JP6623702B2 - A network monitoring device and a virus detection method in the network monitoring device. - Google Patents

Description

The present invention relates to a network monitoring device and a virus detection method in the network monitoring device.

  UTM (Unified Threat Management), in which multiple security functions such as virus detection are housed in one case, is installed at the boundary between a corporate LAN (Local Area Network) and an external network such as the Internet, for example. And a network monitoring device used as a security gateway.

  By the way, there are two types of virus detection systems. One is a method called a proxy method, which constructs a file from a packet and performs virus detection. The other method is called a stream method, which is a method of detecting a virus on a packet basis.

  The proxy method performs virus detection on a file-by-file basis, and thus has a high virus detection rate. However, since a file is constructed after buffering packets once, a large amount of memory resources are required and the time required for virus detection is long. On the other hand, the stream method performs virus detection on a packet-by-packet basis, so virus detection of a large amount of data can be performed in a short time. On the other hand, it functions as a virus that extends between packets, that is, a virus when a file is constructed. Virus cannot be detected.

  For this reason, the conventional network monitoring device has to operate in either one of the setting of the proxy method with priority on security or the setting of the proxy method with priority on performance such as processing speed. . Thus, either security or performance is sacrificed.

  For this reason, for example, Patent Document 1 proposes a reproducing apparatus that can change a security level according to a user's intention and that can efficiently check a virus when executing general-purpose software or the like.

JP-A-2006-85816

  According to the technology disclosed in Patent Literature 1, a playback device capable of performing a virus check in a plurality of stages is described. However, a user sets the security level and stores the security level in advance in the playback device. When executing the set software, an authentication operation according to the set security level is performed. Therefore, the security level cannot be dynamically changed according to the usage scene.

  The present invention has been made to solve the above-described problem, and has as its object to provide a network monitoring device capable of dynamically changing a security level according to a use scene and a virus detection method in the network monitoring device.

  In order to solve the above problems, a network monitoring device and a virus detection method in the network monitoring device of the present invention provide the following solutions.

(1) A first aspect according to the present invention is a network monitoring device, wherein a storage unit for storing a plurality of access destinations, and a category to which content provided by the plurality of access destinations belongs is restricted and access is prohibited. A first determining unit that determines whether or not access has been performed by referring to the storage unit or an external server connected via a network, and an access destination that has been determined by the first determining unit that access is not prohibited. Receiving the content provided by the second determination unit and determining whether the category to which the content belongs is dangerous or safe, and a third determination unit determining the file type of the content determined to be safe by the second determination unit When, determined file type by the content or the third judging unit belonging to the determined risk category by the second determination unit Is provided with a detection unit for detecting a virus of the content, the detection unit, the detection method of the virus, a switchable first detection system and the second detection method, the access by the second determination unit If the category to which the previous content belongs is determined to be dangerous, or if the third determination unit determines that the file type of the content to be accessed does not require real-time property, the virus is detected by the first detection method. When the third determination unit determines that real-time processing is required, the detection is performed by the second detection method .

(2) The present invention also provides the network monitoring device according to (1) , wherein the first detection method is a proxy method of constructing a file from a packet to detect a virus, and the second detection method is performed in packet units. And a stream system for detecting viruses.

(3) Further , according to the present invention, in the network monitoring device according to (1) or (2) , the third determination unit provides the access destination when the file type of the access destination is a moving image or a sound. It is characterized in that it is determined that the content has real-time properties.

(4) A second aspect according to the present invention relates to a virus detection method in a network monitoring device , wherein a category to which contents provided by a plurality of access destinations stored in a storage unit belong is restricted and access is prohibited. A first step of determining whether or not the access is made by referring to an external server connected via the storage unit or the network; and an access destination for which it is determined that the access is not prohibited in the first step. A second step of receiving the content to be provided and determining whether the category to which the content belongs is dangerous or safe; and a third step of determining the file type of the content determined to be safe in the second step. The content belonging to the category determined to be dangerous in the second step or the file in the third step. And a fourth step of detecting a virus of the content whose type has been determined, wherein the fourth step is capable of switching the detection method of the virus between a first detection method and a second detection method. If the category to which the content of the access destination belongs is determined to be dangerous in the second step, or if the file type of the content of the access destination does not require real-time processing in the third step, Is detected by the first detection method, and when it is determined in the third step that real-time processing is required, the detection is performed by the second detection method.

  According to the present invention, it is possible to provide a network monitoring device capable of dynamically changing a security level according to a use scene and a virus detection method in the network monitoring device.

FIG. 1 is a diagram showing a configuration of a system including a network monitoring device according to an embodiment of the present invention and an operation sequence thereof. 5 is a flowchart showing a basic processing flow of the network monitoring device according to the embodiment of the present invention. FIG. 1 is a block diagram illustrating a configuration of a network monitoring device according to an embodiment of the present invention. 5 is a flowchart illustrating a detailed processing flow of the network monitoring device according to the embodiment of the present invention. It is the operation | movement conceptual diagram quoted for demonstrating the procedure of the virus check by a proxy system, and the virus check by a stream system.

  Hereinafter, an embodiment for carrying out the present invention (hereinafter, referred to as an embodiment) will be described in detail with reference to the accompanying drawings. Note that the same elements are denoted by the same reference numerals throughout the description of the embodiments.

(Configuration of the embodiment)
As shown in FIG. 1, the network monitoring system includes a network monitoring device (UTM10) according to the present embodiment, a plurality of user terminals (PCs 20), and an access destination URL (Uniform Resource Locator) stored in the UTM10. It comprises a plurality of content servers 40 and an external server 50 that performs a category check of the content provided by the content server 40. The UTM 10, the plurality of content servers 40, and the external server 50 are all connected to the Internet 30 (network), and the PC 20 is connected to the Internet 30 via the UTM 10 functioning as a security gateway.

  The schematic operation sequence and basic operation flow of the network monitoring system will be described with reference to FIGS.

  First, when the PC 20 connects to the Internet using HTTP (Hyper Text Transfer Protocol), the UTM 10 performs virus detection (a in FIG. 1). In response to this, the UTM 10 acquires the URL of the access destination with reference to the built-in DB (storage unit 100 described later), and performs a category check of the URL of the access destination by the implemented URL filtering function (FIG. 2). Step S10). Here, if the content is provided by a site whose access is restricted, such as a site that is not related to the business of the company in which the UTM 10 is installed, such as an adult, a gambling game, or the like, the access is terminated.

  The UTM 10 further requests the category check of the URL of the access destination using the external server 50 (b in FIG. 1), and receives the result of the category check of the URL of the access destination from the external server 50 (c in FIG. 1). , Step S20 in FIG. 2). Here, if the URL of the access destination belongs to the prohibited category, the access is terminated. Subsequently, the UTM 10 accesses the content server 40 of the URL of the access destination by HTTP (Hyper Text Transfer Protocol) (d in FIG. 1 and step S30 in FIG. 2), and receives the requested content from the corresponding content server 40 ( In step e40 of FIG. 1, the category and file type of the received content are determined (step S40 in FIG. 2).

  Finally, when the category of the URL of the access destination is determined to be dangerous, and when it is determined that the security and the content do not require real-time properties, the UTM 10 selects a proxy method for building a file from a packet and detecting a virus. On the other hand, if it is determined that the content is a content that requires security and real-time property, a virus check method based on a stream method for detecting a virus in packet units is selected (step S50 in FIG. 2). Then, a virus check is performed according to each method, and based on the result, the content and the virus detection result are provided to the PC 20 (f in FIG. 1).

  As shown in FIG. 3, the UTM 10 according to the present embodiment has, for example, a microprocessor as a control center, implements a peripheral LSI for data transmission and reception including a memory, and the microprocessor operates according to a program stored in the memory. The basic processing contents shown in FIG. 2 are executed by controlling the LSI. For this reason, the UTM 10 includes a storage unit 100, a first determination unit 101, a second determination unit 102, a third determination unit 103, and a detection unit 104.

  The storage unit 100 stores a plurality of access destination URLs. The first determination unit 101 is connected via the storage unit 100 and / or the network (the Internet 30) in FIG. 1 as to whether or not the category of the content provided by the plurality of access destinations (the content server 40) is a restriction target. The determination is made with reference to the external server 50.

  The second determination unit 102 receives the content provided by the access destination determined by the first determination unit 101 not to be restricted, and determines whether the category to which the content belongs is dangerous or safe. If the category of the access destination is adult or criminal, the second determination unit 102 determines that the access destination is dangerous.

  The third determination unit 103 determines the file type of the content determined to be safe by the second determination unit 102, and determines whether the content is real-time content. The third determination unit 103 determines that the content provided by the access destination has a real-time property when the file type of the access destination is a moving image or a sound.

  The detection unit 104 detects a virus of the content determined to be accessible by the second determination unit 102 or the third determination unit 103. The detection unit 104 determines a virus detection method according to a category and / or a file type of a content provided by an access destination, a proxy method (a first detection method) for building a file from a packet and detecting a virus, and a packet detection method. Switch to the stream method (second detection method) that detects viruses on a per-unit basis.

  The detection unit 104 detects the virus by the proxy method when the category of the access destination is determined to be dangerous by the second determination unit 102, and further determines the access destination by the third determination unit 103 when it is determined to be safe. The file type is determined. If it is determined from the determined file type that real-time property is required, detection is performed by the stream method. If it is determined that real-time property is not required, detection is performed by the proxy method.

  Note that the first determination unit 101 may store the content provided by the access destination determined to be the restriction target for a certain period of time, and thereafter, may prohibit the detection unit 104 from detecting the virus for the content for a certain period of time.

(Operation of the embodiment)
Hereinafter, the operation of the UTM 10 according to the present embodiment illustrated in FIG. 2 will be described in detail with reference to the flowchart in FIG. 4 and the operation conceptual diagram in FIG.

  In the UTM 10, first, the first determination unit 101 acquires the URL information of the access destination stored in the storage unit 100 (step S101), and corresponds to the URL of the access destination by referring to the storage unit 100 (in-apparatus DB). A category check of the content provided by the content server 40 to be performed is performed (step S102). Here, when it is determined that the content belongs to the category of the access restriction target (step S103 “YES”), the UTM 10 thereafter prohibits the access to the content server 40, and informs the user (PC 20) that the access is prohibited. ) (Step S114).

  On the other hand, when it is determined that the access destination does not belong to the category (step S103 “NO”), the first determination unit 101 further refers to the external server 50 to check the category of the URL of the access destination (step S103). S104). Upon receiving the result of the category check of the URL of the access destination from the external server 50, the first determination unit 101 determines whether the content provided by the content server 40 corresponding to the URL of the access destination belongs to the category of the access restriction target. Is determined (step S105).

  Here, when it is determined that the content belongs to the category of the access restriction (step S105 “YES”), the first determination unit 101 subsequently prohibits the access to the content server 40, and prohibits the access. Is notified to the user (PC 20) (step S114). On the other hand, if it is determined that the content does not belong to the category of the access restriction (step S105 “NO”), the first determination unit 101 performs an HTTP connection to the corresponding content server 40 using the URL of the access destination, The corresponding content is received (step S106).

  Here, the UTM 10 transfers the control from the first determination unit 101 to the second determination unit 102. The second determination unit 102 determines whether the category of the received content is dangerous (step S107). The second determination unit 102 determines that the access destination is dangerous when the content category provided by the content server 40 corresponding to the access destination URL is adult or criminal. Here, when it is determined that there is danger (“YES” in step S107), the control is transferred to the detection unit 104. The detection unit 104 executes a virus detection by a security-oriented proxy method that constructs a file from a packet and detects a virus according to the determination result (belonging to a dangerous category) of the second determination unit 102 (step S110).

  On the other hand, if the category of the received content does not belong to the adult type or the criminal type and is determined to be safe (“NO” in step S107), the UTM 10 causes the second determination unit 102 to control the third determination unit 103. Move. The third determination unit 103 checks the file type of the received content, and determines from the file type whether the content is real-time content such as, for example, moving image content or audio content (step S108). Here, if it is determined that the content has real-time properties (“YES” in step S108), the control is transferred to the detection unit 104.

  The detecting unit 104 executes a virus check method based on a stream system that emphasizes performance, in which a virus is detected in packet units for the content determined to have real-time properties by the third determining unit 103 (step S109). For the content determined not to have the real-time property (“NO” in step S108), a virus check is executed by a security-oriented proxy method that detects a virus by constructing a file from a packet (step S110). .

  FIG. 5 (a) shows the procedure of virus check (step S110) by the proxy method, and FIG. 5 (b) shows the concept of operation of the virus check (step S109) by the stream method. In any method, a memory and a search engine are required as hardware resources for the detection unit 104 to perform a virus check.

  As shown in FIG. 5A, according to the proxy method, the detecting unit 104 decomposes the packet from the file (Step S110a), stores the packet in a predetermined amount of memory (Step S110b), and reconstructs the packet. (Step S110c). Then, the search engine performs a virus check on the file (step S110d), breaks it down into packets, and transmits them (step S110e). For this reason, there are disadvantages that a lot of resources are required for reconstructing the packet, and the size of the file that can be checked is limited. However, the security performance is higher than the stream method.

  On the other hand, as shown in FIG. 5B, according to the stream method, the file is decomposed into packets (step S109a), and the packets are sequentially stored in the memory (step S109b), and the search engine reads the packets read from the memory in units. Then, a virus check is performed (step S109c) and transmitted (step S109d). For this reason, there is an advantage that a virus check independent of a file size can be performed, there are many protocols to be checked, and a check speed is high. However, the security performance is lower than the proxy method.

  The description returns to the flowchart of FIG. As a result of the virus check by the stream method or the proxy method by the detection unit 104, it is determined whether or not the received content contains a virus. If a virus is not detected (step S111 “NO”), the detection unit 104 transmits the content to the PC 20 (step S112). If a virus is detected (step S111 “YES”), the detection unit 104 transmits the content to the PC 20. Is prohibited, and the user is notified that a virus has been detected (step S113).

  Although not shown in the flowcharts of FIGS. 2 and 4, the first determination unit 101 stores the content (index) provided by the access destination determined to be the restriction target in the storage unit 100 for a certain period of time. Alternatively, a learning process of prohibiting virus detection by the detection unit 104 on the content for a certain period may be performed. As a result, unnecessary processing for virus detection by the detection unit 104 can be omitted, and resources can be effectively used. In addition, according to the network monitoring device (UTM10) according to the present embodiment, contents belonging to adult or criminal are classified as dangerous categories, but can be sorted by the domain of the URL of the access destination.

(Effects of the embodiment)
As described above, according to the network monitoring device (UTM10) according to the present embodiment, it is determined whether or not a category of a URL of a plurality of access destinations is a restriction target, and an access determined to be not a restriction target is determined. When the content provided by the destination is received and the category to which the content belongs is determined to be safe, the content is switched between the first detection method (proxy method) and the second detection method (stream method) based on the file type of the content. Specifically, in the case of real-time content such as video and audio, a virus detection method that prioritizes performance and a proxy method that detects a virus by building a file from packets are selected, and real-time characteristics are not required. In this case, switch to the stream method that detects viruses on a packet basis.

  Therefore, according to the network monitoring device (UTM10) according to the present embodiment, the virus detection method can be dynamically switched according to the usage scene, and the security level is changed according to whether the site is safe or not. A secure site can detect viruses relatively quickly. In particular, a site that required a lot of time to actually start processing video content that requires real-time playback and download of content with a relatively large file size was changed to a secure site. Only when is the stress applied to the user can be eliminated.

  As described above, the present invention has been described using the embodiment, but it is needless to say that the technical scope of the present invention is not limited to the scope described in the above embodiment. It is apparent to those skilled in the art that various changes or improvements can be made to the above embodiment. It is apparent from the description of the claims that the embodiments with such changes or improvements can be included in the technical scope of the present invention. In the above embodiments, the network monitoring system (UTM10) has been described with the present invention as a product invention, but the present invention can also be considered as a method invention (a virus detection method in a network monitoring device).

  In this case, for example, the virus detection method is applied to the network monitoring device (UTM10) shown in FIGS. 1 and 2 and the plurality of access destinations stored in the storage unit 100 are used as shown in the flowchart of FIG. First Step (Steps S102 and S104) of Determining Whether the Category of the Provided Content Is Restricted with Reference to the Storage Unit 100 or the External Server 50 Connected via the Network (Internet 30) Receiving a content provided by the access destination determined not to be restricted in the first step, and determining whether a category to which the content belongs is dangerous or safe (step S107); A third step of determining a file type of the content determined to be safe in the second step; (Step S108), and a fourth step (Step S111) of detecting a virus of the content determined to be accessible in the second step or the third step. Switches the detection method of the virus between a first detection method and a second detection method according to a category and / or a file type of the content provided by the access destination (step S109, step S110). I do.

  According to the virus detection method in the network monitoring device according to the present embodiment, the security level can be dynamically changed according to the usage scene.

  Reference Signs List 10 network monitoring device (UTM), 20 user terminal (PC), 30 network (Internet), 40 content server, 50 external server, 100 storage unit, 101 first determination unit, 102 second determination unit, 103 third determination unit , 104 detector

Claims (4)

A network monitoring device,
A storage unit for storing a plurality of access destinations,
A first determination unit that determines whether a category to which the content provided by the plurality of access destinations belongs is restricted and access is prohibited by referring to the storage unit or an external server connected via a network; ,
A second determination unit that receives a content provided by an access destination determined that access is not prohibited by the first determination unit and determines whether a category to which the content belongs is dangerous or safe;
A third determination unit that determines a file type of the content determined to be safe by the second determination unit;
A detection unit that detects a virus of the content belonging to a category determined to be dangerous by the second determination unit or a virus of the content whose file type is determined by the third determination unit,
The detection unit, the detection method of the virus, a switchable to the first detection method and a second detecting method, when the category of the content belongs in the access destination by the second determination unit determines that dangerous or said When the third determining unit determines that the file type of the content of the access destination does not require real-time property, the virus is detected by the first detection method, and the third determining unit determines that the real-time property is required. If detected , the network monitoring device detects by the second detection method . 2. The method according to claim 1, wherein the first detection method is a proxy method for detecting a virus by constructing a file from a packet, and the second detection method is a stream method for detecting a virus in a packet unit. The network monitoring device according to the above. 3. The method according to claim 1, wherein the third determination unit determines that the content provided by the access destination has real-time properties when the file type of the access destination is a moving image or a sound . 4. Network monitoring device. A method for detecting a virus in a network monitoring device, comprising:
  It is determined with reference to the storage unit or an external server connected via a network whether or not the category to which the content provided by the plurality of access destinations stored in the storage unit belongs is a target to be restricted and access is prohibited. A first step;
Receiving the content provided by the access destination determined that the access is not prohibited in the first step, and determining whether the category to which the content belongs is dangerous or safe;
A third step of determining a file type of the content determined to be safe in the second step;
A fourth step of detecting a virus of the content belonging to the category determined to be dangerous by the second step or a virus of the content whose file type is determined by the third step.
In the fourth step, the detection method of the virus can be switched between a first detection method and a second detection method, and when the category to which the content of the access destination belongs is determined to be dangerous by the second step, Alternatively, if it is determined in the third step that the file type of the content of the access destination does not require the real-time property, the virus is detected by the first detection method, and the real-time property is required in the third step. A method for detecting a virus in a network monitoring device, wherein if the determination is made, detection is performed by the second detection method.

Images