WO2012014509A1 - Unauthorized access blocking control method - Google Patents
Unauthorized access blocking control method
- Publication number: WO2012014509A1 (PCT/JP2011/053489)
- Authority: WO, WIPO (PCT)
- Prior art keywords: switch, communication terminal, set row, correspondence table, port
Classifications
- H—ELECTRICITY › H04—ELECTRIC COMMUNICATION TECHNIQUE › H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION, of which:
  - H04L63/00—Network architectures or network communication protocols for network security › H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
  - H04L12/00—Data switching networks › H04L12/28—Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks] › H04L12/46—Interconnection of networks › H04L12/4604—LAN interconnection over a backbone network, e.g. Internet, Frame Relay › H04L12/462—LAN interconnection over a bridge based backbone
  - H04L63/00—Network architectures or network communication protocols for network security › H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources › H04L63/101—Access control lists [ACL]
  - H04L63/00—Network architectures or network communication protocols for network security › H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic › H04L63/1441—Countermeasures against malicious traffic
  - H04L61/00—Network arrangements, protocols or services for addressing or naming › H04L61/09—Mapping addresses › H04L61/10—Mapping addresses of different types › H04L61/103—Mapping addresses of different types across network layers, e.g. resolution of network layer into physical layer addresses or address resolution protocol [ARP]
Definitions
- The present invention relates to an unauthorized access blocking control method, and more particularly to a technology for detecting the port of an L2 switch (Layer 2 Switch) to which a communication terminal in a network is connected and performing blocking control of that terminal's communication.
- When the access control device described in Patent Document 1 detects communication between communication terminals that is not permitted by the access policy, it transmits a counterfeit ARP (Address Resolution Protocol) response to inhibit communication between those terminals. This makes it possible to restrict access without changing the hardware or software of the communication terminals.
- The unauthorized connection prevention system described in Patent Document 2 registers the MAC (Media Access Control) address of each information processing apparatus permitted to connect to the network in an approval list part, and treats a PC whose address is not registered in the approval list part as a non-permitted device. By sending the non-permitted device an ARP response packet that carries a false MAC address in place of the MAC address of the information processing apparatus, it prevents the non-permitted device from connecting to an internal server or other device on the same subnet, and also from connecting to a device on an external network via a router or the like.
- The network unauthorized connection prevention device described in Patent Document 3 transmits an ARP request to each registered terminal in turn and determines, from the ARP reply returned in response, whether the unique information of that terminal has been registered as presence information. When it determines that the presence information has not been registered, the terminal is regarded as an unauthorized terminal and an interfering message indicating that the terminal's unique information is duplicated is sent to it, which prevents unauthorized connection within the LAN.
- In Patent Documents 1 to 3, because the blocking of communication between communication terminals is performed on the basis of IP addresses, there is the problem that the communication of a terminal having a plurality of IP addresses is difficult to block immediately and reliably.
- In a method that blocks communication with ARP packets, if there is delay on the network, the correct ARP response may reach the communication terminal after the forged ARP response. In that case the terminal's ARP table is rewritten with the information that arrives later, and the access control that was meant to block communication cannot be carried out.
- An L2 switch determines the relay destination of a packet from the destination MAC address contained in the packet. Therefore, in order to block the communication of a terminal having a plurality of IP addresses immediately and reliably, the certain method is to detect the port of the L2 switch to which the terminal is connected and block that port. This method requires detecting the port information of the L2 switch to which the communication terminal is connected.
- In Patent Document 4, management information is received from the L2 switches managed by a network monitoring terminal, an MvP table is created from this management information as a correspondence table between MAC addresses and L2 switch ports, and the connection information between the L2 switches in the network is detected on the basis of the MvP table (the inventor of Patent Document 4 is the same as the inventor of the present application).
- In the present invention, the method for creating the MvP table is the same as in Patent Document 4, but the MvP table is used to detect the port of the L2 switch to which a communication terminal is connected, and a method of performing blocking control of that terminal's communication is provided.
- An object of the present invention is to provide a method for easily and reliably blocking the communication of a terminal in which unauthorized access has been detected, in a network configuration that includes L2 switches.
- The invention according to claim 1 is an unauthorized access blocking control method that detects the port information of the L2 switch to which a communication terminal in a network is connected and performs blocking control of the communication of that communication terminal, the method having: a first step of creating, as an MvP table, on the basis of management information received by the network monitoring terminal from the L2 switches, a correspondence table M1 between the MAC address M(Ci) of communication terminal Ci (1 ≤ i ≤ total number of communication terminals in the network) and the set Row{M(Ci)} of port information of the L2 switches Sj (1 ≤ j ≤ total number of layer 2 switches) that detected the MAC address M(Ci), and a correspondence table M2 between the MAC address M(Sj) of L2 switch Sj and the set Row{M(Sj)} of port information of the L2 switches that detected the MAC address M(Sj); a second step of comparing the set Row{M(Ci)} of correspondence table M1 of the MvP table created in the first step with the set Row{M(Sj)} of correspondence table M2 and performing a normalization that deletes from the set Row{M(Sj)} every element present in both; a third step of detecting, from the MvP table normalized in the second step, the port information of the L2 switch to which communication terminal Ci is connected; and a fourth step of setting to the blocked state the port of the L2 switch to which communication terminal Ci is connected, as detected in the third step.
- The invention according to claim 2 is the unauthorized access blocking control method according to claim 1, wherein the third step includes (1) identifying the L2 switch Sj whose set Row{M(Sj)} in correspondence table M2 has become empty, and (2) extracting from the set Row{M(Ci)} of correspondence table M1 the port P(Sj, n) (1 ≤ n ≤ total number of ports of L2 switch Sj) of the L2 switch Sj identified in (1) and identifying it as the port to which communication terminal Ci is connected.
- The invention according to claim 3 is the unauthorized access blocking control method according to claim 1 or 2, further having a fifth step of releasing the blocked state when the port of the L2 switch to which communication terminal Ci is connected is in the blocked state.
- The invention according to claim 4 is an unauthorized access blocking control program that causes a network monitoring terminal to function so as to detect the port information of the L2 switch to which a communication terminal in a network is connected and to perform blocking control of the communication of that communication terminal, the program having: a first function that creates, as an MvP table, on the basis of management information received by the network monitoring terminal from the L2 switches, a correspondence table M1 between the MAC address M(Ci) of communication terminal Ci (1 ≤ i ≤ total number of communication terminals in the network) and the set Row{M(Ci)} of port information of the L2 switches Sj (1 ≤ j ≤ total number of layer 2 switches) that detected the MAC address M(Ci), and a correspondence table M2 between the MAC address M(Sj) of L2 switch Sj and the set Row{M(Sj)} of port information of the L2 switches that detected the MAC address M(Sj); a second function that compares the set Row{M(Ci)} of correspondence table M1 of the MvP table created by the first function with the set Row{M(Sj)} of correspondence table M2 and performs a normalization that deletes from the set Row{M(Sj)} every element present in both; a third function that detects, from the MvP table normalized by the second function, the port information of the L2 switch to which communication terminal Ci is connected; and a fourth function that sets to the blocked state the port of the L2 switch to which communication terminal Ci is connected, as detected by the third function.
- The invention according to claim 5 is the unauthorized access blocking control program according to claim 4, wherein the third function has (1) a function of identifying the L2 switch Sj whose set Row{M(Sj)} in correspondence table M2 has become empty, and (2) a function of extracting from the set Row{M(Ci)} of correspondence table M1 the port P(Sj, n) (1 ≤ n ≤ total number of ports of L2 switch Sj) of the L2 switch Sj identified in (1) and identifying it as the port to which communication terminal Ci is connected.
- The invention according to claim 6 is the unauthorized access blocking control program according to claim 4 or 5, further having a fifth function that releases the blocked state when the port of the L2 switch to which communication terminal Ci is connected is in the blocked state.
- According to the invention of claim 1 or claim 4, the port of the L2 switch to which a communication terminal is connected can be detected automatically, so that when the network monitoring terminal H detects unauthorized access in the network and identifies the target communication terminal, the communication of that terminal can be cut off immediately and reliably by setting the port of the L2 switch to which it is connected to the blocked state. This improves both the operational efficiency and the security of network management.
- FIG. 2 is a flowchart showing an example of the operation for blocking the communication of communication terminal C4 in the configuration shown in FIG. 1. FIG. 3 is a schematic diagram showing an example of a network configuration according to the second embodiment of the present invention.
- FIG. 4 is a flowchart showing an example of the operation for blocking the communication of communication terminal C4 in the configuration shown in FIG. 3. FIG. 5 is a schematic diagram showing an example of a network configuration according to the third embodiment of the present invention.
- FIG. 1 shows an example of a network configuration diagram according to the first embodiment.
- An SNMP agent is mounted on each of the switches S1, S2, and S3.
- The nth port of L2 switch Sj (1 ≤ j ≤ 3) is written P(Sj, n).
- L2 switches S1 and S2 are connected by port P(S1, 15) and port P(S2, 1). Similarly, L2 switches S2 and S3 are connected by port P(S2, 14) and port P(S3, 1).
- When the network monitoring terminal H detects unauthorized access in the network, it identifies the target communication terminal, then detects the port of the L2 switch to which that terminal is connected and performs control that reliably blocks the terminal's communication.
- The network monitoring terminal H that has detected unauthorized access identifies the target communication terminal, for example when the traffic volume exceeds a threshold or when a packet from a communication terminal not permitted by the access policy is detected.
- A description of how the network monitoring terminal H detects unauthorized access and how it identifies the communication terminal that is the target of the unauthorized access is omitted.
- After the network monitoring terminal H identifies the communication terminal that is the target of the unauthorized access, it detects the port of the L2 switch to which that terminal is connected and puts the port into the blocked state, thereby reliably blocking the terminal's communication.
- FIG. 2 shows the operation of blocking the communication of communication terminal C4 when, in the configuration shown in FIG. 1, the network monitoring terminal H detects unauthorized access and identifies communication terminal C4 as its target.
- In step S01, on the basis of the management information received by the network monitoring terminal H from the L2 switches, a correspondence table M1 between the MAC address M(C4) of communication terminal C4 and the set Row{M(C4)} of port information of the L2 switches Sj (1 ≤ j ≤ 3) that detected M(C4), and a correspondence table M2 between the MAC address M(Sj) of each L2 switch Sj and the set Row{M(Sj)} of port information of the L2 switches that detected M(Sj), are created as the MvP table.
- The management information is obtained by sending an inquiry, addressed to its IP address, to each L2 switch Sj on which an SNMP agent is installed; the management information held by the SNMP agent is returned as the response.
- Examples of this management information are MIB1 specified by RFC1156, MIB2 specified by RFC1213, BRIDGE-MIB specified by RFC1493, and IF-MIB specified by RFC2863.
- From this information, the MAC addresses carried in the headers of the frames passing through each port P(Sj, n) can be obtained.
- The IP address of each switch Sj can be detected by sending inquiries to all IP addresses in the address range managed by the network monitoring terminal H: a response is received from every network device on which an SNMP agent is implemented, and the IP address of the switch Sj is obtained from the response information.
- In step S02, correspondence table M1 and correspondence table M2 of the MvP table created in step S01 are compared, and where an element is present in both, normalization is performed that deletes that element from correspondence table M2.
- In the set Row{M(S1)} of correspondence table M2 of the MvP table created in step S01, there is no element that matches the set Row{M(C4)} of correspondence table M1, so no deletion is performed.
- The set Row{M(S2)} of correspondence table M2 has an element P(S1, 15) that matches the set Row{M(C4)} of correspondence table M1, so that element is deleted from the set Row{M(S2)}.
- The set Row{M(S3)} of correspondence table M2 includes elements P(S1, 15) and P(S2, 14) that match the set Row{M(C4)} of correspondence table M1, so these elements are deleted from the set Row{M(S3)}.
- As a result, the set Row{M(S3)} of correspondence table M2 becomes the empty set.
- In step S03, the L2 switch S3 whose Row{M(S3)} has become the empty set is identified as the switch to which communication terminal C4 is connected. Further, the port information P(S3, 2) of the identified L2 switch S3 is extracted from the set Row{M(C4)} of correspondence table M1 and identified as the port to which communication terminal C4 is connected.
- In step S04, port P(S3, 2) of L2 switch S3, to which communication terminal C4 was found to be connected in step S03, is set to the blocked state.
- For example, the network monitoring terminal H issues a blocking command for port P(S3, 2) to L2 switch S3. As a result, the communication of communication terminal C4 is cut off.
- In this unauthorized access blocking control method, when the network monitoring terminal H detects unauthorized access in the network, it identifies the target communication terminal and then performs the processing described above (steps S01 to S04), so the communication of that terminal can be blocked easily and reliably.
- When the investigation into the cause of the unauthorized access and the measures taken on the communication terminal blocked by the above processing (steps S01 to S04) have been completed, the blocked state may be released.
- By inserting into the processing shown in the flowchart of FIG. 2 a step S05 that cancels the blocked state of port P(S3, 2) of L2 switch S3, the blocked state can be released.
- Steps S01 to S05 can be realized by executing a program on the program control processor of the network monitoring terminal H.
- FIG. 3 shows an example of a network configuration when a non-intelligent hub SX that does not support SNMP exists in the network.
- the L2 switches S1 and SX are connected by a port P (S1,15) and a port P (SX, 1).
- L2 switches SX and S2 are connected by port P(SX, 16) and port P(S2, 1).
- L2 switches SX and S3 are connected by port P(SX, 14) and port P(S3, 1).
- In this configuration too, the network monitoring terminal H detects the port of the L2 switch to which the communication terminal is connected by performing the processing described in the first embodiment (FIG. 2), and can perform blocking control of that terminal's communication.
- FIG. 4 shows the operation of blocking the communication of communication terminal C4 when, in the configuration shown in FIG. 3, the network monitoring terminal H detects unauthorized access and identifies communication terminal C4 as its target.
- In step S01, the network monitoring terminal H creates the MvP table on the basis of the management information received from the L2 switches. Note that, since no SNMP agent is installed on the non-intelligent hub SX, the network monitoring terminal H cannot receive management information from SX.
- In step S02, correspondence table M1 and correspondence table M2 of the MvP table created in step S01 are compared, and where an element is present in both, normalization is performed that deletes that element from correspondence table M2.
- The set Row{M(S1)} of correspondence table M2 of the MvP table created in step S01 has an element P(S2, 1) that matches the set Row{M(C4)} of correspondence table M1, so that element is deleted from the set Row{M(S1)}.
- The set Row{M(S2)} of correspondence table M2 has an element P(S1, 15) that matches the set Row{M(C4)} of correspondence table M1, so that element is deleted from the set Row{M(S2)}.
- The set Row{M(S3)} of correspondence table M2 includes elements P(S1, 15) and P(S2, 1) that match the set Row{M(C4)} of correspondence table M1, so these elements are deleted from the set Row{M(S3)}.
- As a result, the set Row{M(S3)} of correspondence table M2 becomes the empty set.
- In step S03, the L2 switch S3 whose Row{M(S3)} has become the empty set is identified as the switch to which communication terminal C4 is connected. Further, the port information P(S3, 2) of the identified L2 switch S3 is extracted from the set Row{M(C4)} of correspondence table M1 and identified as the port to which communication terminal C4 is connected.
- In step S04, port P(S3, 2) of L2 switch S3, to which communication terminal C4 was found to be connected in step S03, is set to the blocked state. As a result, the communication of communication terminal C4 is cut off.
- Thus, even with the non-intelligent hub SX present, the network monitoring terminal H locates the port to which the communication terminal is connected by performing the processing described in the first embodiment (FIG. 2).
- FIG. 5 shows an example of a network configuration when a non-intelligent hub SX that does not support SNMP exists in the network.
- L2 switches S1 and S2 are connected by port P (S1,15) and port P (S2,1).
- L2 switches S2 and S3 are connected by port P(S2, 14) and port P(S3, 1).
- L2 switches S3 and SX are connected by port P(S3, 2) and port P(SX, 1).
- In this configuration too, the network monitoring terminal H detects the port of the L2 switch to which the communication terminal is connected by performing the processing described in the first embodiment (FIG. 2), and can perform blocking control of that terminal's communication.
- Port P(S3, 2) of L2 switch S3, to which communication terminal C4 is connected, is detected and set to the blocked state, whereby the communication of communication terminal C4 can be blocked.
- Note that setting port P(S3, 2) to the blocked state also blocks the communication passing through the non-intelligent hub SX.
- The present invention can be applied as a technique for easily and reliably blocking the communication of a terminal in which unauthorized access has been detected, in a network configuration that includes L2 switches.
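The procedure of steps S01 to S04 from the first embodiment, applied as well to the FIG. 3 and FIG. 5 configurations that contain the non-SNMP hub SX, as a worked example added here. It is not the patent's own code and not code from the assignee; the patent describes the method in prose only. The per-switch forwarding-database rows are constructed data shaped like what the BRIDGE-MIB (RFC1493) dot1dTpFdbTable reports to the network monitoring terminal H; the MAC values, the `FDB_FIG1` and `FDB_FIG3` tables, and the SNMP SET used to model the step S04 blocking command are this example's assumptions, not details from the page.

```python
"""MvP-table location and blocking of a terminal's switch port (steps S01-S04).

Added example, not the patent's code. Input is constructed data shaped like the
BRIDGE-MIB forwarding database (dot1dTpFdbTable, RFC 1493) that the network
monitoring terminal H polls over SNMP from every SNMP-capable switch.
"""
from collections import defaultdict

# Constructed (assumed) MAC addresses for switches S1..S3 and terminal C4.
SWITCH_MACS = {"S1": "02:00:00:00:00:01", "S2": "02:00:00:00:00:02", "S3": "02:00:00:00:00:03"}
C4 = "02:00:00:00:00:c4"

# FIG. 1 topology: P(S1,15)-P(S2,1), P(S2,14)-P(S3,1), C4 on P(S3,2).
# Each entry is (learned MAC, bridge port) as that switch's FDB would report it.
FDB_FIG1 = {
    "S1": [(SWITCH_MACS["S2"], 15), (SWITCH_MACS["S3"], 15), (C4, 15)],
    "S2": [(SWITCH_MACS["S1"], 1), (SWITCH_MACS["S3"], 14), (C4, 14)],
    "S3": [(SWITCH_MACS["S1"], 1), (SWITCH_MACS["S2"], 1), (C4, 2)],
}
# FIG. 3 topology: non-SNMP hub SX sits between S1 and S2/S3, so S2 and S3 each
# see everything else on port 1. SX contributes no FDB at all (no SNMP agent).
FDB_FIG3 = {
    "S1": [(SWITCH_MACS["S2"], 15), (SWITCH_MACS["S3"], 15), (C4, 15)],
    "S2": [(SWITCH_MACS["S1"], 1), (SWITCH_MACS["S3"], 1), (C4, 1)],
    "S3": [(SWITCH_MACS["S1"], 1), (SWITCH_MACS["S2"], 1), (C4, 2)],
}


def build_mvp(fdb, switch_macs):
    """Step S01: build the MvP table.

    M1 maps each terminal MAC M(Ci) to Row{M(Ci)}, the set of (switch, port)
    pairs on which that MAC was learned. M2 maps each switch Sj to Row{M(Sj)},
    the ports of the other switches on which M(Sj) was learned.
    """
    rows = defaultdict(set)
    for switch, entries in fdb.items():
        for mac, port in entries:
            rows[mac].add((switch, port))
    m2 = {sj: set(rows.get(mac, ())) for sj, mac in switch_macs.items()}
    m1 = {mac: ports for mac, ports in rows.items() if mac not in switch_macs.values()}
    return m1, m2


def normalize(row_ci, m2):
    """Step S02: delete from every Row{M(Sj)} the elements also present in Row{M(Ci)}."""
    return {sj: ports - row_ci for sj, ports in m2.items()}


def locate_port(row_ci, m2, m2_norm):
    """Step S03: the switch whose row *became* empty is the one Ci hangs off;
    its port is the element of Row{M(Ci)} that belongs to that switch."""
    became_empty = [sj for sj in m2 if m2[sj] and not m2_norm[sj]]
    if len(became_empty) != 1:
        raise LookupError(f"expected exactly one emptied row, got {became_empty}")
    sj = became_empty[0]
    ports = sorted(port for (s, port) in row_ci if s == sj)
    if len(ports) != 1:
        raise LookupError(f"Row{{M(Ci)}} holds {ports} ports of {sj}, expected one")
    return sj, ports[0]


def plan_block(fdb, switch_macs, terminal_mac):
    """Steps S01-S03 end to end: returns the (switch, port) that step S04 shuts."""
    m1, m2 = build_mvp(fdb, switch_macs)
    row_ci = m1[terminal_mac]
    return locate_port(row_ci, m2, normalize(row_ci, m2))


def block_command(switch, port):
    """Step S04 as H would issue it. The page says only 'a blocking command';
    the SNMP SET modelled here (IF-MIB ifAdminStatus = down(2) on the ifIndex
    that dot1dBasePortIfIndex maps the bridge port to) is this example's
    assumption. It is returned as a plan, not sent anywhere."""
    return {"switch": switch, "bridge_port": port,
            "set": "ifAdminStatus.<ifIndex of bridge port %d> = down(2)" % port}


if __name__ == "__main__":
    for name, fdb in (("FIG. 1", FDB_FIG1), ("FIG. 3", FDB_FIG3)):
        sj, port = plan_block(fdb, SWITCH_MACS, C4)
        print(name, "-> C4 is on P(%s,%d):" % (sj, port), block_command(sj, port))
```

The FIG. 5 case is not listed separately because, seen from the SNMP-capable switches, its forwarding database is identical to FIG. 1 (hub SX learns nothing H can read), so it resolves to the same P(S3, 2) and, as the text notes for that embodiment, everything behind SX is cut off with it. `locate_port` insists on exactly one row that went from non-empty to empty: a switch whose MAC was never learned anywhere has an empty row before normalization and is not mistaken for the attachment switch, and a stale or partial FDB that empties two rows raises instead of blocking a guessed port.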
Abstract
Description
A first step of creating, as an MvP table, on the basis of management information received by the network monitoring terminal from the L2 switches, a correspondence table M1 between the MAC address M(Ci) of communication terminal Ci (1 ≤ i ≤ total number of communication terminals in the network) and the set Row{M(Ci)} of port information of the L2 switches Sj (1 ≤ j ≤ total number of layer 2 switches) that detected that MAC address M(Ci), and a correspondence table M2 between the MAC address M(Sj) of L2 switch Sj and the set Row{M(Sj)} of port information of the L2 switches that detected that MAC address M(Sj);
a second step of comparing the set Row{M(Ci)} of correspondence table M1 of the MvP table created in the first step with the set Row{M(Sj)} of correspondence table M2 and performing a normalization that deletes from the set Row{M(Sj)} any element present in both;
a third step of detecting, from the MvP table normalized in the second step, the port information of the L2 switch to which communication terminal Ci is connected;
and a fourth step of setting to the blocked state the port of the L2 switch to which communication terminal Ci is connected, as detected in the third step; the method is characterized by having these steps.
The third step is characterized by comprising:
(1) a step of identifying the L2 switch Sj whose set Row{M(Sj)} in correspondence table M2 has become empty; and
(2) a step of extracting, from the set Row{M(Ci)} of correspondence table M1, the port P(Sj,n) (1 ≤ n ≤ total number of ports of L2 switch Sj) of the L2 switch Sj identified in (1) above and identifying it as the port information to which communication terminal Ci is connected.
The method is characterized by having a fifth step of releasing the blocked state when the port of the L2 switch to which communication terminal Ci is connected is in the blocked state.
A first function that creates, as an MvP table, on the basis of management information received by the network monitoring terminal from the L2 switches, a correspondence table M1 between the MAC address M(Ci) of communication terminal Ci (1 ≤ i ≤ total number of communication terminals in the network) and the set Row{M(Ci)} of port information of the L2 switches Sj (1 ≤ j ≤ total number of layer 2 switches) that detected that MAC address M(Ci), and a correspondence table M2 between the MAC address M(Sj) of L2 switch Sj and the set Row{M(Sj)} of port information of the L2 switches that detected that MAC address M(Sj);
a second function that compares the set Row{M(Ci)} of correspondence table M1 of the MvP table created by the first function with the set Row{M(Sj)} of correspondence table M2 and performs a normalization that deletes from the set Row{M(Sj)} any element present in both; a third function that detects, from the MvP table normalized by the second function, the port information of the L2 switch to which communication terminal Ci is connected;
and a fourth function that sets to the blocked state the port of the L2 switch to which communication terminal Ci is connected, as detected by the third function; the program is characterized by having these functions.
(1) a function of identifying the L2 switch Sj whose set Row{M(Sj)} in correspondence table M2 has become empty; and
(2) a function of extracting, from the set Row{M(Ci)} of correspondence table M1, the port P(Sj,n) (1 ≤ n ≤ total number of ports of L2 switch Sj) of the L2 switch Sj identified in (1) above and identifying it as the port information to which communication terminal Ci is connected;
the third function is characterized by having these.
The program is characterized by having a fifth function that releases the blocked state when the port of the L2 switch to which communication terminal Ci is connected is in the blocked state.
S1 to S3: L2 switches
SX: non-intelligent hub
C1 to C6: communication terminals
An unauthorized access blocking control method according to the first embodiment of the present invention is described with reference to FIG. 1. FIG. 1 shows an example of a network configuration diagram according to the first embodiment.
Next, FIG. 3 shows an example of a network configuration in which a non-intelligent hub SX that does not support SNMP exists in the network.
Next, FIG. 5 shows an example of a network configuration in which a non-intelligent hub SX that does not support SNMP exists in the network.
Claims (6)
- A method of detecting port information of an L2 switch to which a communication terminal in a network is connected and performing blocking control of the communication of that communication terminal, comprising:
a first step of creating, as an MvP table, on the basis of management information received by a network monitoring terminal from the L2 switches, a correspondence table M1 between the MAC address M(Ci) of communication terminal Ci (1 ≤ i ≤ total number of communication terminals in the network) and the set Row{M(Ci)} of port information of the L2 switches Sj (1 ≤ j ≤ total number of layer 2 switches) that detected that MAC address M(Ci), and a correspondence table M2 between the MAC address M(Sj) of L2 switch Sj and the set Row{M(Sj)} of port information of the L2 switches that detected that MAC address M(Sj);
a second step of comparing the set Row{M(Ci)} of correspondence table M1 of the MvP table created in the first step with the set Row{M(Sj)} of correspondence table M2 and performing a normalization that deletes from the set Row{M(Sj)} any element present in both;
a third step of detecting, from the MvP table normalized in the second step, the port information of the L2 switch to which communication terminal Ci is connected; and
a fourth step of setting to the blocked state the port of the L2 switch to which communication terminal Ci is connected, as detected in the third step;
the unauthorized access blocking control method being characterized by having these steps.
- The unauthorized access blocking control method according to claim 1, characterized in that the third step comprises:
(1) a step of identifying the L2 switch Sj whose set Row{M(Sj)} in correspondence table M2 has become empty; and
(2) a step of extracting, from the set Row{M(Ci)} of correspondence table M1, the port P(Sj,n) (1 ≤ n ≤ total number of ports of L2 switch Sj) of the L2 switch Sj identified in (1) above and identifying it as the port information to which communication terminal Ci is connected.
- The unauthorized access blocking control method according to claim 1 or claim 2, characterized by having a fifth step of releasing the blocked state when the port of the L2 switch to which communication terminal Ci is connected is in the blocked state.
- A computer program that causes a network monitoring terminal to function, the network monitoring terminal detecting port information of an L2 switch to which a communication terminal in a network is connected and performing blocking control of the communication of that communication terminal, the program having:
a first function that creates, as an MvP table, on the basis of management information received by the network monitoring terminal from the L2 switches, a correspondence table M1 between the MAC address M(Ci) of communication terminal Ci (1 ≤ i ≤ total number of communication terminals in the network) and the set Row{M(Ci)} of port information of the L2 switches Sj (1 ≤ j ≤ total number of layer 2 switches) that detected that MAC address M(Ci), and a correspondence table M2 between the MAC address M(Sj) of L2 switch Sj and the set Row{M(Sj)} of port information of the L2 switches that detected that MAC address M(Sj);
a second function that compares the set Row{M(Ci)} of correspondence table M1 of the MvP table created by the first function with the set Row{M(Sj)} of correspondence table M2 and performs a normalization that deletes from the set Row{M(Sj)} any element present in both; a third function that detects, from the MvP table normalized by the second function, the port information of the L2 switch to which communication terminal Ci is connected; and
a fourth function that sets to the blocked state the port of the L2 switch to which communication terminal Ci is connected, as detected by the third function;
the unauthorized access blocking control program being characterized by having these functions.
- The unauthorized access blocking control program according to claim 4, characterized in that the third function comprises:
(1) a function of identifying the L2 switch Sj whose set Row{M(Sj)} in correspondence table M2 has become empty; and
(2) a function of extracting, from the set Row{M(Ci)} of correspondence table M1, the port P(Sj,n) (1 ≤ n ≤ total number of ports of L2 switch Sj) of the L2 switch Sj identified in (1) above and identifying it as the port information to which communication terminal Ci is connected.
- The unauthorized access blocking control program according to claim 4 or claim 5, characterized by having a fifth function that releases the blocked state when the port of the L2 switch to which communication terminal Ci is connected is in the blocked state.
Priority Applications (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
EP11812105.2A EP2600566B1 (en) | 2010-07-30 | 2011-02-18 | Unauthorized access blocking control method |
US13/812,994 US8955049B2 (en) | 2010-07-30 | 2011-02-18 | Method and a program for controlling communication of target apparatus |
JP2011515621A JP5134141B2 (ja) | 2010-07-30 | 2011-02-18 | Unauthorized access blocking control method |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
JP2010172126 | 2010-07-30 | ||
JP2010-172126 | 2010-07-30 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2012014509A1 (ja) | 2012-02-02 |
Family
ID=45529733
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/JP2011/053489 WO2012014509A1 (ja) | 2010-07-30 | 2011-02-18 | Unauthorized access blocking control method |
Country Status (4)
Country | Link |
---|---|
US (1) | US8955049B2 (ja) |
EP (1) | EP2600566B1 (ja) |
JP (1) | JP5134141B2 (ja) |
WO (1) | WO2012014509A1 (ja) |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2014195180A (ja) * | 2013-03-28 | 2014-10-09 | Oki Electric Ind Co Ltd | Station number recognition device and station number recognition system |
JP2018064228A (ja) * | 2016-10-14 | 2018-04-19 | Anritsu Networks Co., Ltd. | Packet control device |
JP2019041176A (ja) * | 2017-08-23 | 2019-03-14 | SoftCreate Co., Ltd. | Unauthorized connection blocking device and unauthorized connection blocking method |
Families Citing this family (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2012014509A1 (ja) * | 2010-07-30 | 2012-02-02 | Cyber Solutions Inc. | Unauthorized access blocking control method |
JP6117050B2 (ja) * | 2013-08-09 | 2017-04-19 | Hitachi, Ltd. | Network control device |
CN105699383B (zh) * | 2015-12-16 | 2018-10-16 | Nanjing Institute of Railway Technology | Detection method for rail fasteners with enhanced message transmission capability |
US10979323B2 (en) | 2017-05-31 | 2021-04-13 | Cyber Solutions Inc. | Network map display method and network map display program |
JP6977507B2 (ja) * | 2017-11-24 | 2021-12-08 | Omron Corporation | Control device and control system |
Citations (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JPH025A (ja) | 1987-06-11 | 1990-01-05 | Asahi Optical Co Ltd | Camera line-of-sight direction detection device |
JPH079706A (ja) | 1993-06-25 | 1995-01-13 | Canon Inc | Printing apparatus |
JP2004185498A (ja) | 2002-12-05 | 2004-07-02 | Matsushita Electric Ind Co Ltd | Access control device |
JP2005198090A (ja) | 2004-01-08 | 2005-07-21 | Fujitsu Ltd | Network unauthorized connection prevention method and device |
JP2006148255A (ja) * | 2004-11-16 | 2006-06-08 | Hitachi Ltd | Device and method for identifying the connection location of an unauthorized device |
WO2006118203A1 (ja) * | 2005-04-27 | 2006-11-09 | Cyber Solutions Inc. | Network map generation method |
JP2007514811A (ja) | 2003-11-29 | 2007-06-07 | Robert Valentine Kasowski | Protective composition comprising the reaction of an amine and phosphorous acid applied to a substrate |
JP2009253461A (ja) * | 2008-04-02 | 2009-10-29 | Nec Corp | Network, communication management device, wired switch, wireless controller, unauthorized communication blocking method and program |
Family Cites Families (15)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
GB2268374A (en) * | 1992-06-23 | 1994-01-05 | Ibm | Network addressing |
JPH0832607A (ja) * | 1994-07-13 | 1996-02-02 | Hitachi Cable Ltd | Network configuration management method |
US5926463A (en) * | 1997-10-06 | 1999-07-20 | 3Com Corporation | Method and apparatus for viewing and managing a configuration of a computer network |
JP4558139B2 (ja) * | 2000-05-02 | 2010-10-06 | Buffalo Inc. | Network management device |
US7383574B2 (en) * | 2000-11-22 | 2008-06-03 | Hewlett Packard Development Company L.P. | Method and system for limiting the impact of undesirable behavior of computers on a shared data network |
JP4174392B2 (ja) * | 2003-08-28 | 2008-10-29 | NEC Corporation | System for preventing unauthorized connection to a network, and device for preventing unauthorized connection to a network |
JP4128974B2 (ja) * | 2004-03-31 | 2008-07-30 | Fujitsu Limited | Layer 2 loop detection system |
US7639684B2 (en) * | 2004-12-23 | 2009-12-29 | Infineon Technologies Ag | Modified ethernet switch |
EP1836792A1 (en) * | 2004-12-30 | 2007-09-26 | BCE Inc. | System and method for secure access |
US7463593B2 (en) * | 2005-01-13 | 2008-12-09 | International Business Machines Corporation | Network host isolation tool |
US7969966B2 (en) * | 2005-12-19 | 2011-06-28 | Alcatel Lucent | System and method for port mapping in a communications network switch |
US7936670B2 (en) * | 2007-04-11 | 2011-05-03 | International Business Machines Corporation | System, method and program to control access to virtual LAN via a switch |
JP5045417B2 (ja) * | 2007-12-19 | 2012-10-10 | Sony Corporation | Network system and direct access method |
US8521856B2 (en) * | 2007-12-29 | 2013-08-27 | Cisco Technology, Inc. | Dynamic network configuration |
WO2012014509A1 (ja) * | 2010-07-30 | 2012-02-02 | Cyber Solutions Inc. | Unauthorized access blocking control method |
- 2011
- 2011-02-18 WO PCT/JP2011/053489 patent/WO2012014509A1/ja active Application Filing
- 2011-02-18 US US13/812,994 patent/US8955049B2/en not_active Expired - Fee Related
- 2011-02-18 JP JP2011515621A patent/JP5134141B2/ja active Active
- 2011-02-18 EP EP11812105.2A patent/EP2600566B1/en active Active
Non-Patent Citations (1)
Title |
---|
See also references of EP2600566A4 |
Also Published As
Publication number | Publication date |
---|---|
US8955049B2 (en) | 2015-02-10 |
JPWO2012014509A1 (ja) | 2013-09-12 |
EP2600566A1 (en) | 2013-06-05 |
US20140165143A1 (en) | 2014-06-12 |
EP2600566A4 (en) | 2016-06-08 |
EP2600566B1 (en) | 2017-08-02 |
JP5134141B2 (ja) | 2013-01-30 |
Legal Events
Code | Title | Description |
---|---|---|
WWE | Wipo information: entry into national phase | Ref document number: 2011515621 Country of ref document: JP |
121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 11812105 Country of ref document: EP Kind code of ref document: A1 |
NENP | Non-entry into the national phase | Ref country code: DE |
REEP | Request for entry into the european phase | Ref document number: 2011812105 Country of ref document: EP |
WWE | Wipo information: entry into national phase | Ref document number: 2011812105 Country of ref document: EP |
WWE | Wipo information: entry into national phase | Ref document number: 13812994 Country of ref document: US |