US20090132554A1 - Data processing system - Google Patents

Data processing system Download PDF

Info

Publication number
US20090132554A1
US20090132554A1 US11/914,912 US91491205A US2009132554A1 US 20090132554 A1 US20090132554 A1 US 20090132554A1 US 91491205 A US91491205 A US 91491205A US 2009132554 A1 US2009132554 A1 US 2009132554A1
Authority
US
United States
Prior art keywords
data
data processing
packet
database
communication control
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abandoned
Application number
US11/914,912
Other languages
English (en)
Inventor
Mitsugu Nagoya
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Duaxes Corp
Original Assignee
Duaxes Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Duaxes Corp filed Critical Duaxes Corp
Assigned to DUAXES CORPORATION reassignment DUAXES CORPORATION ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: NAGOYA, MITSUGU
Publication of US20090132554A1 publication Critical patent/US20090132554A1/en
Abandoned legal-status Critical Current

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/90Details of database functions independent of the retrieved data types
    • G06F16/95Retrieval from the web
    • G06F16/953Querying, e.g. by the use of web search engines
    • G06F16/9535Search customisation based on user profiles and personalisation
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F15/00Digital computers in general; Data processing equipment in general
    • G06F15/16Combinations of two or more digital computers each having at least an arithmetic unit, a program unit and a register, e.g. for a simultaneous processing of several programs
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F13/00Interconnection of, or transfer of information or other signals between, memories, input/output devices or central processing units
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/90Details of database functions independent of the retrieved data types
    • G06F16/95Retrieval from the web
    • G06F16/953Querying, e.g. by the use of web search engines
    • G06F16/9538Presentation of query results
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F17/00Digital computing or data processing equipment or methods, specially adapted for specific functions

Definitions

  • the present invention relates to a data processing technique, particularly to a technique for operating multiple databases.
  • the Internet has enabled easy access to a vast amount of information.
  • harmful information is proliferating thereon and regulation on its originator does not keep up with the proliferation.
  • Patent Document 1 Japanese Patent Application Laid-open No. 2001-282797.
  • the present invention has been made in view of such a situation, and a general purpose thereof is to provide a technique for operating multiple databases appropriately.
  • the data processing system comprises: a data processing unit which processes data acquired; and a plurality of data retaining units which store databases used to process the data, wherein: each of the plurality of data retaining units stores a primary database in common and stores the respective shares of a secondary database; and the data processing system further comprises at least one more data retaining unit which can store the primary database and the respective shares of the secondary database.
  • the primary database may contain data for determining which share of the secondary database is to be used to process the data.
  • the primary database may contain data for user authentication, while the secondary database may contain information on data processing for each user, etc.
  • the data processing system may further comprise an operation management unit, which manages the operating state of the plurality of data retaining units.
  • the operation management unit may operate as many as the number of data retaining units required to share and store the secondary database, and may place the other data retaining unit on standby; when a database retained in the data retaining units is updated, the operation management unit may store, in a data retaining unit on standby, updated data of the database retained in any one of the data retaining units in operation, and may subsequently stop the operation of the data retaining unit storing the database before update and place the data retaining unit storing the updated database in operation.
  • databases can be updated without halting the operation.
  • the operation management unit may store the database retained by the data retaining unit in a data retaining unit on standby, and may place the data retaining unit on standby in operation. Thus, even if one of the data retaining units stops because of failure or the like, the main operation will be continued properly.
  • the data retaining unit on standby may store the primary database in advance. If the data retaining unit stores, in advance, the primary database, which is used mutually and contains data for determining which share of the secondary database is to be used to process the data, the data retaining unit on standby can be placed in operation promptly even though one of the data retaining units in operation becomes inoperable.
  • a plurality of the data processing units may be provided so as to correspond to the plurality of data retaining units respectively.
  • the data processing system may further comprise a data supply unit, which provides acquired data to the plurality of data processing units in parallel. This enables appropriate data processing using the data processing units even in the case where a data retaining unit is further added, or the case where the content of a database retained by the respective data retaining units is changed because of database updating or the like.
  • the data supply unit may provide acquired data as it is to the plurality of data processing units in parallel without processing the data. Consequently, the data supply unit need not process data, thereby improving the data processing speed.
  • each of the plurality of data processing units may refer to a database retained in the corresponding data retaining unit so as to determine whether or not to process the data. Accordingly, data can be appropriately processed by the proper data processing unit.
  • the data processing units may be communication control apparatuses which acquire packets to control communications, and, upon acquisition of a packet from the data supply unit, each of the data processing units may acquire the packet without determining whether the packet is directed to the data processing unit itself, and may refer to a database retained in the corresponding data retaining unit so as to determine whether or not to process the packet. Consequently, the data processing units need not check MAC addresses or IP addresses, thereby improving the packet processing speed.
  • the data supply unit may provide to the plurality of communication control apparatuses in parallel an acquired packet as a unicast packet without converting the packet to a broadcast packet. Consequently, the data supply unit need not, for example, process the header of the packet to convert the packet to a broadcast, thereby improving the packet processing speed.
  • FIG. 1 is a diagram that shows a configuration of a communication control system according to a base technology.
  • FIG. 2 is a diagram that shows a configuration of a conventional communication control apparatus.
  • FIG. 3 is a diagram that shows a configuration of a communication control apparatus according to the base technology.
  • FIG. 4 is a diagram that shows an internal configuration of a packet processing circuit.
  • FIG. 5 is a diagram that shows an internal configuration of a position detection circuit.
  • FIG. 6 is a diagram that shows an example of internal data of a first database.
  • FIG. 7 is a diagram that shows another example of internal data of the first database.
  • FIG. 8 is a diagram that shows yet another example of internal data of the first database.
  • FIG. 9 is a diagram that shows a configuration of comparison circuits included in a binary search circuit.
  • FIG. 10 is a diagram that shows an example of internal data of a second database.
  • FIG. 11 is a diagram that shows another example of internal data of the second database.
  • FIG. 12 is a diagram that shows an internal configuration of the packet processing circuit used for URL filtering.
  • FIG. 13A is a diagram that shows an example of internal data of a virus list
  • FIG. 13B is a diagram that shows an example of internal data of a whitelist
  • FIG. 13C is a diagram that shows an example of internal data of a blacklist.
  • FIG. 14 is a diagram that shows an example of internal data of a common category list.
  • FIG. 18 is a diagram that shows configurations of communication control apparatuses according to the embodiment.
  • FIG. 19 is a diagram that shows an example of internal data of a management table provided in an operation monitoring server.
  • FIGS. 21A , 21 B and 21 C are diagrams for describing a procedure for updating databases in the communication control apparatuses.
  • FIG. 1 shows a configuration of a communication control system according to the base technology.
  • a communication control system 100 comprises a communication control apparatus 10 and various peripheral apparatuses provided to support the operation of the communication control apparatus 10 .
  • the communication control apparatus 10 of the base technology performs a URL filtering function provided by an Internet service provider or the like.
  • the communication control apparatus 10 provided on a network path acquires a request for access to a content, analyzes the content, and determines whether or not the access to the content should be permitted. If the access to the content is permitted, the communication control apparatus 10 will transmit the access request to a server that retains the content. If the access to the content is prohibited, the communication control apparatus 10 will discard the access request and return a warning message or the like to the source of the request.
  • the communication control apparatus 10 of the base technology receives an access request, such as an HTTP (HyperText Transfer Protocol) “GET” request message.
  • the apparatus searches a list of reference data for determining access permission to check if the URL of the content to be accessed appears in the list, so as to determine whether or not the access to the content should be permitted.
  • HTTP HyperText Transfer Protocol
  • the peripheral apparatuses include an operation monitoring server 110 , a connection management server 120 , a message output server 130 , a log management server 140 and a database server 150 .
  • the connection management server 120 manages connection to the communication control apparatus 10 .
  • the connection management server 120 authenticates the user as a user of the communication control apparatus 10 , based on information included in the packet, which uniquely identifies the cellular phone terminal. Once the user is authenticated, packets transmitted from the IP address, which is temporarily provided for the cellular phone terminal, will be transmitted to the communication control apparatus 10 and processed therein, without being authenticated by the connection management server 120 during a certain period.
  • the communication control apparatus 10 configured with a dedicated hardware circuit for faster operation, is controlled by using a group of peripheral servers connected thereto and having various functions. Accordingly, by suitably replacing the software of the group of servers, a wide variety of functions can be achieved with a similar configuration.
  • the base technology provides such communication control system having high flexibility.
  • the packet processing unit 3 of the conventional communication control apparatus 1 is implemented by software, using a general-purpose processor, or CPU, and an OS running on the CPU. With such configuration, however, the performance of the communication control apparatus 1 depends on the performance of the CPU, hampering the creation of a communication control apparatus capable of high-speed processing of a large volume of packets. For example, a 64-bit CPU can process only up to 64 bits at a time, and hence, there has existed no communication control apparatus having a higher performance than this. In addition, since the conventional communication control apparatus is predicated on the presence of an OS with versatile functionality, the possibility of security holes cannot be eliminated completely, requiring maintenance work including OS upgrades.
  • FIG. 3 shows a configuration of a communication control apparatus in the base technology.
  • the communication control apparatus 10 comprises a packet processing circuit 20 configured with dedicated hardware employing a wired logic circuit, instead of the packet processing unit 3 implemented by software including a CPU and an OS in the conventional communication control apparatus 1 shown in FIG. 2 .
  • a dedicated hardware circuit to process communication data, rather than processing it with an OS and software running on a general-purpose processing circuit such as CPU, the performance limitations posed by the CPU or OS can be overcome, enabling a communication control apparatus having high throughput.
  • a case will be considered here in which, in packet filtering or the likes a search is conducted to check if the data in a packet includes reference data, which serves as criteria for filtering.
  • reference data which serves as criteria for filtering.
  • a dedicated hardware circuit configured with a wired logic circuit to compare communication data with reference data.
  • This circuit includes multiple comparators arranged in parallel, so as to enable the comparison of data having a length greater than 64 bits, such as 1024 bits.
  • bit matching can be simultaneously performed on a large number of bits in parallel. Since 1024-bit data can be processed at a time, while the conventional communication control apparatus 1 using a CPU processes only 64 bits, the processing speed can be improved remarkably. Increasing the number of comparators will improve the throughput, but also increase the cost and size of the apparatus. Accordingly, an optimal hardware circuit may be designed in accordance with the desired performance, cost or size.
  • the dedicated hardware circuit may be configured using FPGA (Field Programmable Gate Array), etc.
  • the communication control apparatus 10 of the base technology is configured with dedicated hardware employing a wired logic circuit, it does not require any OS (Operating System). This can eliminate the need for the installation, bug fixes, or version upgrades of an OS, thereby reducing the cost and man-hours required for administration and maintenance. Also, unlike CPUs requiring versatile functionality, the communication control apparatus 10 does not include any unnecessary functions or use needless resources, and hence, reduced cost, a smaller circuit area or improved processing speed can be expected. Furthermore, again unlike conventional OS-based communication control apparatuses, the absence of unnecessary functions decreases the possibility of security holes and thus enhances the tolerance against attacks from malicious third parties over a network.
  • OS Operating System
  • FIG. 4 shows an internal configuration of the packet processing circuit.
  • the packet processing circuit 20 comprises: a first database 50 for storing reference data to be referred to when determining processing to be performed on communication data; a search circuit 30 for searching received communication data for the reference data by comparing the two; a second database 60 for storing a search result of the search circuit 30 and a content of processing to be performed on the communication data, which are related to each other; and a process execution circuit 40 for processing the communication data based on the search result of the search circuit 30 and the conditions stored in the second database 60 .
  • the search circuit 30 includes: a position detection circuit 32 for detecting the position of comparison target data, which is to be compared with reference data, in communication data; an index circuit 34 which serves as an example of a determination circuit for determining which range the comparison target data belongs to, among three or more ranges into which the reference data stored in the first database 50 is divided; and a binary search circuit 36 for searching the determined range for the reference data that matches the comparison target data.
  • the reference data may be searched for the comparison target data using any search technique, and a binary search method is used in the base technology.
  • the base technology will be described by way of example for explaining the operation of the communication control apparatus 10 , in which a character string “No. ###” in communication data is detected, the number “###” included in the character string is then compared with reference data, and if the number matches the reference data, the packet will be allowed to pass, while, if they do not match, the packet will be discarded.
  • the position detection circuit 32 may also be used as a circuit for detecting character strings for various purposes. Moreover, the position detection circuit 32 may be configured to detect position identification data in units of bits, not just as a character string.
  • FIG. 6 shows an example of internal data of the first database.
  • the first database 50 stores reference data to be referred to when determining the processing on packets, such as filtering, routing, switching, and replacement.
  • the pieces of reference data are sorted according to some sort conditions. In the example of FIG. 6 , 1000 pieces of reference data are stored.
  • the top record of the first database 50 contains an offset 51 which indicates the position of comparison target data in communication data. For example, in a TCP packet, the data configuration within the packet is determined in units of bits. Therefore, if the position of flag information or the like for determining the processing on the packet is given in the form of the offset 51 , the processing can be determined by comparing only necessary bits, thus improving the processing efficiency. Also, even when the configuration of packet data is changed, it can be settled by modifying the offset 51 accordingly.
  • the first database 50 may store the data length of comparison target data. In this case, since the comparison can be performed by operating only a required number of comparators, the search efficiency can be improved.
  • Each of the comparison circuits 35 a - 35 c of the index circuit 34 receives “361” as comparison target data.
  • the comparison circuit 35 a receives “378”, which lies at the border of the ranges 52 a and 52 b .
  • the comparison circuit 35 b receives reference data “704” lying at the border of the ranges 52 b and 52 c
  • the comparison circuit 35 c receives reference data “937” lying at the border of the ranges 52 c and 52 d .
  • the comparison circuits 35 a - 35 c then perform comparisons simultaneously, determining that the comparison target data “361” belongs to the range 52 a .
  • the binary search circuit 36 searches the reference data for the comparison target data “361”.
  • FIG. 7 shows another example of internal data of the first database.
  • the number of pieces of reference data is smaller than the number of pieces of data storable in the first database 50 , i.e., 1000 in this case.
  • the first database 50 stores the pieces of reference data in descending order, starting with the last data position therein. Then, 0 is stored in the rest of the data positions.
  • the database is loaded with data not from the top but from the bottom of the loading area, and all the vacancies occurring in the front of the loading area, if any, are replaced with zero. Consequently, the database is fully loaded at any time, so that the maximum time necessary for a binary search will be constant.
  • the binary search circuit 36 reads reference data “0” during a search, the circuit can identify the range without making a comparison, as the comparison result is obvious, and can proceed to the next comparison. Consequently, the search speed can be improved.
  • the first database 50 stores pieces of reference data in ascending order, from the first data position therein. In the rest of data positions will be stored a maximum value or the like, and in such case, the skip of comparison processing as described above cannot be made during a binary search.
  • the comparison technique described above can be implemented by configuring the search circuit 30 with a dedicated hardware circuit.
  • FIG. 8 shows yet another example of internal data of the first database.
  • the reference data is not evenly divided into three or more ranges, but unevenly divided into ranges that accommodate different numbers of pieces of data, such as 500 pieces in the range 52 a and 100 pieces in the range 52 b .
  • These ranges may be determined depending on the distribution of frequencies with which reference data occurs in communication data. Specifically, the ranges may be determined so that the sums of the frequencies of occurrence of reference data belonging to the respective ranges are almost the same. Accordingly, the search efficiency can be improved.
  • the reference data to be input to the comparison circuits 35 a - 35 c of the index circuit 34 may be modifiable from the outside. In such case, the ranges can be dynamically set, so that the search efficiency will be optimized.
  • FIG. 9 shows a configuration of comparison circuits included in the binary search circuit.
  • the binary search circuit 36 includes 1024 comparison circuits, such as 36 a , 36 b , . . . .
  • Each of the comparison circuits 36 a , 36 b , etc. receives 1 bit of reference data 54 and 1 bit of comparison target data 56 to compare the bits in value.
  • the comparison circuits 35 a - 35 c of the index circuit 34 have similar internal configurations. Since the comparison processing is thus performed by a dedicated hardware circuit, a large number of comparison circuits can be operated in parallel to compare a large number of bits at a time, thereby speeding up the comparison processing.
  • FIG. 10 shows an example of internal data of the second database.
  • the second database 60 includes a search result field 62 , which contains a search result of the search circuit 30 , and a processing content field 64 , which contains a processing content to be performed on communication data.
  • the database stores the search results and the processing contents related to each other. In the example of FIG. 10 , conditions are established such that a packet will be allowed to pass if its communication data contains reference data; if not, the packet will be discarded.
  • the process execution circuit 40 searches the second database 60 for a processing content based on the search result and performs the processing on the communication data.
  • the process execution circuit 40 may also be configured with a wired logic circuit.
  • FIG. 11 shows another example of internal data of the second database.
  • the processing content is set for each piece of reference data.
  • replacement data may be stored in the second database 60 .
  • packet routing or switching information on the route may be stored in the second database 60 .
  • the process execution circuit 40 performs processing, such as filtering, routing, switching, or replacement, which is specified in the second database 60 , in accordance with the search result of the search circuit 30 .
  • the processing content is set for each piece of reference data, as shown in FIG. 11 , the first database 50 and the second database 60 may be merged with each other.
  • the first database and the second database are configured to be rewritable from the outside. By replacing these databases, various types of data processing and communication control can be achieved using the same communication control apparatus 10 .
  • multistage search processing may be performed by providing two or more databases that store reference data to be searched. In such instance, more complicated conditional branching may be performed by providing two or more databases that store search results and processing contents related to each other.
  • a plurality of the position detection circuits 32 , the index circuits 34 , the binary search circuits 36 , etc. may also be provided.
  • the data intended for the foregoing comparison may be compressed by the same compression logic. If both the source data and the target data to be compared are compressed by the same method, the comparison can be performed in the same manner as usual, thus reducing the amount of data to be loaded for comparison. The smaller amount of data to be loaded can reduce the time required to read out the data from the memory, thereby reducing the overall processing time. Moreover, the number of comparators can be also reduced, which contributes to the miniaturization, weight saving, and cost reduction of the apparatus.
  • the data intended for comparison may be stored in a compressed form, or may be read out from the memory and compressed before comparison.
  • a first memory unit which contains reference data to be referred to when determining contents of processing to be performed on acquired data
  • a second memory unit which stores a result of search obtained by the search section and the contents of processing in association with each other;
  • the position detection circuit includes a plurality of second comparison circuits which compare the data with position identification data for identifying the position of the comparison target data, and wherein the plurality of second comparison circuits receive the data, each having a shift of a predetermined data length, and compare the data with the position identification data simultaneously in parallel.
  • search section includes a determination circuit which determines which range the comparison target data to be compared with the reference data pertains to, out of three or more ranges into which the plurality of pieces of reference data stored in the first memory unit are divided.
  • the first memory unit further contains information that indicates the position of the comparison target data in the data, and wherein the search section extracts the comparison target data based on the position-indicating information.
  • the search circuit 30 performs matching with the user database 57 , the position detection circuit 32 need not detect the position, and the only thing required there is to specify, as the offset 51 , the storage location of the source address.
  • the URL of a content is checked against the virus list 161 , whitelist 162 , blacklist 163 and common category list 164 , in order to determine whether or not the access to the content should be permitted.
  • the whitelist 162 and blacklist 163 are provided for each user, and when a user ID is uniquely specified after the user authentication, the whitelist 162 and blacklist 163 for the user are provided to the search circuit 30 .
  • Each of the virus list 161 , whitelist 162 and blacklist 163 contains a category number field 165 , a URL field 166 and a title field 167 .
  • the URL field 166 contains a URL of a content to which access is permitted or prohibited.
  • the category number field 165 contains a category number of a content.
  • the title field 167 contains a title of a content.
  • the common category list 164 contains a list for classifying contents represented by URLs into multiple categories.
  • FIG. 14 shows an example of internal data of the common category list 164 .
  • the common category list 164 also contains the category number field 165 , URL field 166 and title field 167 .
  • the communication control apparatus 10 extracts a URL included in a “GET” request message and searches the virus list 161 , whitelist 162 , blacklist 163 and common category list 164 for the URL using the search circuit 30 .
  • a character string “http://”, for example may be detected by the position detection circuit 32 so as to extract the subsequent data string as target data.
  • the index circuit 34 and binary search circuit 36 perform matching between the extracted URL and the reference data in the virus list 161 , whitelist 162 , blacklist 163 and common category list 164 .
  • FIGS. 15A , 15 B, 15 C and 15 D show examples of internal data of the second database 60 used for URL filtering.
  • FIG. 15A shows the search result and processing content with respect to the virus list 161 . If a URL included in a GET request matches a URL included in the virus list 161 , the access to the URL will be prohibited.
  • FIG. 15B shows the search result and processing content with respect to the whitelist 162 . If a URL included in a GET request matches a URL included in the whitelist 162 , the access to the URL will be permitted.
  • FIG. 15C shows the search result and processing content with respect to the blacklist 163 . If a URL included in a GET request matches a URL included in the blacklist 163 , the access to the URL will be prohibited.
  • FIG. 15D shows the search result and processing content with respect to the common category list 164 .
  • a user can determiner with respect to each of the categories, the permission or prohibition of the access to contents belonging to the category, in relation to the results of search through the common category list 164 .
  • the second database 60 for the common category list 164 contains a user ID field 168 and a category field 169 .
  • the user ID field 168 contains an ID for identifying a user.
  • the category field 169 contains information that indicates the permission or prohibition of the access to contents belonging to respective categories, which is determined by a user for each of 57 categories classified.
  • the permission for the access to the URL will be determined according to the category that the URL belongs to and the user ID.
  • the number of common categories is 57 in FIG. 15D , it is not limited thereto.
  • the matching is performed on the lists, for example, in descending order of priority and the first match is employed.
  • the matching is performed on the lists in ascending order of priority, and the latest match is employed to replace the preceding match.
  • a search circuit 30 a for performing matching with respect to the virus list 161
  • a search circuit 30 b for performing matching with respect to the whitelist 162
  • a search circuit 30 c for performing matching with respect to the blacklist 163
  • a search circuit 30 d for performing matching with respect to the common category list 164 ;
  • the priorities of the virus list 161 , whitelist 162 , blacklist 163 and common category list 164 , with which the permission of access is determined, may be provided in the second database 60 , for example.
  • the conditions in the second database 60 may be modified depending on the priorities of the lists.
  • the process execution circuit 40 When access to a content is permitted, the process execution circuit 40 outputs a signal to the message output server 130 to convey the permission. The message output server 130 then transmits a “GET” request message to the server retaining the content. When access to a content is prohibited, the process execution circuit 40 outputs a signal to the message output server 130 to convey the prohibition, and the message output server 130 then discards a “GET” request message for the server of access destination without transmitting it. At this time, a response message conveying the prohibition of the access may be transmitted to the request source. Alternatively, transfer to another web page may be forced. In this case, the process execution circuit 40 changes the destination address and URL to those of the transfer destination and transmits the “GET” request message. Information including such response message or URL of the transfer destination may be stored in the second database 60 or the like.
  • the present embodiment proposes a technique for operating the communication control apparatus 10 that is versatile and flexible. Such technique can reduce man-hours and costs required for system modification due to increase of users. In addition, initial investment can be also reduced because a large scale system does not has to be constructed at the beginning in expectation of increase of users; only an appropriate number of communication control apparatuses need to be provided based on the number of users, instead.
  • the communication control system 100 of the present embodiment are provided as many as the number of communication control apparatuses required to share and store at least part of databases necessary for packet processing, and at least one more apparatus is provided extra.
  • the number of communication control apparatuses required for operation is four.
  • one or more communication control apparatuses should be further provided as standby units in case any of the communication control apparatuses in operation fails or in case a database in any of the communication control apparatuses is updated. Accordingly, at least five communication control apparatuses are provided in total. Conventionally, the entire system has needed to be duplexed considering fault tolerance.
  • a divided unit of the communication control apparatus 10 may be only provided extra, thereby enabling cost reduction.
  • the operating state of the multiple communication control apparatuses 10 a , 10 b , 10 c , etc. is managed by the operation monitoring server 110 .
  • the operation monitoring server 110 of the present embodiment has a management table for managing the operating state of the communication control apparatuses.
  • FIG. 18 shows configurations of the communication control apparatuses 10 according to the present embodiment.
  • the search circuit 30 and process execution circuit 40 correspond to a data processing unit
  • the configuration retaining the first database 50 and second database 60 corresponds to a data retaining unit in the present invention.
  • a data retaining unit and the corresponding data processing unit are provided in each of the communication control apparatuses 10 a , 10 b and 10 c .
  • These communication control apparatuses may be collectively provided in a single apparatus.
  • a single data processing unit may refer to databases stored in multiple data retaining units to process data.
  • the data retaining unit may be a storage apparatus, such as a RAM, or may be a part of the area in the storage apparatus. Also, multiple storage apparatuses may be considered as one data retaining unit.
  • each of the communication control apparatuses 10 a , 10 b , 10 c , etc. stores the user database 57 containing data of all users.
  • Each of the communication control apparatuses is notified by the operation monitoring server 110 of the range of user IDs assigned to users whom the communication control apparatus should handle.
  • Each of the apparatuses then refers to the data of user IDs within the notified range in the user database 57 to authenticate a user, and determines whether or not to process a packet that the apparatus has received.
  • the operation monitoring server 110 monitors the operating state of multiple communication control apparatuses 10 .
  • the operation monitoring server 110 stores, in the communication control apparatus 10 on standby, the same data as stored in the inoperable apparatus, and places the standby communication control apparatus 10 in operation.
  • the communication control apparatus 10 with the apparatus ID “2” halts the operation because of a failure, as shown in FIG. 20
  • the communication control apparatus 10 with the apparatus ID “6” which has been on standby, stores the data of user IDs “100001-200000” and starts operating.
  • the communication control apparatus 10 on standby may store any of the data in advance to be made in a hot standby state, or may be in a cold standby state.
  • the data retaining unit of the communication control apparatus 10 on standby stores the user database 57 in advance, and the operation monitoring server 110 notifies the standby apparatus of the range of user IDs handled by the inoperable communication control apparatus 10 so that the standby communication control apparatus 10 can handle the users instead. Consequently, the communication control apparatus 10 on standby can be placed in operation promptly, so that the chance that a packet remains unprocessed can be minimized.
  • the communication control apparatus 10 on standby may be placed in operation when only the user database 57 is stored therein. Although this cannot provide the complete URL filtering service, the situation of packets remaining unprocessed can be avoided.
  • the databases that have not yet been stored may be stored during maintenance or database updating, which will be described later.
  • the databases that are mutually used, such as the virus list 161 and common category list 164 may be also stored in the communication control apparatus 10 on standby in advance. Accordingly, when the standby apparatus is placed in operation, part of the service such as denying access to URLs contained in the virus list 161 can be provided.
  • the database server 150 acquires the latest database from the URL database 160 at a certain time and retains it therein.
  • the database server 150 also updates the user database upon registration of a new user or withdrawal of a user registration and retains it therein.
  • the operation monitoring server 110 transfers the data from the database server 150 and stores it in the communication control apparatus 10 at a certain time.
  • FIGS. 21A , 21 B and 21 C are diagrams for describing the procedure for updating databases.
  • FIG. 21A shows that the communication control apparatuses 10 with the apparatus IDs “1”-“5” are in operation while the communication control apparatus 10 with the apparatus ID “6” is on standby.
  • the operation monitoring server 110 identifies the communication control apparatus 10 in a standby state then and instructs the database server 150 to store the data in the communication control apparatus 10 .
  • the communication control apparatus 10 with the apparatus ID “6” is on standby, so that the database server 150 stores the data in that apparatus.
  • the operation monitoring server 110 then changes the operating state field 113 for the apparatus ID “6” to “data updating”.
  • FIG. 21B shows a state where a database of a communication control apparatus 10 is being updated.
  • the database server 150 stores, in the user database 57 in the communication control apparatus 10 with the apparatus ID “6” on standby, the data of users handled by one of the communication control apparatuses 10 in operation.
  • the data of the virus list 161 , whitelist 162 , blacklist 163 , common category list 164 and second database 60 are also stored therein.
  • the data of users with the user IDs “000001-100000”, which have been handled by the communication control apparatus 10 with the apparatus ID “1” are stored in the communication control apparatus 10 with the apparatus ID “6”.
  • the data of users with the user IDs “100001-200000” are stored in the communication control apparatus 10 with the apparatus ID “1” before the apparatus is placed in operation, and, subsequently, the operation of the communication control apparatus 10 with the apparatus ID “2” is stopped. Thereafter, databases are similarly updated by turns, so that the databases of all the communication control apparatuses 10 can be updated behind the actual operation, without halting the operation of the communication control system 100 .
  • FIG. 22 shows a configuration of a communication path control apparatus provided to process packets with multiple communication control apparatuses 10 .
  • a communication path control apparatus 200 comprises a switch 210 , an optical splitter 220 , which is an example of a data supply unit, and a switch 230 .
  • the switch 210 transmits a received packet to the communication control apparatuses 10 .
  • the optical splitter 220 that provides the packet to the multiple communication control apparatuses 10 a , 10 b and 10 c in parallel.
  • the switch 210 practically transmits a packet to the optical splitter 220 , which transmits the packet to each of the communication control apparatuses in parallel.
  • Each of the communication control apparatuses is not set to a mode in which an apparatus receives only packets directed to the MAC address of the apparatus, but set to promiscuous mode in which an apparatus receives all packets regardless of the destination MAC addresses.
  • each of the communication control apparatuses When receiving a packet sent via parallelcast from the optical splitter 220 , each of the communication control apparatuses omits MAC address matching and acquires every packet.
  • Each of the apparatuses then refers to the user database 57 stored in the data retaining unit to perform user ID matching as described in the base technology, and determines whether or not the apparatus should process the packet.
  • the communication control apparatuses 10 a and 10 b discard the packet while the communication control apparatus 10 c performs the URL filtering as described previously.
  • the communication control apparatus 10 c will transmit a response packet to the switch 210 bypassing the optical splitter 220 . If the communication control apparatus 10 c processes the packet and the access thereto is permitted, the communication control apparatus 10 c will transmit the packet to the destination of the request for the content. Between the communication control apparatuses 10 and the upstream communication line, there is provided the switch 230 by which packets transmitted from the multiple communication control apparatuses 10 a , 10 b and 10 c are aggregated. The communication control apparatus 10 c will practically transmit the packet to the switch 230 , which transmits the packet to the upstream communication line.

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Databases & Information Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Mining & Analysis (AREA)
  • Software Systems (AREA)
  • Computer Hardware Design (AREA)
  • Mathematical Physics (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
  • Computer And Data Communications (AREA)
US11/914,912 2005-05-20 2005-05-20 Data processing system Abandoned US20090132554A1 (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/JP2005/009246 WO2006123420A1 (ja) 2005-05-20 2005-05-20 データ処理システム

Publications (1)

Publication Number Publication Date
US20090132554A1 true US20090132554A1 (en) 2009-05-21

Family

ID=37431004

Family Applications (2)

Application Number Title Priority Date Filing Date
US11/914,912 Abandoned US20090132554A1 (en) 2005-05-20 2005-05-20 Data processing system
US11/915,135 Expired - Fee Related US7865474B2 (en) 2005-05-20 2006-07-27 Data processing system

Family Applications After (1)

Application Number Title Priority Date Filing Date
US11/915,135 Expired - Fee Related US7865474B2 (en) 2005-05-20 2006-07-27 Data processing system

Country Status (7)

Country Link
US (2) US20090132554A1 (zh)
EP (2) EP1901172A1 (zh)
JP (2) JP4087427B2 (zh)
KR (1) KR20080021677A (zh)
CN (2) CN101213528B (zh)
CA (2) CA2608156A1 (zh)
WO (2) WO2006123420A1 (zh)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20100250623A1 (en) * 2009-03-31 2010-09-30 Microsoft Corporation Generic editor for databases
WO2013170064A2 (en) * 2012-05-09 2013-11-14 SunStone Information Defense Inc. Methods and apparatus for identifying and removing malicious applications
US10419410B2 (en) * 2016-12-15 2019-09-17 Seagate Technology Llc Automatic generation of unique identifiers for distributed directory management users

Families Citing this family (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101213528B (zh) * 2005-05-20 2010-04-07 Duaxes株式会社 数据处理系统
US20080060062A1 (en) * 2006-08-31 2008-03-06 Robert B Lord Methods and systems for preventing information theft
JPWO2008075426A1 (ja) * 2006-12-20 2010-04-02 デュアキシズ株式会社 通信制御装置及び通信制御方法
US7470320B1 (en) 2007-06-07 2008-12-30 Xerox Corporation Nanosized particles of monoazo laked pigment with tunable properties
US8126860B2 (en) * 2007-07-17 2012-02-28 Ricoh Company, Limited Method and apparatus for processing data
WO2009066346A1 (ja) * 2007-11-19 2009-05-28 Duaxes Corporation ログ出力制御装置及びログ出力制御方法
WO2009066338A1 (ja) * 2007-11-19 2009-05-28 Duaxes Corporation 通信制御装置
US8286219B2 (en) * 2008-02-16 2012-10-09 Xencare Software Inc. Safe and secure program execution framework
JP4894826B2 (ja) 2008-07-14 2012-03-14 ソニー株式会社 通信装置、通信システム、報知方法、及びプログラム
US8381292B1 (en) * 2008-12-30 2013-02-19 The Uab Research Foundation System and method for branding a phishing website using advanced pattern matching
CN102231199A (zh) * 2011-06-27 2011-11-02 中国建设银行股份有限公司 一种交易信息异步处理的方法及装置
US20170193041A1 (en) * 2016-01-05 2017-07-06 Sqrrl Data, Inc. Document-partitioned secondary indexes in a sorted, distributed key/value data store

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030225760A1 (en) * 2002-05-30 2003-12-04 Jarmo Ruuth Method and system for processing replicated transactions parallel in secondary server

Family Cites Families (22)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JPS6343446A (ja) * 1986-08-11 1988-02-24 Mitsubishi Electric Corp パケツト交換装置
JPH03131141A (ja) * 1989-10-16 1991-06-04 Nippon Telegr & Teleph Corp <Ntt> 光論理バス通信方式
JPH04180425A (ja) 1990-11-15 1992-06-26 Toshiba Corp 通信システム
JPH0675840A (ja) * 1992-08-26 1994-03-18 Hitachi Ltd データベースメンテナンス方式
JP4000223B2 (ja) * 1997-09-24 2007-10-31 富士通株式会社 情報検索方法,情報検索システムおよび同システム用検索管理装置
JPH11232279A (ja) 1998-02-12 1999-08-27 Kawasaki Steel Corp 分割探索方法及び装置
JP2001051890A (ja) * 1999-08-10 2001-02-23 Toshiba Corp 仮想分散ファイルサーバシステム
JP2001168911A (ja) 1999-12-09 2001-06-22 Hitachi Cable Ltd パケットフィルタ装置
JP3776278B2 (ja) * 2000-02-07 2006-05-17 日本電信電話株式会社 データベース処理システム
JP3605343B2 (ja) 2000-03-31 2004-12-22 デジタルア−ツ株式会社 インターネット閲覧制御方法、その方法を実施するプログラムを記録した媒体およびインターネット閲覧制御装置
JP3873027B2 (ja) 2001-04-02 2007-01-24 株式会社インフォーエス ビットストリングの検索装置および方法
JP3829702B2 (ja) 2001-11-29 2006-10-04 横河電機株式会社 フレーム同期装置及び方法
JP2003258997A (ja) * 2002-02-27 2003-09-12 Nippon Telegr & Teleph Corp <Ntt> サービス制御ノードシステムの予備方式
JP2004140618A (ja) 2002-10-18 2004-05-13 Yokogawa Electric Corp パケットフィルタ装置および不正アクセス検知装置
JP2004164435A (ja) 2002-11-14 2004-06-10 Nec Software Kyushu Ltd 接続要求中継装置、フィルタリングシステム、方法、及びプログラム
JP2004172917A (ja) 2002-11-20 2004-06-17 Nec Corp パケット検索装置及びそれに用いるパケット処理検索方法並びにそのプログラム
GB0227048D0 (en) * 2002-11-20 2002-12-24 3Com Corp Network units for use in and organisation of cascade systems
JP2004187201A (ja) 2002-12-06 2004-07-02 Nippon Telegr & Teleph Corp <Ntt> データ列検索用ノード,これを用いるデータ列検索方法並びにデータ列検索処理装置
JP4346975B2 (ja) 2003-06-27 2009-10-21 株式会社ルネサステクノロジ 連想メモリ機能付き集積回路及び侵入検知装置
JP2005084841A (ja) * 2003-09-05 2005-03-31 Patolis Corp データベース検索システム、データベース検索プログラム、データベース検索方法
CN100448238C (zh) * 2004-09-06 2008-12-31 恒生电子股份有限公司 离散数据集中处理系统
CN101213528B (zh) * 2005-05-20 2010-04-07 Duaxes株式会社 数据处理系统

Patent Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030225760A1 (en) * 2002-05-30 2003-12-04 Jarmo Ruuth Method and system for processing replicated transactions parallel in secondary server

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20100250623A1 (en) * 2009-03-31 2010-09-30 Microsoft Corporation Generic editor for databases
US8386429B2 (en) * 2009-03-31 2013-02-26 Microsoft Corporation Generic editor for databases
US8626715B2 (en) 2009-03-31 2014-01-07 Microsoft Corporation Generic editor for databases
WO2013170064A2 (en) * 2012-05-09 2013-11-14 SunStone Information Defense Inc. Methods and apparatus for identifying and removing malicious applications
WO2013170064A3 (en) * 2012-05-09 2014-05-08 SunStone Information Defense Inc. Methods and apparatus for identifying and removing malicious applications
US9659175B2 (en) 2012-05-09 2017-05-23 SunStone Information Defense Inc. Methods and apparatus for identifying and removing malicious applications
US10235524B2 (en) 2012-05-09 2019-03-19 SunStone Information Defense, Inc. Methods and apparatus for identifying and removing malicious applications
US11687653B2 (en) 2012-05-09 2023-06-27 SunStone Information Defense, Inc. Methods and apparatus for identifying and removing malicious applications
US10419410B2 (en) * 2016-12-15 2019-09-17 Seagate Technology Llc Automatic generation of unique identifiers for distributed directory management users

Also Published As

Publication number Publication date
CA2608156A1 (en) 2006-11-23
JPWO2006123420A1 (ja) 2008-12-25
CA2609130A1 (en) 2006-11-23
WO2006123443A1 (ja) 2006-11-23
EP1901173A1 (en) 2008-03-19
KR20080021677A (ko) 2008-03-07
US20090216802A1 (en) 2009-08-27
CN101213528B (zh) 2010-04-07
US7865474B2 (en) 2011-01-04
JP4087428B2 (ja) 2008-05-21
WO2006123420A1 (ja) 2006-11-23
CN101213529A (zh) 2008-07-02
WO2006123443A8 (ja) 2007-07-05
JP4087427B2 (ja) 2008-05-21
JPWO2006123443A1 (ja) 2008-12-25
EP1901172A1 (en) 2008-03-19
CN101213528A (zh) 2008-07-02
CN100590615C (zh) 2010-02-17

Similar Documents

Publication Publication Date Title
US7865474B2 (en) Data processing system
US8073855B2 (en) Communication control device and communication control system
US20080281716A1 (en) Communication Control Device
US8417677B2 (en) Communication management system, communication management method and communication control device
US8336092B2 (en) Communication control device and communication control system
US8572759B2 (en) Communication management system and communication management method
US20080270360A1 (en) Data Processing Device
US8117305B2 (en) Communication management system, communication management method, and communication control device
US20100299398A1 (en) Communication control apparatus
US8463727B2 (en) Communication management system and communication management method
US8019776B2 (en) Determining device and determining method for determining processing to be performed based on acquired data
US8065322B2 (en) Binary search circuit and method
US20100138181A1 (en) Testing apparatus
JP4319246B2 (ja) 通信制御装置及び通信制御方法
KR20080017046A (ko) 데이터 프로세싱 시스템
JPWO2008075426A1 (ja) 通信制御装置及び通信制御方法

Legal Events

Date Code Title Description
AS Assignment

Owner name: DUAXES CORPORATION, JAPAN

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:NAGOYA, MITSUGU;REEL/FRAME:020529/0331

Effective date: 20080115

STCB Information on status: application discontinuation

Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION