WO2005117374A1 - Relay device, packet filtering method, and packet filtering program - Google Patents
- Publication number
- WO2005117374A1 (PCT/JP2005/009632)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- packet
- received
- verification
- order
- payload
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L47/00—Traffic control in data switching networks
- H04L47/10—Flow control; Congestion control
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0227—Filtering policies
- H04L63/0245—Filtering by information in the payload
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L12/00—Data switching networks
- H04L12/02—Details
- H04L12/22—Arrangements for preventing the taking of data from a data transmission channel without authorisation
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L12/00—Data switching networks
- H04L12/66—Arrangements for connecting between networks having differing types of switching systems, e.g. gateways
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L47/00—Traffic control in data switching networks
- H04L47/10—Flow control; Congestion control
- H04L47/34—Flow control; Congestion control ensuring sequence integrity, e.g. using sequence numbers
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/1458—Denial of Service
Definitions
- The present invention relates to a relay device that relays a communication message packet by packet, a packet filtering method in the relay device, and a packet filtering program.
- A message that violates an application layer protocol has the cause of its illegality in the content of the data, that is, in the payload of the packet (the body of data originally intended to be transferred, excluding the header information in the packet). It is therefore not detected by packet filtering that detects illegal data by referring to header information. To detect an illegal message in an application layer protocol, it is necessary to refer to the contents of the data, and an application gateway can detect such an illegal message in this way (for example, see Non-Patent Document 1 below).
- Non-patent Document 1 Yukio Ito, Masayoshi Shido, Osamu Noro, "Illustrations: Standard Latest VPN, N-Book” Shuwa System, May 2003, p.
- The application gateway is a type of proxy interposed between the server and the client, and monitors transmitted and received data as a message stream. That is, the application gateway reconstructs the data flowing through the network as packets into a communication message, and detects fraud by analyzing the reconstructed communication message. Because the application gateway does not relay the packets until it determines that the communication message is not illegal, the flow of packets in the network is interrupted, causing a communication delay. In addition, since the application gateway detects illegal communication messages protocol by protocol, as many application gateways as there are protocols are required.
- The present invention has been made to solve the above-described problem, and its object is to provide a relay device, a packet filtering method, and a packet filtering program that can detect an illegal communication message in an application layer protocol, regardless of the type of protocol, while preventing an increase in communication delay.
- A relay device is a relay device that relays a communication message packet by packet, and includes: order determining means for determining whether a received packet has been received in the order in which it should be received; packet holding means for holding the packet and performing control so that the packet is relayed when the order determining means determines that the packet was not received in the order in which it should be received; merging means for determining, based on the order in which packets should be received, whether a packet held by the packet holding means should be verified together with a packet received after it was held, and for merging the payload of the received packet with the payload of the held packet based on that determination; verification means for verifying, when the order determining means determines that the packet was received in the order in which it should be received, whether the payload of the packet or the payload merged by the merging means satisfies a predetermined rule, and for holding information on the content of the verification for use in the next verification of the communication message; and relay control means for performing control so that the packet is relayed when the verification means determines that the packet satisfies the rule, and for controlling relay of the packet when the rule is not satisfied.
- It is preferable that the verification by the verification means and the holding of the information on the verification content be performed using an automaton, for example.
- By using an automaton, the rules for verifying and for retaining the verification content can be described declaratively, making rule creation, verification, and maintenance easier.
- the present invention can be described as an invention of a packet filtering method and a packet filtering program as described below, in addition to being described as an invention of a relay apparatus as described above.
- A packet filtering method is a packet filtering method in a relay device that relays a communication message packet by packet, and includes: an order determining step of determining whether a received packet has been received in the order in which it should be received; a packet holding step of holding the packet and performing control so that the packet is relayed when it is determined in the order determining step that the packet was not received in the order in which it should be received; and a merging step of determining, based on the order in which packets should be received, whether the packet held in the packet holding step should be verified together with a packet received after it was held, and merging the payload of the received packet with the payload of the held packet based on that determination.
- the payload of the packet or the payload of the packet merged in the merging step is determined in advance.
- It is preferable that the verification in the verification step and the holding of the information on the verification content be performed using an automaton, for example.
- A packet filtering program causes a relay device that relays a communication message packet by packet to execute: an order determination process of determining whether a received packet has been received in the order in which it should be received; a packet holding process of holding the packet and performing control so that the packet is relayed when the order determination process determines that the packet was not received in the order in which it should be received; and a merging process of determining, based on the order in which packets should be received, whether the held packet should be verified together with a packet received after it was held, and merging the payload of the received packet with the payload of the held packet based on that determination. the packets are received in the order to be received by the order determination process.
- A relay control process performs control so that the packet is relayed when the verification processing determines that the packet satisfies the rule, and performs control to prohibit relaying of the packet when the rule is not satisfied. Further, it is preferable that the verification by the verification processing and the holding of the information on the verification content be performed using an automaton, for example.
- FIG. 1 is a diagram showing a configuration of a relay device according to an embodiment.
- FIG. 2 is a diagram showing an example of the order of transmitting and receiving packets.
- FIG. 3 is a flowchart showing a process executed by the relay device in the embodiment.
- FIG. 4 is a diagram showing an example of an automaton expression.
- FIG. 5 is a diagram showing a configuration of a packet filtering program according to the embodiment.
- 10 ... relay device, 11 ... receiving unit, 12 ... transmitting unit, 13 ... order determining unit, 14 ... packet holding unit, 15 ... merging unit, 16 ... verification unit, 17 ... relay control unit, 20 ... source, 30 ... destination, 40 ... recording medium, 40a ... program storage area, 41 ... packet filtering program, 41a ... order determination module, 41b ... packet holding module, 41c ... merging module, 41d ... verification module, 41e ... relay control module.
- FIG. 1 shows a configuration of a relay device 10 according to the present embodiment.
- the relay device 10 relays the packet by transmitting the packet transmitted from the transmission source 20 to the transmission destination 30.
- The relay device 10 is specifically configured with a CPU, a memory, and the like, and is preferably realized by an information processing device such as a router or a bridge.
- the transmission source 20 corresponds to, for example, a server device that transmits data or another relay device.
- the transmission destination 30 corresponds to, for example, a client device that is a data transmission destination.
- a packet refers to data obtained by dividing data, which is a communication message, into small pieces for transmission and reception via a network and adding control information such as an address of a transmission destination.
- Packet transmission is described here mainly using the Transmission Control Protocol (TCP) as an example.
- When data that is a communication message is divided into packets, a header storing control information as described above is added to each packet. The header stores, among other things, a sequence number, which is order information for correctly reconstructing (restoring) the data from the packets.
- Data reconstruction is performed by concatenating the payloads of the packets in order of sequence number. Note that a series of transmitted packets is not always received at the destination in order of sequence number, for example because each packet may be relayed via a different route on the network.
- the sequence number is determined based on the size of the payload as follows. For example, if the sequence number of the first packet is 2001 and the payload size is 1000 bytes, the sequence number of the next packet is 3001, and the sequence number of the next packet is 4001.
- FIG. 2 shows a simple example of packet division and reassembly.
- On the data transmitting side, the data to be transmitted is divided, and order information "1", "2", "3", "4" for reconstructing the data is added to the header of each packet. It is assumed that the packets are transmitted in that order.
- The data receiving side does not always receive the packets in the order "1", "2", "3", "4"; in some cases they are received in the order "1", "3", "2", "4". Even in such a case, the data can be reconstructed by referring to the order information included in the packet header.
- The relay device 10 includes a receiving unit 11, a transmitting unit 12, an order determining unit 13 (order determining means), a packet holding unit 14 (packet holding means), a merging unit 15 (merging means), a verification unit 16 (verification means), and a relay control unit 17 (relay control means). It is assumed that the relay device 10, like a proxy, relays all packets of a communication message transmitted to the transmission destination 30.
- the receiving unit 11 is a unit that receives a packet to be relayed transmitted from the transmission source 20.
- the transmitting unit 12 is a unit that transmits the packet to be relayed received by the receiving unit 11 to a predetermined destination 30.
- the order determining unit 13 is a unit that refers to the packet received by the receiving unit 11 and determines whether or not the packet is received in the order in which it should be received.
- As the order in which packets should be received, it is preferable to use, for example, the order in which the data is reconstructed, that is, ascending order of sequence number. The determination of whether a packet has been received in the order in which it should be received is preferably made, for example, by referring to information in the header of the packet. Information on the determination result is transmitted to the packet holding unit 14, the merging unit 15, and the verification unit 16.
- The packet holding unit 14 is the part that holds the received packet (a copy of the packet). Further, the packet holding unit 14 controls the transmitting unit 12 to transmit the packet to the predetermined destination 30.
- The merging unit 15 is the part that determines whether a packet held by the packet holding unit 14 should be verified together with a packet received by the receiving unit 11 after it was held, and that merges the payload of the received packet with the payload of the held packet based on that determination.
- the verification is verification by the verification unit 16. A specific determination method and the like will be described later.
- The verification unit 16 is the part that, when the order determining unit 13 determines that the received packet was received in the order in which it should be received, verifies whether the payload of the packet satisfies a predetermined rule.
- If the payload of the received packet has been merged by the merging unit 15 with the payload of a packet held in the packet holding unit 14, the payload to be verified is the merged payload. Further, the verification unit 16 holds information on the content of the verification for use in the next verification of the same communication message. In the verification of the next packet of the same communication message, using the stored information on the verification content gives the same effect as verifying the message stream.
- Verification by the verification unit 16 is preferably performed by treating the payload to be verified as character string data and determining whether the character string data satisfies a predetermined rule.
- As the predetermined rule, it is preferable to use a rule that detects a communication message that violates a communication protocol defined in an application layer protocol.
- Such rules include, for example, that the character string data matches or does not match a predetermined pattern.
- Another example is that control codes other than character strings are not included. This is to detect malicious communication messages, which often contain control codes.
- If the rules include one corresponding to a specific protocol, illegal communication messages in that protocol can be detected more accurately.
- The relay control unit 17 is the part that controls the transmitting unit 12 to transmit the packet when the verification unit 16 determines that the packet satisfies the rule, and controls the transmitting unit 12 to prohibit transmission of the packet when the verification unit 16 determines that the packet does not satisfy the rule.
- This process is performed when a packet related to a communication message transmitted from the transmission source 20 to the transmission destination 30 is relayed by the relay device 10.
- a packet is transmitted after a connection is established between the transmission source 20 and the relay device 10.
- the relay device 10 receives the arriving packet at the receiving unit 11 (S01).
- The receiving unit 11 identifies which connection the received packet belongs to by referring to the header information of the packet, namely the IP (Internet Protocol) addresses of the source 20 and the destination 30, the port numbers of the source 20 and the destination 30, and information specifying the application layer protocol, and stores the result. The receiving unit 11 also identifies which communication message the packet belongs to by referring to the header information of the packet. Further, the receiving unit 11 identifies the transmission destination 30 (relay destination) based on this information and the routing table held by the relay device 10.
- The order determining unit 13 determines whether the received packet was received in the order in which it should be received (S02). The determination is made by reading the received packet and referring to the sequence number included in its header.
- The merging unit 15 determines whether a packet to be merged with the received packet is among the packets held by the packet holding unit 14 (S03). In the case of packet "1", there is no packet to be merged, because it is the first packet received in the communication message. Note that although FIG. 2 shows the data being reconstructed from the packets, the data is normally not reconstructed in the relay device 10.
- The verification unit 16 verifies whether the payload of the received packet satisfies the rule (S05). If it is determined that the packet satisfies the rule, that is, that the packet does not relate to an unauthorized communication message, the relay control unit 17 controls the transmitting unit 12 to transmit the packet to the destination 30.
- the transmitting unit 12 that has received the control transmits the packet (S06).
- the determination that the message is not related to an unauthorized communication message is a determination of the information up to the received packet. That is, the information of the packet received after this determination may indicate that the packet relates to an unauthorized communication message.
- the verification unit 16 holds information on verification contents. At this point, if all the packets in the communication message have been transmitted, the process ends (S08).
- If it is determined that the rule is not satisfied, the relay control unit 17 controls the transmission unit 12 to prohibit transmission of the packet to the transmission destination 30.
- The transmission unit 12 that has received the control prohibits the transmission of the packet (S07).
- Once packet transmission is prohibited, transmission of all packets received thereafter is also prohibited, and the process ends.
- The preceding packets have already been transmitted to the destination 30, but at the destination, data is normally not passed to the application layer until all the packets have arrived, so attacks by illegal communication messages can be prevented.
- The receiving unit 11 continues to receive packets (S01). Subsequently, the order determining unit 13 determines whether the received packet was received in the order in which it should be received (S02). Here, if it is determined that the packet was not received in the order in which it should be received, as with packet "3" in FIG. 2 (it was received before packet "2", which should be received before packet "3"), the packet holding unit 14 holds a copy of the packet (S09). Subsequently, the packet holding unit 14 controls the transmitting unit 12 to transmit the packet to the destination 30. The transmitting unit 12 that has received the control transmits the packet (S10). By this processing, packets received earlier than the order in which they should be received are held by the packet holding unit 14.
- the receiving unit 11 receives the packet (S01), and the order determining unit 13 determines whether or not the received packets are received in the order in which they should be received (S02).
- the merging unit 15 determines whether or not there is a packet to be merged with the received packet in the packet held by the packet holding unit 14 (S03). For this determination, the order determining unit 13 reads the packet held by the packet holding unit 14 and refers to the sequence number of the header of the packet.
- This determination is made by deciding, based on the order in which packets should be received, whether the held packet should be verified together with the received packet. For example, if a packet that comes next in order after the received packet is among the held packets, that held packet is determined to be verified along with the received packet, and it is determined that they are to be merged. In the example of FIG. 2, packet "3" is held, and when packet "2" is received, the held packet "3" follows packet "2", so packet "3" is determined to be merged with the received packet "2".
- the merging unit 15 merges the payloads of these packets so that the verification unit 16 can verify them (S04).
- The verification unit 16 verifies whether the merged payload satisfies the rule (S05). In this verification, if a packet of the same communication message has been verified earlier, the information on the verification content held in the verification unit 16 is used. In the example of FIG. 2, when verifying the payloads of packets "2" and "3", the verification refers to the verification content of packet "1" performed earlier.
- The relay control unit 17 controls the transmission unit 12 to transmit the packet to the transmission destination 30.
- the transmission unit 12 that has received the control transmits the packet (S06). Since the packet held by the packet holding unit 14 has already been transmitted, it is preferable that the packet transmitted here does not include the held packet. At this point, if all the packets in the communication message have been transmitted, the process ends (S08). If it is determined that the rule is not satisfied, the same processing as described above is performed.
- With the relay device 10, every time a packet is received, its payload is verified for illegality and the packet is transmitted. An increase in communication delay can therefore be prevented when detecting an illegal communication message in an application layer protocol. Also, the rules used for the verification can be set regardless of the type of application layer protocol, so illegal communication messages can be detected regardless of the type of protocol.
- It is preferable that the verification by the verification unit 16 and the retention of the information on the verification content be performed using an automaton.
- Verification by the automaton can be performed by state transitions based on the content of the packet payload.
- The verification content can be retained by defining states in the automaton that correspond to the verification content and retaining the state every time the verification unit 16 performs verification.
- A message consisting of alphabetic characters is defined as "echo_message" using a regular expression.
- A state called "receive" is defined as the initial state (INITIAL).
- The state "receive" defines, in parentheses, that if the content of the payload matches "echo_message", the state changes to "reply".
- The state "reply" is a state in which the received packet is transmitted. That is, with the automaton shown in examples (a) to (c) of FIG. 4, it can be determined that the message is a character string. Also, as shown in example (d) of FIG. 4, the message length can be checked.
- The order of the packets may also be determined with reference to flags and the like included in fragmented data, and the above-described processing may then be performed.
- a packet filtering program for causing the relay device 10 to execute the above-described series of processes will be described.
- the packet filtering program 41 is stored in a program storage area 40a formed on the recording medium 40 provided in the relay device 10.
- the packet filtering program 41 includes an order determination module 41a, a packet holding module 41b, a merging module 41c, a verification module 41d, and a relay control module 41e.
- the function realized by executing the order determining module 41a is the same as the function of the order determining unit 13 included in the relay device 10.
- the packet holding module 41b has the function of the packet holding unit 14
- the merging module 41c has the function of the merging unit 15
- the verification module 41d has the function of the verification unit 16
- the relay control module 41e has the function of the relay control unit 17.
- the packet filtering program 41 may be configured so that part or all of the packet filtering program 41 is transmitted via a transmission medium such as a communication line, received by another device, and recorded (including installation). Further, the above program can be recorded on a computer-readable recording medium and distributed.
- Such recording media include, for example, magnetic media such as a hard disk and a flexible disk, optical media such as a CD-ROM and a DVD-ROM, magneto-optical media such as a floptical disk, and hardware devices such as RAM, ROM, and semiconductor non-volatile memory that are specially arranged to execute or store program instructions.
- recording medium Drive for reading recording media (for example, flexible disk drive, etc.)
- The present invention can be used as a relay device, a packet filtering method, and a packet filtering program capable of preventing an increase in communication delay and detecting an illegal communication message in an application layer protocol regardless of the type of protocol.
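The S01 to S10 flow and the state-retaining automaton described above, as an added Python example (not code from the patent). The class names, the alphabetic-only rule with a length limit modelled on the FIG. 4 description, the bound on held packets, and the handling of packets that arrive behind the expected sequence number are assumptions.

```python
import string
from dataclasses import dataclass

ALPHA = set(string.ascii_letters.encode())  # byte values allowed by the assumed rule


@dataclass
class Packet:
    seq: int        # sequence number of the first payload byte (TCP-style)
    payload: bytes


class EchoAutomaton:
    """Verifier whose state is retained between packets of one message.

    Assumed rule, modelled on the FIG. 4 description: the message consists of
    alphabetic characters only (so no control codes) and is at most max_len
    bytes long.
    """

    def __init__(self, max_len=64):
        self.state = "receive"   # initial state
        self.consumed = 0        # retained verification content: bytes seen so far
        self.max_len = max_len

    def feed(self, data: bytes) -> bool:
        if self.state == "reject":
            return False
        for b in data:
            self.consumed += 1
            if b not in ALPHA or self.consumed > self.max_len:
                self.state = "reject"
                return False
        self.state = "reply"     # payload so far matches; packet may be relayed
        return True


class RelayFilter:
    """Per-message filter following steps S01 to S10."""

    def __init__(self, first_seq, automaton, max_held=32):
        self.expected = first_seq    # next in-order sequence number
        self.held = {}               # seq -> payload copy of early packets (S09)
        self.automaton = automaton
        self.max_held = max_held     # assumption: bound the hold buffer
        self.blocked = False

    def receive(self, pkt: Packet) -> str:
        if self.blocked:                         # after S07 everything is prohibited
            return "drop"
        if pkt.seq > self.expected:              # S02: arrived ahead of its turn
            if len(self.held) >= self.max_held:
                return "drop"
            self.held[pkt.seq] = pkt.payload     # S09: keep a copy
            return "hold+relay"                  # S10: relay without verifying yet
        if pkt.seq < self.expected:
            return "drop"                        # assumption: the page does not cover this case
        merged, nxt = pkt.payload, pkt.seq + len(pkt.payload)
        while nxt in self.held:                  # S03/S04: append contiguous held payloads
            chunk = self.held.pop(nxt)
            merged += chunk
            nxt += len(chunk)
        if self.automaton.feed(merged):          # S05: verify with retained state
            self.expected = nxt
            return "relay"                       # S06
        self.blocked = True                      # S07
        return "drop"


def run(packets, first_seq=2001, max_len=64):
    relay = RelayFilter(first_seq, EchoAutomaton(max_len))
    return [relay.receive(p) for p in packets]


# Constructed sample message split into four packets.
P1, P2, P3, P4 = (Packet(2001, b"echo"), Packet(2005, b"test"),
                  Packet(2009, b"data"), Packet(2013, b"more"))
BAD3 = Packet(2009, b"da\x00a")   # same position as P3, carries a control code

if __name__ == "__main__":
    print(run([P1, P3, P2, P4]))
    print(run([P1, BAD3, P2, P4]))
    print(run([P1, P2, P3], max_len=10))
```

In the `BAD3` run the destination has received packets "1" and "3" but never "2", so its TCP stack cannot hand packet "3"'s payload to the application, which is the property the description relies on when it relays early packets unverified.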
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Computer And Data Communications (AREA)
Priority Applications (5)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
EP05743800A EP1737172A4 (en) | 2004-05-31 | 2005-05-26 | RELAY DEVICE, APKET FILTERING METHOD, AND PACKAGE FILTERING PROGRAM |
KR20067004403A KR100752955B1 (ko) | 2004-05-31 | 2005-05-26 | Relay device, packet filtering method, and packet filtering program |
US11/569,743 US7633957B2 (en) | 2004-05-31 | 2005-05-26 | Relay device, packet filtering method, and packet filtering program |
CNB2005800007404A CN100473060C (zh) | 2004-05-31 | 2005-05-26 | Relay device and packet filtering method |
IL178267A IL178267A0 (en) | 2004-05-31 | 2006-09-21 | Relay device, packet filtering method, and packet filtering program |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
JP2004162129A JP4418302B2 (ja) | 2004-05-31 | 2004-05-31 | Relay device, packet filtering method, and packet filtering program |
JP2004-162129 | 2004-05-31 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2005117374A1 (ja) | 2005-12-08 |
Family
ID=35451250
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/JP2005/009632 WO2005117374A1 (ja) | Relay device, packet filtering method, and packet filtering program | 2004-05-31 | 2005-05-26 |
Country Status (8)
Country | Link |
---|---|
US (1) | US7633957B2 (ja) |
EP (1) | EP1737172A4 (ja) |
JP (1) | JP4418302B2 (ja) |
KR (1) | KR100752955B1 (ja) |
CN (1) | CN100473060C (ja) |
IL (1) | IL178267A0 (ja) |
TW (1) | TW200642389A (ja) |
WO (1) | WO2005117374A1 (ja) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2008028740A (ja) * | 2006-07-21 | 2008-02-07 | Secure Ware:Kk | Communication control device, communication control method, and computer program |
Families Citing this family (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP5177366B2 (ja) * | 2007-08-28 | 2013-04-03 | 日本電気株式会社 | Service providing system, filtering device, and filtering method |
US8050682B2 (en) * | 2008-03-14 | 2011-11-01 | Samsung Electronics Co., Ltd. | Method and system for delivering and constructing status information in communication system |
EP2449817B1 (en) * | 2009-06-30 | 2018-08-29 | Telefonaktiebolaget LM Ericsson (publ) | Method and apparatuses for moving a service or ip session from first to second access |
JP6529033B2 (ja) * | 2015-10-01 | 2019-06-12 | 株式会社エヴリカ | Information processing device, method, and program |
US10248814B2 (en) * | 2017-01-25 | 2019-04-02 | Hewlett Packard Enterprise Development Lp | Memory integrity monitoring |
JP2018207343A (ja) * | 2017-06-06 | 2018-12-27 | 株式会社オートネットワーク技術研究所 | Relay device, relay method, and relay program |
JP7304801B2 (ja) * | 2019-12-12 | 2023-07-07 | 三菱電機株式会社 | Relay device and communication system |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2000174808A (ja) * | 1998-12-03 | 2000-06-23 | Lucent Technol Inc | Method of operating a data packet filter |
JP2003099339A (ja) * | 2001-09-25 | 2003-04-04 | Toshiba Corp | Intrusion detection/prevention device and program |
JP2004062417A (ja) * | 2002-07-26 | 2004-02-26 | Nippon Telegr & Teleph Corp <Ntt> | Authentication server device, server device, and gateway device |
Family Cites Families (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5758083A (en) * | 1995-10-30 | 1998-05-26 | Sun Microsystems, Inc. | Method and system for sharing information between network managers |
JP4292654B2 (ja) | 1999-03-19 | 2009-07-08 | ソニー株式会社 | Recording device and method, playback device and method, and recording medium |
TW453070B (en) | 2000-01-17 | 2001-09-01 | Accton Technology Corp | Wireless network communication system and method with double packet filtering function |
TW484282B (en) | 2000-04-10 | 2002-04-21 | D Link Corp | Monitoring management method of network exchange system to the online frame |
US6381242B1 (en) * | 2000-08-29 | 2002-04-30 | Netrake Corporation | Content processor |
US7180895B2 (en) | 2001-12-31 | 2007-02-20 | 3Com Corporation | System and method for classifying network packets with packet content |
US9392002B2 (en) * | 2002-01-31 | 2016-07-12 | Nokia Technologies Oy | System and method of providing virus protection at a gateway |
JP2003296213A (ja) * | 2002-04-03 | 2003-10-17 | Sony Corp | Information exchange method and information exchange system |
TW550903B (en) | 2002-04-23 | 2003-09-01 | Via Tech Inc | Method for filtering packets and the associated devices |
CN1757210A (zh) * | 2003-01-15 | 2006-04-05 | 希尔纳公司 | Method and apparatus for transmitting packet data over an optical network |
2004
- 2004-05-31: JP application JP2004162129A, patent JP4418302B2 (ja), not active (Expired - Fee Related)

2005
- 2005-05-26: CN application CNB2005800007404A, patent CN100473060C (zh), not active (Expired - Fee Related)
- 2005-05-26: US application US11/569,743, patent US7633957B2 (en), not active (Expired - Fee Related)
- 2005-05-26: EP application EP05743800A, patent EP1737172A4 (en), not active (Withdrawn)
- 2005-05-26: KR application KR20067004403A, patent KR100752955B1 (ko), not active (IP Right Cessation)
- 2005-05-26: WO application PCT/JP2005/009632, patent WO2005117374A1 (ja), not active (Application Discontinuation)
- 2005-05-27: TW application TW094117569A, patent TW200642389A (zh), status unknown

2006
- 2006-09-21: IL application IL178267A, patent IL178267A0 (en), status unknown
Non-Patent Citations (1)
Title |
---|
See also references of EP1737172A4 * |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2008028740A (ja) * | 2006-07-21 | 2008-02-07 | Secure Ware:Kk | Communication control device, communication control method, and computer program |
Also Published As
Publication number | Publication date |
---|---|
EP1737172A4 (en) | 2008-02-20 |
JP4418302B2 (ja) | 2010-02-17 |
US7633957B2 (en) | 2009-12-15 |
CN100473060C (zh) | 2009-03-25 |
KR20060063957A (ko) | 2006-06-12 |
KR100752955B1 (ko) | 2007-08-30 |
JP2005347853A (ja) | 2005-12-15 |
CN1839601A (zh) | 2006-09-27 |
EP1737172A1 (en) | 2006-12-27 |
TW200642389A (en) | 2006-12-01 |
US20070242681A1 (en) | 2007-10-18 |
TWI332341B (ja) | 2010-10-21 |
IL178267A0 (en) | 2006-12-31 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
WO2005117374A1 (ja) | Relay device, packet filtering method, and packet filtering program | |
JP3225924B2 (ja) | Communication quality control device | |
KR100910818B1 (ko) | Method and system for tunneling MACsec packets through non-MACsec nodes | |
KR101745624B1 (ko) | Real-time spam look-up system | |
US7725595B1 (en) | Embedded communications system and method | |
WO2022151867A1 (zh) | Method and apparatus for an HTTP-to-HTTPS bidirectional transparent proxy | |
EP1734718A2 (en) | Computer-implemented method with real-time response mechanism for detecting viruses in data transfer on a stream basis | |
US7764694B2 (en) | System, method, and apparatus for prioritizing network traffic using deep packet inspection (DPI) | |
JP4743894B2 (ja) | Method and apparatus for improving security while transmitting data packets | |
JP2007538444A (ja) | Firewall system | |
US20090300153A1 (en) | Method, System and Apparatus for Identifying User Datagram Protocol Packets Using Deep Packet Inspection | |
US7738380B1 (en) | Reassembly-free rewriting of out-of-order data payload | |
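CN111585890A (zh) | SRv6-based network path verification method and system | |
CN108737413B (zh) | Transport-layer data processing method and apparatus, and computer-readable storage medium | |
RU2358395C2 (ru) | Method for reducing the time an executable file takes to pass through a checkpoint | |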
US9241048B2 (en) | Mechanism for processing network event protocol messages | |
CN112235329A (zh) | Method, apparatus, and network device for identifying the authenticity of SYN packets | |
WO2007010593A1 (ja) | TCP session emulation device | |
US7971254B1 (en) | Method and system for low-latency detection of viruses transmitted over a network | |
JP2001358771A (ja) | Communication quality control device | |
US8799644B2 (en) | System and method of preventing the transmission of known and unknown electronic content to and from servers or workstations connected to a common network | |
KR101104599B1 (ko) | Apparatus and method for blocking TCP SYN flooding attacks on a network | |
Herrin | Linux IP Networking | |
TW594472B (en) | Computer virus scanning method for network data packet | |
Savage | Protocol Design in an Uncooperative Internet |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | WWE | WIPO information: entry into national phase | Ref document number: 200580000740.4; Country of ref document: CN |
| | AK | Designated states | Kind code of ref document: A1; Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BW BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE EG ES FI GB GD GE GH GM HR HU ID IL IN IS KE KG KM KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NA NG NI NO NZ OM PG PH PL PT RO RU SC SD SE SG SK SL SM SY TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW |
| | AL | Designated countries for regional patents | Kind code of ref document: A1; Designated state(s): BW GH GM KE LS MW MZ NA SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IS IT LT LU MC NL PL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG |
| | 121 | EP: the EPO has been informed by WIPO that EP was designated in this application | |
| | WWE | WIPO information: entry into national phase | Ref document number: 1020067004403; Country of ref document: KR |
| | WWP | WIPO information: published in national office | Ref document number: 1020067004403; Country of ref document: KR |
| | WWE | WIPO information: entry into national phase | Ref document number: 178267; Country of ref document: IL |
| | WWE | WIPO information: entry into national phase | Ref document number: 2005743800; Country of ref document: EP |
| | WWE | WIPO information: entry into national phase | Ref document number: 11569743; Country of ref document: US |
| | NENP | Non-entry into the national phase | Ref country code: DE |
| | WWW | WIPO information: withdrawn in national office | Ref document number: DE |
| | WWP | WIPO information: published in national office | Ref document number: 2005743800; Country of ref document: EP |
| | WWP | WIPO information: published in national office | Ref document number: 11569743; Country of ref document: US |