WO2006046659A1 - Data amount monitoring control system for a communication path - Google Patents
- Publication number
- WO2006046659A1 (PCT/JP2005/019817)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- data
- repeater
- switch
- internal
- network
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/1458—Denial of Service
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L43/00—Arrangements for monitoring or testing data switching networks
- H04L43/08—Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
- H04L43/0876—Network utilisation, e.g. volume of load or congestion level
- H04L43/0894—Packet rate
Definitions
- The present invention relates to security in a network, and particularly to a security technique that is effective against abnormal data, or a large amount of data, sent to an external network or an internal network.
- JP-A-10-207839 (Patent Document 1) is known as prior art for protecting an internal system from a virus that enters via a network.
- In that document, a file consisting of data obtained via a communication line is stored in a readable/writable memory, and it is determined whether a virus is, or may be, present in the file stored in this memory.
- Switches are provided on the data input side and the data output side of the memory so that the two switches cannot be turned on at the same time.
- Patent Document 1 Japanese Patent Laid-Open No. 10-207839
- Bringing the host terminal down in this way is a "system down" attack designed to let an attacker infiltrate the target host.
- An attacker who launches a DoS attack on the internal network through a large number of hops (via third-party terminals) exploits a security hole and creates an account (a backdoor) that can be accessed with root authority once the host restarts after a buffer overrun. If the system is subsequently brought down by a buffer overflow, the only way to recover is to restart. A normal system administrator, however, restarts with the network still connected. At that point, since an account that can intrude into the host terminal with root authority has already been created as described above, it is possible to enter the host terminal from outside using that account.
- The present invention has been made in view of these points; its technical object is to provide a data amount monitoring control system for a communication path that is extremely effective against attacks in which a large amount of data is sent to an internal network.
- To achieve this, the present invention employs the following means. That is, the present invention is a data amount monitoring control device for a communication path interposed between an external network and an internal network, comprising: an external repeater connected to the external network and having a buffer for temporarily storing packet data; an internal repeater connected to the internal network and having a buffer for temporarily storing packet data; and a diagnostic inspection repeater that measures the amount of data transferred and outputs a switch operation instruction signal to a switch control unit.
- Connection/opening between the internal repeater and the diagnostic inspection repeater, and connection/opening between the diagnostic inspection repeater and the external repeater, are performed exclusively (only one of the two is connected at any time).
- A switch mechanism unit controls the connection/opening between the diagnostic inspection repeater and the internal repeater, and between the external repeater and the diagnostic inspection repeater, in response to an instruction signal from the switch control unit.
- FIG. 1 is a schematic diagram of a data amount monitoring control system according to the present invention.
- FIG. 2 is an explanatory diagram showing the operation concept of the data amount monitoring control system of the present invention.
- FIG. 3 is a system configuration diagram of the data monitoring control system of the embodiment.
- FIG. 4 is a detailed hardware configuration diagram of the data monitoring control system of the embodiment.
- FIG. 5 is an explanatory diagram showing an operation concept of the switch according to the embodiment.
- FIG. 6 is a diagram (1) showing step by step the operation procedure of the packet data and switches of the embodiment.
- FIG. 7 is a diagram (2) showing step by step the operation procedure of the packet data and switches of the embodiment.
- FIG. 8 is a diagram (3) showing step by step the operation procedure of the packet data and switches of the embodiment.
- FIG. 9 is a diagram (4) showing step by step the operation procedure of the packet data and switches of the embodiment.
- FIG. 10 is a diagram (5) showing step by step the operation procedure of the packet data and switches of the embodiment.
- FIG. 11 is a diagram (6) showing step by step the operation procedure of the packet data and switches of the embodiment.
- FIG. 12 is a diagram (7) showing step by step the operation procedure of the packet data and switches of the embodiment.
- FIG. 13 is a diagram (8) showing step by step the operation procedure of the packet data and switches of the embodiment.
- FIG. 14 is a diagram (9) showing step by step the operation procedure of the packet data and switches of the embodiment.
- FIG. 15 is a diagram (10) showing step by step the operation procedure of the packet data and switches of the embodiment.
- FIG. 16 is a diagram (11) showing step by step the operation procedure of the packet data and switches of the embodiment.
- FIG. 17 is a diagram (12) showing step by step the operation procedure of the packet data and switches of the embodiment.
- FIG. 18 is a diagram (13) showing step by step the operation procedure of the packet data and switches of the embodiment.
- FIG. 19 is a diagram (14) showing step by step the operation procedure of the packet data and switches of the embodiment.
- FIG. 20 is a diagram (15) showing step by step the operation procedure of the packet data and switches of the embodiment.
- FIG. 21 is a diagram (16) showing step by step the operation procedure of the packet data and switches of the embodiment.
- FIG. 22 is a diagram (17) showing step by step the operation procedure of the packet data and switches of the embodiment.
Best mode for carrying out the invention
- This switch system has an internal repeater, a control repeater, and an external repeater.
- A switch (1) is provided on the inward/outward communication path between the internal repeater and the control repeater, and a switch (2) is provided between the control repeater and the external repeater.
- A switch (3) is provided on the outward/inward communication path between the control repeater and the internal repeater, and a switch (4) is provided between the external repeater and the control repeater.
- FIG. 2 schematically shows the internal configuration of the control repeater.
- The control repeater includes a diagnostic inspection repeater, which contains a diagnostic inspection unit, and a switching unit, which contains a switch control unit and a switch mechanism unit.
- The switch mechanism in the switching unit is controlled with the diagnostic inspection repeater at its centre, so that the communication path between the external network and the internal network is only ever connected exclusively (one side at a time).
- The diagnostic inspection unit uses a breaker method, taking the packet amount as the reference quantity for the diagnostic inspection; this covers, for example, the case where a large amount of packets enters a host on the network connected to the internal network and exhausts its resources.
- In the diagnostic inspection unit, the amount of packets per second that could damage the resources of the host terminal (referred to as the breakpoint) is set as the judgment criterion value, as appropriate. If packets exceeding the breakpoint are sustained for a certain period of time, the diagnostic inspection unit outputs a signal that stops the switch switching to the switch mechanism unit via the switch control unit, thereby disconnecting communication between the internal network and the external network.
- If an excessive amount of communication occurs on a specific logical communication path through a security hole, the diagnostic inspection unit uses the normal average traffic on that logical communication path as the criterion and determines the allowable capacity from the difference. When this value is exceeded, the diagnostic inspection unit outputs a signal that stops the switch switching to the switch mechanism unit via the switch control unit, thereby disconnecting communication between the internal network and the external network.
- FIG. 3 is a diagram schematically showing the hardware configuration of this system.
- FIG. 4 is a more detailed explanatory diagram.
- SRAM is installed in the internal repeater and in the external repeater.
- The SRAM-IN in the internal repeater and the SRAM-OUT in the external repeater are each provided with an inward area and an outward area.
- The inward area is a storage area for receiving data from the NIC, and the outward area is an area for storing data to be sent to the NIC.
- The seesaw SW unit consists of SW1 and SW2, which operate like a seesaw.
- "Seesaw" is an expression used to make the operation easy to understand; precisely, it means exclusive control.
- Exclusive control means control of a relationship such that when one side is on, the other side is always off.
- SW1 has SW1-1 and SW1-2.
- SW2 has SW2-1 and SW2-2.
- SW1-1 is on the communication path from NIC-IN of the internal network to SDRAM-IN of the PCI bridge.
- SW1-2 is on the communication path from SDRAM-OUT of the PCI bridge to NIC-OUT.
- SW1-1 and SW1-2 are in an exclusive control relationship: when SW1-1 connects its communication path, SW1-2 is open, and when SW1-1 opens its communication path, SW1-2 is connected.
- SW2-1 connects the communication path from NIC-IN to SDRAM-IN of the PCI bridge.
- SW2-2 connects the communication path from SDRAM-OUT of the PCI bridge to NIC-OUT.
- SW2-1 and SW2-2 are also in an exclusive control relationship: when SW2-1 connects its communication path, SW2-2 is open, and when SW2-1 opens its communication path, SW2-2 is connected.
- SW1 and SW2 are in the default state shown in FIG. 4, that is, SW1-1 is on in SW1 and SW2-2 is on in SW2.
- The seesaw operation is performed at a certain timing (the timing is explained later).
- At this operation timing SW1 switches to the opposite state (SW1-1 off, SW1-2 on), and then returns to the default state.
- SW2 likewise performs a seesaw operation at its own operation timing.
- SW1 and SW2 operate independently of each other.
- Data from the network (e.g. a LAN) connected to NIC-IN is input.
- The input data is first stored in the NIC-IN buffer (not shown).
- The data is then transferred to SRAM-IN.
- Since SW1 is in the default state, the data output from SRAM-IN reaches SDRAM-IN as it is.
- FIG. 5 is an explanatory diagram showing the data flow in step (6) above.
- SW1, which was in the default state until then, switches to the opposite state, and SW1-2 is turned on.
- The data from SDRAM-OUT reaches SRAM-OUT.
- SW1, switched as above, returns to the default state again, and SW1-2 is turned off.
- The buffer prepared here is composed of, for example, a 128-byte FIFO (First In First Out) memory.
- The data is output to the network (e.g. a WAN) connected to NIC-OUT.
- As described above, the data input to NIC-IN is output to NIC-OUT by the exclusive operation of SW1. For the reverse flow, SW2 operates exclusively in the same way.
- FIGS. 6 to 22 show step by step the movement of packet data and the operation of switches SW1 and SW2 in this embodiment.
- Upstream packet data arrives at NIC-IN from the internal network, passes through SW1-1 of SW1, which is connected from NIC-IN, and reaches the SW server (diagnostic inspection repeater) (FIGS. 6 to 10).
- The SW server verifies the upstream packet data, and if the verification result is OK, the switch control unit outputs to the switch mechanism unit a switching signal such that SW1-1 of SW1 is opened and SW1-2 is connected (FIG. 12).
- The upstream packet data is then sent to the external network via NIC-OUT through the now-connected SW1-2 of SW1 (FIGS. 13 to 17).
- Downstream packet data from the external network enters via NIC-OUT and reaches the SW server (diagnostic inspection repeater) through the connected SW2-2 (FIGS. 8 to 11).
- The SW server verifies the downstream packet data, and if the verification result is OK, the switch control unit outputs to the switch mechanism unit a switching signal such that SW2-2 of SW2 is opened and SW2-1 is connected (FIGS. 14 to 17). The downstream packet data is then sent to the internal network via NIC-IN through the now-connected SW2-1 (FIGS. 18 to 22). Note that SW1 returns to its original state at the timing shown in FIG. 16, and SW2 returns to its original state at the timing shown in FIG.
- In this way, a switch connection control device for a communication path, interposed in the communication path, exclusively selects between connection with one communication path and connection with the other communication path.
- The present invention can be used as a security technique against network attacks in which a large amount of data is sent via a communication path.
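The following Python model is an added example, not code from the patent: it implements the diagnostic inspection unit's two breaker criteria (a packets-per-second breakpoint sustained for a set period, and deviation from the normal average beyond an allowance) and shows how the stop-switching signal freezes the exclusive SW1 seesaw pair so that nothing more is forwarded. All threshold values, the per-second packet counts and the class and function names are assumptions made for the example.

```python
# Added example (not the patent's code): breaker-method diagnostic unit
# driving an exclusive seesaw switch pair. Thresholds and inputs are assumed.
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class SeesawSwitch:
    """An exclusive pair such as SW1-1/SW1-2: the two are never both on."""
    name: str
    first_on: bool = True       # default state: SW1-1 on, SW1-2 off
    stopped: bool = False       # set by the stop-switching signal

    @property
    def second_on(self) -> bool:
        return not self.first_on    # exclusive control

    def seesaw(self) -> bool:
        """Flip the pair; refused (returns False) once switching is stopped."""
        if self.stopped:
            return False
        self.first_on = not self.first_on
        return True


class DiagnosticUnit:
    """Breaker method: trip when pps exceeds the breakpoint for `sustain`
    consecutive seconds, or exceeds the normal average by more than the
    allowance (the two criteria the description gives)."""

    def __init__(self, breakpoint_pps: int, sustain: int,
                 normal_avg_pps: Optional[int] = None, allowance_pps: int = 0):
        self.breakpoint, self.sustain = breakpoint_pps, sustain
        self.normal_avg, self.allowance = normal_avg_pps, allowance_pps
        self.over_run = 0           # consecutive seconds above the breakpoint

    def observe(self, pps: int) -> bool:
        """Return True when switching must stop (networks disconnected)."""
        self.over_run = self.over_run + 1 if pps > self.breakpoint else 0
        if self.over_run >= self.sustain:
            return True
        if self.normal_avg is not None and pps - self.normal_avg > self.allowance:
            return True
        return False


def relay(per_second_counts: List[int], unit: DiagnosticUnit) -> List[bool]:
    """One upstream pass per second: SW1 seesaws to SW1-2 to forward verified
    data, then returns to default. Returns whether data was forwarded each
    second; once the unit trips, the frozen switch forwards nothing."""
    sw1 = SeesawSwitch("SW1")
    forwarded = []
    for pps in per_second_counts:
        if unit.observe(pps):
            sw1.stopped = True      # stop-switching signal via control unit
        moved = sw1.seesaw()        # connect SDRAM-OUT -> NIC-OUT (SW1-2)
        if moved:
            sw1.seesaw()            # back to default (SW1-1 on)
        assert not (sw1.first_on and sw1.second_on)   # exclusivity holds
        forwarded.append(moved)
    return forwarded
```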
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Environmental & Geological Engineering (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
EP20050805370 EP1811731A1 (en) | 2004-10-27 | 2005-10-27 | Data amount monitoring control system of channels |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
JP2004313128A JP2006128954A (ja) | 2004-10-27 | 2004-10-27 | Data amount monitoring control system for a communication path |
JP2004-313128 | 2004-10-27 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2006046659A1 (ja) | 2006-05-04 |
Family
ID=36227901
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/JP2005/019817 WO2006046659A1 (ja) | 2004-10-27 | 2005-10-27 | Data amount monitoring control system for a communication path |
Country Status (3)
Country | Link |
---|---|
EP (1) | EP1811731A1 (ja) |
JP (1) | JP2006128954A (ja) |
WO (1) | WO2006046659A1 (ja) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2019145050A (ja) * | 2018-02-23 | 2019-08-29 | Necソリューションイノベータ株式会社 | Information transfer device, information transfer method and information transfer program |
Families Citing this family (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR102046424B1 (ko) * | 2019-02-13 | 2019-11-19 | 주식회사 티이이웨어 | Key custody management system and method for signing transactions based on the BIP-32 protocol from an internal key of a cluster managed in a Trusted Execution Environment |
KR102046425B1 (ko) * | 2019-02-13 | 2019-11-19 | 주식회사 티이이웨어 | Key custody management system and method for signing transactions based on a threshold signature scheme using a key of a cluster managed in a Trusted Execution Environment |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JPH10207839A (ja) * | 1997-01-27 | 1998-08-07 | Hironori Wakayama | Method for preventing intrusion of viruses and hackers, and mechanism for preventing intrusion of viruses and hackers into a server |
JP2003152806A (ja) * | 2001-11-13 | 2003-05-23 | Ionos:Kk | Switch connection control system for a communication path |
JP2004248198A (ja) * | 2003-02-17 | 2004-09-02 | Fujitsu Ltd | DoS attack defense method and device |
2004
- 2004-10-27 JP JP2004313128A patent/JP2006128954A/ja active Pending
2005
- 2005-10-27 EP EP20050805370 patent/EP1811731A1/en not_active Withdrawn
- 2005-10-27 WO PCT/JP2005/019817 patent/WO2006046659A1/ja not_active Application Discontinuation
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2019145050A (ja) * | 2018-02-23 | 2019-08-29 | Necソリューションイノベータ株式会社 | Information transfer device, information transfer method and information transfer program |
JP6992975B2 (ja) | 2018-02-23 | 2022-01-13 | Necソリューションイノベータ株式会社 | Information transfer device, information transfer method and information transfer program |
Also Published As
Publication number | Publication date |
---|---|
EP1811731A1 (en) | 2007-07-25 |
JP2006128954A (ja) | 2006-05-18 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US9749011B2 (en) | | Physical unidirectional communication apparatus and method |
US9203802B2 (en) | | Secure layered iterative gateway |
US20100257599A1 (en) | | Dynamic authenticated perimeter defense |
CN109561091B (zh) | | Network security protection system for civil air defense engineering |
WO2017073089A1 (ja) | | Communication device, system and method |
JP2007006054A (ja) | | Packet relay device and packet relay system |
JP2004172871A (ja) | | Hub device for preventing virus spread, and program therefor |
CN107277058B (zh) | | Interface authentication method and system based on the BFD protocol |
JP6923809B2 (ja) | | Communication control system, network controller and computer program |
WO2011079607A1 (zh) | | Method and device for preventing MAC address migration on switch ports |
CN108449310B (zh) | | Domestic network security isolation and unidirectional import system and method |
WO2006046659A1 (ja) | | Data amount monitoring control system for a communication path |
US8984619B2 (en) | | Methods, systems, and computer readable media for adaptive assignment of an active security association instance in a redundant gateway configuration |
JP3859490B2 (ja) | | Switch connection control system for a communication path |
KR101463873B1 (ko) | | Information leakage blocking device and method |
WO2015039456A1 (zh) | | Control method and device for network data self-loopback |
JP3699941B2 (ja) | | Distributed denial-of-service attack prevention method, gate device, communication device, distributed denial-of-service attack prevention program and recording medium |
WO2015018200A1 (zh) | | Upgrade method and device for a detection engine in a firewall device |
KR20180028742A (ko) | | Bidirectional communication device and method capable of mode change |
WO2008083565A1 (fr) | | Method and system relating to a protection switching policy |
US20210136103A1 (en) | | Control device, communication system, control method, and computer program |
JP2004140618A (ja) | | Packet filter device and unauthorized access detection device |
WO2022001937A1 (zh) | | Service transmission method and device, network equipment and storage medium |
CN115333994A (zh) | | Method, device and electronic equipment for achieving fast convergence of VPN routes |
CN114095341A (zh) | | Network recovery method, device, computer equipment and storage medium |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| AK | Designated states | Kind code of ref document: A1. Designated state(s): AE AG AL AM AT AU AZ BA BB BG BW BY BZ CA CH CN CO CR CU CZ DK DM DZ EC EE EG ES FI GB GD GH GM HR HU ID IL IN IS KE KG KM KP KR KZ LC LK LR LS LT LU LV LY MD MG MK MN MW MX MZ NA NG NO NZ OM PG PH PL PT RO RU SC SD SG SK SL SM SY TJ TM TN TR TT TZ UG US UZ VC VN YU ZA ZM |
| AL | Designated countries for regional patents | Kind code of ref document: A1. Designated state(s): GM KE LS MW MZ NA SD SZ TZ UG ZM ZW AM AZ BY KG MD RU TJ TM AT BE BG CH CY DE DK EE ES FI FR GB GR HU IE IS IT LU LV MC NL PL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW MR NE SN TD TG |
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | |
| NENP | Non-entry into the national phase | Ref country code: DE |
| WWE | Wipo information: entry into national phase | Ref document number: 2005805370. Country of ref document: EP |
| WWP | Wipo information: published in national office | Ref document number: 2005805370. Country of ref document: EP |
| WWW | Wipo information: withdrawn in national office | Ref document number: 2005805370. Country of ref document: EP |