JP7150552B2 - Network protection devices and network protection systems - Google Patents

Description

The present disclosure relates to network protection devices and network protection systems for monitoring communication networks and controlling communications.

In recent years, with the development of network technology, various devices have come to be connected to networks. Along with this, the damage caused by attacks such as malware infection and malware intrusion from the outside has increased, and security measures have become extremely important.

Generally, security measures include a method of monitoring network boundaries to protect against access from external networks, a method of monitoring and protecting terminals themselves, and the like. Specifically, security devices such as FW (Fire Wall), IDS (Intrusion Detection System), IPS (Intrusion Prevention System), and UTM (Unified Threat Management) are installed at the boundary between the Internet and LAN (Local Area Network). Things are mentioned. In addition, installing anti-malware software on the terminals installed in the LAN and applying the latest security patches to the operating system and application software are examples.

However, in networks in facilities, factories, etc., terminals for which general countermeasures are difficult, such as terminals that require uninterrupted operation, terminals that are strict about delays in production operation and do not allow any addition or change of software, etc. are increasingly connected to networks. Such terminals cannot be protected against security, are easily invaded by malware, and have a high risk of being exposed to threats such as malware infection. Therefore, when malware intrudes into the LAN, the infection spreads further, causing various troubles within the LAN. Therefore, new security measures are required to prevent such spread of infection.

Conventionally, a countermeasure device capable of communicating with a plurality of computers including a first computer and a second computer, and by installing the countermeasure device inside a LAN, the countermeasure device acquires communication data at an arbitrary time, It is determined whether to transmit the acquired communication data to the first computer or the second computer. As described above, the countermeasure device discloses a technique of restricting communication services between a first computer and a second computer (see, for example, Japanese Patent Application Laid-Open No. 2002-200016).

Further, a technique is disclosed in which communication data passing through a switch device is sent to a security device having a promiscuous mode and monitored, and communication is controlled by an SDN (Software Defined Network) switch device (for example, Patent Document 2). reference).

Japanese Patent No. 4082613 Japanese Patent No. 6364255

Wang, Ke, and Salvatore J.; Stolfo. "Anomalous payload based network intrusion detection." RAID. Vol. 4.2004.

However, in Patent Document 1, in order to monitor the entire LAN interior and eliminate security threats, it is necessary to import all communication data inside the LAN into a countermeasure device. In order to realize this with the countermeasure device of Patent Document 1, it is necessary to keep sending communication control packets to all combinations of all terminals, and the number of pairs that need to be controlled in the square order increases. In this case, since communication is concentrated on the countermeasure device, the communication becomes tight and the load on the countermeasure device increases. For this reason, there is a problem that a terminal that is strict about delay as described above is adversely affected.

In addition, in situations such as when the frequency of transmission of control communication packets for importing communication data into the countermeasure device is insufficient, the communication data may not be reliably imported into the countermeasure device. There is also the issue of not being able to

In addition, in Patent Document 2, a security device that monitors threats within a LAN restricts communication by controlling an SDN switch device. is delayed.

In addition, since all communication data related to the terminal detected by the security device is restricted, including communication data with normal content, depending on the details of the threat detected, sudden communication cutoff etc. There is the problem of having a negative impact.

Furthermore, since only a single security device is used for detection, there is concern that normal communications may be adversely affected by false or false detections.

An object of the present disclosure is to improve the security level while realizing non-stop operation of terminals constituting a communication network and minimization of communication delay.

A network protection device according to an aspect of the present disclosure includes a plurality of LAN (Local Area Network) ports, and transmits at least information on a source terminal and information on a destination terminal flowing through a switch that connects communication networks. a communication data acquisition unit that acquires communication data including the connecting the source terminal and the destination terminal via the threat removal unit through a first communication path that connects the source terminal and the destination terminal without going through the threat removal unit; a route changing unit that operates the switch to change the communication route to a second communication route that is different from the first communication route; Eliminate communication data threats.

In addition, these general or specific aspects may be realized by a system, method, integrated circuit, computer program, or a recording medium such as a computer-readable CD-ROM. and any combination of recording media.

According to the above aspect, the security level is improved while realizing the non-stop operation of the terminals constituting the communication network and the minimization of the communication delay.

FIG. 1 is a diagram showing the overall configuration of a communication network to which a network protection device according to Embodiment 1 belongs. FIG. 2 is a diagram showing the structure of communication data according to the first embodiment. 3 is a diagram showing a configuration of a communication analysis unit according to Embodiment 1. FIG. FIG. 4 is a diagram showing the structure of terminal communication information according to Embodiment 1. As shown in FIG. FIG. 5 is a diagram showing a configuration of a switch operating unit according to Embodiment 1. FIG. FIG. 6 is a diagram showing the configuration of switch initial setting information according to the first embodiment. 7 is a diagram showing a configuration of switch information according to Embodiment 1. FIG. 8 is a diagram showing a configuration of a terminal management unit according to Embodiment 1. FIG. 9 is a diagram showing a configuration of threat score information according to Embodiment 1. FIG. 10 is a diagram showing the configuration of terminal temporary information according to Embodiment 1. FIG. 11 is a diagram showing a configuration of terminal update information according to Embodiment 1. FIG. 12A is a diagram showing a configuration of terminal information according to Embodiment 1. FIG. 12B is a diagram showing a configuration of terminal information according to Embodiment 1. FIG. 13A is a diagram showing a logical network configuration of the overall network configuration according to Embodiment 1. FIG. 13B is a diagram showing a logical network configuration of the overall network configuration according to Embodiment 1. FIG. 14 is a flow chart showing the operation of the network protection device according to Embodiment 1. FIG. 15 is a flowchart showing the operation of updating the threat score according to Embodiment 1. FIG. 16 is a flowchart showing an operation of updating terminal information according to Embodiment 1. FIG. 17A is a diagram showing the overall configuration of another communication network to which a network protection device belongs according to Modification 1 of Embodiment 1. FIG. 17B] FIG. 17B is a diagram illustrating a case where the transmission source terminal and the transmission destination terminal communicate with each other in the quarantine system network in Modification 1 of Embodiment 1. [ FIG. 17C] FIG. 17C is a diagram illustrating a case where the transmission source terminal and the transmission destination terminal communicate with each other in the normal network in Modification 1 of Embodiment 1. [ FIG. FIG. 18 is a diagram showing the overall configuration of still another communication network to which the network protection device in Modification 2 of Embodiment 1 belongs. FIG. 19 is a diagram showing the overall configuration of a communication network to which a network protection device belongs according to the second embodiment. FIG. 20 is a diagram showing the structure of communication data according to the second embodiment. 21 is a diagram showing a configuration of terminal communication information according to Embodiment 2. FIG. FIG. 22 is a diagram showing the configuration of switch initial setting information according to the second embodiment. 23 is a diagram showing a configuration of switch information according to Embodiment 2. FIG. 24A is a diagram showing a configuration of terminal information according to Embodiment 2. FIG. 24B is a diagram showing a configuration of terminal information according to Embodiment 2. FIG. 25A is a diagram showing a logical network configuration of the entire network configuration according to Embodiment 2. FIG. 25B is a diagram showing a logical network configuration of the overall network configuration according to Embodiment 2. FIG. 26 is a flow chart showing the operation of the network protection device according to Embodiment 2. FIG. 27 shows a configuration of a packet rewriting unit according to Embodiment 2. FIG. FIG. 28 is a diagram showing the overall configuration of another communication network to which the network protection device belongs according to Modification 1 of Embodiment 2. In FIG. FIG. 29 is a diagram showing the overall configuration of still another communication network to which the network protection device belongs according to Modification 2 of Embodiment 2. In FIG.

(Findings on which this disclosure is based)
Control terminals such as industrial equipment in factories and the like may have been designed and implemented a long time ago, and connection to the Internet may not have been taken into consideration. Such control terminals do not have any countermeasures against security threats from the Internet.

In addition, such control terminals are strongly required to be highly available, and it is necessary to prevent delays in production operations and stoppages as much as possible. Not allowed.

However, at present, industrial equipment networks including such control terminals are exposed to security threats because they are connected to the Internet.

Therefore, it is necessary to monitor the security threats of the entire industrial equipment network and prevent delays and stoppages of production operations, while also preventing malware attacks from harming and expanding damage. Techniques for monitoring communication network data, detecting attacks, and rendering them harmless are disclosed in, for example, the above-mentioned Patent Literatures 1 and 2. However, it does not assume the prevention of delay increases and outages, which are required for industrial equipment networks, and the adverse effects on control due to sudden communication interruptions.

Accordingly, an object of the present disclosure is to achieve non-stop operation of terminals required for a control system network such as a factory, minimize communication delay, and improve the security level.

(One aspect of the present disclosure)
A network protection device according to an aspect of the present disclosure includes a plurality of LAN (Local Area Network) ports, and at least information on a source terminal and information on a destination terminal flowing through a switch that connects communication networks. a communication data acquisition unit that acquires communication data including the connecting the source terminal and the destination terminal via the threat removal unit through a first communication path that connects the source terminal and the destination terminal without going through the threat removal unit; a route changing unit that operates the switch to change the communication route to a second communication route that is different from the first communication route; Eliminate communication data threats.

With this configuration, a threat can be detected by continuously monitoring a copy of communication data passing through the switch with the communication analysis unit. When a threat is detected, the route changing unit logically separates the communication network to which the source terminal that may contain the threat belongs and the communication network to which the destination terminal belongs by changing the setting of the switch, and the communication network that may contain the threat. Change the path between the source terminal and the destination terminal to logically connect the threat remover. In this way, threats can be removed from the communication data transmitted by the source terminal that may contain threats. As a result, communication can be performed without stopping the operation of the terminal (without adversely affecting normal communication), and threats can be monitored to prevent the spread of malware and the like.

Also, in order to continue normal communication between the communication network to which the source terminal belongs and the communication network to which the destination terminal belongs, the communication analysis section that detects threats and the threat removal section that removes threats are separated. That is, since the communication analysis unit and the threat removal unit are separated as different processing units, the processing load on each processing unit can be minimized. This allows the communication analysis unit to detect a threat by search behavior or the like before it reaches the threat, and then remove the threat by the threat removal unit. As a result, security threats can be dealt with more quickly.

Therefore, this network protection device can improve the security level while realizing non-stop operation of the terminals constituting the communication network and minimization of communication delay. In particular, non-stop operation of existing equipment can be realized without affecting the existing equipment.

A network defense system according to an aspect of the present disclosure includes a plurality of LAN ports, and communication data including at least information on a source terminal and information on a destination terminal flowing through a switch that connects communication networks, a communication data acquisition unit that acquires via the switch in promiscuous mode; a threat detection unit that detects a threat in the communication data; a threat elimination unit; and the destination terminal, and a second communication path different from the first communication path connecting the source terminal and the destination terminal via the threat removal unit and a route changing unit that operates the switch to change the communication route, the threat removing unit removes the threat of the communication data after the route changing unit changes the communication route.

This network protection system also has the same effects as described above.

In the network protection device according to an aspect of the present disclosure, the switch includes a first LAN port connected to the source terminal, a second LAN port connected to the threat detection unit, and a third LAN port connected to the threat detection unit. A LAN port and a fourth LAN port connected to the destination terminal, and when the threat detection unit detects no threat, the route change unit connects to the first LAN port. setting the first communication path from the source terminal connected to the fourth LAN to the destination terminal connected to the port of the fourth LAN to a first VLAN (Virtual Local Area Network), When a threat is detected by the threat detection unit, the route change unit changes a signal from the transmission source terminal connected to the first LAN port included in the second communication route to the second LAN port. a second VLAN different from the first VLAN, and from the threat removal unit connected to the port of the third LAN to the fourth LAN A route to the destination terminal connected to the port is set to the first VLAN.

According to this, when the threat detection unit detects no threat, the first VLAN (first communication path) is set from the source terminal to the destination terminal. When the threat detection unit detects a threat, the route from the source terminal to the threat removal unit is set to the second VLAN, and the route from the threat removal unit to the destination terminal is set to the first VLAN (first VLAN). VLAN and the second VLAN serve as a second communication path). By doing so, when a threat is detected, the threat removal unit can be interposed between the transmission source terminal and the transmission destination terminal.

A network protection device according to an aspect of the present disclosure further includes a rewriting unit that rewrites VLAN information of a communication network included in the communication data that has passed through the threat removal unit, and the switch is connected to the source terminal. a fifth LAN port connected to the threat removal unit; a sixth LAN port connected to the threat removal unit; and a seventh LAN port connected to the destination terminal; is not detected, the route changing unit changes the source terminal connected to the fifth LAN port and the destination terminal connected to the seventh LAN port to the first VLAN, and when the threat detection unit detects a threat, the route change unit changes the transmission source terminal connected to the port of the fifth LAN included in the second communication route to the second communication route. and the destination terminal connected to the seventh LAN port is set to the first VLAN, and the rewriting unit is configured to set the transmission source terminal connected to the seventh LAN port to the first VLAN. VLAN information indicating the second VLAN to which the terminal belongs is rewritten to VLAN information indicating the first VLAN to which the destination terminal belongs, and the rewritten communication data is output to the switch.

Thus, when the threat detection unit detects a threat of communication data, the source terminal is set to the second VLAN, and the destination terminal is set to the first VLAN. The threat removal unit removes threats contained in the communication data acquired through the sixth port. The rewriting unit rewrites the VLAN information of the communication network included in the threat-removed communication data. In other words, since the VLAN information indicating the first VLAN and the VLAN information indicating the second VLAN are different, the rewriting unit adapts the VLAN information included in the communication data to the seventh port to which the destination terminal is connected. Rewrite the VLAN information so that As a result, even communication data passing through different VLANs can be transmitted from the source terminal to the destination terminal.

In the network protection device according to one aspect of the present disclosure, the first VLAN is a normal network that does not involve the threat elimination unit, and the second VLAN is configured so that the threat elimination unit detects a threat of the communication data. When the threat detection unit detects a threat, the route change unit changes part of the first VLAN from the normal network to the quarantine network.

According to this, when a threat is detected, the network is changed from the normal system to the quarantine system, so the threat included in the communication data output by the source terminal can be removed before it reaches the destination terminal. can.

In the network protection device according to an aspect of the present disclosure, when the threat elimination unit eliminates the threat of the communication data, the route change unit changes the quarantine network, which has been changed from the normal network, to Return to the normal system network.

Even after the threat of the communication data is removed, if the threat removal unit is interposed between the communication path between the source terminal and the destination terminal, a communication delay occurs between the two. However, in this network protection device, once the threat of communication data is removed, the quarantine system network is returned to the normal system network. Therefore, it is possible to suppress the occurrence of communication delay between the source terminal and the destination terminal.

In the network protection device according to an aspect of the present disclosure, the communication data acquisition unit acquires a copy of the communication data, and the threat detection unit monitors the copy of the communication data in promiscuous mode.

For example, if a threat detection unit is placed between the communication path between the source terminal and the destination terminal, the threat detection unit monitors all communication data, resulting in a communication delay between the two. However, since this network protection device copies communication data on the communication path and monitors it in promiscuous mode, it is possible to suppress the occurrence of communication delays between the source terminal and the destination terminal.

In the network protection device according to one aspect of the present disclosure, the threat removal unit removes unnecessary data including threats from the threat-detected communication data.

According to this, the communication data from which unnecessary data including threats are removed from the communication data and the threats removed is transmitted to the destination terminal, so that the amount of communication data can be reduced.

In the network defense device according to an aspect of the present disclosure, the threat detection unit gives a score to the source terminal in which the threat is detected according to the content of the detected threat, and the route change unit performs the threat detection unit exceeds a first value, the switch is caused to change the communication route so that the communication data relating to the transmission source terminal to which the score is assigned passes through the threat elimination unit.

According to this, by classifying the threats in stages according to the scores, it is possible to pass only the communication data that is highly likely to contain the threat to the threat elimination unit. Therefore, it is possible to prevent communication data with a low possibility of containing a threat from passing through the threat elimination unit. As a result, the amount of communication data that passes through the threat removal unit is reduced, so that it is possible to suppress the occurrence of communication delays between the communication paths between the source terminal and the destination terminal.

In the network defense device according to an aspect of the present disclosure, the threat detection unit subtracts a predetermined value from the given score after a predetermined time has elapsed, and the score of the detected threat is reduced to a second value. If it falls below, the route changing unit causes the switch to change the communication route so that the connection between the source terminal and the destination terminal does not go through the threat removal unit.

According to this, it is possible to accurately correct the content (score) of the threat detected from the communication data. As a result, the number of communication data items that pass through the threat removal unit is reduced over time, so that it is possible to suppress the occurrence of communication delays in the communication path between the source terminal and the destination terminal.

In the network defense device according to an aspect of the present disclosure, when the score of the detected threat exceeds a third value larger than the first value, the score is do not subtract

According to this, communication data with a very high probability of containing threats is considered to have a low probability of false positives. to maintain Therefore, it is possible to suppress the occurrence of erroneous detection and reliably remove the detected threat by the threat removal unit.

It should be noted that each of the embodiments described below is a specific example of the present invention. These generic or specific aspects may be embodied in systems, methods, integrated circuits, computer programs or computer readable recording media, and any combination of systems, methods, integrated circuits, computer programs or recording media. may be implemented with Numerical values, shapes, components, steps, order of steps, and the like shown in the following embodiments are examples and are not intended to limit the present invention. In addition, among the constituent elements in the following embodiments, constituent elements that are not described in independent claims representing the highest concept will be described as arbitrary constituent elements. Moreover, each content can also be combined in all the embodiments.

(Embodiment 1)
This embodiment will be described with reference to the drawings. The same symbols are used for the same components in each drawing.

1. Overall Configuration of Communication Network FIG. 1 is a diagram showing the overall configuration of a communication network to which a network protection device according to this embodiment belongs. In the communication network of the present embodiment, a terminal can be used for applications such as TCP (Transmission Control Protocol)/IP (Internet Protocol) and UDP (User Datagram Protocol)/IP on Ethernet (registered trademark) defined by IEEE802.3. Depending on the situation, communication is performed using an appropriate protocol.

As shown in FIG. 1, in the communication network, a network protection device 10, a destination terminal 301, and a source terminal 302 are connected to an intelligent switch 20 by LAN cables. In this embodiment, for the sake of convenience, the destination of communication data 1010 in FIG. As defined in terminal 302, the destination terminal can also be the source terminal and vice versa.

The intelligent switch 20 has a plurality of LAN ports (0 to 7) for connecting terminals. In the following description, LAN ports are simply referred to as ports. In the intelligent switch 20, the numerical value written at the connection point between the intelligent switch 20 and the LAN cable indicates the number of the port to which the LAN cable is connected. In the following, when simply referred to as a "terminal", the source terminal 302 and the destination terminal 301 are collectively referred to.

The intelligent switch 20 also has a function of setting a logical network called VLAN for each port. In the intelligent switch 20, the port 0 has a mirror function capable of outputting a copy of the communication data 1010 passing through the intelligent switch 20. FIG. Ports 1-7 behave like ports of a general switching hub. Ports (LAN ports) may include not only physical ports but also logical software ports. However, software ports need not include ports such as TCP/IP.

Ports 0-2 of the intelligent switch 20 are connected to the network protection device 10 via LAN cables, respectively. A destination terminal 301 is connected to port 4 of the intelligent switch 20 . Furthermore, a source terminal 302 is connected to port 7 of the intelligent switch 20 . Port 7 is an example of a first port. Port 4 is an example of a fourth port.

2. Configuration of Network Protection Device Next, details of the network protection device 10 will be described.

The network protection device 10 includes a communication data acquisition unit 101 , a communication analysis unit 102 , a switch operation unit 103 , a terminal information management unit 104 and a threat elimination unit 105 .

The communication data acquisition unit 101 acquires communication data 1010 flowing through the intelligent switch 20 having a plurality of ports in promiscuous mode. The communication data acquisition unit 101 has a function of receiving (acquiring) the communication data 1010 communicated between the source terminal 302 and the destination terminal 301 from port 0 and outputting it to the communication analysis unit 102. .

Communication analysis unit 102 analyzes communication data 1010 output from communication data acquisition unit 101 . The communication analysis unit 102 has a function of outputting information indicating analysis results (terminal communication information described later) to the terminal information management unit 104 . The terminal port number is the numerical value of the port to which the terminal is connected to the intelligent switch 20 .

The switch operation unit 103 has a function of acquiring information (switch information described later) in which the terminal port number and the terminal address held by the intelligent switch 20 are associated with each other, and notifying the terminal information management unit 104 of the acquired information. Further, the switch operation unit 103 switches (changes) the VLAN of the intelligent switch 20 from VLAN1 to VLAN2 or from VLAN2 to VLAN1 based on information (terminal information described later) output from the terminal information management unit 104. . That is, the switch operation unit 103 has a function of instructing the intelligent switch 20 to switch between VLAN1 and VLAN2. Here, VLAN1 is a normal system network, and VLAN2 is a quarantine system network. VLAN1 is an example of a first VLAN, and VLAN2 is an example of a second VLAN.

Terminal information management section 104 integrates information indicating analysis results output from communication analysis section 102 and information output from switch information acquisition section 1032 of switch operation section 103, which will be described later, and manages them as terminal information. The terminal information management unit 104 has a function of notifying the switch operation unit 103 of this terminal information.

The threat removal unit 105 has a function of acquiring the communication data 1010 transmitted from the destination terminal 301 and removing the threat from the acquired communication data 1010 . In other words, the threat removal unit 105 has a function of removing unnecessary data including threats from the threat-detected communication data 1010 . The threat elimination unit 105 also has a function of outputting communication data after threat elimination to the destination terminal 301 . If the communication data 1010 itself is a threat, the threat removal unit 105 removes the communication data 1010. If, for example, a character string contained in the communication data 1010 is a threat, the threat removal unit 105 removes the character string from the communication data 1010. output to the intelligent switch 20;

Here, a threat is a computer program that causes harmful or unwanted effects, such as damage, destruction, or access denial, to destination terminal 301 and information stored on destination terminal 301; For example, malware, virus, or spyware.

2-1. Configuration of Communication Data FIG. 2 is a diagram showing the configuration of communication data 1010 in this embodiment. As shown in FIG. 2 , communication data 1010 includes at least source address information 1011 , destination address information 1012 and payload 1013 .

The source address information 1011 includes at least source MAC (Media Access Control) address information 10111 , source IP address information 10112 , and source port information 10113 . Source address information 1011 is an example of information on the source terminal 302 .

The destination address information 1012 includes at least destination MAC address information 10121 , destination IP address information 10122 and destination port information 10123 . The destination address information 1012 is an example of information on the destination terminal.

3. Configuration of Communication Analysis Unit Next, the details of the communication analysis unit 102 will be described.

FIG. 3 is a diagram showing the configuration of communication analysis section 102 in this embodiment. As shown in FIG. 3 , communication analysis section 102 includes terminal address confirmation section 1020 , communication flow information analysis section 1021 , and communication data analysis section 1022 .

Communication analysis unit 102 acquires communication data 1010 from communication data acquisition unit 101, and uses terminal address confirmation unit 1020, communication flow information analysis unit 1021, and communication data analysis unit 1022 to analyze communication data 1010, respectively. . Communication analysis unit 102 outputs terminal communication information 1023 in which threat detection information from terminal address confirmation unit 1020 , communication flow information analysis unit 1021 , and communication data analysis unit 1022 is summarized to terminal information management unit 104 . The communication analysis unit 102 is an example of a threat detection unit.

3-1. Configuration of Terminal Address Verification Unit As shown in FIGS. 10112. Based on the acquired source address information 1011, the terminal address confirmation unit 1020 checks the MAC address information and IP address information of the source terminal 302 whose access is prohibited, the source MAC address information 10111 and the source IP address information. 10112, and outputs threat detection information that is the result of the determination.

3-2. Configuration of Communication Flow Information Analysis Section Communication flow information analysis section 1021 generates threat detection information based on destination address information 1012 included in communication data 1010 . Communication flow information analysis unit 1021 determines whether there is a threat based on destination address information 1012, and outputs threat detection information as a result of the determination. Communication flow information analysis section 1021 includes blacklist communication detection section 10211 , non-whitelist communication detection section 10212 , IP scan detection section 10213 , and port scan detection section 10214 . Note that the communication flow information analysis unit 1021 may not include all of the detection units described above, may include a part of the detection units, or may include another detection unit.

The blacklist communication detection unit 10211 determines whether or not the transmission destination address information for which access is prohibited matches the transmission destination address information 1012, and detects a security abnormality if they match.

The non-whitelist communication detection unit 10212 determines whether or not the transmission destination address information permitted to access matches the transmission destination address information 1012, and detects a security abnormality if they do not match.

The IP scan detection unit 10213 determines from the destination IP address information 10122 included in the destination address information 1012 whether there is an attempt to access multiple IP addresses within the communication network. The IP scan detection unit 10213 detects a security abnormality when there is such an access attempt.

The port scan detection unit 10214 determines from the destination port information 10123 included in the destination address information 1012 whether there is an attempt to access a number of ports for a specific IP address within the communication network. The port scan detection unit 10214 determines security abnormality when there is such an access attempt.

The communication flow information analysis unit 1021 may use detection units other than the blacklist communication detection unit 10211 , non-whitelist communication detection unit 10212 , IP scan detection unit 10213 , and port scan detection unit 10214 . For example, using machine learning, the detection unit evaluates whether the access destination is appropriate or not, and determines that the access destination has a certain score or more as a security abnormality, and the terminal with the highest score to the next few security anomaly.

3-3. Configuration of Communication Data Analysis Unit In communication analysis unit 102 , communication data analysis unit 1022 generates threat detection information based on payload 1013 included in communication data 1010 . Communication data analysis unit 1022 determines whether there is a threat based on payload 1013, and outputs threat detection information as a result of the determination. Communication data analysis unit 1022 includes vulnerability attack detection unit 10221 , malware detection unit 10222 , and authentication failure detection unit 10223 .

The communication data analysis unit 1022 may not include all of the vulnerability attack detection unit 10221, the malware detection unit 10222, and the authentication failure detection unit 10223, and may include another detection unit.

The vulnerability attack detection unit 10221 determines whether there is a pattern in the payload 1013 that attacks the vulnerability of the software installed in the terminal. The vulnerability attack detection unit 10221 detects a security abnormality when the communication data 1010 has a pattern of attacking software vulnerability.

The malware detection unit 10222 determines whether the payload 1013 contains a pattern indicating malware. The malware detection unit 10222 detects a security abnormality when a pattern indicating malware is included.

The authentication failure detection unit 10223 acquires authentication attempt information for a terminal, and determines whether authentication attempts and authentication failures have repeatedly occurred for a specific terminal within a certain period of time. The authentication failure detection unit 10223 detects a security abnormality when authentication failures occur repeatedly.

Communication data analysis unit 1022 may use another detection unit other than vulnerability attack detection unit 10221 , malware detection unit 10222 , and authentication failure detection unit 10223 . Another detection unit, for example, as disclosed in Non-Patent Document 1, a part of the bit pattern of the payload 1013 is scored using machine learning, or obtained by decoding the contents of the payload 1013 A detection unit that evaluates information using machine learning, etc., detects a security anomaly if the score exceeds a certain level, and a detection unit that detects several patterns with the highest scores as a security anomaly. be done.

3-4. Configuration of Terminal Communication Information Next, details of the terminal communication information 1023 will be described. FIG. 4 is a diagram showing the configuration of terminal communication information 1023 in this embodiment.

As shown in FIGS. 3 and 4 , terminal address confirmation section 1020 , communication flow information analysis section 1021 , and communication data analysis section 1022 analyze communication data 1010 and use the analysis result as terminal communication information 1023 . As shown in FIG. 4, the terminal communication information 1023 is composed of a terminal number 10230, IP address information 10231, MAC address information 10232, update time information 10233, and threat detection content 10234. FIG.

Terminal address confirmation section 1020 sets source IP address information 10112 as IP address information 10231 and source MAC address information 10111 as MAC address information 10232 . Further, the determination result of the communication flow information analysis unit 1021 and the communication data analysis unit 1022 is regarded as threat detection content 10234 . The time when the IP address information 10231 and the transmission source MAC address information 10232 are acquired is the update time information 10233 .

4. Configuration of Switch Operation Unit Next, the details of the switch operation unit 103 will be described. FIG. 5 is a diagram showing the configuration of switch operation unit 103 in this embodiment.

As shown in FIG. 5, the switch operation unit 103 stores switch initial setting information 1031, which is setting information regarding the intelligent switch 20. FIG. The switch operation unit 103 has a switch information acquisition unit 1032 and a route change unit 1033 .

The switch information acquisition section 1032 acquires the switch information 10320 held by the intelligent switch 20 based on the switch initial setting information 1031 and outputs the switch information 10320 to the terminal information management section 104 .

The route changing unit 1033 changes the VLAN setting of each port of the intelligent switch 20 based on the notification from the switch initial setting information 1031 and the terminal information managing unit 104 .

4-1. Configuration of Switch Initial Setting Information Next, details of the switch initial setting information 1031 will be described. FIG. 6 is a diagram showing the configuration of the switch initial setting information 1031 according to this embodiment. As shown in FIG. 6, the switch initial setting information 1031 includes a switch identification information table 10310 in which the switch identification information 10311 and the switch control IP address 10312 correspond, and a VLAN information table 10314 in which the VLAN information 10314 and the VLAN network type 10315 correspond. It is composed of an identification information table 10313 .

The switch identification information 10311 is information for identifying individual intelligent switches 20 .

The switch control IP address 10312 is used when controlling the intelligent switch 20 through port 1 of the intelligent switch 20 using SNMP (Simple Network Management Protocol).

The VLAN information 10314 is information for specifying (identifying) a VLAN, and VLAN1 and VLAN2 exist in this embodiment.

The VLAN network type 10315 is associated with VLAN information 10314 . For example, for VLAN1, the VLAN network type 10315 indicates a normal network, and for VLAN2, the VLAN network type 10315 indicates a quarantine network.

A normal network is a network in which the threat removal unit 105 is not interposed between the source terminal 302 and the destination terminal 301 .

The quarantine system network is a network in which the threat removal unit 105 is interposed between the source terminal 302 and the destination terminal 301 .

4-2. Configuration of Switch Information Next, the details of the switch information 10320 will be described. FIG. 7 is a diagram showing the configuration of switch information 10320 in this embodiment. Switch information 10320 is generated by switch information acquisition section 1032 . The switch information acquisition unit 1032 sets the switch identification information 10311 acquired from the switch initial setting information 1031 as the switch identification information 10321, and obtains the connection port information 10322 corresponding to the switch identification information 10321, VLAN information 10323, and MAC address information 10324 is acquired.

The connection port information 10322 is information indicating the port number of the intelligent switch 20 to which the terminal is connected.

5. Configuration of Terminal Information Management Unit Next, details of the terminal information management unit 104 of the network protection device 10 will be described. FIG. 8 is a diagram showing the configuration of terminal information management section 104 in this embodiment. As shown in FIG. 8, the terminal information management unit 104 manages terminal information 10410, which is information about terminals existing in the communication network to be managed. The terminal information management unit 104 includes a terminal information storage unit 1041 that stores terminal information 10410, a terminal information update unit 1042, and a terminal management setting unit 1043a.

The terminal information update unit 1042 updates the terminal communication information 1023 of FIG. 4 obtained from the communication analysis unit 102, the switch information 10320 of FIG. 7 obtained from the switch operation unit 103, and the threat addition score information 10430 of FIG. Based on this, terminal temporary information 1040 is generated. Terminal information update section 1042 generates terminal update information 10420 based on terminal temporary information 1040 and terminal information 10410 stored in terminal information storage section 1041 . Terminal information update section 1042 notifies terminal update information 10420 to route change section 1033 of switch operation section 103 . Furthermore, the terminal information update unit 1042 updates the terminal information 10410 stored in the terminal information storage unit 1041 based on the terminal update information 10420 .

The terminal management setting section 1043a is a storage section that stores the terminal management section setting information 1043 .

5-1. Configuration of Terminal Management Unit Setting Information Next, details of the terminal management unit setting information 1043 will be described. FIG. 9 is a diagram showing the configuration of terminal management unit setting information 1043 in this embodiment. As shown in FIG. 9, the terminal manager setting information 1043 includes threat addition score information 10430 and terminal manager reference value information 10431 required to change the VLAN settings of each port based on the threat score.

Threat addition score information 10430 includes detection content identification information 104301 , detection content 104302 , judgment 104303 , and threat addition score 104304 .

The detection content identification information 104301 is information indicating the result of determination by any of the terminal address confirmation unit 1020, the communication flow information analysis unit 1021, the communication data analysis unit 1022, etc. of the communication analysis unit 102. FIG. The detection content identification information 104301 is represented by the code of each processing unit, and the code described in the drawing is an example.

Note that the detection content identification information 104301 may be anything as long as it can identify which processing unit has determined the result. You may make it identify by .

The detection content 104302 indicates the detection content associated with the detection content identification information 104301 . The detection content 104302 is, for example, "1020" of the detection content identification information 104301 indicates that "a new IP address and MAC address appear" that are not included in the terminal information storage unit 1041 of the new source address information 1011. show.

The determination 104303 is black when the detection result indicated by the detection content 104302 is determined to be a threat, and is gray when there is a possibility of a threat but it cannot be clearly determined whether it is a threat, and there is no possibility of a threat. Define the case as white.

Note that the determination 104303 is not limited to defining the detection results in three levels as described above, but may use additional determination levels as necessary, or define two levels of black and white. You may

Note that the added threat score information 10430 is not limited to the above items, and may include other items, or may use only some of the items. Moreover, the detection content 104302 of the additional threat score information 10430 may be used in combination. Further, the added threat score 104304 of the added threat score information 10430 does not need to be the same for all terminals, and different values may be set according to roles and types.

Terminal management unit reference value information 10431 includes reference value content 104311 and reference value 104312 . Reference value content 104311 includes "time t0 until threat score subtraction", "threat score value X when changing from VLAN1 to VLAN2", "threat score value Y when changing from VLAN2 to VLAN1", "score value Z that changes the threat level determination from gray to black". Threat score value X is an example of a first value. The threat score value Y is an example of a second value. The score value Z is an example of a third value.

Note that the reference value content 104311 of the terminal management unit reference value information 10431 is not limited to the above content, and may include items other than the above content. good too. Instead of using "time t0 until threat score subtraction", for example, "communication capacity M0", "fixed number of communication packets P0", "fixed number of TCP sessions S0", etc. may be used. When the reference value content 104311 is "communication capacity M0" and "communication packet number P0", the amount of transmission from the destination terminal 301 may be measured from the communication capacity and the number of communication packets. The amount of transmission/reception from the destination terminal 301 may be measured.

In addition, in the reference value content 104311, any two or more of "time t0 until threat score subtraction", "communication capacity M0", "fixed number of communication packets P0" and "fixed number of TCP sessions S0" They may be used in combination. Also, the value of the reference value 104312 of the terminal management unit reference value information 10431 does not need to be the same for all terminals, and different values may be set according to the role and type.

The terminal management unit setting information 1043 needs to be set at the start of operation of the communication network, but may be changed according to the situation after the start of operation of the communication network. Although not shown, the terminal information updating unit 1042 may be provided with an information display unit and an input unit for setting. 104312 may be changed.

5-2. Configuration of Terminal Temporary Information Next, details of the terminal temporary information 1040 will be described. FIG. 10 is a diagram showing the configuration of terminal temporary information 1040 in this embodiment. As shown in FIG. 10, terminal temporary information 1040 is managed by terminal information management section 104 in FIG. Terminal temporary information 1040 includes switch identification information 10401 , connection port information 10402 , VLAN information 10403 , MAC address information 10404 , IP address information 10405 , update time information 10406 , and added threat score 10407 .

5-3. Configuration of Terminal Update Information Next, details of the terminal update information 10420 will be described. FIG. 11 is a diagram showing the configuration of terminal update information 10420 in this embodiment. FIG. 11 shows information after the threat from source terminal 302 is detected. The terminal update information 10420 is managed by the terminal information management section 104 and held by the terminal information update section 1042 .

Terminal update information 10420 includes switch identification information 10421, connection port information 10422, VLAN information 10423, MAC address information 10424, IP address information 10425, update time information 10426, and threat score 10427. Threat score 10427 indicates the degree of threat of communication data 1010 calculated based on the added threat score in FIG. A threat score of 10427 is an example of a score.

5-4. Configuration of Terminal Information Next, details of the terminal information 10410 will be described. 12A and 12B are diagrams showing the configuration of terminal information 10410 in this embodiment. Terminal information 10410 in FIG. 12A indicates information before the threat from source terminal 302 is detected, and terminal information 10410 in FIG. 12B indicates information after the threat from source terminal 302 is detected. there is

As shown in FIGS. 12A and 12B, the terminal information 10410 is managed by the terminal information management section 104 and stored in the terminal information storage section 1041. FIG. Terminal information 10410 includes management ID information 10411, switch identification information 10412, connection port information 10413, VLAN information 10414, MAC address information 10415, IP address information 10416, update time information 10417, and threat score 10418. including.

The management ID information 10411 assigns one ID for identifying a set of switch identification information 10412, connection port information 10413, VLAN information 10414, and MAC address information 10415 from other sets.

6. Logical Network Configuration Before Threat Detection and After Threat Detection Next, the details of the entire network configuration before and after the threat from the source terminal 302 is detected will be described. 13A and 13B are diagrams showing the logical network configuration of the entire network configuration in this embodiment. 13A shows the logical overall network configuration before the threat from source terminal 302 is detected, and FIG. 13B shows the logical network configuration after the threat from source terminal 302 is detected. . As shown in FIGS. 13A and 13B, the threat remover 105 is connected via port 1 of the intelligent switch 20 included in VLAN1 and connected via port 2 of the intelligent switch 20 included in VLAN2. there is 13A and 13B omit the LAN cable connecting port 0 of the intelligent switch 20 and the network protection device 10 for convenience.

FIG. 13A shows the normal network before or after the threat from source terminal 302 is detected and after the abnormal state changes to the normal state. Destination terminal 301 and source terminal 302 are both included in VLAN 1 and communicate without intervention of threat removal section 105 . 13A, the destination terminal 301 and the source terminal 302 are connected via the intelligent switch 20, and constitutes a normal network in which threat removal is not performed on the communication data 1010. FIG. A change from an abnormal state to a normal state means recovery from an abnormal state to a normal state.

Source terminal 302, ports 7 and 4 of intelligent switch 20, and destination terminal 301 are an example of a first communication path and belong to VLAN1. The path of source terminal 302, port 7 and port 4 of intelligent switch 20, and destination terminal 301 is in a normal state before detection.

FIG. 13B shows a logical abnormal network after the threat from source terminal 302 is detected and before the abnormal state changes to the normal state.

The destination terminal 301 is connected to the threat elimination unit 105 while being connected to VLAN1, and the transmission source terminal 302 is switched from VLAN1 to VLAN2 and connected to the threat elimination unit 105 . As a result, source terminal 302 communicates with destination terminal 301 via threat removal unit 105 . The threat removal unit 105 removes the threat from the communication data 1010 related to the transmission source terminal 302 and transmits the communication data after the threat removal, ie, the corrected communication data, to the transmission destination terminal 301 via the intelligent switch 20 .

Source terminal 302, port 7 and port 2 of intelligent switch 20, threat remover 105 belonging to VLAN 2, and threat remover 105, port 1 and port 4 of intelligent switch 20, and destination terminal 301 belonging to VLAN 1 are , is an example of a second communication path. Source terminal 302, port 7 and port 2 of intelligent switch 20, threat remover 105, and the route of threat remover 105, port 1 and port 4 of intelligent switch 20, and destination terminal 301 belonging to VLAN 1 is detected It is the previous abnormal state. Port 1 and port 2 are examples of second and third ports.

Then, the switch operation unit 103 of the network protection device 10 changes the abnormal system network in the abnormal state to the normal system network in the normal state as shown in FIG. 13A. The source terminal 302 then performs normal communication with the destination terminal 301 .

7. Operation of Network Protection Device Next, the operation of the network protection device 10 will be described in detail. FIG. 14 is a flow chart showing the operation of the network protection device 10 according to this embodiment.

As shown in FIG. 14 and the like, the network protection device 10 acquires communication data 1010 communicated between the source terminal 302 and the destination terminal 301 (step S001). Specifically, network protection device 10 obtains a copy of communication data 1010 in promiscuous mode via a LAN cable connected to port 0 of intelligent switch 20 .

The communication data acquisition unit 101 of the network protection device 10 outputs the communication data 1010 acquired on the monitored communication network to the communication analysis unit 102 .

Communication analysis unit 102 analyzes communication data 1010 (step S002). The communication analysis unit 102 uses the terminal address confirmation unit 1020, the communication flow information analysis unit 1021, and the communication data analysis unit 1022 based on the communication data 1010 to determine threat detection information, which is the result of each determination. to generate Communication analysis unit 102 generates terminal communication information 1023 based on each piece of threat detection information.

Terminal address confirmation section 1020 extracts terminal communication information 1023 of transmission source terminal 302 from communication data 1010 and identifies IP address information 10231 , MAC address information 10232 and update time information 10233 of transmission source terminal 302 .

In the communication flow information analysis unit 1021, the blacklist communication detection unit 10211 detects a security abnormality when the transmission destination address information 1012 matches a transmission destination to which access is prohibited. Also, the non-whitelist communication detection unit 10212 detects a security abnormality when the destination address information 1012 does not match the destination to which access is permitted. Furthermore, the IP scan detection unit 10213 detects a security abnormality when there are attempts to access a large number of IP addresses within the network based on the destination IP address information. Also, the port scan detection unit 10214 detects a security abnormality when there are many port access attempts to a specific IP address inside the network from the destination port information.

In the communication data analysis unit 1022, the vulnerability attack detection unit 10221 detects a security abnormality when the payload 1013 includes a pattern that attacks the vulnerability of the software installed in the destination terminal 301. FIG. The malware detection unit 10222 detects a security abnormality when the payload 1013 includes a pattern indicating malware. The authentication failure detection unit 10223 detects a security abnormality when a specific terminal that requires authentication repeats numerous authentication attempts and failures within a certain period of time.

Communication analysis section 102 then transmits terminal communication information 1023 to terminal information management section 104 .

Terminal information update unit 1042 generates terminal temporary information 1040 from terminal communication information 1023 , terminal information 10410 , and added threat score information 10430 of terminal management unit setting information 1043 .

The MAC address information 10232 of the terminal communication information 1023 is used for the MAC address information 10404, the IP address information 10231 of the terminal communication information 1023 is used for the IP address information 10405, and the update time information 10233 of the terminal communication information 1023 is used for the update time information 10406.

Terminal information update unit 1042 searches terminal information 10410 for a combination including MAC address information 10404 and IP address information 10405 . If there is such a combination, the terminal information updating unit 1042 sets the switch identification information 10401 as the switch identification information 10412, the connection port information 10402 as the connection port information 10413, and the VLAN information 10403 as the VLAN information 10414. Based on the added threat score information 10430, the terminal management setting unit 1043a sets the added threat score 10407 to the added threat score 104304 corresponding to the detected content 104302 that matches the detected threat content 10234 (step S021).

Terminal information update unit 1042 searches terminal information 10410 for a combination including MAC address information 10404 and IP address information 10405 . If there is no corresponding combination, the terminal information update unit 1042 updates the threat addition score 104304 corresponding to the detection content 104302 "new IP: MAC appearance" indicated by the threat addition score information 10430 of the terminal management unit setting information 1043 " 1000" as a threat addition score 10407 (step S021). Here, the switch identification information 10401, the connection port information 10402, and the VLAN information 10403 remain undetermined.

The communication analysis unit 102 determines whether or not a threat has been detected (branch B003). Specifically, if the communication data 1010 includes a pattern that attacks software vulnerability, the malware detection unit 10222 detects a pattern indicating malware, and the authentication failure detection unit 10223 detects an authentication failure. is detected as a security anomaly.

If no threat is detected (N in branch B003), that is, if the threat score is less than score value Z, terminal information management unit 104 generates terminal update information 10420, step is determined.

Terminal information management section 104 generates terminal update information 10420 based on terminal temporary information 1040 and terminal information 10410 . At this time, the switch identification information 10421 becomes the switch identification information 10401, the connection port information 10422 becomes the connection port information 10402, the VLAN information 10423 becomes the VLAN information 10403, the MAC address information 10424 becomes the MAC address information 10404, and the IP address information 10425 becomes IP address information 10405 and update time information 10426 become update time information 10406 . The terminal information management unit 104 calculates a threat score 10427 by adding the threat score 10418 to the added threat score 10407 .

The terminal information update unit 1042 of the terminal information management unit 104 determines whether or not the threat score 10427 of the terminal update information 10420 is greater than 0 (branch B030). If the threat score 10427 is 0 (N at branch B030), the terminal information updating unit 1042 returns to step S001 and acquires the next communication data 1010. FIG. If the threat score 10427 is greater than 0 (Y in branch B030), the terminal information updating unit 1042 determines that the threat score 10427 changes the threat level determination from gray to black with a score value Z (hereinafter referred to as score A value Z) is determined (branch B031).

If the threat score 10427 is greater than or equal to the score value Z (N in branch B031), the terminal information update unit 1042 determines the threat level to be black, returns to step S001, and acquires the next communication data 1010. If the threat score 10427 is less than the score value Z (Y in branch B031), the terminal information updating unit 1042 determines that the threat level is gray, and updates the update time information 10417 of the terminal information 10410 and the terminal update information 10420. The time information 10426 is compared to determine whether time t0 has passed since the previous update time (branch B032).

Here, the time t0 is the same as that defined in the reference value content 104311 of the terminal management unit reference value information 10431, and is a value that must be determined before starting communication. The time t0 may be a fixed value such as 5 minutes, or may be changed by setting some criteria according to changes in the situation after the communication is started.

Also, instead of the determination of branch B032, for example, the communication capacity M0, the fixed number of communication packets P0, and the fixed number of TCP sessions S0 may be used for the determination. In the case of the communication capacity M0 and the number of communication packets P0, the communication capacity and the number of communication packets may measure the amount of transmission from the source terminal 302, or measure the amount of transmission and reception from the source terminal 302 and the destination terminal 301. You may

Also, in the determination of branch B032, time t0, communication capacity M0, fixed number of communication packets P0 and fixed number of TCP sessions S0 may be used in combination. Also, the value of the reference value 104312 of the terminal management unit reference value information 10431 is an example, and different values may be set depending on the role.

If the time t0 has not elapsed (N in branch B032), the terminal information updating unit 1042 returns to step S001 and acquires the next communication data 1010. FIG. If time t0 has passed since the previous update time (Y in branch B032), the terminal information updating unit 1042 subtracts 1 from the threat score 10427 of the terminal update information 10420 from the threat score 10427 of the terminal information 10410. value (step S033).

Here, the value to be subtracted is 1, but the value to be subtracted may be changed according to the type of threat detected and the role of the terminal. Not limited.

When a threat is detected (Y in branch B003), that is, when the threat score is equal to or greater than the score value Z, the switch information acquisition unit 1032 of the switch operation unit 103 obtains the latest switch information 10320 from the intelligent switch 20. is obtained (step S004). The switch information acquisition section 1032 outputs the latest switch information 10320 to the terminal information management section 104 . The terminal information update unit 1042 updates the switch identification information 10421, the connection port information 10422, and the VLAN information 10423 of the terminal update information 10420. FIG.

Here, the switch information acquisition unit 1032 can acquire the latest switch information 10320 through the port 1 of the intelligent switch 20 by, for example, SNMP (Simple Network Management Protocol). Note that the switch information acquisition unit 1032 may acquire the latest switch information 10320 using a dedicated communication line, etc., other than SNMP.

The terminal information update unit 1042 determines whether the VLAN information 10423 of the terminal update information 10420 is VLAN1 (branch B005). If the VLAN is VLAN2 (N at branch B005), proceed to branch B006, and if the VLAN is VLAN1 (Y at branch B005), proceed to branch B007.

The terminal information update unit 1042 determines whether the threat score 10427 of the terminal update information 10420 is greater than the threat score value Y when changing from VLAN2 to VLAN1 (branch B006).

If the threat score 10427 is greater than the threat score value Y (Y in branch B006), the route changing unit 1033 proceeds to step S008 without switching the VLAN to which the connection port information 10422 belongs, and the threat score 10427 becomes the threat score value Y. In the following cases (N at branch B006), the process proceeds to step S061.

The terminal information updating unit 1042 determines whether or not the threat score 10427 of the terminal update information 10420 is smaller than the threat score value X when switching from VLAN1 to VLAN2 (branch B007). If the threat score 10427 is smaller than the threat score value X (Y in branch B007), proceed to step S008. If the threat score 10427 is greater than or equal to threat score value X (N in branch B007), proceed to step S071. .

Here, threat score value X and threat score value Y used in branch B006 and branch B007 may be the same value or different values.

As shown in FIGS. 5, 11 and 14, based on the VLAN information 10423 of the terminal update information 10420, the path changing unit 1033 switches the VLAN to which the connection port information 10422 belongs from VLAN2 to VLAN1 (step S061). Step S061 is the process of returning source terminal 302, which was subject to quarantine, from the quarantine system network to the normal system network. be.

13A shows a state before the threat from the transmission source terminal 302 is detected, and the threat score of the terminal management unit reference value information 10431 is lower than the threat score value X in FIG. 9, or the terminal management unit reference value The logical network after the threat score of the information 10431 changes from the threat score value Y of FIG. 9 to the threat score value Y or less.

The path change unit 1033 can set the VLAN of the switch port through the port 1 of the intelligent switch 20 by, for example, SNMP. Note that the route changing unit 1033 may be set using a dedicated communication line or the like other than SNMP.

Based on the VLAN information 10423 of the terminal update information 10420, the route changing unit 1033 switches the VLAN to which the connection port information 10422 belongs from VLAN1 to VLAN2 (step S071).

Step S071 is a process of switching the source terminal 302 belonging to the normal system network so that it belongs to the quarantine system network, and switching from VLAN1 to which the source terminal 302 of FIG. 13A belongs to VLAN2 of FIG. 13B. is.

FIG. 13B is after the threat from the transmission source terminal 302 is detected, and the threat score of the terminal management unit reference value information 10431 changes from below the threat score value X in FIG. 9 to above the threat score value X. state, and the logical network remains above the threat score value Y of FIG.

The terminal information update unit 1042 updates the terminal information 10410 based on the terminal update information 10420 (step S008). Specifically, the terminal information update unit 1042 converts the switch identification information 10412 and the switch identification information 10421, the connection port information 10413 into the connection port information 10422, the VLAN information 10414 into the VLAN information 10423, and the MAC address information 10415 into the MAC address. It is confirmed whether the information 10424 and the IP address information 10416 match the IP address information 10425 respectively. When all of these match, the terminal information updating unit 1042 updates the update time information 10417 and the threat score 10418 of the management ID having the matching combination to the update time information 10426 and the threat score 10427, respectively. On the other hand, if all of these do not match, the terminal information update unit 1042 assigns a new management ID, replaces the switch identification information 10412 with the switch identification information 10421, the connection port information 10413 with the connection port information 10422, and the VLAN information 10414 with the VLAN information. The MAC address information 10415 is set to the MAC address information 10424, the IP address information 10416 to the IP address information 10425, the update time information 10417 to the update time information 10426, and the threat score 10418 to the threat score 10427 in the information 10423. After updating in this way, the terminal information updating unit 1042 returns to step S001 and acquires the next communication data 1010 . FIG. 12B shows a case where terminal information 10410 in the state of FIG. 12A is updated by terminal update information 10420 of FIG. Then, the terminal information updating unit 1042 returns the process to step S001.

7-1. Threat Score Update Operation Next, the details of the threat score update operation will be described. FIG. 15 is a flowchart showing processing for updating the threat score in this embodiment. FIG. 15 shows update processing of the threat score 10427 of the terminal update information 10420 in branch B003 of FIG.

As shown in FIG. 15 and the like, the terminal information updating unit 1042 confirms whether or not the switch identification information 10412 and the switch identification information 10421 all match. This confirmation is performed by the following loop processing in which the terminal information updating unit 1042 repeats steps S102 to S106 (S101). Specifically, the terminal information updating unit 1042 updates the switch identification information 10401, the connection port information 10402, the VLAN information 10403, the MAC address information 10404, and the IP address of the terminal temporary information 1040 for all management IDs of the terminal information 10410. Check whether the combination with the information 10405 is included.

The terminal information update unit 1042 determines whether the switch identification information 10401 and the switch identification information 10412 match (step S102). If they do not match (N in step S102), it indicates that there is no management ID included, that is, the terminal temporary information 1040 is not included in the terminal information 10410. FIG. The terminal information update unit 1042 sets the added threat score 10407 to the threat score 10427 of the terminal update information 10420 (step S108). Then, the terminal information updating unit 1042 terminates the processing.

If they match (Y in step S102), the terminal information updating unit 1042 determines whether the switch identification information 10402a and the switch identification information 10413a match (step S103). If they do not match (N in step S103), the terminal information updating unit 1042 proceeds to step S108.

If they match (Y in step S103), the terminal information updating unit 1042 determines whether the switch identification information 10403a and the switch identification information 10414a match (step S104). If they do not match (N in step S104), the terminal information updating unit 1042 proceeds to step S108.

If they match (Y in step S104), the terminal information updating unit 1042 determines whether the switch identification information 10404a and the switch identification information 10415a match (step S105). If they do not match (N in step S105), the terminal information updating unit 1042 proceeds to step S108.

If they match (Y in step S105), the terminal information updating unit 1042 determines whether the switch identification information 10405a and the switch identification information 10416a match (step S106). If they do not match (N in step S106), the terminal information updating unit 1042 proceeds to step S108.

If they match (Y in step S106), the terminal information updating unit 1042 updates the sum of the threat score 10418 of the corresponding management ID and the added threat score 10407 of the terminal temporary information 1040 to the terminal update information 10420. The threat score is set to 10427 (step S107). Then, the terminal information updating unit 1042 terminates the processing.

7-2. Terminal Information Update Operation Next, the operation of updating the terminal information 10410 will be described in detail. FIG. 16 is a flowchart showing processing for updating terminal information in this embodiment. FIG. 16 shows update processing of the terminal information 10410 in S009 of FIG. The same reference numerals are given to the same processing as in FIG. 15, and the description thereof will be omitted as appropriate.

As shown in FIG. 16 and the like, the terminal information updating unit 1042 performs the following loop processing that repeats steps S102 to S106 (S101). In the processing from step S102 to step S106, if all of the management IDs of the terminal information 10410 match (Y in step S106), the terminal information updating unit 1042 updates the update time information 10417 of FIG. It updates based on the update time information 10426, and updates the threat score 10418 in FIG. 12A based on the threat score 10427 (step S117). Then, the terminal information updating unit 1042 terminates the processing.

When there is no management ID included (when the terminal temporary information 1040 is not included in the terminal information 10410), the terminal information updating unit 1042 adds a new management ID and registers the terminal update information (step S118). ). Then, the terminal information updating unit 1042 terminates the processing.

8. Operation of Threat Remover The threat remover 105 is connected to both VLAN1 and VLAN2. The threat removal unit 105 removes communication data 1010 containing threats from communication between the destination terminal 301 belonging to VLAN1 and the transmission source terminal 302 belonging to VLAN2. Alternatively, the threat removal unit 105 removes the harmful portion of the communication data 1010 from the communication between the transmission destination terminal 301 belonging to VLAN1 and the transmission source terminal 302 belonging to VLAN2 to render the communication data 1010 including the threat harmless. It has a function of passing normal communication data 1010 that has been discarded or rewritten to harmless data.

The threat removal unit 105 may be configured in a mode called transparent mode in which the threat removal unit 105 behaves as if it does not exist as a terminal on the communication network. can continue.

Alternatively, the network protection device 10 may act as a router between VLAN1 and VLAN2. The threat elimination unit 105 may act like the terminal 301 when communicating from the source terminal 302 to the destination terminal 301 . Specifically, an ARP command may be used.

9. Effect of the Embodiment According to the present embodiment, a threat can be detected by continuously monitoring a copy of the communication data 1010 passing through the intelligent switch 20 with the communication analysis unit 102 . Further, when a threat is detected, the switch operation unit can logically separate the communication network (VLAN2) to which the destination terminal 301, which may contain a threat, belongs to and the communication network (VLAN1) to which the source terminals 302 and 304 belong. can. In other words, the threat removal unit 105 is logically connected to the boundary between the VLAN 2 to which the source terminals 302 and 304 that may contain a threat belong and the VLAN 1 to which the destination terminal 301 belongs. Thus, threats can be removed from communication data 1010 transmitted by source terminals 302, 304 that may contain threats. As a result, it is possible to prevent security anomalies from spreading without adversely affecting normal communications.

In order to continue normal communication between the communication network to which source terminals 302 and 304 belong and the communication network to which destination terminal 301 belongs, communication analysis section 102 for detecting threats and threat removal section 105 for removing threats are provided. Separated. Therefore, the processing load on each processing unit can be minimized. Accordingly, the threat removal unit 105 can remove the threat after the communication analysis unit 102 detects the threat by search behavior or the like before it reaches the threat. As a result, security threats can be dealt with more quickly.

Therefore, it is possible to realize non-stop operation of terminals and minimization of communication delay required for a control system network such as a factory. In addition, by monitoring threats within the communication network and suppressing the spread of threats, the security level can be improved.

10. Other Modifications of Embodiment 1 Although the present disclosure has been described based on the above embodiment, the present disclosure is not limited to Embodiment 1 above, and the following modifications of Embodiment 1 1. Modification 2 of Embodiment 1 is also included in the present disclosure.

Modification 1 (hereinafter, this modification) of Embodiment 1 will be described. As the overall configuration of the network, in FIG. 1, one intelligent switch 20 is connected to the network protection device 10, but it may be configured to connect a plurality of intelligent switches. FIG. 17A is a diagram showing the overall configuration of the communication network to which the network protection device 10 belongs in this modified example.

As shown in FIG. 17A, the communication network includes network protection device 10, intelligent switch 20, destination terminal 301, source terminal 302, intelligent switch 21, destination terminal 303, and source terminal 304 connected by LAN cables. configured.

In this communication network, port 3 of intelligent switch 20 and port 0 of intelligent switch 21 are connected via a LAN cable. In this communication network, the network protection device 10 is connected to ports 1 and 3 of the intelligent switch 21 via LAN cables.

Intelligent switch 21 connects port 0, port 4, and port 7 of intelligent switch 21 to VLAN 1, port 1 to VLAN 2, and network protection device 10 at the start of communication operation between source terminal 304 and destination terminal 303. Set the port 3 that has been connected to the mirror function. The communication data acquisition unit 101 also acquires communication data 1010 from port 3 of the intelligent switch 21 . For example, commands for controlling the intelligent switch 21 are communicated between the network protection device 10 and the port 1 of the intelligent switch 21 .

When the transmission source terminal 304 and the transmission destination terminal 303 communicate with each other in the normal system network, the process is the same as in FIG. 13A described above. When the communication analysis unit 102 detects a threat from the communication data 1010, communication is performed through the quarantine system network as shown in FIG. 17B. FIG. 17B is a diagram showing a case where a transmission source terminal and a transmission destination terminal communicate with each other in a quarantine system network in this modified example. The switch operation unit 103 logically separates the communication network (VLAN2) to which the transmission source terminal 304 that may contain a threat belongs and the communication network (VLAN1) to which the transmission destination terminal 303 belongs.

More specifically, the switch operation unit 103 connects the VLAN 2 to which the source terminal 304 is connected to the threat elimination unit 105 of the network protection device 10 via ports 7 and 1 of the intelligent switch 21, and the threat elimination unit 105 of the network protection device 10. The VLAN 1 is switched so that the unit 105 is connected to the destination terminal 303 via the ports 2 and 3 of the intelligent switch 20 and the ports 0 and 4 of the intelligent switch 21 . Thus, the source terminal 304 communicates with the destination terminal 303 via ports 7 and 1 of the intelligent switch 21, the network protection device 10, ports 2 and 3 of the intelligent switch 20, and ports 0 and 4 of the intelligent switch 21. Connected.

17C, when the transmission source terminal 304 and the transmission destination terminal 301 communicate with each other on the normal network, the transmission source terminal 304 connects to port 7 and port 0 of the intelligent switch 21 and port 3 of the intelligent switch 20. , port 4 to the destination terminal 301 . 17C] FIG. 17C is a diagram illustrating a case where the transmission source terminal and the transmission destination terminal communicate with each other in the normal network in Modification 1 of Embodiment 1. [ FIG. Although not shown, when the source terminal 304 and the destination terminal 301 communicate with each other in a quarantine system network, the switch operation unit 103 causes the source terminal 304 to connect to ports 7 and 0 of the intelligent switch 21 and ports 0 of the intelligent switch 20. VLAN2 is connected to the threat removal unit 105 of the network protection device 10 via ports 3 and 2, and the threat removal unit 105 of the network protection device 10 is connected to the destination terminal 301 via ports 0 and 4 of the intelligent switch 20. Switch to VLAN1 to be connected.

By adopting such a configuration, the network protection device 10 of this modification realizes non-stop operation of the terminals constituting the communication network, It is possible to improve the security level while minimizing the communication delay between a plurality of terminals.

A route indicated by a thick solid line in FIG. 17B is an example of a second communication route, and a route indicated by a thick solid line in FIG. 17C is an example of a first communication route.

Modification 2 (hereinafter, this modification) of Embodiment 1 will be described. The overall configuration of the communication network may be different from that shown in FIG. 17A in which a plurality of intelligent switches are connected to the network protection device 10 . FIG. 18 is a diagram showing the overall configuration of a communication network to which the network protection device 10 belongs according to this embodiment.

As shown in FIG. 18, the communication network includes network protection device 10, intelligent switch 20, destination terminal 301, source terminal 302, intelligent switch 21, destination terminal 303, and source terminal 304 connected by LAN cables. configured.

In this communication network, port 3 of intelligent switch 20 and port 0 of intelligent switch 21 are connected via a LAN cable. If necessary, a port that is not connected to the intelligent switch 21 may be set as a mirror function and connected to the network protection device 10 .

The intelligent switch 21 sets the port 3 of the intelligent switch 20 and the port 0 of the intelligent switch 21 as a trunk line at the start of communication operation between the source terminal 304 and the destination terminal 303, and sets the port 4 of the intelligent switch 21 to the port 0 of the intelligent switch 21 as a trunk line. 7 is set to VLAN1.

When the transmission source terminal 304 and the transmission destination terminal 303 communicate with each other in the normal system network, the process is the same as in FIG. 13A described above. When communicating in a quarantine system network, the switch operation unit 103 selects VLAN 2 (indicated by a thick solid line) in which the transmission source terminal 304 is connected to the threat removal unit 105 of the network protection device 10 via ports 7 and 0 of the intelligent switch 21. ), the threat elimination unit 105 of the network protection device 10 switches to VLAN 1 connected to the destination terminal 303 via ports 1 and 3 of the intelligent switch 20 and ports 0 and 4 of the intelligent switch 21. . A route as shown in FIG. 18 is an example of the first communication route.

By adopting such a configuration, the network protection device 10 can protect a communication network connected to a plurality of intelligent switches (intelligent switches 20 and 21 in this embodiment).

(Embodiment 2)
[Constitution]
Other configurations in the present embodiment are the same as those in the first embodiment unless otherwise specified, and the same configurations are denoted by the same reference numerals, and detailed description of the configurations will be omitted.

21. Overall Configuration of Communication Network Network protection device 10 further includes packet rewriting section 106 in addition to communication data acquisition section 101, communication analysis section 102, switch operation section 103, terminal information management section 104, and threat elimination section 105. .

Port 0 of intelligent switch 20 has a mirror function capable of outputting a copy of communication data 1010 passing through intelligent switch 20 . Port 1 has a tag port function that adds tag information for distinguishing VLAN groups to communication data 1010 . Ports 2 to 7 are normal ports that behave like ports of a general switching hub. Port 1 is an example of a sixth port.

The network protection device 10 is also connected to ports 0 and 1 of the intelligent switch 20 . A destination terminal 301 is connected to port 4 , a source terminal 302 is connected to port 7 , a destination terminal 303 is connected to port 5 , and a source terminal 304 is connected to port 6 . Port 7 is an example of a fifth port. Port 4 is an example of a seventh port.

Also, from source terminal 302 to port 4 and port 7 of intelligent switch 20 and destination terminal 301 belong to VLAN 1a. Source terminal 304 to port 5, port 6, and destination terminal 301 belong to VLAN1b, which is different from VLAN1a. Source terminals 302 and 304 and destination terminals 301 and 303 are connected to the same intelligent switch 20, but cannot communicate between different VLANs, that is, between VLAN1a and VLAN1b.

A communication path connecting port 1 of the intelligent switch 20 and the network protection device 10 is a trunk line, and communication data 1010 is transmitted and received by distinguishing between a plurality of VLAN groups, eg, VLAN1a and VLAN1b. Tag information specifying a VLAN group is inserted into this communication data 1010 . In this embodiment, port 2 of intelligent switch 20 and network protection device 10 are not connected.

When the intelligent switch 20 receives the communication data 1010 at ports 4 to 7, which are normal ports, the destination terminal 301 of the address included in the communication data 1010 is the same as the VLAN to which the port belongs (hereinafter referred to as the assigned VLAN). , the tag information indicating the VLAN to which the destination terminal 301 belongs is added to the communication data 1010, and the communication data 1010 is transmitted from port 1, which is the tag port.

Also, when port 1, which is a tag port, receives the communication data 1010, the intelligent switch 20 refers to the tag information indicating the assigned VLAN included in the communication data 1010, and selects a normal port belonging to the VLAN group corresponding to the tag information. do. The intelligent switch 20 removes the tag information from the communication data 1010 and transmits the communication data 1010 to the destination terminal 301 via the port connected to the destination terminal 301 .

22. Configuration of Network Protection Device Next, details of the network protection device 10 will be described.

When switching the VLAN of the port, the switch operation unit 103 switches, for example, from VLAN1a or VLAN1b to VLAN2a or VLAN2b (shown later in FIGS. 25A and 25B), or from VLAN2a or VLAN2b to VLAN1a or VLAN1b. Here, VLAN1a and VLAN1b are normal networks, and VLAN2a and VLAN2b are quarantine networks. For example, the destination terminal 301 belongs to VLAN1a, the source terminal 302 belongs to VLAN2a, the destination terminal 303 belongs to VLAN1b, and the source terminal 304 belongs to VLAN2b.

The threat removal unit 105 has a function of receiving communication data 1010 related to terminals belonging to VLAN2a or VLAN2b, removing threats from the communication data 1010, and outputting the data to the original destination terminal 301 or destination terminal 303. FIG.

The packet rewriting unit 106 rewrites the VLAN information of the communication network included in the threat-removed communication data that has passed through the threat removal unit 105 . Specifically, the packet rewriting unit 106 converts the belonging VLAN information 1011a of the threat-removed communication data input from the port 1 and passed through the threat removal unit 105 from VLAN1a or VLAN1b to VLAN2a or VLAN2b, or from VLAN2a or VLAN2b. Rewrite (change) to VLAN1a or VLAN1b. After rewriting in this manner, the packet rewriting unit 106 transmits the rewritten communication data to the port 1 of the intelligent switch 20 again. Packet rewrite unit 106 is an example of a rewrite unit.

22-1. Configuration of Communication Data FIG. 20 is a diagram showing the configuration of communication data 1010 in this embodiment. Communication data 1010 includes at least affiliated VLAN information 1011 a , source address information 1011 , destination address information 1012 and payload 1013 .

The affiliated VLAN information 1011a is, for example, tag information defined by IEEE802.1Q, which is inserted into an Ethernet frame and used to identify the VLAN.

23. Configuration of Terminal Communication Information Next, details of the terminal communication information 1023 will be described. FIG. 21 is a diagram showing the configuration of terminal communication information 1023 in this embodiment.

As shown in FIG. 21, the terminal communication information 1023 is composed of a terminal number 10230, IP address information 10231, MAC address information 10232, VLAN information 10232a, update time information 10233, and threat detection content 10234.

The affiliated VLAN information 1011a acquired from the terminal address confirmation unit 1020 is used as the VLAN information 10232a. The time when the IP address information 10231, the source MAC address information 10232, and the VLAN information 10232a are acquired is used as update time information 10233. FIG.

24. Configuration of Switch Initial Setting Information Next, details of the switch initial setting information 1031 will be described. FIG. 22 is a diagram showing the configuration of switch initial setting information 1031 in this embodiment.

As shown in FIG. 22, the switch initial setting information 1031 includes a switch identification information table 10310 corresponding to the switch identification information 10311 and the switch control IP address 10312, VLAN information 10314, VLAN group information 10314a, and VLAN network type 10315. are composed of a VLAN identification information table 10313 corresponding to each.

The VLAN information 10314 defined in the VLAN identification information table 10313 is set for the trunk line which is the port 1 of the intelligent switch 20 as the VLAN to which the communication data 1010 is to be output.

The VLAN group information 10314a is information indicating groups to which VLAN1a, VLAN1b, VLAN2a, and VLAN2b belong. The VLAN group information 10314a is associated with the VLAN information 10314 previously assigned to the network.

Note that the VLAN group information 10314a may be information detected by the communication analysis unit 102 with different detection contents. Further, the communication analysis unit 102 may be set so as to detect threats only in specific VLAN group information 10314a.

Terminal management unit reference value information 10431 includes reference value content 104311 and reference value 104312 . Reference value contents 104311 include "time t0 until threat score subtraction", "threat score value X when VLAN network type is changed from normal system to quarantine system", and "VLAN network type is changed from quarantine system to normal system. "threat score value Y when changing to a system network" and "score value Z when changing the threat level determination from gray to black".

25. Configuration of Terminal Information Next, details of the terminal information 10410 will be described. 24A and 24B are diagrams showing the configuration of terminal information 10410 in this embodiment. Terminal information 10410 in FIG. 24A indicates information before the threat from source terminal 302 is detected, and terminal information 10410 in FIG. 24B indicates information after the threat from source terminal 302 is detected. there is

26. Logical Network Configuration Before Threat Detection and After Threat Detection Next, the details of the entire network configuration before and after the threat from the source terminal 302 is detected will be described. 25A and 25B are diagrams showing the logical network configuration of the entire network configuration in this embodiment. 25A shows the logical network configuration before the threat from source terminal 302 is detected, and FIG. 25B shows the logical network configuration after the threat from source terminal 302 is detected. As shown in FIGS. 25A and 25B, threat remover 105 and packet rewriter 106 are connected via port 1 of intelligent switch 20 set to trunk line TRUNK1. 25A and 25B, for the sake of convenience, the LAN cable connecting port 0 of intelligent switch 20 and network protection device 10 is omitted.

FIG. 25A shows a state before a threat from source terminal 302 or source terminal 304 is detected, and the threat score of terminal management unit reference value information 10431 is lower than threat score value X in FIG. 9, or FIG. 10 shows a logical network after the threat score of the terminal management unit reference value information 10431 has changed from a state exceeding the threat score value Y in FIG. 9 to a state equal to or less than the threat score value Y. FIG. The destination terminal 301, port 4, port 7, and source terminal 302 are all included in VLAN 1a, and the destination terminal 303, port 5, port 6, and source terminal 304 are all included in VLAN 1b. communication is performed without going through the threat elimination unit 105 and the packet rewriting unit 106.

The destination terminal 301 remains connected to the VLAN1a. When the switch operation unit 103 switches the port 7 connected to the intelligent switch 20 from VLAN1a to VLAN2a, the source terminal 302 is connected to VLAN2a. Destination terminal 301 and source terminal 302 communicate via threat removal section 105 and packet rewriting section 106 .

Also, the destination terminal 303 remains connected to the VLAN1b. By switching the port 6 connected to the intelligent switch 20 from VLAN1b to VLAN2b, the source terminal 304 is connected to VLAN2b. Destination terminal 303 and source terminal 304 communicate via threat removal section 105 and packet rewriting section 106 .

A thick solid line path and a thick dashed line path in FIG. 25A are examples of the first communication path.

As shown in FIGS. 20 and 25B, when the port VLAN setting is switched, the intelligent switch 20 inserts belonging VLAN information 1011a into the communication data 1010 input from port 7 or port 6 (tagging). ) and output from port 1 to the network protection device 10 via the trunk line TRUNK1.

The threat removal unit 105 of the network protection device 10 removes threats from the communication data 1010 relating to the source terminals 302 and 304 . After removing the threat, the packet rewriting unit 106 refers to the VLAN identification information table 10313 for the belonging VLAN information 1011a of the communication data after removal of the threat, and converts VLAN1a to VLAN2a, VLAN2a to VLAN1a, or VLAN1b to VLAN2b or VLAN2b to VLAN1b. For example, the VLAN information is rewritten from the normal system network to the quarantine system network or from the quarantine system network to the normal system network.

Communication data with rewritten VLAN information returns to port 1 of intelligent switch 20 through trunk line TRUNK1. The intelligent switch 20 refers to the assigned VLAN information 1011a of the rewritten communication data, determines the destination port of the rewritten communication data, and deletes the assigned VLAN information 1011a from the rewritten communication data. The intelligent switch 20 transmits communication data from which the assigned VLAN information 1011a has been deleted from the transmission destination port.

A thick solid line path and a thick dashed line path in FIG. 25B are examples of the second communication path.

As described above, the transmission source terminal 302 and the transmission destination terminal 301 can perform normal communication, and the transmission source terminal 304 and the transmission destination terminal 303 can perform normal communication without changing the processing on the terminal side.

In this embodiment, the case where threats from source terminal 302 and source terminal 304 are simultaneously detected has been described, but the present invention is not limited to this. For example, when a threat from either source terminal 302 or source terminal 304 is detected, the logical network configuration may be changed.

27. Operation of Network Protection Device Next, the operation of the network protection device 10 will be described in detail. FIG. 26 is a flow chart showing the operation of the network protection device according to this embodiment.

The operation of FIG. 26 is the same as that of FIG. 14 of Embodiment 1, and the same processing as that of FIG.

As shown in FIG. 26, the network protection device 10 acquires communication data 1010 (step S001). Communication analysis unit 102 analyzes communication data 1010 (step S002). The terminal information management unit 104 calculates the threat score 10427 (step S021). The communication analysis unit 102 determines whether or not a threat has been detected (branch B003).

When a threat is detected (Y at branch B003), the switch information acquisition unit 1032 acquires the latest switch information 10320 from the intelligent switch 20 (step S004). Then, the process proceeds to branch B105.

If no threat is detected (N in branch B003), the terminal information management unit 104 determines whether the threat score 10427 is greater than 0 (branch B030). If the threat score 10427 is 0 (N at branch B030), the process returns to step S001. If the threat score 10427 is greater than 0 (Y in branch B030), the terminal information updating unit 1042 determines that the threat score 10427 changes the threat level determination from gray to black with a score value Z (hereinafter referred to as score A value Z) is determined (branch B031).

If the threat score 10427 is greater than or equal to the score value Z (N at branch B031), the process returns to step S001. If threat score 10427 is less than score value Z (Y in branch B031), terminal information update unit 1042 determines whether or not time t0 has passed since the previous update time (branch B032).

If the time t0 has not elapsed (N at branch B032), the process returns to step S001. If time t0 has passed since the previous update time (Y at branch B032), the terminal information update unit 1042 subtracts 1 from the threat score 10427 (step S033).

The terminal information updating unit 1042 determines whether the VLAN network type is a normal network from the VLAN information 10423 and the VLAN identification information table 10313 (branch B105).

If it is a quarantine network (N at branch B105), proceed to branch B006, and if the VLAN network type is a normal network (Y at branch B105), proceed to branch B007.

The terminal information update unit 1042 determines whether or not the threat score 10427 is greater than the threat score value Y when switching from the quarantine network to the normal network (branch B006).

If the threat score 10427 is greater than the threat score value Y (Y in branch B006), the route changing unit 1033 proceeds to step S008 without switching the VLAN to which the connection port information 10422 belongs, and the threat score 10427 becomes the threat score value Y. In the following cases (N at branch B006), the process proceeds to step S161.

The terminal information updating unit 1042 determines whether the threat score 10427 is smaller than the threat score value X when switching from the normal network to the quarantine network (branch B007). If threat score 10427 is smaller than threat score value X (Y in branch B007), proceed to step S008; if threat score 10427 is greater than or equal to threat score value X (N in branch B007), proceed to step S171. .

From the VLAN information 10423 of the terminal update information 10420, based on the VLAN information 10314 corresponding to the VLAN group information 10314a of the VLAN identification information table 10313, the packet rewriting unit 106 converts the VLAN information to which the connection port information 10422 belongs to the normal network VLAN. Rewrite to information (step S161).

Step S161 is a process of returning the quarantine target transmission source terminals 302 and 304 from the quarantine system network to the normal system network. Step S161 is a process of rewriting the VLAN information to which the port of the intelligent switch 20 to which the transmission source terminal 302 is connected in FIG. 25B belongs from VLAN2a to VLAN1a in FIG. 25A. Alternatively, step S161 is a process of rewriting the VLAN information to which the port of the intelligent switch 20 to which the transmission source terminal 304 is connected in FIG. 25B belongs from VLAN2b so that it belongs to VLAN1b as in FIG. 25A.

From the VLAN information 10423 of the terminal update information 10420, based on the VLAN information 10314 corresponding to the VLAN group information 10314a of the VLAN identification information table 10313, the packet rewriting unit 106 converts the VLAN to which the connection port information 10422 belongs to the VLAN information of the quarantine system network. (step S171).

Step S171 is a process of rewriting the source terminal 304 belonging to the normal system network so that it belongs to the quarantine system network. is rewritten so that it belongs to VLAN2a in FIG. 25B from VLAN1a. Alternatively, step S171 is a process of rewriting the VLAN information to which the port of the intelligent switch to which the source terminal 304 is connected in FIG. 25B belongs from VLAN1b to VLAN2b as in FIG. 25B.

The terminal information update unit 1042 updates the terminal information 10410 (step S008). Then, the terminal information updating unit 1042 returns the process to step S001.

28. Operation of Threat Remover The threat remover 105 is connected via a trunk line. The threat elimination unit 105 removes threats from communication between the destination terminal 301 belonging to VLAN1a and the transmission source terminal 302 belonging to VLAN2a, and between the transmission destination terminal 303 belonging to VLAN1b and the transmission source terminal 304 belonging to VLAN2b. , removes threat communication data 1010 and allows normal communication data 1010 to pass.

The threat removal unit 105 may behave in a so-called transparent mode as if the threat removal unit 105 does not exist as a terminal on the communication network. In this case, even if the VLANs of source terminal 302 and source terminal 304 are switched, communication can be continued.

Alternatively, the threat removal unit 105 may behave as a router between the normal system network and the quarantine system network. In this case, when the destination terminal 301 communicates with the transmission source terminal 302, the threat elimination unit 105 acts like the transmission source terminal 302, and when the transmission source terminal 302 communicates with the transmission destination terminal 301, the threat removal unit 105 behaves like the transmission source terminal 302. The removal unit 105 behaves like the destination terminal 301 , or when the destination terminal 303 communicates with the source terminal 304 , the threat removal unit 105 behaves like the source terminal 304 and sends from the source terminal 304 When communicating with the destination terminal 303 , the threat removal unit 105 should behave like the destination terminal 303 . Specifically, an ARP command may be used.

29. Operation of Packet Rewrite Unit Next, the configuration of the packet rewrite unit 106 will be described in detail. FIG. 27 is a diagram showing the configuration of packet rewriting section 106 in this embodiment.

As shown in FIG. 27, the packet rewriting unit 106 is provided between the trunk line TRUNK1 of the port 1 of the intelligent switch 20 and the threat elimination unit 105. has a function to rewrite

In packet communication data 1010 input to the threat removal unit 105, belonging VLAN information differs between the normal network VLAN information and the quarantine network VLAN information. Therefore, if threat removal unit 105 only sends communication data after threat removal to intelligent switch 20, the destination terminals 301 and 303 are not connected to the ports indicated by the VLAN information to which they belong. Communication with the terminals 301 and 303 is not established. Therefore, the packet rewriting unit 106 refers to the VLAN identification information table 10313 for the packets input to the threat elimination unit 105, and mutually converts them into VLAN information included in the same VLAN group information.

As a result, when the source terminal 302 communicates with the destination terminal 301, the packet rewriting section 106 rewrites the belonging VLAN information from the VLAN2a to the VLAN1a in the threat-removed communication data that has passed through the threat removal section 105. FIG. The destination of the rewritten communication data received by the port 1 of the intelligent switch 20 is the port 4 of the VLAN 1a to which the destination terminal 301 is connected.

Further, when the destination terminal 301 communicates with the source terminal 302, the threat-removed communication data that has passed through the threat removal unit 105 has its belonging VLAN information rewritten from VLAN1a to VLAN2a by the packet rewriting unit 106. FIG. The destination of the communication data in which the port 1 of the intelligent switch 20 has been rewritten is the port 7 of the VLAN 2a to which the source terminal 302 is connected.

Thus, communication is maintained between source terminal 302 and destination terminal 301 .

Also, when communicating from source terminal 304 to destination terminal 303, packet rewrite section 106 rewrites the belonging VLAN information from VLAN2b to VLAN1b in threat-removed communication data that has passed through threat removal section 105. FIG. The destination of the rewritten communication data received by the port 1 of the intelligent switch 20 is the port 5 of the VLAN 1a to which the destination terminal 303 is connected.

Further, when the transmission destination terminal 303 communicates with the transmission source terminal 304, the belonging VLAN information of the communication data after the threat elimination which has passed through the threat elimination section 105 is rewritten from VLAN1b to VLAN2b by the packet rewriting section 106, and the intelligent switch is executed. The destination of the rewritten communication data received by port 1 of terminal 20 is port 6 of VLAN 2b to which source terminal 304 is connected.

Thus, communication is maintained between source terminal 304 and destination terminal 303 .

30. Other Modifications of Embodiment 2 Although the present disclosure has been described based on the above embodiments, the present disclosure is not limited to the above embodiments, and the following Modification 1 of Embodiment 2 , Modification 2 of Embodiment 2 is also included in the present disclosure.

Modification 1 (hereinafter, this modification) of Embodiment 2 will be described. As shown in FIG. 28, port 3 of intelligent switch 20 and port 0 of intelligent switch 21 are connected by trunk line TRUNK2. Network protection device 10 connects to port 1 of intelligent switch 20 via trunk line TRUNK1.

Intelligent switch 21 sets port 4 and port 7 of intelligent switch 21 to VLAN 1a at the start of communication operation between source terminal 304 and destination terminal 303 . Also, a mirror function may be set in which the network protection device 10 and an arbitrary port of the intelligent switch 21 are connected via a LAN cable. At this time, the communication data acquisition unit 101 acquires the communication data 1010 from any port of the intelligent switch 21 as well.

When the transmission source terminal 304 and the transmission destination terminal 303 communicate with each other in the normal system network, the process is the same as in FIG. 13A described above. Also, when the transmission source terminal 304 and the transmission destination terminal 303 communicate with each other in the quarantine system network, it is the same as the above-described FIG. 17B. A thick solid line path in FIG. 28 is an example of a second communication path.

By adopting such a configuration, the network protection device 10 of this modification can protect the network connected to the intelligent switches 20 and 21 .

Modification 2 (hereinafter, this modification) of Embodiment 2 will be described. In FIG. 28, one intelligent switch 20 is connected to one network protection device 10 as the overall configuration of the network. Further, a configuration in which a plurality of intelligent switches 20 are connected as shown in FIG. 29 may be used. FIG. 29 is a diagram showing the overall configuration of a communication network to which network protection devices 10 and 11 belong according to this embodiment.

As shown in FIG. 29, the communication network includes network protection devices 10 and 11, intelligent switch 20, destination terminal 301, and source terminal 302, and intelligent switch 21, destination terminal 303, and source terminal 304 are LAN cables. are connected with each other. In the intelligent switch 21, the port 3 has a mirror function capable of outputting a copy of the communication data 1010 passing through the intelligent switch 21. FIG. Also, in the intelligent switch 21, the port 1 and the network protection device 11 are connected by a LAN cable. For example, commands for controlling the intelligent switch 21 are communicated between the network protection device 10 and the port 1 of the intelligent switch 21 .

In this communication network, the network protection device 11 connected to the intelligent switch 21 comprises a communication data acquisition section 111, a communication analysis section 112, and a terminal information management section 114. FIG.

When the transmission source terminal 304 and the transmission destination terminal 303 communicate with each other in the normal system network, the process is the same as in FIG. 13A described above. When communicating in the quarantine system network, the switch operation unit 103 controls the transmission source terminal 304 to remove the threat of the network protection device 10 via the ports 7 and 0 of the intelligent switch 21 and the ports 3 and 1 of the intelligent switch 20. 105, and VLAN 1b, through which the threat elimination unit 105 of the network protection device 10 connects to the destination terminal 303 via ports 1 and 3 of the intelligent switch 20 and ports 0 and 4 of the intelligent switch 21. Switch as you see fit. At this time, the packet rewriting unit 106 rewrites the belonging VLAN information of the communication data 1010 that has passed through the threat removing unit 105 from VLAN1b to VLAN2b. Port 1 of the intelligent switch 21 is set as a mirror function. A thick solid line path in FIG. 29 is an example of a second communication path.

By adopting such a configuration, threat detection is executed in a distributed manner in a network composed of a plurality of intelligent switches 20 and 21, and communication data 1010 passing through each intelligent switch 20 and 21 is detected by one device. Since threat detection is no longer concentrated on the network protection device, the load on the network can be reduced.

31. Other Modifications (1) In the above-described Embodiments 1 and 2 and Modifications 1 and 2 of Embodiments 1 and 2, although not shown, in the network protection device 10, the terminal information management unit 104 manages Arbitrary information such as the terminal information 10410 may be obtained from all the information and displayed appropriately. The network protection device 10 may also include an input unit for the user to update information and make settings as needed.

For example, the switch initial setting information 1031 and the terminal management unit setting information 1043 need to be set once before starting communication, but they may be set so that they can be checked using the display unit and the input unit. , the setting may be changed during communication operation.

In addition, the network protection device 10 has a display unit and an input unit that allow the user to make settings for switching the VLAN of the port to which the terminal is connected when the user makes an input to increase the threat score of the terminal. and may be provided.

At this time, the network protection device 10 may display the threat score 10418 of the terminal information 10410 as a graph in chronological order to visualize the threat of the terminal and use it as a reference for changing settings.

(2) In Embodiments 1 and 2 and Modifications 1 and 2 of Embodiments 1 and 2, the network protection device 10 in FIG. It may be a device that becomes Moreover, it is not necessary to implement all the functions of the network protection device 10 with only a single device, and the network protection device 10 may be configured using a plurality of devices. Also, the intelligent switch 20 may use, for example, an SDN switch, and may utilize a control communication protocol such as OpenFlow.

(3) In the above-described Embodiments 1 and 2 and Modifications 1 and 2 of Embodiments 1 and 2, each function may be configured as a computer program, or a dedicated program called ASIC (Application Specific Integrated Circuit). LSI (Large Scale Integrated-circuit), or may be configured using a function-changeable LSI such as PLD (Programmable Logic Device) and FPGA (Field Programmable Gate Array). Alternatively, a plurality of methods including these may be combined. Also, a plurality of functions or all functions included in the network protection device 10 may be configured as a single LSI called SoC (System on a Chip: system LSI). Also, if there is a technique for realizing functions equivalent to those of a computer program, LSI, FPGA, or SoC, such technique may be used.

(4) In Embodiments 1 and 2 and Modifications 1 and 2 of Embodiments 1 and 2, part or all of communication flow information analysis unit 1021 or communication data analysis unit 1022 in FIG. It is also possible to utilize an IDS that

(5) In Embodiments 1 and 2 and Modifications 1 and 2 of Embodiments 1 and 2, 10211 to 10214 included in communication flow information analysis section 1021 of communication analysis section 102 in FIG. As for 10221 to 10223 included in the data analysis section 1022, only some of them may be used, or analysis sections other than these may be used.

For example, a method of evaluating a pattern analysis result using machine learning and then making a judgment, a method of selecting an arbitrary method from among all the methods included in the communication analysis unit 102 and judging the correlation, a method of analyzing the past communication A method of determining the correlation with the result, a method of extracting a communication pattern from the past and evaluating the degree of deviation from the pattern by points, and the like are conceivable.

(6) In Embodiments 1 and 2 and Modifications 1 and 2 of Embodiments 1 and 2 described above, the threat removal unit 105 may use a commercially available IPS, FW, UTM, or the like.

(7) In Embodiments 1 and 2 and Modifications 1 and 2 of Embodiments 1 and 2, threat elimination unit 105 removes only communication data 1010 that poses a threat like IPS by a method called a signature method. Alternatively, a whitelist of communication information that must be passed at a minimum may be prepared, and any communication data that does not match the whitelist may be removed.

(8) In Embodiments 1 and 2 and Modifications 1 and 2 of Embodiments 1 and 2, IP addresses are described as fixed. good.

(9) In Embodiments 1 and 2 and Modifications 1 and 2 of Embodiments 1 and 2, threat removal unit 105 removes threats contained in communication data 1010. may be removed. In this case, communication data need not be transmitted to the destination terminal.

As described above, the network protection device and the network protection system according to one or more aspects have been described based on Embodiments 1 and 2 and Modifications 1 and 2 of Embodiments 1 and 2, but the present disclosure is not limited to the first and second embodiments and modified examples 1 and 2 of the first and second embodiments. As long as it does not depart from the spirit of the present disclosure, various modifications that a person skilled in the art can think of are applied to Embodiments 1 and 2 and Modifications 1 and 2 of Embodiments 1 and 2, and components in different embodiments may also be included within the scope of one or more aspects.

The present disclosure detects a threat or a suspected threat from communication between terminals in a subnetwork, and can remove communication data with a threat, and separates threat detection and threat removal. can realize earlier detection and more reliable terminal isolation. In addition, it is possible to increase the security level within the subnetwork while minimizing communication and control delays and minimizing the risk of malfunction of control systems in facilities, factories, and the like.

10, 11 Network defense device 101, 111 Communication data acquisition unit 1010 Communication data 1011 Source address information 1011a Assigned VLAN information 1012 Destination address information 10111 Source MAC address information 10112 Source IP address information 10113 Source port information 1013 Payload 10121 Destination MAC address information 10122 Destination IP address information 10123 Destination port information 102, 112 Communication analysis part (threat detection part)
1020 Terminal address confirmation unit 1021 Communication flow information analysis unit 10211 Blacklist communication detection unit 10212 Non-whitelist communication detection unit 10213 IP scan detection unit 10214 Port scan detection unit 1022 Communication data analysis unit 10221 Vulnerability attack detection unit 10222 Malware detection unit 10223 Authentication failure detection unit 1023 Terminal communication information 10230 Terminal number 10231 IP address information 10232 MAC address information 10232a VLAN information 10233 Update time information 10234 Threat detection content 103 Switch operation unit (route change unit)
1031 switch initial setting information 10310 switch identification information table 10311 switch identification information 10312 switch control IP address 10313 VLAN identification information table 10314 VLAN information 10314a VLAN group information 10315 VLAN network type 1032 switch information acquisition unit 10320 switch information 10321 switch identification information 10322 connection Port information 10323 VLAN information 10324 MAC address information 1033 Route change unit 104, 114 Terminal information management unit 1040 Terminal temporary information 10401 Switch identification information 10402 Connection port information 10402a Switch identification information 10403 VLAN information 10403a Switch identification information 10404 MAC address information 10404a Switch identification Information 10405 IP address information 10405a Switch identification information 10406 Update time information 10407 Threat addition score 1041 Terminal information storage unit 10410 Terminal information 10411 Management ID information 10412 Switch identification information 10413 Connection port information 10413a Switch identification information 10414 VLAN information 10414a Switch identification information 10415 MAC Address information 10415a Switch identification information 10416 IP address information 10416a Switch identification information 10417 Update time information 10418 Threat score 1042 Terminal information update unit 10420 Terminal update information 10421 Switch identification information 10422 Connection port information 10423 VLAN information 10424 MAC address information 10425 IP address information 10426 Update time information 10427 Threat score 1043 Terminal management section setting information 1043a Terminal management setting section 10430 Threat addition score information 104301 Detection content identification information 104302 Detection content 104303 Judgment 104304 Threat addition score 10431 Terminal management section reference value information 104311 Reference value content 104312 Reference value 105 threat removal unit 106 packet rewrite unit (rewrite unit)
20, 21 intelligent switch 301, 303 terminal 302, 304 attack terminal

Claims (11)

Communication data including at least information on a source terminal and information on a destination terminal, which flows through a switch that has a plurality of LAN (Local Area Network) ports and connects communication networks, is transmitted through the switch in promiscuous mode. a communication data acquisition unit that acquires data via
a threat detection unit that detects a threat to the communication data;
a threat removal unit;
when a threat is detected by the threat detection unit, a first communication path connecting the transmission source terminal and the transmission destination terminal without the threat elimination unit is established through the threat elimination unit; and a route changing unit that operates the switch to change to a second communication route different from the first communication route, which connects the destination terminal and the destination terminal,
The threat removal unit removes the threat of the communication data after the route change unit changes the communication route.
network protection device. The switch is connected to a first LAN port connected to the source terminal, a second LAN port and a third LAN port connected to the threat remover , and the destination terminal. and a fourth LAN port;
When the threat detection unit does not detect a threat, the route change unit converts the transmission source terminal connected to the first LAN port to the transmission destination connected to the fourth LAN port. setting the first communication path to the terminal to a first VLAN (Virtual Local Area Network);
When the threat detection unit detects a threat, the route change unit causes the second LAN port from the transmission source terminal connected to the first LAN port included in the second communication route to the second LAN port. A route to the threat removal unit connected to the port is set to a second VLAN different from the first VLAN, and from the threat removal unit connected to the port of the third LAN to the fourth LAN setting a route to the destination terminal connected to the port of the first VLAN,
The network protection device of claim 1. further comprising a rewriting unit that rewrites VLAN information of a communication network included in the communication data that has passed through the threat removal unit;
The switch has a fifth LAN port connected to the source terminal, a sixth LAN port connected to the threat remover, and a seventh LAN port connected to the destination terminal. and
When the threat detection unit detects no threat, the route change unit controls the transmission source terminal connected to the fifth LAN port and the transmission destination connected to the seventh LAN port. setting the terminal to the first VLAN;
When a threat is detected by the threat detection unit,
The route changing unit sets the transmission source terminal connected to the port of the fifth LAN included in the second communication route to a second VLAN different from the first VLAN, setting the destination terminal connected to the port of the LAN to the first VLAN;
wherein the rewriting unit rewrites VLAN information indicating the second VLAN to which the transmission source terminal belongs to VLAN information indicating the first VLAN to which the destination terminal belongs via the sixth LAN port; outputting the rewritten communication data to the switch;
The network protection device of claim 1. the first VLAN is a normal network that does not go through the threat removal unit;
the second VLAN is a quarantine network in which the threat removal unit removes the threat of the communication data;
When the threat detection unit detects a threat, the route change unit changes part of the first VLAN from the normal network to a quarantine network.
4. A network protection device according to claim 2 or 3. When the threat removal unit removes the threat of the communication data, the route change unit returns the quarantine network, which has been changed from the normal network, to the normal network.
5. The network protection device of claim 4. The communication data acquisition unit acquires a copy of the communication data,
the threat detection unit monitors a copy of the communication data in promiscuous mode;
A network protection device according to any one of claims 1-5. The threat removal unit removes unnecessary data including threats from the communication data in which threats are detected.
A network protection device according to any one of claims 1-6. The threat detection unit assigns a score to the source terminal in which the threat is detected according to the content of the detected threat,
The route changing unit, when the score given by the threat detection unit exceeds a first value, causes the communication data related to the source terminal to which the score is given to pass through the threat removal unit, causing the switch to change communication paths;
A network protection device according to any one of claims 1-7. The threat detection unit subtracts a predetermined value from the assigned score after a predetermined time has elapsed,
When the score of the source terminal in which the threat is detected falls below a second value, the route changing unit prevents connection between the source terminal and the destination terminal via the threat removal unit. causing the switch to reroute communication to
9. A network protection device according to claim 8. the threat detection unit does not subtract the score even after the predetermined period of time has passed when the score of the transmission source terminal in which the threat is detected exceeds a third value that is larger than the first value;
10. The network protection device of claim 9. Communication that acquires communication data, including at least information on a source terminal and information on a destination terminal, flowing through a switch that has a plurality of LAN ports and connects communication networks, via the switch in a promiscuous mode. a data acquisition unit;
a threat detection unit that detects a threat to the communication data;
a threat removal unit;
when a threat is detected by the threat detection unit, a first communication path connecting the transmission source terminal and the transmission destination terminal without the threat elimination unit is established through the threat elimination unit; and a route changing unit that operates the switch to change to a second communication route different from the first communication route, which connects the destination terminal and the destination terminal,
The threat removal unit removes the threat of the communication data after the route change unit changes the communication route.
network defense system.

Images