WO2008050651A1 - Communication device, communication method, and program - Google Patents

Communication device, communication method, and program

Info

Publication number
WO2008050651A1
Authority
WO
WIPO (PCT)
Prior art keywords
detection rule
intrusion detection
communication
unauthorized intrusion
application
Prior art date
Application number
PCT/JP2007/070254
Other languages
French (fr)
Japanese (ja)
Inventor
Yoshiaki Okuyama
Takuya Murakami
Original Assignee
Nec Corporation
Application filed by NEC Corporation
Publication of WO2008050651A1

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 12/00: Data switching networks
    • H04L 12/66: Arrangements for connecting between networks having differing types of switching systems, e.g. gateways
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/55: Detecting local intrusion or implementing counter-measures
    • G06F 21/554: Detecting local intrusion or implementing counter-measures involving event detection and direct action

Definitions

  • The present invention relates to a communication device having a network intrusion detection program, and in particular to a technique for optimizing the operation of the intrusion detection program according to the internal state of a device connected to a network or the state of a terminal on the network.
  • IDS: network intrusion detection device.
  • An IDS detects network anomalies by matching communication packets against patterns for detecting unauthorized intrusion. Such a pattern is referred to below as an intrusion detection rule.
  • As network anomalies increase, the processing load of matching against intrusion detection rules increases, and hardware resources such as processor and memory on the device are consumed heavily.
  • Japanese Patent Publication No. 2003-92603 describes a host-configuration auto-detecting IDS system that reduces the number of intrusion detection rules by removing harmless ones, in order to minimize the performance degradation caused by the IDS.
  • The first conventional problem is that in devices with constrained hardware resources (processor performance, memory capacity), such as mobile terminals, networked home appliances, and sensor devices, IDS processing may significantly reduce the performance of the device.
  • Even on a device with ample hardware resources, IDS processing consumes a great deal of load, so as the number of kinds of unauthorized network access grows, the device may become unable to keep up.
  • The reason is that when a large number of intrusion detection rules are set, intrusion detection processing may consume so much processor and memory that the processing the device is meant to perform can no longer be carried out; processing efficiency, response time, and communication efficiency also degrade.
  • The second problem is that if the number of intrusion detection rules is cut back too far to solve the first problem, the security risk increases.
  • An object of the present invention is to minimize the processing-performance degradation caused by the IDS by optimizing the intrusion detection rules according to communication requests, the internal state of the terminal such as application state, or the state of terminals on the network.
  • A means is provided for performing the above operation without modifying existing applications.
  • The device changes the intrusion detection rules during operation according to the communication request processing of application programs, application start and termination, the state of external terminals, and the like.
  • The device is characterized by having a mechanism that detects the internal state of the terminal and automatically determines the necessary intrusion detection rules, and a mechanism that makes only the necessary intrusion detection rules the target of matching.
  • By enabling only the necessary intrusion detection rules, the present invention makes effective use of the hardware resources (processor, memory, etc.) of a communication device that performs intrusion detection for networks and terminals. As a result, intrusion detection processing can be executed even on an apparatus with limited hardware resources, such as a portable terminal.
  • The terminal 1 comprises an application 11, a socket 12, a communication request detection unit 13, a port/detection rule database 14, a detection rule configuration change unit 15, a detection rule database 16, and an IDS 17.
  • The application 11 is an application built into the mobile terminal 1.
  • The socket 12 is a communication library such as the socket library commonly provided by general-purpose operating systems. In addition to normal communication processing, the socket 12 notifies the communication request detection unit 13 of the port number to be used whenever a standby (listen) or connection request is received.
  • The communication request detection unit 13 receives the port number from the socket 12, refers to the port/detection rule database 14, converts the port number into the corresponding intrusion detection rule numbers, and notifies those rule numbers to the detection rule configuration change unit 15.
  • The port/detection rule database 14 converts between port numbers and the corresponding intrusion detection rule numbers.
  • The detection rule configuration change unit 15 receives the intrusion detection rule numbers and instructs the detection rule database 16 to validate or invalidate those rules. It also instructs the IDS 17 to change its intrusion detection rules.
  • The detection rule database 16 converts between intrusion detection rule numbers and the corresponding intrusion detection rules, and stores a flag indicating whether each rule is valid or invalid. The valid/invalid flag is changed on instruction from the detection rule configuration change unit 15.
  • The IDS 17 receives an intrusion detection rule change instruction and validates or invalidates the intrusion detection rules accordingly.
  • FIG. 2 is an example of the conversion table of the port/detection rule database 14, which converts port numbers into detection rule identifiers.
  • FIG. 3 shows an example of the detection rule database 16, which converts detection rule identifiers into detection rules and holds the validity of each rule.
  • FIG. 4 shows the operation sequence in the first embodiment, from the standby on a port number until the IDS configuration change is performed.
  • In step a1, the application 11 passes standby port number 80 as input, calls the socket 12, and requests communication standby start or end processing.
  • In step a2, the socket 12 notifies the communication request detection unit 13 of the port number 80 it received as input. The socket does not carry out the standby start/end until the intrusion detection rule configuration has been changed.
  • In step a3, the communication request detection unit 13 queries the port/detection rule database 14 for the intrusion detection rule numbers, using the given port number 80 as input.
  • In step a4, the port/detection rule database 14 returns the intrusion detection rule numbers corresponding to the port number. With the table contents of FIG. 2, it returns rule numbers 1 and 2 for port 80 to the communication request detection unit 13.
  • In step a5, the communication request detection unit 13 instructs the detection rule configuration change unit 15 to change the intrusion detection rules, passing the rule numbers returned from the port/detection rule database 14 (here, 1 and 2) as the argument.
  • In step a6, the detection rule configuration change unit 15 instructs the detection rule database 16 to validate intrusion detection rule numbers 1 and 2 when the request is a standby start, or to invalidate them when it is a standby end (see FIG. 3).
  • In step a7, the detection rule configuration change unit 15 sends a configuration change notification for the intrusion detection rules to the IDS 17.
  • In step a8, the IDS 17 loads the intrusion detection rules whose valid/invalid flag is set to valid.
  • In step a9, the detection rule configuration change unit 15 sends a configuration change completion notification to the socket 12.
  • In step a10, the socket 12 performs the standby start/end processing on port 80.
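The sequence a1 to a10 above, as an added worked example written for this page (it is not code from the patent or from NEC). The rule patterns and the port-to-rule table are constructed; only "port 80 maps to rules 1 and 2" comes from the page's FIG. 2, the other ports and rules are assumed. The same table-driven manager serves the second and third embodiments if it is keyed by application identifier (FIG. 6) or fed port numbers from an external terminal instead of the local socket. One point the page leaves open is what happens when two listeners share a rule; the example keeps a reference count per rule so that a standby end on one port does not invalidate a rule another port still needs.

```python
"""Added example: enabling IDS rules on standby start and disabling them on
standby end, driven by a port -> rule-number table (first embodiment).

Illustrative code for this page, not the patent's own implementation.
The tables and patterns below are constructed sample data.
"""
from collections import Counter
from dataclasses import dataclass, field

# Constructed port/detection rule table in the style of FIG. 2.
# Rule 2 is deliberately shared by ports 80 and 443 (assumption) so that the
# shared-rule case is exercised.
PORT_RULES = {80: {1, 2}, 443: {2, 4}, 22: {3}}


@dataclass
class RuleDB:
    """Detection rule database (FIG. 3): rule number -> pattern, plus a
    valid/invalid flag per rule, here modelled as membership in `enabled`."""
    patterns: dict
    enabled: set = field(default_factory=set)
    # Number of active listeners that need each rule (added here; the page
    # does not say how shared rules are handled).
    refs: Counter = field(default_factory=Counter)

    def validate(self, rule_ids):
        for r in rule_ids:
            self.refs[r] += 1
            self.enabled.add(r)

    def invalidate(self, rule_ids):
        for r in rule_ids:
            self.refs[r] -= 1
            if self.refs[r] <= 0:      # last user gone: flag becomes invalid
                del self.refs[r]
                self.enabled.discard(r)

    def active_rules(self):
        """What IDS 17 loads in step a8: only rules whose flag is valid."""
        return {r: self.patterns[r] for r in sorted(self.enabled)}


class CommunicationRequestDetector:
    """Steps a2-a9: port number in, rule configuration change out. The socket
    is expected to call these before it actually starts or ends the standby."""

    def __init__(self, db: RuleDB):
        self.db = db

    def on_standby_start(self, port):
        ids = PORT_RULES.get(port, set())   # steps a3/a4: port -> rule numbers
        self.db.validate(ids)               # step a6, start case
        return ids

    def on_standby_end(self, port):
        ids = PORT_RULES.get(port, set())
        self.db.invalidate(ids)             # step a6, end case
        return ids


def match(db: RuleDB, payload: bytes):
    """Match traffic only against the currently valid rules, which is the
    resource saving the patent is after. Returns the numbers of rules that hit."""
    return [r for r, pat in db.active_rules().items() if pat in payload]


def demo():
    """Walk through: listen on 80 and 443, then close 80. Rule 1 must go away
    while rule 2 survives because 443 still needs it."""
    db = RuleDB({1: b"GET /cgi-bin/", 2: b"../../", 3: b"SSH-1.", 4: b"\x16\x03\x00"})
    det = CommunicationRequestDetector(db)
    det.on_standby_start(80)
    det.on_standby_start(443)
    probe = b"GET /cgi-bin/../../etc/passwd HTTP/1.0"   # constructed sample request
    hits_while_open = match(db, probe)
    det.on_standby_end(80)
    hits_after_close = match(db, probe)
    return sorted(db.enabled), hits_while_open, hits_after_close


if __name__ == "__main__":
    print(demo())
```

Without the reference count, the standby end on port 80 would invalidate rule 2 and leave the HTTPS listener on 443 unprotected by it; that is the kind of gap an implementer should check for when rule sets overlap. Note also that in the third embodiment the port number driving these changes arrives from another terminal over the network, so a deployment has to authenticate that notification, since whoever can send it can turn rules off.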
  • FIG. 5 is a block diagram for carrying out the second embodiment of the present invention and describes the internal configuration of the terminal 1 in this embodiment.
  • The terminal 1 comprises an application 11, an application activation monitor 18, an application/detection rule database 19, a detection rule configuration change unit 15, a detection rule database 16, and an IDS 17.
  • The application activation monitor 18 monitors application start and termination, converts the started (or terminated) application into the identifiers of the corresponding intrusion detection rules, and notifies those identifiers to the detection rule configuration change unit 15.
  • The application/detection rule database 19 converts between application identifiers and the corresponding intrusion detection rules.
  • The detection rule configuration change unit 15, detection rule database 16, and IDS 17 are the same as in the first embodiment.
  • The overall operation of this embodiment is described in detail with reference to FIGS. 5, 6, and 7.
  • FIG. 6 is an example of the conversion table of the application/detection rule database 19, which converts application identifiers into detection rule identifiers.
  • FIG. 7 shows the operation sequence in the second embodiment, from application start until the IDS configuration change is performed.
  • In step b1, the application activation monitor 18 acquires the identifier of the application that has started or terminated.
  • An HTTP server application is used as the example here.
  • In step b2, in order to convert the application identifier into intrusion detection rule identifiers, the application activation monitor 18 queries the application/detection rule database 19 for the rule identifiers, with the application identifier as the argument.
  • In step b3, the application/detection rule database 19 returns the intrusion detection rules corresponding to the application identifier. With the table contents of FIG. 6, it returns rule identifiers 1 and 2 for the HTTP server application to the application activation monitor 18.
  • In step b4, the application activation monitor 18 instructs the detection rule configuration change unit 15 to change the intrusion detection rules, passing the identifiers returned from the application/detection rule database 19 (here, 1 and 2) as the argument.
  • FIG. 8 is a block diagram for carrying out the third embodiment of the present invention and describes the internal configuration of terminal 1 and terminal 2 in this embodiment.
  • The terminal 1 comprises an external communication request detection unit 1a, a port/detection rule database 14, a detection rule configuration change unit 15, a detection rule database 16, and an IDS 17.
  • The terminal 2 comprises an application 21 and a socket 22.
  • The external communication request detection unit 1a receives the type of communication start/completion request and a port number from the external terminal, converts the port number into the corresponding intrusion detection rule numbers, and notifies those numbers to the detection rule configuration change unit 15.
  • The application 21 is an application built into terminal 2.
  • The socket 22 is a communication library such as the socket library commonly provided by general-purpose operating systems. In addition to normal communication processing, the socket 22 notifies the external communication request detection unit 1a of the port number to be used whenever a standby or connection request is received.
  • The port/detection rule database 14, detection rule configuration change unit 15, detection rule database 16, and IDS 17 of terminal 1 are the same as in the first embodiment.
  • The overall operation of this embodiment is described in detail with reference to FIGS. 8 and 9.
  • FIG. 9 shows the operation sequence in the third embodiment, from application start until the IDS configuration change is performed.
  • In step c1, the application 21 passes standby port number 80 as input, calls the socket 22, and requests communication standby start/end processing.
  • In step c2, the socket 22 sends the port number 80 it received as input to the external communication request detection unit 1a.
  • In step c3, the external communication request detection unit 1a queries the port/detection rule database 14 for the intrusion detection rule numbers, using the given port number 80 as input.
  • In step c4, the port/detection rule database 14 returns the intrusion detection rule numbers corresponding to the port number. With the table contents of FIG. 2, it returns rule numbers 1 and 2 for port 80 to the external communication request detection unit 1a.
  • In step c5, the external communication request detection unit 1a instructs the detection rule configuration change unit 15 to change the intrusion detection rules, passing the returned rule numbers (here, 1 and 2) as the argument.
  • In step c6, the detection rule configuration change unit 15 sends a configuration change completion notification to the socket 22.
  • In step c7, the socket 22 performs the standby start/end processing on port 80.
  • FIG. 10 is a block diagram for carrying out the fourth embodiment of the present invention.
  • The fourth embodiment is an improvement of the first embodiment for protocols such as RTP, in which the port number changes dynamically, so that various data formats such as audio and video protocols are supported.
  • FIG. 11 is an example of the conversion table of the protocol/detection rule database 1e, which converts protocol identifiers into detection rule identifiers.
  • FIG. 12 shows the operation sequence in the fourth embodiment, from application start until the IDS configuration change is performed.
  • In step d1, the telephone application 1b instructs the socket 1c to transmit communication permission data (for example, a SIP 200 OK response) in order to start communication such as voice or video.
  • The communication permission data carries, for example, SDP. The SDP contains the type of audio/video protocol to be used and the standby port.
  • In step d2, the socket 1c receives the transmission instruction from the telephone application 1b, parses the SDP, and extracts the audio/video protocol identifier and the port number.
  • In step d3, the socket 1c passes the protocol identifier and port number extracted in step d2 to the communication request detection unit 1d.
  • In step d4, the communication request detection unit 1d searches the protocol/detection rule database 1e (see FIG. 11), using the protocol identifier as the key, to convert the protocol identifier received from the socket 1c into detection rules.
  • In step d5, the protocol/detection rule database 1e returns the detection rule numbers corresponding to the protocol identifier to the communication request detection unit 1d.
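Steps d2 to d5 of the fourth embodiment, as an added example written for this page rather than code from the patent or from NEC: the socket parses the SDP carried in the 200 OK, pulls out the transport profile and port of each media description, and the protocol identifier is looked up in a protocol-to-rule table. The SDP body and the table contents are constructed (the page only says that RTP-style media are covered by FIG. 11); the rule numbers 10 to 12 and the profile names are assumptions. Once rule numbers and the media port are known, the enable/disable steps are the same as in the first embodiment and are not repeated here.

```python
"""Added example: deriving IDS rule numbers from an SDP body (fourth
embodiment, steps d2-d5). Illustrative code for this page, not the
patent's own implementation. Table contents and the SDP are constructed.
"""
import re

# Constructed protocol/detection rule table in the style of FIG. 11, keyed by
# the transport profile that appears in an SDP "m=" line (assumed names).
PROTOCOL_RULES = {"RTP/AVP": {10, 11}, "RTP/SAVP": {11}, "udptl": {12}}

# m=<media> <port>[/<count>] <proto> <fmt...>   (RFC 4566 media description)
M_LINE = re.compile(r"^m=(?P<media>\w+) (?P<port>\d+)(?:/\d+)? (?P<proto>\S+)")


def parse_sdp(sdp: str):
    """Step d2: return (media, port, proto) for every media description.
    Anything that is not a well-formed m= line is ignored; an out-of-range
    port is rejected rather than passed on to the rule change."""
    out = []
    for line in sdp.splitlines():
        m = M_LINE.match(line.strip())
        if not m:
            continue
        port = int(m.group("port"))
        if not 0 <= port <= 65535:
            raise ValueError(f"invalid port in SDP: {port}")
        out.append((m.group("media"), port, m.group("proto")))
    return out


def rules_for_sdp(sdp: str):
    """Steps d3-d5: protocol identifier -> rule numbers, plus the ports that
    the IDS will see traffic on. A port of 0 means the media stream is
    rejected (RFC 4566), so no rules are needed for it. An unknown profile
    raises instead of silently enabling nothing, so a gap in the table is
    noticed rather than leaving the stream unmonitored."""
    rule_ids, ports = set(), set()
    for _media, port, proto in parse_sdp(sdp):
        if port == 0:
            continue
        ids = PROTOCOL_RULES.get(proto)
        if ids is None:
            raise KeyError(f"no detection rules for protocol {proto!r}")
        rule_ids |= ids
        ports.add(port)
    return rule_ids, ports


# Constructed SDP as it might be carried in a SIP 200 OK: an accepted audio
# stream on 49170 and a rejected (port 0) video stream.
SAMPLE_SDP = """v=0
o=alice 2890844526 2890844526 IN IP4 192.0.2.10
s=-
c=IN IP4 192.0.2.10
t=0 0
m=audio 49170 RTP/AVP 0 8
a=rtpmap:0 PCMU/8000
m=video 0 RTP/AVP 31
"""

if __name__ == "__main__":
    print(rules_for_sdp(SAMPLE_SDP))
```

Because the media port is negotiated per call, the rule change here has to be repeated for every 200 OK (and undone when the call ends), which is exactly why the fourth embodiment hooks the socket rather than relying on a fixed port table.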
  • Applications of the present invention include devices that have an input operation unit, such as computers, portable information terminals, and mobile phones.
  • The network intrusion detection device according to the present invention can be applied to a communication device.

Abstract

Provided is a mechanism for optimizing intrusion detection rules in accordance with the communication request processing of an application program or with the internal state of the terminal, such as application start/end. To realize this, the communication device includes a mechanism for detecting the internal state of the terminal and automatically deciding the intrusion detection rules, and a mechanism for validating only the necessary detection rules.

Description

Specification
COMMUNICATION DEVICE, COMMUNICATION METHOD, AND PROGRAM
Technical field
[0001] The present invention relates to a communication device having a network intrusion detection program, and in particular to a technique for optimizing the operation of the intrusion detection program according to the internal state of a device connected to a network or the state of a terminal on the network.
Background art
[0002] Network attacks as the first step of unauthorized intrusion into a system, such as Web page defacement and DoS (denial of service) attacks, keep increasing. These attacks are difficult to defend against with a conventional firewall alone.
[0003] As a countermeasure against such attacks, there is the IDS (network intrusion detection device), which detects network anomalies and notifies the network administrator. Now that reconnaissance for intrusion points and actual intrusion attempts are everyday occurrences and hacking is on the rise, the IDS has become indispensable to network management.
[0004] An IDS detects network anomalies by matching communication packets against patterns for detecting unauthorized intrusion. Such a pattern is referred to below as an intrusion detection rule. As network anomalies increase, the processing load of matching against intrusion detection rules increases, and hardware resources such as processor and memory on the device are consumed heavily.
[0005] Even for an IDS built into a server device, if the number of intrusion detection rules to be matched grows in the future, the processing load may increase beyond the assumed processor and memory resources. In particular, when an IDS is installed in a device whose hardware resources such as processor performance and memory capacity are limited, such as a mobile terminal, a networked home appliance, or a sensor device, the increased processor load and memory consumption of the IDS may degrade the processing the device is supposed to perform.
[0006] It is therefore desirable to reduce the number of intrusion detection rules by deleting those that are unlikely to fire or that are harmless to the device or network, so as to minimize the performance degradation caused by the IDS.
[0007] As a technical document filed before the present invention to solve this problem, Japanese Patent Publication No. 2005-316779 describes the automatic generation of intrusion detection rules based on access logs.
[0008] The terminal device described in Japanese Patent Publication No. 2005-316779 detects unauthorized network intrusion into the terminal and, when unauthorized access has occurred, automatically adds detection processing for the anomalous packets corresponding to that access. A large number of intrusion detection rules therefore need not be set in the device in advance.
[0009] As a technical document for reducing the number of intrusion detection rules by removing those harmless to the network, thereby minimizing the performance degradation caused by the IDS, Japanese Patent Publication No. 2003-92603 describes a host-configuration auto-detecting IDS system.
[0010] The system described in Japanese Patent Publication No. 2003-92603 has a function for reducing the intrusion detection rules according to the configuration of the monitored host.
[0011] The technique of Japanese Patent Publication No. 2005-316779 adds anomalous-packet detection processing only after unauthorized access has occurred, so it is ineffective against the first unauthorized access.
[0012] Consequently, the network administrator and the terminal user cannot learn of the trace of that unauthorized access, and there is a risk that new security problems arise with the compromised terminal used as a stepping stone.
[0013] Japanese Patent Publication No. 2003-92603, for its part, does not mention how the data scanned by the configuration scanner is converted into an IDS rule set. The present invention provides a method that avoids such security risks while minimizing the performance degradation due to the IDS.
[0014] The first conventional problem is that in devices with constrained hardware resources (processor performance, memory capacity), such as mobile terminals, networked home appliances, and sensor devices, IDS processing may significantly reduce the performance of the device. Moreover, since IDS processing consumes a large load even on a device with sufficient hardware resources, the device may become unable to keep up as the kinds of unauthorized network access increase.
[0015] The reason is that when a large number of intrusion detection rules are set, intrusion detection processing may consume so much processor and memory that the processing the device is meant to perform can no longer be carried out. Processing efficiency, response time, and communication efficiency also degrade.
[0016] The second problem is that if too many intrusion detection rules are removed in order to solve the first problem, the security risk increases.
[0017] The reason is that unless an intrusion detection rule has been set in advance, the first attack corresponding to that rule cannot be defended against.
Disclosure of the invention
[0018] An object of the present invention is to minimize the processing-performance degradation caused by the IDS by optimizing the intrusion detection rules according to communication requests, the internal state of the terminal such as application state, or the state of terminals on the network.
[0019] In addition, since modifying existing applications incurs development cost, the invention provides a means of performing the above operation without modifying existing applications.
[0020] To achieve the above object, the device according to the present invention is provided with a mechanism that changes the intrusion detection rules while the device is operating, according to the communication request processing of application programs, application start and termination, the state of external terminals, and the like. To realize this mechanism, the device is characterized by having a mechanism that detects the internal state of the terminal and automatically determines the necessary intrusion detection rules, and a mechanism that makes only the necessary intrusion detection rules the target of matching.
[0021] By enabling only the necessary intrusion detection rules, the present invention makes effective use of the hardware resources (processor, memory, etc.) of a communication device that performs intrusion detection for networks and terminals. As a result, intrusion detection processing can be executed even on an apparatus with limited hardware resources, such as a portable terminal.
[0022] Furthermore, according to the present invention, comparison against unnecessary intrusion detection rules during communication is no longer required, which improves communication efficiency.
Brief description of drawings
[0023] [FIG. 1] A block diagram showing a first embodiment for carrying out the present invention.
[FIG. 2] An example of the conversion table of the port/detection rule database, which converts port numbers into detection rule identifiers.
[FIG. 3] An example of the detection rule database, which converts detection rule identifiers into detection rules and holds the validity of each rule.
[FIG. 4] The operation sequence in the first embodiment, from the standby on a port number until the IDS configuration change is performed.
[FIG. 5] A block diagram for carrying out a second embodiment of the present invention.
[FIG. 6] An example of the conversion table of the application/detection rule database, which converts application identifiers into detection rule identifiers.
[FIG. 7] The operation sequence in the second embodiment, from application start until the IDS configuration change is performed.
[FIG. 8] A block diagram for carrying out a third embodiment of the present invention.
[FIG. 9] The operation sequence in the third embodiment, from application start until the IDS configuration change is performed.
[FIG. 10] A block diagram for carrying out a fourth embodiment of the present invention.
[FIG. 11] An example of the conversion table of the protocol/detection rule database, which converts protocol identifiers into detection rule identifiers.
[FIG. 12] The operation sequence in the fourth embodiment, from application start until the IDS configuration change is performed.
BEST MODE FOR CARRYING OUT THE INVENTION
[0024] Embodiments of the present invention are described in detail below with reference to the drawings.
[0025] The apparatus of the present invention is described with reference to FIG. 1.
[0026] FIG. 1 is a block diagram of the first embodiment and shows the internal configuration of terminal 1 in detail.
[0027] Terminal 1 comprises an application 11, a socket 12, a communication request detection unit 13, a port/detection-rule database 14, a detection rule configuration change unit 15, a detection rule database 16, and an IDS 17.
[0028] Application 11 is an application built into mobile terminal 1.
[0029] Socket 12 is a communication library such as the socket library commonly used in general-purpose operating systems. In addition to normal communication processing, socket 12 notifies communication request detection unit 13 of the port number in use whenever it begins listening or accepts a connection request.
[0030] Communication request detection unit 13 receives the port number from socket 12, consults port/detection-rule database 14, and converts the port number into the corresponding intrusion detection rule numbers. It then notifies detection rule configuration change unit 15 of those rule numbers.
[0031] Port/detection-rule database 14 is a database that maps port numbers to the corresponding intrusion detection rule numbers.
[0032] Detection rule configuration change unit 15 receives intrusion detection rule numbers and instructs detection rule database 16 to enable or disable the corresponding rules. It also instructs IDS 17 to change its intrusion detection rules.
[0033] Detection rule database 16 maps intrusion detection rule numbers to the corresponding intrusion detection rules and stores an enabled/disabled flag for each rule; the flag can be changed by an external instruction.
[0034] IDS 17 receives the rule change instruction and enables or disables the intrusion detection rules accordingly.
[0035] The overall operation of this embodiment is described in detail with reference to FIGS. 1, 2, 3 and 4.
[0036] FIG. 2 is an example of the conversion table of port/detection-rule database 14, which converts port numbers into detection rule identifiers.
[0037] FIG. 3 is an example of detection rule database 16, which converts detection rule identifiers into detection rules and records whether each rule is enabled or disabled.
[0038] FIG. 4 is the operation sequence in the first embodiment, from listening on a port number until the IDS configuration is changed.
[0039] When application 11 listens on a specific port number, it calls the listen start/end functions of socket 12 (for example, the POSIX accept() and close() calls). The following description takes starting and ending listening on port 80 as its example (see FIG. 4).
[0040] In step a1, application 11 calls socket 12 with listening port number 80 as input and requests that listening be started or ended.
[0041] In step a2, socket 12 notifies communication request detection unit 13 of the port number 80 it was given. It then waits, without actually starting or ending listening, until the intrusion detection rule configuration has been changed.
[0042] In step a3, communication request detection unit 13 queries port/detection-rule database 14 with port number 80 for the corresponding intrusion detection rule numbers.
[0043] In step a4, port/detection-rule database 14 returns the intrusion detection rule numbers corresponding to the port number. If the table has the contents shown in FIG. 2, database 14 returns intrusion detection rule numbers 1 and 2, corresponding to port 80, to communication request detection unit 13.
[0044] In step a5, communication request detection unit 13 instructs detection rule configuration change unit 15 to change the intrusion detection rules, passing the rule numbers returned by database 14 (here 1 and 2) as arguments.
[0045] If listening is being started, in step a6 detection rule configuration change unit 15 instructs detection rule database 16 (see FIG. 3) to enable intrusion detection rules 1 and 2.
[0046] If listening is being ended, in step a6 detection rule configuration change unit 15 instructs detection rule database 16 to disable intrusion detection rules 1 and 2.
[0047] Because the intrusion detection rule configuration has changed, in step a7 detection rule configuration change unit 15 sends a configuration change notification to IDS 17.
[0048] In step a8, IDS 17 loads the intrusion detection rules whose enabled/disabled flag is set to enabled.
[0049] In step a9, detection rule configuration change unit 15 sends a configuration change completion notification to socket 12.
[0050] In step a10, socket 12 starts or ends listening on port 80.
[0051] A second embodiment of the invention is described in detail with reference to the drawings.
[0052] FIG. 5 is a block diagram of the second embodiment and shows the internal configuration of terminal 1 in this embodiment.
[0053] Terminal 1 comprises an application 11, an application start monitor 18, an application/detection-rule database 19, a detection rule configuration change unit 15, a detection rule database 16, and an IDS 17.
[0054] Application start monitor 18 monitors the starting and ending of applications and converts the application that started or ended into the identifiers of the corresponding intrusion detection rules. It then notifies detection rule configuration change unit 15 of those identifiers.
[0055] Application/detection-rule database 19 is a database that maps application identifiers to the corresponding intrusion detection rules.
[0056] Detection rule configuration change unit 15, detection rule database 16 and IDS 17 are the same as in the first embodiment.
[0057] The overall operation of this embodiment is described in detail with reference to FIGS. 5, 6 and 7.
[0058] FIG. 6 is an example of the conversion table of application/detection-rule database 19, which converts application identifiers into detection rule identifiers.
[0059] FIG. 7 is the operation sequence in the second embodiment, from the start of an application until the IDS configuration is changed.
[0060] When application 11 is started or ended, application start monitor 18 obtains the identifier of the application that started or ended in step b1. An HTTP server application is taken as the example here.
[0061] In step b2, to convert the application identifier into intrusion detection rule identifiers, application start monitor 18 queries application/detection-rule database 19 with the application identifier as its argument.
[0062] In step b3, application/detection-rule database 19 returns the intrusion detection rule identifiers corresponding to the application identifier. If the table has the contents shown in FIG. 6, database 19 returns intrusion detection rule identifiers 1 and 2, corresponding to the HTTP server application, to application start monitor 18.
[0063] In step b4, application start monitor 18 instructs detection rule configuration change unit 15 to change the intrusion detection rules, passing the identifiers returned by database 19 (here 1 and 2) as arguments.
[0064] Thereafter, the same processing as steps a6 to a8 of the first embodiment is performed.
[0065] A third embodiment of the present invention is described in detail with reference to the drawings.
[0066] FIG. 8 is a block diagram of the third embodiment and shows the internal configuration of terminal 1 and terminal 2 in this embodiment.
[0067] Terminal 1 comprises an external communication request detection unit 1a, a port/detection-rule database 14, a detection rule configuration change unit 15, a detection rule database 16, and an IDS 17.
[0068] Terminal 2 comprises an application 21 and a socket 22.
[0069] External communication request detection unit 1a receives, from an external terminal, the type of communication start/completion request together with a port number, and converts the port number into the corresponding intrusion detection rule numbers. It then notifies detection rule configuration change unit 15 of those rule numbers.
[0070] Application 21 is an application built into the mobile terminal.
[0071] Socket 22 is a communication library such as the socket library commonly used in general-purpose operating systems. In addition to normal communication processing, socket 22 notifies external communication request detection unit 1a of the port number in use whenever it begins listening or accepts a connection request.
[0072] Port/detection-rule database 14, detection rule configuration change unit 15, detection rule database 16 and IDS 17 of terminal 1 are the same as in the first embodiment.
[0073] The overall operation of this embodiment is described in detail with reference to FIGS. 8 and 9.
[0074] FIG. 9 is the operation sequence in the third embodiment, from the start of an application until the IDS configuration is changed.
[0075] In step c1, application 21 calls socket 22 with listening port number 80 as input and requests that listening be started or ended.
[0076] In step c2, socket 22 notifies external communication request detection unit 1a of the port number 80 it was given and of the type of communication start/completion request. It then waits, without actually starting or ending listening, until the intrusion detection rule configuration has been changed.
[0077] In step c3, external communication request detection unit 1a queries port/detection-rule database 14 with port number 80 for the corresponding intrusion detection rule numbers.
[0078] In step c4, port/detection-rule database 14 returns the intrusion detection rule numbers corresponding to the port number. If the table has the contents shown in FIG. 2, database 14 returns intrusion detection rule numbers 1 and 2, corresponding to port 80, to external communication request detection unit 1a.
[0079] In step c5, external communication request detection unit 1a instructs detection rule configuration change unit 15 to change the intrusion detection rules, passing the rule numbers returned by database 14 (here 1 and 2) as arguments.
[0080] Thereafter, the same processing as steps a6 to a8 of the first embodiment is performed.
[0081] In step c6, detection rule configuration change unit 15 sends a configuration change completion notification to socket 22.
[0082] In step c7, socket 22 starts or ends listening on port 80.
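The following Python is an added example and not part of the patent text or of NEC's implementation. It models steps a1 to a10 of the first embodiment and, because the second and third embodiments differ only in what triggers the lookup (an application starting or ending, or a request relayed from another terminal), the same configurator serves them as well. Everything in it is an assumption: the table contents, the rule texts, the class names, and two policies the description leaves open. First, each rule is tracked by a count of the live triggers that need it rather than by a single enabled/disabled flag, because with a plain flag ending one listener on port 80 would also disable the rules that a second listener, on another port mapped to the same rules, still relies on. Second, a port with no table entry gets a baseline rule set rather than no rules at all, and a request to disable a rule that was never enabled is rejected, which matters in the third embodiment where the trigger arrives from another terminal. One practical note: the description names accept() and close() as the listen start/end calls, but in POSIX a socket begins accepting connections at listen(), so the hook belongs there.

```python
"""Trigger-driven enabling of IDS rules, modelled on steps a1-a10 (and b1-b4,
c1-c7) of the description. Added example: the table contents, rule texts, class
names and the reference-counting policy are assumptions, not the patent's."""
from collections import Counter
from dataclasses import dataclass, field

# Port/detection-rule table (the role of FIG. 2). Contents are constructed:
# ports 80 and 8080 deliberately share rules so the reference count matters.
PORT_RULES = {80: {1, 2}, 8080: {1, 2}, 443: {3}, 5060: {4}}

# Application/detection-rule table (the role of FIG. 6). Contents constructed.
APP_RULES = {"httpd": {1, 2}, "sip-ua": {4}}

# Detection-rule database (the role of FIG. 3). Rule 0 is an assumed baseline
# used for listeners whose port has no table entry.
RULE_DB = {
    0: "baseline: malformed IP/TCP header",
    1: "HTTP: request line longer than 2048 bytes",
    2: "HTTP: '../' traversal sequence in URI",
    3: "TLS: ClientHello with unsupported version",
    4: "SIP: malformed Via header",
}
BASELINE_RULES = {0}


@dataclass
class RuleConfigurator:
    """Plays the roles of configuration change unit 15, rule database 16 and
    IDS 17. Instead of a plain enabled/disabled flag it keeps, per rule, the
    number of live triggers (listeners, applications) that need it, so ending
    one listener cannot disable a rule another listener still relies on."""
    refcount: Counter = field(default_factory=Counter)
    loaded: frozenset = frozenset()   # rules the IDS currently has loaded (step a8)

    def enable(self, rule_ids):
        unknown = set(rule_ids) - set(RULE_DB)
        if unknown:
            raise KeyError(f"unknown rule ids {sorted(unknown)}")
        for r in rule_ids:
            self.refcount[r] += 1        # step a6 (enable)
        self._reload()

    def disable(self, rule_ids):
        for r in rule_ids:
            if self.refcount[r] == 0:    # disable without a matching enable: reject
                raise ValueError(f"rule {r} is not enabled")
        for r in rule_ids:
            self.refcount[r] -= 1        # step a6 (disable)
        self._reload()

    def _reload(self):
        # Steps a7/a8: the IDS loads exactly the rules whose count is non-zero.
        self.loaded = frozenset(r for r, n in self.refcount.items() if n > 0)

    def enabled_rules(self):
        return {r: RULE_DB[r] for r in sorted(self.loaded)}


class GuardedSocket:
    """Plays the role of socket 12/22: the rule change completes before the
    listener is opened and after it is closed (steps a2, a9, a10)."""

    def __init__(self, cfg):
        self.cfg = cfg
        self.listening = set()

    @staticmethod
    def rules_for_port(port):
        # Steps a3/a4. An unmapped port gets the baseline rather than nothing.
        return PORT_RULES.get(port, BASELINE_RULES)

    def listen(self, port):
        if port in self.listening:
            raise ValueError(f"already listening on {port}")
        self.cfg.enable(self.rules_for_port(port))   # steps a5..a9
        self.listening.add(port)                     # step a10
        return sorted(self.cfg.loaded)

    def close(self, port):
        self.listening.remove(port)                  # KeyError if never opened
        self.cfg.disable(self.rules_for_port(port))
        return sorted(self.cfg.loaded)


def on_app_event(cfg, app_id, started):
    """Second embodiment (steps b1-b4): application start/end as the trigger."""
    rules = APP_RULES[app_id]          # KeyError for an application not in the table
    (cfg.enable if started else cfg.disable)(rules)
    return sorted(cfg.loaded)
```

With these tables, opening listeners on 80 and 8080 and then closing 80 leaves rules 1 and 2 loaded, which a single flag per rule would not guarantee.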
[0083] A fourth embodiment of the invention is described next.
[0084] FIG. 10 is a block diagram of the fourth embodiment of the present invention.
[0085] The fourth embodiment is a refinement of the first embodiment for protocols such as RTP, whose port numbers change dynamically and which carry a variety of data formats such as audio and video.
[0086] The overall operation of the fourth embodiment is described in detail with reference to FIGS. 10, 11 and 12.
[0087] FIG. 11 is an example of the conversion table of protocol/detection-rule database 1e, which converts protocol identifiers into detection rule identifiers.
[0088] FIG. 12 is the operation sequence in the fourth embodiment, from the start of an application until the IDS configuration is changed.
[0089] To begin audio or video communication, in step d1 telephone application 1b instructs socket 1c to send communication permission data (for example, a SIP 200 OK). The communication permission data (for example, SDP) contains the type of audio or video protocol to be used and the listening port.
[0090] Socket 1c accepts the send instruction from telephone application 1b and, in step d2, parses the SDP to extract the audio/video protocol identifier and the port number.
[0091] In step d3, socket 1c passes the protocol identifier and port number extracted in step d2 to communication request detection unit 1d.
[0092] In step d4, to convert the protocol identifier received from socket 1c into detection rules, communication request detection unit 1d searches protocol/detection-rule database 1e (see FIG. 11) using the protocol identifier as the key.
[0093] In step d5, protocol/detection-rule database 1e returns the detection rule numbers corresponding to the protocol identifier to communication request detection unit 1d.
[0094] Thereafter, the same processing as steps a6 to a10 of the first embodiment is performed.
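As an added example (not code from the patent or from NEC), the following Python carries out steps d2 to d5 on a constructed SDP body: it extracts the media type, port and transport protocol from each m= line and maps the (media, protocol) pair to rule numbers, so that the rules follow the negotiated protocol rather than a fixed port. The SDP text, the protocol table and the rule numbers are assumptions. Two cases the description does not spell out are handled explicitly: a media line with port 0 is a rejected stream that opens no listener, so it contributes no rules, and a protocol absent from the table is refused rather than passed through with no rules loaded.

```python
"""Fourth embodiment (steps d2-d5): derive the IDS rules from the protocol
negotiated in SDP instead of from a fixed port. Added example: the SDP body,
the protocol/rule table and the rule numbers are constructed, not the patent's."""
import re

# Protocol/detection-rule table (the role of FIG. 11), keyed on the SDP media
# type and transport protocol. Contents constructed.
PROTO_RULES = {
    ("audio", "RTP/AVP"): {10, 11},
    ("video", "RTP/AVP"): {12},
    ("audio", "RTP/SAVP"): {10},
}

# Constructed SDP body such as a telephone application would put in a SIP 200 OK.
SAMPLE_SDP = (
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 192.0.2.10\r\n"
    "s=-\r\n"
    "c=IN IP4 192.0.2.10\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0 8\r\n"
    "a=rtpmap:0 PCMU/8000\r\n"
    "m=video 51372 RTP/AVP 96\r\n"
    "a=rtpmap:96 H264/90000\r\n"
)

# m=<media> <port>[/<count>] <proto> <fmt> ...   (RFC 4566 media description)
_MEDIA_LINE = re.compile(
    r"^m=(?P<media>[A-Za-z0-9]+) (?P<port>\d{1,5})(?:/\d+)? "
    r"(?P<proto>[A-Za-z0-9/]+)(?: .*)?$"
)


def parse_media_lines(sdp):
    """Step d2: return (media, port, proto) for every live media stream.
    A stream with port 0 is a rejected stream (RFC 3264) and opens nothing,
    so it is skipped; anything unparsable is an error rather than a guess."""
    streams = []
    for line in sdp.splitlines():
        if not line.startswith("m="):
            continue
        m = _MEDIA_LINE.match(line.rstrip())
        if m is None:
            raise ValueError(f"malformed media line: {line!r}")
        port = int(m["port"])
        if port == 0:
            continue
        if port > 65535:
            raise ValueError(f"port out of range in media line: {line!r}")
        streams.append((m["media"], port, m["proto"]))
    return streams


def rules_for_sdp(sdp):
    """Steps d4/d5: look up each (media, proto) pair in the protocol table.
    Returns (sorted rule ids to enable, ports the streams will listen on).
    A protocol with no table entry is refused instead of silently unguarded."""
    rule_ids, ports = set(), []
    for media, port, proto in parse_media_lines(sdp):
        key = (media, proto)
        if key not in PROTO_RULES:
            raise LookupError(f"no detection rules for {media} over {proto}")
        rule_ids |= PROTO_RULES[key]
        ports.append(port)
    return sorted(rule_ids), ports
```

The returned rule ids are what communication request detection unit 1d would hand to the configuration change unit in step a6, and the ports are the ones the socket opens in step a10 once the change has completed.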
[0095] Examples of uses of the present invention include devices that have an input operation unit, such as computers, personal digital assistants and mobile phones.
[0096] The network intrusion detection apparatus according to the present invention is applicable to communication devices.
[0097] The present invention has been described above with reference to embodiments, but it is not limited to those embodiments. Various changes that a person skilled in the art could understand may be made to the configuration and details of the invention within its scope.
[0098] This application claims priority based on Japanese Patent Application No. 2006-290906, filed on October 26, 2006, the entire disclosure of which is incorporated herein.

Claims
[1] A communication device having an intrusion detection function for a network and a terminal, and a function for optimizing the detection rules used to detect intrusions into the network and the terminal.
[2] The communication device according to claim 1, comprising: detection rule determination means for detecting a state change inside or outside the device and determining the intrusion detection rules to be used in response to the state change; and intrusion detection means for detecting intrusions according to the intrusion detection rules.
[3] The communication device according to claim 2, wherein the detection rule determination means accepts a communication request from an application on its own terminal and determines the intrusion detection rules to be used based on the source/destination address or port number.
[4] The communication device according to claim 3, wherein the detection rule determination means has storage means that stores source/destination addresses or port numbers in association with intrusion detection rules, and determines the intrusion detection rules using the storage means.
[5] The communication device according to claim 2, wherein the detection rule determination means detects the starting and ending of applications and determines the intrusion detection rules based on the application that started or ended.
[6] The communication device according to claim 5, wherein the detection rule determination means has storage means that stores application identifiers in association with intrusion detection rules, and determines the intrusion detection rules using the storage means.
[7] The communication device according to claim 2, wherein the detection rule determination means accepts a communication request from another terminal and determines the intrusion detection rules to be used based on the source/destination address or port number.
[8] The communication device according to claim 2, wherein the detection rule determination means monitors the communication data of its own terminal and determines the intrusion detection rules according to the communication data.
[9] A communication method comprising: a first process of detecting a state change inside or outside the device and determining the intrusion detection rules to be used in response to the state change; and a second process of detecting intrusions according to the intrusion detection rules.
[10] The communication method according to claim 9, wherein the first process accepts a communication request from an application and determines the intrusion detection rules to be used based on the source/destination address or port number.
[11] The communication method according to claim 10, wherein the first process includes a third process of storing source/destination addresses or port numbers in association with intrusion detection rules, and determines the intrusion detection rules using the third process.
[12] The communication method according to claim 9, wherein the first process detects the starting and ending of applications and determines the intrusion detection rules based on the application that started or ended.
[13] The communication method according to claim 12, wherein the first process includes a third process of storing application identifiers in association with intrusion detection rules, and determines the intrusion detection rules using the third process.
[14] The communication method according to claim 9, wherein the first process accepts a communication request from another terminal and determines the intrusion detection rules to be used based on the source/destination address or port number.
[15] The communication method according to claim 9, wherein the first process monitors the communication data of its own terminal and determines the intrusion detection rules according to the communication data.
[16] A program for causing a computer to execute: a first procedure of detecting a state change inside or outside the device and determining the intrusion detection rules to be used in response to the state change; and a second procedure of detecting intrusions according to the intrusion detection rules.
[17] The program according to claim 16, wherein the first procedure accepts a communication request from an application and determines the intrusion detection rules to be used based on the source/destination address or port number.
[18] The program according to claim 17, wherein the first procedure includes a third procedure of storing source/destination addresses or port numbers in association with intrusion detection rules, and determines the intrusion detection rules using the third procedure.
[19] The program according to claim 16, wherein the first procedure detects the starting and ending of applications and determines the intrusion detection rules based on the application that started or ended.
[20] The program according to claim 19, wherein the first procedure includes a third procedure of storing application identifiers in association with intrusion detection rules, and determines the intrusion detection rules using the third procedure.
[21] The program according to claim 20, wherein the first procedure accepts a communication request from another terminal and determines the intrusion detection rules to be used based on the source/destination address or port number.
[22] The program according to claim 17, wherein the first procedure monitors the communication data of its own terminal and, according to the communication data, determines the intrusion detection
PCT/JP2007/070254 2006-10-26 2007-10-17 Communication device, communication method, and program WO2008050651A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
JP2006290906A JP2010033100A (en) 2006-10-26 2006-10-26 Communication device and detection device of intrusion to network
JP2006-290906 2006-10-26

Publications (1)

Publication Number Publication Date
WO2008050651A1 true WO2008050651A1 (en) 2008-05-02

Family

ID=39324450

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2007/070254 WO2008050651A1 (en) 2006-10-26 2007-10-17 Communication device, communication method, and program

Country Status (2)

Country Link
JP (1) JP2010033100A (en)
WO (1) WO2008050651A1 (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP5655185B2 (en) * 2011-06-28 2015-01-21 Nippon Telegraph and Telephone Corporation Malware-infected terminal detection device, malware-infected terminal detection method, and malware-infected terminal detection program
WO2023058212A1 (en) * 2021-10-08 2023-04-13 Mitsubishi Electric Corporation Control device

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2003092603A (en) * 2001-09-17 2003-03-28 Toshiba Corp Network intrusion detecting system, apparatus and program

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
TAKASHI HORIE, TOSHIHARU HARADA, KAZUO TANAKA: "Adaptive Access Policy for the Linux Kernel", PROCEEDINGS OF THE 2005 SYMPOSIUM ON APPLICATIONS AND THE INTERNET (SAINT'05), IEEE, February 2005 (2005-02-01), pages 82 - 88 *

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2009139170A1 (en) * 2008-05-16 2009-11-19 Panasonic Corporation Attack packet detector, attack packet detection method, image receiver, content storage device, and ip communication device
JP2012104088A (en) * 2010-11-09 2012-05-31 Shijin Kogyo Sakushinkai Information security protection host
US8458785B2 (en) 2010-11-09 2013-06-04 Institute For Information Industry Information security protection host

Also Published As

Publication number Publication date
JP2010033100A (en) 2010-02-12

Similar Documents

Publication Publication Date Title
JP4499161B2 (en) Method, system and apparatus for realizing data service security in a mobile communication system
US8935419B2 (en) Filtering device for detecting HTTP request and disconnecting TCP connection
US8713665B2 (en) Systems, methods, and media for firewall control via remote system information
JP4087428B2 (en) Data processing system
JP4327698B2 (en) Network type virus activity detection program, processing method and system
US20080060074A1 (en) Intrusion detection system, intrusion detection method, and communication apparatus using the same
WO2007116605A1 (en) Communication terminal, rule distribution apparatus and program
US20090119745A1 (en) System and method for preventing private information from leaking out through access context analysis in personal mobile terminal
WO2010003317A1 (en) Device, method and system for preventing web page from being tampered
WO2021112494A1 (en) Endpoint-based managing-type detection and response system and method
SE525304C2 (en) Method and apparatus for controlling access between a computer and a communication network
WO2008050651A1 (en) Communication device, communication method, and program
JP2019152912A (en) Unauthorized communication handling system and method
EP2141885B1 (en) Embedded firewall at a telecommunications endpoint
JP4254290B2 (en) Peripheral device driver proxy installation program, apparatus and method
EP2232810A1 (en) Automatic proxy detection and traversal
WO2010117155A9 (en) System-on-chip malicious code detection apparatus for a mobile device
JP4619280B2 (en) Communication terminal
KR20080017046A (en) Data processing system
JP2001268261A (en) Method for providing data communication service using mobile network, mobile unit for receiving data communication service using the mobile network, and external device
US20070226486A1 (en) Telnet security system and operation method thereof
KR20230053129A (en) A control method and the device for internet search engine using security interface
US8453230B2 (en) Communicating apparatus for performing communication over IP network by using SIP, controlling method therefor, and program
JP4638513B2 (en) Communication control device and communication control method
CN115834184A (en) Safety detection method and system for container flow, electronic equipment and storage medium

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 07829988

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 07829988

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: JP