JP7041506B2 - Communication device protection program - Google Patents

Description

The present invention relates to a communication device protection program that protects communication devices connected to an insecure network.

With the progress of information and communication technology, IoT (Internet of Things), which connects devices such as sensors and actuators installed in fields such as farms, factories, and homes to a network to monitor and control them, is becoming widespread. The field system server on the cloud communicates with the device to collect the information acquired by the sensor and control the actuator.

When the device and the field system server communicate directly with each other, there may be a problem that communication delay occurs and communication cost increases. In order to solve such a problem, a form of edge computing in which a gateway (edge server) is installed in the field where the device is installed and the device is managed via the gateway is also attracting attention. The gateway reports the operating status of the device to the field system server, aggregates the data acquired by the sensor and sends it to the field system server, and translates the instructions from the field system server into the instructions of each actuator and sends them. ..

Since communication devices such as devices and gateways are connected to the Internet, they may be subject to cyber attacks such as DoS (Denial of Service) attacks and virus infections. Firewalls and antivirus software are widely used as countermeasures against cyber attacks on Internet servers and personal computers (see Non-Patent Document 1).

Information-technology Promotion Agency, Japan, "Countermeasures against targeted cyber attacks," February 10, 2014, [online], [Search on November 6, 2017], Internet <URL: https://www.ipa.go .jp / security / event / 2013 / isec-semi / documents / 2013videosemi_targeted_cyber_attacks_v1a.pdf ＞

Since communication devices are installed in the field, the operating environment such as power supply, temperature, and dust is significantly different from existing servers and personal computers, and it is expected that embedded devices will be adopted. For this reason, there are large restrictions on resources such as the CPU (Central Processing Unit) and storage capacity, and it is difficult to introduce countermeasures against existing cyber attacks.
In addition, since the types of devices are diverse, the gateways that communicate with the devices are also diverse, and when trying to introduce security measures for each communication device (OS (Operating System) and application (communication specifications) of the communication device). However, there is a problem that the introduction cost and the introduction period increase.

The present invention has been made in view of such a background, and it is an object of the present invention to provide a communication device protection program that supports various communication devices and enables countermeasures against cyber attacks.

In order to solve the above-mentioned problems, the invention according to claim 1 operates a first virtual machine that communicates with a computer provided with a physical communication controller that transmits / receives data to / from a network with an external device connected to the network. The hypervisor functions as a second virtual machine operating on the hypervisor, and the hypervisor is used to transfer communication data from the first virtual machine to the external device from the first virtual machine to the second virtual machine. As a virtual switch that relays to a virtual machine and relays communication data from the external device to the first virtual machine from the second virtual machine to the first virtual machine after the second virtual machine receives the communication data. The second virtual machine is made to function, and the communication data from the first virtual machine relayed by the virtual switch to the external device is directly output to the physical communication controller without going through the hypervisor. A communication device protection program for functioning as a virtual network control unit that receives communication data from an external device to the first virtual machine directly from the physical communication controller without going through the hypervisor and outputs it to the virtual switch. did.

According to the present invention, it is possible to provide a communication device protection program that supports various communication devices and enables countermeasures against cyber attacks.

It is a figure which illustrates the whole structure of the remote control system including the device which concerns on this embodiment. It is a figure which shows the data structure example of the outgoing communication accumulation amount table which concerns on this embodiment. It is a figure which shows the data structure example of the outward communication average value table which concerns on this embodiment. It is a figure which shows the data structure example of the inward communication accumulation amount table which concerns on this embodiment. It is a figure which shows the data structure example of the inward communication average value table which concerns on this embodiment. It is a sequence diagram which shows the process when the communication data is transmitted from the user system which concerns on this embodiment to a field system server. It is a sequence diagram which shows the process when the communication data is transmitted from the field system server which concerns on this embodiment to a user system. It is a flowchart of DoS attack response processing executed by the monitoring unit which concerns on this embodiment. It is a flowchart of the user system monitoring process executed by the state management unit which concerns on this embodiment. It is a sequence diagram which shows the process when the user system which concerns on this embodiment transitions to an abnormal state. It is a flowchart of the remote maintenance process by the instruction from the management system executed by the encrypted communication part, the maintenance part, and the time synchronization part which concerns on this embodiment. It is a sequence diagram which shows the user system start process which concerns on this embodiment. It is a sequence diagram which shows the user system stop processing which concerns on this embodiment. It is a sequence diagram which shows the system information collection processing which concerns on this embodiment. It is a sequence diagram which shows the user system update process which concerns on this embodiment. It is a sequence diagram which shows the security system update process which concerns on this embodiment.

≪Overall configuration of remote control system≫
Hereinafter, the device according to the embodiment (embodiment) for carrying out the present invention will be described. FIG. 1 is a diagram illustrating an overall configuration of a remote control system including the device 100 according to the present embodiment. The remote control system includes a device 100 connected by an external network 500 and a management system 300. The remote control system prevents a cyber attack from the external network 500 against the user system 120 operating as a virtual machine on the device 100, and also performs maintenance such as system update.

The management system 300 is a system that manages the entire remote control system, and monitors the operating status of the user system (first virtual machine) 120 and the security system (second virtual machine) 140, which will be described later, and updates the system (system update). (Farm update) is instructed.
The device 100 is installed in the field and operates the user system 120 as a virtual machine. Further, the device 100 maintains the user system 120 by executing the start and stop of the user system 120, reporting the operation status to the management system 300, updating the system, and the like according to the instruction from the management system 300. The number of devices 100 is not limited to one, and a plurality of devices may be installed in the field.

≪Overall configuration of field system≫
The field system includes a field system server 350 and a user system 120 of a virtual machine operating on the device 100. If there are a plurality of devices 100, the field system includes a plurality of user systems 120. A device that communicates with the user system 120, including the field system server 350, is referred to as an external device. External devices may include devices not intended by other devices or field system administrators. The field system server 350 and the device 100 are connected by an external network 500. The field system server 350 may be the same device as the management system 300.

The field system server 350 is a server that manages the entire field system, and acquires data from the sensor 150 described later via the user system 120. When an actuator is connected instead of the sensor 150, the field system server 350 controls the actuator via the user system 120.
The user system 120 acquires data from the sensor 150 and transmits it to the field system server 350, aggregates the acquired data and transmits the aggregated result to the field system server 350, or receives an instruction from the field system server 350. It controls the sensor 150. The same applies even if the sensor 150 is an actuator.

≪Overall configuration of device≫
The device 100 as hardware includes a CPU 112, a sensor 150, a physical NIC (Network Interface Card) 111, a secure storage 113, an RTC (Real-Time Clock) 119, a RAM (Random Access Memory) (not shown), and a ROM (Read Only). Memory) (not shown) and flash memory (not shown) are included. The RAM, ROM, and flash memory form a storage unit 200. The storage unit 200 includes a security system virtual storage unit 210 which is a storage unit of the security system 140 and a user system virtual storage unit 270 which is a storage unit of the user system 120.

The sensor 150 is connected to the device 100 and is controlled by the sensor control unit 121 of the user system 120 described later. In FIG. 1, the sensor 150 is externally attached to the device 100 and directly connected by a cable, but may be built in the device 100. In this embodiment, the sensor 150 is connected to the device 100, but it may be an actuator or other device.

The physical NIC (physical communication controller) 111 is controlled by the security system 140 described later, and transmits / receives communication data to / from the external network 500. Communication destinations include an external device including a field system server 350 with which the user system 120 communicates, and a management system 300 with which the security system 140 communicates.
The CPU 112 is a control unit that makes the device 100 function by executing a program in the storage unit 200. In FIG. 1, the number of CPUs is one, but there may be a plurality of CPUs.

The secure storage 113 stores the root key 114, the signature verification key 115, the signature key 116, the decryption key 117, and the encryption key 118, and is accessible only from the security system 140. The root key 114 is a key for protecting the update data of the signature verification key 115, the signature key 116, the decryption key 117, and the encryption key 118, and includes the signature verification key and the decryption key. The signature verification key 115 is a key for verifying the digital signature of the communication data from the management system 300. The signature key 116 is a key for generating a digital signature of communication data to the management system 300. The decryption key 117 is a key for decrypting the communication data from the management system 300. The encryption key 118 is a key for encrypting communication data to the management system 300.

The secure storage 113 can be accessed only from the security system 140, and the key stored in the secure storage 113 cannot be accessed from the user system 120 described later. Therefore, even if a cyber attack occurs on the user system 120, the remote maintenance process (see FIG. 11) described later and the notification to the management system 300 can be safely executed, and the remote control system is instructed to be remote. No maintenance processing, unauthorized system updates, or unauthorized notifications occur.

The RTC119 is a clock built in the device 100, and can acquire the current date and time (current time) in milliseconds or microseconds. The hypervisor 130 and the security system 140, which will be described later, can acquire the current time from the RTC 119 and can further set the current time.
On the other hand, the user system 120 described later can acquire the current time from the RTC 119, but cannot set the current time. Therefore, even if a cyber attack occurs on the user system 120, the current time of the RTC 119 cannot be changed, and the hypervisor 130 and the security system 140 can obtain an accurate current time.

Logically, the device 100 includes a user system 120, a security system 140, and a hypervisor 130. The communication device protection program (not shown) is stored in the storage unit 200 to function the security system 140 and the hypervisor 130.
The hypervisor 130 operates on the CPU 112 and causes the user system 120 and the security system 140 as virtual machines to function. The hypervisor 130 includes a virtual switch 131 that mediates communication between the user system 120 and the security system 140.

The user system (first virtual machine) 120 is a virtual machine running on the hypervisor 130, and is a virtual CPU (not shown) that virtualizes the CPU 112, a virtual NIC 123, and a user system virtual storage unit 270 (in FIG. 1). Described as a component of the storage unit 200). The virtual NIC 123 transmits / receives communication data to / from an external device including a field system server 350 via a virtual switch 131, a security system 140, and a physical NIC 111. The user system virtual storage unit 270 stores data and programs of the user system 120. The user system 120 further includes an HB transmission unit 122 that transmits an HB (Heart Beat) to the security system 140 at a predetermined timing, and a sensor control unit 121 that controls the sensor 150.

The security system (second virtual machine) 140 is a virtual machine running on the hypervisor 130, and is a virtual CPU (not shown) that virtualizes the CPU 112, a physical NIC 111, an encrypted communication unit 141, a monitoring unit 142, and a state management. It includes a unit 143, a maintenance unit 144, a time synchronization unit 145, a virtual network control unit 146, a virtual NIC 147, and a security system virtual storage unit 210 (described as a component of the storage unit 200 in FIG. 1). The security system virtual storage unit 210 includes an outward communication cumulative amount table 220 (see FIG. 2), an outward communication average value table 230 (see FIG. 3), an inward communication cumulative amount table 240 (see FIG. 4), and an inside, which will be described later. It includes a direction communication average value table 250 (see FIG. 5), a user system state 261 and a state transition time 262, and an HB reception time table 263.

The encrypted communication unit 141 transmits / receives communication data to / from the management system 300, verifies and decrypts the digital signature of the received data using the signature verification key 115 and the decryption key 117, and uses the signature key 116 and the encryption key 118. It is used to generate a digital signature and encrypt the transmitted data.
The monitoring unit 142 receives the HB transmitted by the HB transmission unit 122 of the user system 120, and records the reception time in the HB reception time table 263. Further, the monitoring unit 142 determines whether or not there is a DoS attack by referring to the inward communication cumulative amount table 240 described later.

The state management unit 143 updates the outward communication average value table 230 (see FIG. 3 below) with reference to the outward communication cumulative amount table 220 (see FIG. 2 described later), and updates the inward communication cumulative amount table 240 (see FIG. 2 described later). The inward communication average value table 250 (see FIG. 5 described later) is updated with reference to FIG. 4 described later. Further, the state management unit 143 monitors the operating status of the user system 120 with reference to the outward communication average value table 230, the inward communication average value table 250, and the HB reception time table 263, and stops, operates, or quasi-abnormally. And manage the transition state consisting of abnormalities. The current state is stored in the user system state 261 and the time when the state transitions is stored in the state transition time 262.

The maintenance unit 144 executes the control command received from the management system 300. The control command is encrypted with the digital signature of the management system 300, and is decrypted by the encrypted communication unit 141, verified by the digital signature, and output to the maintenance unit 144.
The time synchronization unit 145 exchanges communication data including the time with the management system 300, and executes a time synchronization process for adjusting the time of the RTC 119. The method of exchanging communication data is the same as that of Simple Network Time Protocol (SNTP). The time synchronization process is executed at a predetermined timing in addition to when the security system 140 is activated or when an instruction is given from the management system 300.

The virtual network control unit 146 relays transmission / reception of communication data between the user system 120 and the external device including the field system server 350. Specifically, the virtual network control unit 146 receives the communication data transmitted from the virtual NIC 123 by the user system 120 via the virtual switch 131 and the virtual NIC 147, outputs the communication data to the physical NIC 111, and transmits the communication data to the external device. Further, the virtual network control unit 146 receives the communication data transmitted by the external device and received by the physical NIC 111 and outputs the communication data to the virtual NIC 147, and the output communication data passes through the virtual switch 131 and the virtual NIC 123. , The user system 120 receives.

FIG. 2 is a diagram showing a data configuration example of the outward communication cumulative amount table 220 according to the present embodiment. The outward communication cumulative amount table 220 is tabular data, and one line (record) shows the cumulative value of the transmission data from the user system 120 to one address, and the destination name 221 and the destination address 222. , Includes columns (attributes) with a start time of 223, a cumulative data amount of 224, and a cumulative number of frames of 225.

The destination name 221 is the name of the destination (external device). The destination address 222 is a destination address. In addition, one destination may have a plurality of addresses. The start time 223 is the time when the cumulative value is started. The cumulative data amount 224 is the cumulative amount of communication data size since the start time 223, and the cumulative frame number 225 is the number of communication data since the start time 223.

The records of the outgoing communication cumulative amount table 220 are divided for each destination address 222 and for each cumulative period of a predetermined time length (also referred to as cumulative time, FIG. 2 shows an example of cumulative time of 2 minutes). In record 228 and record 229, the destination is the field system server 350 (denoted as FSS in FIG. 2), the same destination address 222 (IP (Internet Protocol) address is 193.3.2.2, and the port number. Is a record with 343), but record 228 is the latest record (starting at 12:33:34 on October 17, 2017), and record 229 is one before record 228 (October 2017). It is a record (2 minutes from 12:31:34 on the 17th).

When relaying communication data from the user system 120 to the destination, the virtual network control unit 146 adds the cumulative data amount 224 of the latest record of the corresponding destination address 222 by the communication data size, and the cumulative number of frames. Add 225 by 1. If the start time 223 is before the cumulative time, a new record is added and updated.

FIG. 3 is a diagram showing a data configuration example of the outward communication average value table 230 according to the present embodiment. The outward communication average value table 230 is tabular data, and one row (record) is within a period of a predetermined time length from the user system 120 to one address (FIG. 3 is an example of 10 minutes). The average value of the transmission data of is shown, and includes columns (attributes) of a destination name 231, a destination address 232, a start time 233, an average data amount 234, an average interval 235, and a total number of frames 236.

The destination name 231 is the name of the destination, and the destination address 232 is the address of the destination, which corresponds to the destination name 221 and the destination address 222 of the outward communication cumulative amount table 220, respectively. The start time 233 is the start time of the period indicated by the record. The average data amount 234 is the average value of the communication data size during the period indicated by the record, the average interval 235 is the average value of the communication intervals, and the total number of frames 236 is the number of communication data.

The records in the outward communication average value table 230 are divided for each destination address 232 and for each period of a predetermined time length. Records 238 and 239 are records whose destination is the field system server 350 (denoted as FSS in FIG. 3) and has the same destination address 232, but record 238 is the latest record (October 17, 2017). (10 minutes from 12:23:34 on the day), and the record 239 is the record immediately before the record 238 (10 minutes from 12:13:34 on October 17, 2017).

The state management unit 143 updates the outward communication average value table 230 with reference to the outward communication cumulative amount table 220 at a predetermined timing (10-minute interval in this embodiment). Specifically, the state management unit 143 aggregates five records from the newest among the records in the outward communication cumulative total table 220 for each destination address 222, and aggregates the average data amount 234, the average interval 235, and the total number of frames 236. Is calculated. Subsequently, the state management unit 143 adds a record to the outward communication average value table 230 and stores the calculated result. Here, the five records are aggregated because one record in the outward communication cumulative amount table 220 is the cumulative amount for two minutes, and the record in the outward communication average value table 230 is the average value for 10 minutes. be.

FIG. 4 is a diagram showing a data configuration example of the inward communication cumulative amount table 240 according to the present embodiment. FIG. 5 is a diagram showing a data configuration example of the inward communication average value table 250 according to the present embodiment. The inbound communication cumulative amount table 240 has the same configuration as the outward communication accumulated amount table 220, except that the destination is changed to the source, and the inbound communication average value table 250 has the outward communication average value. It has the same configuration as the table 230, and stores the amount of communication from the source (external device) to the user system 120.

≪Data transmission from user system to field system server≫
FIG. 6 is a sequence diagram showing a process when communication data is transmitted from the user system 120 according to the present embodiment to the field system server 350 (denoted as FSS in FIG. 6). With reference to FIG. 6, the process in which the communication data transmitted from the user system 120 is transmitted to the field system server 350 via the hypervisor 130, the security system 140, and the external network 500 will be described.

In step S101, the sensor control unit 121 of the user system 120 acquires data from the sensor 150.
In step S102, the user system 120 outputs the communication data for the field system server 350 (data acquired in step S101) to the virtual switch 131 of the hypervisor 130 via the virtual NIC 123.
In step S103, the virtual switch 131 of the hypervisor 130 outputs the communication data to the virtual NIC 147 of the security system 140.

In step S104, the virtual NIC 147 of the security system 140 outputs the communication data to the virtual network control unit 146, and subsequently, the virtual network control unit 146 updates the outward communication cumulative amount table 220. Specifically, the virtual network control unit 146 searches for a record in the outward communication cumulative amount table 220, which has the latest start time 223 and whose destination address 222 matches the destination address of the communication data. Next, the virtual network control unit 146 adds the size of the communication data to the cumulative data amount 224 of the search result record, and adds 1 to the cumulative number of frames 225.

If the start time 223 of the search result record is earlier than the cumulative time compared to the current time acquired from RTC119, the virtual network control unit 146 adds a new record to the outward communication cumulative amount table 220. Therefore, the size of the communication data is stored in the cumulative data amount 224, and 1 is stored in the cumulative number of frames 225. Further, even if there is no record whose destination address 222 matches the destination address of the communication data, the virtual network control unit 146 adds a new record to the outward communication cumulative amount table 220 and the cumulative data amount 224. The size of the communication data is stored in 225, and 1 is stored in the cumulative number of frames 225.
In step S105, the virtual network control unit 146 of the security system 140 outputs the communication data to the physical NIC 111 to output the communication data to the external network 500. The communication data output to the external network 500 is transmitted to the destination field system server 350.

≪Data transmission from the field system server to the user system≫
FIG. 7 is a sequence diagram showing a process when communication data is transmitted from the field system server 350 (described as FSS in FIG. 7) according to the present embodiment to the user system 120. A process in which communication data transmitted from the field system server 350 is transmitted to the user system 120 via the external network 500, the security system 140, and the hypervisor 130 will be described with reference to FIG. 7.

In step S111, the virtual network control unit 146 of the security system 140 receives the communication data (control command of the sensor 150) for the user system 120 transmitted by the field system server 350 from the physical NIC 111.
In step S112, the virtual network control unit 146 updates the inward communication cumulative amount table 240. The content of the update is the same as in step S104, except that the destination is changed to the source.

In step S113, the virtual network control unit 146 outputs the communication data for the user system 120 to the virtual switch 131 of the hypervisor 130 via the virtual NIC 147.
In step S114, the virtual switch 131 of the hypervisor 130 outputs the communication data to the virtual NIC 123 of the user system 120.
In step S115, the sensor control unit 121 of the user system 120 controls the sensor 150 based on the instruction included in the received communication data.

≪Characteristics of data communication between user system and field system server≫
When the user system 120 and the field system server 350 communicate with each other, the security system 140 relays the communication data. In order to monitor the amount of data, the communication interval, and the number of communications, the virtual network control unit 146 of the security system 140 determines the cumulative amount of the size and number of communication data when relaying the communication data to the outward communication cumulative amount table 220. And stored in the inward communication cumulative amount table 240. This cumulative amount is referred to for determining the presence or absence of a DoS attack and determining the state of the user system 120, which will be described later. The communication data transmission (relay) process shown in FIGS. 6 and 7 is the same even in the case of communication with an external device other than the field system server 350.

In the existing hypervisor, the output of the virtual machine to the NIC at the time of communication data transmission becomes the output to the virtual NIC, and is output to the physical NIC via the hypervisor. The same applies to the reception of communication data from the NIC of the virtual machine, via the hypervisor.

On the other hand, when the security system 140, which is a virtual machine, transmits communication data to the external network 500, it directly outputs the communication data to the physical NIC (physical communication controller) 111. Further, when receiving communication data from the external network 500, it is received directly from the physical NIC 111. By directly exchanging communication data with the physical NIC 111 without going through the hypervisor 130, the security system 140 has the effect of reducing the load on the entire device 100 and enabling efficient communication. The effect is particularly large when the device 100 is composed of resource-limited hardware such as an embedded device.

Among the communication data received by the device 100, only the communication data whose transmission destination is the user system 120 is relayed to the user system 120. Therefore, even if the communication data is received by the physical NIC 111, if the data format, destination address, etc. are invalid, the data is not relayed to the user system 120, and the user system 120 is protected from cyber attacks. ..

≪DoS attack response processing≫
FIG. 8 is a flowchart of the DoS attack response process executed by the monitoring unit 142 according to the present embodiment. With reference to FIG. 8, the processing of network disconnection and resumption when a DoS attack is detected will be described.
In step S201, the monitoring unit 142 stands by for a predetermined time.

In step S202, the monitoring unit 142 determines whether or not a DoS attack has occurred, and if it has occurred, the process proceeds to (S202 → Y) step S203, and if it has not occurred, the step (S202 → N). Return to S201. The monitoring unit 142 determines whether or not a DoS attack has occurred with reference to the inward communication cumulative amount table 240. Specifically, the monitoring unit 142 searches for the latest record of each source address 242, and the total of the cumulative data amount 244 and the cumulative number of frames 245 is predetermined as compared with the predetermined standard value (first standard value). When it is larger than the threshold value (first threshold value), it is determined that a DoS attack has occurred. Further, the monitoring unit 142 searches for the latest record, and the number of records in the search result (that is, the number of source addresses) is a predetermined threshold value (first threshold value) as compared with a predetermined standard value (first standard value). ), It may be determined that a DoS attack has occurred. The amount of data, the number of frames, the number of source addresses, the number of destination addresses, etc. are collectively referred to as communication volume.

In step S203, the monitoring unit 142 notifies the management system 300 of the occurrence of a DoS attack. The message to be notified is digitally signed by the encryption communication unit 141 with the signature key 116, encrypted with the encryption key 118, output to the physical NIC 111, and transmitted to the management system 300 via the external network 500. ..
In step S204, the monitoring unit 142 disconnects the physical NIC 111 from the external network 500. Specifically, the monitoring unit 142 outputs a stop request for transmission / reception processing to the physical NIC 111. Further, the monitoring unit 142 notifies the user system 120 of the network disconnection, and instructs the user system 120 to stop transmission to the external device including the field system server 350.

In step S205, the monitoring unit 142 stands by for a predetermined time.
In step S206, the monitoring unit 142 connects the physical NIC 111 to the external network 500. Specifically, the monitoring unit 142 outputs a request for starting transmission / reception processing to the physical NIC 111. Further, the monitoring unit 142 notifies the user system 120 of the resumption of the network, and instructs the resumption of communication with the external device.
In step S207, the monitoring unit 142 stands by for a predetermined time.
In step S208, the monitoring unit 142 determines whether or not a DoS attack has occurred in the same manner as in step S202, and if it has occurred, returns to step S203 (S208 → Y), and if it has not occurred, it returns to step S203. (S208 → N) Return to step S201. Upon returning to step S201, the monitoring unit 142 may notify the management system 300 that the DoS attack has stopped.

≪Characteristics of DoS attack response processing≫
In the loop of steps S201 to S202, the monitoring unit 142 determines whether or not there is a DoS attack at predetermined time intervals (waiting time in step S201). When the monitoring unit 142 determines that there is a DoS attack, it notifies the management system 300 and stops the network. After that, the monitoring unit 142 restarts the network after a predetermined time (waiting time in step S205) has elapsed, and determines whether or not there is a DoS attack again. If the DoS attack continues, the monitoring unit 142 repeats the processing after the notification to the management system 300, and if the DoS attack stops, it returns to the repeated state of steps S201 to S202, which is a normal state.

When a DoS attack is detected, by stopping the network, it is possible to reduce the load on the entire device 100 without executing unnecessary communication processing. Further, by restarting the network after a predetermined time has elapsed, the user system 120 can restart the communication with the external device when the DoS attack ends.

≪User system monitoring process≫
FIG. 9 is a flowchart of the user system monitoring process executed by the state management unit 143 according to the present embodiment. The user system monitoring process is executed at a predetermined timing (for example, a predetermined time interval), and transitions to a state including a stop, an operation, a quasi-abnormality, and an abnormality depending on the situation of the user system 120. When transitioning to the abnormal state, the user system 120 is forcibly terminated and the management system 300 is notified.

In step S301, the state management unit 143 updates the outward communication average value table 230 (see FIG. 3) and the inward communication average value table 250 (see FIG. 5). Specifically, the state management unit 143 refers to the record of the outward communication accumulated amount table 220 (see FIG. 2) including the accumulated amount since the previous user system monitoring process for each destination address 222, and sets the average value. Obtain and add a record to the outward communication average value table 230. For example, if the cumulative time of the outward communication cumulative amount table 220 is 2 minutes and the elapsed time from the previous user system monitoring process (hereinafter, also referred to as the elapsed time from the previous process) is 10 minutes, the outward communication is outward. The average value can be obtained from the five records in the cumulative communication amount table 220.

The destination name 231 of the record added to the outgoing communication average value table 230 is the destination name 221 of the outward communication accumulated amount table 220 of the outward communication accumulated amount table 220, and the destination address 232 is the destination address 222. Is. The start time 233 is the oldest start time 223 among the records of the outgoing communication cumulative amount table 220 to be referred to. The average data amount 234 is a quotient obtained by dividing the total of the cumulative data amount 224 in the record of the reference outward communication cumulative amount table 220 by the elapsed time from the previous processing. The average interval 235 is a quotient obtained by dividing the elapsed time from the previous processing by the total number of frames 236 described later. The total number of frames 236 is the total number of cumulative frames 225 in the record of the referenced outward communication cumulative amount table 220.
The inward communication average value table 250 is also updated with reference to the inward communication cumulative amount table 240, as in the outward communication average value table 230.

In step S302, the state management unit 143 proceeds to step S303 if the user system state 261 indicating the state of the user system 120 is operation (S302 → operation), and if it is abnormal or stopped, the user (S302 → abnormality or stop). The system monitoring process is terminated, and if it is quasi-abnormal, the process proceeds to step S308 (S302 → quasi-abnormal). If a DoS attack is detected and the network is in a stopped state, the user system 120 is regarded as a stopped state and the user system monitoring process is terminated.

In step S303, the state management unit 143 determines the state of the network and the HB. Specifically, the state management unit 143 has added the average data amount (234, 254), average interval (235, 255) of the records added to the outward communication average value table 230 and the inward communication average value table 250 in step S301, and The difference between the total number of frames (236, 256) and each predetermined standard value (second standard value) is calculated. Further, the state management unit 143 refers to the HB reception time table 263 to obtain the difference between each HB reception interval from the previous user system monitoring process to the present and a predetermined standard value (second standard value). Calculate the average value.

The state management unit 143 determines that the above seven calculated values are normal if they are less than the respective normal threshold values (third threshold value), and abnormal if any difference is greater than or equal to the quasi-abnormal threshold value (second threshold value). If it is neither normal nor abnormal, it is determined to be quasi-abnormal. The difference is a difference as an absolute value and is a positive number.
In step S304, if the state management unit 143 determines in step S303 that it is abnormal (S304 → abnormal), it proceeds to step S305, and if it determines that it is normal (S304 → normal), it ends the user system monitoring process and is quasi-abnormal. If it is determined that (S304 → quasi-abnormality), the process proceeds to step S306.

In step S305, the state management unit 143 executes the abnormal state transition process (see FIG. 10) described later.
In step S306, the state management unit 143 notifies the management system 300 that the user system 120 is in a quasi-abnormal state. Specifically, the state management unit 143 creates a notification including the value that is the basis for determining the quasi-abnormality in step S303 and the current time acquired from the RTC 119, and transmits the notification to the management system 300. The notification is digitally signed and encrypted in the same manner as in step S203.

In step S307, the state management unit 143 changes the user system state 261 to a quasi-abnormal state, and stores the current time acquired from the RTC 119 in the state transition time 262.
Step S308 is the same process as step S303.
In step S309, the state management unit 143 proceeds to step S310 if it is determined to be abnormal in step S308 (S309 → abnormal), and proceeds to step S311 if it is determined to be quasi-abnormal (S309 → quasi-abnormal), and is determined to be normal. If so, the process proceeds to step S314 (S309 → normal).

In step S310, the state management unit 143 executes the abnormal state transition process (FIG. 10) described later.
In step S311, the state management unit 143 obtains the difference between the state transition time 262 and the current time, and calculates the duration of the quasi-abnormal state.
In step S312, the state management unit 143 proceeds to step S313 if the duration of the quasi-abnormal state calculated in step S311 is equal to or greater than a predetermined threshold value (S312 → Y), and proceeds to step S313 if it is less than the threshold value (S313 → N). End the process.

In step S313, the state management unit 143 executes the abnormal state transition process (FIG. 10) described later.
In step S314, the state management unit 143 notifies the management system 300 that the user system 120 is in the operating state. The notification includes the current time and is digitally signed and encrypted in the same manner as in step S203.
In step S315, the state management unit 143 changes the user system state 261 to operation and stores the current time in the state transition time 262.

Subsequently, the details of the abnormal state transition processing in steps S305, S310, and S313 will be described. FIG. 10 is a sequence diagram showing a process when the user system 120 according to the present embodiment transitions to an abnormal state.
In step S331, the state management unit 143 of the security system 140 outputs a forced stop command of the user system 120 to the hypervisor 130. One method of outputting a forced stop command is to call a hypervisor call.
In step S332, the hypervisor 130 forcibly stops the user system 120 (turns the power off).

In step S333, the hypervisor 130 notifies the security system 140 that the user system 120 has been forcibly stopped. Notification methods include interrupts and hypervisor call return values.
In step S334, the state management unit 143 of the security system 140 changes the user system state 261 abnormally and stores the current time in the state transition time 262.

In step S335, the state management unit 143 notifies the management system 300 that the user system 120 is in an abnormal state and has been forcibly stopped. Specifically, the state management unit 143 creates a notification including the current time and the value that is the basis for determining the abnormality or the threshold value or more in steps S303, S308, or S312, and transmits the notification to the management system 300. Notifications are digitally signed and encrypted.

≪Characteristics of user system monitoring process≫
As described above, any of the differences between the amount of communication data transmitted and received by the user system 120, the number of communication data, and the reception interval of HB from the standard value (second standard value) is the quasi-abnormal threshold value (first). If it is 2 thresholds or more, it is determined to be abnormal, and if it is normal threshold (third threshold) or more, it is determined to be quasi-abnormal. If it is determined to be abnormal, or if the quasi-abnormality continues for a predetermined period, the user system 120 is forcibly stopped and transitions to an abnormal state. Even if it is in a quasi-abnormal state, if it is determined to be normal within a predetermined period, it returns to the operating state.

In this way, the user system 120 is monitored using the amount of communication data, the number of communication data, and the reception interval of HB, and if it is in an abnormal situation, it is forcibly stopped to perform abnormal communication with an external device, a field. It becomes possible to prevent unauthorized communication with a device that is neither the system server 350 nor another device, unauthorized use of resources of the device 100, and the like.

≪Remote maintenance process≫
FIG. 11 is a flowchart of a remote maintenance process according to an instruction from the management system 300 executed by the encrypted communication unit 141, the maintenance unit 144, and the time synchronization unit 145 according to the present embodiment. The remote maintenance process by the control command transmitted by the management system 300 and received by the security system 140 will be described with reference to FIG. A part of the remote maintenance process will be described with reference to FIGS. 12 to 16.
In step S401, the encrypted communication unit 141 decodes the received control command using the decryption key 117, verifies the digital signature given by the signature verification key 115, and outputs the digital signature to the maintenance unit 144. If the decryption or signature verification fails, the cryptographic communication unit 141 determines that the command is invalid and notifies the management system 300.

In step S402, the maintenance unit 144 forces the user system in step S403 if the type of control command is user system startup (S402 → user system startup), or in step S404 if the user system is stopped (S402 → user system stop). Security system update in step S405 if stopped (S402 → forced stop of user system), step S406 if system information is collected (S402 → system information collection), and step S407 if user system is updated (S402 → user system update). If so, the process proceeds to (S402 → security system update) step S408, if the key is updated, the process proceeds to (S402 → key update) step S409, and if time synchronization occurs, the process proceeds to step S410 (S402 → time synchronization).

In step S403, the maintenance unit 144 executes the user system activation process (see FIG. 12) described later.
In step S404, the maintenance unit 144 executes the user system stop processing (see FIG. 13) described later.
Step S405 is the same process as the abnormal state transition process (see FIG. 10), and is executed by the maintenance unit 144 instead of the state management unit 143.

In step S406, the maintenance unit 144 executes the system information collection process (see FIG. 14) described later.
In step S407, the maintenance unit 144 executes the user system update process (see FIG. 15) described later.
In step S408, the maintenance unit 144 executes the security system update process (see FIG. 16) described later.

In step S409, the maintenance unit 144 executes the key update process. Specifically, the maintenance unit 144 decodes the data included in the control command with the decryption key included in the root key 114, verifies the digital signature given by the signature verification key included in the root key 114, and decrypts or verifies it. If fails, the management system 300 is notified. If the decryption and verification were successful, the maintenance unit 144 obtained the signature verification key 115, the signature key 116, the decryption key 117, and the encryption key 118 stored in the secure storage 113 as a result of the decryption and the verification of the signature. Replace with signature verification key, signature key, decryption key, and encryption key, respectively.

In step S410, the maintenance unit 144 instructs the time synchronization unit 145 to execute the time synchronization process. The time synchronization unit 145 executes the same process as SNMP using the management system 300 as the time server to acquire the current time, and corrects the deviation from the time of RTC119. The difference between the current time acquired by one correction and the time of RTC119 may be eliminated, or if the deviation is larger than a predetermined value, it may be corrected multiple times at a predetermined interval to gradually eliminate the deviation. You may do it.
Subsequently, the contents of each process of steps S403 to S408 will be described.

≪Remote maintenance process: User system startup≫
FIG. 12 is a sequence diagram showing a user system activation process according to the present embodiment. The processing content of step S403 will be described with reference to FIG.
In step S421, the maintenance unit 144 of the security system 140 outputs an activation command of the user system 120 to the hypervisor 130.

In step S422, the hypervisor 130 activates the user system 120 (turns the power on).
In step S423, the hypervisor 130 notifies the security system 140 that the user system 120 has been activated.
In step S424, the user system 120 executes the startup process.

In step S425, the HB transmission unit 122 of the user system 120 transmits the HB to the security system 140. As one of the transmission methods, there is a method in which the hypervisor 130 is instructed to transmit the HB by using the hypervisor call, and the hypervisor 130 generates an interrupt in the security system 140.
In step S426, the maintenance unit 144 of the security system 140 changes the user system state 261 to operation after confirming the reception of the HB, and stores the current time in the state transition time 262.
In step S427, the maintenance unit 144 notifies the management system 300 that the user system 120 has transitioned to the operating state. The notification is digitally signed, encrypted and transmitted to the management system 300.

≪Remote maintenance process: Stop user system≫
FIG. 13 is a sequence diagram showing a user system stop process according to the present embodiment. The processing content of step S404 will be described with reference to FIG.
In step S431, the maintenance unit 144 of the security system 140 outputs a stop command of the user system 120 to the hypervisor 130.
In step S432, the hypervisor 130 causes the user system 120 to generate a shutdown interrupt.

In step S433, the user system 120 receives an interrupt and executes a shutdown process.
In step S434, the user system 120 calls the power-off hypervisor call at the end of the shutdown process.
In step S435, the hypervisor 130 notifies the security system 140 that the user system 120 has been stopped.

In step S436, the maintenance unit 144 of the security system 140 changes the user system state 261 to stop and stores the current time in the state transition time 262.
In step S437, the maintenance unit 144 notifies the management system 300 that the user system 120 has transitioned to the stopped state. The notification is digitally signed, encrypted and transmitted to the management system 300.

≪Remote maintenance processing: System information collection≫
FIG. 14 is a sequence diagram showing the system information collection process according to the present embodiment. The processing content of step S406 will be described with reference to FIG.
In step S441, the maintenance unit 144 of the security system 140 outputs a system information acquisition command to the hypervisor 130. The instruction is given an address of virtual memory (not shown) for storing system information.
In step S442, the hypervisor 130 stores the system information in the virtual memory area of the address specified in step S441. The system information includes the usage status of the virtual CPUs of the user system 120 and the security system 140.

In step S443, the maintenance unit 144 aggregates the communication status of the user system 120 from the outward communication average value table 230 and the inward communication average value table 250.
In step S444, the maintenance unit 144 reports to the management system 300 the system information acquired in step S442 and the communication status aggregated in step S443. The report is digitally signed, encrypted and transmitted to the management system 300.

≪Remote maintenance process: User system update≫
FIG. 15 is a sequence diagram showing a user system update process according to the present embodiment. The processing content of step S407 will be described with reference to FIG. When the user system update process is executed, the user system 120 is in a stopped state or an abnormal state.

In step S451, the maintenance unit 144 of the security system 140 outputs an update command of the user system 120 to the hypervisor 130. The instruction includes an address and a size on the security system virtual storage unit 210 (see FIG. 1) in the area where the update file (update data) is stored.

In step S452, the hypervisor 130 updates (farm update) the user system virtual storage unit 270 (see FIG. 1), which is the storage unit of the user system 120, using the update file specified in step S451.
In step S453, the hypervisor 130 notifies the security system 140 that the user system 120 has been updated.
In step S454, the maintenance unit 144 notifies the management system 300 that the update of the user system 120 is completed. The notification is digitally signed, encrypted and transmitted to the management system 300.

≪Remote maintenance process: Security system update≫
FIG. 16 is a sequence diagram showing a security system update process according to the present embodiment. The processing content of step S408 will be described with reference to FIG.
In step S461, the maintenance unit 144 of the security system 140 notifies the hypervisor 130 of the address and size on the security system virtual storage unit 210 of the area in which the update file (update data) of the security system 140 is stored.

In step S462, the security system 140 executes the shutdown process.
In step S463, the security system 140 calls the power-off hypervisor call at the end of the shutdown process.
In step S464, the hypervisor 130 updates (farm update) the security system virtual storage unit 210 (see FIG. 1), which is the storage unit of the security system 140, using the update file specified in step S461.

In step S465, the hypervisor 130 activates the security system 140 (turns the power on).
In step S466, the security system 140 executes the activation process.
In step S467, the maintenance unit 144 notifies the management system 300 that the update of the security system 140 is completed. The notification is digitally signed, encrypted and transmitted to the management system 300.

≪Characteristics of remote maintenance processing≫
By issuing an instruction to the security system 140 using a control command, the management system 300 can remotely update the user system 120 or the security system 140 (firm update). This makes it possible to add new functions and fix defects without having to go to the field where the device 100 is installed.
Further, the user system 120 may operate on the hypervisor 130, and remote maintenance is possible for various user systems 120 regardless of the OS and communication specifications thereof. This also applies to the DoS attack response process (see FIG. 8) and the user system monitoring process (see FIG. 9).

<< Modification example: Network status judgment >>
When determining the network status of the user system 120 in steps S303 and S308 (see FIG. 9), the status management unit 143 referred to the amount of data, the communication interval, and the number of communications. In addition to this, the field system server 350, which is the original communication partner, and addresses other than other devices were included with reference to the destination address 232 (see FIG. 3) and the source address 252 (see FIG. 5). In that case, it may be determined that it is abnormal. Further, although the communication address is assumed to be IP, it may be an Ethernet (registered trademark) address or another address.

<< Modification example: DoS attack judgment >>
Further, in the determination of the DoS attack in steps S202 and S208, if the communication data other than the original communication partner is included in a predetermined number or more, it may be determined as a DoS attack. Furthermore, in addition to the amount of communication data and communication interval for the user system 120, the amount of communication data for the security system 140 or the device 100, the number of frames, and TCP (Transmission Control Protocol) SYN packets are used for DoS attacks. The presence or absence of a DoS attack may be determined by referring to the number of communication data (number of frames) used. In this case, as in the inward communication cumulative amount table 240, the communication cumulative amount of the communication data for the security system 140 or the device 100 is recorded and determined.

<< Modification example: Communication data relay processing between the user system and an external device >>
In updating the outward communication cumulative amount table 220 (see FIG. 2) in step S104 (see FIG. 6), the number of the latest records (records whose start time 223 is within the cumulative time compared to the current time) is a predetermined standard. If it is larger than a predetermined threshold value (fourth threshold value) as compared with the value (fourth standard value), the virtual network control unit 146 determines that the state is abnormal and notifies the state management unit 143, and the state management unit 143. May execute the abnormal state transition process (see FIG. 10). In this case, the state management unit 143 may notify the management system 300 that the number of records has increased abnormally and the destination address 222 included in the latest record.

Further, in the record updated in step S104, if the cumulative data amount 224 or the cumulative number of frames 225 is larger than the predetermined threshold value (fourth threshold value) as compared with the predetermined standard value (fourth standard value), the virtual network control is performed. The unit 146 may determine that it is an abnormal state and notify the state management unit 143 so that the state management unit 143 executes the abnormal state transition process. In this case, the state management unit 143 may notify the management system 300 of the destination address 222 of the record, the cumulative data amount 224, and the cumulative number of frames 225.

In the update of the inward communication cumulative amount table 240 in step S112 (see FIG. 7), the virtual network control unit 146 also updates the latest record in the same manner as the update of the outward communication cumulative amount table 220 in step S104 described above. If any of the number, the cumulative data amount 244, and the cumulative number of frames 245 is larger than the predetermined standard value (fourth standard value), the state management unit 143 is notified and the state is notified. The management unit 143 may execute the abnormal state transition process.

By detecting the abnormal state in this way, the virtual network control unit 146 waits for the DoS attack response process (see FIG. 8) (see S201) and during the execution of the user system monitoring process (see FIG. 9). However, it will be possible to respond to abnormal conditions immediately. For example, if a DoS attack occurs, the user system 120 is infected with a virus and starts a cyber attack, or an abnormality occurs in the sensor 150 or the user system 120 and the user system 120 runs out of control, the effect of being able to respond immediately. There is.

≪Variation example: Others≫
In the transmission (relay) processing of the communication data in steps S104 to S105 (see FIG. 6) and S112 to S113 (see FIG. 7), the virtual network control unit 146 refers to the size of the communication data and accumulates outward communication. The table 220 and the inward communication cumulative amount table 240 were updated. In order to prevent communication between the field system server 350, which is the original communication partner, and other than other devices, filtering may be performed by referring to the transmission destination or transmission source of the communication data. Further, the content of the communication data may be inspected and if the data is invalid, it may be filtered. Even if the communication data is filtered, the cumulative amount of outward communication table 220 and the cumulative amount of inward communication table 240 are updated to determine the presence or absence of a DoS attack and the network status in the DoS attack response process and the user system monitoring process. It will be referred to when.

The information collected in the system information collection process (see FIG. 14) includes the usage status of the virtual CPU, but other information may be included. For example, it may be information included in the user system virtual storage unit 270 (information on a file or RAM of the user system 120). Further, the control command may include a file name and an address so that the information to be collected can be specified.
In the present embodiment, the device of the field system is protected from cyber attacks, but the gateway may also be protected so that the user system has a function as a gateway. Further, it is not limited to the device of the field system, and any communication node that can operate as a virtual machine can be protected.

100 devices (communication equipment)
111 Physical NIC (Physical Communication Controller)
120 User system (communication device, first virtual machine)
122 HB (Heart Beat) Transmitter 123 Virtual NIC
130 Hypervisor 131 Virtual Switch 140 Security System (Second Virtual Machine)
141 Cryptographic communication unit 142 Monitoring unit 143 Status management unit 144 Maintenance unit 145 Time synchronization unit 146 Virtual network control unit 147 Virtual NIC
200 Storage 210 Security system Virtual storage 220 Outward communication cumulative table 230 Outward communication average table 240 Inward communication cumulative table 250 Inward communication average table 270 User system Virtual storage 300 Management system 350 Field system server (External device)

Claims (4)

A computer equipped with a physical communication controller that sends and receives data to and from the network
A communication protection program for operating a user system including a function of communicating with an external device connected to the network as a first virtual machine and functioning as a hypervisor for operating a security system as a second virtual machine. ,
The hypervisor is
Communication data from the user system to the external device is relayed from the user system to the security system , and communication data from the external device to the user system is received by the security system and then from the security system to the user system . Including the function as a relay virtual switch
The security system includes the physical communication controller and
Communication data from the user system relayed by the virtual switch to the external device via the physical communication controller is directly output to the physical communication controller without going through the hypervisor, and the physical communication controller is output from the external device. A virtual network control unit that receives communication data to the user system via the user system directly from the physical communication controller without going through the hypervisor and outputs the communication data to the virtual switch.
Communication device protection program. In claim 1,
The security system monitors the communication amount of communication data received by any of the user system, the security system , and the computer, and the communication amount is larger than a predetermined first standard value, and the communication amount and the communication amount are described. When the difference from the first standard value is larger than a predetermined first threshold value, a monitoring unit that controls the physical communication controller to disconnect the computer from the network is included.
Communication device protection program. In claim 1,
The security system monitors the user system communication amount indicating the communication amount of the communication data transmitted and received by the user system, and the difference between the user system communication amount and the predetermined second standard value is larger than the predetermined second threshold value. In this case, or when the state in which the difference between the user system communication volume and the second standard value is larger than the predetermined third threshold value continues for a predetermined time, the state management unit for forcibly stopping the user system is included.
Communication device protection program. In any one of claims 1 to 3,
The security system responds to a control command from a management system connected to the network.
The user system start process, stop process, forced stop process, system update process,
The system update process of the security system ,
A maintenance unit that executes any of the information collection processing of the computer and the time synchronization processing with the management system.
Communication device protection program.

Images