WO2006087907A1 - 通信制御装置 - Google Patents
通信制御装置 Download PDFInfo
- Publication number
- WO2006087907A1 WO2006087907A1 PCT/JP2006/301591 JP2006301591W WO2006087907A1 WO 2006087907 A1 WO2006087907 A1 WO 2006087907A1 JP 2006301591 W JP2006301591 W JP 2006301591W WO 2006087907 A1 WO2006087907 A1 WO 2006087907A1
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- message
- communication control
- data
- access
- unit
- Prior art date
Links
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F15/00—Digital computers in general; Data processing equipment in general
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06Q—INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
- G06Q30/00—Commerce
- G06Q30/06—Buying, selling or leasing transactions
- G06Q30/0601—Electronic shopping [e-shopping]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L65/00—Network arrangements, protocols or services for supporting real-time applications in data packet communication
- H04L65/1066—Session management
- H04L65/1101—Session protocols
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F17/00—Digital computing or data processing equipment or methods, specially adapted for specific functions
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0227—Filtering policies
- H04L63/0236—Filtering by address, protocol, port number or service, e.g. IP-address or URL
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/101—Access control lists [ACL]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L65/00—Network arrangements, protocols or services for supporting real-time applications in data packet communication
- H04L65/1066—Session management
- H04L65/1069—Session establishment or de-establishment
Definitions
- the present invention relates to a communication control technique, and more particularly to a communication control apparatus that outputs a message to an access request source.
- databases such as a list of permitted access sites, a list of prohibited access sites, prohibited word keywords, and useful word keywords are prepared, and these databases are referred to when accessing external information via the Internet.
- a technique for controlling access has been proposed (for example, see Patent Document 1).
- Patent Document 1 Japanese Patent Laid-Open No. 2001-282797
- the present inventors have conceived a technique for outputting an appropriate message to an access requesting user when access is prohibited or access is permitted. It came to. We have come up with a technology that can flexibly set this message and a useful business model that uses this technology. [0006]
- the present invention has been made in view of such circumstances, and an object thereof is to provide a technique for outputting an appropriate message in response to an access request for content.
- One embodiment of the present invention relates to a communication control apparatus.
- This communication control apparatus associates and holds a content address held at a location accessible via a network and a message to be output to a requester who has requested access to the content.
- a search unit for acquiring communication data for requesting access to the content, and searching whether the address is included in the communication data; and the communication data
- a message output unit that reads and outputs the message associated with the address when the address is included.
- the message holding unit holds the address of the content that is prohibited from access or the content of the content that is permitted to access and the message that should be output to the request source that has requested access to the content. Also good. For example, a message requesting access to a user who has requested access to content whose access is prohibited, or alternative content may be output. In addition, advertisements related to the content may be output to users who have requested access to the content for which access is permitted.
- the message holding unit may classify the content into a plurality of categories, and may hold a message to be output to a request source that has requested access to content belonging to the category for each category. .
- the communication control device may further include a user database that holds information for specifying a user, the search unit includes information indicating a source of the communication data included in the communication data;
- the message output unit that may search the source database from the user database by comparing the information for identifying the user registered in the user database, The message may be output when the user is registered in the user database.
- the message holding unit requests the user to access the content for each user. It may hold a message to be output at the time. Content related to the user may be output alone, or may be output together with a message regarding access control.
- the message output to the user may be preset by the user, or may be provided by a third party such as an advertising business.
- the communication control device may further include a registration accepting unit that accepts registration of the message and registers in the message holding unit, and a charging unit that charges a fee for the registration of the message.
- the billing unit may charge a fee to the access request source or the request destination when the message output unit outputs a message.
- the communication control apparatus may further include a history holding unit that holds the output history of the message, and an evaluation unit that evaluates the output history of the message held in the history holding unit.
- the evaluation unit specifies the access request source when there are access requests exceeding the same number of the same access request source power, and outputs a message to the access request source to the message output unit You may instruct.
- the communication control apparatus may further include an antenna that transmits and receives signals to and from the mobile communication terminal by wireless communication, and the communication data is received from the mobile communication terminal via the antenna.
- the message may be transmitted to the mobile communication terminal via the antenna.
- FIG. 1 is a diagram showing a configuration of a communication control system according to a base technology.
- FIG. 2 is a diagram showing a configuration of a conventional communication control device.
- FIG. 3 is a diagram showing a configuration of a communication control apparatus according to the base technology.
- FIG. 4 is a diagram showing an internal configuration of a packet processing circuit.
- FIG. 5 is a diagram showing an internal configuration of a position detection circuit.
- FIG. 6 is a diagram showing an example of internal data of the first database.
- FIG. 7 is a diagram showing another example of internal data of the first database.
- FIG. 8 is a diagram showing still another example of internal data in the first database.
- FIG. 9 is a diagram showing a configuration of a comparison circuit included in a Neuner research circuit.
- FIG. 10 is a diagram showing an example of internal data of the second database.
- FIG. 11 is a diagram showing another example of internal data of the second database.
- FIG. 12 is a diagram showing another configuration example of the communication control apparatus according to the base technology.
- FIG. 13 is a diagram showing an internal configuration of a packet processing circuit for URL filtering.
- FIG. 14 (a) is a diagram showing an example of internal data of the virus Z phishing site list
- FIG. 14 (b) is a diagram showing an example of internal data of the white list
- c) is a diagram showing an example of black list internal data.
- FIG. 15 is a diagram showing an example of internal data of a common category list.
- FIGS. 16 (a), (b), (c), and (d) are diagrams showing examples of internal data of the second database.
- FIG. 17 is a diagram showing priorities of virus Z phishing site list, white list, black list, and common category list.
- FIG. 18 is a diagram showing a configuration of a message output server according to the embodiment.
- FIG. 19 is a diagram illustrating an arrangement example of the communication control system according to the embodiment.
- FIG. 20 is a diagram showing an arrangement example of the communication control system according to the embodiment.
- FIG. 21 is a diagram showing an arrangement example of the communication control system according to the embodiment.
- FIG. 22 is a diagram showing an arrangement example of the communication control system according to the embodiment.
- FIG. 23 is a diagram showing an arrangement example of the communication control system according to the embodiment.
- FIG. 24 is a diagram illustrating an arrangement example of the communication control system according to the embodiment.
- FIG. 1 shows a configuration of a communication control system according to the base technology.
- the communication control system 100 includes a communication control device 10 and various peripheral devices provided to support the operation of the communication control device 10.
- the base communication control device 10 realizes a URL filtering function provided by an Internet service provider or the like.
- the communication control device 10 provided in the network path acquires an access request for the content, analyzes the content, and determines whether to permit access to the content. If access to the content is permitted, the communication control apparatus 10 sends the access request to the server that holds the content. When access to the content is prohibited, the communication control device 10 discards the access request and returns a warning message or the like to the request source.
- the communication control device 10 receives an access request such as a “GETJ request message” of HTTP (HyperText Transfer Protocol), and enters the list of reference data for judging whether or not the access destination content is allowed to be accessed. Search whether it matches, and determine whether to allow access to the content.
- HTTP HyperText Transfer Protocol
- the peripheral devices include an operation monitoring server 110, a connection management server 120, a message output server 130, a log management server 140, and a database server 150.
- Connection management server 120 manages the connection to the communication control apparatus 10. For example, the connection management server 120 uses the information that uniquely identifies the mobile phone terminal included in the packet when the communication control device 10 processes a packet in which the mobile phone terminal power is also transmitted. Authenticate that you are 10 users. Once authenticated, the packet that has also been sent the IP address temporarily attached to the mobile phone terminal is sent to the communication control unit 10 for processing for a certain period without being authenticated by the connection management server 120. .
- the message output server 130 outputs a message to the access request destination or request source in accordance with the access permission / rejection result determined by the communication control device 10.
- the log management server 140 manages the operation history of the communication control device 10.
- the database server 150 acquires the latest database from the URL database 160 and inputs it to the communication control device 10.
- the communication control apparatus 10 may have a backup database.
- the operation monitoring server 110 monitors the operation statuses of peripheral devices such as the communication control device 10, the connection management server 120, the message output server 130, the log management server 140, and the database server 150.
- the operation monitoring server 110 performs monitoring control of the communication control device 10 having the highest priority in the communication control system 100 and all peripheral devices.
- the communication control device 10 is configured by a dedicated hardware circuit.
- the operation monitoring server 110 uses a boundary scan circuit by utilizing a technique such as Patent No. 3041340 by the present applicant. By inputting / outputting monitoring data to / from the communication control device 10 or the like, the operation status can be monitored even while the communication control device 10 is in operation.
- the communication control system 100 of the base technology has various functions connected to the periphery of the communication control device 10 configured by a dedicated hardware circuit for high-speed operation.
- various functions can be realized by a similar configuration by appropriately replacing the software of the server group. According to the base technology, such a highly flexible communication control system can be provided.
- FIG. 2 shows a configuration of a conventional communication control device 1.
- the conventional communication control apparatus 1 includes a communication control unit 2 on the reception side, a packet processing unit 3, and a communication control unit 4 on the transmission side.
- Communication control Each of the units 2 and 4 includes a PHY processing unit 5a and 5b that processes the physical layer of the packet, and a MAC processing unit 6a and 6b that processes the MAC layer of the packet.
- the packet processing unit 3 includes a protocol processing unit that performs processing according to a protocol, such as an IP processing unit 7 that performs IP (Internet Protocol) protocol processing and a TCP processing unit 8 that performs TCP (Transport Control Protocol) protocol processing.
- an AP processing unit 9 that performs application layer processing.
- the AP processing unit 9 executes processing such as filtering according to data included in the packet.
- the packet processing unit 3 is realized by software using a CPU that is a general-purpose processor and an OS that runs on a CPU.
- the performance of the communication control device 1 depends on the performance of the CPU, and even if it is intended to realize a communication control device capable of processing large-capacity packets at high speed, it is naturally limited. There is. For example, with a 64-bit CPU, the maximum amount of data that can be processed simultaneously at one time is 64 bits, and there was no communication control device with higher performance.
- maintenance work such as OS version upgrades that would never have the possibility of security holes was required.
- FIG. 3 shows the configuration of the communication control apparatus of the base technology.
- the communication control device 10 is configured by dedicated hardware using a wired logic circuit instead of the packet processing unit 3 that is realized by software including a CPU and an OS in the conventional communication control device 1 shown in FIG.
- the packet processing circuit 20 is provided.
- the communication data and the reference are used using the CPU.
- the CPU repeats the process of reading 64 bits from the communication data into the memory, comparing it with the reference data, and then reading the next 64 bits into the memory. Since it is necessary to repeat the process, the reading time to the memory is rate-determined, and the processing speed is limited.
- a dedicated hardware circuit configured by a wired logic circuit.
- This circuit includes a plurality of comparators provided in parallel to allow comparison of data lengths longer than 64 bits, eg, data lengths of 1024 bits.
- the communication control device 1 using the conventional CPU can process only 1024 bits at a time, but can dramatically increase the processing speed by processing only 1024 bits at a time. .
- Increasing the number of comparators improves processing performance, but also increases cost and size, so it is only necessary to design an optimal hardware circuit in consideration of the desired processing performance, cost, size, etc.
- a dedicated hardware circuit may be realized using FPGA (Field Programmable Gate Array).
- the communication control apparatus 10 of the base technology is configured by dedicated hardware using a wired logic circuit, and therefore does not require an OS (Operating System). For this reason, it is possible to reduce costs and man-hours for management and maintenance that require operations such as OS installation, bug handling, and version upgrade. Also, unlike CPUs that require general-purpose functions, they do not include unnecessary functions, so you can reduce costs without using extra resources, reduce circuit area, and increase processing speed. . Furthermore, unlike conventional communication control devices that use OS, it does not have extra functions, so it is less likely to generate security holes, etc. against attacks from malicious third parties via networks. Excellent resistance.
- OS Operating System
- the conventional communication control device 1 processes a packet by software premised on the CPU and OS, receives all the data of the packet, performs a powerful protocol process, and passes the data to the application. .
- the communication control apparatus 10 of the base technology since processing is performed by a dedicated hardware circuit, it is not necessary to start processing after receiving all the data of the packet. In this way, the process can be started at any time without waiting for the subsequent data to be received. For example, position detection described later The position detection process in the circuit can be started when position specifying data for specifying the position of the comparison target data is received. As described above, since various processes can be executed in a floating manner without waiting for reception of all data, the time required to process packet data can be shortened.
- FIG. 4 shows an internal configuration of the packet processing circuit.
- the packet processing circuit 20 includes a first database 50 that stores reference data serving as a reference for determining the contents of processing to be performed on communication data, and the received communication data includes reference data! Whether or not the search circuit 30 for searching by comparing the communication data with the reference data, and the search result by the search circuit 30 and the contents of the processing to be executed for the communication data are stored in association with each other.
- the second database 60 includes a processing execution circuit 40 that processes communication data based on the search result by the search circuit 30 and the conditions stored in the second database 60.
- the search circuit 30 divides the reference data stored in the first database 50 into three or more ranges, the position detection circuit 32 for detecting the position of the comparison target data to be compared with the reference data from the communication data Index circuit 34, which is an example of a determination circuit that determines to which of the ranges the comparison target data belongs, and a binary search that searches for reference data that matches the comparison target data within the determined range Circuit 36.
- the binary search method is used in the premise technology that can use any search technology.
- FIG. 5 shows an internal configuration of the position detection circuit.
- the position detection circuit 32 includes a plurality of comparison circuits 33a to 33f for comparing the position specifying data for specifying the position of the comparison target data with the communication data.
- six comparison circuits 33a to 33f are provided, but as will be described later, the number of comparison circuits may be arbitrary.
- Communication data is input to each of the comparison circuits 33a to 33f with a predetermined data length, for example, shifted by 1 byte.
- the plurality of comparison circuits 33a to 33f the position specifying data to be detected and the communication data are compared in parallel at the same time.
- the character string "No. # # #” included in the communication data is detected and included in the character string.
- the number “# # #” is compared with the reference data. This is explained in the case where the packet is discarded if it does not match.
- the comparison circuit 33c matches, and it is detected that the character string “No.” exists as the third character from the top of the communication data. In this way, it is detected that numerical data as comparison target data exists after the position specifying data “No.” detected by the position detection circuit 32.
- the position detection circuit 32 may be used as a circuit for detecting a character string for general purposes, not only for detecting position specifying data. It may also be configured to detect position specific data in bit units, not just character strings.
- FIG. 6 shows an example of internal data of the first database.
- the first database 50 stores the data sorted according to some sort condition, which is a reference data force used as a reference for determining the contents of processing such as knot filtering, routing, switching, and replacement.
- some sort condition which is a reference data force used as a reference for determining the contents of processing such as knot filtering, routing, switching, and replacement.
- 1000 pieces of reference data are stored.
- the first record of the first database 50 includes the position of the comparison target data in the communication data.
- An offset 51 indicating the position is stored.
- the data structure in the knot is defined in bit units, so if the position of flag information etc. for determining the processing contents of the packet is set as offset 51, only the necessary bits are set. Since the processing contents can be determined by comparing the two, the processing efficiency can be improved. Even if the data structure of the packet is changed, it can be dealt with by changing the offset 51.
- the first database 50 may store the data length of the comparison target data. As a result, comparison can be performed by operating only the necessary comparators, so that search efficiency can be improved.
- the index circuit 34 determines to which of these ranges the comparison target data belongs.
- 1000 pieces of reference data are divided into four ranges 52a to 52d, each having 250 pieces.
- the index circuit 34 includes a plurality of comparison circuits 35a to 35c that compare the reference data at the boundary of the range with the comparison target data. By comparing the comparison target data and the boundary reference data simultaneously in parallel by the comparison circuits 35a to 35c, it is possible to determine which range the comparison target data belongs to by one comparison process.
- the boundary reference data input to the comparison circuits 35a to 35c of the index circuit 34 may be set by a device provided outside the communication control device 10, or may be set in advance in the first database 50.
- the reference data for the position may be entered automatically! In the latter case, even if the first database 50 is updated, the reference data at a predetermined position in the first database 50 is automatically input to the comparison circuits 35a to 35c. Processing can be executed.
- the binary search circuit 36 executes a search by the binary search method.
- the binary search circuit 36 is controlled by the index circuit 34.
- the determined range is further divided into two, and the reference data at the boundary position is compared with the comparison target data to determine which range it belongs to.
- the binary search circuit 36 includes a plurality of comparison circuits for comparing the reference data and the comparison target data in bit units, for example, 1024 in the base technology, and simultaneously executes 1024-bit bit matching.
- the reference data at the boundary position is read by dividing the range into two and compared with the comparison target data. Thereafter, this process is repeated to further limit the range, and finally, reference data that matches the comparison target data is searched.
- the comparison target data following the position specifying data “No.” is the number “361”. Since there is a space for one character between the position identification data “No.” and the comparison target data “361”, offset 51 is set to “8” to remove this space from the comparison target data. Is set.
- the Neua research circuit 36 skips “8” bits, that is, one byte from the communication data following the position specifying data “No.”, and reads “361” as the comparison target data.
- comparison circuits 35a to 35c of the index circuit 34 "361" is input as the comparison target data, and as the reference data, the comparison circuit 35a has the reference data "between the ranges 52a and 52b" Reference data “704” at the boundary between the ranges 52b and 52c is input to the comparison circuit 35b. Reference data “937” at the boundary between the ranges 52c and 52d is input to the comparison circuit 35c, respectively. Comparisons are made simultaneously by the comparison circuits 35a to 35c, and it is determined that the comparison target data “361” belongs to the range 52a. Thereafter, the binary search circuit 36 searches whether or not the comparison target data “361” exists in the reference data.
- FIG. 7 shows another example of internal data of the first database.
- the number of reference data is less than the number of data that can be held in the first database 50, here 1000.
- the first database 50 stores the reference data in descending order from the last data position. And 0 is stored in the remaining data.
- the database publishing method it is arranged from the back of the loading area without placing the leading force data, and if there is a vacancy at the beginning of the loading area, all vacancies are zero-suppressed. As a result, the database is always full, and the maximum time for binary search can be kept constant. Further, when “0” is read as the reference data during the search, the binary search circuit 36 can determine the range without performing the comparison and can proceed to the next comparison because the comparison result is obvious. This can improve the search speed.
- the reference data is stored in the first database 50, the reference data is stored in ascending order of the first data position.
- the comparison process as described above cannot be omitted in the remaining data.
- the comparison technique described above is realized by configuring the search circuit 30 with a dedicated hardware circuit.
- FIG. 8 shows still another example of internal data of the first database.
- the number of reference data belonging to the range is non-uniform, such as 500 for the range 52a and 100 for the range 52b. ing.
- These ranges may be set according to the distribution of the appearance frequency of the reference data in the communication data. That is, the ranges may be set so that the sum of the appearance frequencies of the reference data belonging to the respective ranges is substantially the same. This can improve the search efficiency.
- the reference data input to the comparison circuits 35a to 35c of the index circuit 34 may be capable of changing an external force. As a result, the range can be set dynamically and the search efficiency can be optimized.
- FIG. 9 shows a configuration of a comparison circuit included in the binary search circuit.
- the bin research circuit 36 includes 1024 comparison circuits 36a, 36b,. Each comparison circuit 36a, 36b,... Receives reference data 54 and comparison target data 56 one bit at a time, and compares them.
- the internal configurations of the comparison circuits 35a to 35c of the index circuit 34 are also the same. In this way, by executing the comparison process with a dedicated hardware circuit, a large number of comparison circuits can be operated in parallel and a large number of bits can be compared at the same time. be able to.
- FIG. 10 shows an example of internal data of the second database.
- the second database 60 is executed with respect to the search result column 62 for storing the search result by the search circuit 30 and the communication data.
- a processing content column 64 for storing the processing content to be stored, and the search result and the processing content are stored in association with each other.
- the passage condition is set to permit the packet to pass, and when it is not included, the packet is discarded.
- the processing execution circuit 40 searches the second database 60 based on the search result, and executes processing on the communication data.
- the processing execution circuit 40 may also be realized by a wired logic circuit.
- FIG. 11 shows another example of internal data of the second database.
- the processing content is set for each reference data.
- information about the route may be stored in the second database 60.
- the process execution circuit 40 executes processes such as filtering, routing, switching, and replacement stored in the second database 60 according to the search result by the search circuit 30.
- the first database 50 and the second database 60 may be integrated.
- the first database and the second database are rewritable by an external force. By exchanging these databases, various data processing and communication control can be realized using the same communication control device 10. It is also possible to set up two or more databases that store the reference data to be searched and perform multi-step search processing! At this time, more complicated conditional branches may be realized by providing two or more databases that store search results and processing contents in association with each other. In this way, if multiple databases are used to perform multi-stage searches, multiple position detection circuits 32, index circuits 34, binary search circuits 36, etc. may be provided.
- the data used for the comparison described above may be compressed by the same compression logic.
- the same comparison as usual is possible.
- the amount of data to be loaded at the time of comparison can be reduced. If the amount of data to be loaded is reduced, the time required to read data from the memory is shortened, so the overall processing time can be shortened.
- the amount of comparators can be reduced, so the equipment can be made smaller, lighter, and less expensive. It can contribute to the conversion.
- the data used for the comparison may be stored in a compressed format, or may be compressed after being read from the memory and before the comparison.
- FIG. 12 shows another configuration example of the communication control apparatus of the base technology.
- the communication control device 10 shown in this figure has two communication control units 12 having the same configuration as the communication control device 10 shown in FIG.
- a switching control unit 14 for controlling the operation of each communication control unit 12 is provided.
- Each communication control unit 12 has two input / output interfaces 16 and is connected to two networks on the upstream side and the downstream side via the respective input / output interfaces 16.
- the communication control unit 12 inputs communication data from either one of the network powers and outputs the processed data to the other network.
- the switching control unit 14 switches the direction of communication data flow in the communication control unit 12 by switching input / output of the input / output interface 16 provided in each communication control unit 12. As a result, bidirectional communication control is possible, not just in one direction.
- the switching control unit 14 may control so that one of the communication control units 12 processes an inbound packet and the other processes an outbound packet, or controls both to process an inbound packet.
- both parties may control to process outbound packets.
- the direction of communication to be controlled can be made variable according to the traffic status and purpose.
- the switching control unit 14 may acquire the operation status of each communication control unit 12, and may switch the direction of communication control according to the operation status. For example, when one communication control unit 12 is in a standby state and the other communication control unit 12 is operating, when it is detected that the communication control unit 12 has stopped due to a failure or the like, it is on standby as an alternative. The communication control unit 12 may be operated. As a result, the fault tolerance of the communication control device 10 can be improved. Further, when maintenance such as database update is performed on one communication control unit 12, the other communication control unit 12 may be operated as an alternative. Thereby, it is possible to appropriately perform maintenance without stopping the operation of the communication control device 10.
- Three or more communication control units 12 may be provided in the communication control device 10.
- Switching control unit For example, even if the communication status of each communication control unit 12 is controlled so that more communication control units 12 are allocated to the communication control processing in the direction with a large amount of traffic, for example, the traffic status is acquired. Good. As a result, even if the amount of communication in a certain direction increases, the decrease in communication speed can be minimized.
- a part of the communication control unit 2 or 4 may be shared between the plurality of communication control units 12.
- a part of the packet processing circuit 20 may be shared.
- a first storage unit that stores reference data serving as a reference for determining the content of processing to be performed on the acquired data
- a search unit that searches whether the reference data is included in the data by comparing the data with the reference data
- a second storage unit for storing the search result by the search unit and the content of the processing in association with each other;
- a processing unit that executes, on the data, a process associated with the search result based on the search result
- the search unit is configured by a wired logic circuit.
- the wired logic circuit includes a plurality of first comparison circuits that compare the data and the reference data bit by bit.
- the search unit includes a position detection circuit that detects a position of comparison target data to be compared with the reference data from the data.
- the position detection circuit includes the comparison target data.
- a plurality of second comparison circuits for comparing the position specifying data for specifying the position of the data and the data, and the data is input to the plurality of second comparison circuits by shifting the position by a predetermined data length.
- a data processing apparatus for comparing in parallel with the position specifying data.
- the search unit includes a binary search circuit for searching whether or not the reference data is included in the data by bina research.
- a data processing apparatus comprising:
- the reference data when the number of data of the reference data is smaller than the number of data that can be held in the first storage unit, the reference data in descending order from the last data position of the first storage unit.
- a data processing apparatus characterized by storing data and storing 0 in the remaining data.
- the search unit compares the plurality of reference data stored in the first storage unit with the reference data when divided into three or more ranges.
- a data processing apparatus comprising: a determination circuit that determines to which of the ranges the data to be compared belongs.
- the determination circuit includes a plurality of third comparison circuits that compare reference data at the boundary of the range and the comparison target data, and the plurality of third comparison circuits provide the comparison target.
- a data processing apparatus characterized in that a force belonging to any of the ranges of 3 or more is determined in parallel at the same time.
- the reference data stored at a predetermined position in the first storage unit is input to the third comparison circuit as reference data for the boundary.
- Data processing device the reference data stored at a predetermined position in the first storage unit is input to the third comparison circuit as reference data for the boundary.
- the first storage unit further stores information indicating a position of comparison target data in the data
- the search unit stores information indicating the position.
- a data processing apparatus wherein the comparison target data is extracted based on the data.
- the search unit when the search unit acquires data to be compared with the reference data without waiting for acquisition of all data in the communication packet, the data And a data processing device, wherein comparison of the reference data is started.
- a plurality of data processing devices according to any one of the above aspects 1 to 13 are provided, and each of the data processing devices includes two interfaces for inputting / outputting data to / from a communication line.
- a data processing apparatus characterized in that the direction of processing the data is variably controlled by switching between input and output.
- FIG. 13 shows an internal configuration of the packet processing circuit 20 for URL filtering.
- the packet processing circuit 20 includes a user database 57, a virus Z phishing site list 161, a white list 162, a black list 163, and a common category list 164 as the first database 50.
- the user database 57 is a list of users who use the communication control device 10. Store information.
- the communication control device 10 receives information for identifying the user from the user, matches the information received by the search circuit 30 with the user database 57, and authenticates the user.
- the source address stored in the IP header of the TCP / IP packet may be used, and the user power may accept the user ID and password. In the former case, the storage location of the source address in the packet is determined.
- the position detection circuit 32 when matching with the user database 57 in the search circuit 30, it is not necessary to detect the position by the position detection circuit 32. If you specify the storage location of. If the user is authenticated as a user registered in the user database 57, then the content URL is changed to the virus / phishing site list 161, the white list 162, the black list, in order to determine whether or not access to the content is permitted. 163 and common category list 164. Since the white list 162 and the black list 163 are provided for each user, when the user is authenticated and the user ID is arbitrarily determined, the white list 162 and the black list 163 of the user are given to the search circuit 30. .
- the virus / phishing site list 161 stores a list of URLs of contents including computer Winoles and a list of URLs of “ ⁇ ” sites used for phishing scams. Access requests for URL content stored in Virus Z Phishing Site List 161 are denied. Even if a user tries to access a virus site or phishing site without being aware of it or deceived, the access will be appropriately prohibited and the damage from viruses and phishing scams will be protected. Can do. In addition, since the list of virus sites and phishing sites is stored in the user's terminal and access is restricted on the terminal side, access control is performed centrally by the communication control device 10 provided in the communication path. Therefore, it is possible to restrict access more reliably and efficiently.
- the communication control device 10 acquires and maintains a list of authenticated sites that have been certified by a certification body as being a legitimate site, not a virus site or a phishing site, and accesses the URLs stored in the list. May be permitted.
- a legitimate site is hijacked by a virus, etc., and a virus is incorporated or used for phishing, a legitimate site operator or the like
- the URL of the site hijacked in the list 161 may be registered so that access can be temporarily prohibited until the site is restored to a normal state.
- information such as an IP number, TCP number, and MAC address may be combined and checked. As a result, prohibition conditions with higher accuracy can be set, so that virus sites and phishing sites can be filtered more reliably.
- the white list 162 is provided for each user, and stores a list of URLs of contents permitted to be accessed.
- the black list 163 is provided for each user, and stores a list of URLs of contents whose access is prohibited.
- Fig. 14 (a) shows an example of internal data of virus / phishing site list 161
- Fig. 14 (b) shows an example of internal data of white list 162,
- Fig. 14 (c) shows black list 163.
- An example of internal data is shown.
- the virus Z phishing site list 161, the white list 162, and the black list 163 have a category number column 165, a URL column 166, and a title column 167, respectively.
- the URL field 166 stores the URL of the content for which access is permitted or prohibited.
- the category number column 165 stores content category numbers.
- the title column 167 stores the title of the content.
- the common category list 164 stores a list for classifying the content indicated by the URL into a plurality of categories.
- FIG. 15 shows an example of internal data of the common category list 164.
- the common category list 164 also includes a category number column 165, a URL column 166, and a title column 167.
- the communication control apparatus 10 extracts the URL included in the “GET” request message and the URL is stored in the virus / phishing site list 161, the white list 162, the black list 163, or the common category list 164.
- the search circuit 30 searches whether the power is included. At this time, for example, a character string “http: ⁇ ” may be detected by the position detection circuit 32, and a data string following the character string may be extracted as target data.
- the extracted URL is matched with the reference data of the virus Z phishing site list 161, the white list 162, the black list 163, and the common category list 164 by the index circuit 34 and the binary search circuit 36.
- FIGS. 16 (a), (b), (c), and (d) show the second database 60 for URL filtering.
- An example of internal data is shown.
- Figure 16 (a) shows the search results and processing details for the virus Z phishing site list 161. URL power included in a GET request, etc. If it matches a URL included in the Virus Z Fitting Cinder Site List 161, access to that URL is prohibited.
- FIG. 16 (b) shows the search results and processing contents for the white list 162.
- FIG. 16 (c) shows search results and processing contents for the blacklist 163.
- FIG. 16 (d) shows search results and processing contents for the common category list 164.
- the user for the search result for the common category list 164, the user must individually set whether to prohibit access to content belonging to the category for each category. Can do.
- a user ID column 168 and a category column 169 are provided in the second database 60 related to the common category list 164.
- the user ID column 168 stores an ID for identifying the user.
- the category column 169 stores information indicating whether or not the user permits access to content belonging to the category for each of the 57 categories. If the URL matches the URL included in the URL force common category list 164 included in the GET request, whether the access to the URL is permitted is determined based on the category of the URL and the user ID.
- the number of common categories is 57, but other common categories may be used.
- FIG. 17 shows priorities of the virus / phishing site list 161, the white list 162, the black list 163, and the common category list 164.
- the priority is higher in the order of Virus Z Fitting Site List 161, White List 162, Black List 163, and Common Category List 164.
- the URL of the content that is permitted to be accessed in White List 162 Even if the URL is stored in the virus / phishing site list 161, access is prohibited as content containing computer viruses or content used for phishing scams.
- the first hit is performed by matching in order from the list with the highest priority.
- the power was low, the priority was low, and the power of overwriting what was hit later was matched.
- the search circuit 30a for matching the virus Z fishing site list 161 and the search for matching the white list 162 are performed.
- a circuit 30b, a search circuit 30c for matching the black list 163, and a search circuit 30d for matching the common category list 164 are provided, and each search circuit 30 performs matching in parallel at the same time. If multiple lists are hit, the one with the highest priority is used. As a result, even when a plurality of databases are provided and priorities are set for them, the search time can be greatly reduced.
- Which of the virus Z phishing site list 161, the white list 162, the black list 163, and the common category list 164 is to be prioritized to determine whether access is permitted or not is set in the second database 60, for example.
- Moyo. V You can rewrite the conditions of the second database 60 according to whether you give priority to the list of deviations! /.
- the process execution circuit 40 When access to the content is permitted, the process execution circuit 40 outputs a signal for notifying the message output server 130 of the fact.
- the message output server 130 sends a “GET” request message to the server holding the content.
- the processing execution circuit 40 When access to the content is prohibited, when the processing execution circuit 40 outputs a signal for notifying the message output server 130 to that effect, the message output server 130 sends a “GET” request message to the access destination server. Discard without sending. At this time, a response message indicating that access is prohibited may be transmitted to the request source. It may also be forcibly transferred to another web page. In this case, the process execution circuit 40 Rewrite the destination address and URL to the destination address and send it. Information such as the URL of the response message is stored in the second database 60, the message output server 130, etc.!
- the message output server 130 uses the ping command or the like to confirm that the request source actually exists, and if it exists, confirms the state of the request source and then sends a message to the request source. May be output.
- the message sent from the message output server 130 to the request source may be set for each user, or for each access destination content, each category, or a database such as the white list 162 or the black list 163. Each may be settable. For example, the screen displayed when access is prohibited may be registered in the message output server 130 by the user by customizing the screen. Also, as described above, when a legitimate site is hacked and access is temporarily restricted, a message for guiding to a mirror site of the legitimate site may be output.
- the message output server 130 may manage a message transmission history and use the message transmission history information for various controls. For example, if a large number of access requests are sent within a short time, the request source may be a denial of service attack (DoS attack). The packet from the request source may be blocked without being sent to the request destination.
- the message transmission history may be statistically processed and provided to a website administrator or the like. As a result, the user's access history can be used for marketing and communication status control. Depending on the situation, the number of message transmissions can be reduced or increased. For example, when a specific IP number access request is sent, many times as many messages can be sent for that single request message.
- the search circuit 30 is a dedicated hardware circuit composed of an FPGA or the like, high-speed search processing is realized as described above, and filtering processing is performed while minimizing the impact on traffic. Can do. Power of Internet Service Providers By providing such a filtering service, the added value can be increased and more users can be gathered.
- the white list 162 or the black list 163 may be provided in common for all users.
- a technique for outputting a message to an access request source is proposed.
- the communication control device 10 receives the access request packet for the content, determines whether the access is permitted, and if the access is prohibited, the communication control device 10 gives an error to the message output server 130. Directs output of messages such as messages.
- the message output to the access request source by the message output server 130 can be flexibly set for each user of the access request source, for each URL of the access destination, for each category, for each database, etc. Appropriate messages can be output accordingly.
- content and a message may be stored in association with each other, and a message associated with the content may be output to a user who has issued an access request to the content. .
- FIG. 18 shows a configuration of message output server 130 according to the embodiment.
- the message output server 130 of this embodiment includes a message output unit 131, a message holding unit 132, a history holding unit 133, an evaluation unit 134, a registration receiving unit 135, and a charging unit 136.
- the message holding unit 132 holds a message output to the access request source.
- the message may be set for each user.
- the message holding unit 132 stores information for identifying the user in association with the message output to the user or the file name of the file storing the message.
- the message may be set for each category in the category list or for each URL accessed.
- the site operator may set advertisement information as a message for each URL.
- the message holding unit 132 can set a message according to a plurality of conditions such as for each user or for each URL, information indicating whether to give priority to the shifted message may be further stored.
- the registration receiving unit 135 receives message registration. Set a message for each user When the registration is possible, the registration reception unit 135 receives a message registration from the user and registers it in the message holding unit 132. In addition, registration of messages may be accepted from content providers and advertisement providers. When charging the registration fee for the message registrant, the registration receiving unit 135 instructs the charging unit 136 to charge the registration fee when receiving the message registration. The billing unit 136 performs processing for subtracting the registration fee from the registrant's account.
- the message output unit 131 uses the connection management server 120 or the communication control device 10 that processes the access request packet, and the user ID of the access requesting user. And the message holding unit 132 is referred to, and the message set for the user is output.
- the message output unit 131 acquires the URL or category identification information of the access destination from the communication control device 10, and refers to the message holding unit 132. , Output the message set in the URL or category.
- the message output unit 131 registers the history of outputting the message in the history holding unit 133.
- the billing unit 136 is instructed to charge.
- a message including an advertisement may be set for each category or URL of the access destination! /.
- an advertisement related to the content of the site may be included in the message. This makes it possible to provide advertisements related to the site that the user is trying to browse, so that the advertising effectiveness can be enhanced.
- a message including an advertisement may be set for each user. For example, a user may set an area of interest and include information such as advertisements in the message.
- the message may include a link to another site.
- links to other sites include links to sites that offer advertisements, links to sites related to the content you are accessing, links to sites with higher popularity rankings, It may contain links to sites, etc.
- a message including a link to the mirror site may be output to a user who tries to access the site.
- a message including a link to the destination URL may be output to the user who tries to access the URL before the transfer.
- the message output unit 131 extracts a list of sites related to the content of the access destination, such as highly related sites, popular sites, high-quality sites, sites authenticated by a certificate authority, etc. Create it and include it in the message.
- the evaluation unit 134 refers to the message output history held in the history holding unit 133 and evaluates the communication status, the status of the access request source, and the like.
- the evaluation unit 134 may statistically process the message transmission history and provide it to a website administrator or the like.
- the user's access history can be used for marketing or for communication status control.
- set the user's terminal to send access requests periodically refer to the message sending history for that, understand the user's action history, etc. so that it can be used for IJ. Oh ,.
- the evaluation unit 134 may be a denial of service attack (DoS attack), etc., when a large number of access requests are sent in the same request power for a short time.
- the request source may be registered in the access denial list, and the packet from the request source may be blocked without being sent to the request destination.
- the evaluation unit 134 may confirm that the request source actually exists by using a ping command or the like, and may confirm the state if it exists.
- the message output unit 131 may output a message to the request source.
- the communication control device 10 is a completely transparent communication device that does not have an OS and a CPU, and does not have an IP address, and thus is not subject to attack.
- the message output server 130 can “repel” a message to the attacker, so that the attacker's device can be loaded. In this case, since the communication control system 100 rebounds without passing an unauthorized access request, it functions like a mirror. Sending multiple messages in response to one access request.
- Communication control system 100 of the present embodiment is provided in a communication path between a user terminal that issues an access request and an access destination device. Examples of the arrangement of the communication control system 100 are listed below.
- FIG. 19 shows an example of the arrangement of the communication control system.
- This figure shows an example in which a mobile phone terminal 260 is used as an example of a user terminal.
- An access request issued from the mobile phone terminal 260 is sent to the Internet 200 via the base station device 262 installed by the carrier and the control station device 264 provided in the station building, and reaches the web server 250 via the Internet 200.
- the base station apparatus 262 is provided with a communication control system 100.
- the content of the message holding unit 132 may be changed for each base station device 262, and a different message may be output for each area covered by the base station device 262.
- the communication control system 100 may be downsized by installing only the minimum necessary functions. For example, the configuration of the connection management server 120, the log management server 140, etc. may be omitted.
- the communication control system 100 By providing the communication control system 100 in the base station device 262, communication control processing is distributed. Therefore, it is possible to reduce the size and weight of the device by providing a small communication control system 100, and to reduce costs. can do.
- access requests issued from the mobile phone terminal 260 are controlled. Since a message can be sent to the request source before sending it to the master station device 264, the amount of communication can be reduced. In addition, since a message is sent to the base station device 262 that communicates directly with the mobile phone terminal 260, the ability to deliver the message to the mobile phone terminal 260 more reliably and quickly can be used.
- FIG. 20 shows another arrangement example of the communication control system. This figure is also different from the example shown in FIG. 19 in which the mobile phone terminal 260 is used. Since the message processing is centrally executed in the control station device 264 provided in the station building, system maintenance is easy.
- FIG. 21 shows still another arrangement example of the communication control system.
- a mobile phone terminal 260 is used as an example of a user terminal.
- An access request issued from the mobile phone terminal 260 is transmitted to the Internet 200 via the wireless LAN access point 272 and the router device 274, and reaches the web server 250 via the Internet 200.
- the communication control system 100 is provided at the access point 272.
- the access point 272 by executing message processing with a device close to the mobile phone terminal 260, it is possible to reduce useless communication.
- communication control according to the access point 272 can be performed, such as preventing employees from accessing inappropriate websites during working hours.
- FIG. 22 shows still another arrangement example of the communication control system.
- This figure also shows an example of a wireless LAN, but unlike FIG. 21, a communication control system 100 is provided in the router device 274.
- the number of communication control systems 100 installed can be reduced, and maintenance can be facilitated.
- FIG. 23 and FIG. 24 show still another arrangement example of the communication control system.
- This figure shows an example in which a personal computer (PC) 280 is used as an example of a user terminal.
- the access request issued from the PC 280 is sent to the Internet 200 via the LAN router devices 282 and 284, and reaches the web server 250 via the Internet 200.
- FIG. 23 shows an example in which the communication control system 100 is provided in the router device 282
- FIG. 24 shows an example in which the communication control system 100 is provided in the router device 284.
- the communication control system 100 is incorporated in the devices constituting the network.
- the force communication control system 100 shown in FIG. 1 may be provided at an arbitrary position on the network.
- access control for communication data received by a receiving unit such as an antenna of the base station device 262 and the access point 272, a network device of the control station device 264, the router device 274, 282, or 284, etc.
- a message may be output without determining whether it is necessary.
- a message may be output without authenticating whether or not the requesting user is a user registered in the user database 57. That is, the communication control system 100 may capture all packets that pass through and output a message to the source of the packets.
- a message may be output only to a user authenticated by the connection management server 120, or a message may be output only to a user registered in the user database 57.
- the present invention can be applied to a communication control system that controls whether or not content can be accessed.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Business, Economics & Management (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- General Engineering & Computer Science (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- Theoretical Computer Science (AREA)
- Physics & Mathematics (AREA)
- General Business, Economics & Management (AREA)
- Accounting & Taxation (AREA)
- Finance (AREA)
- General Physics & Mathematics (AREA)
- Multimedia (AREA)
- Strategic Management (AREA)
- Marketing (AREA)
- Development Economics (AREA)
- Economics (AREA)
- Data Mining & Analysis (AREA)
- Databases & Information Systems (AREA)
- Mathematical Physics (AREA)
- Software Systems (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Computer And Data Communications (AREA)
Abstract
Description
Claims
Priority Applications (4)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
JP2007503606A JP4554671B2 (ja) | 2005-02-18 | 2006-01-31 | 通信制御装置 |
US11/884,607 US20080281716A1 (en) | 2005-02-18 | 2006-01-31 | Communication Control Device |
EP06712734A EP1850235A1 (en) | 2005-02-18 | 2006-01-31 | Communication control device |
CA002598375A CA2598375A1 (en) | 2005-02-18 | 2006-01-31 | Communication control device |
Applications Claiming Priority (4)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
JP2005-042755 | 2005-02-18 | ||
JP2005042755 | 2005-02-18 | ||
JP2005-248482 | 2005-08-29 | ||
JP2005248482 | 2005-08-29 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2006087907A1 true WO2006087907A1 (ja) | 2006-08-24 |
Family
ID=36916318
Family Applications (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/JP2006/301592 WO2006087908A1 (ja) | 2005-02-18 | 2006-01-31 | 通信制御装置 |
PCT/JP2006/301591 WO2006087907A1 (ja) | 2005-02-18 | 2006-01-31 | 通信制御装置 |
Family Applications Before (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/JP2006/301592 WO2006087908A1 (ja) | 2005-02-18 | 2006-01-31 | 通信制御装置 |
Country Status (6)
Country | Link |
---|---|
US (2) | US20080196085A1 (ja) |
EP (2) | EP1850236A1 (ja) |
JP (2) | JP4554671B2 (ja) |
KR (2) | KR20070103502A (ja) |
CA (2) | CA2598375A1 (ja) |
WO (2) | WO2006087908A1 (ja) |
Cited By (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2008062542A1 (fr) * | 2006-11-24 | 2008-05-29 | Duaxes Corporation | Appareil de commande de communication |
JP2009290469A (ja) * | 2008-05-28 | 2009-12-10 | Hideaki Watanabe | ネットワーク通信システム |
JPWO2009066348A1 (ja) | 2007-11-19 | 2011-03-31 | デュアキシズ株式会社 | 通信制御装置及び通信制御方法 |
JP2012515956A (ja) * | 2009-01-16 | 2012-07-12 | デバイススケープ・ソフトウェア・インコーポレーテッド | 強化されたスマートクライアントサポートのためのシステム及びその方法 |
JP5488462B2 (ja) * | 2008-05-16 | 2014-05-14 | 日本電気株式会社 | 基地局装置、情報処理装置、フィルタリングシステム、フィルタリング方法及びプログラム |
JPWO2021124485A1 (ja) * | 2019-12-18 | 2021-06-24 |
Families Citing this family (38)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
KR100745044B1 (ko) * | 2006-03-29 | 2007-08-01 | 한국전자통신연구원 | 피싱 사이트 접속 방지 장치 및 방법 |
US20070245422A1 (en) * | 2006-04-18 | 2007-10-18 | Softrun, Inc. | Phishing-Prevention Method Through Analysis of Internet Website to be Accessed and Storage Medium Storing Computer Program Source for Executing the Same |
US7873915B2 (en) * | 2006-06-16 | 2011-01-18 | Microsoft Corporation | Suppressing dialog boxes |
US8904487B2 (en) * | 2006-08-31 | 2014-12-02 | Red Hat, Inc. | Preventing information theft |
US20080060062A1 (en) * | 2006-08-31 | 2008-03-06 | Robert B Lord | Methods and systems for preventing information theft |
US9326138B2 (en) | 2006-09-06 | 2016-04-26 | Devicescape Software, Inc. | Systems and methods for determining location over a network |
US8743778B2 (en) * | 2006-09-06 | 2014-06-03 | Devicescape Software, Inc. | Systems and methods for obtaining network credentials |
US8893241B2 (en) | 2007-06-01 | 2014-11-18 | Albright Associates | Systems and methods for universal enhanced log-in, identity document verification and dedicated survey participation |
US9398022B2 (en) | 2007-06-01 | 2016-07-19 | Teresa C. Piliouras | Systems and methods for universal enhanced log-in, identity document verification, and dedicated survey participation |
US8959584B2 (en) | 2007-06-01 | 2015-02-17 | Albright Associates | Systems and methods for universal enhanced log-in, identity document verification and dedicated survey participation |
US8056118B2 (en) | 2007-06-01 | 2011-11-08 | Piliouras Teresa C | Systems and methods for universal enhanced log-in, identity document verification, and dedicated survey participation |
US20090094073A1 (en) * | 2007-10-03 | 2009-04-09 | Yahoo! Inc. | Real time click (rtc) system and methods |
US8091118B2 (en) * | 2007-12-21 | 2012-01-03 | At & T Intellectual Property I, Lp | Method and system to optimize efficiency when managing lists of untrusted network sites |
US8413250B1 (en) | 2008-06-05 | 2013-04-02 | A9.Com, Inc. | Systems and methods of classifying sessions |
GB2462456A (en) * | 2008-08-08 | 2010-02-10 | Anastasios Bitsios | A method of determining whether a website is a phishing website, and apparatus for the same |
US8122129B2 (en) * | 2008-09-09 | 2012-02-21 | Actiance, Inc. | Hash-based resource matching |
US20100064353A1 (en) * | 2008-09-09 | 2010-03-11 | Facetime Communications, Inc. | User Mapping Mechanisms |
CN101674293B (zh) * | 2008-09-11 | 2013-04-03 | 阿里巴巴集团控股有限公司 | 一种分布式应用中处理非正常请求的方法及系统 |
US8484338B2 (en) * | 2008-10-02 | 2013-07-09 | Actiance, Inc. | Application detection architecture and techniques |
JP5304801B2 (ja) * | 2009-01-07 | 2013-10-02 | 富士通株式会社 | 無線基地局、無線通信システムおよび無線通信方法 |
JP5367845B2 (ja) * | 2009-02-20 | 2013-12-11 | テレフオンアクチーボラゲット エル エム エリクソン(パブル) | リモートソースからのdlnaデータ配信 |
TWI476624B (zh) * | 2009-05-13 | 2015-03-11 | Alibaba Group Holding Ltd | Methods and Systems for Handling Abnormal Requests in Distributed Applications |
JP5455582B2 (ja) * | 2009-11-27 | 2014-03-26 | キヤノン株式会社 | 情報処理装置及びその制御方法、並びにプログラム |
KR101080734B1 (ko) * | 2010-01-14 | 2011-11-07 | 주식회사 안철수연구소 | 스푸핑 방지 방법 및 장치 |
US20130218999A1 (en) * | 2010-12-01 | 2013-08-22 | John Martin | Electronic message response and remediation system and method |
EP2676399A4 (en) | 2011-02-14 | 2016-02-17 | Devicescape Software Inc | SYSTEMS AND METHODS FOR NETWORK CARE |
KR101231975B1 (ko) * | 2011-05-12 | 2013-02-08 | (주)이스트소프트 | 차단서버를 이용한 스푸핑 공격 방어방법 |
US8700913B1 (en) | 2011-09-23 | 2014-04-15 | Trend Micro Incorporated | Detection of fake antivirus in computers |
US8953471B2 (en) * | 2012-01-05 | 2015-02-10 | International Business Machines Corporation | Counteracting spam in voice over internet protocol telephony systems |
CN103248613B (zh) * | 2012-02-09 | 2014-07-23 | 腾讯科技(深圳)有限公司 | 控制应用程序访问网络的方法及装置 |
CN103259767B (zh) * | 2012-02-17 | 2016-05-04 | 宇龙计算机通信科技(深圳)有限公司 | 防止移动终端成为ddos攻击源的方法及移动终端 |
US8997228B1 (en) * | 2012-09-06 | 2015-03-31 | Symantec Corporation | Techniques for detecting infected websites |
CN103679053B (zh) * | 2013-11-29 | 2017-03-15 | 北京奇安信科技有限公司 | 一种网页篡改的检测方法及装置 |
US20160127461A1 (en) * | 2014-10-30 | 2016-05-05 | Barracuda Networks, Inc. | Method and apparatus for real time interactive moderation of network traffic |
CN104580204A (zh) * | 2014-12-31 | 2015-04-29 | 北京奇虎科技有限公司 | 镜像网站识别方法及装置 |
WO2017113082A1 (en) * | 2015-12-29 | 2017-07-06 | Thomson Licensing | Url filtering method and device |
US12019774B2 (en) * | 2018-04-19 | 2024-06-25 | Murata Machinery, Ltd. | Exclusive control system and exclusive control method |
US10938821B2 (en) * | 2018-10-31 | 2021-03-02 | Dell Products L.P. | Remote access controller support registration system |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2002342279A (ja) * | 2001-03-13 | 2002-11-29 | Fujitsu Ltd | フィルタリング装置、フィルタリング方法およびこの方法をコンピュータに実行させるプログラム |
JP2003324460A (ja) * | 2002-05-08 | 2003-11-14 | Nippon Telegr & Teleph Corp <Ntt> | アクセス制御時のエラーメッセージ表示方法およびゲートウェイ装置 |
JP2005004620A (ja) * | 2003-06-13 | 2005-01-06 | Fujitsu Ltd | 広告配信方法および広告配信プログラム |
Family Cites Families (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6516416B2 (en) * | 1997-06-11 | 2003-02-04 | Prism Resources | Subscription access system for use with an untrusted network |
US6631466B1 (en) * | 1998-12-31 | 2003-10-07 | Pmc-Sierra | Parallel string pattern searches in respective ones of array of nanocomputers |
JP3605343B2 (ja) * | 2000-03-31 | 2004-12-22 | デジタルア−ツ株式会社 | インターネット閲覧制御方法、その方法を実施するプログラムを記録した媒体およびインターネット閲覧制御装置 |
KR100329545B1 (ko) * | 2000-04-21 | 2002-04-01 | 김태주 | 유해사이트의 접속차단 서비스 제공장치 및 방법 |
US6697806B1 (en) * | 2000-04-24 | 2004-02-24 | Sprint Communications Company, L.P. | Access network authorization |
JP2002073548A (ja) * | 2000-09-05 | 2002-03-12 | Maspro Denkoh Corp | データアクセス制限装置 |
US20070192863A1 (en) * | 2005-07-01 | 2007-08-16 | Harsh Kapoor | Systems and methods for processing data flows |
US8055899B2 (en) * | 2000-12-18 | 2011-11-08 | Digimarc Corporation | Systems and methods using digital watermarking and identifier extraction to provide promotional opportunities |
JP3731111B2 (ja) * | 2001-02-23 | 2006-01-05 | 三菱電機株式会社 | 侵入検出装置およびシステムならびにルータ |
US20060064469A1 (en) * | 2004-09-23 | 2006-03-23 | Cisco Technology, Inc. | System and method for URL filtering in a firewall |
US20060123478A1 (en) * | 2004-12-02 | 2006-06-08 | Microsoft Corporation | Phishing detection, prevention, and notification |
-
2006
- 2006-01-31 CA CA002598375A patent/CA2598375A1/en not_active Abandoned
- 2006-01-31 EP EP06712735A patent/EP1850236A1/en not_active Withdrawn
- 2006-01-31 US US11/884,589 patent/US20080196085A1/en not_active Abandoned
- 2006-01-31 KR KR1020077021090A patent/KR20070103502A/ko not_active Application Discontinuation
- 2006-01-31 CA CA002598392A patent/CA2598392A1/en not_active Abandoned
- 2006-01-31 JP JP2007503606A patent/JP4554671B2/ja not_active Expired - Fee Related
- 2006-01-31 WO PCT/JP2006/301592 patent/WO2006087908A1/ja active Application Filing
- 2006-01-31 KR KR1020077020854A patent/KR20070112166A/ko not_active Application Discontinuation
- 2006-01-31 EP EP06712734A patent/EP1850235A1/en not_active Withdrawn
- 2006-01-31 US US11/884,607 patent/US20080281716A1/en not_active Abandoned
- 2006-01-31 WO PCT/JP2006/301591 patent/WO2006087907A1/ja active Application Filing
- 2006-01-31 JP JP2007503607A patent/JPWO2006087908A1/ja active Pending
Patent Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2002342279A (ja) * | 2001-03-13 | 2002-11-29 | Fujitsu Ltd | フィルタリング装置、フィルタリング方法およびこの方法をコンピュータに実行させるプログラム |
JP2003324460A (ja) * | 2002-05-08 | 2003-11-14 | Nippon Telegr & Teleph Corp <Ntt> | アクセス制御時のエラーメッセージ表示方法およびゲートウェイ装置 |
JP2005004620A (ja) * | 2003-06-13 | 2005-01-06 | Fujitsu Ltd | 広告配信方法および広告配信プログラム |
Cited By (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2008062542A1 (fr) * | 2006-11-24 | 2008-05-29 | Duaxes Corporation | Appareil de commande de communication |
JPWO2009066348A1 (ja) | 2007-11-19 | 2011-03-31 | デュアキシズ株式会社 | 通信制御装置及び通信制御方法 |
JP5488462B2 (ja) * | 2008-05-16 | 2014-05-14 | 日本電気株式会社 | 基地局装置、情報処理装置、フィルタリングシステム、フィルタリング方法及びプログラム |
JP2009290469A (ja) * | 2008-05-28 | 2009-12-10 | Hideaki Watanabe | ネットワーク通信システム |
JP2012515956A (ja) * | 2009-01-16 | 2012-07-12 | デバイススケープ・ソフトウェア・インコーポレーテッド | 強化されたスマートクライアントサポートのためのシステム及びその方法 |
JPWO2021124485A1 (ja) * | 2019-12-18 | 2021-06-24 | ||
JP7416089B2 (ja) | 2019-12-18 | 2024-01-17 | 日本電気株式会社 | 管理装置、管理方法、及びプログラム |
Also Published As
Publication number | Publication date |
---|---|
KR20070112166A (ko) | 2007-11-22 |
EP1850235A1 (en) | 2007-10-31 |
JPWO2006087908A1 (ja) | 2008-07-03 |
JPWO2006087907A1 (ja) | 2008-07-03 |
KR20070103502A (ko) | 2007-10-23 |
US20080281716A1 (en) | 2008-11-13 |
CA2598375A1 (en) | 2006-08-24 |
EP1850236A1 (en) | 2007-10-31 |
US20080196085A1 (en) | 2008-08-14 |
CA2598392A1 (en) | 2006-08-24 |
WO2006087908A1 (ja) | 2006-08-24 |
JP4554671B2 (ja) | 2010-09-29 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
JP4554671B2 (ja) | 通信制御装置 | |
JP4554675B2 (ja) | 通信制御装置及び通信制御システム | |
JP4546998B2 (ja) | 通信制御システム | |
JP4087428B2 (ja) | データ処理システム | |
KR20070103774A (ko) | 통신 제어 장치 및 통신 제어 시스템 | |
WO2008062542A1 (fr) | Appareil de commande de communication | |
WO2006087837A1 (ja) | 通信制御装置及び通信制御システム | |
JP4319246B2 (ja) | 通信制御装置及び通信制御方法 | |
JP5156892B2 (ja) | ログ出力制御装置及びログ出力制御方法 | |
JPWO2009066347A1 (ja) | 負荷分散装置 | |
JPWO2009066344A1 (ja) | 通信制御装置、通信制御システム及び通信制御方法 | |
WO2008075426A1 (ja) | 通信制御装置及び通信制御方法 | |
JPWO2009066349A1 (ja) | 通信制御装置及び通信制御方法 | |
JP4638513B2 (ja) | 通信制御装置及び通信制御方法 | |
JPWO2009069178A1 (ja) | 通信制御装置及び通信制御方法 | |
JPWO2009066348A1 (ja) | 通信制御装置及び通信制御方法 | |
KR20070121806A (ko) | 통신 제어 장치 및 통신 제어 시스템 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application | ||
WWE | Wipo information: entry into national phase |
Ref document number: 2007503606 Country of ref document: JP |
|
WWE | Wipo information: entry into national phase |
Ref document number: 2006712734 Country of ref document: EP |
|
WWE | Wipo information: entry into national phase |
Ref document number: 2598375 Country of ref document: CA |
|
NENP | Non-entry into the national phase |
Ref country code: DE |
|
WWE | Wipo information: entry into national phase |
Ref document number: 1020077021090 Country of ref document: KR |
|
WWE | Wipo information: entry into national phase |
Ref document number: 200680010718.2 Country of ref document: CN |
|
WWP | Wipo information: published in national office |
Ref document number: 2006712734 Country of ref document: EP |
|
WWE | Wipo information: entry into national phase |
Ref document number: 11884607 Country of ref document: US |