WO2011152052A1 - Communication control device and packet filtering method - Google Patents
- Publication number: WO2011152052A1 (application PCT/JP2011/003097)
- Authority: WO, WIPO (PCT)
- Prior art keywords: packet, condition information, condition, control unit, communication
Classifications
- H04L63/0236: Filtering by address, protocol, port number or service, e.g. IP-address or URL (under H04L63/00 Network architectures or network communication protocols for network security; H04L63/02 separating internal from external traffic, e.g. firewalls; H04L63/0227 Filtering policies)
- H04L63/0245: Filtering by information in the payload (same parent group H04L63/0227)
- H04L63/0263: Rule management (same parent group H04L63/0227)
- H04L12/6418: Hybrid transport (under H04L12/00 Data switching networks; H04L12/64 Hybrid switching systems)
- H04L12/66: Arrangements for connecting between networks having differing types of switching systems, e.g. gateways (under H04L12/00 Data switching networks)
Definitions
- the present invention relates to a communication control apparatus and a packet filtering method for avoiding attacks on a system from a network, such as a DoS attack (Denial of Service attack).
- DoS attack: Denial of Service attack
- ICMP: Internet Control Message Protocol
- the first method is to avoid the attack by learning the contents of the DoS attack patterns in advance and discarding packets that match a DoS attack pattern.
- This method is used in, for example, anti-virus software used for ensuring security on a PC (Personal Computers) or the like.
- the second method is to selectively receive only the packets that the device uses for communication.
- a MAC address filtering function mounted on a conventional MAC corresponds to this method.
- the MAC address filtering function secures the receiving device by registering the unicast MAC address of the peer device in the receiving device so that packets other than those transmitted from that peer are not received.
- the DoS attack technique evolves day by day, and attacks of various patterns appear. Therefore, in the method that learns the DoS attack patterns in advance, the attack patterns must be updated as needed.
- Examples of such communication devices include home appliances such as televisions and hard disk recorders, for example televisions having a function of acquiring and playing back multimedia contents via the Internet.
- a television having such a network function executes only the communication programs installed at the time of factory shipment; no communication program is subsequently added or deleted.
- the types of packets used by the television are therefore only the types specified in advance. That is, in principle, if only the patterns of the specified packet types are registered as conditions for passing the filter, the DoS attack can be avoided.
- packet filtering is generally performed by hardware such as a LAN (local area network) controller (not shown) so as not to affect the main processing (for example, channel selection and broadcast data decoding in a television). This prevents the load of packet filtering from being placed on the CPU (Central Processing Unit) that executes the main processing.
- CPU: Central Processing Unit
- in view of the conventional problems described above, an object of the present invention is to provide a communication control apparatus that has a packet filtering function allowing only packets corresponding to registered conditions to pass, and that performs packet filtering accurately without increasing the capacity of the memory for storing the conditions.
- a communication control device according to the present invention is connected to a network and executes one or more communication application programs. It includes: a first control unit; a first memory that stores packets to be processed by the one or more communication application programs; a storage unit that stores first condition information indicating N + 1 or more conditions (N is an integer of 1 or more) for specifying packets to be stored in the first memory; and a network communication unit that selectively transfers received packets to the first memory. The network communication unit includes a receiving unit that receives packets transmitted through the network,
- a second memory that stores second condition information in which up to N of the N + 1 or more conditions are registered, and a second control unit that performs a filtering process, that is, transfers to the first memory those received packets that satisfy a condition registered in the second condition information. The first control unit updates the second condition information using at least one of the N + 1 or more conditions indicated in the first condition information.
- the first control unit can thus change over time the combination of conditions stored in the second memory that the second control unit refers to. Thereby, all of the conditions necessary for specifying the packets to be transferred to the first memory are used for packet filtering.
- the second condition information is updated even during a period in which the first condition information itself is not updated by addition or deletion of conditions (a period in which the N + 1 or more conditions are maintained as they are).
- all of the N + 1 or more conditions can be used as conditions actually used for the filter processing within a predetermined period.
- the communication control device thus has a packet filtering function that allows only packets corresponding to the registered conditions to pass, and packet filtering is performed accurately without increasing the capacity of the memory (second memory) that stores the conditions.
- when the first control unit updates the second condition information, it may read from the first condition information an unregistered condition, that is, one of the N + 1 or more conditions indicated in the first condition information that is not registered in the second condition information at the time of the update, and register that unregistered condition in the second condition information by replacing one of the conditions indicated in the second condition information with it.
- the first control unit may repeatedly update the second condition information.
- since the first control unit repeatedly updates the second condition information, each of the N + 1 or more conditions indicated in the first condition information may be registered in the second condition information in a predetermined order.
- since the first control unit has only to read the conditions from the first condition information in a predetermined order in the update process of the second condition information, the update process is executed efficiently, for example. Further, all of the conditions for specifying the packets required by the communication control device are surely and equally registered in the second condition information.
- when the first control unit updates the second condition information and there are a plurality of unregistered conditions, the first control unit may read from the first condition information the one of the plurality of unregistered conditions that has not been registered in the second condition information for the longest period.
- the unregistered conditions are thus registered in the second condition information in order, starting from the one that has been unregistered for the longest period. Therefore, for example, all of the conditions for specifying the packets required by the communication control device are surely and equally registered in the second condition information.
- the first condition information may further include priority information indicating a priority of each condition indicated in the first condition information, and when the first control unit updates the second condition information and there are a plurality of unregistered conditions, it may identify the unregistered condition with the highest priority among them by referring to the priority information and read the identified unregistered condition from the first condition information.
- an unregistered condition having a high priority is thereby reliably identified among the plurality of unregistered conditions and registered in the second condition information. For this reason, for example, processing of high-priority packets is executed more efficiently.
- when the first control unit updates the second condition information, it may identify, among the N conditions indicated in the second condition information, the condition whose registration time in the second condition information is the earliest, and replace the identified condition with the unregistered condition read from the first condition information.
- when the second condition information is updated, the condition that has been continuously registered in it for the longest period at that time is replaced with the unregistered condition. Therefore, for example, a bias in the conditions indicated by the second condition information is prevented.
- each of the N + 1 or more conditions may be associated with one of the one or more communication application programs, and the first control unit may further update the first condition information by adding the condition corresponding to a communication application program to be executed to the first condition information.
- the first condition information, which is the supplier of conditions to the second condition information, is thus updated according to the activation status of the communication application programs.
- the second condition information is thereby maintained in a state where only the conditions actually necessary at the time are registered. Therefore, for example, the efficiency of processing related to packet filtering is further improved.
- the first control unit may further delete the condition corresponding to a communication application program from the first condition information when execution of that communication application program is completed.
- an unnecessary condition is thus surely deleted from the first condition information when it becomes unnecessary. Therefore, for example, the efficiency of processing related to packet filtering is further improved.
- the present invention can also be realized as a packet filtering method including a characteristic process executed by the communication control apparatus according to any one of the above aspects.
- the present invention can be realized as a program for causing a computer to execute each process included in the packet filtering method and as a recording medium on which the program is recorded.
- the program can be distributed via a transmission medium such as the Internet or a recording medium such as a DVD.
- the present invention can also be realized as an integrated circuit including characteristic components of the communication control device according to any one of the above aspects.
- the present invention can thus provide a communication control apparatus that has a packet filtering function allowing only packets that meet registered conditions to pass, and that performs packet filtering accurately without increasing the capacity of the memory that stores the conditions.
- the system including the communication control device is therefore not destroyed by the DoS attack, and only the packets required by the device are received using a limited memory capacity.
- FIG. 1 is a diagram showing a main hardware configuration of a communication control apparatus according to an embodiment of the present invention.
- FIG. 2 is a block diagram showing a main functional configuration of the communication control apparatus according to the embodiment of the present invention.
- FIG. 3 is a diagram illustrating an example of a data configuration of the passing packet table according to the embodiment of the present invention.
- FIG. 4 is a block diagram showing a main functional configuration of the control unit in the embodiment of the present invention.
- FIG. 5 is a diagram illustrating an example of a data configuration of the device use packet table according to the embodiment of the present invention.
- FIG. 6A is a flowchart showing a basic processing flow executed by the communication control apparatus according to the embodiment of the present invention.
- FIG. 6B is a flowchart showing a flow of a series of processing when the control unit performs update control in the embodiment of the present invention.
- FIG. 7 is a diagram showing an example of transition of the contents of each table when the processing flow shown in FIG. 6B is executed.
- FIG. 8 is a diagram illustrating a correspondence example between a packet pattern registered in the device usage packet table and a communication program in the embodiment of the present invention.
- FIG. 9A is a diagram illustrating a first example of an updated device usage packet table according to the embodiment of the present invention.
- FIG. 9B is a diagram showing a second example of the updated device usage packet table according to the embodiment of the present invention.
- FIG. 1 is a diagram showing a main hardware configuration of a communication control apparatus 100 according to an embodiment of the present invention.
- the communication control device 100 is connected to a LAN 101 that is a wired or wireless communication network, and can communicate with an external device via the LAN 101.
- the communication control apparatus 100 includes a network interface 102, a first memory 103, a CPU 104, and a hard disk drive (HDD) 105.
- the network interface 102 is an example of a network communication unit in the communication control apparatus of the present invention.
- the network interface 102 is hardware that receives data transmitted from an external device via the LAN 101.
- the network interface 102 has a memory structure such as FIFO and descriptor ring, and can receive a plurality of packets.
- the first memory 103 is a memory for storing packets used by the communication control device 100 among packets received from the LAN 101.
- the packet stored in the first memory 103 is read and processed during execution of the communication program stored in the HDD 105.
- the communication control apparatus 100 communicates with an external device.
- the HDD 105 is an example of a storage unit in the communication control device of the present invention, and is a storage device that stores a device use packet table in which a packet pattern used by the communication control device 100 is recorded.
- the HDD 105 also stores a communication control layer and one or more communication programs executed by the communication control apparatus 100.
- the device use packet table will be described later with reference to FIG.
- the storage unit in the communication control apparatus of the present invention only needs to be able to store information such as the device use packet table, and may be realized by a kind of non-volatile storage medium different from the HDD, such as an EEPROM (Electrically Erasable and Programmable Read Only Memory).
- EEPROM: Electrically Erasable and Programmable Read Only Memory
- the communication program and the device use packet table may be stored in different storage devices.
- the communication control device 100 is realized as a device that is incorporated in a home appliance such as a television, for example, and that transmits and receives data via a wired or wireless network by executing a communication program.
- FIG. 2 is a block diagram showing a main functional configuration of the communication control apparatus 100.
- the network interface 102 includes a packet receiving unit 201, a second control unit 210, and a second memory 200.
- the second control unit 210 includes a comparison unit 202 and a transfer unit 204.
- the packet receiving unit 201 receives a packet transmitted from the LAN 101.
- the second control unit 210 performs a filtering process, that is, transfers to the first memory 103 those packets among the packets received by the packet receiving unit 201 that satisfy the conditions registered in the passing packet table 205 stored in the second memory 200.
- the filtering process is executed by the comparison unit 202 and the transfer unit 204 performing the following processing.
- the comparing unit 202 compares each packet received by the packet receiving unit 201 (hereinafter, also simply referred to as “received packet”) with a condition for transfer to the first memory 103.
- the comparison unit 202 compares each received packet with N packet patterns (N is an integer equal to or greater than 1) indicated in the passing packet table 205 stored in the second memory 200.
- the comparison unit 202 has a discard unit 203.
- the discarding unit 203 discards a received packet that is determined not to correspond to any of the N packet patterns, that is, a received packet determined not to be transferred to the first memory 103, before it is transferred to the first memory 103.
- the second control unit 210 may determine whether or not the received packet corresponds to one of N packet patterns by a process other than the comparison process. For example, the second control unit 210 may make the determination by substituting information such as a transmission source address acquired from the received packet into a predetermined function including information indicating N packet patterns.
- a received packet determined not to be transferred to the first memory 103 need only not be transferred from the network interface 102 to the first memory 103; its handling may be other than discarding.
- for example, such a packet may be stored in a predetermined storage device for analysis of attack patterns.
- the transfer unit 204 transfers the received packet to the first memory 103 when the received packet corresponds to any one of N packet patterns as a result of the comparison by the comparing unit 202. As a result, the received packet is stored in the first memory 103.
- the second memory 200 is a memory for storing the passing packet table 205 as described above.
- the passing packet table 205 is a table in which conditions for specifying packets to be received by the communication control apparatus 100 are registered. A data configuration example of the passing packet table 205 will be described later with reference to FIG.
- the first control unit 206 updates the passing packet table 205. Specifically, the first control unit 206 can newly register a pattern of a packet to be transferred to the first memory 103 and can delete an already registered pattern.
- for this update, the packet patterns registered in the device use packet table 405 stored in the HDD 105 are used.
- the update process by the first control unit 206 and the filter process by the second control unit 210 are realized, for example, by the CPU 104 executing a control program (not shown) stored in the HDD 105.
- the execution unit 207 is a processing unit that executes one or more communication programs stored in the HDD 105, and is realized by the CPU 104, for example.
- the execution unit 207 reads and processes the packet stored in the first memory 103 by executing the communication program.
- the second memory 200 in which the passing packet table 205 is stored is realized by a memory in the network interface 102 configured by hardware.
- the maximum number of patterns that can be registered in such a memory is about several tens to several hundreds, which is very small compared to the number of packet patterns that should be received by a device including the network interface card.
- a packet not required by the communication control apparatus 100 can therefore be recognized as a DoS attack packet (hereinafter referred to as an “attack packet”) in the network interface 102 configured as hardware. A packet recognized as an attack packet can be discarded before being transferred to the first memory 103. As a result, the bus usage rate due to data transfer is reduced, and the processing load on the CPU 104 caused by unnecessary data transfer is suppressed.
- FIG. 3 is a diagram illustrating an example of a data configuration of the passing packet table 205.
- the passing packet table 205 is an example of second condition information in the communication control apparatus of the present invention, and is a table that can register up to N conditions among the N + 1 or more conditions shown in the device usage packet table 405.
- the “condition” is a packet pattern composed of one or more pieces of attribute information of the packet.
- N is an example for clarifying the description of the embodiment, and is not limited to a specific number.
- the comparison unit 202 compares the received packet with the information shown in the passing packet table 205. As a result of the comparison, when the received packet matches any packet pattern shown in the passing packet table 205, the comparison unit 202 transfers the packet to the first memory 103 via the transfer unit 204. If they do not match, the discard unit 203 discards the received packet.
- each packet pattern registered in the passing packet table 205 is, as shown in FIG., a combination of the source MAC address indicated in the Ethernet frame header, the source IP address indicated in the IP header, the protocol type, and the destination port indicated in the TCP header or UDP header.
- the information constituting the packet pattern is not limited to these header information, and may be information included in other fields in the header of the packet. Further, the information is not limited to the header information, and information may be acquired from the data portion of various protocols and registered in the passing packet table 205 as information indicating a packet pattern to be passed. That is, information other than the header information may be used for the comparison process by the comparison unit 202.
- FIG. 4 is a block diagram showing the main functional configuration of the first control unit 206.
- the first control unit 206 includes an entry number acquisition unit 401, a table update unit 402, an update control unit 403, and a timer 404.
- the entry number acquisition unit 401 acquires the total number of entries in the passing packet table 205.
- the table updating unit 402 registers packet patterns in the passing packet table 205 and deletes packet patterns from the passing packet table 205.
- the update control unit 403 identifies a packet pattern to be added to the passing packet table 205 from the device use packet table 405 and causes the table update unit 402 to register the packet pattern. Further, the update control unit 403 identifies a packet pattern to be deleted along with this registration, and causes the table update unit 402 to delete it. That is, the update control unit 403 can cause the table update unit 402 to perform packet pattern replacement.
- the timer 404 notifies the update control unit 403 of the update timing.
- in the device use packet table 405, all packet patterns used by the communication control apparatus 100 are recorded. That is, packet patterns for specifying all packets to be transferred from the network interface 102 to the first memory 103 are recorded in the device use packet table 405.
- in the device use packet table 405, for example, the patterns of the packets used by the communication control device 100 at the time of factory shipment are recorded.
- the pattern of the packet used by the device may be updated according to the activation status of the communication program in the communication control apparatus 100. Such update of the device use packet table 405 will be described later with reference to FIG.
- the timer 404 notifies the update control unit 403 of timing (update timing) to be updated at regular intervals.
- the timer 404 has a function of notifying the update control unit 403 of the update timing at regular intervals such as every 10 ms or every 100 ms.
- the update control unit 403 acquires the total number of entries in the passing packet table 205 via the entry number acquisition unit 401 when the communication program is started. Further, the update control unit 403 reads packet patterns corresponding to the total number of entries from the device use packet table 405. The read packet pattern is registered in the passing packet table 205 by the table updating unit 402.
- the timer 404 notifies the update control unit 403 to perform the update 100 ms after the first registration.
- the update control unit 403 acquires a packet pattern not registered in the passing packet table 205 from the device use packet table 405 and replaces it with a pattern already registered in the passing packet table 205. In this way, the passing packet table 205 is updated.
- FIG. 5 is a diagram illustrating an example of a data configuration of the device use packet table 405.
- the device use packet table 405 is an example of first condition information in the communication control apparatus 100 of the present invention, and is a table indicating N + 1 or more conditions for specifying a packet to be stored in the first memory 103. That is, it is a table in which conditions for specifying a packet required by the communication control apparatus 100 are recorded.
- the number of patterns “4” is an example for clarifying the description of the embodiment, and is not limited to a specific number.
- Each entry has “registration pattern”, “registration order”, and “registering flag” as data items. Each entry is given an entry number.
- “Registration pattern” is an item indicating a packet pattern to be registered in the passing packet table 205.
- “Registration order” is an item indicating the order in which the packet pattern of the entry is registered in the passing packet table 205.
- “Registering flag” is an item for identifying whether or not the packet pattern of the entry is registered in the passing packet table 205.
- although only “pattern 1” and the like are shown, as the “registration pattern”, information having the same data configuration as the “pattern” in the passing packet table 205 shown in FIG. 3 is registered.
- “Registration order” is an item indicating a numerical value to be counted up in order, and the order in which the update control unit 403 registers the pattern of the entry in the passing packet table 205 is recorded. For example, in the example shown in FIG. 5, it is shown that the registration pattern of entry number “1”, the registration pattern of entry number “2”, and the registration pattern of entry number “3” are registered in the passing packet table 205 in this order.
- “Registering flag” is an item used to identify whether or not the registration pattern of the entry is being registered in the passing packet table 205. Specifically, an entry that is being registered in the passing packet table 205 is recorded as “registered”, and an entry that is not registered in the passing packet table 205 is recorded as “not registered”.
- the update control unit 403 can search for an entry to be updated next from the registration order and the registering flag shown in the device use packet table 405.
- an entry whose registering flag is “registered” and whose registration order value is smaller was registered in the passing packet table 205 earlier.
- the entry with the smallest such value is therefore the one that has been registered in the passing packet table 205 the longest, so the packet pattern shown in that entry can be determined to be the replacement target with priority.
- an entry whose registering flag is “not registered” and whose registration order value is smaller has had a longer non-registration period in the passing packet table 205. In other words, the longest period has elapsed since that entry was deleted from the passing packet table 205. Therefore, the packet pattern indicated in that entry can be determined to be the registration target with priority.
- FIG. 6A is a flowchart showing a basic processing flow executed by the communication control apparatus 100 according to the embodiment of the present invention.
- the first control unit 206 updates the passing packet table 205 using the information shown in the device usage packet table 405 (S100).
- the second control unit 210 performs a filtering process on the packet received by the packet receiving unit 201 based on the conditions registered in the updated passing packet table 205 (S110). Specifically, the following processing is performed by the comparison unit 202 and the transfer unit 204.
- the comparison unit 202 compares the received packet with the packet patterns shown in the passing packet table 205 after it has been updated by the first control unit 206. As a result, it is determined whether or not the received packet satisfies the conditions shown in the updated passing packet table 205 (S110).
- when the received packet satisfies the conditions, it is transferred to and stored in the first memory 103 by the transfer unit 204 (S120).
- when it does not, the received packet is discarded by the discarding unit 203 in the present embodiment.
- FIG. 6B is a flowchart showing a flow of a series of processes when the first control unit 206 performs update control.
- the update control unit 403 included in the first control unit 206 initializes the device use packet table 405 at an initial time such as when the communication program is started (S601). In the initial state, since the passing packet table 205 is unused, the update control unit 403, via the table update unit 402, sets the registration order of each entry in the device use packet table 405 to “0” and sets the registering flag to “not registered”. As a result, the device use packet table 405 is initialized.
- the update control unit 403 determines whether the number of entries M registered in the device usage packet table 405 is greater than the maximum number of entries N that can be registered in the passing packet table 205 (S604).
- the update control unit 403 determines that all entries registered in the device use packet table 405 can be registered in the passing packet table 205. As a result, the update control unit 403 registers the packet patterns of all entries shown in the device usage packet table 405 in the passing packet table 205 (S605), and ends the process related to updating the passing packet table 205.
- the update control unit 403 performs update processing for sequentially rewriting the contents of the passing packet table 205. Specifically, the following processing is performed.
- the update control unit 403 registers N that can be registered in the passing packet table 205 from the number M of entries registered in the device usage packet table 405 (S606).
- the update control unit 403 extracts, for example, three entries corresponding to pattern 1 to pattern 3 from the four entries in the device usage packet table 405.
- the update control unit 403 controls the table update unit 402 to register the extracted three packet patterns in the passing packet table 205.
- The update control unit 403 updates the registration order and the registration flag of the three entries in the device usage packet table 405 that were registered in the process of S606 (S607). Specifically, the update control unit 403 assigns the numerical values 1 to 3 as the registration order of the corresponding three entries, and updates their registration flag to “registered”. As a result, the device use packet table 405 has the contents shown in FIG.
- the update control unit 403 determines whether a certain time has elapsed (S608). Specifically, the update control unit 403 determines whether or not a notification is generated from the timer 404. If not (No in S608), the update control unit 403 returns to S608 and waits until a notification is generated.
- the update control unit 403 acquires an entry whose registration flag is “unregistered” from the device use packet table 405 (S609). In the case of this example, the update control unit 403 acquires an entry corresponding to pattern 4 in the device usage packet table 405.
- The update control unit 403 further acquires the entries whose registration flag is “registered” from the device use packet table 405 (S610). Specifically, since the entries corresponding to pattern 1 to pattern 3 in the device usage packet table 405 are “registered”, the update control unit 403 acquires these three entries.
- the update control unit 403 identifies the pattern to be changed from the entries acquired in S609 and S610 (S611).
- the update control unit 403 specifies the entry with the smallest numerical value in the registration order from the three entries acquired in S610.
- the pattern 1 of the passing packet table 205 is specified as a pattern to be replaced with the pattern 4 acquired in S609.
- the update control unit 403 controls the table update unit 402 to register the unregistered pattern acquired in S609 in the passing packet table 205 (S612). Specifically, the table update unit 402 replaces the contents of pattern 1 in the passing packet table 205 with the contents of pattern 4 shown in the device usage packet table 405.
- The update control unit 403 returns to S607 and updates the registration order and the registration flag of the entries in the device use packet table 405. Specifically, the update control unit 403 changes the registration flag of the pattern 1 entry from “registered” to “not registered”, and the registration flag of pattern 4 from “not registered” to “registered”. The update control unit 403 also updates the registration order of each entry to the latest value; that is, at this point “4” is recorded in the device usage packet table 405 as the registration order of pattern 4.
- FIG. 7 is a diagram showing an example of transition of the contents of each table when the processing flow shown in FIG. 6B is executed.
- the notification timing of the timer 404 is assumed to be 100 ms.
- At each update, the pattern with the earliest registration time among the three patterns held in the passing packet table 205 is replaced with a pattern that is not registered in the passing packet table 205 at the time of that update.
- An attack packet that does not correspond to any packet pattern shown in the passing packet table 205 cannot pass through the network interface 102, and the communication control apparatus 100 is protected from the DoS attack.
- Suppose that the number of patterns registered in the device usage packet table 405 exceeds the maximum number of entries N that can be registered in the passing packet table 205 by two or more.
- When there are a plurality of unregistered patterns, the first control unit 206 identifies, for example, the unregistered pattern with the longest period since it was deleted from the passing packet table 205 in the past. In short, the first control unit 206 identifies the unregistered pattern that has gone unused for packet filtering for the longest period.
- the first control unit 206 further reads the specified unregistered pattern from the device use packet table 405 and replaces it with the packet pattern having the longest period registered in the passing packet table 205.
- Each of the plurality of packet patterns registered in the device use packet table 405 is thereby registered in the passing packet table 205 sequentially, reliably and equally.
- Both the period since deletion from the passing packet table 205 and the period registered in the passing packet table 205 can be determined by comparing the registration-order values of the packet patterns.
- The update control unit 403 may instead record, in the device use packet table 405, the time each of the plurality of packet patterns was last registered in the passing packet table 205 and the time it was last deleted from the passing packet table 205.
- the passage packet table 205 may not be updated every predetermined time (in the example shown in FIG. 7, every 100 ms). That is, the update interval of the passing packet table 205 may not be constant. The update of the passing packet table 205 may be repeated so that all packet patterns necessary for packet filtering appear in the passing packet table 205.
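The update procedure of FIG. 6B and the FIG. 7 transition it produces, as an added C example that is not part of the patent (the patent describes a hardware table, not code): a device use packet table of M entries is time-shared into a passing packet table of N = 3 entries, and every timer notification swaps the unregistered pattern with the smallest registration-order value (longest since deletion) for the registered pattern with the smallest registration-order value (registered earliest). The pattern fields (protocol and destination port), the four sample patterns, the function names, M_MAX and N = 3 are constructed assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define N_PASS 3   /* max entries N of passing packet table 205 (assumed N = 3) */
#define M_MAX  16  /* capacity of device use packet table 405 (assumed) */

typedef struct {             /* constructed packet pattern: protocol + destination port */
    uint8_t  proto;          /* 6 = TCP, 17 = UDP */
    uint16_t dst_port;
} Pattern;

typedef struct {             /* one entry of device use packet table 405 */
    int      id;             /* pattern number: pattern 1, pattern 2, ... */
    Pattern  pat;
    int      registered;     /* registration flag, 1 = "registered" */
    unsigned reg_order;      /* registration order, 0 = never registered */
} DevEntry;

typedef struct {
    DevEntry dev[M_MAX];     /* device use packet table 405 (M entries) */
    int      m;
    Pattern  pass[N_PASS];   /* passing packet table 205 (what the interface compares) */
    int      pass_id[N_PASS];/* pattern number held by each slot, 0 = empty */
    unsigned order_counter;  /* source of registration-order values */
} Filter;

/* S601: load the patterns; every entry starts "not registered" with order 0. */
static void filter_init(Filter *f, const DevEntry *patterns, int m) {
    memset(f, 0, sizeof *f);
    f->m = m > M_MAX ? M_MAX : m;
    for (int i = 0; i < f->m; i++) {
        f->dev[i].id  = patterns[i].id;
        f->dev[i].pat = patterns[i].pat;
    }
}

/* S612 + S607: write entry i into a slot, flag it registered, stamp the order. */
static void put_slot(Filter *f, int slot, int i) {
    f->pass[slot]    = f->dev[i].pat;
    f->pass_id[slot] = f->dev[i].id;
    f->dev[i].registered = 1;
    f->dev[i].reg_order  = ++f->order_counter;
}

/* S604..S607: initial fill. If M <= N all entries fit (S605); otherwise only
 * the first N are registered (S606). Returns the number registered. */
static int filter_initial_fill(Filter *f) {
    int n = f->m > N_PASS ? N_PASS : f->m;
    for (int i = 0; i < n; i++) put_slot(f, i, i);
    return n;
}

/* S608..S612 for one timer notification. Returns the pattern number that left
 * the passing table, or 0 when nothing is unregistered (M <= N). */
static int filter_tick(Filter *f) {
    int in = -1, out = -1;
    for (int i = 0; i < f->m; i++) {
        DevEntry *e = &f->dev[i];
        /* S609: unregistered entry with the smallest order = longest since deletion */
        if (!e->registered && (in < 0 || e->reg_order < f->dev[in].reg_order)) in = i;
        /* S610/S611: registered entry with the smallest order = registered earliest */
        if (e->registered && (out < 0 || e->reg_order < f->dev[out].reg_order)) out = i;
    }
    if (in < 0 || out < 0) return 0;
    int slot = 0;
    for (int s = 0; s < N_PASS; s++) if (f->pass_id[s] == f->dev[out].id) slot = s;
    int replaced = f->dev[out].id;
    f->dev[out].registered = 0;   /* S607: flag -> "not registered"; its order value is kept */
    put_slot(f, slot, in);
    return replaced;
}

/* S110/S120: second control unit 210. 1 = transfer to first memory, 0 = discard. */
static int filter_accept(const Filter *f, uint8_t proto, uint16_t dst_port) {
    for (int s = 0; s < N_PASS; s++)
        if (f->pass_id[s] != 0 && f->pass[s].proto == proto && f->pass[s].dst_port == dst_port)
            return 1;
    return 0;
}

int main(void) {
    /* constructed sample: M = 4 patterns, N = 3 slots, as in FIG. 7 */
    DevEntry p[4] = { {1, {6, 80}, 0, 0}, {2, {6, 443}, 0, 0},
                      {3, {17, 53}, 0, 0}, {4, {17, 1900}, 0, 0} };
    Filter f;
    filter_init(&f, p, 4);
    filter_initial_fill(&f);
    for (int tick = 1; tick <= 4; tick++) {     /* four 100 ms notifications */
        int left = filter_tick(&f);
        printf("tick %d: pattern %d left, table = {%d, %d, %d}, UDP/1900 %s\n", tick, left,
               f.pass_id[0], f.pass_id[1], f.pass_id[2],
               filter_accept(&f, 17, 1900) ? "passes" : "discarded");
    }
    return 0;
}
```

With four patterns and three slots the ticks remove patterns 1, 2, 3, 4 in turn, so every pattern is absent for exactly one of every four update intervals; a packet matching none of the four is discarded at every tick, which is the DoS protection the text describes. Because the order value of an entry is kept when it is flagged "not registered", a never-registered entry (order 0) is always picked before one that was deleted.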
- The communication control apparatus 100 thus has a packet filtering function. Specifically, only received packets corresponding to a packet pattern registered in the passing packet table 205 pass through the network interface 102 and are stored in the first memory 103 as processing targets of the communication program. A received packet that does not correspond to any of these packet patterns is discarded as a DoS packet.
- The combination of packet patterns held in the passing packet table 205 is switched by time sharing, that is, by repeatedly updating the passing packet table 205.
- the procedure for updating the passing packet table 205 shown in FIG. 7 is an example, and the present invention is not limited to this procedure. For example, it is assumed that the maximum value that can be registered in the passing packet table 205 is 3 and the number of patterns registered in the device usage packet table 405 is 5 or more.
- the update control unit 403 may simultaneously replace two or more patterns among the three patterns registered in the passing packet table 205.
- The passing packet table 205 need only be updated so that each of the plurality of packet patterns corresponding to all of the essentially necessary types of received packets appears in the passing packet table 205 at some timing of the repeated updating.
- the priority of the packet pattern registered in the device usage packet table 405 may be determined in consideration of the activation frequency of the communication program corresponding to each packet pattern, the type of processing, and the like.
- a packet pattern corresponding to a communication program that is constantly activated or most frequently activated among a plurality of communication programs executed by the communication control apparatus 100 has a high priority.
- a packet pattern corresponding to a communication program for receiving and outputting an emergency broadcast informing information such as a disaster can be said to have a high priority.
- A packet pattern corresponding to a communication program that decodes and displays moving image stream data (that is, a packet pattern identifying the stream data) can be said to have a high priority from the viewpoint of smooth reproduction of moving images.
- Priority information (a numerical value or the like) indicating the priority determined according to the activation frequency of the communication program corresponding to each entry, or the type of processing it executes, is added to each entry of the device usage packet table 405.
- When updating the passing packet table 205, the first control unit 206 reads from the device use packet table 405 the packet pattern having the highest priority among the plurality of packet patterns not registered in the passing packet table 205. The first control unit 206 further replaces, for example, the packet pattern having the lowest priority in the passing packet table 205 with the read packet pattern.
- the packet pattern having a high priority is maintained in the state registered in the passing packet table 205 for a longer period than the packet pattern having a low priority.
- the device use packet table 405 that is the source of the packet pattern to the passing packet table 205 may be updated.
- FIG. 8 is a diagram showing an example of correspondence between packet patterns registered in the device usage packet table 405 and communication programs.
- patterns 1 to 4 correspond to communication programs [A] to [D], respectively.
- the received packet corresponding to the pattern 1 is a packet processed by [A].
- the device use packet table 405 may be updated according to the activation status of the communication program.
- FIG. 9A is a diagram illustrating a first example of the updated device usage packet table 405, and FIG. 9B is a diagram illustrating a second example of the updated device usage packet table 405.
- This registration is performed, for example, when the update control unit 403 registers patterns 1 and 3 in the device use packet table 405 according to instructions from the activated communication programs [A] and [C].
- The information indicating patterns 1 and 3 may be held by [A] and [C].
- The device use packet table 405 is stored in the HDD 105, but it may be stored elsewhere.
- the update control unit 403 registers the pattern 2 corresponding to [B] in the device use packet table 405.
- the pattern 2 is read from the device use packet table 405 and registered in the passing packet table 205.
- After this, for example, when the communication program [A] ends (that is, when execution of [A] finishes and [A] shifts to the non-started state), the update control unit 403 deletes pattern 1 from the device use packet table 405.
- the passing packet table 205 is updated as shown in FIG. As a result, each of the four packet patterns intermittently appears in the passing packet table 205.
- the maximum number N of entries that can be registered in the passing packet table 205 is 3 and the total number of packet patterns used for packet filtering is 10. Under this assumption, even if the activation status of each communication program is taken into consideration, for example, when the number of activated communication programs becomes 5, the passing packet table 205 needs to be updated.
- the passing packet table 205 may be updated according to the activation status of the communication program without updating the device use packet table 405.
- When the first control unit 206 updates the passing packet table 205, it confirms which communication programs are currently activated.
- The first control unit 206 further reads from the device use packet table 405 a packet pattern that corresponds to an activated communication program and is unregistered in the passing packet table 205 at the time of the update, and registers it in the passing packet table 205.
- The read unregistered pattern replaces either a packet pattern corresponding to a communication program that has not been started or the packet pattern with the longest period registered in the passing packet table 205.
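The priority-based update and the activation-driven maintenance of the device use packet table 405 described above (priority information per entry; a pattern added when its program starts and deleted when it ends), as one added C example that is not part of the patent. Programs [A] to [D], their patterns and priorities, N = 3, M_MAX and all function names are constructed assumptions. The replacement policy is the one the text gives: the highest-priority unregistered pattern goes into a slot freed by an ended program if there is one, otherwise it replaces the lowest-priority registered pattern, and equal priorities fall back to the registration order.

```c
#include <stdio.h>
#include <string.h>

#define N_PASS 3    /* max entries N of passing packet table 205 (assumed N = 3) */
#define M_MAX  16   /* capacity of device use packet table 405 (assumed) */

typedef struct {            /* one entry of device use packet table 405 */
    int      id;            /* pattern number, 0 = free entry */
    char     program;       /* owning communication program, 'A'..'D' */
    int      priority;      /* priority information: larger = higher priority */
    int      registered;    /* registration flag */
    unsigned reg_order;     /* registration order (update at which it was last registered) */
} DevEntry;

typedef struct {
    DevEntry dev[M_MAX];
    int      pass_id[N_PASS];   /* passing packet table 205 as pattern numbers, 0 = empty slot */
    unsigned counter;
} Tables;

static void tables_init(Tables *t) { memset(t, 0, sizeof *t); }

static int find_entry(const Tables *t, int id) {
    for (int i = 0; i < M_MAX; i++) if (t->dev[i].id == id) return i;
    return -1;
}

/* FIG. 9A/9B: when a program starts, its pattern is added to table 405. */
static int program_started(Tables *t, char program, int id, int priority) {
    int i = find_entry(t, 0);                       /* a free entry */
    if (id == 0 || i < 0 || find_entry(t, id) >= 0) return -1;
    t->dev[i] = (DevEntry){ id, program, priority, 0, 0 };
    return i;
}

/* When a program ends, its pattern is deleted from table 405; a slot of table
 * 205 still holding it is emptied so those packets are discarded from now on. */
static int program_ended(Tables *t, char program) {
    int removed = 0;
    for (int i = 0; i < M_MAX; i++) {
        if (t->dev[i].id == 0 || t->dev[i].program != program) continue;
        for (int s = 0; s < N_PASS; s++)
            if (t->pass_id[s] == t->dev[i].id) t->pass_id[s] = 0;
        memset(&t->dev[i], 0, sizeof t->dev[i]);
        removed++;
    }
    return removed;
}

/* One update of table 205: the highest-priority unregistered pattern (ties:
 * smallest registration order, i.e. longest since deletion) goes into an empty
 * slot, or else replaces the lowest-priority registered pattern (ties:
 * registered earliest). Returns the pattern number written, 0 if none. */
static int update_passing_table(Tables *t) {
    int in = -1, out = -1;
    for (int i = 0; i < M_MAX; i++) {
        const DevEntry *e = &t->dev[i];
        if (e->id == 0) continue;
        if (!e->registered) {
            if (in < 0 || e->priority > t->dev[in].priority ||
                (e->priority == t->dev[in].priority && e->reg_order < t->dev[in].reg_order))
                in = i;
        } else if (out < 0 || e->priority < t->dev[out].priority ||
                   (e->priority == t->dev[out].priority && e->reg_order < t->dev[out].reg_order)) {
            out = i;
        }
    }
    if (in < 0) return 0;
    int slot = -1;
    for (int s = 0; s < N_PASS && slot < 0; s++) if (t->pass_id[s] == 0) slot = s;
    if (slot < 0) {
        if (out < 0) return 0;                      /* full table always has N registered entries */
        for (int s = 0; s < N_PASS; s++) if (t->pass_id[s] == t->dev[out].id) slot = s;
        t->dev[out].registered = 0;
    }
    t->pass_id[slot] = t->dev[in].id;
    t->dev[in].registered = 1;
    t->dev[in].reg_order  = ++t->counter;
    return t->dev[in].id;
}

/* 1 if packets matching pattern id currently pass the network interface. */
static int is_passed(const Tables *t, int id) {
    for (int s = 0; s < N_PASS; s++) if (t->pass_id[s] == id) return 1;
    return 0;
}

int main(void) {
    Tables t;
    tables_init(&t);
    program_started(&t, 'A', 1, 3);   /* constructed: [A] has the highest priority */
    program_started(&t, 'C', 3, 1);
    program_started(&t, 'B', 2, 2);
    program_started(&t, 'D', 4, 1);
    for (int tick = 1; tick <= 5; tick++) {
        int in = update_passing_table(&t);
        printf("update %d: pattern %d registered, table = {%d, %d, %d}\n",
               tick, in, t.pass_id[0], t.pass_id[1], t.pass_id[2]);
    }
    program_ended(&t, 'A');
    printf("[A] ended, pattern 1 passes: %d\n", is_passed(&t, 1));
    return 0;
}
```

With these priorities the two priority-1 patterns (3 and 4) alternate in the third slot while patterns 1 and 2 stay registered, which is the "maintained for a longer period" behaviour of the text; when [A] ends, its slot is reused at the next update instead of evicting a registered pattern.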
- the network interface 102 is configured by hardware. That is, the communication control apparatus 100 performs packet filtering by hardware.
- the CPU 104 may perform packet filtering by referring to the passing packet table 205 stored in a predetermined storage medium.
- the CPU 104 may compare the received packet with a smaller number of packet patterns than the total number of packet patterns necessary for packet filtering. For this reason, more efficient packet filtering is executed than when all the packet patterns necessary for packet filtering are used for comparison.
- the communication control device has been described based on the embodiment.
- The present invention is not limited to these embodiments. Various modifications to the present embodiment conceived by those skilled in the art, and forms constructed by combining a plurality of the above-described constituent elements, are included within the scope of the present invention so long as they do not deviate from its gist.
- the present invention is useful as a communication device that transmits and receives information and a home appliance such as a television, and as a communication control device provided in the communication device and the home appliance.
- 100 Communication control device; 101 LAN; 102 Network interface; 103 First memory; 104 CPU; 105 HDD; 200 Second memory; 201 Packet receiving unit; 202 Comparison unit; 203 Discarding unit; 204 Transfer unit; 205 Passing packet table; 206 First control unit; 207 Execution unit; 210 Second control unit; 401 Number-of-entries acquisition unit; 402 Table update unit; 403 Update control unit; 404 Timer; 405 Device use packet table
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computer Security & Cryptography (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
Description
101 LAN
102 Network interface
103 First memory
104 CPU
105 HDD
200 Second memory
201 Packet receiving unit
202 Comparison unit
203 Discarding unit
204 Transfer unit
205 Passing packet table
206 First control unit
207 Execution unit
210 Second control unit
401 Number-of-entries acquisition unit
402 Table update unit
403 Update control unit
404 Timer
405 Device use packet table
Claims (10)
- A communication control device connected to a network and executing one or more communication application programs, the device comprising:
a first control unit;
a first memory that accumulates packets to be processed by the one or more communication application programs;
a storage unit that stores first condition information indicating N+1 or more conditions (N being an integer of 1 or more) for identifying packets to be accumulated in the first memory; and
a network communication unit that selectively transfers received packets to the first memory,
wherein the network communication unit includes:
a receiving unit that receives packets transmitted via the network;
a second memory that stores second condition information in which up to N of the N+1 or more conditions are registered; and
a second control unit that performs filter processing, which is processing for transferring, among the packets received by the receiving unit, packets that satisfy a condition registered in the second condition information to the first memory,
and wherein the first control unit updates the second condition information using at least one of the N+1 or more conditions indicated in the first condition information.
- The communication control device according to claim 1, wherein, when updating the second condition information, the first control unit reads from the first condition information an unregistered condition, that is, a condition among the N+1 or more conditions indicated in the first condition information which is not registered in the second condition information at the time of the update, and registers the unregistered condition in the second condition information by replacing one of the conditions indicated in the second condition information with the read unregistered condition.
- The communication control device according to claim 1 or 2, wherein the first control unit repeatedly updates the second condition information.
- The communication control device according to claim 1 or 2, wherein, by repeatedly updating the second condition information, the first control unit registers each of the N+1 or more conditions indicated in the first condition information in the second condition information in a predetermined order.
- The communication control device according to claim 2, wherein, when updating the second condition information and there are a plurality of unregistered conditions, the first control unit identifies, among the plurality of unregistered conditions, the unregistered condition with the longest period since it was last deleted from the second condition information, and reads the identified unregistered condition from the first condition information.
- The communication control device according to claim 2, wherein the first condition information further includes priority information indicating the priority of each condition indicated in the first condition information, and, when updating the second condition information and there are a plurality of unregistered conditions, the first control unit refers to the priority information to identify the unregistered condition with the highest priority among the plurality of unregistered conditions, and reads the identified unregistered condition from the first condition information.
- The communication control device according to claim 2, wherein, when updating the second condition information, the first control unit identifies, among the up to N conditions indicated in the second condition information, the condition that was registered in the second condition information earliest, and replaces the identified condition with the unregistered condition that the control unit read from the first condition information.
- The communication control device according to any one of claims 1 to 7, wherein each of the N+1 or more conditions is associated with one of the one or more communication application programs, and the first control unit further updates the first condition information by adding, when any of the one or more communication application programs is executed, the condition corresponding to the executed communication application program to the first condition information.
- The communication control device according to claim 8, wherein, when execution of the communication application program ends, the first control unit further deletes the condition corresponding to that communication application program from the first condition information.
- A packet filtering method in a communication control device that is connected to a network and executes one or more communication application programs, the communication control device comprising:
a first memory that stores packets to be processed by the one or more communication application programs;
a storage unit that stores first condition information indicating N+1 or more conditions (N being an integer of 1 or more) for identifying packets to be stored in the first memory; and
a network communication unit that selectively transfers received packets to the first memory,
the packet filtering method comprising:
a receiving step in which the network communication unit receives packets transmitted via the network;
an updating step of updating second condition information, which is stored in a second memory of the network communication unit and in which N of the N+1 or more conditions are registered, using at least one of the N+1 or more conditions indicated in the first condition information; and
a filtering step of performing filter processing, which is processing for transferring, among the packets received in the receiving step, packets that satisfy a condition registered in the second condition information updated in the updating step to the first memory.
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
JP2011535824A JP4861539B1 (ja) | 2010-06-02 | 2011-06-02 | Communication control device and packet filtering method |
US13/318,635 US20120311692A1 (en) | 2010-06-02 | 2011-06-02 | Communication contol apparatus and packet filtering method |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
JP2010-127366 | 2010-06-02 | ||
JP2010127366 | 2010-06-02 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2011152052A1 true WO2011152052A1 (ja) | 2011-12-08 |
Family
ID=45066443
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/JP2011/003097 WO2011152052A1 (ja) | 2010-06-02 | 2011-06-02 | Communication control device and packet filtering method |
Country Status (3)
Country | Link |
---|---|
US (1) | US20120311692A1 (ja) |
JP (1) | JP4861539B1 (ja) |
WO (1) | WO2011152052A1 (ja) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2015115794A (ja) * | 2013-12-12 | 2015-06-22 | 株式会社日立製作所 | Transfer device, transfer method, and transfer program |
Families Citing this family (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2013079999A1 (en) * | 2011-12-02 | 2013-06-06 | Canon Kabushiki Kaisha | Methods and devices for encoding and decoding messages |
US9032385B2 (en) | 2011-12-28 | 2015-05-12 | Lg Electronics Inc. | Mobile terminal and control method thereof |
JP2013161122A (ja) * | 2012-02-01 | 2013-08-19 | Canon Inc | Data processing device, information processing method, and program |
JP6112938B2 (ja) * | 2013-03-29 | 2017-04-12 | キヤノン株式会社 | Information processing device, control method thereof, and program |
JP5835291B2 (ja) * | 2013-09-05 | 2015-12-24 | コニカミノルタ株式会社 | Communication device, customization method thereof, and computer program |
US11159546B1 (en) * | 2021-04-20 | 2021-10-26 | Centripetal Networks, Inc. | Methods and systems for efficient threat context-aware packet filtering for network protection |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2000112852A (ja) * | 1998-10-06 | 2000-04-21 | Toshiba Corp | Mechanism for limiting the number of simultaneously used terminals in a communication system |
JP2002232453A (ja) * | 2001-02-02 | 2002-08-16 | Nec Corp | Internet protocol filtering device and internet protocol filtering method |
JP2005203941A (ja) * | 2004-01-14 | 2005-07-28 | Matsushita Electric Ind Co Ltd | Packet processing method, packet processing device, packet processing program, packet reception processing device, and packet reception system |
Family Cites Families (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6845499B2 (en) * | 2001-01-31 | 2005-01-18 | I2 Technologies Us, Inc. | System and method for developing software applications using an extended XML-based framework |
JP3794491B2 (ja) * | 2002-08-20 | 2006-07-05 | 日本電気株式会社 | Attack defense system and attack defense method |
WO2006090781A1 (ja) * | 2005-02-24 | 2006-08-31 | Nec Corporation | Filtering rule analysis method and system |
JP2006246302A (ja) * | 2005-03-07 | 2006-09-14 | Matsushita Electric Ind Co Ltd | Packet filter device, device using the same, and packet filter method |
JP5131563B2 (ja) * | 2007-02-21 | 2013-01-30 | 日本電気株式会社 | Computer, operation rule application method, and operating system |
JP5153480B2 (ja) * | 2008-06-27 | 2013-02-27 | 三菱電機株式会社 | Gateway device and packet filtering method |
CN102812675B (zh) * | 2010-02-04 | 2015-05-13 | 日本电信电话株式会社 | Packet transfer processing device and method |
- 2011
- 2011-06-02 WO PCT/JP2011/003097 patent/WO2011152052A1/ja active Application Filing
- 2011-06-02 US US13/318,635 patent/US20120311692A1/en not_active Abandoned
- 2011-06-02 JP JP2011535824A patent/JP4861539B1/ja not_active Expired - Fee Related
Patent Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2000112852A (ja) * | 1998-10-06 | 2000-04-21 | Toshiba Corp | Mechanism for limiting the number of simultaneously used terminals in a communication system |
JP2002232453A (ja) * | 2001-02-02 | 2002-08-16 | Nec Corp | Internet protocol filtering device and internet protocol filtering method |
JP2005203941A (ja) * | 2004-01-14 | 2005-07-28 | Matsushita Electric Ind Co Ltd | Packet processing method, packet processing device, packet processing program, packet reception processing device, and packet reception system |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2015115794A (ja) * | 2013-12-12 | 2015-06-22 | 株式会社日立製作所 | Transfer device, transfer method, and transfer program |
Also Published As
Publication number | Publication date |
---|---|
JP4861539B1 (ja) | 2012-01-25 |
US20120311692A1 (en) | 2012-12-06 |
JPWO2011152052A1 (ja) | 2013-07-25 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
JP4861539B1 (ja) | Communication control device and packet filtering method | |
JP4392294B2 (ja) | Communication statistics collection device | |
US9853988B2 (en) | Method and system for detecting threats using metadata vectors | |
US9118571B2 (en) | Methods of operating load balancing switches and controllers using matching patterns with unrestricted characters | |
CN102577275B (zh) | Relay control device, relay control system, and relay control method | |
US11057423B2 (en) | System for distributing virtual entity behavior profiling in cloud deployments | |
WO2009139170A1 (ja) | Attack packet detection device, attack packet detection method, video receiving device, content recording device, and IP communication device | |
US9059965B2 (en) | Method and system for enforcing security policies on network traffic | |
WO2019232071A1 (en) | Aggregation of scalable network flow events | |
WO2012098786A1 (ja) | Network system, controller, switch, and traffic monitoring method | |
JP6454224B2 (ja) | Communication device | |
JP2011522473A (ja) | Method and system for identifying enterprise network hosts infected with slow and/or distributed scanning malware | |
US8725852B1 (en) | Dynamic network action based on DHCP notification | |
US9521154B2 (en) | Detecting suspicious network activity using flow sampling | |
JP2017046149A (ja) | Communication device | |
US20210084013A1 (en) | Method and apparatus for autonomous firewall rule management | |
US20170195181A1 (en) | Method and system for selective route download in network devices | |
US20140086250A1 (en) | Communication device and address learning method | |
US20180191650A1 (en) | Publish-subscribe based exchange for network services | |
WO2016195619A1 (en) | Application of network flow rule action based on packet counter | |
CN106209680B (zh) | Information processing device and information processing method | |
US8948188B1 (en) | Method and apparatus for managing traffic through a network switch | |
US11218357B1 (en) | Aggregation of incident data for correlated incidents | |
CN108111420B (zh) | Flow table entry management method and device, electronic apparatus, and storage medium | |
US20090073877A1 (en) | Packet processing apparatus, communication system, packet processing method and program that executes this method |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| WWE | Wipo information: entry into national phase | Ref document number: 2011535824 Country of ref document: JP |
| WWE | Wipo information: entry into national phase | Ref document number: 13318635 Country of ref document: US |
| 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 11789465 Country of ref document: EP Kind code of ref document: A1 |
| NENP | Non-entry into the national phase | Ref country code: DE |
| 122 | Ep: pct application non-entry in european phase | Ref document number: 11789465 Country of ref document: EP Kind code of ref document: A1 |