WO2002086717A1 - Computer virus check device and method - Google Patents

Publication number
WO2002086717A1
Authority
WO
WIPO (PCT)
Prior art keywords
pattern
data
memory
collation
collated
Application number
PCT/JP2002/003645
Inventor
Kiyotoshi Yoshii
Original Assignee
Xaxon R & D Corporation
Application filed by Xaxon R & D Corporation
Priority to JP2002584171A (JP4334231B2)
Publication of WO2002086717A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/145 Countermeasures against malicious traffic the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/567 Computer malware detection or handling, e.g. anti-virus arrangements using dedicated hardware

Definitions

  • the present invention relates to a device and method for checking computers for viruses.
  • WO97/12321 and WO97/39399 disclose programs for checking a computer for viruses and removing them. These conventional programs had the following inconveniences:
  • the pattern matching process for a computer virus check is normally a comparison between large volume data, so the time required for this process increases corresponding to the data volume (number of virus patterns to be detected).
  • Problem (B): In order to ensure high speed processing, the pattern data and pattern matching program had to be resident on the main memory, which took up a large space on the main memory.
  • the present invention aims at solving all of the above-mentioned problems (A) to (D) at the same time and providing means for executing a computer virus check at high speed.
  • the computer virus check device comprises a task queue memory for receiving and saving file information uniquely specifying a file containing data; a file buffer memory for acquiring and storing the file specified by said file information in said task queue memory; a pattern data memory for storing pattern data identifying a computer virus; one or more pattern matching circuits for collating the file stored in said file buffer memory against said pattern data and determining whether there is a matching pattern; a scheduler for activating at least one of said pattern matching circuits based on said file information in said task queue memory; and notification means for notifying the determination result of said pattern matching circuit in relation with said file information.
  • Fig. 1 is a functional block diagram of the device according to Embodiment 1 of the present invention.
  • Fig. 2 is an example of a table used for identifying files, etc.
  • Fig. 3 shows the concept of an example of a proxy server carrying plural devices according to the present invention.
  • Fig. 4 is an example of a table used for load distribution.
  • Fig. 5 is a model view showing the circuit layout of Embodiment 2 of the present invention.
  • Fig. 6 is a model view showing the circuit layout of Variation 1 of Embodiment 2 of the present invention.
  • Fig. 7 is a model view showing the circuit layout of Variation 2 of Embodiment 2 of the present invention.
  • Fig. 8 is a model view showing the circuit layout of Embodiment 3 of the present invention.
  • Fig. 9 is a model view showing an example of a circuit for removing whitespace.
  • Fig. 10A is a model view of Embodiment 4 of the present invention.
  • Fig. 10B is a rough flowchart of Embodiment 4 of the present invention.
  • Fig. 11 is a model view showing the structure of the device according to Embodiment 5 of the present invention.
  • Fig. 12 is an example of the index file data structure.
  • Fig. 13 is a flowchart of the operation of Embodiment 5 of the present invention.
  • Fig. 14 is a (continued) flowchart of the operation of Embodiment 5 of the present invention.
  • a computer comprising a host CPU 101 and a main memory 102 is connected to a network.
  • This computer is connected via a bus interface 201 to a computer virus check device 1 (hereinafter referred to as the "present device.")
  • Data received from the network using communication software executed by host CPU 101 is temporarily stored in main memory 102. If the data size is large, all or a portion of the data may be temporarily stored in an external storage device (not illustrated) that can be accessed by host CPU 101.
  • the data stored in main memory 102 constitutes a single or a plurality of data blocks of predetermined units such as communication session units, packet units, and file units (or a combination of different unit types). For purposes of convenience, a case where file units are used will be described hereinbelow.
  • the start address and data length of the data block stored in file units in main memory 102 are stored in a table in the main memory as shown in Fig. 2.
  • the program executed by the host CPU is called the "host process."
  • the data block stored in main memory 102 is described by host process 104.
  • the information in the above-referenced table will be called "task information."
  • host process 104 transfers all or a portion of the contents of said table to a task queue 202 of the present device via a bus interface 201.
  • the task queue is commonly formed by a FIFO (FIRST IN FIRST OUT) format memory or register set.
  • Upon detecting the transfer of task information to task queue 202, a scheduler 203 activates a DMA controller 204 of the present device. DMA controller 204 acquires the data block in main memory 102 based on the task information, places the information in a file buffer memory 205 of the present device, and notifies scheduler 203 of the readiness state of file buffer memory 205.
  • a plurality of data blocks may be transferred through direct memory access at the same time.
  • the activated scheduler 203 activates a pattern matching circuit 206 and passes the address and data length in file buffer memory 205 to this circuit.
  • all or a portion of them is selected according to a predetermined order.
  • Scheduler 203 and pattern matching circuit 206 are formed of a logical circuit or an equivalent computer program, a processor (host CPU 101 may take over this function), and a memory.
  • the activated pattern matching circuit 206 reads the pattern data from a pattern data memory
  • When circuit 206 detects a pattern match, it sets a flag 207 (switches predetermined bits of a flag register on).
  • a detection circuit 208 notifies host process 104 via bus interface 201.
  • Host process 104 (or a detection program 105 which is executed parallel to the host process) regularly polls the register of said detection circuit 208 via bus interface 201, for example, and thereby detects a change in flag 207. If there is a change, a notice is displayed on a display device warning the operator that a pattern identical to that of a computer virus has been detected.
  • detection circuit 208 itself may activate an indicator 209 comprising a light emitting diode or speaker and notify the operator of a detected pattern identical to that of a computer virus separately from the host process.
  • Pattern update device 211 comprises a pattern update program, a processor for executing this program, and a memory.
  • Pattern update program may be stored in the main memory (103 in Fig. 1), or host CPU 101 may take over the function of the processor.
  • the update data is acquired from a file server in a network, such as the Internet.
  • One method of performing the update is to equip pattern update device 211 with network connection means and connect to said file server via device 211.
  • a computer having network connection means may connect to the file server, and write the acquired update data in pattern data memory 210 via bus interface 201.
  • a plurality of pattern matching circuits 206 is connected in parallel.
  • Scheduler 203 distributes the plurality of data blocks in file buffer memory 205 among the respective pattern matching circuits 206 and activates the circuits.
  • To distribute the data among the circuits and activate the circuits means that, for example, after the information of the first data block (start address, data length, etc.) is passed to a first pattern matching circuit, the information of the second data block is passed to a second pattern matching circuit without waiting for the execution of the first pattern matching circuit to be finished. For example, the head address of the data block is passed to the first pattern matching circuit
  • bus interface 201 may be packaged in a one-chip semiconductor integrated circuit.
  • the control program of a computer having a plurality of the present devices mounted thereon, and the proxy server having the present device mounted thereon will be explained.
  • a case where a computer having two of the present device 402 (denoted by numeral 1 in Fig. 1), namely 402A and 402B, is used as proxy server 401 will be hereinafter explained.
  • the number of mounted present devices 402 is not limited to two.
  • the computer further comprises a network interface card 404 for connection with the Internet, and card 403 for connection with a LAN (LOCAL AREA NETWORK).
  • Port numbers may also be used in addition to the IP addresses.
  • Fig. 3 it is decided whether 402A or 402B should process the received packet data according to the description in the table in Fig. 4.
  • a processing counter 501 as shown in the table in Fig. 4, monitoring the count values, and distributing the load between 402A and 402B so that the processing counters 501 show roughly the same counts, a generally uniform load distribution can be realized.
  • a new IP address Px other than P1 - P3 is received, either 402A or 402B with the smaller count number is given priority, and Px is added to the table. Thereby, packet data having a new IP address can be adequately allocated.
  • the device comprises a MAC301 and a PHY302, and the present device as a whole fulfills the function of a network interface device (NIC).
  • This structure omits redundant data transfer.
  • When NIC 404 is independent from present device 402, data received across the Internet is transferred via host bus 106 to main memory 102, and thereafter from main memory 102 to present device 402. This means that the received data passes twice through host bus 106.
  • NIC 404 and present device 402 are the same device, so, applied to the device in Fig. 3, the data passes through host bus 106 one time less, thereby omitting redundant data transfer.
  • MAC 301 is called a media access controller, a device for managing communication procedures such as negotiations and handshakes between computers connected through an Ethernet network.
  • PHY 302 is called a physical layer, a device selecting the adequate equipment according to the type of cable, etc., for connecting to the network. For example, in the case of a 10BASE-T standard Ethernet, a twisted pair cable is used, so the device performs conversion from byte data to serial data and bit string to voltage signal, etc.
  • the data received from the network is sent from PHY 302 to MAC 301, then temporarily buffered in file buffer memory 205, and transferred via bus interface 201 to main memory 102.
  • setting the computer virus check on and off may be conducted for example by providing file buffer memory 205 with a set variable, and setting the variable via a computer program executed by host CPU 101. It is also possible to provide an electric contact switch for switching the above-mentioned flag on and off directly on the present device.
  • the received data is temporarily buffered in file buffer memory 205, then a decoder 303 (including a MIME decoder) is activated, and this decoder decodes the received data within the file buffer memory in data blocks of file format.
  • pattern matching circuit 206 is activated, and this circuit starts the computer virus check for the data portions for which decoding has finished.
  • DMA 204 is activated, and DMA 204 transfers the temporarily buffered, received data to main memory 102. For example, a set variable is provided in file buffer memory 205, and based thereon, the data before decoding or after decoding, whichever is selected, is transferred.
  • the computer virus check which requires a great calculation load, is processed by hardware separate from the host CPU, thereby reducing the load on the host CPU.
  • Embodiment 2 of the present invention relates to a data collation circuit included in pattern matching circuit 206, and particularly to a method and circuit for designating a wild card.
  • Fig. 5 is a model view showing the circuit layout of Embodiment 2.
  • This circuit comprises a collation pattern memory A (1101), a collated buffer memory B (1102) and a collation circuit 1201.
  • the buffer is illustrated as a FIFO buffer using a shift register on the side of collated memory B (1102).
  • collation pattern memory A (1101) with the shift register function.
  • Variation 1 of Embodiment 2: Fig. 6 is an embodiment of the present invention having a mask bit.
  • the collation circuit in Fig. 6 has a mask bit (M bit) that is on the higher order than the collation data value of the N bit of collation pattern memory A (1101).
  • the collation circuit (1201) calculates the logical product (AND) between the value of the mask bit M and the value of collated buffer memory B (1102), and then calculates the exclusive disjunction (XOR) between such output and the N bit section. Thereby, a wild card (unconditional match) is found for a bit for which the mask bit is zero.
  • the mask bit of all bits are zero, the logical product between the mask bit and collated buffer memory B (1102) is zero, so all N bits are treated as wild cards.
  • Fig. 7 shows Variation 2 of Embodiment 2.
  • a continuous data stream is input from the end of collated buffer memory B (1102).
  • the buffer memory can store data of greater size than the largest of the patterns to be collated.
  • the register group may also contain register shift function necessary to shift the pattern collation position.
  • a lookup table (1301) is provided using which the head K byte of collated buffer memory B (1102) can be accessed as an index I.
  • a value showing whether a pattern having index I as its head K byte exists is written into this lookup table.
  • Fig. 7 shows an example of a pointer showing the head address of the pattern list.
  • a maximum value m of the bit width that can be saved in the lookup table is defined, and when there are m patterns or more that have index I as the head K byte, a specific value denoting that m has been exceeded may be written in the lookup table.
  • When index I is used to access lookup table (1301) and the number of patterns corresponding to index I is found to be zero, the pattern collation ends. At this time, a termination signal can be output to trigger the register shift function of the input buffer, thereby going on to the next pattern collation.
  • Value P of the lookup table that is positioned corresponding to index I is one of the inputs of the pattern collation circuit that will be described below.
  • the value to be written in lookup table (1301) is determined as follows. First, all values of the lookup table are set to initial value Z. Then, the index is calculated for all patterns to be collated in order. If the pattern length is shorter than the input buffer length, a value showing that the short portion is a wild card is input. This value is written only for a minimum length, i.e., up to the rear end of a specific position necessary for calculating the index. The byte value of the specific position necessary for index calculation is read, and index I is calculated by combining the read value, or by using a predetermined formula. Then, the value of the position corresponding to index I of the lookup table is increased. If the predetermined maximum value m is exceeded, the value is not increased above maximum value m. Furthermore, this value may be calculated in advance before using this circuit, and only the final value may be written in the lookup table, or alternatively, this initialization rule may be integrated as an initialization circuit.
  • Pattern collation circuit (1201) receives the above-mentioned value P of the lookup table. If value P is a value showing that there is no corresponding pattern, pattern collation operation is not performed. If value P is a value showing that a corresponding pattern exists, a pattern list storing multiple patterns corresponding to index I in collation pattern memory A (1101) is accessed. This pattern list may exist at a position succeeding value P of the lookup table, or a separate lookup table may be referenced, or instead, a pointer showing the pattern list may be written in the lookup table and the pattern list may be referenced by using this pointer.
  • the pattern list stores the portion of the pattern that was not used for calculation of index I. Although it is possible to also store the portion used for calculating index I and use it in the pattern collation, it is omitted in advance to avoid redundant circuits. Furthermore, it is also possible to store the pattern number together with the pattern as a set, allowing distinction of the matching pattern.
  • the output of the pattern collation circuit is whether a matching pattern exists.
  • the matching pattern number is also output as necessary. If the pattern is of variable length, there are two methods of storing the pattern. One is to store the remaining pattern length, and the other is to store a wild card that matches with arbitrary data for the portion of the pattern lacking in length for reference by the collation circuit. According to the first method, bytes after the pattern length are always determined to be matching, and according to the second method, the collation circuit determines that the wild card matches with arbitrary bytes.
  • Embodiment 2, Variation 1 and Variation 2 may also be used in combination with one another.
  • a wild card may be designated for the collation pattern bytes, thereby improving retrieval efficiency and reducing the consumption of the used memory. Furthermore, according to Variation 2, a portion of the pattern is used as an index to refer to the lookup table, thereby reducing linear search processing and improving collation speed. Thereby, the time required for collation is less dependent on pattern number or type, thereby realizing pattern collation with less deviation in processing time.
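The mask-bit wildcard of Variation 1 and the head-K-byte lookup table of Variation 2 can be modelled together in software. The following is an added example, not code from the patent; it assumes K = 2, a saturation value m = 255, an initial value Z = 0, exact (non-wildcard) head bytes, and constructed byte patterns that are not real virus signatures.

```python
K = 2          # head bytes used to form index I (assumed value)
M_MAX = 255    # saturation value m for a lookup-table entry (assumed)
Z = 0          # initial table value: no pattern has this head


def masked_match(window: bytes, value: bytes, mask: bytes) -> bool:
    """Collation rule from the text, per byte: (M AND B) XOR N == 0.

    B is the collated data, N the pattern value, M the mask. A mask bit of
    zero makes that bit a wildcard, provided N is also zero at that bit.
    """
    if len(window) < len(value):
        return False  # not enough data left to collate the whole pattern
    return all(((m & b) ^ n) == 0 for b, n, m in zip(window, value, mask))


class Collator:
    def __init__(self):
        self.table = [Z] * (256 ** K)   # lookup table 1301
        self.lists = {}                 # index I -> [(number, tail, tail mask)]

    def add(self, number: int, value: bytes, mask: bytes) -> None:
        if len(value) != len(mask) or len(value) < K:
            raise ValueError("value and mask must be equal length, >= K bytes")
        if any(m != 0xFF for m in mask[:K]):
            raise ValueError("head K bytes form the index and must be exact")
        # Zero the wildcard bits of N; otherwise the XOR could never be zero.
        value = bytes(v & m for v, m in zip(value, mask))
        index = int.from_bytes(value[:K], "big")
        self.table[index] = min(self.table[index] + 1, M_MAX)  # saturate at m
        # Only the part not used for the index is stored in the pattern list.
        self.lists.setdefault(index, []).append((number, value[K:], mask[K:]))

    def scan(self, data: bytes):
        """Return ([(offset, pattern number)], positions skipped by the table)."""
        hits, skipped = [], 0
        for pos in range(len(data) - K + 1):
            index = int.from_bytes(data[pos:pos + K], "big")
            if self.table[index] == Z:
                skipped += 1            # collation ends here; shift the buffer
                continue
            for number, tail, tmask in self.lists[index]:
                window = data[pos + K:pos + K + len(tail)]
                if masked_match(window, tail, tmask):
                    hits.append((pos, number))
        return hits, skipped


def demo():
    c = Collator()
    # Constructed patterns: 1 has a whole-byte wildcard, 3 a low-nibble wildcard.
    c.add(1, b"\xde\xad\x99\xbe\xef", b"\xff\xff\x00\xff\xff")
    c.add(2, b"\xde\xad\x01", b"\xff\xff\xff")
    c.add(3, b"\xca\xfe\x40", b"\xff\xff\xf0")
    stream = b"\x00\xde\xad\x7f\xbe\xef\x11\xca\xfe\x4a\xde\xad\x01"
    return c.scan(stream)


if __name__ == "__main__":
    print(demo())
```

Nine of the twelve window positions in the constructed stream are rejected by the table alone, which is the effect the text attributes to Variation 2.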
  • Embodiment 3
  • Embodiment 3 relates to a whitespace processing circuit contained in pattern matching circuit 206.
  • Fig. 8 is a block view of a circuit relating to Embodiment 3.
  • Input data buffer 2101 is a FIFO (FIRST IN FIRST OUT) type memory, functioning to temporarily store excess input and handing down the data to the next step.
  • multi-byte character determination circuit 2102 can be realized by defining the first byte of each input multi-byte character string as C, and combining a comparison circuit with a logical circuit as follows: ((0x81 ≤ C) AND (C ≤ 0x9F)) OR ((0xE0 ≤ C) AND (C ≤ 0xEF))
  • 0x denotes a hexadecimal number
  • the data is assumed to be a multi-byte character, and if false, a single byte character.
  • a character code identified to be a non-leading byte of the multi-byte character (second byte onward) bypasses the following process and is directly input in collated data buffer memory 2110.
  • multi-byte character determination circuit 2102 one succeeding byte from the input data buffer is acquired and copied unconditionally in collated data buffer memory 2110, thereby processing two-byte characters, etc.
  • multi-byte character determination circuit 2102 can be set to be bypassed (made invalid) by an establishment register 2201.
  • multi-byte status register 2203 is used to save the shift status.
  • multi-byte status register stores "1," and during the time when "1" is stored, the data is determined as multi-byte, bypassing the succeeding circuit and directly input in collated data buffer memory 2110.
  • the shift status register is reset to zero, and the following input data is treated as a single byte character again.
  • Switching between the JIS code and the shift JIS code may also be conducted by establishment register 2201.
  • the data is input in whitespace removal circuit 2103.
  • Fig. 9 shows an example of the whitespace removal circuit.
  • the device in Fig. 9 stores a code corresponding to whitespace in the character recordation register 202, and determines whitespace based on whether any of the codes in the register matches with said input data C. If the number of character types to be defined as whitespace is very large (e.g., several thousand bytes), a RAM may be used.
  • the character codes determined as small letters are converted to capital letters. Conversion of a small letter (C) to a capital letter (C') is conducted for example as follows: C' ← (C AND 0xBF). The input data after the series of processing steps above is input in collation circuit 2111, then input in collated data buffer memory 2110, and then collated against the data in collation pattern memory 2112. As a result of collation, if for example the exclusive disjunction (XOR) for each byte is zero, then it is assumed that there is a match.
  • a flag establishing a bypass for each of circuits 2102 to 2105 is provided in establishment register 2201, operable for example by a computer connected to the establishment register.
  • Embodiment 4 of the present invention relates to a method and device for detecting data patterns through multi-stage collation.
  • Figs. 10A and 10B show an embodiment of the present invention. Computer viruses within network traffic are detected.
  • a host CPU 3101 established as a gateway to a network is provided with a first NIC (Network Interface Computer) 3102 and a second NIC 3103, with each of the NICs relaying data as gateways between networks (proxy servers). They may also be used together with software having firewall function.
  • Host CPU 3101 is provided with a first subsystem 3201 connected via a bus 3106, the subsystem having a checksum calculation circuit 3203 together with a FIFO 3202 of n bytes (step 1 to step n) and a pattern collation circuit 3204, and a RAM (Random Access Memory) 3205 storing data patterns.
  • the RAM is preferably a flash memory or other nonvolatile memory.
  • RAM 3205 stores at least one or more calculated checksum values of specific consecutive n bytes within computer virus data for each of the computer viruses.
  • RAM 3205 stores a data string extracted from the data area characterizing the computer virus for each of the computer viruses.
  • Main memory 3104 accessible by host CPU 3101 reads computer virus detection software 3105, which is executed by host CPU 3101.
  • computer virus detection software 3105 was executed for all data passing through NIC 3102 and 3103, which required large processing time.
  • the present invention conducts the processing according to the flow below. First, the data input from NIC 3102 (or 3103) is unfolded in main memory 3104 by connecting the divided packets according to a sequence code.
  • circuit 3210 mounted in subsystem 3201 activates the DMA circuit and transfers the data in the main memory to a submemory 3209.
  • the DMA circuit is activated by accessing the control register of DMA circuit 3208 mapped within the address space of host CPU 3101. During the data transfer to submemory 3209 by the DMA, the data passes through a FIFO
  • the checksum is calculated in real time. Specifically, when data d' of the output step (step n in Fig. 10) of FIFO (3202) is abandoned with the FIFO shift, data d' is subtracted from accumulator register 3206. On the other hand, whenever a new value d is input in the input step (step 1 in Fig. 10), value d is added to accumulator register 3206. Thereby, accumulator register 3206 constantly holds an updated value corresponding to the checksum of all FIFO steps (steps 1 to n).
  • the accumulator register (for value An) conducts inverse operation of a predetermined arithmetic expression for the abandoned data, and An' is calculated.
  • the value (An') of the accumulator register and the input data d are used in the operation of said arithmetic operation, and (An+1) is calculated.
  • the contents of RAM 3205 storing the checksum data calculated for assumed data patterns are collated against the checksum value stored in accumulator register 3206 via pattern collation circuit 3204. If a pattern match is found as result of the collation, the pattern number of the matching pattern is output to register 3207. At the same time, an interruption is given to host CPU 3101, or a control register is provided, the address space of the host CPU is mapped so the host CPU can access the control register, the control register is flagged, and the flag is polled by the host CPU.
  • pattern collation is conducted (rough collation), and the data screened (sieved) by the results are divided into data that are possibly infected by a computer virus, and data that are not.
  • the data that are possibly infected are repeatedly screened with changing pattern data in a similar way as above.
  • Data for which the possibility of computer virus infection is determined zero as result of passing through the above procedure at least once is output to the network via NIC 3103 (or 3102).
  • the present invention may also be realized only by software without using any hardware.
  • subsystem 3201 in Fig. 10 is unnecessary, realizing the screening process including the above-mentioned pattern collation process with software having all of the collation process read in host CPU 3101 and main memory 3104.
  • the computer virus check device realizing the method according to the present device has higher throughput compared to the conventional art, so it can be applied to network gateway devices and computer virus check devices for large scale network storage devices. Furthermore, an access restriction device can also be realized that cuts off the relay of web sites and electronic mails containing predetermined terms by using pattern data calculated based on predetermined terms, character strings and network addresses, such as URLs, instead of the pattern data for computer viruses. This type of device can be applied to network gateway devices for educational facilities in order to cut off the reading of terms that are not suitable for minors. Conducting screening through rough collation and reducing the data volume passing through time-consuming processes enables considerable improvement of the throughput of the device as a whole.
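The rough collation of Embodiment 4 can be modelled in software as a sliding checksum followed by a confirming comparison. The following is an added example, not code from the patent; it assumes n = 8, a plain byte sum modulo 2^16 as the "predetermined arithmetic expression", an exact byte comparison as the second stage, and a constructed signature and stream.

```python
from collections import deque

N = 8              # FIFO depth n (assumed value)
MOD = 1 << 16      # accumulator width (assumed: 16-bit additive checksum)

# Constructed sample data, not a real virus signature.
SIGNATURES = {1: b"EXAMPLE1"}
# The stream holds an anagram of the signature (same byte sum) at offset 2
# and the signature itself at offset 12.
SAMPLE_STREAM = b"xx1ELPMAXExxEXAMPLE1xx"


def checksum(block: bytes) -> int:
    return sum(block) % MOD


def build_rough_table(signatures):
    """Checksum value -> pattern numbers (the contents of RAM 3205)."""
    table = {}
    for number, sig in signatures.items():
        if len(sig) != N:
            raise ValueError("each signature must be exactly N bytes")
        table.setdefault(checksum(sig), []).append(number)
    return table


def screen(data: bytes, signatures):
    """Two-stage screening.

    Returns (rough_hits, confirmed), each a list of (offset, pattern number).
    rough_hits are windows whose checksum equals a stored checksum;
    confirmed are the rough hits that also match byte for byte.
    """
    table = build_rough_table(signatures)
    fifo = deque()
    acc = 0                      # accumulator register 3206
    rough_hits, confirmed = [], []
    for pos, d in enumerate(data):
        if len(fifo) == N:
            # Inverse operation for the byte d' leaving the FIFO.
            acc = (acc - fifo.popleft()) % MOD
        fifo.append(d)
        acc = (acc + d) % MOD    # forward operation for the new byte d
        if len(fifo) < N:
            continue             # FIFO not yet full
        start = pos - N + 1
        for number in table.get(acc, ()):
            rough_hits.append((start, number))
            # Second stage runs only on data the rough stage let through.
            if bytes(fifo) == signatures[number]:
                confirmed.append((start, number))
    return rough_hits, confirmed


def demo():
    return screen(SAMPLE_STREAM, SIGNATURES)


if __name__ == "__main__":
    rough, sure = demo()
    print("rough hits:", rough)
    print("confirmed: ", sure)
```

The anagram window shows why the checksum stage can only screen: an additive checksum is order-insensitive, so every rough hit still needs the slower collation before it counts as a detection.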
  • Embodiment 5
  • Embodiment 5 of the present invention relates to a method and device for reducing the load on the computer virus detection device by using a cache system.
  • Fig. 11 shows an embodiment of the present invention. Shown is a gateway proxy server for detecting a computer virus within computer network traffic.
  • Server 4101 placed at a relay point of a computer network functions as a proxy server for data relay between an external server 4201 and a client computer 4301, both connected through a network.
  • Server 4101 comprises a memory 4103 that stores software 4132 for performing a virus check for data to be relayed and a CPU 4102 for driving the software, a mass storage device 4141, and an NIC (Network Interface Computer) 4110.
  • the NIC is connected with the CPU and the memory via a bus.
  • the NIC and the memory are connected by the same bus, but they may be connected by separate buses.
  • the memory is a RAM.
  • the memory stores an index file 4131 for storing information on all files for which virus check has ended.
  • An example of the data structure of index file 4131 is shown in Fig. 12.
  • storing an index file in memory functions to enhance access speed to the index file, and in order to ensure permanent storage, the index file is written and stored from time to time in the mass storage device.
  • a hard disk device may be used as the mass storage device.
  • File demand requests from client computer 301 are issued and processed according to procedures such as HTTP protocols and FTP protocols.
  • File demand requests are mediated by server 101 (Step 1002), and collated first against index file 131 (Step 1003).
  • the file demand request is transferred to an external server 4201 in the network (Step 1005).
  • External server 4201 sends the file specified by the request.
  • the file sent from external server 4201 is returned to server 4101 (Step 1005), and undergoes a virus check by virus check software, etc., 4132 (Step 1006).
  • If no virus is detected as a result of the virus check, a copy of the file entity is stored in mass storage device 4104 as cache file 4141, and at the same time, index file 4131 is updated (Step 1008).
  • the virus check software, etc., 4132 attempts the extermination of the virus (Step 1101). If the software succeeds in exterminating the virus, the software sets a virus extermination flag on and stores the file after virus extermination in mass storage device 4104 and updates index file 4131 (Steps 1104, 1105).
  • the software sets the virus extermination flag off and makes an addition to index file 4131 (Steps 1106, 1107).
  • the file entity infected by the virus is not stored in mass storage device 4104.
  • the virus infection flag is not on, this means that the file, not infected by a virus, has been acquired, so the entity of cache file 4141 specified by the index is fetched from mass storage device 4104 (Step 1013) and the file is sent to the client that sent the demand request (Step 1009).
  • If the virus infection flag is on at Step 1011 and the virus extermination flag is also on, this means that the file entity after virus extermination exists in mass storage device 4104, so the file entity is fetched and sent to the client. If the file extermination flag is off, the demanding client is notified of the virus infection and file transmission stops (Step 1015).
  • the notification of virus infection may be made via electronic mail. It is also possible to send a virus-warning file instead of the demanded file to alert the user.
  • Index file 4131 may be copied for example once an hour in mass storage device 4104 to ensure permanent storage.
  • If a cache system is provided, a copy of the file itself after virus check is saved in the mass storage device, and the saved date and time is recorded in the index file.
  • the saved date and time is repeatedly checked at fixed intervals, and after a predetermined period has elapsed (e.g., 24 hours), the file entity is deleted from mass storage device 4104, and at the same time, the index information for such file is also deleted from index file 4131.
  • a file after virus check that has once been acquired remains within the mass storage device for a predetermined period, so when there is a request for the same file, the file can simply be acquired from the mass storage device, saving the communication time with external server 4201 and the time for conducting a virus check for such file.
  • server 4101 checks whether a request for the same file already exists in index file 4131 (Step 1002).
  • the flag is checked, and if there is no computer virus infection, the file is fetched from mass storage device 4104 and sent to the client. In this case, there is no need to access external server 4201, and there is also no need to conduct a virus check again for the same file, so high-speed response and reduced server load can be expected.
  • a computer virus check device can be realized that monitors network traffic between networks in real time.
  • the burden placed by the computer virus check device can be reduced, enabling processing of much network traffic with small resources.
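
As an added illustration (not code from the patent), the index lookup, the two flags and the 24-hour expiry described above can be modelled as follows. `ScanningCache`, `toy_scan`, the `MARK` byte pattern and the sample files are hypothetical names and constructed data, and expiring blocked index entries on the same schedule as cached files is an assumption.

```python
import time
from dataclasses import dataclass

TTL_SECONDS = 24 * 3600  # retention period; 24 hours is the page's example value

@dataclass
class IndexEntry:
    infected: bool       # virus infection flag
    exterminated: bool   # virus extermination flag
    saved_at: float      # saved date and time

class ScanningCache:
    def __init__(self, fetch, scan, clock=time.time):
        self.fetch, self.scan, self.clock = fetch, scan, clock
        self.index = {}   # name -> IndexEntry (models the index file)
        self.store = {}   # name -> bytes (file entities in mass storage)
        self.external_fetches = 0

    def expire(self):  # drop entity and index information after the period
        now = self.clock()
        for name in [n for n, e in self.index.items() if now - e.saved_at >= TTL_SECONDS]:
            del self.index[name]
            self.store.pop(name, None)

    def request(self, name):
        self.expire()
        entry = self.index.get(name)
        if entry is None:                      # not indexed: ask the external server
            data = self.fetch(name)
            self.external_fetches += 1
            infected, cleaned = self.scan(data)
            entry = IndexEntry(infected, infected and cleaned is not None, self.clock())
            self.index[name] = entry
            if not infected:
                self.store[name] = data        # clean copy is cached
            elif cleaned is not None:
                self.store[name] = cleaned     # only the disinfected copy is stored
        if entry.infected and not entry.exterminated:
            return ("blocked", None)           # notify the client, stop transmission
        return ("ok", self.store[name])

# Constructed sample data: MARK stands in for a virus pattern.
MARK = b"<<SIG>>"
ORIGIN = {"a.txt": b"hello", "b.bin": b"x" + MARK + b"y", "c.bin": b"!" + MARK}

def toy_scan(data):  # hypothetical scanner: (infected, cleaned bytes or None)
    if MARK not in data:
        return (False, None)
    return (True, None if data.startswith(b"!") else data.replace(MARK, b""))
```

A file cached as clean is served without rescanning until it expires, so the retention period also bounds how long a verdict produced with older virus patterns keeps being reused.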

PCT/JP2002/003645 2001-04-16 2002-04-12 Computer virus check device and method WO2002086717A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
JP2002584171A JP4334231B2 (ja) 2001-04-16 2002-04-12 コンピュータウイルス検査装置及び半導体集積回路

Applications Claiming Priority (10)

Application Number Priority Date Filing Date Title
JP2001116347 2001-04-16
JP2001-116347 2001-04-16
JP2001184010 2001-06-18
JP2001-184010 2001-06-18
JP2001-186108 2001-06-20
JP2001186108 2001-06-20
JP2001-213484 2001-07-13
JP2001213484 2001-07-13
JP2001-234498 2001-08-02
JP2001234498 2001-08-02

Publications (1)

Publication Number Publication Date
WO2002086717A1 true WO2002086717A1 (en) 2002-10-31

Family

ID=27531869

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2002/003645 WO2002086717A1 (en) 2001-04-16 2002-04-12 Computer virus check device and method

Country Status (2)

Country Link
JP (2) JP4334231B2 (ja)
WO (1) WO2002086717A1 (ja)

Cited By (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB2406485A (en) * 2003-09-11 2005-03-30 Detica Ltd Hardware detection of predermined bit patterns in data packets
JP2006012164A (ja) * 2004-06-21 2006-01-12 Microsoft Corp アイテムストア用のアンチウイルス
US7987466B2 (en) 2005-08-22 2011-07-26 Hitachi, Ltd. Storage system
EP2458523A1 (en) * 2010-11-30 2012-05-30 Samsung SDS Co. Ltd. Anti-malware scanning system and method thereof
WO2013141545A1 (ko) * 2012-03-21 2013-09-26 삼성에스디에스 주식회사 안티-멀웨어 시스템 및 상기 시스템에서의 데이터 처리 방법
WO2013191833A1 (en) * 2012-06-21 2013-12-27 Cisco Technology, Inc. Method and device for secure content retrieval
US9098703B2 (en) 2010-08-19 2015-08-04 Samsung Sds Co., Ltd. SOC with security function and device and scanning method using the same
EP1714229B1 (de) 2004-08-02 2015-11-18 Mahltig Management- und Beteiligungs GmbH Sicherheitsmodul und verfahren zum steuern und kontrollieren eines datenverkehrs eines personalcomputers
US20170093894A1 (en) * 2007-06-05 2017-03-30 Dell Software Inc. Notification for reassembly-free file scanning
US9699210B2 (en) 2012-09-26 2017-07-04 Fujitsu Limited Data processing device that executes virus countermeasure processing, data processing method, and recording medium storing a data processing program
CN113553585A (zh) * 2020-04-24 2021-10-26 新唐科技股份有限公司 病毒防护芯片及病毒防护方法
CN113646751A (zh) * 2019-04-01 2021-11-12 宜日网络有限公司 通讯系统、信息提供装置、程序及信息提供方法

Families Citing this family (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2007026423A1 (ja) * 2005-08-31 2007-03-08 Matsushita Electric Industrial Co., Ltd. Icモジュールおよびicモジュールを搭載した携帯通信端末
SE534099C2 (sv) * 2008-06-02 2011-04-26 Klaus Drosch Anordning för att skydda data
US8489534B2 (en) * 2009-12-15 2013-07-16 Paul D. Dlugosch Adaptive content inspection
US9392005B2 (en) * 2010-05-27 2016-07-12 Samsung Sds Co., Ltd. System and method for matching pattern
KR101279213B1 (ko) * 2010-07-21 2013-06-26 삼성에스디에스 주식회사 시스템 온 칩 기반의 안티-멀웨어 서비스를 제공할 수 있는 디바이스 및 그 방법과 인터페이스 방법
JP5738042B2 (ja) * 2011-03-31 2015-06-17 株式会社ラック ゲートウェイ装置、情報処理装置、処理方法およびプログラム
WO2014030300A1 (ja) * 2012-08-23 2014-02-27 日本電気株式会社 マッチングシステム、マッチング方法およびマッチングプログラム
JP5893787B2 (ja) * 2015-04-21 2016-03-23 株式会社ラック 情報処理装置、処理方法およびプログラム
JP6711000B2 (ja) * 2016-02-12 2020-06-17 日本電気株式会社 情報処理装置、ウィルス検出方法及びプログラム
JP7304039B2 (ja) * 2019-04-01 2023-07-06 e-Janネットワークス株式会社 通信システム

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JPS61256440A (ja) * 1985-05-10 1986-11-14 Hitachi Ltd 比較回路
JPS63225824A (ja) * 1987-03-16 1988-09-20 Agency Of Ind Science & Technol 集合演算方式
JPH01159729A (ja) * 1987-12-16 1989-06-22 Nec Corp 記号列照合メモリおよびそのカスケード接続方式
JPH01266623A (ja) * 1988-04-18 1989-10-24 Nec Corp 一致検出回路
JPH08179942A (ja) * 1994-12-27 1996-07-12 Hitachi Ltd 免疫ic,およびそれを用いた免疫icカードとコンピュータ
JPH09171493A (ja) * 1995-12-20 1997-06-30 Fuji Electric Co Ltd データ転送装置
JPH10222346A (ja) * 1997-01-31 1998-08-21 Matsushita Electric Ind Co Ltd 情報処理装置
JPH10307776A (ja) * 1997-05-06 1998-11-17 Nec Niigata Ltd コンピュータウイルス受信監視装置及びそのシステム
JP2000200278A (ja) * 1998-12-28 2000-07-18 Kuikku:Kk テキストフィルタリングシステム及びテキストフィルタリング方法

Cited By (22)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
GB2406485A (en) * 2003-09-11 2005-03-30 Detica Ltd Hardware detection of predermined bit patterns in data packets
GB2406485B (en) * 2003-09-11 2006-09-13 Detica Ltd Real-time network monitoring and security
JP2006012164A (ja) * 2004-06-21 2006-01-12 Microsoft Corp アイテムストア用のアンチウイルス
EP1714229B1 (de) 2004-08-02 2015-11-18 Mahltig Management- und Beteiligungs GmbH Sicherheitsmodul und verfahren zum steuern und kontrollieren eines datenverkehrs eines personalcomputers
US7987466B2 (en) 2005-08-22 2011-07-26 Hitachi, Ltd. Storage system
US8220000B2 (en) 2005-08-22 2012-07-10 Hitachi, Ltd. System and method for executing files stored in logical units based on priority and input/output load of the logical units
US20170093894A1 (en) * 2007-06-05 2017-03-30 Dell Software Inc. Notification for reassembly-free file scanning
US10686808B2 (en) 2007-06-05 2020-06-16 Sonicwall Inc. Notification for reassembly-free file scanning
US10021121B2 (en) * 2007-06-05 2018-07-10 Sonicwall Inc. Notification for reassembly-free file scanning
US9098703B2 (en) 2010-08-19 2015-08-04 Samsung Sds Co., Ltd. SOC with security function and device and scanning method using the same
CN102592073A (zh) * 2010-11-30 2012-07-18 三星Sds株式会社 反恶意软件扫描系统及其方法
US8719931B2 (en) 2010-11-30 2014-05-06 Samsung Sds Co., Ltd. Anti-malware scanning system and method thereof
EP2458523A1 (en) * 2010-11-30 2012-05-30 Samsung SDS Co. Ltd. Anti-malware scanning system and method thereof
CN103959300A (zh) * 2012-03-21 2014-07-30 三星Sds株式会社 反恶意程序系统及该系统中的数据处理方法
WO2013141545A1 (ko) * 2012-03-21 2013-09-26 삼성에스디에스 주식회사 안티-멀웨어 시스템 및 상기 시스템에서의 데이터 처리 방법
US9736260B2 (en) 2012-06-21 2017-08-15 Cisco Technology, Inc. Redirecting from a cloud service to a third party website to save costs without sacrificing security
WO2013191833A1 (en) * 2012-06-21 2013-12-27 Cisco Technology, Inc. Method and device for secure content retrieval
US9699210B2 (en) 2012-09-26 2017-07-04 Fujitsu Limited Data processing device that executes virus countermeasure processing, data processing method, and recording medium storing a data processing program
CN113646751A (zh) * 2019-04-01 2021-11-12 宜日网络有限公司 通讯系统、信息提供装置、程序及信息提供方法
CN113646751B (zh) * 2019-04-01 2024-05-28 宜日网络有限公司 通讯系统、信息提供装置、程序及信息提供方法
CN113553585A (zh) * 2020-04-24 2021-10-26 新唐科技股份有限公司 病毒防护芯片及病毒防护方法
CN113553585B (zh) * 2020-04-24 2024-03-12 新唐科技股份有限公司 病毒防护芯片及病毒防护方法

Also Published As

Publication number Publication date
JP2009223908A (ja) 2009-10-01
JP4392461B2 (ja) 2010-01-06
JP4334231B2 (ja) 2009-09-30
JP2004528651A (ja) 2004-09-16

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NO NZ OM PH PL PT RO RU SD SE SG SI SK SL TJ TM TN TR TT TZ UA UG US UZ VN YU ZA ZM ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
WWE Wipo information: entry into national phase

Ref document number: 2002584171

Country of ref document: JP

REG Reference to national code

Ref country code: DE

Ref legal event code: 8642

122 Ep: pct application non-entry in european phase