US20090132554A1 - Data processing system - Google Patents
Data processing system Download PDFInfo
- Publication number
- US20090132554A1 US20090132554A1 US11/914,912 US91491205A US2009132554A1 US 20090132554 A1 US20090132554 A1 US 20090132554A1 US 91491205 A US91491205 A US 91491205A US 2009132554 A1 US2009132554 A1 US 2009132554A1
- Authority
- US
- United States
- Prior art keywords
- data
- data processing
- packet
- database
- communication control
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Abandoned
Links
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/90—Details of database functions independent of the retrieved data types
- G06F16/95—Retrieval from the web
- G06F16/953—Querying, e.g. by the use of web search engines
- G06F16/9535—Search customisation based on user profiles and personalisation
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F15/00—Digital computers in general; Data processing equipment in general
- G06F15/16—Combinations of two or more digital computers each having at least an arithmetic unit, a program unit and a register, e.g. for a simultaneous processing of several programs
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F13/00—Interconnection of, or transfer of information or other signals between, memories, input/output devices or central processing units
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/90—Details of database functions independent of the retrieved data types
- G06F16/95—Retrieval from the web
- G06F16/953—Querying, e.g. by the use of web search engines
- G06F16/9538—Presentation of query results
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F17/00—Digital computing or data processing equipment or methods, specially adapted for specific functions
Definitions
- the present invention relates to a data processing technique, particularly to a technique for operating multiple databases.
- the Internet has enabled easy access to a vast amount of information.
- harmful information is proliferating thereon and regulation on its originator does not keep up with the proliferation.
- Patent Document 1 Japanese Patent Application Laid-open No. 2001-282797.
- the present invention has been made in view of such a situation, and a general purpose thereof is to provide a technique for operating multiple databases appropriately.
- the data processing system comprises: a data processing unit which processes data acquired; and a plurality of data retaining units which store databases used to process the data, wherein: each of the plurality of data retaining units stores a primary database in common and stores the respective shares of a secondary database; and the data processing system further comprises at least one more data retaining unit which can store the primary database and the respective shares of the secondary database.
- the primary database may contain data for determining which share of the secondary database is to be used to process the data.
- the primary database may contain data for user authentication, while the secondary database may contain information on data processing for each user, etc.
- the data processing system may further comprise an operation management unit, which manages the operating state of the plurality of data retaining units.
- the operation management unit may operate as many as the number of data retaining units required to share and store the secondary database, and may place the other data retaining unit on standby; when a database retained in the data retaining units is updated, the operation management unit may store, in a data retaining unit on standby, updated data of the database retained in any one of the data retaining units in operation, and may subsequently stop the operation of the data retaining unit storing the database before update and place the data retaining unit storing the updated database in operation.
- databases can be updated without halting the operation.
- the operation management unit may store the database retained by the data retaining unit in a data retaining unit on standby, and may place the data retaining unit on standby in operation. Thus, even if one of the data retaining units stops because of failure or the like, the main operation will be continued properly.
- the data retaining unit on standby may store the primary database in advance. If the data retaining unit stores, in advance, the primary database, which is used mutually and contains data for determining which share of the secondary database is to be used to process the data, the data retaining unit on standby can be placed in operation promptly even though one of the data retaining units in operation becomes inoperable.
- a plurality of the data processing units may be provided so as to correspond to the plurality of data retaining units respectively.
- the data processing system may further comprise a data supply unit, which provides acquired data to the plurality of data processing units in parallel. This enables appropriate data processing using the data processing units even in the case where a data retaining unit is further added, or the case where the content of a database retained by the respective data retaining units is changed because of database updating or the like.
- the data supply unit may provide acquired data as it is to the plurality of data processing units in parallel without processing the data. Consequently, the data supply unit need not process data, thereby improving the data processing speed.
- each of the plurality of data processing units may refer to a database retained in the corresponding data retaining unit so as to determine whether or not to process the data. Accordingly, data can be appropriately processed by the proper data processing unit.
- the data processing units may be communication control apparatuses which acquire packets to control communications, and, upon acquisition of a packet from the data supply unit, each of the data processing units may acquire the packet without determining whether the packet is directed to the data processing unit itself, and may refer to a database retained in the corresponding data retaining unit so as to determine whether or not to process the packet. Consequently, the data processing units need not check MAC addresses or IP addresses, thereby improving the packet processing speed.
- the data supply unit may provide to the plurality of communication control apparatuses in parallel an acquired packet as a unicast packet without converting the packet to a broadcast packet. Consequently, the data supply unit need not, for example, process the header of the packet to convert the packet to a broadcast, thereby improving the packet processing speed.
- FIG. 1 is a diagram that shows a configuration of a communication control system according to a base technology.
- FIG. 2 is a diagram that shows a configuration of a conventional communication control apparatus.
- FIG. 3 is a diagram that shows a configuration of a communication control apparatus according to the base technology.
- FIG. 4 is a diagram that shows an internal configuration of a packet processing circuit.
- FIG. 5 is a diagram that shows an internal configuration of a position detection circuit.
- FIG. 6 is a diagram that shows an example of internal data of a first database.
- FIG. 7 is a diagram that shows another example of internal data of the first database.
- FIG. 8 is a diagram that shows yet another example of internal data of the first database.
- FIG. 9 is a diagram that shows a configuration of comparison circuits included in a binary search circuit.
- FIG. 10 is a diagram that shows an example of internal data of a second database.
- FIG. 11 is a diagram that shows another example of internal data of the second database.
- FIG. 12 is a diagram that shows an internal configuration of the packet processing circuit used for URL filtering.
- FIG. 13A is a diagram that shows an example of internal data of a virus list
- FIG. 13B is a diagram that shows an example of internal data of a whitelist
- FIG. 13C is a diagram that shows an example of internal data of a blacklist.
- FIG. 14 is a diagram that shows an example of internal data of a common category list.
- FIG. 18 is a diagram that shows configurations of communication control apparatuses according to the embodiment.
- FIG. 19 is a diagram that shows an example of internal data of a management table provided in an operation monitoring server.
- FIGS. 21A , 21 B and 21 C are diagrams for describing a procedure for updating databases in the communication control apparatuses.
- FIG. 1 shows a configuration of a communication control system according to the base technology.
- a communication control system 100 comprises a communication control apparatus 10 and various peripheral apparatuses provided to support the operation of the communication control apparatus 10 .
- the communication control apparatus 10 of the base technology performs a URL filtering function provided by an Internet service provider or the like.
- the communication control apparatus 10 provided on a network path acquires a request for access to a content, analyzes the content, and determines whether or not the access to the content should be permitted. If the access to the content is permitted, the communication control apparatus 10 will transmit the access request to a server that retains the content. If the access to the content is prohibited, the communication control apparatus 10 will discard the access request and return a warning message or the like to the source of the request.
- the communication control apparatus 10 of the base technology receives an access request, such as an HTTP (HyperText Transfer Protocol) “GET” request message.
- the apparatus searches a list of reference data for determining access permission to check if the URL of the content to be accessed appears in the list, so as to determine whether or not the access to the content should be permitted.
- HTTP HyperText Transfer Protocol
- the peripheral apparatuses include an operation monitoring server 110 , a connection management server 120 , a message output server 130 , a log management server 140 and a database server 150 .
- the connection management server 120 manages connection to the communication control apparatus 10 .
- the connection management server 120 authenticates the user as a user of the communication control apparatus 10 , based on information included in the packet, which uniquely identifies the cellular phone terminal. Once the user is authenticated, packets transmitted from the IP address, which is temporarily provided for the cellular phone terminal, will be transmitted to the communication control apparatus 10 and processed therein, without being authenticated by the connection management server 120 during a certain period.
- the communication control apparatus 10 configured with a dedicated hardware circuit for faster operation, is controlled by using a group of peripheral servers connected thereto and having various functions. Accordingly, by suitably replacing the software of the group of servers, a wide variety of functions can be achieved with a similar configuration.
- the base technology provides such communication control system having high flexibility.
- the packet processing unit 3 of the conventional communication control apparatus 1 is implemented by software, using a general-purpose processor, or CPU, and an OS running on the CPU. With such configuration, however, the performance of the communication control apparatus 1 depends on the performance of the CPU, hampering the creation of a communication control apparatus capable of high-speed processing of a large volume of packets. For example, a 64-bit CPU can process only up to 64 bits at a time, and hence, there has existed no communication control apparatus having a higher performance than this. In addition, since the conventional communication control apparatus is predicated on the presence of an OS with versatile functionality, the possibility of security holes cannot be eliminated completely, requiring maintenance work including OS upgrades.
- FIG. 3 shows a configuration of a communication control apparatus in the base technology.
- the communication control apparatus 10 comprises a packet processing circuit 20 configured with dedicated hardware employing a wired logic circuit, instead of the packet processing unit 3 implemented by software including a CPU and an OS in the conventional communication control apparatus 1 shown in FIG. 2 .
- a dedicated hardware circuit to process communication data, rather than processing it with an OS and software running on a general-purpose processing circuit such as CPU, the performance limitations posed by the CPU or OS can be overcome, enabling a communication control apparatus having high throughput.
- a case will be considered here in which, in packet filtering or the likes a search is conducted to check if the data in a packet includes reference data, which serves as criteria for filtering.
- reference data which serves as criteria for filtering.
- a dedicated hardware circuit configured with a wired logic circuit to compare communication data with reference data.
- This circuit includes multiple comparators arranged in parallel, so as to enable the comparison of data having a length greater than 64 bits, such as 1024 bits.
- bit matching can be simultaneously performed on a large number of bits in parallel. Since 1024-bit data can be processed at a time, while the conventional communication control apparatus 1 using a CPU processes only 64 bits, the processing speed can be improved remarkably. Increasing the number of comparators will improve the throughput, but also increase the cost and size of the apparatus. Accordingly, an optimal hardware circuit may be designed in accordance with the desired performance, cost or size.
- the dedicated hardware circuit may be configured using FPGA (Field Programmable Gate Array), etc.
- the communication control apparatus 10 of the base technology is configured with dedicated hardware employing a wired logic circuit, it does not require any OS (Operating System). This can eliminate the need for the installation, bug fixes, or version upgrades of an OS, thereby reducing the cost and man-hours required for administration and maintenance. Also, unlike CPUs requiring versatile functionality, the communication control apparatus 10 does not include any unnecessary functions or use needless resources, and hence, reduced cost, a smaller circuit area or improved processing speed can be expected. Furthermore, again unlike conventional OS-based communication control apparatuses, the absence of unnecessary functions decreases the possibility of security holes and thus enhances the tolerance against attacks from malicious third parties over a network.
- OS Operating System
- FIG. 4 shows an internal configuration of the packet processing circuit.
- the packet processing circuit 20 comprises: a first database 50 for storing reference data to be referred to when determining processing to be performed on communication data; a search circuit 30 for searching received communication data for the reference data by comparing the two; a second database 60 for storing a search result of the search circuit 30 and a content of processing to be performed on the communication data, which are related to each other; and a process execution circuit 40 for processing the communication data based on the search result of the search circuit 30 and the conditions stored in the second database 60 .
- the search circuit 30 includes: a position detection circuit 32 for detecting the position of comparison target data, which is to be compared with reference data, in communication data; an index circuit 34 which serves as an example of a determination circuit for determining which range the comparison target data belongs to, among three or more ranges into which the reference data stored in the first database 50 is divided; and a binary search circuit 36 for searching the determined range for the reference data that matches the comparison target data.
- the reference data may be searched for the comparison target data using any search technique, and a binary search method is used in the base technology.
- the base technology will be described by way of example for explaining the operation of the communication control apparatus 10 , in which a character string “No. ###” in communication data is detected, the number “###” included in the character string is then compared with reference data, and if the number matches the reference data, the packet will be allowed to pass, while, if they do not match, the packet will be discarded.
- the position detection circuit 32 may also be used as a circuit for detecting character strings for various purposes. Moreover, the position detection circuit 32 may be configured to detect position identification data in units of bits, not just as a character string.
- FIG. 6 shows an example of internal data of the first database.
- the first database 50 stores reference data to be referred to when determining the processing on packets, such as filtering, routing, switching, and replacement.
- the pieces of reference data are sorted according to some sort conditions. In the example of FIG. 6 , 1000 pieces of reference data are stored.
- the top record of the first database 50 contains an offset 51 which indicates the position of comparison target data in communication data. For example, in a TCP packet, the data configuration within the packet is determined in units of bits. Therefore, if the position of flag information or the like for determining the processing on the packet is given in the form of the offset 51 , the processing can be determined by comparing only necessary bits, thus improving the processing efficiency. Also, even when the configuration of packet data is changed, it can be settled by modifying the offset 51 accordingly.
- the first database 50 may store the data length of comparison target data. In this case, since the comparison can be performed by operating only a required number of comparators, the search efficiency can be improved.
- Each of the comparison circuits 35 a - 35 c of the index circuit 34 receives “361” as comparison target data.
- the comparison circuit 35 a receives “378”, which lies at the border of the ranges 52 a and 52 b .
- the comparison circuit 35 b receives reference data “704” lying at the border of the ranges 52 b and 52 c
- the comparison circuit 35 c receives reference data “937” lying at the border of the ranges 52 c and 52 d .
- the comparison circuits 35 a - 35 c then perform comparisons simultaneously, determining that the comparison target data “361” belongs to the range 52 a .
- the binary search circuit 36 searches the reference data for the comparison target data “361”.
- FIG. 7 shows another example of internal data of the first database.
- the number of pieces of reference data is smaller than the number of pieces of data storable in the first database 50 , i.e., 1000 in this case.
- the first database 50 stores the pieces of reference data in descending order, starting with the last data position therein. Then, 0 is stored in the rest of the data positions.
- the database is loaded with data not from the top but from the bottom of the loading area, and all the vacancies occurring in the front of the loading area, if any, are replaced with zero. Consequently, the database is fully loaded at any time, so that the maximum time necessary for a binary search will be constant.
- the binary search circuit 36 reads reference data “0” during a search, the circuit can identify the range without making a comparison, as the comparison result is obvious, and can proceed to the next comparison. Consequently, the search speed can be improved.
- the first database 50 stores pieces of reference data in ascending order, from the first data position therein. In the rest of data positions will be stored a maximum value or the like, and in such case, the skip of comparison processing as described above cannot be made during a binary search.
- the comparison technique described above can be implemented by configuring the search circuit 30 with a dedicated hardware circuit.
- FIG. 8 shows yet another example of internal data of the first database.
- the reference data is not evenly divided into three or more ranges, but unevenly divided into ranges that accommodate different numbers of pieces of data, such as 500 pieces in the range 52 a and 100 pieces in the range 52 b .
- These ranges may be determined depending on the distribution of frequencies with which reference data occurs in communication data. Specifically, the ranges may be determined so that the sums of the frequencies of occurrence of reference data belonging to the respective ranges are almost the same. Accordingly, the search efficiency can be improved.
- the reference data to be input to the comparison circuits 35 a - 35 c of the index circuit 34 may be modifiable from the outside. In such case, the ranges can be dynamically set, so that the search efficiency will be optimized.
- FIG. 9 shows a configuration of comparison circuits included in the binary search circuit.
- the binary search circuit 36 includes 1024 comparison circuits, such as 36 a , 36 b , . . . .
- Each of the comparison circuits 36 a , 36 b , etc. receives 1 bit of reference data 54 and 1 bit of comparison target data 56 to compare the bits in value.
- the comparison circuits 35 a - 35 c of the index circuit 34 have similar internal configurations. Since the comparison processing is thus performed by a dedicated hardware circuit, a large number of comparison circuits can be operated in parallel to compare a large number of bits at a time, thereby speeding up the comparison processing.
- FIG. 10 shows an example of internal data of the second database.
- the second database 60 includes a search result field 62 , which contains a search result of the search circuit 30 , and a processing content field 64 , which contains a processing content to be performed on communication data.
- the database stores the search results and the processing contents related to each other. In the example of FIG. 10 , conditions are established such that a packet will be allowed to pass if its communication data contains reference data; if not, the packet will be discarded.
- the process execution circuit 40 searches the second database 60 for a processing content based on the search result and performs the processing on the communication data.
- the process execution circuit 40 may also be configured with a wired logic circuit.
- FIG. 11 shows another example of internal data of the second database.
- the processing content is set for each piece of reference data.
- replacement data may be stored in the second database 60 .
- packet routing or switching information on the route may be stored in the second database 60 .
- the process execution circuit 40 performs processing, such as filtering, routing, switching, or replacement, which is specified in the second database 60 , in accordance with the search result of the search circuit 30 .
- the processing content is set for each piece of reference data, as shown in FIG. 11 , the first database 50 and the second database 60 may be merged with each other.
- the first database and the second database are configured to be rewritable from the outside. By replacing these databases, various types of data processing and communication control can be achieved using the same communication control apparatus 10 .
- multistage search processing may be performed by providing two or more databases that store reference data to be searched. In such instance, more complicated conditional branching may be performed by providing two or more databases that store search results and processing contents related to each other.
- a plurality of the position detection circuits 32 , the index circuits 34 , the binary search circuits 36 , etc. may also be provided.
- the data intended for the foregoing comparison may be compressed by the same compression logic. If both the source data and the target data to be compared are compressed by the same method, the comparison can be performed in the same manner as usual, thus reducing the amount of data to be loaded for comparison. The smaller amount of data to be loaded can reduce the time required to read out the data from the memory, thereby reducing the overall processing time. Moreover, the number of comparators can be also reduced, which contributes to the miniaturization, weight saving, and cost reduction of the apparatus.
- the data intended for comparison may be stored in a compressed form, or may be read out from the memory and compressed before comparison.
- a first memory unit which contains reference data to be referred to when determining contents of processing to be performed on acquired data
- a second memory unit which stores a result of search obtained by the search section and the contents of processing in association with each other;
- the position detection circuit includes a plurality of second comparison circuits which compare the data with position identification data for identifying the position of the comparison target data, and wherein the plurality of second comparison circuits receive the data, each having a shift of a predetermined data length, and compare the data with the position identification data simultaneously in parallel.
- search section includes a determination circuit which determines which range the comparison target data to be compared with the reference data pertains to, out of three or more ranges into which the plurality of pieces of reference data stored in the first memory unit are divided.
- the first memory unit further contains information that indicates the position of the comparison target data in the data, and wherein the search section extracts the comparison target data based on the position-indicating information.
- the search circuit 30 performs matching with the user database 57 , the position detection circuit 32 need not detect the position, and the only thing required there is to specify, as the offset 51 , the storage location of the source address.
- the URL of a content is checked against the virus list 161 , whitelist 162 , blacklist 163 and common category list 164 , in order to determine whether or not the access to the content should be permitted.
- the whitelist 162 and blacklist 163 are provided for each user, and when a user ID is uniquely specified after the user authentication, the whitelist 162 and blacklist 163 for the user are provided to the search circuit 30 .
- Each of the virus list 161 , whitelist 162 and blacklist 163 contains a category number field 165 , a URL field 166 and a title field 167 .
- the URL field 166 contains a URL of a content to which access is permitted or prohibited.
- the category number field 165 contains a category number of a content.
- the title field 167 contains a title of a content.
- the common category list 164 contains a list for classifying contents represented by URLs into multiple categories.
- FIG. 14 shows an example of internal data of the common category list 164 .
- the common category list 164 also contains the category number field 165 , URL field 166 and title field 167 .
- the communication control apparatus 10 extracts a URL included in a “GET” request message and searches the virus list 161 , whitelist 162 , blacklist 163 and common category list 164 for the URL using the search circuit 30 .
- a character string “http://”, for example may be detected by the position detection circuit 32 so as to extract the subsequent data string as target data.
- the index circuit 34 and binary search circuit 36 perform matching between the extracted URL and the reference data in the virus list 161 , whitelist 162 , blacklist 163 and common category list 164 .
- FIGS. 15A , 15 B, 15 C and 15 D show examples of internal data of the second database 60 used for URL filtering.
- FIG. 15A shows the search result and processing content with respect to the virus list 161 . If a URL included in a GET request matches a URL included in the virus list 161 , the access to the URL will be prohibited.
- FIG. 15B shows the search result and processing content with respect to the whitelist 162 . If a URL included in a GET request matches a URL included in the whitelist 162 , the access to the URL will be permitted.
- FIG. 15C shows the search result and processing content with respect to the blacklist 163 . If a URL included in a GET request matches a URL included in the blacklist 163 , the access to the URL will be prohibited.
- FIG. 15D shows the search result and processing content with respect to the common category list 164 .
- a user can determiner with respect to each of the categories, the permission or prohibition of the access to contents belonging to the category, in relation to the results of search through the common category list 164 .
- the second database 60 for the common category list 164 contains a user ID field 168 and a category field 169 .
- the user ID field 168 contains an ID for identifying a user.
- the category field 169 contains information that indicates the permission or prohibition of the access to contents belonging to respective categories, which is determined by a user for each of 57 categories classified.
- the permission for the access to the URL will be determined according to the category that the URL belongs to and the user ID.
- the number of common categories is 57 in FIG. 15D , it is not limited thereto.
- the matching is performed on the lists, for example, in descending order of priority and the first match is employed.
- the matching is performed on the lists in ascending order of priority, and the latest match is employed to replace the preceding match.
- a search circuit 30 a for performing matching with respect to the virus list 161
- a search circuit 30 b for performing matching with respect to the whitelist 162
- a search circuit 30 c for performing matching with respect to the blacklist 163
- a search circuit 30 d for performing matching with respect to the common category list 164 ;
- the priorities of the virus list 161 , whitelist 162 , blacklist 163 and common category list 164 , with which the permission of access is determined, may be provided in the second database 60 , for example.
- the conditions in the second database 60 may be modified depending on the priorities of the lists.
- the process execution circuit 40 When access to a content is permitted, the process execution circuit 40 outputs a signal to the message output server 130 to convey the permission. The message output server 130 then transmits a “GET” request message to the server retaining the content. When access to a content is prohibited, the process execution circuit 40 outputs a signal to the message output server 130 to convey the prohibition, and the message output server 130 then discards a “GET” request message for the server of access destination without transmitting it. At this time, a response message conveying the prohibition of the access may be transmitted to the request source. Alternatively, transfer to another web page may be forced. In this case, the process execution circuit 40 changes the destination address and URL to those of the transfer destination and transmits the “GET” request message. Information including such response message or URL of the transfer destination may be stored in the second database 60 or the like.
- the present embodiment proposes a technique for operating the communication control apparatus 10 that is versatile and flexible. Such technique can reduce man-hours and costs required for system modification due to increase of users. In addition, initial investment can be also reduced because a large scale system does not has to be constructed at the beginning in expectation of increase of users; only an appropriate number of communication control apparatuses need to be provided based on the number of users, instead.
- the communication control system 100 of the present embodiment are provided as many as the number of communication control apparatuses required to share and store at least part of databases necessary for packet processing, and at least one more apparatus is provided extra.
- the number of communication control apparatuses required for operation is four.
- one or more communication control apparatuses should be further provided as standby units in case any of the communication control apparatuses in operation fails or in case a database in any of the communication control apparatuses is updated. Accordingly, at least five communication control apparatuses are provided in total. Conventionally, the entire system has needed to be duplexed considering fault tolerance.
- a divided unit of the communication control apparatus 10 may be only provided extra, thereby enabling cost reduction.
- the operating state of the multiple communication control apparatuses 10 a , 10 b , 10 c , etc. is managed by the operation monitoring server 110 .
- the operation monitoring server 110 of the present embodiment has a management table for managing the operating state of the communication control apparatuses.
- FIG. 18 shows configurations of the communication control apparatuses 10 according to the present embodiment.
- the search circuit 30 and process execution circuit 40 correspond to a data processing unit
- the configuration retaining the first database 50 and second database 60 corresponds to a data retaining unit in the present invention.
- a data retaining unit and the corresponding data processing unit are provided in each of the communication control apparatuses 10 a , 10 b and 10 c .
- These communication control apparatuses may be collectively provided in a single apparatus.
- a single data processing unit may refer to databases stored in multiple data retaining units to process data.
- the data retaining unit may be a storage apparatus, such as a RAM, or may be a part of the area in the storage apparatus. Also, multiple storage apparatuses may be considered as one data retaining unit.
- each of the communication control apparatuses 10 a , 10 b , 10 c , etc. stores the user database 57 containing data of all users.
- Each of the communication control apparatuses is notified by the operation monitoring server 110 of the range of user IDs assigned to users whom the communication control apparatus should handle.
- Each of the apparatuses then refers to the data of user IDs within the notified range in the user database 57 to authenticate a user, and determines whether or not to process a packet that the apparatus has received.
- the operation monitoring server 110 monitors the operating state of multiple communication control apparatuses 10 .
- the operation monitoring server 110 stores, in the communication control apparatus 10 on standby, the same data as stored in the inoperable apparatus, and places the standby communication control apparatus 10 in operation.
- the communication control apparatus 10 with the apparatus ID “2” halts the operation because of a failure, as shown in FIG. 20
- the communication control apparatus 10 with the apparatus ID “6” which has been on standby, stores the data of user IDs “100001-200000” and starts operating.
- the communication control apparatus 10 on standby may store any of the data in advance to be made in a hot standby state, or may be in a cold standby state.
- the data retaining unit of the communication control apparatus 10 on standby stores the user database 57 in advance, and the operation monitoring server 110 notifies the standby apparatus of the range of user IDs handled by the inoperable communication control apparatus 10 so that the standby communication control apparatus 10 can handle the users instead. Consequently, the communication control apparatus 10 on standby can be placed in operation promptly, so that the chance that a packet remains unprocessed can be minimized.
- the communication control apparatus 10 on standby may be placed in operation when only the user database 57 is stored therein. Although this cannot provide the complete URL filtering service, the situation of packets remaining unprocessed can be avoided.
- the databases that have not yet been stored may be stored during maintenance or database updating, which will be described later.
- the databases that are mutually used, such as the virus list 161 and common category list 164 may be also stored in the communication control apparatus 10 on standby in advance. Accordingly, when the standby apparatus is placed in operation, part of the service such as denying access to URLs contained in the virus list 161 can be provided.
- the database server 150 acquires the latest database from the URL database 160 at a certain time and retains it therein.
- the database server 150 also updates the user database upon registration of a new user or withdrawal of a user registration and retains it therein.
- the operation monitoring server 110 transfers the data from the database server 150 and stores it in the communication control apparatus 10 at a certain time.
- FIGS. 21A , 21 B and 21 C are diagrams for describing the procedure for updating databases.
- FIG. 21A shows that the communication control apparatuses 10 with the apparatus IDs “1”-“5” are in operation while the communication control apparatus 10 with the apparatus ID “6” is on standby.
- the operation monitoring server 110 identifies the communication control apparatus 10 in a standby state then and instructs the database server 150 to store the data in the communication control apparatus 10 .
- the communication control apparatus 10 with the apparatus ID “6” is on standby, so that the database server 150 stores the data in that apparatus.
- the operation monitoring server 110 then changes the operating state field 113 for the apparatus ID “6” to “data updating”.
- FIG. 21B shows a state where a database of a communication control apparatus 10 is being updated.
- the database server 150 stores, in the user database 57 in the communication control apparatus 10 with the apparatus ID “6” on standby, the data of users handled by one of the communication control apparatuses 10 in operation.
- the data of the virus list 161 , whitelist 162 , blacklist 163 , common category list 164 and second database 60 are also stored therein.
- the data of users with the user IDs “000001-100000”, which have been handled by the communication control apparatus 10 with the apparatus ID “1” are stored in the communication control apparatus 10 with the apparatus ID “6”.
- the data of users with the user IDs “100001-200000” are stored in the communication control apparatus 10 with the apparatus ID “1” before the apparatus is placed in operation, and, subsequently, the operation of the communication control apparatus 10 with the apparatus ID “2” is stopped. Thereafter, databases are similarly updated by turns, so that the databases of all the communication control apparatuses 10 can be updated behind the actual operation, without halting the operation of the communication control system 100 .
- FIG. 22 shows a configuration of a communication path control apparatus provided to process packets with multiple communication control apparatuses 10 .
- a communication path control apparatus 200 comprises a switch 210 , an optical splitter 220 , which is an example of a data supply unit, and a switch 230 .
- the switch 210 transmits a received packet to the communication control apparatuses 10 .
- the optical splitter 220 that provides the packet to the multiple communication control apparatuses 10 a , 10 b and 10 c in parallel.
- the switch 210 practically transmits a packet to the optical splitter 220 , which transmits the packet to each of the communication control apparatuses in parallel.
- Each of the communication control apparatuses is not set to a mode in which an apparatus receives only packets directed to the MAC address of the apparatus, but set to promiscuous mode in which an apparatus receives all packets regardless of the destination MAC addresses.
- each of the communication control apparatuses When receiving a packet sent via parallelcast from the optical splitter 220 , each of the communication control apparatuses omits MAC address matching and acquires every packet.
- Each of the apparatuses then refers to the user database 57 stored in the data retaining unit to perform user ID matching as described in the base technology, and determines whether or not the apparatus should process the packet.
- the communication control apparatuses 10 a and 10 b discard the packet while the communication control apparatus 10 c performs the URL filtering as described previously.
- the communication control apparatus 10 c will transmit a response packet to the switch 210 bypassing the optical splitter 220 . If the communication control apparatus 10 c processes the packet and the access thereto is permitted, the communication control apparatus 10 c will transmit the packet to the destination of the request for the content. Between the communication control apparatuses 10 and the upstream communication line, there is provided the switch 230 by which packets transmitted from the multiple communication control apparatuses 10 a , 10 b and 10 c are aggregated. The communication control apparatus 10 c will practically transmit the packet to the switch 230 , which transmits the packet to the upstream communication line.
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Databases & Information Systems (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- Data Mining & Analysis (AREA)
- Software Systems (AREA)
- Computer Hardware Design (AREA)
- Mathematical Physics (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
- Computer And Data Communications (AREA)
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/JP2005/009246 WO2006123420A1 (ja) | 2005-05-20 | 2005-05-20 | データ処理システム |
Publications (1)
Publication Number | Publication Date |
---|---|
US20090132554A1 true US20090132554A1 (en) | 2009-05-21 |
Family
ID=37431004
Family Applications (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US11/914,912 Abandoned US20090132554A1 (en) | 2005-05-20 | 2005-05-20 | Data processing system |
US11/915,135 Expired - Fee Related US7865474B2 (en) | 2005-05-20 | 2006-07-27 | Data processing system |
Family Applications After (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US11/915,135 Expired - Fee Related US7865474B2 (en) | 2005-05-20 | 2006-07-27 | Data processing system |
Country Status (7)
Country | Link |
---|---|
US (2) | US20090132554A1 (zh) |
EP (2) | EP1901172A1 (zh) |
JP (2) | JP4087427B2 (zh) |
KR (1) | KR20080021677A (zh) |
CN (2) | CN101213528B (zh) |
CA (2) | CA2608156A1 (zh) |
WO (2) | WO2006123420A1 (zh) |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20100250623A1 (en) * | 2009-03-31 | 2010-09-30 | Microsoft Corporation | Generic editor for databases |
WO2013170064A2 (en) * | 2012-05-09 | 2013-11-14 | SunStone Information Defense Inc. | Methods and apparatus for identifying and removing malicious applications |
US10419410B2 (en) * | 2016-12-15 | 2019-09-17 | Seagate Technology Llc | Automatic generation of unique identifiers for distributed directory management users |
Families Citing this family (12)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101213528B (zh) * | 2005-05-20 | 2010-04-07 | Duaxes株式会社 | 数据处理系统 |
US20080060062A1 (en) * | 2006-08-31 | 2008-03-06 | Robert B Lord | Methods and systems for preventing information theft |
JPWO2008075426A1 (ja) * | 2006-12-20 | 2010-04-02 | デュアキシズ株式会社 | 通信制御装置及び通信制御方法 |
US7470320B1 (en) | 2007-06-07 | 2008-12-30 | Xerox Corporation | Nanosized particles of monoazo laked pigment with tunable properties |
US8126860B2 (en) * | 2007-07-17 | 2012-02-28 | Ricoh Company, Limited | Method and apparatus for processing data |
WO2009066346A1 (ja) * | 2007-11-19 | 2009-05-28 | Duaxes Corporation | ログ出力制御装置及びログ出力制御方法 |
WO2009066338A1 (ja) * | 2007-11-19 | 2009-05-28 | Duaxes Corporation | 通信制御装置 |
US8286219B2 (en) * | 2008-02-16 | 2012-10-09 | Xencare Software Inc. | Safe and secure program execution framework |
JP4894826B2 (ja) | 2008-07-14 | 2012-03-14 | ソニー株式会社 | 通信装置、通信システム、報知方法、及びプログラム |
US8381292B1 (en) * | 2008-12-30 | 2013-02-19 | The Uab Research Foundation | System and method for branding a phishing website using advanced pattern matching |
CN102231199A (zh) * | 2011-06-27 | 2011-11-02 | 中国建设银行股份有限公司 | 一种交易信息异步处理的方法及装置 |
US20170193041A1 (en) * | 2016-01-05 | 2017-07-06 | Sqrrl Data, Inc. | Document-partitioned secondary indexes in a sorted, distributed key/value data store |
Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20030225760A1 (en) * | 2002-05-30 | 2003-12-04 | Jarmo Ruuth | Method and system for processing replicated transactions parallel in secondary server |
Family Cites Families (22)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JPS6343446A (ja) * | 1986-08-11 | 1988-02-24 | Mitsubishi Electric Corp | パケツト交換装置 |
JPH03131141A (ja) * | 1989-10-16 | 1991-06-04 | Nippon Telegr & Teleph Corp <Ntt> | 光論理バス通信方式 |
JPH04180425A (ja) | 1990-11-15 | 1992-06-26 | Toshiba Corp | 通信システム |
JPH0675840A (ja) * | 1992-08-26 | 1994-03-18 | Hitachi Ltd | データベースメンテナンス方式 |
JP4000223B2 (ja) * | 1997-09-24 | 2007-10-31 | 富士通株式会社 | 情報検索方法,情報検索システムおよび同システム用検索管理装置 |
JPH11232279A (ja) | 1998-02-12 | 1999-08-27 | Kawasaki Steel Corp | 分割探索方法及び装置 |
JP2001051890A (ja) * | 1999-08-10 | 2001-02-23 | Toshiba Corp | 仮想分散ファイルサーバシステム |
JP2001168911A (ja) | 1999-12-09 | 2001-06-22 | Hitachi Cable Ltd | パケットフィルタ装置 |
JP3776278B2 (ja) * | 2000-02-07 | 2006-05-17 | 日本電信電話株式会社 | データベース処理システム |
JP3605343B2 (ja) | 2000-03-31 | 2004-12-22 | デジタルア−ツ株式会社 | インターネット閲覧制御方法、その方法を実施するプログラムを記録した媒体およびインターネット閲覧制御装置 |
JP3873027B2 (ja) | 2001-04-02 | 2007-01-24 | 株式会社インフォーエス | ビットストリングの検索装置および方法 |
JP3829702B2 (ja) | 2001-11-29 | 2006-10-04 | 横河電機株式会社 | フレーム同期装置及び方法 |
JP2003258997A (ja) * | 2002-02-27 | 2003-09-12 | Nippon Telegr & Teleph Corp <Ntt> | サービス制御ノードシステムの予備方式 |
JP2004140618A (ja) | 2002-10-18 | 2004-05-13 | Yokogawa Electric Corp | パケットフィルタ装置および不正アクセス検知装置 |
JP2004164435A (ja) | 2002-11-14 | 2004-06-10 | Nec Software Kyushu Ltd | 接続要求中継装置、フィルタリングシステム、方法、及びプログラム |
JP2004172917A (ja) | 2002-11-20 | 2004-06-17 | Nec Corp | パケット検索装置及びそれに用いるパケット処理検索方法並びにそのプログラム |
GB0227048D0 (en) * | 2002-11-20 | 2002-12-24 | 3Com Corp | Network units for use in and organisation of cascade systems |
JP2004187201A (ja) | 2002-12-06 | 2004-07-02 | Nippon Telegr & Teleph Corp <Ntt> | データ列検索用ノード,これを用いるデータ列検索方法並びにデータ列検索処理装置 |
JP4346975B2 (ja) | 2003-06-27 | 2009-10-21 | 株式会社ルネサステクノロジ | 連想メモリ機能付き集積回路及び侵入検知装置 |
JP2005084841A (ja) * | 2003-09-05 | 2005-03-31 | Patolis Corp | データベース検索システム、データベース検索プログラム、データベース検索方法 |
CN100448238C (zh) * | 2004-09-06 | 2008-12-31 | 恒生电子股份有限公司 | 离散数据集中处理系统 |
CN101213528B (zh) * | 2005-05-20 | 2010-04-07 | Duaxes株式会社 | 数据处理系统 |
-
2005
- 2005-05-20 CN CN2005800509256A patent/CN101213528B/zh not_active Expired - Fee Related
- 2005-05-20 WO PCT/JP2005/009246 patent/WO2006123420A1/ja active Application Filing
- 2005-05-20 CA CA002608156A patent/CA2608156A1/en not_active Abandoned
- 2005-05-20 JP JP2006552407A patent/JP4087427B2/ja not_active Expired - Fee Related
- 2005-05-20 EP EP05741571A patent/EP1901172A1/en not_active Withdrawn
- 2005-05-20 US US11/914,912 patent/US20090132554A1/en not_active Abandoned
- 2005-07-27 CN CN200580050928A patent/CN100590615C/zh not_active Expired - Fee Related
- 2005-07-27 KR KR1020077029633A patent/KR20080021677A/ko not_active Application Discontinuation
- 2005-07-27 CA CA002609130A patent/CA2609130A1/en not_active Abandoned
- 2005-07-27 JP JP2006552413A patent/JP4087428B2/ja not_active Expired - Fee Related
- 2005-07-27 EP EP05767291A patent/EP1901173A1/en not_active Withdrawn
- 2005-07-27 WO PCT/JP2005/013772 patent/WO2006123443A1/ja active Application Filing
-
2006
- 2006-07-27 US US11/915,135 patent/US7865474B2/en not_active Expired - Fee Related
Patent Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20030225760A1 (en) * | 2002-05-30 | 2003-12-04 | Jarmo Ruuth | Method and system for processing replicated transactions parallel in secondary server |
Cited By (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20100250623A1 (en) * | 2009-03-31 | 2010-09-30 | Microsoft Corporation | Generic editor for databases |
US8386429B2 (en) * | 2009-03-31 | 2013-02-26 | Microsoft Corporation | Generic editor for databases |
US8626715B2 (en) | 2009-03-31 | 2014-01-07 | Microsoft Corporation | Generic editor for databases |
WO2013170064A2 (en) * | 2012-05-09 | 2013-11-14 | SunStone Information Defense Inc. | Methods and apparatus for identifying and removing malicious applications |
WO2013170064A3 (en) * | 2012-05-09 | 2014-05-08 | SunStone Information Defense Inc. | Methods and apparatus for identifying and removing malicious applications |
US9659175B2 (en) | 2012-05-09 | 2017-05-23 | SunStone Information Defense Inc. | Methods and apparatus for identifying and removing malicious applications |
US10235524B2 (en) | 2012-05-09 | 2019-03-19 | SunStone Information Defense, Inc. | Methods and apparatus for identifying and removing malicious applications |
US11687653B2 (en) | 2012-05-09 | 2023-06-27 | SunStone Information Defense, Inc. | Methods and apparatus for identifying and removing malicious applications |
US10419410B2 (en) * | 2016-12-15 | 2019-09-17 | Seagate Technology Llc | Automatic generation of unique identifiers for distributed directory management users |
Also Published As
Publication number | Publication date |
---|---|
CA2608156A1 (en) | 2006-11-23 |
JPWO2006123420A1 (ja) | 2008-12-25 |
CA2609130A1 (en) | 2006-11-23 |
WO2006123443A1 (ja) | 2006-11-23 |
EP1901173A1 (en) | 2008-03-19 |
KR20080021677A (ko) | 2008-03-07 |
US20090216802A1 (en) | 2009-08-27 |
CN101213528B (zh) | 2010-04-07 |
US7865474B2 (en) | 2011-01-04 |
JP4087428B2 (ja) | 2008-05-21 |
WO2006123420A1 (ja) | 2006-11-23 |
CN101213529A (zh) | 2008-07-02 |
WO2006123443A8 (ja) | 2007-07-05 |
JP4087427B2 (ja) | 2008-05-21 |
JPWO2006123443A1 (ja) | 2008-12-25 |
EP1901172A1 (en) | 2008-03-19 |
CN101213528A (zh) | 2008-07-02 |
CN100590615C (zh) | 2010-02-17 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US7865474B2 (en) | Data processing system | |
US8073855B2 (en) | Communication control device and communication control system | |
US20080281716A1 (en) | Communication Control Device | |
US8417677B2 (en) | Communication management system, communication management method and communication control device | |
US8336092B2 (en) | Communication control device and communication control system | |
US8572759B2 (en) | Communication management system and communication management method | |
US20080270360A1 (en) | Data Processing Device | |
US8117305B2 (en) | Communication management system, communication management method, and communication control device | |
US20100299398A1 (en) | Communication control apparatus | |
US8463727B2 (en) | Communication management system and communication management method | |
US8019776B2 (en) | Determining device and determining method for determining processing to be performed based on acquired data | |
US8065322B2 (en) | Binary search circuit and method | |
US20100138181A1 (en) | Testing apparatus | |
JP4319246B2 (ja) | 通信制御装置及び通信制御方法 | |
KR20080017046A (ko) | 데이터 프로세싱 시스템 | |
JPWO2008075426A1 (ja) | 通信制御装置及び通信制御方法 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
AS | Assignment |
Owner name: DUAXES CORPORATION, JAPAN Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:NAGOYA, MITSUGU;REEL/FRAME:020529/0331 Effective date: 20080115 |
|
STCB | Information on status: application discontinuation |
Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION |