WO2006103743A1 - Communication control device and communication control system - Google Patents
- Publication number: WO2006103743A1 (PCT/JP2005/005789)
- Authority: WO (WIPO, PCT)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/101—Access control lists [ACL]
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/145—Countermeasures against malicious traffic the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
- Y10—TECHNICAL SUBJECTS COVERED BY FORMER USPC
- Y10S—TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
- Y10S707/00—Data processing: database and file management or data structures
- Y10S707/912—Applications of a database
- Y10S707/922—Communications
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
- Y10—TECHNICAL SUBJECTS COVERED BY FORMER USPC
- Y10S—TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
- Y10S707/00—Data processing: database and file management or data structures
- Y10S707/953—Organization of data
- Y10S707/959—Network
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
- Y10—TECHNICAL SUBJECTS COVERED BY FORMER USPC
- Y10S—TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
- Y10S707/00—Data processing: database and file management or data structures
- Y10S707/99931—Database or file accessing
- Y10S707/99939—Privileged access
Definitions
- the present invention relates to a communication control technique, and more particularly, to a communication control apparatus and a communication control system that control permission / refusal of access to content held at a location accessible via a network.
- databases such as a list of permitted access sites, a list of prohibited access sites, prohibited word keywords, and useful word keywords are prepared, and these databases are referred to when accessing external information via the Internet.
- a technique for controlling access has been proposed (for example, see Patent Document 1).
- Patent Document 1 Japanese Patent Laid-Open No. 2001-282797
- the present invention has been made in view of such circumstances, and an object thereof is to provide a technique for realizing a high-speed communication control device.
- One embodiment of the present invention relates to a communication control apparatus.
- the communication control apparatus includes a storage unit that stores reference data serving as a reference for determining whether or not to permit access to content held at a location accessible via a network, a search unit that acquires communication data requesting access to the content and searches whether or not the reference data is included in the communication data, and a processing unit that controls access to the content based on the search result.
- the search unit is configured by a wired logic circuit.
- the search unit may search whether or not the reference data is included in the information indicating the location of the access destination content included in the communication data.
- the information indicating the position of the content may be, for example, a URL (Uniform Resource Locator).
- the storage unit may include a plurality of databases that store the reference data.
- the search unit may include, for each of the plurality of databases, a search circuit that searches whether or not the reference data stored in that database is included in the communication data, and the plurality of search circuits may execute the search of the plurality of databases in parallel. Thereby, the search speed can be improved.
- priorities may be set for the plurality of databases; the plurality of search circuits execute the search of the plurality of databases in parallel, and when the communication data matches reference data in more than one database, the search result of the database with the higher priority is adopted. Even if priorities are set, the searches can be executed in parallel at the same time, so the search speed can be improved.
- the database may store data indicating a position of content permitted to be accessed.
- the database may store data indicating the location of content that is prohibited from being accessed.
- the database may store data indicating the location of content that contains a computer virus and to which access is prohibited.
- the database may store, for each category, data in which a user individually sets whether access to content belonging to that category is permitted or prohibited.
- the communication control system includes any one of the communication control devices described above and a server device connected to the communication control device and controlling the operation of the communication control device.
- the communication control device can realize various functions, and a highly flexible system can be provided.
- FIG. 1 is a diagram showing a configuration of a communication control system according to an embodiment.
- FIG. 2 is a diagram showing a configuration of a conventional communication control device.
- FIG. 3 is a diagram showing a configuration of a communication control apparatus according to the embodiment.
- FIG. 4 is a diagram showing an internal configuration of a packet processing circuit.
- FIG. 5 is a diagram showing an internal configuration of a position detection circuit.
- FIG. 6 is a diagram showing an example of internal data of the first database.
- FIG. 7 is a diagram showing another example of internal data of the first database.
- FIG. 8 is a diagram showing still another example of internal data in the first database.
- FIG. 9 is a diagram showing a configuration of a comparison circuit included in the binary search circuit.
- FIG. 10 is a diagram showing an example of internal data of the second database.
- FIG. 11 is a diagram showing another example of internal data of the second database.
- FIG. 12 is a diagram showing an internal configuration of a packet processing circuit according to the embodiment.
- FIG. 13 (a), (b), and (c) are diagrams showing examples of internal data of the virus list, the white list, and the black list, respectively.
- FIG. 14 is a diagram showing an example of internal data of a common category list.
- FIG. 15 (a), (b), (c), and (d) are diagrams showing examples of internal data of the second database.
- FIG. 16 is a diagram showing the priorities of the virus list, white list, black list, and common category list.
- 10 communication control device, 20 packet processing circuit, 30 search circuit, 32 position detection circuit, 33 comparison circuit, 34 index circuit, 35 comparison circuit, 36 binary search circuit, 40 processing execution circuit, 50 first database, 57 user database, 60 second database, 100 communication control system, 110 operation monitoring server, 120 connection management server, 130 message output server, 140 log management server, 150 database server, 160 URL database, 161 virus list, 162 white list, 163 black list, 164 common category list.
- FIG. 1 shows a configuration of a communication control system according to the embodiment.
- the communication control system 100 includes a communication control device 10 and various peripheral devices provided to support the operation of the communication control device 10.
- the communication control apparatus 10 of the present embodiment realizes a URL filtering function provided by an Internet service provider or the like.
- the communication control device 10 provided in the network path acquires an access request for content, analyzes it, and determines whether or not access to the content is permitted. When access to the content is permitted, the communication control device 10 sends the access request to the server that holds the content. When access to the content is prohibited, the communication control device 10 discards the access request and returns a warning message or the like to the request source.
- the communication control device 10 receives an HTTP (HyperText Transfer Protocol) “GET” request message and searches whether or not the URL of the access destination content matches the list of reference data for determining whether access is permitted, thereby determining whether or not to allow access to the content.
- the peripheral devices include an operation monitoring server 110, a connection management server 120, a message output server 130, a log management server 140, and a database server 150.
- the connection management server 120 manages connections to the communication control device 10. For example, when the communication control device 10 processes a packet transmitted from a mobile phone terminal, the connection management server 120 uses information included in the packet that uniquely identifies the mobile phone terminal to authenticate that the sender is a user of the communication control device 10. Once authenticated, packets sent from the IP address temporarily assigned to that mobile phone terminal are passed to the communication control device 10 for processing for a certain period without being authenticated again by the connection management server 120.
- the message output server 130 outputs a message to the access request destination or request source in accordance with the access permission / rejection result determined by the communication control device 10.
- the log management server 140 manages the operation history of the communication control device 10.
- the database server 150 acquires the latest database from the URL database 160 and inputs it to the communication control device 10.
- the communication control apparatus 10 may have a backup database.
- the operation monitoring server 110 monitors the operation statuses of peripheral devices such as the communication control device 10, the connection management server 120, the message output server 130, the log management server 140, and the database server 150.
- the operation monitoring server 110 has the highest priority in the communication control system 100 and performs monitoring control of the communication control device 10 and all peripheral devices.
- the communication control device 10 is configured by a dedicated hardware circuit.
- the operation monitoring server 110 uses a boundary scan circuit, utilizing a technique such as that of Patent No.
- the communication control system 100 of the present embodiment has a configuration in which a communication control device 10, configured by a dedicated hardware circuit for high-speed operation, is controlled by a group of servers with various functions connected around it. Since the communication control device 10 itself is a hardware circuit, various functions can be realized with a similar configuration by appropriately replacing the software of the server group. According to the present embodiment, such a highly flexible communication control system can be provided.
- FIG. 2 shows a configuration of a conventional communication control device 1.
- the conventional communication control apparatus 1 includes a communication control unit 2 on the reception side, a packet processing unit 3, and a communication control unit 4 on the transmission side.
- Each of the communication control units 2 and 4 includes PHY processing units 5a and 5b that perform processing on the physical layer of the packet, and MAC processing units 6a and 6b that perform processing on the MAC layer of the packet.
- the packet processing unit 3 includes protocol processing units that perform processing according to a protocol, such as an IP processing unit 7 that performs IP (Internet Protocol) protocol processing and a TCP processing unit 8 that performs TCP (Transport Control Protocol) protocol processing, and an AP processing unit 9 that performs application layer processing.
- the AP processing unit 9 executes processing such as filtering according to data included in the packet.
- the packet processing unit 3 is realized by software using a CPU, which is a general-purpose processor, and an OS that runs on the CPU.
- the performance of the communication control device 1 therefore depends on the performance of the CPU, and even if one intends to realize a communication control device capable of processing large-capacity packets at high speed, there is naturally a limit. For example, with a 64-bit CPU, the maximum amount of data that can be processed at one time is 64 bits, and no communication control device with higher performance existed.
- since an OS is used, the possibility of security holes cannot be excluded, and maintenance work such as OS version upgrades was required.
- FIG. 3 shows a configuration of the communication control apparatus according to the present embodiment.
- the communication control device 10 replaces the packet processing unit 3, realized by software including the CPU and OS in the conventional communication control device 1 shown in FIG. 2, with a packet processing circuit 20 constituted by dedicated hardware. By processing communication data with a dedicated hardware circuit rather than with an OS and software operating on a CPU, which is a general-purpose processing circuit, the performance limitations caused by the CPU and OS can be overcome and a communication control device with high processing capability can be realized.
- when communication data and reference data are compared using a CPU, the CPU needs to repeat the process of reading 64 bits of communication data into memory, comparing it with the reference data, and then reading the next 64 bits into memory, so the processing speed is limited by the memory read time.
- in the present embodiment, a dedicated hardware circuit configured by a wired logic circuit is provided in order to compare communication data and reference data.
- the dedicated hardware circuit may be realized using an FPGA (Field Programmable Gate Array).
- since the communication control apparatus 10 of the present embodiment is configured by dedicated hardware using a wired logic circuit, an OS (Operating System) is not required. For this reason, the cost and man-hours for management and maintenance operations such as OS installation, bug handling, and version upgrades can be reduced. In addition, unlike a CPU, which must provide general-purpose functions, the dedicated circuit does not include unnecessary functions, so cost reduction without extra resources, a smaller circuit area, and higher processing speed can be expected. Furthermore, unlike a conventional communication control device that uses an OS, it has no extra functions, so a security hole is unlikely to occur and it has excellent resistance to attacks from malicious third parties via the network.
- FIG. 4 shows the internal configuration of the packet processing circuit.
- the packet processing circuit 20 includes a first database 50 that stores reference data serving as a reference for determining the contents of processing to be performed on communication data, a search circuit 30 that searches whether or not the received communication data includes the reference data by comparing the communication data with the reference data, a second database 60 that stores search results of the search circuit 30 in association with the contents of the processing to be executed on the communication data, and a processing execution circuit 40 that processes the communication data based on the search result of the search circuit 30 and the conditions stored in the second database 60.
- the search circuit 30 includes a position detection circuit 32 that detects, from the communication data, the position of the comparison target data to be compared with the reference data, an index circuit 34, which is an example of a determination circuit that determines to which of three or more ranges, into which the reference data stored in the first database 50 is divided, the comparison target data belongs, and a binary search circuit 36 that searches within the determined range for reference data that matches the comparison target data.
- the binary search method is used in the present embodiment.
- FIG. 5 shows the internal configuration of the position detection circuit.
- the position detection circuit 32 includes a plurality of comparison circuits 33a to 33f for comparing the position specifying data for specifying the position of the comparison target data with the communication data.
- six comparison circuits 33a to 33f are provided, but as will be described later, the number of comparison circuits may be arbitrary.
- communication data is input to each of the comparison circuits 33a to 33f shifted by a predetermined data length, for example 1 byte, and the plurality of comparison circuits 33a to 33f compare the position specifying data to be detected with the communication data in parallel at the same time.
- in this example, the character string “No. ###” included in the communication data is detected, the number “###” included in the character string is compared with the reference data, and the packet is allowed to pass if it matches the reference data and discarded if it does not.
- in the example of FIG. 5, the comparison circuit 33c matches, and it is detected that the character string “No.” exists starting at the third character from the top of the communication data. In this way, it is detected that numerical data as comparison target data exists after the position specifying data “No.” detected by the position detection circuit 32.
- the position detection circuit 32 may be used as a general-purpose circuit for detecting a character string, not only for detecting position specifying data. It may also be configured to detect position specifying data in bit units, not just character strings.
- FIG. 6 shows an example of internal data of the first database.
- the first database 50 stores reference data used as a reference for determining contents of processing such as packet filtering, routing, switching, and replacement, sorted according to some sort condition. In the example of FIG. 6, 1000 pieces of reference data are stored.
- an offset 51 indicating the position of the comparison target data in the communication data is stored.
- the data structure in a packet is defined in bit units, so if the position of flag information or the like for determining the processing contents of the packet is set as the offset 51, the processing contents can be determined by comparing only the necessary bits, and processing efficiency can be improved. Even if the data structure of the packet is changed, it can be dealt with by changing the offset 51.
- the first database 50 may store the data length of the comparison target data. As a result, comparison can be performed by operating only the necessary comparators, so that search efficiency can be improved.
- in the example of FIG. 6, the 1000 pieces of reference data are divided into four ranges 52a to 52d, each having 250 pieces, and the index circuit 34 determines to which of these ranges the comparison target data belongs.
- the index circuit 34 includes a plurality of comparison circuits 35a to 35c that compare the reference data at the boundary of the range with the comparison target data. By comparing the comparison target data and the boundary reference data simultaneously in parallel by the comparison circuits 35a to 35c, it is possible to determine which range the comparison target data belongs to by one comparison process.
- when the range is determined by the index circuit 34, the binary search circuit 36 performs a search within that range by the binary search method.
- the binary search circuit 36 further divides the range determined by the index circuit 34 into two, and compares the reference data at the boundary position with the comparison target data to determine which range it belongs to.
- the binary search circuit 36 includes a plurality of comparison circuits for comparing the reference data and the comparison target data in bit units, for example, 1024 in this embodiment, and simultaneously executes 1024-bit bit matching.
- the reference data at the boundary position dividing the range in two is read out and compared with the comparison target data. Thereafter, the range is further narrowed by repeating this process, and finally the reference data that matches the comparison target data is found.
- in the example of FIG. 6, the comparison target data following the position specifying data “No.” is the number “361”. Since there is a space of one character between the position specifying data “No.” and the comparison target data “361”, the offset 51 is set to “8” to exclude this space from the comparison target data.
- the binary search circuit 36 skips “8” bits, that is, one byte, from the communication data following the position specifying data “No.” and reads “361” as the comparison target data.
- “361” is input as comparison target data to the comparison circuits 35a to 35c of the index circuit 34, and as reference data, the reference data at the boundary between the ranges 52a and 52b is input to the comparison circuit 35a, the reference data “704” at the boundary between the ranges 52b and 52c to the comparison circuit 35b, and the reference data “937” at the boundary between the ranges 52c and 52d to the comparison circuit 35c. The comparisons are made simultaneously by the comparison circuits 35a to 35c, and it is determined that the comparison target data “361” belongs to the range 52a. Thereafter, the binary search circuit 36 searches whether or not the comparison target data “361” exists in the reference data.
- FIG. 7 shows another example of internal data of the first database.
- in the example of FIG. 7, the number of reference data is less than the number of data that can be held in the first database 50, here 1000.
- in this case, the first database 50 stores the reference data in descending order starting from the last data position, and 0 is stored in the remaining data positions.
- that is, the data is allocated from the back of the loading area rather than from the front so that the database is always full, and any vacancy at the beginning of the loading area is filled with zeros.
- thereby, the maximum time for the binary search can be made constant.
- when “0” is read as the reference data during the search, the result is self-evident, so the binary search circuit 36 can narrow the range without performing a comparison and proceed to the next comparison. This can improve the search speed.
- when the reference data is stored in the first database 50 in ascending order from the first data position, the comparison process cannot be omitted for the remaining data positions as described above.
- the comparison technique described above is realized by configuring the search circuit 30 with a dedicated hardware circuit.
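As an added example (not the patent's own circuit description), the following Python models the search path of FIG. 4 to FIG. 7: detection of “No.” by byte-shifted parallel compares, the 8-bit offset, the index circuit's single-step range decision, and the binary search over a first database loaded from the back and zero-filled in front. The reference values are constructed for the demonstration; the figure values 704 and 937 are not reused.

```python
# Added example, not the patent's own circuit: a software model of the search
# circuit 30 (position detection circuit 32, index circuit 34, binary search
# circuit 36) and of the first database 50 of FIG. 6 and FIG. 7.  The database
# contents below are constructed for the demo.

CAPACITY = 1000                   # entries the first database can hold (FIG. 6)
RANGES = 4                        # ranges 52a to 52d
RANGE_SIZE = CAPACITY // RANGES   # 250 entries per range


def detect_position(comm_data, marker):
    """Position detection circuit 32: each comparison circuit sees the
    communication data shifted by one byte and all compare at the same time.
    Returns the byte index where `marker` starts, or -1 if it is absent."""
    hits = [comm_data[i:i + len(marker)] == marker
            for i in range(len(comm_data) - len(marker) + 1)]
    return hits.index(True) if True in hits else -1


def extract_target(comm_data, marker, offset_bits):
    """Skip `offset_bits` after the marker (offset 51; 8 bits removes the single
    space in "No. 361") and read the decimal number that follows."""
    pos = detect_position(comm_data, marker)
    if pos < 0:
        raise ValueError("position specifying data not found")
    start = pos + len(marker) + offset_bits // 8
    digits = bytearray()
    for b in comm_data[start:]:
        if not 48 <= b <= 57:         # stop at the first non-digit byte
            break
        digits.append(b)
    if not digits:
        raise ValueError("no comparison target data after the marker")
    return int(digits)


def build_database(reference):
    """First database 50 loaded from the back (FIG. 7): sorted ascending and
    right-aligned, with 0 in every unused leading entry so the table is always
    full and the binary search depth is constant."""
    values = sorted(reference)
    if len(values) > CAPACITY:
        raise ValueError("too many reference entries")
    return [0] * (CAPACITY - len(values)) + values


def index_circuit(db, target):
    """Index circuit 34: compare the target against the boundary entries (first
    entry of ranges 52b, 52c, 52d) in one parallel step and pick the range."""
    boundaries = [db[r * RANGE_SIZE] for r in range(1, RANGES)]
    above = [target >= b for b in boundaries]      # comparison circuits 35a-35c
    return sum(above)                              # 0..3 -> range 52a..52d


def binary_search_circuit(db, lo, hi, target):
    """Binary search circuit 36 inside [lo, hi).  Returns (found, comparisons).
    A 0 entry is padding, so reading it needs no comparison: the target, which
    is never 0, must lie to the right of it."""
    comparisons = 0
    while lo < hi:
        mid = (lo + hi) // 2
        value = db[mid]
        if value == 0:
            lo = mid + 1
            continue
        comparisons += 1
        if value == target:
            return True, comparisons
        if value < target:
            lo = mid + 1
        else:
            hi = mid
    return False, comparisons


def search(db, target):
    """Full search path: range decision, then binary search within that range.
    Returns (range index, found, number of compare steps used)."""
    r = index_circuit(db, target)
    found, steps = binary_search_circuit(db, r * RANGE_SIZE, (r + 1) * RANGE_SIZE, target)
    return r, found, steps


if __name__ == "__main__":
    # Constructed communication data: "No." starts at the third byte (FIG. 5).
    packet = b"ABNo. 361/END"
    target = extract_target(packet, b"No.", offset_bits=8)
    full_db = build_database(range(1, 2000, 2))        # 1000 odd numbers, full table
    sparse_db = build_database(range(3000, 3800, 4))   # 200 entries, 800 leading zeros
    print("target", target, "->", search(full_db, target))
    print("3404 in sparse table ->", search(sparse_db, 3404))
    print("3002 in sparse table ->", search(sparse_db, 3002))
```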
- FIG. 8 shows still another example of the internal data of the first database.
- in the example of FIG. 8, the number of reference data belonging to each range is non-uniform, such as 500 for the range 52a and 100 for the range 52b.
- These ranges may be set according to the distribution of the appearance frequency of the reference data in the communication data. That is, the ranges may be set so that the sum of the appearance frequencies of the reference data belonging to the respective ranges is substantially the same. This can improve the search efficiency.
- the reference data input to the comparison circuits 35a to 35c of the index circuit 34 may be changeable from outside. As a result, the ranges can be set dynamically and the search efficiency can be optimized.
- FIG. 9 shows a configuration of a comparison circuit included in the binary search circuit.
- the binary search circuit 36 includes 1024 comparison circuits 36a, 36b, .... Each comparison circuit 36a, 36b, ... receives reference data 54 and comparison target data 56 one bit at a time and compares them.
- the internal configurations of the comparison circuits 35a to 35c of the index circuit 34 are the same. In this way, by executing the comparison process with a dedicated hardware circuit, a large number of comparison circuits can be operated in parallel and a large number of bits can be compared at the same time.
- FIG. 10 shows an example of internal data of the second database.
- the second database 60 includes a search result column 62 for storing the search result by the search circuit 30 and a processing content column 64 for storing the content of processing to be executed on communication data.
- the processing execution circuit 40 searches the second database 60 based on the search result, and executes processing on the communication data.
- the processing execution circuit 40 may also be realized by a wired logic circuit.
- FIG. 11 shows another example of internal data of the second database.
- the processing content is set for each reference data.
- information about the route may be stored in the second database 60.
- the process execution circuit 40 executes processes such as filtering, routing, switching, and replacement stored in the second database 60 according to the search result by the search circuit 30.
- the first database 50 and the second database 60 may be integrated.
- the first database and the second database are provided so as to be rewritable from outside. By exchanging these databases, various data processing and communication control can be realized using the same communication control device 10. It is also possible to provide two or more databases that store the reference data to be searched and perform multi-stage search processing. At this time, more complicated conditional branches may be realized by providing two or more databases that store search results and processing contents in association with each other. When multiple databases are used to perform multi-stage searches in this way, multiple position detection circuits 32, index circuits 34, binary search circuits 36, and so on may be provided.
- the data used for the comparison described above may be compressed by the same compression logic; as long as the communication data and the reference data are compressed by the same logic, the same comparison as usual is possible.
- the amount of data to be loaded at the time of comparison can be reduced. If the amount of data to be loaded is reduced, the time required to read data from the memory is shortened, so the overall processing time can be shortened.
- since the number of comparators can be reduced, this can contribute to the downsizing, weight saving, and cost reduction of the apparatus.
- the data used for the comparison may be stored in a compressed format, or may be compressed after being read from the memory and before the comparison.
- a first storage unit for storing reference data that serves as a reference for determining the content of the processing to be performed on acquired data;
- a search unit that searches whether the reference data is included in the data by comparing the data with the reference data;
- a second storage unit for storing the search result by the search unit and the content of the processing in association with each other;
- a processing unit that executes, on the data, the process associated with the search result.
- the search unit is configured by a wired logic circuit.
- the wired logic circuit includes a plurality of first comparison circuits that compare the data and the reference data bit by bit.
- the search unit includes a position detection circuit that detects a position of comparison target data to be compared with the reference data from the data.
- the position detection circuit includes a plurality of second comparison circuits that compare the position specifying data for specifying the position of the comparison target data with the data, and the data is input to the second comparison circuits while being shifted by a predetermined data length and compared in parallel with the position specifying data.
- the search unit includes a binary search circuit for searching whether or not the reference data is included in the data by binary search.
- the search unit includes a determination circuit that, when the plurality of reference data stored in the first storage unit is divided into three or more ranges, determines to which of the ranges the comparison target data belongs.
- the determination circuit includes a plurality of third comparison circuits that compare the reference data at the boundaries of the ranges with the comparison target data, and the plurality of third comparison circuits simultaneously determine in parallel to which of the three or more ranges the comparison target data belongs.
- the first storage unit further stores information indicating the position of the comparison target data in the data, and the search unit extracts the comparison target data based on the information indicating the position.
- FIG. 12 shows the internal configuration of the packet processing circuit 20 of the present embodiment.
- the packet processing circuit 20 of the present embodiment includes a user database 57, a virus list 161, a white list 162, a black list 163, and a common category list 164 as the first database 50.
- the user database 57 stores information on users who use the communication control device 10.
- the communication control device 10 accepts information for identifying the user from the user, and the search circuit 30 matches the accepted information with the user database 57 to authenticate the user.
- as the information for identifying the user, the source address stored in the IP header of the TCP/IP packet may be used, or a user ID and password may be accepted from the user.
- since the storage location of the source address in the packet is fixed, when matching against the user database 57 in the search circuit 30, it is not necessary to detect the position with the position detection circuit 32; the storage location of the source address is specified directly. If it is authenticated that the user is registered in the user database 57, the URL of the content is then matched against the virus list 161, the white list 162, the black list 163, and the common category list 164 to determine whether access to the content is permitted. Since the white list 162 and the black list 163 are provided for each user, when the user is authenticated and the user ID is determined, the white list 162 and the black list 163 of that user are given to the search circuit 30.
- the virus list 161 stores a list of URLs of content containing computer viruses. Access requests for URLs stored in the virus list 161 are denied.
- the white list 162 is provided for each user, and stores a list of URLs of contents permitted to be accessed.
- the black list 163 is provided for each user and stores a list of URLs of contents that are prohibited from being accessed.
- Fig. 13 (a) shows an example of internal data of virus list 161
- Fig. 13 (b) shows an example of internal data of white list 162
- Fig. 13 (c) shows an example of internal data of black list 163.
- the virus list 161, the white list 162, and the black list 163 each have a category number column 165, a URL column 166, and a title column 167.
- the URL column 166 stores the URLs of content whose access is permitted or prohibited.
- the category number column 165 stores the number of the category to which the content belongs.
- the title column 167 stores the title of the content.
- the common category list 164 stores a list for classifying the content indicated by the URL into a plurality of categories.
- FIG. 14 shows an example of internal data of the common category list 164.
- the common category list 164 also includes a category number column 165, a URL column 166, and a title column 167.
- the communication control device 10 extracts the URL included in the "GET" request message, and the search circuit 30 searches whether that URL is included in the virus list 161, the white list 162, the black list 163, or the common category list 164. For example, the position detection circuit 32 may detect the character string "http://", and the data string following that character string may be extracted as the comparison target data.
- the extracted URL is matched against the reference data of the virus list 161, the white list 162, the black list 163, and the common category list 164 by the index circuit 34 and the binary search circuit 36.
- FIGS. 15 (a), (b), (c), and (d) show examples of internal data of the second database 60 of the present embodiment.
- Fig. 15 (a) shows the search results and processing contents for the virus list 161. If a URL included in a GET request matches a URL in the virus list 161, access to that URL is prohibited.
- Fig. 15 (b) shows the search results and processing contents for the white list 162. If a URL included in a GET request matches a URL in the white list 162, access to that URL is permitted.
- Fig. 15 (c) shows the search results and processing contents for the black list 163. If a URL included in a GET request matches a URL in the black list 163, access to that URL is prohibited.
- FIG. 15 (d) shows search results and processing contents for the common category list 164.
- for the search results for the common category list 164, the user can set individually, for each category, whether access to content belonging to that category is prohibited.
- a user ID column 168 and a category column 169 are provided in the second database 60 for the common category list 164.
- the user ID column 168 stores an ID identifying the user.
- the category column 169 stores, for each of the 57 categories, information indicating whether the user permits access to content belonging to that category.
- whether access to the URL is permitted is therefore determined from the category of the URL and the user ID.
- the number of common categories here is 57, but any other number of categories may be used.
- FIG. 16 shows priorities of the virus list 161, the white list 162, the black list 163, and the common category list 164.
- the priority decreases in the order virus list 161, white list 162, black list 163, common category list 164; the virus list 161 has the highest priority.
- access to a content URL stored in the white list 162 is permitted, but if that URL is also stored in the virus list 161, access is prohibited because the content contains a computer virus.
- because the communication control device 10 is built from dedicated hardware circuits, it can be provided with a search circuit 30a that matches against the virus list 161, a search circuit that matches against the white list 162, a search circuit 30c that matches against the black list 163, and a search circuit 30d that matches against the common category list 164, and these search circuits 30 perform their matching simultaneously in parallel. If there are hits in more than one list, the hit from the list with the highest priority is used. As a result, even when a plurality of databases are provided and priorities are set among them, the search time can be greatly reduced.
- which of the virus list 161, the white list 162, the black list 163, and the common category list 164 takes priority in permitting access may be set in the second database 60, for example; the conditions in the second database 60 can be rewritten according to which list is given priority.
- if access to the content is permitted, the process execution circuit 40 outputs a signal notifying the message output server 130 of that fact, and the message output server 130 sends the "GET" request message to the server holding the content.
- when access to the content is prohibited, the process execution circuit 40 outputs a signal notifying the message output server 130 to that effect, and the message output server 130 discards the "GET" request message without sending it to the access destination server. At this time, a response message indicating that access is prohibited may be transmitted to the request source, or the request may be forcibly redirected to another web page; in that case the process execution circuit 40 rewrites the destination address and URL to those of the redirect destination and sends the request. Information such as the URL to which the request is redirected may be stored in the second database 60 or the like.
- since the search circuit 30 is a dedicated hardware circuit composed of an FPGA or the like, high-speed search processing is realized as described above, and filtering can be performed while minimizing the impact on traffic. By providing such a filtering service, an Internet service provider can increase its added value and attract more users.
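The flow described above, from source-address authentication through the four-list lookup, priority resolution and the process execution step, as an added software model written for this page. It is not the patent's code (the patent describes a hardware circuit); the user database, the four lists, the per-user category policy, the packets and the redirect URL are all constructed sample data, and the names USER_DB, CATEGORY_POLICY and DENY_REDIRECT are this example's own. The four search circuits run simultaneously in hardware; the model runs the four lookups one after another but, as in the description, collects every hit before applying the priority, so the outcome is the same. The sample requests use the absolute-URL request line ("GET http://host/path HTTP/1.1") so that the "http://" position detection has something to find.

```python
"""Software model of the URL filtering flow described above (added example,
not the patent's code). All data here is constructed; USER_DB, CATEGORY_POLICY
and DENY_REDIRECT are this example's own names, not the patent's."""
import bisect
import struct

# First database 50 (constructed). User database 57: source IPv4 -> user ID.
USER_DB = {"192.0.2.10": "alice", "192.0.2.11": "bob"}
# Virus list 161 and common category list 164 are shared; white list 162 and
# black list 163 are per user. Entries map URL -> category number (column 165).
VIRUS_LIST = {"http://malware.example/dropper.exe": 30}
COMMON_CATEGORY_LIST = {"http://news.example/": 10, "http://games.example/": 20,
                        "http://malware.example/dropper.exe": 30}
WHITE_LIST = {"alice": {"http://games.example/": 20,
                        "http://malware.example/dropper.exe": 30}, "bob": {}}
BLACK_LIST = {"alice": {}, "bob": {"http://news.example/": 10}}
# Second database 60 for the category list: category numbers each user permits.
CATEGORY_POLICY = {"alice": {10}, "bob": {10, 20}}
PRIORITY = ("virus", "white", "black", "category")  # figure 16, highest first
DENY_REDIRECT = "http://blocked.example/notice"      # assumed to sit in database 60


class SortedTable:
    """Reference data kept sorted so a URL is found by binary search, standing
    in for the index circuit 34 and binary search circuit 36."""

    def __init__(self, entries):
        self.keys = sorted(entries)
        self.values = [entries[k] for k in self.keys]

    def lookup(self, key):
        i = bisect.bisect_left(self.keys, key)
        return self.values[i] if i < len(self.keys) and self.keys[i] == key else None


VIRUS, COMMON = SortedTable(VIRUS_LIST), SortedTable(COMMON_CATEGORY_LIST)
WHITE = {u: SortedTable(t) for u, t in WHITE_LIST.items()}
BLACK = {u: SortedTable(t) for u, t in BLACK_LIST.items()}


def build_packet(src: str, request: bytes) -> bytes:
    """Constructed IPv4 + TCP packet (checksums left zero) carrying a request."""
    src_b = bytes(int(x) for x in src.split("."))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(request), 0, 0, 64, 6, 0,
                     src_b, bytes([198, 51, 100, 1]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    return ip + tcp + request


def source_ip(packet: bytes) -> str:
    """The source address is at a fixed offset (bytes 12..15) of the IPv4 header,
    so the user lookup needs no position detection."""
    return ".".join(str(b) for b in packet[12:16])


def extract_url(packet: bytes):
    """Position detection: find "http://" in the GET request and take the data
    string following it, up to the next space, as the comparison target."""
    ihl = (packet[0] & 0x0F) * 4
    payload = packet[ihl + (packet[ihl + 12] >> 4) * 4:]
    start = payload.find(b"http://")
    if not payload.startswith(b"GET ") or start < 0:
        return None
    end = payload.find(b" ", start)
    return payload[start:end if end >= 0 else len(payload)].decode("ascii")


def decide(packet: bytes) -> dict:
    """Authenticate the sender, match the URL against all four lists (four
    search circuits in parallel in hardware) and keep the highest-priority hit."""
    user = USER_DB.get(source_ip(packet))
    if user is None:
        return {"action": "deny", "list": "user", "user": None, "url": None}
    url = extract_url(packet)
    if url is None:                       # not a GET with a URL: nothing to match
        return {"action": "permit", "list": None, "user": user, "url": None}
    hits = {}
    if VIRUS.lookup(url) is not None:
        hits["virus"] = "deny"
    if WHITE[user].lookup(url) is not None:
        hits["white"] = "permit"
    if BLACK[user].lookup(url) is not None:
        hits["black"] = "deny"
    category = COMMON.lookup(url)
    if category is not None:
        hits["category"] = "permit" if category in CATEGORY_POLICY[user] else "deny"
    for name in PRIORITY:                 # first hit in priority order wins
        if name in hits:
            return {"action": hits[name], "list": name, "user": user, "url": url}
    # No list matched: permit by default (assumption; the text states no default).
    return {"action": "permit", "list": None, "user": user, "url": url}


def execute(decision: dict, request: bytes) -> dict:
    """Process execution circuit 40 / message output server 130: forward the GET
    when permitted; otherwise discard it and redirect the requester."""
    if decision["action"] == "permit":
        return {"forward": request, "response": None}
    resp = b"HTTP/1.1 302 Found\r\nLocation: " + DENY_REDIRECT.encode() + b"\r\n\r\n"
    return {"forward": None, "response": resp}
```

With this data, alice's white-list entry for the malware URL is overridden by the virus list, bob's black-list entry for news.example overrides his permitted category 10, and an unregistered source address is refused before any URL lookup takes place. The default for a URL that appears in no list is an assumption of this model; the description does not say what the device does in that case.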
- the white list 162 or the black list 163 may be provided in common for all users.
- the present invention can be applied to a communication control apparatus that controls access to content.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Health & Medical Sciences (AREA)
- General Health & Medical Sciences (AREA)
- Virology (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Storage Device Security (AREA)
Priority Applications (13)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/JP2005/005789 WO2006103743A1 (ja) | 2005-03-28 | 2005-03-28 | 通信制御装置及び通信制御システム |
CN200580049496A CN100580644C (zh) | 2005-03-28 | 2005-03-28 | 通信控制装置及通信控制系统 |
US11/910,240 US8073855B2 (en) | 2005-03-28 | 2005-03-28 | Communication control device and communication control system |
EP05727698A EP1868103A1 (en) | 2005-03-28 | 2005-03-28 | Communication control device and communication control system |
CA002603106A CA2603106A1 (en) | 2005-03-28 | 2005-03-28 | Communication control device and communication control system |
JP2007505311A JP4554675B2 (ja) | 2005-03-28 | 2005-03-28 | 通信制御装置及び通信制御システム |
KR20077021091A KR20070103774A (ko) | 2005-02-18 | 2005-08-25 | 통신 제어 장치 및 통신 제어 시스템 |
US11/884,526 US8336092B2 (en) | 2005-02-18 | 2005-08-25 | Communication control device and communication control system |
EP05774657A EP1850234A1 (en) | 2005-02-18 | 2005-08-25 | Communication control device and communication control system |
CA002596948A CA2596948A1 (en) | 2005-02-18 | 2005-08-25 | Communication control device and communication control system |
JP2007503571A JP4546998B2 (ja) | 2005-02-18 | 2005-08-25 | 通信制御システム |
CN2005800493258A CN101147138B (zh) | 2005-02-18 | 2005-08-25 | 通信控制系统 |
PCT/JP2005/015480 WO2006087837A1 (ja) | 2005-02-18 | 2005-08-25 | 通信制御装置及び通信制御システム |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/JP2005/005789 WO2006103743A1 (ja) | 2005-03-28 | 2005-03-28 | 通信制御装置及び通信制御システム |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2006103743A1 true WO2006103743A1 (ja) | 2006-10-05 |
Family
ID=37053016
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/JP2005/005789 WO2006103743A1 (ja) | 2005-02-18 | 2005-03-28 | 通信制御装置及び通信制御システム |
Country Status (6)
Country | Link |
---|---|
US (1) | US8073855B2 (ja) |
EP (1) | EP1868103A1 (ja) |
JP (1) | JP4554675B2 (ja) |
CN (1) | CN100580644C (ja) |
CA (1) | CA2603106A1 (ja) |
WO (1) | WO2006103743A1 (ja) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2010117874A (ja) * | 2008-11-13 | 2010-05-27 | Hitachi Ltd | Urlフィルタリングシステム |
JP2013172425A (ja) * | 2012-02-22 | 2013-09-02 | Nippon Telegr & Teleph Corp <Ntt> | フィルタリング装置、および、フィルタリング方法 |
Families Citing this family (25)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20100306209A1 (en) * | 2006-07-22 | 2010-12-02 | Tien-Fu Chen | Pattern matcher and its matching method |
US9092380B1 (en) * | 2007-10-11 | 2015-07-28 | Norberto Menendez | System and method of communications with supervised interaction |
CN101325495B (zh) * | 2008-07-10 | 2012-02-01 | 成都市华为赛门铁克科技有限公司 | 一种应用于检测黑客服务器的检测方法、装置及系统 |
US8719365B1 (en) * | 2009-02-12 | 2014-05-06 | Adobe Systems Incorporated | Graphic output from remote execution of applications redirected with dynamically sized virtual screen |
US8650653B2 (en) * | 2009-12-24 | 2014-02-11 | Intel Corporation | Trusted graphics rendering for safer browsing on mobile devices |
US9251282B2 (en) * | 2010-06-21 | 2016-02-02 | Rapid7 LLC | Systems and methods for determining compliance of references in a website |
WO2012044248A1 (en) * | 2010-09-28 | 2012-04-05 | Empire Technology Development Llc | Data filtering for communication devices |
CN102469117B (zh) * | 2010-11-08 | 2014-11-05 | 中国移动通信集团广东有限公司 | 一种异常访问行为的识别方法及装置 |
US8863232B1 (en) | 2011-02-04 | 2014-10-14 | hopTo Inc. | System for and methods of controlling user access to applications and/or programs of a computer |
US8667592B2 (en) * | 2011-03-15 | 2014-03-04 | Symantec Corporation | Systems and methods for looking up anti-malware metadata |
EP2840737B1 (en) * | 2012-05-02 | 2019-05-01 | Huawei Technologies Co., Ltd. | Method and apparatus for controlling network device |
US8856907B1 (en) | 2012-05-25 | 2014-10-07 | hopTo Inc. | System for and methods of providing single sign-on (SSO) capability in an application publishing and/or document sharing environment |
US9419848B1 (en) | 2012-05-25 | 2016-08-16 | hopTo Inc. | System for and method of providing a document sharing service in combination with remote access to document applications |
US8713658B1 (en) | 2012-05-25 | 2014-04-29 | Graphon Corporation | System for and method of providing single sign-on (SSO) capability in an application publishing environment |
US9239812B1 (en) | 2012-08-08 | 2016-01-19 | hopTo Inc. | System for and method of providing a universal I/O command translation framework in an application publishing environment |
CN102915376A (zh) * | 2012-11-13 | 2013-02-06 | 北京神州绿盟信息安全科技股份有限公司 | 检测数据库异常行为的方法和设备 |
US9367542B2 (en) * | 2013-01-10 | 2016-06-14 | International Business Machines Corporation | Facilitating access to resource(s) idenfitied by reference(s) included in electronic communications |
CN104253785B (zh) * | 2013-06-25 | 2017-10-27 | 腾讯科技(深圳)有限公司 | 危险网址识别方法、装置及系统 |
CN103368957B (zh) * | 2013-07-04 | 2017-03-15 | 北京奇虎科技有限公司 | 对网页访问行为进行处理的方法及系统、客户端、服务器 |
CN103336693B (zh) * | 2013-07-04 | 2016-06-22 | 北京奇虎科技有限公司 | refer链的创建方法、装置及安全检测设备 |
CN103581321B (zh) * | 2013-11-06 | 2017-05-31 | 北京奇虎科技有限公司 | 一种refer链的创建方法、装置及安全检测方法和客户端 |
US9467453B2 (en) | 2014-02-19 | 2016-10-11 | Qualcomm Incorporated | Network access and control for mobile devices |
CN111629038B (zh) * | 2020-05-19 | 2023-08-08 | 北京达佳互联信息技术有限公司 | 虚拟资源分享处理方法、装置、服务器及存储介质 |
US20220046036A1 (en) * | 2020-08-04 | 2022-02-10 | Oracle International Corporation | Mirage Instance of a Database Server |
CN113763137B (zh) * | 2021-11-10 | 2022-10-14 | 山东派盟网络科技有限公司 | 信息推送方法及计算机设备 |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JPH09181791A (ja) * | 1995-10-23 | 1997-07-11 | Kawasaki Steel Corp | データ受信装置 |
WO2002082750A1 (fr) * | 2001-04-02 | 2002-10-17 | Dcl Inc. | Dispositif de recherche de chaines binaires et procede associe |
JP2003280988A (ja) * | 2002-03-25 | 2003-10-03 | Duaxes Corp | I/o装置の制御装置及びそのi/o制御装置を用いた制御システム |
JP2004030678A (ja) * | 2002-06-27 | 2004-01-29 | Microsoft Corp | ウェブブラウジングのためのコンテンツフィルタリング |
Family Cites Families (19)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US4475237A (en) * | 1981-11-27 | 1984-10-02 | Tektronix, Inc. | Programmable range recognizer for a logic analyzer |
US5341479A (en) * | 1989-01-31 | 1994-08-23 | Storage Technology Corporation | Address mark triggered read/write head buffer |
JPH04180425A (ja) | 1990-11-15 | 1992-06-26 | Toshiba Corp | 通信システム |
US5802065A (en) * | 1995-10-23 | 1998-09-01 | Kawasaki Steel Corporation | Data receiving device |
US5956336A (en) * | 1996-09-27 | 1999-09-21 | Motorola, Inc. | Apparatus and method for concurrent search content addressable memory circuit |
US5951651A (en) * | 1997-07-23 | 1999-09-14 | Lucent Technologies Inc. | Packet filter system using BITMAP vector of filter rules for routing packet through network |
US6341130B1 (en) * | 1998-02-09 | 2002-01-22 | Lucent Technologies, Inc. | Packet classification method and apparatus employing two fields |
US6185552B1 (en) * | 1998-03-19 | 2001-02-06 | 3Com Corporation | Method and apparatus using a binary search engine for searching and maintaining a distributed data structure |
US6236678B1 (en) * | 1998-10-30 | 2001-05-22 | Broadcom Corporation | Method and apparatus for converting between byte lengths and burdened burst lengths in a high speed cable modem |
US6631466B1 (en) | 1998-12-31 | 2003-10-07 | Pmc-Sierra | Parallel string pattern searches in respective ones of array of nanocomputers |
JP2000250737A (ja) | 1999-03-01 | 2000-09-14 | Kawasaki Steel Corp | 半導体集積回路 |
US6278995B1 (en) * | 1999-03-02 | 2001-08-21 | Nms Communications Corporation | Apparatus and method for providing a binary range tree search |
JP2001168911A (ja) | 1999-12-09 | 2001-06-22 | Hitachi Cable Ltd | パケットフィルタ装置 |
US6697806B1 (en) * | 2000-04-24 | 2004-02-24 | Sprint Communications Company, L.P. | Access network authorization |
JP2004140618A (ja) | 2002-10-18 | 2004-05-13 | Yokogawa Electric Corp | パケットフィルタ装置および不正アクセス検知装置 |
JP2004172917A (ja) | 2002-11-20 | 2004-06-17 | Nec Corp | パケット検索装置及びそれに用いるパケット処理検索方法並びにそのプログラム |
JP2004187201A (ja) | 2002-12-06 | 2004-07-02 | Nippon Telegr & Teleph Corp <Ntt> | データ列検索用ノード,これを用いるデータ列検索方法並びにデータ列検索処理装置 |
US20050060535A1 (en) * | 2003-09-17 | 2005-03-17 | Bartas John Alexander | Methods and apparatus for monitoring local network traffic on local network segments and resolving detected security and network management problems occurring on those segments |
US7454418B1 (en) * | 2003-11-07 | 2008-11-18 | Qiang Wang | Fast signature scan |
Application Events (2005)
- 2005-03-28 CN CN200580049496A patent/CN100580644C/zh not_active Expired - Fee Related
- 2005-03-28 CA CA002603106A patent/CA2603106A1/en not_active Abandoned
- 2005-03-28 US US11/910,240 patent/US8073855B2/en not_active Expired - Fee Related
- 2005-03-28 JP JP2007505311A patent/JP4554675B2/ja not_active Expired - Fee Related
- 2005-03-28 EP EP05727698A patent/EP1868103A1/en not_active Withdrawn
- 2005-03-28 WO PCT/JP2005/005789 patent/WO2006103743A1/ja active Application Filing
Also Published As
Publication number | Publication date |
---|---|
JPWO2006103743A1 (ja) | 2008-09-04 |
EP1868103A1 (en) | 2007-12-19 |
US8073855B2 (en) | 2011-12-06 |
CN100580644C (zh) | 2010-01-13 |
CN101167063A (zh) | 2008-04-23 |
US20090132509A1 (en) | 2009-05-21 |
CA2603106A1 (en) | 2006-10-05 |
JP4554675B2 (ja) | 2010-09-29 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
JP4554675B2 (ja) | 通信制御装置及び通信制御システム | |
JP4554671B2 (ja) | 通信制御装置 | |
JP4087427B2 (ja) | データ処理システム | |
JPWO2006087837A1 (ja) | 通信制御システム | |
JP4571184B2 (ja) | 通信管理システム | |
WO2008062542A1 (fr) | Appareil de commande de communication | |
JP4319246B2 (ja) | 通信制御装置及び通信制御方法 | |
WO2006087837A1 (ja) | 通信制御装置及び通信制御システム | |
KR20080017046A (ko) | 데이터 프로세싱 시스템 | |
JP5156892B2 (ja) | ログ出力制御装置及びログ出力制御方法 | |
JPWO2009066347A1 (ja) | 負荷分散装置 | |
WO2008075426A1 (ja) | 通信制御装置及び通信制御方法 | |
JP4638513B2 (ja) | 通信制御装置及び通信制御方法 | |
JPWO2009066343A1 (ja) | 通信制御装置及び通信制御方法 | |
JPWO2009066344A1 (ja) | 通信制御装置、通信制御システム及び通信制御方法 | |
KR20070121806A (ko) | 통신 제어 장치 및 통신 제어 시스템 | |
JPWO2009069178A1 (ja) | 通信制御装置及び通信制御方法 | |
JPWO2009066349A1 (ja) | 通信制御装置及び通信制御方法 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | |
| WWE | Wipo information: entry into national phase | Ref document number: 2007505311; Country of ref document: JP |
| WWE | Wipo information: entry into national phase | Ref document number: 2603106; Country of ref document: CA |
| NENP | Non-entry into the national phase | Ref country code: DE |
| WWW | Wipo information: withdrawn in national office | Ref document number: DE |
| WWE | Wipo information: entry into national phase | Ref document number: 2005727698; Country of ref document: EP |
| WWE | Wipo information: entry into national phase | Ref document number: 200580049496.0; Country of ref document: CN |
| WWE | Wipo information: entry into national phase | Ref document number: 1020077024645; Country of ref document: KR |
| NENP | Non-entry into the national phase | Ref country code: RU |
| WWW | Wipo information: withdrawn in national office | Ref document number: RU |
| WWP | Wipo information: published in national office | Ref document number: 2005727698; Country of ref document: EP |
| WWE | Wipo information: entry into national phase | Ref document number: 11910240; Country of ref document: US |