledgment number. In the TCP packet transmitted from the attacked computer apparatus 2 to the communication control apparatus 1, the sequence number (N) is used as the sequence number, and the sequence number (DM) is used as the confirmation response number.
The “sequence number” indicates the leading number of data on the transmission side (source) in the TCP protocol. The “acknowledgment response number” indicates the head number of data scheduled to be received next with respect to the transmission destination. “Sequence number” and “acknowledgment number” are included in the header part of the TCP packet, and whether or not this is a valid TCP packet for which a connection has been established is determined by this “sequence number” and “acknowledgment number” Determined using.

The attack side management information is management information used for a connection (second connection) with the attack side computer device 3. The sequence management information storage unit 23, for example, the IP address and port number of the attacking computer device 3, the sequence number (M) of the attacking computer device 3, and the sequence number (DN) of the communication control device 1 in the second connection. ) Is stored as attack side management information.
In a TCP packet transmitted from the communication control device 1 to the attacking computer device 3, the sequence number (DN) is used as a sequence number, and the sequence number (M) is used as an acknowledgment number. In the TCP packet transmitted from the attacking computer apparatus 3 toward the communication control apparatus 1, the sequence number (M) is used as the sequence number, and the sequence number (DN) is used as the confirmation response number.

Here, an example of data stored in the sequence management information storage unit 23 will be described with reference to FIG.
FIG. 3 is a diagram illustrating a data example of the sequence management information storage unit 23 in the present embodiment.
In this figure, the sequence management information storage unit 23 stores “attacked side management information” in which “IP”, “port number”, “SeqNO (N)”, and “SeqNO (DM)” are associated with each other. To do. In addition, the sequence management information storage unit 23 stores “attack management information” in which “IP”, “port number”, “SeqNO (M)”, and “SeqNO (DN)” are associated with each other.

  Here, “IP” and “port number” of “attacked side management information” indicate the IP address and port number of the attacked computer apparatus 2, and “IP” and “port number” of “attacked side management information”. "Indicates the IP address and port number of the attacked computer apparatus 2. “SeqNO (N)” indicates a sequence number in TCP of the attacked computer apparatus 2, and “SeqNO (DM)” is a first number used when the communication control apparatus 1 impersonates the attacking computer apparatus 3. The sequence number in connection 1 is shown. “SeqNO (M)” indicates a sequence number in TCP of the attacking computer device 3, and “SeqNO (DN)” is a first number used when the communication control device 1 impersonates the attacked computer device 2. 2 shows a sequence number in the connection 2.

In the example illustrated in FIG. 3, “IP” and “port number” of “attacked side management information” are “XXX.0.0.3” and “YY”. In addition, “SeqNO (N)” of the attacked computer apparatus 2 corresponding to “IP” in the “Attached side management information” is “2” and “SeqNO (DM)” is “100”. Is shown.
In addition, “IP” and “port number” of “attack side management information” are “192.168.0.1” and “ZZ”. Further, “SeqNO (M)” of the attacking computer apparatus 3 corresponding to “IP” of the “attacking management information” is “200”, and “SeqNO (DN)” is “10”. ing.

  Returning to the description of FIG. 1 again, the communication history storage unit 24 communicates communication packets between the attacked computer apparatus 2 and the communication control apparatus 1 and communication between the communication control apparatus 1 and the attacking computer apparatus 3. The packet is stored as a communication history. Here, since the communication history storage unit 24 stores the communication history, it is possible to analyze the operation of the unauthorized program of the attacking computer apparatus 3 and the attacked computer apparatus 2.

The control unit 30 is, for example, a processor including a CPU (Central Processing Unit) and the like, and comprehensively controls the communication control device 1. For example, when establishing a connection between the attacked computer apparatus 2 and the attacking computer apparatus 3, the control unit 30 takes over the connection and establishes a connection between the own apparatus and the attacked computer apparatus 2. 1 connection and a second connection between the own apparatus and the attacking computer apparatus 3 are established.
Specifically, the TCP sequence number is normally shared between the terminals at both ends where the TCP connection is established, that is, between the attacking computer apparatus 3 and the attacked computer apparatus 2, but the communication control apparatus 1 When the computer hijacks the session, another sequence number is shared between the attacking computer apparatus 3 and the communication control apparatus 1 and between the attacked computer apparatus 2 and the communication control apparatus 1. That is, the sequence number is not shared between the terminals at both ends.

  For example, the sequence number shared between the attacking computer apparatus 3 and the communication control apparatus 1 is DM, and the sequence number shared between the attacked computer apparatus 2 and the communication control apparatus 1 is DN. In this case, the terminals at both ends cannot communicate directly because the TCP sequence numbers are not shared, but the attacked computer apparatus 2 and the communication control apparatus 1 are connected between the attacking computer apparatus 3 and the communication control apparatus 1. The sequence number is shared with each other. Therefore, for example, the communication control apparatus 1 can return a response to a TCP packet transmitted from the attacking computer apparatus 3 to the attacked computer apparatus 2. Further, the communication control apparatus 1 can respond to the TCP packet transmitted from the attacked computer apparatus 2 to the attacking computer apparatus 3 by using the shared sequence number. When the sequence number of the received TCP packet is a value different from the shared sequence number, the received TCP packet is treated as an invalid packet.

In this way, the control unit 30 prohibits direct communication with the attacking computer device 3 with the attacked computer device 2 while maintaining the communication state of the attacked computer device 2 and the attacking computer device 3.
The control unit 30 includes a packet detection unit 31, a packet determination unit 32, and a pseudo response control unit 33.

  The packet detection unit 31 (determination unit) monitors TCP packets communicated over a network (for example, in an internal LAN), and detects communication packets communicated between at least two computer devices connected via the network. To do. Here, the two computer devices are, for example, the attacked computer device 2 and the attacking computer device 3. The packet detection unit 31 receives a TCP packet via the network device 4 and the communication unit 10, and among the received TCP packets, for example, based on information stored in the detection target storage unit 21, a detection (monitoring) target A communication packet is detected. Here, the communication packet includes a TCP packet transmitted from the attacked computer apparatus 2 toward the attacking computer apparatus 3 and a TCP packet transmitted from the attacking computer apparatus 3 toward the attacked computer apparatus 2. And are included.

  In the following description, a TCP packet transmitted from the attacked computer apparatus 2 to the attacking computer apparatus 3 before establishing the first connection and the second connection is referred to as a first communication packet. Sometimes. A TCP packet transmitted from the attacking computer apparatus 3 toward the attacked computer apparatus 2 before establishing the first connection and the second connection may be referred to as a second communication packet. Further, after establishing the first connection and the second connection, the TCP packet transmitted from the attacked computer apparatus 2 toward the attacking computer apparatus 3 may be referred to as a third communication packet. The TCP packet transmitted from the attacking computer apparatus 3 toward the attacked computer apparatus 2 after establishing the first connection and the second connection may be referred to as a fourth communication packet.

The packet determination unit 32 determines the communication packet detected by the packet detection unit 31 based on the rule information stored in the determination rule storage unit 22, and determines processing according to the determination result. For example, before establishing the first connection and the second connection described above, the packet determination unit 32 hijacks the connection between the attacked computer apparatus 2 and the attacking computer apparatus 3, and performs the first connection and the second connection. It is determined whether or not the communication packet is a predetermined communication packet for starting the process of establishing the connection. In the present embodiment, the packet determination unit 32 performs the above-described predetermined communication when the communication packet is a “SYN” packet for establishing a connection between the attacked computer apparatus 2 and the attacking computer apparatus 3. Judge that it is a packet.
The packet determination unit 32 determines whether to change the payload of the communication packet to dummy data based on the rule information stored in the determination rule storage unit 22 after establishing the first connection and the second connection. judge. That is, after establishing the first connection and the second connection, the packet determination unit 32 converts each payload of the third communication packet and the fourth communication packet into dummy data based on a predetermined rule. Determine whether to change.

  When the packet detection unit 31 detects a communication packet, the pseudo response control unit 33 (control unit) is generated so as to invalidate the reply packet from the transmission destination computer device for the communication packet (that is, the pseudo response control unit 33). The pseudo packet (including the sequence number uniquely generated by the response control unit 33) is transmitted to the transmission source computer device earlier than the reply packet. The communication control device 1 is installed so that the response speed between the communication control device 1 and the transmission source computer device is faster than the response speed between the transmission destination computer device and the transmission source computer device. ing. For this reason, the pseudo packet generated by the communication control device 1 arrives at the transmission source computer device earlier than the response from the transmission destination computer device. Here, the pseudo packet is a reply packet pretending to be a destination computer device, and the communication control device 1 uses the pseudo packet to cause an attack between the attacked computer device 2 and the attacking computer device 3. Take over the connection.

  For example, the pseudo response control unit 33 invalidates the first reply packet from the attacking computer device 3 with respect to the first communication packet transmitted from the attacked computer device 2 to the attacking computer device 3. A first pseudo packet is generated. Here, the pseudo response control unit 33 generates a first pseudo packet including a sequence number uniquely generated. Then, the pseudo response control unit 33 causes the generated first pseudo packet to be transmitted to the attacked computer apparatus 2, so that the first response between the own apparatus (communication control apparatus 1) and the attacked computer apparatus 2 is transmitted. 1 connection is established. Note that the communication control apparatus 1 is set so that the response speed between the communication control apparatus 1 and the attacked computer apparatus 2 is faster than the response speed between the attacking computer apparatus 3 and the attacked computer apparatus 2. It is installed. Therefore, the first pseudo packet arrives at the attacked computer apparatus 2 earlier than the response (first reply packet) from the attacking computer apparatus 3.

  Further, the pseudo response control unit 33 invalidates, for example, the second reply packet from the attacked computer apparatus 2 with respect to the second communication packet transmitted from the attacking computer apparatus 3 to the attacked computer apparatus 2. Thus, the second pseudo packet is generated. Here, the pseudo response control unit 33 generates a first pseudo packet that is a valid TCP packet for the attacking computer apparatus 3. The pseudo response control unit 33 transmits the generated second pseudo packet to the attacking computer device 3 to establish a second connection between the own device and the attacking computer device 3. The communication control apparatus 1 is installed so that the response speed between the communication control apparatus 1 and the attacking computer apparatus 3 is faster than the response speed between the attacking computer apparatus 3 and the attacked computer apparatus 2. doing. Therefore, the second pseudo packet arrives at the attacked computer apparatus 2 earlier than the response from the attacked computer apparatus 2 (second reply packet).

In the present embodiment, the pseudo response control unit 33 starts transmission of a pseudo packet when establishing a connection between two computer devices (the attacked computer device 2 and the attacking computer device 3). In this case, the pseudo response control unit 33 causes the pseudo packet generated so that the sequence number is different from the reply packet from the transmission destination computer apparatus to be transmitted to the transmission source computer apparatus.
When establishing a connection, each of the two computer devices generates a sequence number uniquely. Therefore, for example, if the pseudo response control unit 33 generates a sequence number using a random number and generates a pseudo packet including the generated sequence number, the pseudo number is set so that the sequence number is different from the reply packet from the transmission destination computer device. Packets can be generated. Since the probability that the sequence number generated by the original computer device and the sequence number generated by the pseudo response control unit 33 collide is extremely low, there is no problem even if the pseudo response control unit 33 generates a sequence number arbitrarily. .

In addition, the pseudo response control unit 33, after establishing the first connection and the second connection, impersonates the attacked computer device 2 and the attacking computer device 3 while maintaining communication between the attacked side and the attacked side. Control to extract information from the computer apparatus 2 and the attacking computer apparatus 3 is performed.
For example, the pseudo response control unit 33 causes the communication history storage unit 24 to store, as a communication history, the third communication packet transmitted from the attacked computer device 2 to the attacking computer device 3 through the first connection. . Then, the pseudo response control unit 33 changes the third communication packet to the sequence number and confirmation response number for the second connection based on the management information stored in the sequence management information storage unit 23, and The packet is transmitted (transferred) to the attacking computer apparatus 3 as a transfer packet. The pseudo response control unit 33 changes the payload of the third communication packet to dummy data and transfers it.

Similarly, the pseudo response control unit 33 stores a communication history by using, for example, a fourth communication packet transmitted from the attacking computer apparatus 3 to the attacked computer apparatus 2 through the second connection as a communication history. Store in the unit 24. Then, the pseudo response control unit 33 changes the fourth communication packet to the sequence number and the confirmation response number for the first connection on the basis of the management information stored in the sequence management information storage unit 23, The packet is transmitted (transferred) to the attacked computer apparatus 2 as a transfer packet. The pseudo response control unit 33 changes the payload of the third communication packet to dummy data and transfers it.
Note that the first transfer packet and the second transfer packet are collectively referred to as a transfer packet.

Note that the pseudo response control unit 33, for example, if the content of the payload is known to be safe or if information is extracted from the attacked computer apparatus 2 and the attacking computer apparatus 3, Transfer the communication packet payload without changing it to dummy data. If there is a possibility that the attacked computer apparatus 2 and the attacking computer apparatus 3 detect that the self apparatus is impersonating, the pseudo response control unit 33 performs the third response at a predetermined frequency. The payload of the communication packet may be transferred without changing to dummy data.
Here, whether or not to change the payload to dummy data is determined by the packet determination unit 32 based on the rule information stored in the determination rule storage unit 22. That is, the pseudo response control unit 33 switches whether to change the payload of each of the third communication packet and the fourth communication packet to dummy data based on the determination result determined by the packet determination unit 32.

Further, the pseudo-response control unit 33 changes the communication control device 1 to the attacked computer device 2 or the attacking computer device 3 in order to maintain communication with both the attacked computer device 2 and the attacking computer device 3. A predetermined transmission packet is transmitted. Further, the pseudo response control unit 33 transmits a communication packet received from the attacked computer apparatus 2 or the attacking computer apparatus 3 to maintain communication with both the attacked computer apparatus 2 and the attacking computer apparatus 3. On the other hand, a predetermined reply packet is transmitted from the communication control device 1 to the transmission source.
The pseudo response control unit 33 includes a response generation unit 331 and a transmission control unit 332.

  The response generation unit 331 generates TCP packets to be transmitted from the communication control device 1 to other devices such as the above-described pseudo packet, transfer packet, transmission packet, and reply packet. For example, the response generation unit 331 generates a TCP packet including a TCP header portion based on the attack side management information or the attacked side management information stored in the sequence management information storage unit 23. For example, when the response generation unit 331 generates a TCP packet directed to the attacked computer apparatus 2 through the first connection, the sequence number based on the attacked management information stored in the sequence management information storage unit 23 And a TCP packet including an acknowledgment number. In addition, when the response generation unit 331 generates a TCP packet directed to the attacking computer device 3 through the second connection, the response generation unit 331 confirms the sequence number and confirmation based on the attacking management information stored in the sequence management information storage unit 23. A TCP packet including a response number is generated.

Further, the response generation unit 331 generates TCP packets such as a pseudo packet, a transfer packet, and a reply packet based on the determination result of the packet determination unit 32. Further, when generating the transfer packet, the response generation unit 331 switches whether to change the payload to dummy data based on the determination result of the packet determination unit 32, and generates the transfer packet.
In addition, the response generation unit 331, for example, in order to collect information of the attacked computer apparatus 2 and the attacking computer apparatus 3, based on a command from an administrator who manages the communication control apparatus 1, TCP such as a transmission packet Generate a packet.
Note that the response generation unit 331 determines the payload of the TCP packet so that the difference between the sequence number (DM) for the first connection and the sequence number (M) for the second connection is equal to or greater than a predetermined threshold. The TCP packet may be generated by adjusting the number of data. In addition, the response generation unit 331 sets the payload of the TCP packet so that the difference between the sequence number (N) for the first connection and the sequence number (DN) for the second connection is equal to or greater than a predetermined threshold value. The TCP packet may be generated by adjusting the number of data.

  The transmission control unit 332 performs control to transmit the TCP packet generated by the response generation unit 331 to the attacked computer device 2 or the attacking computer device 3 via the communication unit 10.

Next, the operation of the communication control apparatus 1 according to the present embodiment will be described with reference to the drawings.
FIG. 4 is a diagram illustrating an example of an operation in which the communication control device 1 according to the present embodiment establishes a connection with the attacked computer device 2.
In this figure, when establishing a connection between the attacked computer apparatus 2 and the attacking computer apparatus 3, the communication control apparatus 1 hijacks the connection to be established, and the communication control apparatus 1 and the attacked computer apparatus are attacked. An example of establishing a first connection with the side computer device 2 is shown.
In FIG. 4, “SegNO” indicates a TCP sequence number, and “Ack” indicates a TCP acknowledgment number.

  As shown in (1) of FIG. 4, first, the attacked computer apparatus 2 transmits a “SYN” packet (SegNO = n) to the attacking computer apparatus 3 (step S101).

  Next, in response to the “SYN” packet (SegNO = n), the communication control device 1 transmits an “SYN + ACK” packet (SeqNO (= DM) = dm, Ack = n + 1) to the attacked computer device 2. (Step (102) in FIG. 4, step S102). That is, the communication control device 1 receives this “SYN” packet (SeqNO = n) via the network device 4. The pseudo response control unit 33 of the communication control device 1 associates “IP” and “port number” of the attacked computer device 2 included in the received “SYN” packet with “SeqNO (N = n)”. And stored in the sequence management information storage unit 23.

Further, the pseudo response control unit 33 generates a sequence number (DM) based on, for example, a random number generated by a random number generator (illustrated). The pseudo response control unit 33 generates the sequence number (DM) based on a random number so as not to match the sequence number (M) of the attacking computer device 3. Here, the initial value of the sequence number of each device is “dm” for “SeqNO (DM)”, “n” for “SeqNO (N)”, “m” for “SeqNO (M)”, and “ The description will be made assuming that “SeqNO (DN)” is “n”.
The pseudo response control unit 33 stores the generated sequence number (DM) in the sequence management information storage unit 23 as “SeqNO (DM)”. Then, the response generation unit 331 of the pseudo response control unit 33 generates a “SYN + ACK” packet (SeqNO (= DM) = dm, Ack = n + 1) including the generated sequence number (DM) as a pseudo packet.

The transmission control unit 332 of the pseudo response control unit 33 causes the “SYN + ACK” packet (SeqNO (= DM) = dm, Ack = n + 1) to be transmitted to the attacked computer apparatus 2 via the communication unit 10. The “SYN” packet (SeqNO = n) is transmitted to the attacking computer apparatus 3, but the transmission control unit 332 is earlier than the reply packet (“SYN + ACK” packet) transmitted by the attacking computer apparatus 3. First, the “SYN + ACK” packet (SeqNO (= DM) = dm, Ack = n + 1) is transmitted to the attacked computer apparatus 2. That is, the pseudo response control unit 33 generates a pseudo packet generated so that the sequence number is different from the “SYN + ACK” packet ((4) in FIG. 5, step S201) from the attacking computer device 3 to be described later. 3 is transmitted to the attacked computer apparatus 2 before 3.
Note that, since the communication control device 1 generates a sequence number (DM) based on a random number, for example, the probability that the number matches the sequence number (M) generated by the attacking computer device 3 is extremely low. Therefore, the communication control device 1 is not substantially hindered. Further, when the communication control apparatus 1 transmits the generated pseudo packet to the attacked computer apparatus 2, the communication control apparatus 1 places the pseudo packet ahead of the response (reply packet) from the attacking computer apparatus 3 due to the arrangement of the communication control apparatus 1. Arrives at the attacking computer device 3.

  Next, the attacked computer apparatus 2 transmits an “ACK” packet (SeqNO = n + 1, Ack = dm + 1) in response to the “SYN + ACK” packet ((3) in FIG. 4, step S103). This “ACK” packet is received by the communication control device 1 and a first connection is established. This “ACK” packet is also received by the attacking computer apparatus 3, but is different from the sequence number (M = m), and therefore a connection is established between the attacked computer apparatus 2 and the attacking computer apparatus 3. Cannot be established. That is, the communication control device 1 takes over the connection between the attacked computer device 2 and the attacking computer device 3 and establishes the first connection.

FIG. 5 is a diagram illustrating an example of an operation in which the communication control device 1 according to the present embodiment establishes a connection with the attacking computer device 3.
In this figure, when establishing a connection between the attacked computer apparatus 2 and the attacking computer apparatus 3, the communication control apparatus 1 hijacks the connection to be established, and the communication control apparatus 1 and the attacking side are taken over. An example of establishing a second connection with the computer apparatus 3 is shown. Here, the process following the process of step S101 shown in FIG. 4 is shown.

  As shown in (4) of FIG. 5, in response to the “SYN” packet (SegNO = n) ((1) in FIG. 4, step S101), the attacking computer apparatus 3 changes the “SYN + ACK” packet (SeqNO = m , Ack = n + 1) is transmitted to the attacked computer apparatus 2 (step S201).

  In response to this “SYN + ACK” packet (SeqNO = m, Ack = n + 1), the communication control device 1 directs the “ACK” packet (SeqNO (= DN) = n + 1, Ack = m + 1) to the attacking computer device 3. Transmit ((5) in FIG. 5, step S202). That is, the communication control device 1 receives this “SYN + ACK” packet (SeqNO = m, Ack = n + 1) via the network device 4. The pseudo response control unit 33 of the communication control device 1 includes “IP” and “port number”, “SeqNO (M = m)”, “SeqNO” of the attacking computer device 3 included in the received “SYN + ACK” packet. (DN = n + 1) ”is stored in the sequence management information storage unit 23 in association with each other. Here, the pseudo response control unit 33 stores the received sequence number (DN = n + 1) in the sequence management information storage unit 23 as “SeqNO (DN)”. Then, the response generation unit 331 of the pseudo response control unit 33 generates an “ACK” packet (SeqNO (= DN) = n + 1, Ack = m + 1) including the generated sequence number (DN) as a pseudo packet.

The transmission control unit 332 of the pseudo response control unit 33 sends the “ACK” packet (SeqNO (= DN) = n + 1, Ack = m + 1) generated by the response generation unit 331 to the attacking computer device 3 via the communication unit 10. To send. When the communication control device 1 transmits the generated pseudo packet (“ACK” packet (SeqNO (= DN) = n + 1, Ack = m + 1)) to the attacking computer device 3, the communication control device 1 uses the arrangement of the communication control device 1. The pseudo packet arrives at the attacked computer apparatus 2 before the response (reply packet) from the attacked computer apparatus 2. The attacking computer device 3 receives the “ACK” packet (SeqNO (= DN) = n + 1, Ack = m + 1) from the communication control device 1, whereby the second connection is established.
In this way, the communication control device 1 takes over the connection between the attacked computer device 2 and the attacking computer device 3 and establishes the second connection.

  Note that after establishing the first connection and the second connection, the transmission control unit 332 determines the sequence number (N) of the sequence management information storage unit 23 according to the communication through the first connection and the second connection. The sequence number (DM), the sequence number (M), and the sequence number (DN) are updated.

Next, with reference to FIG. 6, the operation of the communication control apparatus 1 from connection takeover to subsequent communication will be described.
FIG. 6 is a diagram illustrating an example of the operation of the communication control device 1 in the present embodiment.
In this figure, first, the attacked computer apparatus 2 transmits a “SYN” packet (SeqNO = n) to the attacking computer apparatus 3 (step S101). This “SYN” packet (SeqNO = n) is received by the communication control device 1 and the attacking computer device 3.

Next, as described in FIG. 4 above, the communication control device 1 sends a “SYN + ACK” packet (SeqNO (= DM) = dm, Ack = n + 1) to the “SYN” packet (SeqNO = n). Transmission is performed toward the attacked computer apparatus 2 before the attacking computer apparatus 3 (step S102).
The attacked computer apparatus 2 transmits an “ACK” packet (SeqNO = n + 1, Ack = dm + 1) to the “SYN + ACK” packet (SeqNO (= DM) = dm, Ack = n + 1) (step S103). When the communication control device 1 receives this packet, the first connection is established. As a result, the communication control device 1 can communicate with the attacked computer device 2 while impersonating the attacking computer device 3.

On the other hand, the attacking computer apparatus 3 receives the “SYN + ACK” packet (SeqNO = m, Ack = n + 1) as described in FIG. 5 with respect to the “SYN” packet (SeqNO = n). It transmits toward the attacking computer apparatus 2 (step S201).
Next, as described with reference to FIG. 5 above, the communication control device 1 performs the “ACK” packet (SeqNO (= DN) = n + 1, Ack) with respect to the “SYN + ACK” packet (SeqNO = m, Ack = n + 1). = M + 1) is transmitted to the attacking computer apparatus 3 before the attacked computer apparatus 2 (step S202). When the attacking computer apparatus 3 receives this packet, the second connection is established. As a result, the communication control device 1 can communicate with the attacking computer device 3 while impersonating the attacking computer device 3.

  Further, the attacked computer apparatus 2 sends an “RST + ACK” packet (SeqNO = n + 1, Ack = m + 1) to the attacking computer with respect to the “SYN + ACK” packet (SeqNO = m, Ack = n + 1) transmitted in step S201. It transmits toward the apparatus 3 (step S104). That is, the attacked computer apparatus 2 determines that the “SYN + ACK” packet (SeqNO = m, Ack = n + 1) from the attacking computer apparatus 3 that has not established a connection is an invalid packet, and the “RST + ACK” packet (SeqNO). = N + 1, Ack = m + 1) is transmitted to the attacking computer apparatus 3. The attacking computer apparatus 3 discards the “RST + ACK” packet since the connection with the attacked computer apparatus 2 is not established (not connected).

  Further, the attacking computer apparatus 3 sends an “RST + ACK” packet (SeqNO = m + 1, Ack = n + 1) to the attacked computer in response to the “ACK” packet (SeqNO = n + 1, Ack = dm + 1) transmitted in step S103. It transmits towards the apparatus 2 (step S203). That is, the attacking computer apparatus 3 determines that the “ACK” packet (SeqNO = n + 1, Ack = dm + 1) from the attacked computer apparatus 2 that has not established a connection is an invalid packet, and the “RST + ACK” packet (SeqNO). = M + 1, Ack = n + 1) is transmitted to the attacked computer apparatus 2. Since the attacked computer device 2 is in a state where the connection with the attacking computer device 3 is not established (not connected), the “RST + ACK” packet is discarded.

  Next, an example in the case of transmitting X-byte data from the attacked computer apparatus 2 will be described. In this case, the attacked computer apparatus 2 transmits an “ACK” packet (SeqNO = n + 1, Ack = m + 1, X bytes) through the first connection (step S105). In this case, the “ACK” packet includes X-byte data in the payload.

  For the “ACK” packet (SeqNO = n + 1, Ack = m + 1, X byte), the communication control device 1 performs the “ACK” packet (SeqNO (= DM) = dm + 1, Ack (= N) by the first connection. = N + 1 + X) is transmitted to the attacked computer apparatus 2 (step S106). That is, the pseudo response control unit 33 of the communication control device 1 stores the received “ACK” packet (SeqNO = n + 1, Ack = m + 1, X bytes) in the communication history storage unit 24 as a communication history. Further, the pseudo response control unit 33 updates the attack side management information in the sequence management information storage unit 23 based on the received “ACK” packet (SeqNO = n + 1, Ack = m + 1, X bytes).

  Then, the response generation unit 331 of the pseudo response control unit 33 generates the generated “ACK” packet (SeqNO (= DM) = dm + 1, Ack (= N) = n + 1 + X) including the TCP header portion based on the attacked management information. ) Is generated. The transmission control unit 332 of the pseudo response control unit 33 directs the “ACK” packet (SeqNO (= DM) = dm + 1, Ack (= N) = n + 1 + X) generated by the response generation unit 331 to the attacked computer apparatus 2. Send it.

  Further, the attacking computer apparatus 3 receives the “RST + ACK” packet (SeqNO = m + 1, Ack = n + 1) with respect to the “ACK” packet (SeqNO = n + 1, Ack = m + 1, X bytes) transmitted in step S105. It transmits toward the attacking computer apparatus 2 (step S204). The attacked computer apparatus 2 discards the “RST + ACK” packet because the connection with the attacking computer apparatus 3 is not established (not connected).

  Next, an example of transmitting Y-byte data from the attacking computer device 3 will be described. In this case, the attacking computer apparatus 3 transmits an “ACK” packet (SeqNO = m + 1, Ack = n + 1, Y byte) through the second connection (step S205). In this case, the “ACK” packet includes Y-byte data in the payload.

  For the “ACK” packet (SeqNO = m + 1, Ack = n + 1, Y byte), the communication control apparatus 1 performs the “ACK” packet (SeqNO (= DN) = n + 1, Ack (= M) through the second connection. = M + 1 + Y) is transmitted to the attacking computer apparatus 3 (step S206). That is, the pseudo response control unit 33 of the communication control device 1 stores the received “ACK” packet (SeqNO = m + 1, Ack = n + 1, Y byte) in the communication history storage unit 24 as a communication history. Further, the pseudo response control unit 33 updates the attack side management information in the sequence management information storage unit 23 based on the received “ACK” packet (SeqNO = m + 1, Ack = n + 1, Y byte).

  Then, the response generation unit 331 of the pseudo response control unit 33 generates the “ACK” packet (SeqNO (= DN) = n + 1, Ack (= M) = m + 1 + Y) including the TCP header portion based on the attack side management information. Is generated. The transmission control unit 332 of the pseudo response control unit 33 transmits the “ACK” packet (SeqNO (= DN) = n + 1, Ack (= M) = m + 1 + Y) generated by the response generation unit 331 to the attacking computer apparatus 3. Let

  Further, the attacked computer apparatus 2 sends an “RST + ACK” packet (SeqNO = n + 1 + X, Ack = dm + 1) to the “ACK” packet (SeqNO = m + 1, Ack = n + 1, Y byte) transmitted in step S205. It transmits toward the attacking computer apparatus 3 (step S107). The attacking computer apparatus 3 discards the “RST + ACK” packet because the connection with the attacked computer apparatus 2 is not established (not connected).

Thus, after establishing the first connection and the second connection, the communication control device 1 performs communication between the attacked computer device 2 and the communication control device 1, and communication control with the attacking computer device 3. Control of communication with the apparatus 1 is performed.
In the example shown in FIGS. 4 to 6 described above, the case where the connection establishment is started from the attacked computer apparatus 2 has been described. However, the case where the connection establishment is started from the attacking computer apparatus 3 is also described. It is the same. However, in that case, the communication control device 1 generates a sequence number (DN) in the second connection in the pseudo packet.

Next, with reference to FIG. 7, an example in which the communication control apparatus 1 transfers data by replacing the data with dummy data between the attacked computer apparatus 2 and the communication control apparatus 1 will be described.
FIG. 7 is a diagram illustrating an example of an operation when the communication control device 1 according to the present embodiment transfers dummy data.
In this figure, the state after the first connection and the second connection are established, and the initial value of the sequence number of each device is “dm + 1” for “SeqNO (DM)” and “SeqNO (N)”. In the following description, it is assumed that “n + 1”, “SeqNO (DN)” is “n + 1”, and “SeqNO (M)” is “m + 1”.

  In FIG. 7, the attacking computer device 3 first transmits an “ACK” packet (SeqNO = m + 1, Ack = n + 1, DATA1) through the second connection (step S211). In this case, it is assumed that the “ACK” packet includes, for example, α-byte data (DATA1).

  Next, with respect to the “ACK” packet (SeqNO = m + 1, Ack = n + 1, DATA1), the communication control device 1 uses the first connection to transmit the “ACK” packet (SeqNO (= DM) = dm + 1, Ack (= N) = n + 1, DMYD1) is transmitted (transferred) to the attacked computer apparatus 2 (step S111). That is, the pseudo response control unit 33 of the communication control device 1 changes the payload of the received “ACK” packet (SeqNO = m + 1, Ack = n + 1, DATA1) to dummy data (DMYD1), and the sequence in the first connection The transfer packet changed to the number and the acknowledgment number is transmitted to the attacked computer apparatus 2. The pseudo response control unit 33 switches whether to change the payload to dummy data based on the determination result determined by the packet determination unit 32. The size of the dummy data (DMYD1) is equal to the data (DATA1) and is α bytes.

  In this case, since the communication control device 1 transmits the harmless dummy data (DMYD1) to the attacked computer device 2, it prevents the attacking computer device 3 from operating the attacked computer device 2 illegally. be able to.

  The attacked computer apparatus 2 attacks the “RST + ACK” packet (SeqNO = n + 1, Ack = dm + 1) against the “ACK” packet (SeqNO = m + 1, Ack = n + 1, DATA1) transmitted in step S211. It transmits toward the side computer apparatus 3 (step S112). The attacking computer apparatus 3 discards the “RST + ACK” packet because the connection with the attacked computer apparatus 2 is not established (not connected).

  Further, the attacked computer apparatus 2 uses, for example, the first connection to the “ACK” packet (SeqNO (= DM) = m + 1, Ack (= N) = n + 1, DMYD1) transmitted in step S111. , An “ACK” packet (SeqNO = n + 1, Ack = dm + 1 + α, DATA2) is transmitted to the attacking computer apparatus 3 (step S113). In this case, it is assumed that the “ACK” packet includes, for example, β-byte data (DATA2).

  Next, for the “ACK” packet (SeqNO = n + 1, Ack = dm + 1 + α, DATA2), the communication control device 1 uses the second connection to transmit the “ACK” packet (SeqNO (= DN) = n + 1, Ack (= M) = m + 1 + α, DMYD2) is transmitted (transferred) to the attacking computer apparatus 3 (step S212). That is, the pseudo response control unit 33 of the communication control device 1 changes the payload of the received “ACK” packet (SeqNO = n + 1, Ack = dm + 1 + α, DATA2) to dummy data (DMYD2) and the sequence in the second connection. The forwarding packet changed to the number and the acknowledgment number is transmitted to the attacking computer device 3. The pseudo response control unit 33 switches whether to change the payload to dummy data based on the determination result determined by the packet determination unit 32. The size of the dummy data (DMYD2) is equal to the data (DATA2) and is β bytes.

  In this case, since the communication control device 1 transmits the harmless dummy data (DMYD2) to the attacking computer device 3, the confidential information is prevented from leaking from the attacked computer device 2 to the attacking computer device 3. be able to.

  Further, the attacking computer apparatus 3 is attacked by the “RST + ACK” packet (SeqNO = m + 1, Ack = n + 1) with respect to the “ACK” packet (SeqNO = n + 1, Ack = dm + 1 + α, DATA2) transmitted in step S113. It transmits toward the side computer apparatus 2 (step S213). The attacked computer apparatus 2 discards the “RST + ACK” packet because the connection with the attacking computer apparatus 3 is not established (not connected).

  Further, the attacking computer device 3 uses, for example, the second connection to the “ACK” packet (SeqNO (= DM) = n + 1, Ack (= M) = m + 1 + α, DMYD2) transmitted in step S212. An “ACK” packet (SeqNO = m + 1 + α, Ack = n + 1 + β) is transmitted to the attacked computer apparatus 2 (step S214).

Next, an example in which the communication control device 1 transfers raw data between the attacked computer device 2 and the communication control device 1 will be described with reference to FIG.
FIG. 8 is a diagram illustrating an example of an operation when the communication control device 1 according to the present embodiment transfers raw data.
In this figure, the state after the first connection and the second connection are established, and the initial value of the sequence number of each device is “dm + 1” for “SeqNO (DM)” and “SeqNO (N)”. In the following description, it is assumed that “n + 1”, “SeqNO (DN)” is “n + 1”, and “SeqNO (M)” is “m + 1”.

  In FIG. 8, first, the attacking computer device 3 transmits an “ACK” packet (SeqNO = m + 1, Ack = n + 1, DATA1) through the second connection (step S221). In this case, it is assumed that the “ACK” packet includes, for example, α-byte data (DATA1).

  Next, with respect to the “ACK” packet (SeqNO = m + 1, Ack = n + 1, DATA1), the communication control device 1 uses the first connection to transmit the “ACK” packet (SeqNO (= DM) = dm + 1, Ack (= N) = n + 1, DATA1) is transmitted (transferred) to the attacked computer apparatus 2 (step S121). That is, the pseudo response control unit 33 of the communication control device 1 converts the received “ACK” packet (SeqNO = m + 1, Ack = n + 1, DATA1) into a transfer packet obtained by changing the sequence number and the confirmation response number in the first connection. It transmits toward the attacked computer apparatus 2.

  Further, the attacked computer apparatus 2 attacks the “RST + ACK” packet (SeqNO = n + 1, Ack = dm + 1) against the “ACK” packet (SeqNO = m + 1, Ack = n + 1, DATA1) transmitted in step S221. It transmits toward the side computer apparatus 3 (step S122). The attacking computer apparatus 3 discards the “RST + ACK” packet because the connection with the attacked computer apparatus 2 is not established (not connected).

  Further, the attacked computer apparatus 2 uses, for example, the first connection to the “ACK” packet (SeqNO (= DM) = dm + 1, Ack (= N) = n + 1, DATA1) transmitted in step S121. , “ACK” packet (SeqNO = n + 1, Ack = dm + 1 + α, DATA2) is transmitted to the attacking computer apparatus 3 (step S123). In this case, it is assumed that the “ACK” packet includes, for example, β-byte data (DATA2).

  Next, for the “ACK” packet (SeqNO = n + 1, Ack = dm + 1 + α, DATA2), the communication control device 1 uses the second connection to transmit the “ACK” packet (SeqNO (= DN) = n + 1, Ack (= M) = m + 1 + α, DATA2) is transmitted (transferred) to the attacking computer apparatus 3 (step S222). That is, the pseudo response control unit 33 of the communication control device 1 changes the received “ACK” packet (SeqNO = n + 1, Ack = dm + 1 + α, DATA2) to the transfer packet obtained by changing the sequence number and the confirmation response number in the second connection. It transmits toward the attacking computer apparatus 3.

  Further, the attacking computer apparatus 3 is attacked by the “RST + ACK” packet (SeqNO = m + 1, Ack = n + 1) with respect to the “ACK” packet (SeqNO = n + 1, Ack = dm + 1 + α, DATA2) transmitted in step S123. It transmits toward the side computer apparatus 2 (step S223). The attacked computer apparatus 2 discards the “RST + ACK” packet because the connection with the attacking computer apparatus 3 is not established (not connected).

Further, the attacking computer device 3 uses, for example, the second connection to the “ACK” packet (SeqNO (= DM) = n + 1, Ack (= M) = m + 1 + α, DATA2) transmitted in step S222. An “ACK” packet (SeqNO = m + 1 + α, Ack = n + 1 + β) is transmitted to the attacked computer apparatus 2 (step S224).
As described above, when the content of the payload is previously known to be safe, or when extracting information from the attacked computer device 2 and the attacking computer device 3, the communication control device 1 uses the packet payload. Transfer raw data without changing to dummy data.

As described above, the communication control apparatus 1 according to the present embodiment has a higher response speed between the transmission source computer apparatus and the own apparatus than the response speed between the transmission source and transmission destination computer apparatuses. The packet detection unit 31 and the pseudo response control unit 33 are provided. The packet detection unit 31 monitors TCP packets communicated over the network and communicates between at least two computer devices (for example, the attacked computer device 2 and the attacking computer device 3) connected via the network. Detects communication packets. When the packet detection unit 31 detects a communication packet, the pseudo response control unit 33 transmits a pseudo packet generated so as to invalidate a reply packet from the transmission destination computer device to the communication packet. Is sent earlier than the reply packet.
As a result, the communication control apparatus 1 according to the present embodiment can invalidate the TCP connection between the two computer apparatuses and establish a TCP connection with the transmission source computer apparatus. Therefore, the communication control device 1 according to the present embodiment can collect information while maintaining the connection state between the two computer devices. Therefore, the communication control apparatus 1 according to the present embodiment can take measures against unauthorized communication.

For example, an unauthorized program such as spyware is installed in the attacked computer apparatus 2 in the internal LAN, and the attacker is illegally accessed by accessing the external attacking computer apparatus 3 from the internal attacked computer apparatus 2. The case where it acquires is considered. The communication control apparatus 1 according to the present embodiment is capable of communicating with both the attacked computer apparatus 2 and the attacking computer apparatus 3 while prohibiting direct communication between the attacked computer apparatus 2 and the attacking computer apparatus 3. Therefore, even in such a case, information can be collected while ensuring safety.
In other words, the communication control device 1 according to the present embodiment takes over the connection between the attacked computer device 2 and the attacking computer device 3 and constitutes both the attacked computer device 2 and the attacking computer device 3. Thus, effective information regarding the attack can be collected from both sides. Further, since direct communication between the attacked computer apparatus 2 and the attacking computer apparatus 3 is prohibited, the communication control apparatus 1 according to the present embodiment allows the attacked computer apparatus 2 infected with a malicious program to be connected to the internal LAN. It is possible to prevent attacks on other computer devices.

In this embodiment, when the pseudo response control unit 33 starts transmission of a pseudo packet when establishing a connection between two computer devices, the pseudo response control unit 33 receives a reply packet from the destination computer device. The pseudo packets generated differently are transmitted to the computer apparatus of the transmission source.
Thereby, the communication control device 1 according to the present embodiment can invalidate the connection between the two computer devices by using a simple technique, and can be configured as both of the two computer devices. In addition, since the communication control device 1 according to the present embodiment invalidates the connection when establishing the connection, it can collect information while ensuring safety from the start of communication between the two computer devices. .

In the present embodiment, the two computer devices include the attacked computer device 2 (the attacked computer device) and the attack computer device 3 (the attacking computer device). Then, the pseudo response control unit 33 invalidates the first reply packet from the attacking computer device 3 with respect to the first communication packet transmitted from the attacked computer device 2 to the attacking computer device 3. A first pseudo packet is generated. The pseudo response control unit 33 transmits the generated first pseudo packet to the attacked computer apparatus 2 and establishes a first connection between the own apparatus and the attacked computer apparatus 2. Further, the pseudo response control unit 33 invalidates the second reply packet from the attacked computer apparatus 2 in response to the second communication packet transmitted from the attacking computer apparatus 3 to the attacked computer apparatus 2. The second pseudo packet is generated. The pseudo response control unit 33 transmits the generated second pseudo packet to the attacking computer device 3 to establish a second connection between the own device and the attacking computer device 3.
As a result, the communication control device 1 according to the present embodiment can take over the connection between the attacked computer device 2 and the attacking computer device 3 and impersonate both computer devices.

In the present embodiment, the pseudo response control unit 33 establishes the first connection and the second connection, and then the payload of the third communication packet transmitted from the attacked computer apparatus 2 through the first connection. Is changed to dummy data, and the third communication packet is changed to the sequence number and the confirmation response number in the second connection, and transmitted to the attacking computer apparatus 3. In addition, after establishing the first connection and the second connection, the pseudo response control unit 33 changes the payload of the fourth communication packet transmitted from the attacking computer device 3 through the second connection to dummy data. At the same time, the fourth communication packet is changed to the sequence number and the confirmation response number in the first connection and transmitted to the attacked computer apparatus 2.
Thereby, the communication control apparatus 1 according to the present embodiment can maintain the communication state with the attacked computer apparatus 2 and the attacking computer apparatus 3 while making the content of the payload harmless. Therefore, the communication control apparatus 1 according to the present embodiment can collect information while ensuring further safety.

In addition, the communication control device 1 according to the present embodiment includes a packet determination unit 32. After establishing the first connection and the second connection, the packet determination unit 32 changes the payload of each of the third communication packet and the fourth communication packet to dummy data based on a predetermined rule. It is determined whether or not. Then, based on the determination result determined by the packet determination unit 32, the pseudo response control unit 33 determines whether or not to change each payload of the third communication packet and the fourth communication packet described above to dummy data. Switch to process.
As a result, the communication control device 1 according to the present embodiment is generated in both the attacked computer device 2 and the attacking computer device 3 when the contents of the payload are known to be safe in advance. Data can be transferred. Therefore, the communication control device 1 according to the present embodiment can reduce the probability that both computer devices detect that the communication control device 1 has taken over the connection.
Note that the communication control device 1 according to the present embodiment may transfer raw data to both computer devices, for example, at a predetermined frequency or less that can ensure safety.

Moreover, in this embodiment, the packet determination part 32 determines the content of a payload based on the determination rule which the determination rule memory | storage part 22 memorize | stores, after establishing a 1st connection and a 2nd connection. Then, the pseudo response control unit 33 changes the content of the payload based on the determination result determined by the packet determination unit 32.
Thereby, the communication control apparatus 1 according to the present embodiment can appropriately generate a pseudo packet, a transfer packet, a transmission packet, a reply packet, and the like according to the contents of the payload.

Further, the communication control device 1 according to the present embodiment includes a communication history storage unit 24 that stores a communication history.
As a result, the communication control apparatus 1 according to the present embodiment can record the communication between the two computer apparatuses. Therefore, the communication control device 1 according to the present embodiment can efficiently take measures against unauthorized communication by analyzing the communication history stored in the communication history storage unit 24.

The communication control method according to the present embodiment includes a packet detection step and a control step. In the packet detection step, the communication control device 1 monitors TCP packets communicated over the network, and detects communication packets communicated between at least two computer devices connected via the network. Then, in the control step, when the communication control device 1 detects a communication packet in the packet detection step, a pseudo packet generated so as to invalidate a reply packet from the transmission destination computer device for the communication packet. The packet is transmitted earlier than the reply packet toward the transmission source computer apparatus.
As a result, the communication control method according to the present embodiment can collect information while maintaining the connection state between the two computer devices in the same manner as the communication control device 1 described above. It can be carried out.

[Second Embodiment]
Next, a communication control device 1a according to the second embodiment will be described with reference to the drawings.
FIG. 9 is a functional block diagram illustrating an example of the communication control device 1a according to the second embodiment.
As shown in FIG. 9, the communication control device 1a includes a communication unit 10, a storage unit 20, and a control unit 30a. Note that the communication control device 1a and the network device 4 are arranged on a communication path between the attacked computer device 2 and the attacking computer device 3, as in the first embodiment.

In this figure, the same components as those shown in FIG. 1 are denoted by the same reference numerals, and the description thereof is omitted.
In the communication control device 1 of the first embodiment described above, the connection start timing is when the connection is established, whereas in the communication control device 1a of the present embodiment, the connection is established. The point which starts after is different. That is, in this embodiment, some functions of the control unit 30a are different from the control unit 30 of the first embodiment, and different functions will be described below.

The control unit 30a is, for example, a processor including a CPU and the like, and comprehensively controls the communication control device 1a. The control unit 30a includes a packet detection unit 31, a packet determination unit 32, and a pseudo response control unit 33a.
The pseudo response control unit 33a has the same function as the pseudo response control unit 33 of the first embodiment, except that the timing at which connection takeover starts is different. For example, when the pseudo-response control unit 33a starts transmission of a pseudo packet after establishing a connection between two computer devices, the pseudo-response control unit 33a generates the payload data number so that it is different from the reply packet from the destination computer device The pseudo packet is transmitted to the transmission source computer apparatus.

  For example, the pseudo response control unit 33a responds to the communication between the attacked computer apparatus 2 and the attacking computer apparatus 3 before starting the takeover of the connection, and the sequence number (N ), The sequence number (DM), the sequence number (M), and the sequence number (DN) are stored and updated. In this case, since it is before the start of connection takeover, the sequence number (DM) and the sequence number (M) are stored in the same value, and the sequence number (N) and the sequence number (DN) are equal. The value is stored. Then, the pseudo response control unit 33a receives the pseudo packet in which the number of payload data is changed so that the sequence number (DM) and the sequence number (M) become different values when starting takeover of the connection. Transmission is performed toward the attacking computer apparatus 2. Further, the pseudo response control unit 33a attacks a pseudo packet in which the number of payload data is changed so that the sequence number (N) and the sequence number (DN) become different values when starting the takeover of the connection. To the side computer device 3.

Specifically, the pseudo response control unit 33a transmits the pseudo packet payload data addressed to the attacked computer apparatus 2 to, for example, “8 bytes” and transmits the pseudo packet addressed to the attacking computer apparatus 3. The number of payload data is set to, for example, “4 bytes” and transmitted.
The pseudo response control unit 33a may generate a TCP packet by adjusting the number of payload data so that the difference between the sequence number (DM) and the sequence number (M) is equal to or greater than a predetermined threshold value. Good. Also, the pseudo response control unit 33a may generate a TCP packet by adjusting the number of payload data so that the difference between the sequence number (N) and the sequence number (DN) is equal to or greater than a predetermined threshold value. Good.

The pseudo response control unit 33 a includes a response generation unit 331 a and a transmission control unit 332.
The response generation unit 331a generates a TCP packet such as the above-described pseudo packet in addition to the function of the response generation unit 331 of the first embodiment.

Next, the operation of the communication control device 1a according to the present embodiment will be described with reference to FIG.
FIG. 10 is a diagram illustrating an example of the operation of the communication control device 1a in the present embodiment.
In this figure, after establishing a connection between the attacked computer apparatus 2 and the attacking computer apparatus 3, the communication control apparatus 1a performs the connection between the attacked computer apparatus 2 and the attacking computer apparatus 3. An example of hijacking is shown. That is, in this figure, after establishing a connection between the attacked computer apparatus 2 and the attacking computer apparatus 3, the communication control apparatus 1a is connected to the communication between the communication control apparatus 1a and the attacked computer apparatus 2. 1 shows an example of establishing a first connection and a second connection between the communication control device 1 a and the attacking computer device 3.

In FIG. 10, the attacked computer apparatus 2 and the attacking computer apparatus 3 first establish a connection.
The attacked computer apparatus 2 transmits a “SYN” packet (SeqNO = n) to the attacking computer apparatus 3 (step S301).
Next, in response to the “SYN” packet (SeqNO = n), the attacking computer apparatus 3 transmits an “SYN + ACK” packet (SeqNO = m, Ack = n + 1) to the attacked computer apparatus 2 (step) S401).

Next, the attacked computer apparatus 2 transmits an “ACK” packet (SeqNO = n + 1, Ack = m + 1) to the attacking computer apparatus 3 (step S302).
Thereby, a connection between the attacked computer apparatus 2 and the attacking computer apparatus 3 is established.
During this period, the communication control device 1a determines the sequence number (N) of the sequence management information storage unit 23 based on the TCP packet communicated between the attacked computer device 2 and the attacking computer device 3. The number (DM), sequence number (M), and sequence number (DN) are stored and updated.

Next, the communication control device 1a starts the connection hijacking when a predetermined condition for starting the connection hijacking is satisfied. The predetermined condition for starting the hijacking of the connection may be, for example, when a predetermined TCP packet determined in advance is received, or based on a command from an administrator who manages the communication control device 1a. You may start taking over.
In the example shown in this figure, it is assumed that the attacked computer apparatus 2 starts after transmitting an “ACK” packet (SeqNO = n + 1, Ack = m + 1).

  The attacked computer apparatus 2 transmits an “ACK” packet (SeqNO = n + 1, Ack = m + 1) to the attacking computer apparatus 3 (step S303). This “ACK” packet (SeqNO = n + 1, Ack = m + 1) is received by the communication control device 1a and the attacking computer device 3.

  Next, in response to the “ACK” packet (SeqNO = n + 1, Ack = m + 1), the communication control device 1a determines that the “ACK” packet (SeqNO (= DM) = m + 1, Ack (= N) = n + 1, 8 bytes) Is transmitted to the attacked computer apparatus 2 before the attacking computer apparatus 3 (step S304). This “ACK” packet (SeqNO (= DM) = m + 1, Ack (= N) = n + 1, 8 bytes) includes 8 bytes of data in the payload.

  Next, the attacked computer apparatus 2 responds to the “ACK” packet (SeqNO (= DM) = m + 1, Ack (= N) = n + 1, 8 bytes) with respect to the “ACK” packet (SeqNO = n + 1, Ack = m + 9) is transmitted (step S305). When the communication control device 1a receives this packet, the first connection is established. As a result, the communication control device 1 a can communicate with the attacked computer device 2 while impersonating the attacking computer device 3.

On the other hand, the attacking computer apparatus 3 sends an “ACK” packet (SeqNO = m + 1, Ack = n + 1) to the attacking computer apparatus 2 in response to the “ACK” packet (SeqNO = n + 1, Ack = m + 1). The data is transmitted (step S402).
Next, the communication control device 1a responds to the “ACK” packet (SeqNO = m + 1, Ack = n + 1) with respect to the “ACK” packet (SeqNO (= DN) = n + 1, Ack (= M) = m + 1, 4 bytes). Is transmitted to the attacking computer apparatus 3 before the attacked computer apparatus 2 (step S403). When the attacking computer apparatus 3 receives this packet, the second connection is established. As a result, the communication control device 1 a can communicate with the attacking computer device 3 while impersonating the attacking computer device 3.

  Further, the attacked computer apparatus 2 sends an “RST + ACK” packet (SeqNO = n + 1, Ack = m + 9) to the attacking computer in response to the “ACK” packet (SeqNO = m + 1, Ack = n + 1) transmitted in step S402. It transmits toward the apparatus 3 (step S306). The attacking computer apparatus 3 discards the “RST + ACK” packet since the connection with the attacked computer apparatus 2 is not established (not connected).

Further, the attacking computer apparatus 3 sends an “RST + ACK” packet (SeqNO = m + 1, Ack = n + 5) to the attacked computer in response to the “ACK” packet (SeqNO = n + 1, Ack = m + 9) transmitted in step S305. It transmits toward the apparatus 2 (step S404). Since the attacked computer device 2 is in a state where the connection with the attacking computer device 3 is not established (not connected), the “RST + ACK” packet is discarded.
Further, since the subsequent processing is the same as that of the communication control device 1 in the first embodiment, the description thereof is omitted here.

  In the example illustrated in FIG. 10 described above, the case where connection hijacking is started with respect to the TCP packet from the attacked computer apparatus 2 is described. However, the connection hijacking is started with respect to the TCP packet from the attacking computer apparatus 3. The same applies to the case where it is performed.

As described above, the communication control device 1a according to the present embodiment includes the pseudo response control unit 33a. When the pseudo response control unit 33a starts transmission of the pseudo packet after establishing the connection between the two computer devices, the pseudo response control unit 33a generates the pseudo packet generated so that the reply packet from the destination computer device and the number of payload data are different. The packet is transmitted to the transmission source computer apparatus.
As a result, the communication control device 1a according to the present embodiment can take measures against unauthorized communication as in the first embodiment. Further, the communication control device 1a according to the present embodiment can invalidate the connection between the two computer devices by a simple method and can be configured as both of the two computer devices. Further, the communication control device 1a according to the present embodiment can invalidate the connection even when the connection has already been established.

In this embodiment, the pseudo response control unit 33a determines that the difference between the sequence number (DM) of the communication control device 1a in the first connection and the sequence number (M) of the attacking computer device 3 is a predetermined threshold value. As described above, a TCP packet is generated by changing (adjusting) the number of payload data. Further, the pseudo response control unit 33a causes the difference between the sequence number (N) of the attacked computer apparatus 2 and the sequence number (DN) of the communication control apparatus 1a in the second connection to be equal to or greater than a predetermined threshold value. In addition, a TCP packet is generated by adjusting the number of payload data.
As a result, the communication control device 1a according to the present embodiment can reduce the possibility that the attacked computer device 2 and the attacking computer device 3 will accidentally establish a connection. Therefore, the communication control device 1a according to the present embodiment can collect information while further ensuring safety.

[Third Embodiment]
Next, a communication control device 1b according to a third embodiment will be described with reference to the drawings.
FIG. 11 is a functional block diagram showing an example of the communication control device 1b according to the third embodiment.
As illustrated in FIG. 11, the communication control device 1b includes a communication unit 10, a storage unit 20, and a control unit 30b. Note that the communication control device 1b and the network device 4 are arranged on a communication path between the attacked computer device 2 and the attacking computer device 3, as in the first and second embodiments.

In this figure, the same components as those shown in FIG. 1 are denoted by the same reference numerals, and the description thereof is omitted.
The communication control device 1b of the present embodiment is different in that it starts after a connection is established. That is, in the present embodiment, some functions of the control unit 30b are different from the control unit 30 of the first embodiment, and different functions will be described below.

  The control unit 30b is, for example, a processor including a CPU and the like, and comprehensively controls the communication control device 1b. In addition, the control unit 30a includes a packet detection unit 31, a packet determination unit 32, a pseudo response control unit 33, and a removal processing unit 34. In addition, the control part 30b in this embodiment differs from the control part 30 in 1st Embodiment in the point provided with the process part 34 for removal.

The removal processing unit 34 executes a process of isolating the attacked computer apparatus 2 and removing the malicious program when a dangerous sign of the unauthorized program of the attacked computer apparatus 2 is detected. The removal processing unit 34, for example, if the content of the TCP packet from the attacked computer apparatus 2 to the attacking computer apparatus 3 includes “GET / HTTP / 1.1”, a dangerous sign of a malicious program It is determined that The removal processing unit 34 determines whether or not “GET / HTTP / 1.1” is included in the content of the packet based on the determination result of the packet determination unit 32.
When “GET / HTTP / 1.1” is included, the removal processing unit 34 transmits a TCP packet including “HTTP / 1.1 301 Moved Permanently” to the attacked computer apparatus 2. As a result, the attacked computer apparatus 2 is isolated by forcibly connecting to a secure server apparatus in the internal LAN, for example. Further, the removal processing unit 34 transmits a TCP packet including “GET / HTTP / 1.1” to the attacking computer device 3 through the second connection, for example, collects malicious content and performs communication. The history storage unit 24 stores the communication history.

  Next, the operation of the communication control device 1b in the present embodiment will be described with reference to FIG. Since the basic operation of the communication control apparatus 1b in the present embodiment is the same as that of the communication control apparatus 1 in the first embodiment, the description thereof is omitted here. Here, an example of an operation when the communication control device 1b detects a dangerous sign of the attacked computer device 2 will be described.

FIG. 12 is a diagram illustrating an example of the operation of the communication control device 1b in the present embodiment.
In this figure, it is the state after establishing the first connection and the second connection.
In the example shown in FIG. 12, the attacked computer apparatus 2 first transmits an “ACK” packet (GET / HTTP / 1.1 HOST: evik.example.com) to the attacking computer apparatus 3 (step S501). . Here, the attacked computer apparatus 2 is in a state of trying to connect to “evik.example.com” which is a dangerous Web site.

  Next, in response to the “ACK” packet (GET / HTTP / 1.1 HOST: evik.example.com), the communication control device 1 b receives the “ACK” packet (HTTP / 1.1 301 Moved Permanently Location: www.example.com). Is transmitted to the attacked computer apparatus 2 through the first connection (step S502). That is, the communication control device 1b transfers and isolates the attacked computer device 2 to a server device (www.example.com) in a secure internal LAN. Here, it is possible for the server device (www.example.com) to remove the malicious program by causing the attacked computer device 2 to download the malicious program removal software, for example.

Further, the communication control device 1b transmits an “ACK” packet (GET / HTTP / 1.1 HOST: evik.example.com) to the attacking computer device 3 through the second connection (step S601).
The attacking computer device 3 transmits an “ACK” packet (HTTP / 1.1 200 OK) through the second connection (step S602), and further transmits an “ACK” packet (malicious content) through the second connection. (Step S603).

  The communication control device 1b receives the “ACK” packet (malicious content) from the attacking computer device 3 through the second connection, and collects the malicious content.

As described above, when the communication control device 1b according to the present embodiment detects a dangerous sign of a malicious program of the attacked computer device 2, the computer on which the attacked computer device 2 is confirmed to be safe in advance. A disinfection processing unit 34 is provided that is connected to the apparatus for isolation.
Thereby, since the attacked computer apparatus 2 is isolated safely, the communication control apparatus 1b according to the present embodiment can collect information from the attacking computer apparatus 3 while ensuring further safety.

The present invention is not limited to the above embodiments, and can be modified without departing from the spirit of the present invention.
For example, in each of the above-described embodiments, the case where each of the embodiments is implemented alone has been described. However, the present invention is not limited to this, and a plurality of the above-described embodiments may be combined and implemented. May be.

In each of the above embodiments, the communication control device 1 (1a, 1b) is connected to the network via the network device 4. However, the communication control device 1 (1a, 1b) is connected to the network device 4. The structure containing these may be sufficient.
Further, in each of the above-described embodiments, the communication control device 1 (1a, 1b) has described an example in which communication between one attacked computer device 2 and one attacking computer device 3 is controlled. However, the present invention is not limited to this. For example, the communication control device 1 (1a, 1b) may control communication between the plurality of attacked computer devices 2 and the plurality of attacking computer devices 3.

  In each of the above-described embodiments, the communication control device 1 (1a, 1b) has been described with an example in which the packet detection unit 31 and the packet determination unit 32 are provided separately from the pseudo response control unit 33 (33a). The pseudo response control unit 33 (33a) may include one or both of the packet detection unit 31 and the packet determination unit 32. Similarly, the pseudo response control unit 33 may include a removal processing unit 34. Further, the communication control device 1 (1a, 1b) may be configured by distributing each functional unit to a plurality of devices (for example, a plurality of computer devices).

  Further, in each of the above embodiments, when the TCP packet changed to dummy data is transferred, the example of changing to dummy data having the same size as the data before the change has been described, but the communication control device 1 (1a, 1b) However, the present invention is not limited to this. For example, the dummy data may have a different size from the data before the change. In this case, the dummy data includes the case of 0 bytes (no data).

Each configuration included in the above-described communication control device 1 (1a, 1b) has a computer system therein. And the program for implement | achieving the function of each structure with which the communication control apparatus 1 (1a, 1b) mentioned above is provided is recorded on a computer-readable recording medium, and the program recorded on this recording medium is read into a computer system. The processing in each configuration included in the communication control device 1 (1a, 1b) described above may be performed by executing. Here, “loading and executing a program recorded on a recording medium into a computer system” includes installing the program in the computer system. The “computer system” here includes an OS and hardware such as peripheral devices.
Further, the “computer system” may include a plurality of computer devices connected via a network including a communication line such as the Internet, WAN, LAN, and dedicated line. The “computer-readable recording medium” refers to a storage device such as a flexible medium, a magneto-optical disk, a portable medium such as a ROM and a CD-ROM, and a hard disk incorporated in a computer system. As described above, the recording medium storing the program may be a non-transitory recording medium such as a CD-ROM.

  The recording medium also includes a recording medium provided inside or outside that is accessible from the distribution server in order to distribute the program. It should be noted that after the program is divided into a plurality of parts and downloaded at different timings, the combination of the respective components included in the communication control device 1 (1a, 1b) and the distribution server that distributes each of the divided programs are different. May be. Furthermore, the “computer-readable recording medium” holds a program for a certain period of time, such as a volatile memory (RAM) inside a computer system that becomes a server or a client when the program is transmitted via a network. Including things. The program may be for realizing a part of the functions described above. Furthermore, what can implement | achieve the function mentioned above in combination with the program already recorded on the computer system, and what is called a difference file (difference program) may be sufficient.

  Moreover, you may implement | achieve part or all of the function mentioned above as integrated circuits, such as LSI (Large Scale Integration). Each function described above may be individually made into a processor, or a part or all of them may be integrated into a processor. Further, the method of circuit integration is not limited to LSI, and may be realized by a dedicated circuit or a general-purpose processor. Further, in the case where an integrated circuit technology that replaces LSI appears due to progress in semiconductor technology, an integrated circuit based on the technology may be used.

1, 1a, 1b Communication control device 2 Attacked computer device 3 Attacking computer device 4 Network device 10 Communication unit 20 Storage unit 21 Detection target storage unit 22 Judgment rule storage unit 23 Sequence management information storage unit 24 Communication history storage unit 30 , 30a, 30b Control unit 31 Packet detection unit 32 Packet determination unit 33, 33a Pseudo response control unit 34 Disinfection processing unit 331, 331a Response generation unit 332 Transmission control unit

Claims (8)

A communication control device arranged such that the response speed between the transmission source computer device and the own device is faster than the response speed between the transmission source and the transmission destination two computer devices,
A packet detector that monitors TCP packets communicated over a network and detects communication packets communicated between at least two computer devices connected via the network;
When the packet detection unit detects the communication packet, the pseudo packet generated so as to invalidate the reply packet from the transmission destination computer apparatus for the communication packet is transmitted to the transmission source computer apparatus. A communication control device comprising: a control unit. The controller is
When starting transmission of the pseudo packet when establishing a connection between the two computer devices, the pseudo packet generated so that a sequence number is different from the reply packet from the destination computer device, The communication control device according to claim 1, wherein transmission is performed toward the transmission source computer device. The controller is
When the transmission of the pseudo packet is started after establishing a connection between the two computer devices, the pseudo packet generated so that the number of payload data is different from the reply packet from the destination computer device. The communication control apparatus according to claim 1, wherein the communication control apparatus is configured to transmit to the transmission source computer apparatus. The two computer devices include an attacked computer device and an attacking computer device,
The controller is
In order to invalidate the first reply packet from the attacking computer device for the first communication packet transmitted from the attacked computer device to the attacking computer device, the first pseudo packet is Generating and transmitting the generated first pseudo packet toward the attacked computer device to establish a first connection between the own device and the attacked computer device,
A second pseudo packet so as to invalidate a second reply packet from the attacked computer device in response to a second communication packet transmitted from the attacking computer device to the attacked computer device; And the second pseudo packet thus generated is transmitted to the attacking computer apparatus to establish a second connection between the own apparatus and the attacking computer apparatus. The communication control device according to any one of claims 1 to 3. The controller is
After establishing the first connection and the second connection, the payload of the third communication packet transmitted from the attacked computer device by the first connection is changed to dummy data, and the first connection 3 communication packet is changed to the sequence number and the acknowledgment number in the second connection, and sent to the attacking computer device,
After establishing the first connection and the second connection, the payload of the fourth communication packet transmitted from the attacking computer apparatus by the second connection is changed to dummy data, and the fourth connection The communication control apparatus according to claim 4, wherein the communication packet is changed to a sequence number and an acknowledgment number in the first connection and transmitted to the attacked computer apparatus. Whether the payload of each of the third communication packet and the fourth communication packet is changed to dummy data based on a predetermined rule after establishing the first connection and the second connection. A determination unit for determining whether or not
The controller is
The switching of whether to change each payload of said 3rd communication packet and said 4th communication packet to dummy data based on the determination result which said determination part determined is characterized by the above-mentioned. The communication control device described. A communication control device arranged so that a response speed between the transmission source computer apparatus and the own apparatus is faster than a response speed between the transmission source and the transmission destination two computer apparatuses is communicated over the network. A packet detection step of monitoring a TCP packet and detecting a communication packet communicated between at least two computer devices connected via the network;
When the communication control device detects the communication packet in the packet detection step, a pseudo packet generated so as to invalidate a reply packet from a destination computer device for the communication packet A communication control method comprising: a control step of transmitting the information to a computer device. A computer of a communication control device arranged so that the response speed between the transmission source computer apparatus and the own apparatus is faster than the response speed between the transmission source and the transmission destination two computer apparatuses;
A packet detection step of monitoring a TCP packet communicated over a network and detecting a communication packet communicated between at least two computer devices connected via the network;
When the communication packet is detected in the packet detection step, the pseudo packet generated so as to invalidate the reply packet from the transmission destination computer apparatus for the communication packet is transmitted to the transmission source computer apparatus. And a program for executing the control step.

Images