WO2008050651A1 - Communication device, communication method and communication program - Google Patents

Communication device, communication method and communication program

Info

Publication number
WO2008050651A1
Authority
WO
WIPO (PCT)
Prior art keywords
detection rule
intrusion detection
communication
unauthorized intrusion
application
Prior art date
Application number
PCT/JP2007/070254
Other languages
English (en)
Japanese (ja)
Inventor
Yoshiaki Okuyama
Takuya Murakami
Original Assignee
Nec Corporation
Priority date 2006-10-26
Filing date 2007-10-17
Publication date 2008-05-02
Application filed by NEC Corporation
Publication of WO2008050651A1

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 12/00: Data switching networks
    • H04L 12/66: Arrangements for connecting between networks having differing types of switching systems, e.g. gateways
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/55: Detecting local intrusion or implementing counter-measures
    • G06F 21/554: Detecting local intrusion or implementing counter-measures involving event detection and direct action

Definitions

  • The present invention relates to a communication device having a network intrusion detection program, and in particular to a technology for optimizing the operation of the intrusion detection program according to the internal state of a device connected to a network or the state of a terminal on the network.
  • IDS: network intrusion detection device.
  • An IDS detects network anomalies by matching communication packets against patterns for detecting unauthorized intrusion. Such a pattern is hereinafter referred to as an unauthorized intrusion detection rule.
  • As network anomalies increase, the processing load for matching against the intrusion detection rules increases, and hardware resources such as processor and memory on the equipment are consumed significantly.
  • Japanese Patent Application Laid-Open No. 2003-092603 describes a host-configuration auto-detecting IDS system that reduces the number of intrusion detection rules by removing rules that are harmless for the host, thereby minimizing the performance degradation caused by the IDS.
  • The first conventional problem is that in devices with restricted hardware resources such as processor performance and memory capacity, for example mobile terminals, network home appliances and sensor devices, the IDS processing may significantly reduce the performance of the device.
  • Even on a device with sufficient hardware resources, IDS processing imposes a heavy load, so as the number of types of unauthorized network access increases it may become impossible to process them all.
  • The reason is that when a large number of unauthorized intrusion detection rules are configured, the intrusion detection processing may consume so much processor and memory resource that the desired processing cannot be performed; processing efficiency, response time and communication efficiency also deteriorate.
  • The second problem is that if the number of unauthorized intrusion detection rules is reduced to solve the first problem, the security risk increases.
  • An object of the present invention is to minimize the degradation in processing performance due to the IDS by optimizing the intrusion detection rules according to the communication request, the internal state of the terminal such as the application state, or the state of a terminal on the network.
  • The invention also provides a means of performing the above operation without modifying existing applications.
  • The device changes the intrusion detection rules during operation according to the communication request processing of the application program, the activation and termination of applications, the state of external terminals, and so on.
  • This mechanism is characterized by having a mechanism that detects the internal state of the terminal and automatically determines the necessary intrusion detection rules, and a mechanism that enables only the necessary intrusion detection rules so that packets are matched only against those rules.
  • The present invention makes effective use of the hardware resources (processor, memory, etc.) of a communication device that performs unauthorized intrusion detection for networks and terminals by enabling only the necessary unauthorized intrusion detection rules. As a result, the unauthorized intrusion detection process can be executed even in an apparatus with limited hardware resources such as a portable terminal.
  • FIG. 1 is a block diagram showing a first embodiment for carrying out the present invention.
  • FIG. 2 is a diagram showing an example of a conversion table for a port detection rule database that converts port numbers into detection rule identifiers.
  • FIG. 3 is a diagram showing an example of a detection rule database for converting a detection rule identifier into a detection rule and determining whether the detection rule is valid / invalid.
  • FIG. 4 is a diagram showing an operation sequence from waiting for a port number until an IDS configuration change is performed in the first embodiment of the present invention.
  • FIG. 5 is a block diagram for carrying out a second embodiment of the present invention.
  • FIG. 6 is a diagram illustrating an example of a conversion table of the application/detection rule database that converts an application identifier into detection rule identifiers.
  • FIG. 7 is a diagram showing an operation sequence until an IDS configuration change is performed when an application is activated in the second embodiment of the present invention.
  • FIG. 8 is a block diagram for carrying out a third embodiment of the present invention.
  • FIG. 9 is a diagram showing an operation sequence until an IDS configuration change is performed when an application is activated in the third embodiment of the present invention.
  • FIG. 10 is a block diagram for carrying out a fourth embodiment of the present invention.
  • FIG. 11 is a diagram showing an example of a conversion table of a protocol / detection rule database for converting protocol identifiers to detection rule identifiers.
  • FIG. 12 is a diagram showing an operation sequence until an IDS configuration change is performed when an application is activated in the fourth embodiment of the present invention.
  • FIG. 1 is a block diagram showing a first embodiment for carrying out the present invention.
  • The terminal 1 includes an application 11, a socket 12, a communication request detection unit 13, a port/detection rule database 14, a detection rule configuration change unit 15, a detection rule database 16, and an IDS 17.
  • The application 11 is an application built into the mobile terminal 1.
  • The socket 12 is a communication library such as the socket library commonly provided by a general OS. In addition to normal communication processing, the socket 12 notifies the communication request detection unit 13 of the port number to be used when a standby (listen) or connection request is received.
  • The communication request detection unit 13 receives the port number from the socket 12, refers to the port/detection rule database 14, converts the received port number into the corresponding intrusion detection rule numbers, and notifies the detection rule configuration change unit 15 of those rule numbers.
  • The port/detection rule database 14 is a database that maps a port number to the corresponding unauthorized intrusion detection rule numbers.
  • The detection rule configuration change unit 15 receives the unauthorized intrusion detection rule numbers and instructs the detection rule database 16 to validate or invalidate those rules. It also instructs the IDS 17 to change its intrusion detection rules.
  • The detection rule database 16 maps an intrusion detection rule number to the corresponding intrusion detection rule and stores, for each rule, a flag indicating whether the rule is valid or invalid. The valid/invalid flag is changed by the detection rule configuration change unit 15.
  • IDS 17 receives an intrusion detection rule change instruction and validates / invalidates the intrusion detection rule.
  • FIG. 2 is an example of a conversion table of the port detection rule database 14 that converts port numbers into detection rule identifiers.
  • FIG. 3 shows an example of the detection rule database 16 for converting the detection rule identifier into a detection rule and determining the validity / invalidity of the detection rule.
  • FIG. 4 is an operation sequence from the port number standby until the IDS configuration change is performed in the first embodiment of the present invention.
  • In step a1 the application 11 inputs the standby port number 80, calls the socket 12, and requests communication standby start/end processing.
  • In step a2 the socket 12 notifies the communication request detection unit 13 of the port number 80 given as input. The standby start/end processing is held until the configuration of the intrusion detection rules has been changed.
  • In step a3 the communication request detection unit 13 inquires of the port/detection rule database 14 about the unauthorized intrusion detection rule numbers, using the given port number 80 as input.
  • In step a4 the port/detection rule database 14 returns the intrusion detection rule numbers corresponding to the port number. If the table contents are as shown in FIG. 2, it returns the intrusion detection rule numbers 1 and 2 corresponding to port number 80 to the communication request detection unit 13.
  • In step a5 the communication request detection unit 13 instructs the detection rule configuration change unit 15 to change the unauthorized intrusion detection rules, using the rule numbers returned from the port/detection rule database 14 (here, 1 and 2) as the argument.
  • In step a6 the detection rule configuration change unit 15 instructs the detection rule database 16 to validate the unauthorized intrusion detection rules 1 and 2 when standby is starting, or to invalidate them when standby is ending (see FIG. 3).
  • In step a7 the detection rule configuration change unit 15 sends a configuration change notification for the intrusion detection rules to the IDS 17.
  • In step a8 the IDS 17 loads the intrusion detection rules whose valid/invalid flag is set to valid.
  • In step a9 the detection rule configuration change unit 15 transmits a configuration change completion notification to the socket 12.
  • In step a10 the socket 12 performs the standby start/end processing at port 80.
  • FIG. 5 is a block diagram for carrying out the second embodiment of the present invention, and describes the internal configuration of the terminal 1 of the present embodiment.
  • Terminal 1 includes application 11, application activation monitor 18, application detection rule database 19, detection rule configuration change unit 15, detection rule database 16, IDS 17, and the like.
  • the application activation monitor 18 monitors the activation / termination of the application, and converts the activated application to the identifier of the corresponding intrusion detection rule. In addition, the detection rule configuration change unit 15 is notified of the intrusion detection rule identifier.
  • the application detection rule database 19 is a database that performs conversion between an application identifier and a corresponding intrusion detection rule.
  • the detection rule configuration changing unit 15, the detection rule database 16, and the IDS 17 are the same as those in the first embodiment.
  • The overall operation of the present exemplary embodiment will be described in detail with reference to FIGS. 5, 6 and 7.
  • FIG. 6 is an example of a conversion table of the application/detection rule database 19 that converts application identifiers into detection rule identifiers.
  • FIG. 7 shows an operation sequence until an IDS configuration change is performed when an application is activated in the second embodiment of the present invention.
  • In step b1 the application activation monitor 18 acquires the identifier of the application that has been activated or terminated. An HTTP server application is used as the example here.
  • In step b2 the application activation monitor 18 inquires of the application/detection rule database 19 about the intrusion detection rule identifiers, using the application identifier as the argument, in order to convert the application identifier into intrusion detection rule identifiers.
  • In step b3 the application/detection rule database 19 returns the intrusion detection rule identifiers corresponding to the application identifier. If the contents of the table are as shown in FIG. 6, it returns the intrusion detection rule identifiers 1 and 2 corresponding to the HTTP server application to the application activation monitor 18.
  • In step b4 the application activation monitor 18 instructs the detection rule configuration change unit 15 to change the intrusion detection rules, using the identifiers returned from the application/detection rule database 19 (here, 1 and 2) as the argument.
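The port-triggered sequence of the first embodiment (steps a1 to a10) and the application-triggered sequence of the second embodiment (steps b1 to b4) reduce to the same pipeline: a trigger is converted to rule identifiers, the valid/invalid flags in the detection rule database are changed, and the IDS reloads only the valid rules. The following Python block is an added illustration of that pipeline written for this page; it is not code from the patent or from NEC. The port, application and rule tables, the rule names, and the use of a reference count in place of a plain flag are assumptions made for the example.

```python
# Added illustration (not the patent's code): switching IDS rules on and off from
# socket standby requests (first embodiment) and application start/stop events
# (second embodiment). All tables, rule names and identifiers are made up.
from collections import Counter

# Stand-ins for the port/detection rule database 14 (FIG. 2), the
# application/detection rule database 19 (FIG. 6) and the rule texts of the
# detection rule database 16 (FIG. 3). Constructed for this example.
PORT_RULES = {80: {1, 2}, 443: {2, 3}, 5060: {4}}
APP_RULES = {"http_server": {1, 2}, "sip_phone": {4, 5}}
RULE_DB = {
    1: "HTTP request with directory traversal in URI",
    2: "HTTP header longer than 8 KiB",
    3: "TLS record length mismatch",
    4: "SIP INVITE flood from one source",
    5: "RTP packet with inconsistent payload type",
}


class RuleConfig:
    """Detection rule database 16: a valid/invalid flag per rule.

    The flag is kept as a reference count (an assumption beyond the patent) so
    that a rule needed by two triggers, e.g. port 80 and the http_server
    application, stays valid until the last trigger ends."""

    def __init__(self):
        self.refs = Counter()

    def enabled(self):
        return {rid for rid, n in self.refs.items() if n > 0}

    def enable(self, rule_ids):
        for rid in rule_ids:
            if rid not in RULE_DB:
                raise KeyError(f"unknown detection rule {rid}")
            self.refs[rid] += 1

    def disable(self, rule_ids):
        rule_ids = set(rule_ids)
        missing = [rid for rid in rule_ids if self.refs[rid] == 0]
        if missing:
            raise RuntimeError(f"rules {sorted(missing)} disabled without a matching enable")
        for rid in rule_ids:
            self.refs[rid] -= 1


class IDS:
    """IDS 17: on a change notification, load only the rules flagged valid."""

    def __init__(self, config):
        self.config = config
        self.loaded = set()

    def reload(self):
        self.loaded = self.config.enabled()
        return self.loaded


class Dispatcher:
    """Communication request detection unit 13 / application activation monitor 18
    feeding the detection rule configuration change unit 15."""

    def __init__(self):
        self.config = RuleConfig()
        self.ids = IDS(self.config)

    def _change(self, rule_ids, start):
        # Steps a5 to a8 (or b4 onward): flip the flags, then tell the IDS to reload.
        if start:
            self.config.enable(rule_ids)
        else:
            self.config.disable(rule_ids)
        return self.ids.reload()

    def on_listen(self, port, start=True):
        """Steps a2 to a10: the socket reports a standby start (start=True) or
        end (start=False) on `port` and may proceed only after this returns.
        A port with no mapping changes nothing (assumption)."""
        return self._change(PORT_RULES.get(port, set()), start)

    def on_app(self, app_id, start=True):
        """Steps b1 to b4: the monitor reports an application start or termination."""
        return self._change(APP_RULES.get(app_id, set()), start)


if __name__ == "__main__":
    d = Dispatcher()
    print(sorted(d.on_listen(80)))                        # [1, 2]
    print(sorted(d.on_app("http_server")))                # [1, 2]
    print(sorted(d.on_listen(80, start=False)))           # [1, 2], still needed by the app
    print(sorted(d.on_app("http_server", start=False)))   # []
```

The reference count matters when two triggers name the same rule: with a plain flag, terminating the HTTP server application in the example would clear rules 1 and 2 while port 80 is still in standby. `on_listen` returns only after the IDS has reloaded, which preserves the ordering of steps a9 and a10 (the socket does not start listening before the rules guarding it are active). Where the trigger arrives from another terminal, as in the third embodiment, the request that disables rules is the one to authenticate, since that path turns detection off.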
  • FIG. 8 is a block diagram for carrying out the third embodiment of the present invention, and describes the internal configuration of terminal 1 and terminal 2 of the present example.
  • The terminal 1 includes an external communication request detection unit 1a, a port/detection rule database 14, a detection rule configuration change unit 15, a detection rule database 16, and an IDS 17.
  • The terminal 2 includes an application 21 and a socket 22.
  • The external communication request detection unit 1a receives a communication start/completion request type and a port number from an external terminal, converts the port number into the corresponding intrusion detection rule numbers, and notifies the detection rule configuration change unit 15 of those rule numbers.
  • The application 21 is an application built into the terminal 2.
  • The socket 22 is a communication library such as the socket library commonly provided by a general OS. In addition to normal communication processing, the socket 22 notifies the external communication request detection unit 1a of the port number to be used when a standby or connection request is received.
  • The port/detection rule database 14, detection rule configuration change unit 15, detection rule database 16, and IDS 17 of terminal 1 are the same as in the first embodiment.
  • the overall operation of the present exemplary embodiment will be described in detail with reference to FIGS. 8 and 9.
  • FIG. 9 shows an operation sequence until an IDS configuration change is performed when an application is activated in the third embodiment of the present invention.
  • In step c1 the application 21 inputs the standby port number 80, calls the socket 22, and requests communication standby start/end processing.
  • In step c2 the socket 22 passes the port number 80 given as input, together with the request type, to the external communication request detection unit 1a of terminal 1.
  • In step c3 the external communication request detection unit 1a inquires of the port/detection rule database 14 about the unauthorized intrusion detection rule numbers, using the given port number 80 as input.
  • In step c4 the port/detection rule database 14 returns the intrusion detection rule numbers corresponding to the port number. If the contents of the table are as shown in FIG. 2, it returns the intrusion detection rule numbers 1 and 2 corresponding to port number 80 to the external communication request detection unit 1a.
  • In step c5 the external communication request detection unit 1a instructs the detection rule configuration change unit 15 to change the intrusion detection rules, using the returned rule numbers (here, 1 and 2) as the argument.
  • In step c6 the detection rule configuration change unit 15 transmits a configuration change completion notification to the socket 22.
  • In step c7 the socket 22 performs the standby start/end processing at port 80.
  • FIG. 10 is a block diagram for carrying out the fourth embodiment of the present invention.
  • The fourth embodiment is a development of the first embodiment for protocols such as RTP, in which the port number changes dynamically, so that various data formats such as audio and video can be handled.
  • FIG. 11 is an example of a conversion table of the protocol/detection rule database 1e that converts a protocol identifier into detection rule identifiers.
  • FIG. 12 shows an operation sequence until an IDS configuration change is performed when the application is activated in the fourth embodiment of the present invention.
  • In step d1 the telephone application 1b instructs the socket 1c to transmit communication permission data (for example, a 200 OK response of the SIP protocol) in order to start communication such as voice and video.
  • The communication permission data carries, for example, an SDP body; the SDP contains the type of audio and video protocol to be used and the standby port.
  • In step d2 the socket 1c receives the transmission instruction from the telephone application 1b, analyzes the SDP, and extracts the audio/video protocol identifier and the port number.
  • In step d3 the socket 1c delivers the protocol identifier and the port number extracted in step d2 to the communication request detection unit 1d.
  • In step d4 the communication request detection unit 1d searches the protocol/detection rule database 1e (see FIG. 11) using the protocol identifier as the key, in order to convert the protocol identifier delivered from the socket 1c into detection rules.
  • In step d5 the protocol/detection rule database 1e returns the detection rule numbers corresponding to the protocol identifier to the communication request detection unit 1d.
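Steps d2 to d5 hinge on parsing the SDP body of the SIP 200 OK: each m= line names a media type, the port the terminal will listen on, and the transport protocol, and the protocol is what the protocol/detection rule database keys on. The Python block below is an added example written for this page, not the patent's or NEC's code; the protocol-to-rule table, the rule numbers and the sample SDP are constructed, and the fail-closed handling of an unknown protocol is a design choice the patent does not specify.

```python
# Added illustration (not the patent's code): extracting media protocol and port
# from the SDP carried in a SIP 200 OK (step d2) and mapping each protocol to
# detection rule identifiers (steps d4 and d5). Database contents, rule numbers
# and the sample SDP are constructed for this example.
import re
from dataclasses import dataclass

# Stand-in for the protocol/detection rule database 1e (FIG. 11).
PROTOCOL_RULES = {"RTP/AVP": {10, 11}, "RTP/SAVP": {11}}

# SDP media description (RFC 4566): m=<media> <port>[/<count>] <proto> <fmt> ...
MEDIA_LINE = re.compile(
    r"^m=(?P<media>[A-Za-z0-9]+) (?P<port>\d+)(?:/(?P<count>\d+))? (?P<proto>\S+)(?: (?P<fmts>.+))?$"
)

# Constructed sample: audio on 49170 (RTP/AVP), video on 51372 (SRTP) and a
# rejected application stream (port 0).
SAMPLE_SDP = (
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 192.0.2.10\r\n"
    "s=-\r\n"
    "c=IN IP4 192.0.2.10\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0 8\r\n"
    "a=rtpmap:0 PCMU/8000\r\n"
    "m=video 51372 RTP/SAVP 96\r\n"
    "a=rtpmap:96 H264/90000\r\n"
    "m=application 0 udp wb\r\n"
)


@dataclass(frozen=True)
class MediaStream:
    media: str
    port: int
    proto: str


def parse_media_lines(sdp):
    """Step d2: pull (media, port, protocol) out of every m= line.

    Port 0 means the stream is rejected, so no standby port is opened for it.
    A "/n" port count expands to n ports, spaced by 2 for RTP (RTP and RTCP
    occupy adjacent ports) and by 1 otherwise, as RFC 4566 describes."""
    streams = []
    for raw in sdp.splitlines():
        line = raw.rstrip("\r")
        if not line.startswith("m="):
            continue
        m = MEDIA_LINE.match(line)
        if m is None:
            raise ValueError(f"malformed media line: {line!r}")
        port = int(m["port"])
        if port == 0:
            continue
        if not 1 <= port <= 65535:
            raise ValueError(f"port out of range: {port}")
        step = 2 if m["proto"].upper().startswith("RTP/") else 1
        for i in range(int(m["count"] or 1)):
            streams.append(MediaStream(m["media"], port + step * i, m["proto"]))
    return streams


def rules_for_sdp(sdp):
    """Steps d3 to d5: map each stream's protocol identifier to rule identifiers.

    Returns {port: rule_ids}. A protocol with no entry in the database raises
    rather than leaving the port unmonitored (fail-closed choice made for this
    example; the patent does not specify the behaviour)."""
    result = {}
    for s in parse_media_lines(sdp):
        if s.proto not in PROTOCOL_RULES:
            raise KeyError(f"no detection rules registered for {s.proto}")
        result[s.port] = set(PROTOCOL_RULES[s.proto])
    return result


if __name__ == "__main__":
    print(rules_for_sdp(SAMPLE_SDP))  # {49170: {10, 11}, 51372: {11}}
```

The port/rule map this returns is what the communication request detection unit 1d would hand to the detection rule configuration change unit 15, one entry per media port, so the rules for a rejected stream (port 0) are never enabled and the rules for an unrecognised transport are never silently skipped.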
  • Examples of utilization of the present invention include devices having an input operation unit, such as a computer, a portable information terminal, and a mobile phone.
  • The network intrusion detection device according to the present invention can be applied to such communication devices.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The invention provides a mechanism for optimizing an unauthorized intrusion detection rule according to the communication request processing of an application program or an internal state of a terminal such as the start/end of an application. To realize this mechanism, the communication device comprises: a mechanism for detecting the internal state of the terminal and automatically deciding the unauthorized intrusion detection rule; and a mechanism for enabling only the necessary detection rule.
PCT/JP2007/070254 2006-10-26 2007-10-17 Communication device, communication method and communication program WO2008050651A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
JP2006-290906 2006-10-26
JP2006290906A JP2010033100A (ja) 2006-10-26 2006-10-26 Communication device and network intrusion detection device

Publications (1)

Publication Number Publication Date
WO2008050651A1 true WO2008050651A1 (fr) 2008-05-02

Family

ID=39324450

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2007/070254 WO2008050651A1 (fr) 2006-10-26 2007-10-17 Communication device, communication method and communication program

Country Status (2)

Country Link
JP (1) JP2010033100A (fr)
WO (1) WO2008050651A1 (fr)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP5655185B2 (ja) * 2011-06-28 2015-01-21 日本電信電話株式会社 Malware-infected terminal detection device, malware-infected terminal detection method and malware-infected terminal detection program
JP7471532B2 (ja) 2021-10-08 2024-04-19 三菱電機株式会社 Control device

Patent Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2003092603A (ja) * 2001-09-17 2003-03-28 Toshiba Corp Network intrusion detection system, device and program

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
TAKASHI HORIE, TOSHIHARU HARADA, KAZUO TANAKA: "Adaptive Access Policy for the Linux Kernel", PROCEEDINGS OF THE 2005 SYMPOSIUM ON APPLICATIONS AND THE INTERNET (SAINT'05), IEEE, February 2005 (2005-02-01), pages 82 - 88 *

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2009139170A1 (fr) * 2008-05-16 2009-11-19 パナソニック株式会社 Attack packet detector, attack packet detection method, image receiver, content storage device and IP communication device
JP2012104088A (ja) * 2010-11-09 2012-05-31 Shijin Kogyo Sakushinkai Information security protection host
US8458785B2 (en) 2010-11-09 2013-06-04 Institute For Information Industry Information security protection host
US11991206B2 (en) 2018-05-22 2024-05-21 Mitsubishi Electric Corporation Installation location selection assistance apparatus, installation location selection assistance method, and computer readable medium

Also Published As

Publication number Publication date
JP2010033100A (ja) 2010-02-12

Similar Documents

Publication Publication Date Title
JP4499161B2 (ja) Method, system and device for realizing data service security in a mobile communication system
US8713665B2 (en) Systems, methods, and media for firewall control via remote system information
JP4087428B2 (ja) Data processing system
JP4327698B2 (ja) Network-type virus activity detection program, processing method and system
US20080060074A1 (en) Intrusion detection system, intrusion detection method, and communication apparatus using the same
WO2007116605A1 (fr) Communication terminal, rule distribution apparatus and program
US20090119745A1 (en) System and method for preventing private information from leaking out through access context analysis in personal mobile terminal
WO2010003317A1 (fr) Device, method and system for preventing web page tampering
WO2008050651A1 (fr) Communication device, communication method and communication program
WO2021112494A1 (fr) System and method for endpoint-based management type detection and response
US20040128545A1 (en) Host controlled dynamic firewall system
JP2019152912A (ja) Unauthorized communication countermeasure system and method
EP2141885B1 (fr) Firewall integrated in a telecommunications endpoint
JP4254290B2 (ja) Peripheral device driver proxy installation program, device and method
WO2009087382A1 (fr) Automatic proxy server detection and traversal
WO2010117155A9 (fr) System-on-chip malicious code detector for mobile devices
Müller Evaluating the Security and Resilience of Typical off the Shelf CoAP IoT Devices: Assessing CoAP and Wi-Fi vulnerabilities
JP4619280B2 (ja) Communication terminal
KR20080017046A (ko) Data processing system
JP2001268261A (ja) Method of providing a data communication service using a mobile network, mobile device receiving the data communication service using a mobile network, and external device
US20070226486A1 (en) Telnet security system and operation method thereof
KR20230053129A (ko) Method and apparatus for controlling a security scanning engine using a security interface
US8453230B2 (en) Communicating apparatus for performing communication over IP network by using SIP, controlling method therefor, and program
JP4638513B2 (ja) Communication control device and communication control method
CN115834184A (zh) Security detection method, system, electronic device and storage medium for container traffic

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 07829988

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 07829988

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: JP