WO2007141835A1 - Communication management system, communication management method, and communication control device - Google Patents
- Publication number: WO2007141835A1 (PCT/JP2006/311130)
- Authority: WO (WIPO, PCT)
- Prior art keywords
- content
- communication
- database
- communication control
- data
- Prior art date
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/10—Protecting distributed programs or content, e.g. vending or licensing of copyrighted material ; Digital rights management [DRM]
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/552—Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L2463/00—Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
- H04L2463/101—Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00 applying security measures for digital rights management
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/102—Entity profiles
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/10—Protocols in which an application is distributed across nodes in the network
- H04L67/104—Peer-to-peer [P2P] networks
Definitions
- The present invention relates to a communication management technique, and in particular to a communication management system, a communication management method and a communication control apparatus for managing the distribution of content transmitted and received using peer-to-peer (P2P) communication.
- The present invention has been made in view of such circumstances, and an object thereof is to provide a technique for appropriately managing the distribution of content.
- This communication management system includes a terminal that performs peer-to-peer communication with other nodes performing peer-to-peer communication,
- a content detection device that detects, among the content the terminal has received from those nodes, identification information of content whose distribution should be controlled, and
- a communication control device that controls transmission and reception of the content whose distribution should be controlled, with reference to the detected identification information.
- The content identification information may include a file name, a file size, or a hash value of the content.
- The communication control device may include a database that stores the content identification information detected by the content detection device, a search circuit that acquires content data and searches whether its content identification information exists in the database, and a process execution circuit that executes a process for controlling distribution of the content according to the search result of the search circuit.
- The communication management system may further include a content database that holds the identification information of content detected by the content detection device as content whose distribution should be controlled, and a database server that updates the database of the communication control device with reference to that content database.
- The processing execution circuit may delete the identification information of the content.
- The processing execution circuit may rewrite the address of the node that is the distribution source of the content with the address of a warning content server that issues a warning that distribution of the content should be restricted.
- The processing execution circuit may block transmission of the content.
- The processing execution circuit may replace the content with warning content that issues a warning that distribution of that content should be restricted.
- The communication control device may be configured by an FPGA (Field Programmable Gate Array) or a wired logic circuit.
- Another aspect of the present invention relates to a communication management method.
- This method includes a step of detecting, among the content that a terminal performing peer-to-peer communication with other nodes has received from those nodes, the identification information of content whose distribution should be controlled,
- and a step of controlling transmission and reception of the content whose distribution should be controlled with reference to the detected identification information.
- Yet another aspect of the present invention relates to a communication control apparatus.
- This communication control device includes a database storing the content identification information of content detected, among the content transmitted and received between nodes performing peer-to-peer communication, as content whose distribution should be controlled, and content data.
- FIG. 1 is a diagram showing a configuration of a communication control system according to a base technology.
- FIG. 2 is a diagram showing a configuration of a conventional communication control device.
- FIG. 3 is a diagram showing a configuration of a communication control apparatus according to the base technology.
- FIG. 4 is a diagram showing a configuration of a packet processing circuit.
- FIG. 5 is a diagram illustrating a configuration of a position detection circuit.
- FIG. 6 is a diagram showing another example of the position detection circuit.
- FIG. 7 is a diagram showing another example of the position detection circuit.
- FIG. 8 is a diagram showing an example of internal data of the first database.
- FIG. 9 is a diagram showing another example of internal data of the first database.
- FIG. 10 is a diagram showing still another example of internal data of the first database.
- FIG. 11 is a diagram showing another example of the index circuit.
- FIG. 14 is a diagram showing still another example of internal data of the first database.
- FIG. 15 is a diagram showing an example of internal data of the second database.
- FIG. 16 is a diagram showing another example of internal data of the second database.
- FIG. 17 is a diagram showing another configuration example of the communication control apparatus according to the base technology.
- FIG. 18 is a diagram illustrating a configuration of a communication control device including a plurality of communication control devices.
- FIG. 19 is a diagram showing an example of internal data of a management table provided in the operation monitoring server.
- FIG. 20 is a diagram for explaining an operation method when a communication control device fails.
- FIGS. 21 (a), 21 (b), and 21 (c) are diagrams for explaining a method of updating the database of the communication control device.
- FIG. 22 is a diagram showing a configuration of a communication path control device provided for processing a packet by a plurality of communication control devices.
- FIG. 23 is a diagram showing a configuration of a communication management system according to the first embodiment.
- FIG. 24 is a diagram showing another configuration example of the communication management system according to the first exemplary embodiment.
- FIG. 25 is a diagram illustrating a configuration of a packet processing circuit according to the first embodiment.
- FIG. 26 is a diagram showing a configuration of a communication management system according to a second embodiment.
- FIG. 27 is a sequence diagram showing a procedure of a method for controlling the distribution of inappropriate content.
- FIG. 28 is a sequence diagram showing the procedure of another method for controlling the distribution of inappropriate content.
- FIG. 29 is a sequence diagram showing a procedure of another method for controlling the distribution of inappropriate content.
- FIG. 30 is a diagram showing an internal configuration of a packet processing circuit for content distribution control.
- FIG. 31 (a) is a diagram showing an example of internal data of a virus list.
- FIG. 31 (b) is a diagram showing an example of internal data of a white list.
- FIG. 31 (c) is a diagram showing an example of internal data of a black list.
- FIG. 32 is a diagram showing an example of internal data of a common category list.
- FIGS. 33 (a), (b), (c), and (d) are diagrams showing examples of internal data of the second database.
- FIG. 34 is a diagram showing priorities of the virus list, white list, black list, and common category list.
- 10 communication control device, 20 packet processing circuit, 30 search circuit, 32 position detection circuit, 33 comparison circuit, 34 index circuit, 35 comparison circuit, 36 binary search circuit, 36A, 36B, 36C comparison circuit, 36Z control circuit, 40 processing execution circuit, 50 first database, 57 user database, 60 second database, 70 decoder circuit, 72 decryption key, 100 communication control system, 110 operation monitoring server, 120 connection management server, 130 message output server, 140 log management server, 150 database server, 161 virus list, 162 white list, 163 black list, 164 common category list, 200 communication path control device, 300 communication management system, 310 user terminal, 320 P2P node, 322 P2P network, 330 ISP, 340 node detector, 350 P2P node, 352 P2P node detection network, 354 content detection network, 356 illegal content detection device, 360 P2P node database, 362 illegal content database, 364 warning content server, 390 Internet.
- FIG. 1 shows the configuration of the communication control system according to the base technology.
- The communication control system 100 includes a communication control device 10 and various peripheral devices provided to support the operation of the communication control device 10.
- The communication control device 10 of the base technology implements a packet filtering function provided by an Internet service provider or the like.
- The communication control device 10 provided in the network path acquires a packet transmitted or received via the network, analyzes its contents, and determines whether the communication is permitted. If the communication is permitted, the communication control device 10 sends the packet to the network. If the communication is prohibited, the communication control device 10 discards the packet and, if necessary, returns a warning message or the like to the transmission source.
- A plurality of communication control devices 10 are provided and function together as a single communication control device 10.
- The individual communication control devices 10a, 10b, 10c, ... are also referred to simply as communication control device 10 when no distinction is needed.
- Each communication control device 10 holds a divided part of the database necessary for packet processing, and at least one more communication control device 10 is provided than the number required to hold the divided database. For example, when the number of data entries is 300,000 or more and less than 400,000, four communication control devices are required for operation.
- One further communication control device 10 is provided as a standby for updating the database held by the communication control devices 10, so at least five communication control devices 10 are provided in total. Conventionally the entire system had to be duplicated for fault tolerance, but with the base technology it is only necessary to add a communication control device 10 per divided unit, so the additional hardware can be reduced.
- The operation status of the plurality of communication control devices 10a, 10b, 10c, ... is managed by the operation monitoring server 110. The operation monitoring server 110 of the base technology has a management table for managing the operation status of the communication control devices.
- The peripheral devices include an operation monitoring server 110, a connection management server 120, a message output server 130, a log management server 140, and a database server 150.
- The connection management server 120 manages connections to the communication control device 10. For example, when the communication control device 10 processes a packet sent from a mobile phone terminal, the connection management server 120 uses the information that uniquely identifies the mobile phone terminal, included in the packet, to authenticate that the user is entitled to the services of the communication control system 100. Once authenticated, packets sent from the IP address temporarily assigned to that mobile phone terminal are passed to the communication control device 10 for processing for a certain period without being authenticated again by the connection management server 120.
- The message output server 130 outputs a message to the transmission destination or transmission source of the packet according to the result of the communication permission/rejection determined by the communication control device 10.
- The log management server 140 manages the operation history of the communication control device 10.
- The database server 150 acquires the latest database from the outside and inputs it to the communication control device 10. So that the database can be updated without stopping the operation of the communication control device 10, the communication control device 10 may have a backup database.
- The operation monitoring server 110 monitors the operation status of the communication control device 10 and of peripheral devices such as the connection management server 120, the message output server 130, the log management server 140, and the database server 150.
- The operation monitoring server 110 has the highest priority in the communication control system 100 and performs monitoring control of the communication control device 10 and all peripheral devices.
- The communication control device 10 is configured by a dedicated hardware circuit. The operation monitoring server 110 can therefore monitor its operation status even while the communication control device 10 is operating, by inputting and outputting monitoring data to and from the communication control device 10 and the like through a boundary scan circuit, using a technology such as that of Japanese Patent No. 3041340 by the applicant.
- The communication control system 100 of the base technology thus has various functions realized by the group of servers connected around the communication control device 10, which is configured by a dedicated hardware circuit for high-speed operation, as described below.
- Various other functions can be realized with a similar configuration by appropriately replacing the software of the server group. According to the base technology, such a highly flexible communication control system can be provided.
- FIG. 2 shows the configuration of a conventional communication control device 1.
- The conventional communication control apparatus 1 includes a communication control unit 2 on the reception side, a packet processing unit 3, and a communication control unit 4 on the transmission side.
- Each of the communication control units 2 and 4 includes PHY processing units 5a and 5b that perform processing on the physical layer of the packet, and MAC processing units 6a and 6b that perform processing on the MAC layer of the packet.
- The packet processing unit 3 includes protocol processing units that perform processing according to a protocol, such as an IP processing unit 7 that performs IP (Internet Protocol) processing and a TCP processing unit 8 that performs TCP (Transport Control Protocol) processing, and an AP processing unit 9 that performs application layer processing.
- The AP processing unit 9 executes processing such as filtering according to the data included in the packet.
- The packet processing unit 3 is realized by software using a CPU, which is a general-purpose processor, and an OS running on the CPU.
- The performance of the communication control device 1 therefore depends on the performance of the CPU, and there is an inherent limit even when trying to realize a communication control device that processes large-capacity packets at high speed. For example, with a 64-bit CPU the maximum amount of data that can be processed at one time is 64 bits, and no communication control device with higher performance existed.
- Moreover, because the device is premised on an OS, the possibility of security holes is not zero, and maintenance work such as OS version upgrades was required.
- FIG. 3 shows the configuration of the communication control apparatus according to the base technology.
- The communication control device 10 of the base technology replaces the packet processing unit of the conventional communication control device, which was realized by software including a CPU and an OS, with a packet processing circuit 20 configured by dedicated hardware using a wired logic circuit.
- When searching whether the data included in a packet contains reference data that serves as a criterion for filtering, a CPU can compare the communication data with the reference data only 64 bits at a time, so there was the problem that even when trying to improve speed, CPU performance became the ceiling. The CPU also has to repeat the cycle of reading 64 bits of communication data into memory, comparing them with the reference data, and then reading the next 64 bits into memory, so the memory read time likewise limits the processing speed.
- In the base technology, a dedicated hardware circuit configured by a wired logic circuit is provided to compare the communication data with the reference data.
- This circuit includes a plurality of comparators provided in parallel to enable comparison of data lengths longer than 64 bits, for example 1024 bits.
- Whereas the conventional communication control device 1 using a CPU processes only 64 bits at a time, 1024 bits can be processed at a time, so the processing speed can be dramatically improved.
- Increasing the number of comparators improves processing performance but also increases cost and size, so an optimal hardware circuit should be designed in consideration of the desired processing performance, cost, size, and so on.
- Because the communication control apparatus 10 of the base technology is configured by dedicated hardware using a wired logic circuit, it does not require an OS (Operating System). This makes it possible to reduce the costs and man-hours of management and maintenance that would otherwise require operations such as OS installation, bug handling, and version upgrades.
- Unlike a CPU, which must provide general-purpose functions, it includes no unnecessary functions, so cost can be reduced without using extra resources, the circuit area can be reduced, and the processing speed can be increased.
- Furthermore, unlike a conventional communication control device that uses an OS, it has no extra functions, so security holes are unlikely to occur and it has excellent resistance to attacks from malicious third parties via the network.
- The conventional communication control device 1, which processes packets by software premised on a CPU and an OS, receives all the data of a packet, then performs protocol processing, and passes the data to the application.
- In the communication control apparatus 10 of the base technology, processing is performed by a dedicated hardware circuit, so there is no need to wait for all the data of the packet to be received before starting processing; a process can be started as soon as the data it needs has arrived, without waiting for the subsequent data. For example, the position detection processing in the position detection circuit described later can be started once the position specifying data, which specifies the position of the comparison target data, has been received. Since various processes can thus be executed as the data arrives, without waiting for reception of all the data, the time required to process packet data can be shortened.
- FIG. 4 shows the internal configuration of the packet processing circuit.
- The packet processing circuit 20 includes first databases 50A, 50B, and 50C (collectively, "first database 50") that store reference data serving as the reference for determining what processing is performed on the communication data, a search circuit 30 that searches whether the received communication data includes the reference data by comparing the communication data with the reference data, a second database 60 that stores, in association with each other, the search results of the search circuit 30 and the processing to be executed on the communication data, and a processing execution circuit 40 that processes the communication data based on the search result of the search circuit 30 and the conditions stored in the second database 60.
- The search circuit 30 includes a position detection circuit 32 that detects, in the communication data, the position of the comparison target data to be compared with the reference data; an index circuit 34, which is an example of a determination circuit that divides the reference data stored in the first database 50 into three or more ranges and determines to which of the ranges the comparison target data belongs; and a binary search circuit 36 that searches for reference data matching the comparison target data within the determined range.
- Any search technique can be used to search the reference data for the comparison target data, but the base technology uses the binary search method.
- Because the base technology uses an improved binary search method, three first databases 50 are provided for this purpose.
- The same reference data is stored in each of the first databases 50A, 50B, and 50C.
- FIG. 5 shows the internal configuration of the position detection circuit.
- The position detection circuit 32 includes a plurality of comparison circuits 33a to 33f that compare the position specifying data, which specifies the position of the comparison target data, with the communication data. Six comparison circuits 33a to 33f are provided here, but as described later the number of comparison circuits may be arbitrary. The communication data is input to each of the comparison circuits 33a to 33f in a predetermined data length, shifted by, for example, 1 byte per circuit. In the plurality of comparison circuits 33a to 33f, the position specifying data to be detected and the communication data are compared in parallel at the same time.
- As an example of operation, the character string "No. ###" included in the communication data is detected, and the number "###" included in that character string is compared with the reference data. If it matches the reference data the packet is allowed to pass; if it does not match, the packet is discarded.
- In the example of FIG. 5, the comparison circuit 33c matches, so it is detected that the character string "No." begins at the third character from the top of the communication data. In this way, it is detected that the numerical data that is the comparison target data exists after the position specifying data "No." found by the position detection circuit 32.
- The position detection circuit 32 may be used as a general-purpose circuit for detecting a character string, not only for detecting position specifying data. It may also be configured to detect position specifying data in bit units, not only as character strings.
- FIG. 6 shows another example of the position detection circuit.
- When the position specifying data is shorter than the data length that the comparison circuits compare, predetermined data such as "00H" or "01H" is padded after the position specifying data.
- From the communication data to be compared with the position specifying data, only data of the same length as the position specifying data is extracted, and then the same data that was padded to the position specifying data is padded after it.
- The communication data may be copied as working data, and the copied data may be modified in this way and input to the comparison circuits 33a to 33f.
- This allows the position detection circuit 32 to be used for general purposes regardless of the data length of the position specifying data.
- FIG. 7 shows still another example of the position detection circuit.
- Instead of padding predetermined data after the position specifying data,
- the data after the position specifying data is treated as a wildcard,
- and the comparison circuits 33a to 33f determine that the data to be compared with that part matches unconditionally.
- This likewise allows the position detection circuit 32 to be used for general purposes regardless of the data length of the position specifying data.
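The comparator bank of FIG. 5 to FIG. 7 can be modelled in software. The following Python block is an added example, not code from the patent or its applicant: it emulates the comparison circuits 33a, 33b, ... one offset after another (the hardware evaluates all of them at once), assumes an 8-byte comparator width, a constructed sample packet and a constructed reference set, and implements both the padding variant of FIG. 6 and the wildcard variant of FIG. 7. All function and constant names are the example's own.

```python
"""Software model of the position detection circuit 32 (FIG. 5 to FIG. 7).

Added illustration, not the patent's own design. Each comparison circuit sees the
communication data shifted by one byte; the hardware evaluates all of them in parallel,
this model walks the offsets sequentially. Comparator width, sample packet and reference
set below are assumptions of this example.
"""
from typing import Optional, Set

COMPARE_WIDTH = 8  # bytes compared by one comparison circuit (assumed for this example)


def _pad(block: bytes, width: int, pad_byte: int) -> bytes:
    """Append pad_byte until block is width bytes long (the "00H"/"01H" padding of FIG. 6)."""
    return block + bytes([pad_byte]) * (width - len(block))


def window_matches(window: bytes, pattern: bytes, width: int, mode: str,
                   pad_byte: int = 0x00) -> bool:
    """Decision of one comparison circuit for the window of communication data it sees."""
    if mode == "pad":
        # FIG. 6: take only len(pattern) bytes of the window, pad both sides identically,
        # then compare over the full comparator width.
        return _pad(window[:len(pattern)], width, pad_byte) == _pad(pattern, width, pad_byte)
    if mode == "wildcard":
        # FIG. 7: bytes beyond the pattern are wildcards and match unconditionally.
        return window[:len(pattern)] == pattern
    raise ValueError(f"unknown mode {mode!r}")


def detect_position(data: bytes, pattern: bytes, mode: str = "pad",
                    width: int = COMPARE_WIDTH) -> Optional[int]:
    """Return the byte offset at which the position specifying data first occurs, or None."""
    if not pattern or len(pattern) > width:
        raise ValueError("position specifying data must be 1..width bytes long")
    for offset in range(len(data)):            # comparison circuit number == byte offset
        if window_matches(data[offset:offset + width], pattern, width, mode):
            return offset
    return None


def extract_number(data: bytes, marker: bytes = b"No.", digits: int = 3,
                   mode: str = "pad") -> Optional[str]:
    """Comparison target data: the "###" that follows the position specifying data "No."."""
    pos = detect_position(data, marker, mode)
    if pos is None:
        return None
    field = data[pos + len(marker):pos + len(marker) + digits]
    if len(field) != digits or not field.isdigit():
        return None                            # marker found, but no complete number after it
    return field.decode("ascii")


def filter_packet(data: bytes, reference: Set[str], **kwargs) -> str:
    """Pass the packet only if the extracted number is present in the reference data."""
    number = extract_number(data, **kwargs)
    return "pass" if number is not None and number in reference else "discard"


# Constructed sample input: "No." begins at the third byte, as in the FIG. 5 description.
SAMPLE_PACKET = b"XYNo.361 end"
SAMPLE_REFERENCE = {"361", "378", "937"}

if __name__ == "__main__":
    print(detect_position(SAMPLE_PACKET, b"No."))          # 2
    print(extract_number(SAMPLE_PACKET))                    # 361
    print(filter_packet(SAMPLE_PACKET, SAMPLE_REFERENCE))   # pass
```

The padded comparison deliberately truncates the window to the pattern length before padding, which is what makes a fixed-width comparator usable for a shorter marker; a window at the very end of the packet that is shorter than the comparator width is handled the same way, so a marker in the last bytes is still found.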
- FIG. 8 shows an example of internal data of the first database.
- Reference data used as the criteria for determining processing contents such as packet filtering, routing, switching, and replacement is sorted and stored in ascending or descending order according to some sort condition.
- In the example of FIG. 8, 1000 pieces of reference data are stored.
- The index circuit 34 determines to which of several ranges the comparison target data belongs. In the example of FIG. 8, the 1000 pieces of reference data are divided into four ranges 52a to 52d, each having 250 pieces.
- The index circuit 34 includes a plurality of comparison circuits 35a to 35c that compare the reference data at the boundaries of the ranges with the comparison target data. By comparing the comparison target data with the boundary reference data in parallel in the comparison circuits 35a to 35c, it is possible to determine which range the comparison target data belongs to in a single comparison step.
- The boundary reference data input to the comparison circuits 35a to 35c of the index circuit 34 may be set by a device provided outside the communication control device 10, or the reference data at predetermined positions in the first database 50 may be input automatically.
- In the latter case, even if the first database 50 is updated, the reference data at the predetermined positions in the first database 50 is automatically input to the comparison circuits 35a to 35c, so processing can continue.
- The binary search circuit 36 executes a search by the binary search method.
- The binary search circuit 36 further divides the range determined by the index circuit 34 into 2^n pieces, and compares the reference data at the boundary positions with the comparison target data to determine which of them it belongs to.
- The binary search circuit 36 includes a plurality of comparators that compare the reference data and the comparison target data bit by bit, for example 1024 in the base technology, and executes 1024-bit matching simultaneously.
- When the range to which the comparison target data belongs is determined, that range is further divided into 2^n pieces, and the reference data at the boundary positions is read out and compared with the comparison target data. This process is repeated to narrow the range, and finally reference data that matches the comparison target data is found.
- In the example of FIG. 8, "361" is input to the comparison circuits 35a to 35c of the index circuit 34 as the comparison target data, and the reference data "378" at the boundary between the ranges 52a and 52b is input to the comparison circuit 35a as reference data.
- The reference data at the boundary between the ranges 52b and 52c and the reference data "937" at the boundary between the ranges 52c and 52d are input to the comparison circuits 35b and 35c, respectively.
- The comparison circuits 35a to 35c perform these comparisons simultaneously, and it is determined that the comparison target data "361" belongs to the range 52a. Thereafter, the binary search circuit 36 searches whether the comparison target data "361" exists in the reference data of that range.
- FIG. 9 shows another example of internal data of the first database.
- the number of reference data is less than the number of data that can be held in the first database 50, here 1000.
- the first database 50 stores the reference data in descending order from the last data position.
- 0 is stored in the remaining data positions.
- the search time for binary search can be made constant.
- when the binary search circuit 36 reads out 0, the result is self-evident, so the range can be determined without a comparison and the next comparison can be performed. This can improve the search speed.
- when the reference data is stored in the first database 50 in ascending order from the first data position,
- the comparison process for the remaining data cannot be omitted as described above.
- the comparison technique described above is realized by configuring the search circuit 30 with a dedicated hardware circuit.
- FIG. 10 shows still another example of internal data of the first database.
- the reference data are not divided evenly into three or more ranges; instead the number of reference data belonging to each range is non-uniform, for example 500 for the range 52a and 100 for the range 52b.
- These ranges may be set according to the distribution of the appearance frequency of the reference data in the communication data. That is, the ranges may be set so that the sum of the appearance frequencies of the reference data belonging to the respective ranges is substantially the same. This can improve the search efficiency.
- the reference data input to the comparison circuits 35a to 35c of the index circuit 34 may be changeable from the outside. As a result, the range can be set dynamically and the search efficiency can be optimized.
- FIG. 11 shows another example of the index circuit.
- whereas the index circuit 34 described above uses three comparison circuits 35a to 35c to determine which of the four ranges 52a to 52d of the first database 50 the comparison target data belongs to,
- the index circuit 34 of FIG. 11 is provided with four comparison circuits 35d to 35g for determining whether the comparison target data is included in each of the four ranges 52a to 52d.
- the comparison circuit 35d receives the 0th reference data and the 250th reference data of the first database 50 together with the comparison target data, and compares each reference data with the comparison target data, thereby determining whether or not the comparison target data is included in the range 52a.
- the comparison results of the comparison circuits 35d to 35g are input to the determination circuit 35z, and the determination circuit 35z outputs in which range the comparison target data is included.
- the comparison circuits 35d to 35g may output whether or not the comparison target data lies between the two reference data input to them, or may output whether it is larger than, included in, or smaller than the range. If it is determined that the comparison target data is not included in any of the ranges 52a to 52d, it is determined that the comparison target data does not exist in the first database 50, so the search can be terminated without performing the subsequent binary search.
- FIG. 12 shows a configuration of a comparison circuit included in the binary search circuit.
- the comparison circuit included in the binary search circuit 36 includes 1024 comparators 36a, 36b, .... In each of the comparators 36a, 36b, ..., the reference data 54 and the comparison target data 56 are input one bit at a time, and their magnitudes are compared.
- the internal configurations of the comparison circuits 35a to 35c of the index circuit 34 are the same. In this way, by executing the comparison process with a dedicated hardware circuit, a large number of comparison circuits can be operated in parallel and a large number of bits can be compared simultaneously, so that the comparison process can be performed at high speed.
- FIG. 13 shows the configuration of the binary search circuit.
- the binary search circuit 36 includes the comparison circuits 36A, 36B, and 36C, each including the 1024 comparators 36a, 36b, ... shown in FIG. 12, and a control circuit 36Z that controls these comparison circuits.
- in the conventional binary search method, first, the data at the 1/2 position of the search target range of a database in which the data is arranged in ascending or descending order is read out and compared with the comparison target data. If the data is arranged in ascending order and the comparison target data is smaller, the comparison target data exists in the first half of the search target range, so in the second search the first half is used as the search target range, and the data at the 1/4 position of the first search target range is read out and compared with the comparison target data. Conversely, if the comparison target data is larger, the comparison target data exists in the second half of the search target range, so the second half is used as the search target range, and the data at its 1/2 position, that is, the 3/4 position of the first search target range, is read out and compared with the comparison target data. In this way, the search target range is halved each time until the target data is finally reached.
- the data at the 1/2 position in the search target range is compared with the comparison target data in the first search.
- the comparison target data is compared with the data at the 1/4 and 3/4 positions in the search target range in the second search.
- two searches can be performed at a time, so the time required to read out the database data can be reduced.
- the number of comparisons can be reduced to half and the time required for the search can be shortened.
- three comparison circuits are provided in order to perform two searches simultaneously.
- in general, 2^n - 1 comparison circuits may be provided.
- the control circuit 36Z inputs the data at the positions 1/2^n, 2/2^n, ..., (2^n - 1)/2^n of the search target range to the respective 2^n - 1 comparison circuits, operates them simultaneously in parallel, and compares the data with the comparison target data.
- the control circuit 36Z obtains the comparison results of the respective comparison circuits and determines whether the comparison target data has been found.
- if any comparison circuit outputs a match signal, the control circuit 36Z determines that the comparison target data has been found and ends the binary search. If no match signal is output, the next search is performed. If the comparison target data exists in the database, it should lie within the range where the comparison results of the 2^n - 1 comparison circuits invert. For example, when 15 comparison circuits are provided, if the data at the 5/16 position is smaller than the comparison target data and the data at the 6/16 position is larger than the comparison target data, the comparison target data lies in the range between 5/16 and 6/16. Therefore, the control circuit 36Z acquires the comparison result of each comparison circuit, determines the range in which the comparison result inverts as the next search target range, and inputs the data at the positions 1/2^n, 2/2^n, ..., (2^n - 1)/2^n of the determined next search target range to the respective comparison circuits.
- the first database 50A is connected to the comparison circuit 36A and supplies the data at the 1/4 position in the search target range to the comparison circuit 36A.
- the second database 50B is connected to the comparison circuit 36B and supplies the data at the 2/4 position in the search target range to the comparison circuit 36B, and the third database 50C is connected to the comparison circuit 36C and supplies the data at the 3/4 position in the search target range to the comparison circuit 36C. As a result, data can be read out to the respective comparison circuits simultaneously in parallel, so that the time required for reading data can be further shortened and the binary search can be performed at high speed.
- since the search speed increases with the number of comparison circuits, it is sufficient to provide as many comparison circuits as needed to obtain the desired search speed in consideration of cost, size, and the like. It is preferable to provide as many first databases as comparison circuits, but in consideration of cost, size, and the like, some comparison circuits may share a database.
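A software model of the search circuit described above, added here as an illustration and not part of the patent: the index stage compares the target against all boundary values at once (with unevenly sized ranges, as in FIG. 10), and the multiway stage probes 2^n - 1 positions per round and narrows to the segment where the comparison result inverts, as the control circuit 36Z does. The reference values, the boundary positions and the early-termination check are constructed assumptions.

```python
from typing import List, Optional, Sequence, Tuple

# Constructed reference database, sorted ascending like the first database 50.
# 378 and 937 are the boundary values quoted on the page; 361 is the page's
# comparison target data.
REFERENCE_DB: List[int] = [7, 42, 99, 128, 256, 361, 378, 420,
                           511, 640, 777, 937, 1001, 1500, 2048, 4096]

# Boundary positions for the index circuit: database indices that split the
# database into len(BOUNDARIES) + 1 ranges.  They need not be equally spaced
# (the FIG. 10 variant): here the ranges hold 6, 3, 2 and 5 entries.
BOUNDARIES: List[int] = [6, 9, 11]


def index_circuit(db: Sequence[int], target: int,
                  boundaries: Sequence[int]) -> Tuple[int, int]:
    """Stage 1 (index circuit 34): compare the target against every boundary
    reference value at once, as the comparison circuits 35a..35c do, and
    return the half-open index range [lo, hi) the target falls into."""
    # All boundary comparisons are evaluated up front: in hardware they run
    # in parallel and only the combined result selects the range.
    smaller_than = [target < db[b] for b in boundaries]
    lo, hi = 0, len(db)
    for b, is_smaller in zip(boundaries, smaller_than):
        if is_smaller:
            hi = b
            break
        lo = b
    return lo, hi


def multiway_search(db: Sequence[int], target: int, lo: int, hi: int,
                    n: int) -> Tuple[Optional[int], int]:
    """Stage 2 (binary search circuit 36 with 2**n - 1 comparison circuits).

    Each round reads the reference data at positions k/2**n of the current
    range (k = 1 .. 2**n - 1), compares all of them with the target in one
    step, and either reports a match or narrows the range to the segment in
    which the comparison result inverts from "smaller" to "larger" (the
    control circuit 36Z behaviour).  Returns (matching index or None, rounds).
    """
    k = (1 << n) - 1          # number of comparison circuits
    rounds = 0
    while lo < hi:
        rounds += 1
        span = hi - lo
        if span <= k:
            # Fewer candidates than comparators: probe every position.
            probes = list(range(lo, hi))
        else:
            probes = [lo + (span * i) // (k + 1) for i in range(1, k + 1)]
        # One parallel comparison step: -1 smaller, 0 match, +1 larger.
        results = [(p, (db[p] > target) - (db[p] < target)) for p in probes]
        for p, cmp in results:
            if cmp == 0:
                return p, rounds          # match signal from one comparator
        new_lo, new_hi = lo, hi
        for p, cmp in results:
            if cmp < 0:
                new_lo = p + 1            # reference smaller: target is above
            else:
                new_hi = p                # first larger reference: stop here
                break
        lo, hi = new_lo, new_hi
    return None, rounds


def search_circuit(db: Sequence[int], target: int,
                   boundaries: Sequence[int], n: int = 2
                   ) -> Tuple[Optional[int], int]:
    """Whole search circuit 30: FIG. 11 style early termination when the
    target lies outside every range, then index stage, then multiway stage."""
    if not db or target < db[0] or target > db[-1]:
        return None, 0                    # cannot exist: skip the binary search
    lo, hi = index_circuit(db, target, boundaries)
    return multiway_search(db, target, lo, hi, n)


if __name__ == "__main__":
    for t in (361, 937, 500):
        print(t, "n=1:", search_circuit(REFERENCE_DB, t, BOUNDARIES, 1),
              "n=2:", search_circuit(REFERENCE_DB, t, BOUNDARIES, 2))
```

With n=1 the model degenerates to the conventional one-comparator binary search, so the round counts it returns show directly how many database read cycles the extra comparison circuits save.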
- FIG. 14 shows still another example of internal data of the first database.
- the first database 50 shown in FIG. 14 stores URLs of contents to be filtered.
- the data stored in the first database 50 may include predetermined data recognized as a wildcard, for example “00H” or “01H”.
- for example, when “http://www.xx.xx/*******” is stored as reference data and “*******” is recognized as a wildcard,
- the comparators 36a, 36b, ... determine a match for that portion regardless of the comparison target data. Therefore, all character strings starting with “http://www.xx.xx/” are detected by the binary search circuit 36. As a result, for example, processing for filtering all contents under the domain “http://www.xx.xx/” can be performed easily.
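A byte-level comparator with the wildcard behaviour described above, added as an illustration (not the patent's own design): bytes 00H/01H in the reference data match the rest of the comparison target unconditionally, so one database entry covers every URL under a domain. The pattern encoding helper and the sample entries are constructed.

```python
from typing import Iterable, List

# Byte values the comparators treat as "match anything from here on"
# (the page names 00H and 01H as wildcard data).
WILDCARD_BYTES = {0x00, 0x01}


def encode_pattern(pattern: str) -> bytes:
    """Constructed helper: turn a URL pattern such as
    'http://www.xx.xx/*******' into reference data, replacing each '*'
    with the 00H wildcard byte (assumption: '*' never occurs literally)."""
    return pattern.encode("ascii").replace(b"*", b"\x00")


def compare_with_wildcard(reference: bytes, target: bytes) -> int:
    """Magnitude comparison like comparators 36a, 36b, ...: -1 if reference
    sorts before target, +1 if after, 0 on match.  A wildcard byte in the
    reference data matches regardless of the remaining target bytes."""
    for r, t in zip(reference, target):
        if r in WILDCARD_BYTES:
            return 0
        if r != t:
            return -1 if r < t else 1
    if len(reference) <= len(target):
        # reference consumed: equal only if the target is also consumed
        return 0 if len(reference) == len(target) else -1
    # target consumed first: a trailing wildcard in the reference still matches
    return 0 if reference[len(target)] in WILDCARD_BYTES else 1


def filtered(url: str, reference_data: Iterable[bytes]) -> bool:
    """True if any entry of the (constructed) first database matches the URL."""
    target = url.encode("ascii")
    return any(compare_with_wildcard(ref, target) == 0 for ref in reference_data)


# Constructed first-database contents: one whole-domain entry using the
# wildcard and one exact URL without it.
FIRST_DB: List[bytes] = [
    encode_pattern("http://www.xx.xx/*******"),
    encode_pattern("http://www.yy.yy/exact.html"),
]
```

Because the comparator still returns an ordering for non-matching inputs, an entry whose wildcard sits at the end sorts exactly where its literal prefix would, which is what lets such entries live in the sorted first database searched by the binary search circuit.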
- FIG. 15 shows an example of internal data in the second database.
- the second database 60 includes a search result column 62 for storing the search result by the search circuit 30 and a processing content column 64 for storing the content of processing to be executed on communication data.
- the processing execution circuit 40 searches the second database 60 based on the search result, and executes processing on the communication data.
- the processing execution circuit 40 may also be realized by a wired logic circuit.
- FIG. 16 shows another example of internal data of the second database.
- the processing content is set for each reference data.
- information about the route may be stored in the second database 60.
- the process execution circuit 40 executes processes such as filtering, routing, switching, and replacement stored in the second database 60 according to the search result by the search circuit 30.
- the first database 50 and the second database 60 may be integrated.
- the first database and the second database are provided so as to be rewritable from the outside. By exchanging these databases, various data processing and communication control can be realized using the same communication control device 10. It is also possible to provide two or more databases that store the reference data to be searched and perform multi-stage search processing. In this case, more complicated conditional branches may be realized by providing two or more databases that store search results and processing contents in association with each other. When multiple databases are used to perform multi-stage searches in this way, multiple position detection circuits 32, index circuits 34, binary search circuits 36, and the like may be provided.
- Data used for the comparison described above may be compressed by the same compression logic.
- the same comparison as usual is possible.
- the amount of data to be loaded at the time of comparison can be reduced. If the amount of data to be loaded is reduced, the time required to read data from the memory is shortened, so the overall processing time can be shortened.
- since the number of comparators can be reduced, it is possible to contribute to the downsizing, weight saving, and cost reduction of the apparatus.
- the data used for the comparison may be stored in a compressed format, or may be compressed after being read from the memory and before the comparison.
- FIG. 17 shows another configuration example of the communication control apparatus of the base technology.
- the communication control device 10 shown in this figure has two communication control units 12 having the same configuration as the communication control device 10 shown in FIG.
- a switching control unit 14 for controlling the operation of each communication control unit 12 is provided.
- Each communication control unit 12 has two input / output interfaces 16 and is connected to two networks on the upstream side and the downstream side via the respective input / output interfaces 16.
- the communication control unit 12 inputs communication data from either one of the networks and outputs the processed data to the other network.
- the switching control unit 14 switches the direction of communication data flow in the communication control unit 12 by switching input / output of the input / output interface 16 provided in each communication control unit 12. As a result, bidirectional communication control is possible, not just in one direction.
- the switching control unit 14 may control so that one of the communication control units 12 processes inbound packets and the other processes outbound packets, or may control both to process inbound packets, or both to process outbound packets.
- the direction of communication to be controlled can be made variable according to the traffic status and purpose.
- the switching control unit 14 may acquire the operation status of each communication control unit 12 and switch the direction of communication control according to the operation status. For example, when one communication control unit 12 is in a standby state and the other is operating, and it is detected that the operating communication control unit 12 has stopped due to a failure or the like, the standby communication control unit 12 may be operated as an alternative. As a result, the fault tolerance of the communication control device 10 can be improved. Further, when maintenance such as a database update is performed on one communication control unit 12, the other communication control unit 12 may be operated as an alternative. Thereby, maintenance can be performed appropriately without stopping the operation of the communication control device 10.
- Three or more communication control units 12 may be provided in the communication control apparatus 10.
- the switching control unit 14 may acquire the traffic state and control the communication direction of each communication control unit 12 so that more communication control units 12 are allocated to communication control in the direction with the larger amount of communication. As a result, even if the amount of communication in a certain direction increases, the decrease in communication speed can be minimized.
- FIG. 18 shows a configuration of the communication control device 10 including a plurality of communication control devices 10a, 10b, 10c, .... Since the first database 50 requires a capacity proportional to the number of data, the first database 50 is divided and held across the communication control devices 10a, 10b, 10c, .... As will be described later, in the communication control system 100 of the base technology, the communication packet to be processed is supplied to all the communication control devices 10a, 10b, 10c, ..., and each communication control device 10 processes the received packet.
- the communication control device 10a holds data with data IDs “000001” to “100000”,
- the communication control device 10b holds data with data IDs “100001” to “200000”,
- the communication control device 10c holds data with data IDs “200001” to “300000”, and each processes packets by referring to the data it holds.
- FIG. 19 shows an example of internal data of the management table 111 provided in the operation monitoring server 110.
- the management table 111 is provided with a device ID column 112, an operation status column 113, and a data ID column 114.
- the device ID column 112 stores the device IDs of the communication control devices 10a, 10b, ...
- the operation status column 113 stores the operation status of the communication control device
- the data ID column 114 stores the range of data IDs to be handled by the communication control device.
- the operation status includes, for example, “in operation”, “standby”, “failure”, “data updating”, and the like.
- the operation status column 113 is updated by the operation monitoring server 110 every time the operation status of the communication control devices 10a, 10b, ... changes. In the example shown in FIG. 19, since “465183” data are stored in the first database 50, the five communication control devices 10 with device IDs “1” to “5” are in operation, and the communication control device 10 with device ID “6” is in the standby state.
- the operation monitoring server 110 monitors the operation status of the plurality of communication control devices 10, and when it detects that any communication control device 10 has become inoperable due to a problem, it stores the same data as that of the stopped communication control device 10 in a standby communication control device 10 and switches operation to that communication control device 10. For example, as shown in FIG. 20, when the communication control device 10 with device ID “2” is stopped due to a failure, the communication control device 10 with device ID “6” in the standby state stores the data with data IDs “100001” to “200000” and starts operation. Thus, even if some communication control device 10 stops because of a problem, the operation can be continued appropriately. The standby communication control device 10 may be placed in a hot standby state in which some of the data is stored in advance, or in a cold standby state.
- the database server 150 acquires and holds the latest database from an external database at a predetermined timing.
- the operation monitoring server 110 transfers data from the database server 150 to the communication control device 10 and stores it there, in order to reflect the latest database held in the database server 150 in the communication control device 10 at a predetermined timing.
- FIGS. 21 (a), 21 (b), and 21 (c) are diagrams for explaining how the database is updated.
- FIG. 21 (a) shows, as in FIG. 19, a situation in which the communication control devices 10 with device IDs “1” to “5” are in operation and the communication control device 10 with device ID “6” is in standby.
- the operation monitoring server 110 identifies the communication control device 10 that is currently in the standby state, and instructs the database server 150 to store data in that communication control device 10.
- the operation monitoring server 110 changes the operation status column 113 of the device ID “6” to “data updating”.
- FIG. 21B shows a situation where the database of the communication control apparatus 10 is being updated.
- the database server 150 stores the data handled by any of the operating communication control devices 10 in the first database 50 of the communication control device 10 with the device ID “6” that was in standby.
- the data with data IDs “000001” to “100000”, which were assigned to the communication control device 10 with device ID “1”, are stored in the communication control device 10 with device ID “6”.
- FIG. 21 (c) shows a situation in which the database of the communication control device 10 with the device ID “6” is updated and the operation is started, and the communication control device 10 with the device ID “1” is in a standby state instead.
- the operation monitoring server 110 finishes storing data to the communication control device 10 with the device ID “6”
- the operation monitoring server 110 holds the updated database with the communication control device 10 with the device ID “6”.
- the operation of the communication control device 10 with the device ID “1” that holds the database before update is stopped and placed in the standby state. As a result, the operation is switched to the communication control apparatus 10 whose database has been updated.
- in the same way, the communication control device 10 with device ID “1” is then started, and the operation of the communication control device 10 with device ID “2” is stopped.
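A software model of the management table 111 and of the failover (FIG. 20) and rolling update (FIG. 21) procedures above, added as an illustration and not part of the patent; the device count, block size and data count follow the page's example, everything else (status strings, method names, version numbers) is constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

BLOCK = 100_000   # data IDs held per communication control device, as in FIG. 18/19

# Operation status values (column 113); the page names these four states.
IN_OPERATION, STANDBY, FAILURE, UPDATING = (
    "in operation", "standby", "failure", "data updating")


@dataclass
class Row:
    """One row of the management table 111 (columns 112, 113 and 114)."""
    device_id: int
    status: str = STANDBY
    data_ids: Optional[Tuple[int, int]] = None   # inclusive data ID range held
    db_version: int = 0                          # snapshot of database server 150 loaded


class ManagementTable:
    """Table kept by the operation monitoring server 110."""

    def __init__(self, n_devices: int, n_data: int) -> None:
        self.rows: Dict[int, Row] = {i: Row(i) for i in range(1, n_devices + 1)}
        n_blocks = -(-n_data // BLOCK)            # ceiling division
        if n_blocks > n_devices:
            raise ValueError("not enough communication control devices")
        for i in range(1, n_blocks + 1):          # first n_blocks devices operate
            self.rows[i].status = IN_OPERATION
            self.rows[i].data_ids = ((i - 1) * BLOCK + 1, i * BLOCK)
            self.rows[i].db_version = 1

    def with_status(self, status: str) -> List[Row]:
        return [r for r in self.rows.values() if r.status == status]

    def first_standby(self) -> Optional[Row]:
        spares = self.with_status(STANDBY)
        return spares[0] if spares else None

    def responsible(self, data_id: int) -> List[int]:
        """Operating devices whose range covers data_id.  Every device sees
        every packet; this only tells which one actually holds the entry."""
        return [r.device_id for r in self.with_status(IN_OPERATION)
                if r.data_ids and r.data_ids[0] <= data_id <= r.data_ids[1]]

    def on_failure(self, failed_id: int) -> Optional[int]:
        """FIG. 20: mark the device failed and hand its data range to the
        first standby device, which then starts operating."""
        failed = self.rows[failed_id]
        failed.status = FAILURE
        spare = self.first_standby()
        if spare is None:
            return None                           # no spare: range stays offline
        spare.data_ids, spare.db_version = failed.data_ids, failed.db_version
        spare.status = IN_OPERATION
        return spare.device_id

    def rolling_update(self, new_version: int) -> List[Tuple[int, int]]:
        """FIG. 21: load the new snapshot into the standby device for one
        stale range, start it, and put the device that held the old copy on
        standby; repeat until no operating device is stale.  Returns the
        (stopped, started) device ID pairs in order."""
        log: List[Tuple[int, int]] = []
        while True:
            stale = next((r for r in self.with_status(IN_OPERATION)
                          if r.db_version < new_version), None)
            if stale is None:
                return log
            spare = self.first_standby()
            if spare is None:
                raise RuntimeError("rolling update needs one standby device")
            spare.status = UPDATING                                   # FIG. 21 (a)
            spare.data_ids, spare.db_version = stale.data_ids, new_version  # (b)
            spare.status = IN_OPERATION                               # (c) switch over
            stale.status = STANDBY
            log.append((stale.device_id, spare.device_id))
```

The model keeps the old copy on the device that was just put on standby, so it can serve as the spare for the next range; with one spare the whole table is refreshed in as many steps as there are operating devices.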
- the data stored in each communication control device 10 is not fixed but changes with such updates. If a process for determining which communication control device 10 holds the relevant data were performed before sending a packet to the communication control devices 10, extra time would be required for that process. Therefore, in the present embodiment, the received packet is supplied to all the communication control devices 10, and each communication control device 10 processes the packet.
- a technique for realizing such a mechanism will be described.
- FIG. 22 shows a configuration of a communication path control device provided for processing a packet by a plurality of communication control devices 10.
- the communication path control device 200 includes a switch 210, an optical splitter 220, which is an example of a data supply unit, and a switch 230.
- the switch 210 transmits the received packet to the communication control device 10.
- an optical splitter 220 for supplying packets to the plurality of communication control devices 10a, 10b, and 10c in parallel is provided.
- the packet is transmitted to the optical splitter 220, and the optical splitter 220 transmits the packet to each communication control device in parallel.
- each communication control device is set not to the normal mode in which only packets addressed to its own MAC address are received, but to promiscuous mode, in which all packets are received regardless of the destination MAC address.
- when each communication control device receives a packet cast in parallel from the optical splitter 220, it omits the MAC address matching process and acquires and processes all packets.
- the communication control device 10c transmits a response packet to the switch 210 without going through the optical splitter 220 when returning a packet to the transmission source, such as when communication is prohibited. If the communication is permitted as a result of processing the packet, the communication control device 10c sends the packet to the network.
- a switch 230 for aggregating packets sent from the plurality of communication control devices 10a, 10b, 10c is provided between the communication control devices 10 and the upstream communication line. Each communication control device actually sends the packet to the switch 230, and the switch 230 sends the packet to the upstream communication line.
- when the switch 230 receives a packet returned from the transmission destination, and the returned packet does not require processing by the communication control device 10, the packet is sent from the port 232 of the switch 230 to the port 212 of the switch 210, and from the switch 210 to the transmission source. Normally, on the Internet, the route taken at the time of transmission is recorded in the packet in order to secure a return route so that the response packet is surely returned to the sender.
- since a return route is prepared in advance in the communication path control device 200, communication between the devices is performed without recording the route, that is, without processing the packet. Thereby, useless processing can be omitted and the processing speed can be improved.
- the packet is processed only when the packet transmitted from the transmission source is transmitted to the transmission destination, and the response packet transmitted from the transmission destination to the transmission source is passed without being processed.
- the communication control apparatus 10 may be configured to process packets in both directions.
- the optical splitter 220 may be provided on both sides of the communication control device 10. Further, the bypass path from the switch 230 to the switch 210 may not be provided.
- since the same packet is cast in parallel to all the communication control devices,
- the communication control device that should process the packet can process it appropriately.
- these communication control devices receive and either process or discard all packets cast in parallel from the communication path control device 200, so there is no need to assign them an IP address that uniquely identifies the device on the Internet.
- the communication control device of this embodiment cannot be attacked directly by a malicious third party via the Internet, so communication control can be performed safely.
- FIG. 23 shows the configuration of the communication management system according to the first embodiment.
- the communication management system 300 manages P2P communication, for example by blocking or deprioritizing inappropriate communication between the P2P nodes 320, using the communication control system 100 having functions such as packet filtering.
- the user terminal 310, such as a personal computer, is usually connected to an Internet service provider (hereinafter referred to as “ISP”) 330 via a public telephone network, a mobile phone network, a LAN, a WAN, or the like (not shown).
- P2P nodes 320 that are executing P2P applications such as file sharing software are P2P connected to each other to form a P2P network 322.
- the “P2P node 320” includes a server that provides a file search function in a file sharing application or a device that acts as a host.
- in the server-client model, information is stored in a server, and the client obtains information by connecting to the server via the Internet. If distribution of illegal content is detected, it is only necessary to detect and stop the server providing the content. However, in the P2P network 322, since communication is performed directly between the P2P nodes 320, it is difficult to detect illegal content distribution, and even if it is detected, it is difficult to identify which P2P node 320 is the source.
- the P2P network 322 is not provided with a file search server for file sharing.
- the P2P nodes 320 directly ask each other whether a file exists. Therefore, as the number of P2P nodes 320 increases, the amount of communication increases at an accelerating rate, and the network may become congested, affecting other user terminals 310 that use the ISP 330.
- the P2P node 320 communicates directly with other P2P nodes 320, so it is vulnerable to attacks by malicious P2P nodes 320 and has become a hotbed for the spread of viruses. Users who are unaware of or uninterested in computer security use a file sharing application, become infected with viruses, and leak important information.
- communication control system 100 described in the base technology is provided between user terminal 310 and P2P node 320 of P2P network 322.
- a P2P node detection network 352 for detecting the IP address of the P2P node 320 is provided, and the communication control system 100 is notified of identification information, such as the IP address, of the P2P node 320 detected by the node detection device 340 and uses it to detect communication with the P2P node 320.
- the communication control system 100 may be provided at an arbitrary position on the network.
- FIG. 23 shows an example in which the ISP 330 provides the communication control system 100.
- most P2P nodes 320 are connected to the Internet 390 via some ISP 330, so if each ISP 330 installs the communication control system 100, P2P communication can be managed more appropriately.
- the P2P node 350 is connected to the Internet 390 via the layer 2 switch 344 and the router 342, and executes a P2P application to communicate with the P2P node 320 through a P2P connection.
- the node detection device 340 is provided between the P2P node 350 and the P2P network 322, acquires and analyzes communication packets between the P2P node 350 and the P2P nodes 320 of the P2P network 322, and detects identification information of the P2P node 320 such as its IP address and TCP or UDP port number.
- the node detection device 340 records communication partners by applications other than the P2P application of the P2P node 350 such as inquiries to DNS.
- the node detection device 340 is a layer 2 transparent type that analyzes the packets transmitted and received by the P2P node 350 and passes them through without filtering. The node detection device 340 shown in FIG. 23 can also be implemented as a router type device instead of the layer 2 transparent type. In this case, the node detection device 340 routes packets like a normal router type device while detecting and recording the communication partners of the P2P application.
- the IP address and TCP/UDP port number of the P2P node 320 detected by the node detection device 340 are registered in the P2P node database 360. As described in the base technology, the data registered in the P2P node database 360 is reflected in the first database 50 of the communication control device 10 by the database server 150 of the communication control system 100 at a predetermined timing.
- the communication control device 10 searches, by means of the index circuit 34 and the binary search circuit 36, whether the IP address and TCP/UDP port number of the transmission source or transmission destination of a packet passing through the ISP 330 are registered in the first database 50. If they are registered in the first database 50, the packet belongs to P2P communication by the P2P node 320, so the processing execution circuit 40 discards the packet to interrupt the P2P communication, or delays transmission of the packet so that it is deprioritized relative to other communication. If they are not registered in the first database 50, the packet is not P2P communication, and the processing execution circuit 40 sends it to the network without discarding it. As a result, P2P communication can be detected and regulated.
- the node detection device 340 detects and collects the IP address and TCP/UDP port number of the P2P node 320. If P2P communication uses a different protocol, the node detection device 340 may collect whatever identification information of the P2P node 320 allows that protocol's P2P communication to be detected.
- the node detection device 340 detects the IP address and TCP/UDP port number and registers them in the P2P node database 360. Therefore, by shortening the interval at which the P2P node database 360 is reflected in the communication control system 100, even when a P2P node 320 newly appears, its P2P communication can be restricted within a short time. A P2P node 320 registered in the P2P node database 360 after P2P communication may be deleted from the P2P node database 360 if it has not performed P2P communication for a long time.
- if a user terminal 310 that no longer performs P2P communication remains registered in the P2P node database 360 by its IP address and port number, its communication is restricted even though it is not P2P communication. Therefore, the last detection date/time may be recorded in the P2P node database 360, and the information of a P2P node 320 for which a predetermined period has elapsed since its last detection date/time may be deleted from the P2P node database 360.
- if this user terminal 310 starts P2P communication again, it is detected by the node detection device 340 and registered again in the P2P node database 360, and P2P communication with that node is blocked or deprioritized.
- FIG. 24 shows another configuration example of the communication management system.
- the communication management system 300 shown in FIG. 24 differs from the communication management system 300 shown in FIG. 23 in the configuration of the network 352 for P2P node detection.
- the node detection device 340 is connected to the subsequent stage of the layer 2 switch 344 between the router 342 and the layer 2 switch 344.
- all the packets passing through the layer 2 switch 344 are duplicated and sent to the node detection device 340.
- the node detection device 340 analyzes the acquired packet, collects the identification information of the P2P node 320, and discards the packet.
- Other configurations and operations are the same as those of the communication management system 300 shown in FIG.
- FIG. 25 shows a configuration of the packet processing circuit 20 of the present embodiment.
- the packet processing circuit 20 further includes a decoder circuit 70 and a decryption key 72 in addition to the configuration of the base technology packet processing circuit 20 shown in FIG.
- Protocols used by P2P applications often include characteristic character strings. For example, when identification information such as the name of a P2P application is set in the header of a TCP packet, it can be determined whether or not the packet is a P2P communication packet by detecting that character string. Therefore, in the present embodiment, the position detection circuit 32 described in the base technology is used to detect a character string peculiar to P2P communication included in the packet and determine whether or not the packet is P2P communication. A packet that includes a character string specific to P2P communication is discarded or given lower priority by the processing execution circuit 40 without even needing to be checked against the first database 50 by the index circuit 34 and the binary search circuit 36. This enables efficient P2P communication detection and filtering.
- The communication data of a P2P application may be encrypted before being transmitted and received.
- The decoder circuit 70 decrypts the communication data of the acquired packet using the decryption key 72 for decrypting communication data encrypted by the P2P application. For example, when a P2P application encrypts communication data using a common key encryption method, the encrypted communication data is decrypted using that common key as the decryption key 72.
- The decoder circuit 70 is realized as a dedicated hardware circuit formed by wired logic, without using a CPU or an OS, as described in the base technology, but the decryption key 72 may be provided so that it can be rewritten from outside. As a result, even if the decryption key of the P2P application changes, the change can be handled flexibly, and the circuit can also be used universally when different P2P applications appear.
- The position detection circuit 32 detects, from the decrypted communication data, a character string unique to P2P communication.
- If the packet is not P2P communication, the decryption processing by the decoder circuit 70 does not yield a meaningful data string, so the position detection circuit 32 detects no character string peculiar to P2P communication. Therefore, it is possible to determine whether or not the packet is a P2P communication packet based on the presence or absence of a character string unique to P2P communication.
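The detection path described in the last few paragraphs (search the raw payload for a P2P-specific string, and if nothing is found decrypt with the rewritable key and search again), written as an added example that is not code from the patent or its applicant. The signature strings, the XOR keystream standing in for the P2P application's common-key cipher, the key value and the sample packets are all constructed for illustration and do not correspond to any real application; the point the code makes is the one the text makes: non-P2P traffic decrypts to meaningless bytes, so the second search simply fails and the packet passes.

```python
"""Signature-string detection of P2P packets with an optional decryption step.

Added example, not code from the patent or the applicant. It mirrors the roles
of the decoder circuit 70 (decrypt with a rewritable key) and the position
detection circuit 32 (locate a P2P-specific string) in software. Signatures,
the stand-in cipher, the key and the sample packets are constructed.
"""
from itertools import cycle
from typing import Optional, Tuple

# Constructed stand-ins for strings a P2P application might place in its headers.
P2P_SIGNATURES: Tuple[bytes, ...] = (b"P2PSHARE/1.0", b"X-Node-Id:")


def xor_keystream_decrypt(data: bytes, key: bytes) -> bytes:
    """Constructed stand-in for the P2P application's common-key cipher.

    It models the decoder circuit 70: a fixed transformation whose key
    (the decryption key 72) can be swapped without changing the circuit.
    XOR is symmetric, so the same function also produces the sample ciphertext.
    """
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def detect_signature(payload: bytes) -> Optional[Tuple[int, bytes]]:
    """Position detection: (offset, signature) of the earliest match, else None."""
    best: Optional[Tuple[int, bytes]] = None
    for sig in P2P_SIGNATURES:
        pos = payload.find(sig)
        if pos != -1 and (best is None or pos < best[0]):
            best = (pos, sig)
    return best


def classify_packet(payload: bytes, decryption_key: Optional[bytes]) -> Tuple[str, Optional[str], int]:
    """Return (verdict, how, offset).

    verdict is "p2p" or "other"; how is "plain" when the signature occurs in
    the raw payload and "decrypted" when it appears only after decryption.
    A packet classified "p2p" is the one the text says is discarded or
    deprioritized without a database lookup.
    """
    hit = detect_signature(payload)
    if hit is not None:
        return "p2p", "plain", hit[0]
    if decryption_key:
        hit = detect_signature(xor_keystream_decrypt(payload, decryption_key))
        if hit is not None:
            return "p2p", "decrypted", hit[0]
    return "other", None, -1


# Constructed sample traffic.
KEY = b"k3y-2006"                                      # the rewritable decryption key 72
PLAIN_P2P = b"P2PSHARE/1.0 SEARCH movie.avi\r\n"
ENCRYPTED_P2P = xor_keystream_decrypt(b"HELLO\r\nX-Node-Id: 42\r\n", KEY)
HTTP_GET = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"


def demo() -> Tuple[Tuple[str, Optional[str], int], ...]:
    return tuple(classify_packet(p, KEY) for p in (PLAIN_P2P, ENCRYPTED_P2P, HTTP_GET))


if __name__ == "__main__":
    for result in demo():
        print(result)
```

A real deployment would carry several keys (one per application or version) and try each in turn, which is exactly why the text makes the key rewritable from outside rather than fixed in the circuit.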
- FIG. 26 shows a configuration of a communication management system according to the embodiment.
- This communication management system 300 manages the distribution of content distributed from the P2P node 320.
- The communication management system 300 according to the present embodiment differs from the communication management system 300 according to the first embodiment shown in FIG. 23 in that the P2P node detection network 352 is replaced with an illegal content detection network 354.
- an illegal content database 362 is provided instead of the P2P node database 360, and a warning content server 364 is further provided.
- the illegal content detection network 354 includes an illegal content detection device 356 instead of the node detection device 340 included in the P2P node detection network 352 of the first embodiment shown in FIG. Other configurations and operations are the same as those in the first embodiment.
- The illegal content detection device 356 detects the identification information of the content and registers it in the illegal content database 362.
- the illegal content detection device 356 may include a virus detection program for detecting content infected with a virus, and may detect identification information of the content infected with the virus. Further, when content such as an image or a moving image includes an inappropriate image whose distribution should be controlled, the identification information of the content may be detected.
- the illegal content detection device 356 detects the identification information of the content whose distribution should be controlled, such as a moving image including violent video that is illegal to distribute and an image that violates public order and morals.
- the illegal content detection device 356 may accept designation of inappropriate content from an operator who confirms the content and detects inappropriate content, and may detect identification information of the content.
- The identification information may include the file name of the content, its file size, and a hash value such as MD5.
- The detected identification information is sent to and registered in the illegal content database 362 via a dedicated line, a VPN, or similar technology.
- the data registered in the illegal content database 362 is reflected in the first database 50 of the communication control device 10 by the database server 150 of the communication control system 100 at a predetermined timing as described in the base technology.
- The communication control device 10 uses the index circuit 34 and the binary search circuit 36 to search the first database 50 and determine whether or not a packet passing through the ISP 330 includes inappropriate content data or a transmission request for inappropriate content. If the content identification information is registered in the first database 50, the content is inappropriate, so the processing execution circuit 40 performs processing to control distribution of the content, such as discarding the packet to block transmission and reception, or changing the destination of the transmission request to the warning content server 364. If it is not registered in the first database 50, the processing execution circuit 40 sends the packet to the network without performing processing for controlling distribution. As a result, inappropriate distribution of content can be detected and appropriately controlled. [0106] Next, a specific method for controlling the distribution of inappropriate content will be described.
- FIG. 27 is a sequence diagram showing a procedure of a method for controlling the distribution of inappropriate content.
- The P2P node 320 that receives the search request returns file summary information 380 and 382, including the file name, file size, and hash value of the content extracted by the search (S12).
- The communication control system 100 detects the file summary information 382 of inappropriate content and deletes that file summary information (S14).
- The response packet from which the file summary information 382 of the inappropriate content has been deleted is sent to the user terminal 310 (S16).
- Although the P2P node 320 holds the inappropriate content and could distribute it, the file summary information 382 of that content has been deleted from the search response as seen from the user terminal 310, so the content appears not to be held by the P2P node 320 and cannot be received. This can limit the distribution of inappropriate content.
- FIG. 28 is a sequence diagram showing a procedure of another method for controlling the distribution of inappropriate content.
- the P2P node 320 that has received the search request responds with the file summary information 380 and 382 of the content extracted by the search (S32).
- The communication control system 100 detects the file summary information 382 of inappropriate content, changes the IP address of the file distribution node included in that file summary information, here the P2P node 320, to the IP address of the warning content server 364 that distributes the warning content (S34), and sends the result to the user terminal 310 as the search response (S36).
- the user terminal 310 requests download to the P2P node 320 when downloading the content whose distribution is not restricted (S38).
- the P2P node 320 transmits the requested content (S40).
- Since the IP address of the download request destination has been changed to that of the warning content server 364, the user terminal 310 sends its download request to the warning content server 364.
- the warning content server 364 transmits warning content warning that the requested content is inappropriate and distribution is restricted to the user terminal 310 (S44).
- the user terminal 310 cannot request the P2P node 320 to transmit. Thereby, distribution of inappropriate content can be restricted.
- FIG. 29 is a sequence diagram showing a procedure of another method for controlling the distribution of inappropriate content.
- When the user terminal 310 requests the P2P node 320 to download content (S50) and the P2P node 320 sends the requested content to the user terminal 310 (S52), content 386 that may be freely distributed is passed through. If inappropriate content 388 whose distribution should be controlled is present, the communication control system 100 replaces the inappropriate content 388 with warning content 389, which warns that the requested content is inappropriate and its distribution is restricted (S54), and sends it to the user terminal 310 (S56).
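The content identification described earlier (file name, file size, and an MD5 hash registered in the illegal content database 362) together with the three distribution controls of FIGS. 27 to 29, as one added example that is not code from the patent or its applicant. It assumes a search response is a list of file summaries carrying those three fields plus the IP address of the distributing node; matching is done on the hash alone, since a renamed copy of the same bytes is still the same content. All names (`FileSummary`, `IllegalContentDB`, `delete_summaries`, `redirect_to_warning_server`, `replace_content`), the sample content, and the warning server address are constructed for illustration.

```python
"""Content identification and the distribution controls of FIGS. 27 to 29.

Added example, not code from the patent or the applicant. It assumes that a
file summary carries (file name, size, MD5) plus the IP address of the node
serving the file, and that the illegal content database is a set of such
identifiers. All names and sample data are constructed for illustration.
"""
import hashlib
from dataclasses import dataclass, replace
from typing import Iterable, List, Set, Tuple

ContentId = Tuple[str, int, str]   # (file name, size in bytes, MD5 hex digest)


@dataclass(frozen=True)
class FileSummary:
    file_name: str
    size: int
    md5: str
    node_ip: str          # distribution node named in the search response


def identify(file_name: str, data: bytes) -> ContentId:
    """Identification information as the text lists it: name, size, MD5."""
    return (file_name, len(data), hashlib.md5(data).hexdigest())


class IllegalContentDB:
    """Model of the illegal content database 362 as reflected into the control device."""

    def __init__(self) -> None:
        self._ids: Set[ContentId] = set()
        self._hashes: Set[str] = set()

    def register(self, cid: ContentId) -> None:
        self._ids.add(cid)
        self._hashes.add(cid[2])

    def matches(self, summary: FileSummary) -> bool:
        # Hash-only match: renaming or misreporting the size does not hide the content.
        return summary.md5 in self._hashes

    def matches_data(self, data: bytes) -> bool:
        return hashlib.md5(data).hexdigest() in self._hashes


def delete_summaries(response: Iterable[FileSummary], db: IllegalContentDB) -> List[FileSummary]:
    """FIG. 27: strip the summaries of controlled content from a search response."""
    return [s for s in response if not db.matches(s)]


def redirect_to_warning_server(response: Iterable[FileSummary], db: IllegalContentDB,
                               warning_ip: str) -> List[FileSummary]:
    """FIG. 28: keep the summary but point its distribution node at the warning server."""
    return [replace(s, node_ip=warning_ip) if db.matches(s) else s for s in response]


def replace_content(data: bytes, db: IllegalContentDB, warning: bytes) -> bytes:
    """FIG. 29: swap controlled content in the transfer itself for warning content."""
    return warning if db.matches_data(data) else data


# Constructed sample data.
GOOD_DATA = b"holiday photos, freely redistributable"
BAD_DATA = b"content whose distribution is to be controlled"
WARNING = b"The requested content is inappropriate; its distribution is restricted."
WARNING_SERVER_IP = "198.51.100.5"                 # constructed address for the warning content server

GOOD_ID = identify("photos.zip", GOOD_DATA)
BAD_ID = identify("video.avi", BAD_DATA)
RESPONSE = [
    FileSummary(*GOOD_ID, node_ip="192.0.2.20"),
    FileSummary(*BAD_ID, node_ip="192.0.2.21"),
]


def build_db() -> IllegalContentDB:
    db = IllegalContentDB()
    db.register(BAD_ID)
    return db


if __name__ == "__main__":
    db = build_db()
    print(delete_summaries(RESPONSE, db))
    print(redirect_to_warning_server(RESPONSE, db, WARNING_SERVER_IP))
    print(replace_content(BAD_DATA, db, WARNING))
```

The FIG. 29 control operates on the transferred bytes rather than on the search response, so it still works when the summary was never seen; it does, however, require the whole object to be hashed before the decision, which is why the text presents it as a separate method rather than the default.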
- FIG. 30 shows the internal configuration of the packet processing circuit 20 of the communication control apparatus 10 of the present embodiment.
- the packet processing circuit 20 includes a user database 57, a virus list 161, a white list 162, a black list 163, and a common category list 164 as the first database 50.
- the user database 57 stores information on users who use the communication control device 10.
- The communication control device 10 receives information identifying the user from the user, matches the received information against the user database 57 using the search circuit 30, and authenticates the user. If the user is authenticated as being registered in the user database 57, the content identification information is then matched against the virus list 161, the white list 162, the black list 163, and the common category list 164. Since the white list 162 and the black list 163 are provided for each user, once the user is authenticated and the user ID is determined, that user's white list 162 and black list 163 are given to the search circuit 30.
- the virus list 161 stores a list of identification information of contents including computer viruses. Distribution of the content of the identification information stored in the virus list 161 is blocked. As a result, even if a user tries to download a virus without noticing it, it is possible to properly prohibit access and protect the user from the virus damage.
- the white list 162 is provided for each user, and stores a list of identification information of contents permitted to be distributed.
- the black list 163 is provided for each user, and stores a list of content identification information that is prohibited from being distributed.
- Fig. 31 (a) shows an example of the internal data of the virus list 161, Fig. 31 (b) shows an example of the internal data of the white list 162, and Fig. 31 (c) shows an example of the internal data of the black list 163. The virus list 161, the white list 162, and the black list 163 are each provided with a category number column 165, a file name column 166, a size column 167, and a hash value column 170.
- the common category list 164 stores a list for classifying content into a plurality of categories and controlling distribution.
- FIG. 32 shows an example of the internal data of the common category list 164. The common category list 164 also includes a category number column 165, a file name column 166, a size column 167, and a hash value column 170.
- The communication control device 10 uses the position detection circuit 32 to extract the file summary information transmitted and received in the file sharing protocol and the content identification information included in the content itself, and the index circuit 34 and the binary search circuit 36 search whether or not that identification information is included in the virus list 161, the white list 162, the black list 163, or the common category list 164.
- FIGS. 33 (a), (b), (c), and (d) show examples of internal data of the second database 60 for content distribution control.
- Figure 33 (a) shows the search results and processing details for virus list 161. If the content identification information matches the identification information included in virus list 161, distribution of the content is prohibited.
- FIG. 33 (b) shows the search results and processing contents for the white list 162. If the content identification information matches identification information included in the white list 162, distribution of the content is permitted.
- FIG. 33 (c) shows the search results and processing contents for the black list 163. When the content identification information matches identification information included in the black list 163, distribution of the content is prohibited.
- FIG. 33 (d) shows the search results and processing contents for the common category list 164. For the common category list 164, whether a user is permitted or prohibited access to content belonging to each category can be set individually.
- a user ID column 168 and a category column 169 are provided in the second database 60 related to the common category list 164.
- the user ID column 168 stores an ID for identifying the user.
- the category column 169 stores information indicating whether or not the user permits access to content belonging to the category for each of the 57 categories. When the content identification information matches the identification information included in the common category list 164, whether or not access to the content is permitted is determined based on the content category and the user ID.
- the number of common categories is 57, but it may be other than that.
- FIG. 34 shows the priorities of the virus list 161, the white list 162, the black list 163, and the common category list 164.
- The priority is higher in the order of the virus list 161, the white list 162, the black list 163, and the common category list 164. Even if the identification information is registered in a lower-priority list, if it is stored in the virus list 161, access is prohibited because the content includes a computer virus.
- Because the communication control device 10 is configured from dedicated hardware circuits, a search circuit 30a for matching the virus list 161, a search circuit for matching the white list 162, a search circuit 30c for matching the black list 163, and a search circuit 30d for matching the common category list 164 are provided, and the search circuits 30 perform their matching in parallel at the same time. If there are multiple hits, the one with the highest priority is used. As a result, even when a plurality of databases are provided and priorities are set among them, the search time can be greatly reduced.
- Which of the virus list 161, the white list 162, the black list 163, and the common category list 164 is given priority in deciding access permission may be set, for example, in the second database 60; the conditions in the second database 60 can be rewritten depending on which list is to be given priority.
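The priority resolution across the four lists, as an added example that is not code from the patent or its applicant. It assumes content is identified by a string id (for instance an MD5 hex digest), that the white and black lists are held per user, and that each user's common-category permissions are 57 flags indexed by category number; all four lookups are performed first (the hardware does them in parallel) and the priority order is applied to the results. The names (`AccessPolicy`, `decide`, `Verdict`) and the sample entries are constructed for illustration.

```python
"""Priority resolution over the virus, white, black and common category lists.

Added example, not code from the patent or the applicant. Content ids are
placeholder strings, white and black lists are per user, and category
permissions are 57 booleans per user. All names and data are constructed.
"""
from enum import Enum
from typing import Dict, Optional, Set, Tuple

NUM_CATEGORIES = 57


class Verdict(Enum):
    PERMIT = "permit"
    PROHIBIT = "prohibit"


class AccessPolicy:
    def __init__(self) -> None:
        self.virus_list: Set[str] = set()                        # shared by all users
        self.white_lists: Dict[str, Set[str]] = {}               # user_id -> content ids
        self.black_lists: Dict[str, Set[str]] = {}
        self.common_categories: Dict[str, int] = {}              # content id -> category 1..57
        self.category_permits: Dict[str, Tuple[bool, ...]] = {}  # user_id -> 57 flags

    def set_category(self, content_id: str, category: int) -> None:
        if not 1 <= category <= NUM_CATEGORIES:
            raise ValueError(f"category {category} out of range 1..{NUM_CATEGORIES}")
        self.common_categories[content_id] = category

    def set_category_permits(self, user_id: str, permitted: Set[int]) -> None:
        self.category_permits[user_id] = tuple(n in permitted for n in range(1, NUM_CATEGORIES + 1))

    def decide(self, user_id: str, content_id: str) -> Tuple[Verdict, str]:
        """Evaluate all four lists, then apply virus > white > black > category.

        Returns the verdict and the list that produced it. Content found in
        no list is not subject to distribution control and is permitted.
        """
        category: Optional[int] = self.common_categories.get(content_id)
        results = [
            ("virus", content_id in self.virus_list, Verdict.PROHIBIT),
            ("white", content_id in self.white_lists.get(user_id, set()), Verdict.PERMIT),
            ("black", content_id in self.black_lists.get(user_id, set()), Verdict.PROHIBIT),
        ]
        if category is not None:
            flags = self.category_permits.get(user_id, (False,) * NUM_CATEGORIES)  # default: deny
            verdict = Verdict.PERMIT if flags[category - 1] else Verdict.PROHIBIT
            results.append((f"category {category}", True, verdict))
        for source, matched, verdict in results:     # first hit in priority order wins
            if matched:
                return verdict, source
        return Verdict.PERMIT, "unlisted"


def build_policy() -> AccessPolicy:
    """Constructed sample: one entry per priority conflict the text describes."""
    p = AccessPolicy()
    p.virus_list.add("id-virus")
    p.white_lists["alice"] = {"id-virus", "id-white"}   # white-listed virus is still blocked
    p.black_lists["alice"] = {"id-white", "id-black"}   # white beats black for the same id
    p.set_category("id-black", 3)                       # black beats a permitted category
    p.set_category("id-cat", 3)
    p.set_category_permits("alice", {3})                # alice may view category 3, bob may not
    return p


if __name__ == "__main__":
    policy = build_policy()
    for user, cid in (("alice", "id-virus"), ("alice", "id-white"), ("alice", "id-black"),
                      ("alice", "id-cat"), ("bob", "id-cat"), ("alice", "id-none")):
        print(user, cid, policy.decide(user, cid))
```

A user with no category permissions recorded is denied every categorised item, which is the safer default when the per-user row is missing; the text leaves the default open, so a deployment should set it deliberately.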
- If the content is not subject to distribution restriction, the processing execution circuit 40 sends the packet to the network as it is. If distribution of the content should be restricted, the processing execution circuit 40 executes the processing described above. For example, when the distribution control shown in FIG. 27 is performed, the processing execution circuit 40 deletes the file summary information of the content detected by the search circuit 30 from the packet and then sends the packet to the network. When the distribution control shown in FIG. 28 is performed, the processing execution circuit 40 rewrites the IP address of the file distribution node included in the file summary information of the content detected by the search circuit 30 to the IP address of the warning content server 364, which is set in advance in the second database 60 or the like, and then sends the packet to the network. When the distribution control shown in FIG. is performed, the processing execution circuit 40 replaces the content detected by the search circuit 30 with the warning content set in the second database 60 or the like, and then sends the packet to the network.
- This warning content may be given from the warning content server 364 to the communication control device 10.
- Since the search circuit 30 is a dedicated hardware circuit composed of an FPGA or the like, high-speed search processing is realized as described above, and distribution control can be performed while minimizing the impact on traffic. By providing such a filtering service, an ISP 330 or the like can add value and attract more users.
- the white list 162 or the black list 163 may be provided in common for all users.
- The above-described content distribution control may also be performed for all packets without performing user authentication. In this case, the user database 57 need not be provided.
- the present invention can be used for a communication management system that manages the distribution of content.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Computing Systems (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Multimedia (AREA)
- Technology Law (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Storage Device Security (AREA)
- Computer And Data Communications (AREA)
Priority Applications (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/JP2006/311130 WO2007141835A1 (ja) | 2006-06-02 | 2006-06-02 | Communication management system, communication management method, and communication control device |
US12/302,467 US8417677B2 (en) | 2006-06-02 | 2006-06-02 | Communication management system, communication management method and communication control device |
JP2007507600A JP4015690B1 (ja) | 2006-06-02 | 2006-06-02 | Communication management system, communication management method, and communication control device |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/JP2006/311130 WO2007141835A1 (ja) | 2006-06-02 | 2006-06-02 | Communication management system, communication management method, and communication control device |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2007141835A1 true WO2007141835A1 (ja) | 2007-12-13 |
Family
ID=38801107
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/JP2006/311130 WO2007141835A1 (ja) | 2006-06-02 | 2006-06-02 | Communication management system, communication management method, and communication control device |
Country Status (3)
Country | Link |
---|---|
US (1) | US8417677B2 (ja) |
JP (1) | JP4015690B1 (ja) |
WO (1) | WO2007141835A1 (ja) |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2011205197A (ja) * | 2010-03-24 | 2011-10-13 | Hitachi Ltd | P2P terminal detection device, P2P terminal detection method, and P2P terminal detection system |
JP2012014310A (ja) * | 2010-06-30 | 2012-01-19 | Hitachi Information Systems Ltd | Information leakage file detection device, method, and program |
JP2017102559A (ja) * | 2015-11-30 | 2017-06-08 | 日本電気株式会社 | Malware determination device, malware determination method, and malware determination program |
Families Citing this family (22)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
FR2915598A1 (fr) * | 2007-04-27 | 2008-10-31 | France Telecom | Method for filtering undesirable flows originating from a terminal presumed to be malicious |
FR2916595A1 (fr) * | 2007-05-24 | 2008-11-28 | Thomson Licensing Sas | Method for transmitting data packets |
WO2009069178A1 (ja) * | 2007-11-29 | 2009-06-04 | Duaxes Corporation | Communication control device and communication control method |
JP4850218B2 (ja) * | 2008-07-30 | 2012-01-11 | 株式会社ソニー・コンピュータエンタテインメント | Data distribution system |
CN101729442B (zh) * | 2008-10-23 | 2013-03-20 | 华为技术有限公司 | Method and apparatus for implementing content sharing |
EP2359564B1 (en) * | 2008-12-03 | 2018-02-28 | Telefonaktiebolaget LM Ericsson (publ) | Method for selection of suitable peers in a peer-to-peer (p2p) network |
US9385992B2 (en) * | 2009-02-13 | 2016-07-05 | Alcatel Lucent | Inline key-based peer-to-peer processing |
US8204915B2 (en) * | 2009-02-13 | 2012-06-19 | Alcatel Lucent | Apparatus and method for generating a database that maps metadata to P2P content |
US8386429B2 (en) | 2009-03-31 | 2013-02-26 | Microsoft Corporation | Generic editor for databases |
KR101775027B1 (ko) | 2010-07-21 | 2017-09-06 | 삼성전자주식회사 | Content sharing method and apparatus |
US8924705B1 (en) * | 2010-09-24 | 2014-12-30 | Revera Systems | Method and detection system for detecting encrypted peer-to-peer (EP2P) sessions associated with a particular EP2P network |
US8595211B1 (en) * | 2011-02-25 | 2013-11-26 | Symantec Corporation | Techniques for managing search engine results |
JPWO2013140684A1 (ja) * | 2012-03-19 | 2015-08-03 | 日本電気株式会社 | Communication device, communication identification information management server, communication identification information acquisition method, communication identification information provision method, and program |
US20130254343A1 (en) * | 2012-03-22 | 2013-09-26 | Akamai Technologies Inc. | Server with message exchange accounting |
WO2013181421A2 (en) * | 2012-05-31 | 2013-12-05 | Interdigital Patent Holdings, Inc. | Method and apparatus for device-to-device (d2d) mobility in wireless systems |
KR101609124B1 (ko) * | 2014-07-07 | 2016-04-20 | 주식회사 윈스 | Method and apparatus for providing a behavior-based analysis service in a mobile network environment |
US10448253B2 (en) * | 2015-01-08 | 2019-10-15 | Nec Corporation | Wireless terminal |
EP3669282B1 (en) * | 2017-09-20 | 2022-11-02 | Samsung Electronics Co., Ltd. | Method and apparatus for managing a service request in a blockchain network |
JP6824151B2 (ja) * | 2017-12-26 | 2021-02-03 | 三菱電機株式会社 | Incident response support device |
US10911337B1 (en) * | 2018-10-10 | 2021-02-02 | Benjamin Thaddeus De Kosnik | Network activity monitoring service |
US20230030168A1 (en) * | 2021-07-27 | 2023-02-02 | Dell Products L.P. | Protection of i/o paths against network partitioning and component failures in nvme-of environments |
US11991281B1 (en) * | 2023-10-31 | 2024-05-21 | Massood Kamalpour | Systems and methods for digital data management including creation of storage location with storage access id |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2005332048A (ja) * | 2004-05-18 | 2005-12-02 | Nippon Telegr & Teleph Corp <Ntt> | Content information distribution method, content distribution server, content information distribution program, and recording medium recording the program |
JP2006079181A (ja) * | 2004-09-07 | 2006-03-23 | Sony Corp | Biometric matching device |
JP2006121209A (ja) * | 2004-10-19 | 2006-05-11 | Ntt Communications Kk | Gateway device |
Family Cites Families (12)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JPH04180425A (ja) | 1990-11-15 | 1992-06-26 | Toshiba Corp | Communication system |
US7681032B2 (en) | 2001-03-12 | 2010-03-16 | Portauthority Technologies Inc. | System and method for monitoring unauthorized transport of digital content |
EP1315066A1 (en) * | 2001-11-21 | 2003-05-28 | BRITISH TELECOMMUNICATIONS public limited company | Computer security system |
US7096498B2 (en) * | 2002-03-08 | 2006-08-22 | Cipher Trust, Inc. | Systems and methods for message threat management |
JP2004104739A (ja) | 2002-09-05 | 2004-04-02 | Hironori Wakayama | System for a virus and hacker intrusion prevention mechanism, intrusion prevention method, and information processing device |
JP2006018635A (ja) | 2004-07-02 | 2006-01-19 | Matsushita Electric Ind Co Ltd | Filtering system |
US7634813B2 (en) * | 2004-07-21 | 2009-12-15 | Microsoft Corporation | Self-certifying alert |
US20060041527A1 (en) * | 2004-08-03 | 2006-02-23 | Aaron Fessler | Virtual file system |
JP2006065488A (ja) | 2004-08-25 | 2006-03-09 | Nippon Telegr & Teleph Corp <Ntt> | Fraud monitoring method in a content distribution system, content distribution system, and program |
JP4579623B2 (ja) | 2004-08-27 | 2010-11-10 | キヤノン株式会社 | Information processing device and filtering method for received packets |
KR100611740B1 (ko) * | 2004-10-13 | 2006-08-11 | 한국전자통신연구원 | Fingerprint-based illegal copy content tracking system and method |
US20100169195A1 (en) * | 2005-02-03 | 2010-07-01 | Bernard Trest | Preventing unauthorized distribution of content on computer networks |
2006
- 2006-06-02 JP JP2007507600A patent/JP4015690B1/ja not_active Expired - Fee Related
- 2006-06-02 US US12/302,467 patent/US8417677B2/en not_active Expired - Fee Related
- 2006-06-02 WO PCT/JP2006/311130 patent/WO2007141835A1/ja active Application Filing
Also Published As
Publication number | Publication date |
---|---|
US8417677B2 (en) | 2013-04-09 |
JPWO2007141835A1 (ja) | 2009-10-15 |
JP4015690B1 (ja) | 2007-11-28 |
US20100138382A1 (en) | 2010-06-03 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
JP4015690B1 (ja) | | Communication management system, communication management method, and communication control device |
WO2006103743A1 (ja) | | Communication control device and communication control system |
WO2006087907A1 (ja) | | Communication control device |
JP4188409B2 (ja) | | Communication management system, communication management method, and communication control device |
JP4571184B2 (ja) | | Communication management system |
WO2006123443A1 (ja) | | Data processing system |
WO2008023424A1 (fr) | | Communication management system and associated communication management method |
JPWO2009066343A1 (ja) | | Communication control device and communication control method |
JP5393286B2 (ja) | | Access control system, access control device, and access control method |
JP2009181359A (ja) | | Peer-to-peer communication control device |
WO2008075426A1 (ja) | | Communication control device and communication control method |
JP2009182713A (ja) | | Test device |
KR20080057284A (ko) | | Communication management system, communication management method, and communication control device |
JP4638513B2 (ja) | | Communication control device and communication control method |
JP5380710B2 (ja) | | Communication control device |
JPWO2009066344A1 (ja) | | Communication control device, communication control system, and communication control method |
JPWO2009066347A1 (ja) | | Load balancing device |
JP5248445B2 (ja) | | Communication agent and quarantine network system |
JP5156892B2 (ja) | | Log output control device and log output control method |
KR20190113411A (ko) | | Security server and method for operating a security server |
JP2009164712A (ja) | | Bot detection device |
JP2009151598A (ja) | | Test device |
JP2009164711A (ja) | | Bot detection device |
JP2009182708A (ja) | | Peer-to-peer communication control device |
JPWO2009066349A1 (ja) | | Communication control device and communication control method |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | ENP | Entry into the national phase | Ref document number: 2007507600; Country of ref document: JP; Kind code of ref document: A |
 | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 06756951; Country of ref document: EP; Kind code of ref document: A1 |
 | WWE | Wipo information: entry into national phase | Ref document number: 12302467; Country of ref document: US |
 | 122 | Ep: pct application non-entry in european phase | Ref document number: 06756951; Country of ref document: EP; Kind code of ref document: A1 |