WO2015025817A1 - Communication terminal, communication system, communication method, and program - Google Patents



Publication number
WO2015025817A1
Authority
WO
WIPO (PCT)
Prior art keywords
address
communication
destination address
communication data
acquired
Application number
PCT/JP2014/071568
Other languages
French (fr)
Japanese (ja)
Inventor
貴裕 飯星
Original Assignee
日本電気株式会社 (NEC Corporation)
Application filed by 日本電気株式会社 (NEC Corporation)
Priority to JP2015532850A
Publication of WO2015025817A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L45/00 Routing or path finding of packets in data switching networks
    • H04L45/38 Flow based routing
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L45/00 Routing or path finding of packets in data switching networks
    • H04L45/64 Routing or path finding of packets in data switching networks using an overlay routing layer
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/45 Network directories; Name-to-address mapping
    • H04L61/4505 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
    • H04L61/4511 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]

Definitions

  • the present invention is based on, and claims the priority of, Japanese Patent Application No. 2013-170013 (filed on Aug. 20, 2013), the entire contents of which are incorporated herein by reference.
  • the present invention relates to a communication terminal, a communication system, a communication method, and a program.
  • Patent Document 1 discloses a communication filtering system that filters communication from an external NW (network) to an internal NW.
  • the communication filtering system described in Patent Document 1 includes a communication filtering unit 30 comprising a filtering unit 301, a user authentication unit 302, and a user information storage unit 402.
  • an administrator registers user information (user identifier and user authentication information) of all users who form a community in the user information storage unit 402 in advance.
  • when the filtering unit 301 receives a request from the user terminal 21, it requests user authentication from the user authentication unit 302.
  • the user authentication unit 302 receives the user authentication request from the filtering unit 301 and collates the user identifier and user authentication information included in the request against the user information stored in the user information storage unit 402. If stored user information matches the combination of user identifier and user authentication information included in the request, the user authentication unit 302 determines that user authentication has succeeded; if no stored user information matches that combination, it determines that user authentication has failed. The user authentication result is notified to the filtering unit 301.
  • the filtering unit 301 discards the request from the terminal 21 when user authentication by the user authentication unit 302 fails. On the other hand, when user authentication succeeds, the filtering unit 301 transfers the request from the terminal 21 to the requested service.
  • an administrator registers, in advance, the user information of the users who are allowed to communicate in the user information storage unit 402. That is, in this communication filtering system, the administrator must know every user who forms the community and register that user's information beforehand.
  • An object of the present invention is to provide a communication terminal, a communication system, a communication method, and a program that contribute to solving the problem.
  • the communication terminal includes communication means (unit) capable of transmitting communication data generated by an application, and control means (unit) capable of determining whether the communication data may be transmitted based on whether its destination address was acquired from an address resolution system that can search for the destination address using identification information indicating the destination of the communication data.
  • the communication system includes an address resolution system capable of searching for a destination address using identification information representing the destination of communication data, and a communication terminal having communication means (unit) capable of transmitting communication data generated by an application and control means (unit) capable of determining whether or not the communication data may be transmitted based on whether or not its destination address was acquired from the address resolution system.
  • a communication method includes a step of transmitting communication data generated by an application, and a step of determining whether or not to transmit the communication data based on whether or not its destination address has been acquired from an address resolution system capable of searching for the destination address using identification information indicating the destination of the communication data.
  • the program according to the fourth aspect of the present invention causes a computer to execute a process of transmitting communication data generated by an application, and a process of determining whether or not to transmit the communication data based on whether or not its destination address has been acquired from an address resolution system capable of searching for the destination address using identification information indicating the destination of the communication data.
  • the program can also be provided as a program product recorded in a non-transitory computer-readable storage medium.
  • according to the communication terminal, the communication system, the communication method, and the program of the present invention, the management cost of filtering can be reduced when communication is filtered in the communication terminal.
  • FIG. 1 shows an example of a communication system according to a first embodiment of the present invention.
  • an example of the configuration of the communication terminal of the first embodiment of the present invention is shown.
  • a sequence diagram shows an operation example of the first embodiment of the present invention.
  • a flowchart shows an operation example of the control unit 11 of the communication terminal 1 of the first embodiment of the present invention.
  • an example of the configuration of the communication terminal of the second embodiment of the present invention is shown.
  • an example of the table stored in the notification information DB (database) 13 of the second embodiment of the present invention is shown.
  • another example of the table stored in the notification information DB 13 of the second embodiment of the present invention is shown.
  • an example of the configuration of the communication terminal of the fifth embodiment of the present invention is shown.
  • an example of the table stored in the processing rule DB 14 of the fifth embodiment of the present invention is shown.
  • an example of the configuration of the sixth embodiment of the present invention is shown.
  • an example of the flow table in the sixth embodiment of the present invention is shown.
  • an example of the communication system of the sixth embodiment of the present invention is shown.
  • an example of the configuration of the communication terminal of the sixth embodiment of the present invention is shown.
  • an example of the configuration of the communication server of the sixth embodiment of the present invention is shown.
  • an example of the processing rule of the sixth embodiment of the present invention is shown.
  • an example of the configuration of the virtual switch 15 of the sixth embodiment of the present invention is shown.
  • a sequence diagram shows an operation example of the sixth embodiment of the present invention.
  • a sequence diagram shows an operation example of the seventh embodiment of the present invention.
  • the communication system according to the first embodiment of the present invention includes a communication terminal 1, a notification device 2, and a network 3, as shown in FIG.
  • the reference numerals of the drawings attached to this summary are attached to the respective elements for convenience as an example for facilitating understanding, and are not intended to limit the present invention to the illustrated embodiment.
  • the communication terminal 1 executes communication filtering by using address resolution (address request) for acquiring a communication destination address. Since the communication terminal 1 performs filtering of communication using the address resolution, for example, it is possible to suppress management costs required for managing applications installed in the communication terminals owned by each user.
  • the communication terminal 1 is a device having a communication function such as a mobile phone, a smartphone, a personal computer, a tablet terminal, a mobile router, a switch, and a server.
  • the mobile router is a terminal that relays, for example, a 3G (Third Generation) line of a mobile phone or a wireless LAN (Local Area Network) network.
  • FIG. 2 shows a configuration example of the communication terminal 1 in the first embodiment of the present invention.
  • the communication terminal 1 includes a plurality of applications 10, a control unit 11, and a communication unit 12.
  • at least one of the plurality of applications 10 communicates using, for example, a destination address (such as an IP (Internet Protocol) address) acquired from an address resolution system such as a DNS server by a DNS (Domain Name System) resolver included in the control unit 11.
  • when the destination address of the communication data of an application 10 is unknown, the control unit 11 performs address resolution using a DNS resolver or the like. For example, the control unit 11 transmits identification information included in a URL (Uniform Resource Locator), or identification information such as an FQDN (Fully Qualified Domain Name), to the notification device 2 (a DNS server or the like). The notification device 2 searches for the destination address using the identification information and notifies the control unit 11 of the destination address. The control unit 11 then notifies the application 10 of the destination address returned in response to the request.
  • the control unit 11 determines whether the communication data can be transmitted based on whether the destination address of the communication data generated by the application 10 is acquired from the address resolution system.
  • the communication data permitted to be transmitted by the control unit 11 is transmitted from the communication unit 12.
  • the communication unit 12 is a means for transferring packets generated from the communication data from the communication terminal 1 to the connection destination, and is, for example, an antenna.
  • the communication terminal 1 transfers the packet to the network 3 using the communication unit 12.
  • the notification device 2 is a device that notifies the address of the connection destination of the communication terminal 1 in response to an address request from the communication terminal 1.
  • the notification device 2 is, for example, a DNS (Domain Name System) server.
  • the notification device 2 notifies the communication terminal 1 of the destination address corresponding to the identification information of the connection destination notified from the communication terminal 1 in response to the communication terminal 1 requesting the address.
  • FIG. 3 is a sequence diagram showing an operation example of the first embodiment of the present invention.
  • the communication terminal 1 requests the notification device 2 to resolve the address of the destination, using identification information that uniquely identifies the connection destination (such as the domain name or FQDN included in the URL) (S001).
  • upon receiving the address request, the notification device 2 notifies the communication terminal 1 of the destination address corresponding to the connection destination identification information notified by the communication terminal 1 (S002).
  • the communication terminal 1 that has received the notification of the address transmits a packet using the notified address (S003).
  • FIG. 4 is a flowchart showing an operation example of the control unit 11 included in the communication terminal 1 in the first embodiment of the present invention.
  • the control unit 11 determines whether or not the destination address of the communication data related to the communication has been acquired from the notification device 2 (S102).
  • if it has, the control unit 11 transmits a packet corresponding to the communication data toward the destination address (S103).
  • when the destination address has not been acquired from the address resolution system, the control unit 11 does not transfer the packet corresponding to the communication data and, for example, discards it (S104).
  • in this way, the control unit 11 of the communication terminal 1 performs communication filtering by determining whether or not to transmit communication data based on whether or not the destination address of the communication data generated by the application 10 was acquired from the address resolution system.
  • with the communication terminal 1, the security of the communication terminal 1 can be ensured even when an unauthorized application is installed in it.
  • suppose, for example, that an application with the address of an illegal destination embedded in it is installed in the communication terminal 1.
  • in that case, address resolution by DNS or the like is not executed, and communication to the illegal destination embedded in the application is attempted directly.
  • the communication terminal 1 can prevent communication to a destination address that has not been acquired by address resolution, and thus the security of the communication terminal 1 can be enhanced.
  • the communication terminal 1 has a notification information database (DB) 13 that stores the correspondence between the destination address acquired from the notification device 2 and the application 10. Note that the technique of the first embodiment described above can be applied to the second embodiment.
  • the control unit 11 of the communication terminal 1 refers to the notification information DB 13 and functions as a means for determining whether or not the destination address of the communication data generated by the application 10 was acquired from the address resolution system.
  • the communication terminal 1 executes communication filtering based on the result of determination by the control unit 11.
  • the communication system according to the second embodiment of the present invention is the same as that shown in FIG.
  • FIG. 5 shows a configuration example of the communication terminal 1 in the second embodiment of the present invention.
  • the communication terminal 1 has a notification information database (DB) 13 that stores, for each address notified by the notification device 2, which application that address was notified to.
  • the control unit 11 notifies the application 10 of the acquired destination address in response to the acquisition of the destination address from the notification device 2. In response to notifying the application 10 of the destination address, the control unit 11 associates the destination address with an identifier that uniquely identifies the application that has notified the destination address, and stores them in the notification information DB 13.
  • FIG. 6 shows an example of a table stored in the notification information DB 13.
  • the notification information DB 13 stores the address notified to the application 10 by the control unit 11 and an identifier for uniquely identifying the application 10 in association with each other.
  • the control unit 11 refers to the notification information DB 13 to determine whether or not the destination address of the communication data generated by the application 10 has been acquired from the notification device 2 (that is, whether or not address resolution was performed).
  • the notification information DB 13 stores, for example, a destination address “210.147.209.89” and an identifier “S” that uniquely identifies the application 10 that acquired the destination address. Further, the notification information DB 13 stores, for example, a destination address “210.147.209.90” and an identifier “T” that uniquely identifies the application 10 that acquired the destination address.
  • the control unit 11 refers to the notification information DB 13 in response to receiving communication data from at least one of the plurality of applications 10.
  • when the notification information DB 13 stores the destination address of the communication data and the identifier of the application 10 that transmitted the communication data in association with each other, the control unit 11 determines that the destination address has been acquired from the notification device 2.
  • the control unit 11 refers to the notification information DB 13 using the identifier of the application 10 included in the communication data and the destination address of the communication data.
  • alternatively, the control unit 11 requests an application identifier from the application 10 that transmitted the communication data, and refers to the notification information DB 13 using the identifier acquired in response to the request and the destination address.
  • otherwise, the control unit 11 determines that the destination address has not been acquired from the notification device 2.
  • control unit 11 refers to the notification information DB 13 in response to receiving a packet including the destination address “210.147.209.89” from the application 10 having the identifier “S”. Since the destination address “210.147.209.89” and the identifier “S” are stored in the notification information DB 13 in association with each other, the control unit 11 determines that the destination address has been acquired from the notification device 2.
  • the control unit 11 refers to the notification information DB 13 in response to receiving a packet including the destination address “210.147.209.89” from the application 10 having the identifier “T”. Since the address “210.147.209.89” and the identifier “T” are not stored in the notification information DB 13 in association with each other, the control unit 11 determines that the destination address is not obtained from the notification device 2.
  • FIG. 7 shows another example of the table stored in the notification information DB 13.
  • the notification information DB 13 stores the destination address notified to the application 10 by the control unit 11 and the port number corresponding to the application 10 in association with each other. Since the port numbers corresponding to the plurality of applications 10 can be assumed to differ from each other, each of the applications 10 can be identified by its port number. Therefore, when the destination address and the port number are stored in the notification information DB 13 in association with each other, the control unit 11 determines that the destination address of the communication data generated by the application 10 was acquired from the notification device 2.
  • control unit 11 determines that the destination address of the communication data is not obtained from the notification device 2 when the destination address and the port number are not stored in the notification information DB 13 in association with each other.
  • the notification information DB 13 stores, for example, a destination address “210.147.209.89” and a port number “15” corresponding to the application 10 that acquired the destination address in association with each other. Further, the notification information DB 13 stores, for example, a destination address “210.147.209.90” and a port number “16” corresponding to the application 10 that acquired the address in association with each other.
  • control unit 11 receives communication data having a destination address “210.147.209.89” from the application 10 corresponding to the port number “15”, and refers to the notification information DB 13. Since the destination address “210.147.209.89” and the port number “15” are stored in the notification information DB 13 in association with each other, the control unit 11 determines that the destination address has been acquired from the notification device 2.
  • the control unit 11 receives communication data whose destination address is “210.147.209.89” from the application 10 corresponding to the port number “16”, and refers to the notification information DB 13.
  • since the destination address “210.147.209.89” and the port number “16” are not stored in association with each other in the notification information DB 13, the control unit 11 determines that the destination address was not acquired from the notification device 2.
  • the control unit 11 transmits communication data as a packet from the communication unit 12 in response to determining that the destination address has been acquired from the notification device 2.
  • otherwise, the control unit 11 executes a process for rejecting transmission of the communication data (for example, discarding the data).
  • the control unit 11 may execute a process of transferring the packet to the quarantine network instead of the process of discarding the packet.
  • FIG. 8 is a flowchart showing an operation example of the control unit 11 included in the communication terminal 1 in the second embodiment of the present invention.
  • control unit 11 receives a destination address resolution request from at least one of a plurality of applications (S201).
  • in response to receiving the address resolution request, the control unit 11 requests an address from the notification device 2 using the destination identification information (S202).
  • the control unit 11 notifies the application 10 of the destination address acquired from the notification device 2 (S203).
  • in response to notifying the application 10 of the destination address, the control unit 11 associates the notified address with an identifier that uniquely identifies the application (or the port number corresponding to the application that requested the address) and stores them in the notification information DB 13.
  • when communication occurs (S205), the control unit 11 refers to the notification information DB 13 and determines whether or not the communication destination address has been acquired from the notification device 2 (S206).
  • if it has, the control unit 11 transmits the communication data as a packet to the destination address (S207).
  • otherwise, the control unit 11 executes a process for rejecting transmission of the communication data (for example, discarding it) (S208).
  • the notification information DB 13 included in the communication terminal 1 stores a destination address, an identifier that uniquely identifies the application that acquired the destination address (or a port number corresponding to the application that requested the address), and identification information of the communication connection destination in association with each other.
  • any of the techniques of the first and second embodiments described above can be applied.
  • the control unit 11 of the communication terminal 1 refers to the notification information DB 13 and determines whether or not a search for the connection destination identification information, using the destination address and the identifier (or port number) of the application 10, succeeds.
  • when the destination address of the communication data was acquired from the notification device 2, the control unit 11 succeeds in searching for the connection destination identification information.
  • otherwise, the control unit 11 fails to find the connection destination identification information. Therefore, in the third embodiment of the present invention, the control unit 11 determines whether or not the destination address of the communication data was acquired from the notification device 2 by determining whether or not the search for the connection destination identification information succeeds, and thereby performs communication filtering.
  • the communication system includes a communication terminal 1, a notification device 2, a network 3, and a service providing device 4 (connection destination).
  • the service providing device 4 is a device to which the communication terminal 1 is connected, and is a device that provides services to the communication terminal 1.
  • the service providing device 4 is a Web server, for example.
  • the service providing device 4 is not limited to one and may be a plurality.
  • the communication terminal 1 according to the third embodiment of the present invention is the same as that of FIG.
  • the application 10 notifies the notification device 2 of the service identification information of the service providing device 4 described above as the connection destination identification information.
  • the service identification information is identification information other than the address that can uniquely identify the service providing apparatus 4, such as the name of the service providing apparatus 4 or the name of the service it provides.
  • At least one of the plurality of applications 10 transmits a packet using the address notified from the notification device 2 and communicates with the service providing device 4.
  • the control unit 11 notifies the destination address acquired from the notification device 2 to the application 10 that requested the address. In response to notifying the application 10 of the destination address, the control unit 11 stores the notified destination address, the identifier that uniquely identifies the application 10 that requested it, and the service identification information of the service providing apparatus 4 in the notification information DB 13 in association with each other.
  • the identifier that uniquely identifies the application 10 that requested the destination address may be a port number corresponding to the application 10 that requested the address.
  • FIG. 10 shows an example of a table stored in the notification information DB 13.
  • the notification information DB 13 stores an identifier that uniquely identifies the application 10
  • a port number corresponding to the application that requested the address may be used instead of the identifier.
  • the notification information DB 13 stores, in association with each other, an address notified to the application 10 by the control unit 11, an identifier that uniquely identifies the application 10 that requested the address, and the service identification information of the service providing apparatus 4 corresponding to the address.
  • the notification information DB 13 stores, for example, a destination address “210.147.209.89”, an identifier “S” that uniquely identifies the application 10 that requested the address, and service identification information “AAA” of the service providing apparatus 4 corresponding to the address, in association with each other.
  • the control unit 11 receives communication data from at least one of the plurality of applications 10.
  • the control unit 11 refers to the notification information DB 13 and searches for service identification information from the destination address of the received communication data and the identifier of the application 10 that is the transmission source of the communication data.
  • when the control unit 11 receives communication data including the destination address “210.147.209.89” from the application 10 with the identifier “S” and refers to the notification information DB 13 using the identifier and the destination address, the search for the service identification information “AAA” succeeds.
  • when the control unit 11 receives communication data including the destination address “210.147.209.89” from the application 10 with the identifier “T” and refers to the notification information DB 13 using the identifier and the destination address, the search for the service identification information “AAA” fails.
  • the control unit 11 transmits the communication data as a packet when the service identification information is successfully retrieved.
  • otherwise, the control unit 11 executes a process (for example, discarding) for rejecting transmission of the communication data.
  • control unit 11 may execute a process of transferring the packet to the quarantine network instead of the process of discarding the packet.
  • in response to receiving an address request from the communication terminal 1, the notification device 2 searches for the address of the service providing device 4 corresponding to the notified service identification information, and notifies the communication terminal 1 of the address found.
  • FIG. 11 is a flowchart showing an operation example of the control unit 11 included in the communication terminal 1 in the third embodiment of the present invention.
  • control unit 11 receives a request for a destination address of a connection destination from at least one of a plurality of applications (S301).
  • in response to receiving the address request, the control unit 11 notifies the notification device 2 of the service identification information and transmits a destination address resolution request (S302).
  • the control unit 11 notifies the application 10 that has requested the address of the address notified from the notification device 2 (S303).
  • in response to notifying the application 10 of the destination address, the control unit 11 stores the destination address, an identifier that uniquely identifies the application that requested it (or the port number corresponding to that application), and the service identification information of the service providing apparatus in the notification information DB 13 in association with each other (S304).
  • when communication occurs (S305), the control unit 11 refers to the notification information DB 13 and searches for the service identification information (S306).
  • if the search succeeds, the control unit 11 transmits the communication data as a packet (S307).
  • control unit 11 does not transfer the received packet, for example, discards it (S308).
  • the communication terminal 1 includes a processing rule (DB) 14 that stores a rule for processing a packet.
  • control unit 11 of the communication terminal 1 can determine processing of a packet corresponding to at least one of a plurality of applications with reference to the processing rule DB 14.
  • the communication system according to the fourth embodiment of the present invention is the same as that shown in FIG.
  • FIG. 12 shows a configuration example of the communication terminal 1 in the fourth embodiment of the present invention.
  • the communication terminal 1 has a processing rule DB 14 that stores processing rules for processing packets.
  • In response to the acquisition of the destination address from the notification device 2, the control unit 11 notifies the destination address to the application 10 that requested it. In response to notifying the application 10 of the destination address, the control unit 11 stores a processing rule for processing the packet in the processing rule DB 14.
  • the processing rule DB 14 stores processing rules for processing packets.
  • the notification information DB 14 stores an identifier that uniquely identifies the application 10.
  • a port number corresponding to the application that requested the address may be used instead of the identifier.
  • FIG. 13 shows an example of a table stored in the processing rule DB 14.
  • the processing rule DB 14 stores a destination address notified to the application 10 by the control unit 11, an identifier for uniquely identifying the application 10, and processing contents indicating processing for a packet in association with each other.
  • the processing rule DB 14 stores, for example, a destination address “210.147.209.89”, an identifier “S” of the application 10 that requested the address, and “transfer” as processing contents indicating processing for the packet in association with each other.
  • The processing rule DB 14 stores, for example, a destination address “210.147.209.89”, an identifier “others (indicating that it is other than S)” of the application 10, and “discard” as processing contents indicating processing on the packet in association with each other.
  • The processing rule DB 14 stores, for example, the destination address “210.147.209.90”, the identifier “others (indicating that it is other than T)” of the application 10, and “rewrite destination address to xxx and transfer (transfer to quarantine network)” as processing contents in association with each other.
  • the processing rule DB 14 stores the processing content “transfer” in association with the identifier of the application 10 that acquired the destination address from the notification device 2.
  • the processing rule DB 14 stores the processing content “discard” or “transfer to quarantine network” in association with the identifier of the application 10 that has not acquired the destination address from the notification device 2.
  • In response to receiving a packet corresponding to communication data generated by at least one of the plurality of applications 10, the control unit 11 refers to the processing rule DB 14 and extracts the processing contents for the received packet based on the destination address included in the packet and the identifier of the application 10 that acquired the address.
  • FIG. 14 is a flowchart showing an operation example of the control unit 11 included in the communication terminal 1 in the fourth embodiment of the present invention.
  • control unit 11 receives a request for a destination address of a connection destination from at least one of a plurality of applications (S401).
  • In response to receiving the request for the destination address, the control unit 11 notifies, for example, the service identification information and requests the address from the notification device 2 (S402).
  • the control unit 11 notifies the destination address acquired from the notification device 2 to the application 10 that requested the destination address (S403).
  • the control unit 11 stores the processing rule for processing the packet in the processing rule DB 14 in response to the notification of the destination address to the application 10 (S404).
  • When communication occurs (S405), the control unit 11 refers to the notification information DB 14 and searches for a processing rule for processing the packet based on the destination address and the identifier of the application 10 (S406).
  • control unit 11 processes the received packet according to the processing rule (S407).
  • control unit 11 does not transfer the received packet, for example, discards it (S408).
  • the communication terminal 1 can select RAT (Radio Access Technology), which is a communication method used for communication, according to service identification information of a connection destination. Note that the techniques of the first to fourth embodiments described above can be applied to the fifth embodiment.
  • the communication terminal 1 includes a notification information DB 13 that stores a correspondence relationship between a destination address acquired from the notification device 2 and an application, and a processing rule DB 14 that stores a processing rule for processing a packet.
  • the communication unit 12 includes a communication interface corresponding to each of a plurality of types of communication methods (RAT).
  • The control unit 11 of the communication terminal 1 refers to the notification information DB 13 to determine whether the destination address has been acquired from the notification device 2, and then refers to the processing rule DB 14; it can thus determine the process to be applied to the received packet.
  • the communication system according to the fifth embodiment of the present invention is the same as that shown in FIG.
  • FIG. 15 shows a configuration example of the communication terminal 1 in the fifth embodiment of the present invention.
  • the communication terminal 1 includes a notification information DB 13 and a processing rule DB 14.
  • The control unit 11 notifies the application 10 of the destination address in response to the acquisition of the destination address from the notification device 2. For example, when the control unit 11 notifies the application 10 of the destination address, it stores the destination address, an identifier that uniquely identifies the application 10 (or a port number corresponding to the application), and the service identification information of the service providing device 4 corresponding to the address in the notification information DB 13 in association with each other.
  • the example of the table stored in the notification information DB 13 in the fifth embodiment of the present invention is the same as the example shown in FIG. 6, FIG. 7, or FIG.
  • the notification information DB 13 is the table shown in FIG. 6 as an example.
  • In response to the occurrence of communication, the control unit 11 determines whether or not the communication destination address and the identifier of the application 10 that acquired the destination address are stored in the notification information DB 13 in association with each other.
  • In that case, the control unit 11 refers to the processing rule DB 14 and processes the packet.
  • If the control unit 11 refers to the notification information DB 13 and the communication destination address and the identifier of the application 10 that acquired the destination address are not stored there in association with each other, the control unit 11 discards the packet. Note that the control unit 11 may execute a process of transferring the packet to the quarantine network instead of the process of discarding the packet.
  • FIG. 16 shows an example of a table stored in the processing rule DB 14 in the fifth embodiment of the present invention.
  • the processing rule DB 14 stores a communication type and a processing content applied to a packet in association with each other.
  • the communication type is, for example, a type of communication service identified from the packet port number or the like.
  • the communication type is not limited to the port number of the packet, and may be identified based on other information.
  • the processing rule DB 14 of the fifth embodiment defines processing for selecting a communication method (RAT) according to the communication type.
  • the processing rule DB 14 stores, for example, the communication type “A” and “transfer packet from the communication interface corresponding to WiFi” as the processing content corresponding to the communication type in association with each other.
  • The processing rule DB 14 associates, for example, the communication type “B” with “transfer packet from the communication interface corresponding to 3G (Third Generation) / LTE (Long Term Evolution)” as the processing content corresponding to the communication type.
  • the control unit 11 refers to the processing rule DB 14 based on the communication port number, for example, and searches the communication type corresponding to the port number and the processing content of the communication type.
  • The control unit 11 “discards” the packet or “transfers it to the quarantine network”.
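As an added illustration (not code from the patent), the following Python model implements the terminal-side decision of the third to fifth embodiments: addresses resolved through the notification device are recorded per application in a notification information DB, and a packet is forwarded via the RAT chosen from the processing rule DB only when its (destination address, application identifier) pair was recorded; otherwise it is discarded or rewritten toward the quarantine network. Class and method names, the quarantine address, and the port-to-communication-type mapping are assumptions; the 210.147.209.x addresses and the identifiers S and T follow the page's table examples.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed placeholder for the quarantine network address (not from the page).
QUARANTINE_ADDR = "192.0.2.254"


@dataclass(frozen=True)
class Packet:
    app_id: str      # identifier that uniquely identifies the sending application
    dst_addr: str    # destination address carried by the communication data
    dst_port: int    # port number, used here to identify the communication type


class NotificationDevice:
    """Stand-in for notification device 2: resolves service identification
    information to the address of the service providing device."""

    def __init__(self, directory: Dict[str, str]):
        self._directory = directory

    def resolve(self, service_id: str) -> Optional[str]:
        return self._directory.get(service_id)


class ControlUnit:
    """Stand-in for control unit 11 of the communication terminal."""

    def __init__(self, notifier: NotificationDevice, unauthorized_action: str = "discard"):
        self.notifier = notifier
        # Notification information DB 13: (destination address, application id)
        # -> service identification information (FIG. 6 style table).
        self.notification_db: Dict[Tuple[str, str], str] = {}
        # Processing rule DB 14 of the fifth embodiment: communication type
        # -> processing content, i.e. which RAT interface forwards the packet.
        self.rule_db: Dict[str, str] = {"A": "forward:wifi", "B": "forward:3g_lte"}
        # Communication type identified from the port number (assumed mapping).
        self.port_to_type: Dict[int, str] = {80: "A", 443: "A", 110: "B"}
        # What to do with packets whose address was not obtained via the
        # notification device: "discard" or "quarantine".
        self.unauthorized_action = unauthorized_action

    def request_address(self, app_id: str, service_id: str) -> Optional[str]:
        """S301-S304: resolve the address through the notification device and
        record which application received it."""
        addr = self.notifier.resolve(service_id)
        if addr is not None:
            self.notification_db[(addr, app_id)] = service_id
        return addr

    def process(self, pkt: Packet) -> Tuple[str, Packet]:
        """S305-S308 and the fifth embodiment: returns the processing content
        applied to an outgoing packet and the packet as actually sent."""
        if (pkt.dst_addr, pkt.app_id) not in self.notification_db:
            # Address was not acquired by this application via the notification
            # device: reject, or rewrite the destination toward quarantine.
            if self.unauthorized_action == "quarantine":
                redirected = Packet(pkt.app_id, QUARANTINE_ADDR, pkt.dst_port)
                return ("forward:quarantine", redirected)
            return ("discard", pkt)
        # Address was legitimately acquired: choose the RAT by communication type.
        comm_type = self.port_to_type.get(pkt.dst_port)
        action = self.rule_db.get(comm_type, "discard") if comm_type else "discard"
        return (action, pkt)
```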
  • the sixth embodiment of the present invention shows an example in which the present invention is implemented by improving the technique called OpenFlow, which is a centralized control type network architecture.
  • the sixth embodiment can be applied to any of the above-described embodiments.
  • OpenFlow recognizes communication as an end-to-end flow, and can perform path control and the like on a per-flow basis.
  • FIG. 17 shows an outline of a communication system configured by the OpenFlow technology.
  • a flow is a series of communication packets having predetermined attributes (attributes identified based on a communication destination, a transmission source, and the like), for example.
  • the OpenFlow switch (OpenFlow Switch) 51 is a network switch that employs OpenFlow technology.
  • the OpenFlow controller (OpenFlow controller) 50 is an information processing apparatus that controls the OpenFlow switch 51.
  • the OpenFlow switch 51 communicates with the OpenFlow controller 50 via a secure channel 52 that is set up with the OpenFlow controller 50.
  • the OpenFlow controller 50 sets the flow table (Flow Table) 510 of the OpenFlow switch 51 via the secure channel 52.
  • the secure channel 52 is a communication path on which measures for preventing eavesdropping or falsification of communication between the switch and the controller are taken.
  • FIG. 18 shows a configuration example of each entry (flow entry) in the flow table 510.
  • The flow entry is composed of a matching rule (Match Fields) for matching against information included in the header of a packet received by the switch (for example, destination IP address, VLAN ID (Virtual Local Area Network Identifier), etc.), statistical information (Counters) for each packet flow, and instructions (Instructions) that define how to process a packet that matches the matching rule.
  • When the OpenFlow switch 51 receives a packet, it refers to the flow table 510.
  • The OpenFlow switch 51 searches for a flow entry that matches the header information of the received packet.
  • the OpenFlow switch 51 processes the received packet according to the processing method defined in the instruction field of the found entry.
  • The processing method specifies, for example, “transfer the received packet from a predetermined port”, “discard the received packet”, or “rewrite part of the header of the received packet and transfer it from a predetermined port”.
  • the OpenFlow switch 51 transfers the received packet to the OpenFlow controller 50 via the secure channel 52, for example.
  • the OpenFlow switch 51 requests the OpenFlow controller 50 to set a flow entry that defines the received packet processing method by transferring the received packet.
  • The OpenFlow switch 51 may request the controller to set a flow entry according to the processing method when a packet matches a flow entry that specifies that a request is transmitted to the controller.
  • The OpenFlow controller 50 determines the received packet processing method and sets a flow entry including the determined processing method in the flow table 510. After that, the OpenFlow switch 51 processes subsequent packets belonging to the same flow as the received packet according to the set flow entry.
  • FIG. 19 shows an example of a communication system according to the sixth embodiment of the present invention.
  • the sixth embodiment of the present invention includes a communication terminal 1, a notification device 2, a network 3, a service providing device 4, and a control server 6.
  • the control server 6 can communicate with the communication terminal 1 according to the OpenFlow protocol. Note that the function of the notification device 2 and the function of the control server 6 may be implemented in the same device. Further, the function of the communication terminal 1 and the function of the control server 6 may be implemented in the same device.
  • FIG. 20 is a diagram showing an example of the configuration of the communication terminal 1 in the sixth embodiment of the present invention.
  • the communication terminal 1 includes a plurality of applications 10, a virtual switch 15, a plurality of switch ports 16, and at least one communication interface 17.
  • a plurality of communication interfaces 17 are illustrated, but the number of communication interfaces 17 may be one.
  • Each communication interface 17 corresponds to, for example, a predetermined communication method (RAT).
  • the communication terminal 1 has a virtual switch 15 configured by improving the OpenFlow switch.
  • the virtual switch 15 is configured by software (virtual switch), but the present invention may be configured by hardware.
  • the virtual switch 15 has the same function as the control unit 11 illustrated in FIG. Further, the virtual switch 15 has a function of operating according to an instruction transmitted from the control server 6.
  • Each application 10 is connected to the switch port 16.
  • the communication interface 17 is connected to the switch port 16.
  • FIG. 21 shows an example of the configuration of the control server 6.
  • the control server 6 includes a communication unit 60, a processing rule determination unit 61, a management DB 62, a terminal management unit 63, and a notification information DB 64.
  • the communication unit 60 has a function of communicating with the communication terminal 1 based on the OpenFlow protocol.
  • the communication unit 60 receives a request for a packet processing rule (corresponding to the above-mentioned “flow entry”) from the communication terminal 1.
  • the communication unit 60 notifies the communication terminal 1 of the processing rule.
  • the notification information DB 64 is a database that manages information (for example, FIGS. 6, 7, and 10) related to the notification information exemplified in the above-described embodiment.
  • the notification information DB 64 has a database composed of information related to notification information (for example, FIGS. 6, 7, and 10) for each communication terminal 1 managed by the control server 6.
  • The communication terminal 1 notifies the control server 6 of the destination address and of information (for example, a port number) for identifying the application corresponding to the destination address.
  • the notification information DB 64 stores, for example, information received from the virtual switch 15 of each communication terminal 1 (for example, information for identifying a destination address and an application).
  • the notification information DB 64 may store the service identification information of the service providing apparatus 4 corresponding to the destination address in association with the destination address and the information for identifying the application.
  • the processing rule determination unit 61 determines a processing rule to be set in the virtual switch 15 of the communication terminal 1.
  • the processing rule determination unit 61 refers to the information included in the notification information DB 64 and the terminal management unit 63 and generates a processing rule to be set in the virtual switch.
  • The terminal management unit 63 manages, for example, the SSID of a wireless LAN access point to which the communication terminal 1 can connect, position information of the communication terminal 1, and information (for example, an application identifier) about the applications installed in the communication terminal 1. For example, the terminal management unit 63 transmits a collection request for such information to the communication terminal 1 and collects the information. For example, the terminal management unit 63 collects information from the communication terminal 1 at a predetermined cycle.
  • the terminal management unit 63 manages, for example, the connection relationship between the switch port 16 and the application for the communication terminal 1. Further, the terminal management unit 63 manages, for example, the connection relationship between the switch port 16 and the communication interface 12 for the communication terminal 1.
  • a communication device such as a network switch compliant with OpenFlow has a function (Port Status) for notifying the controller of the port status of the communication device and a function (Feature Request / Reply) for notifying the controller of the characteristics of the switch.
  • the terminal management unit 63 may collect information from the communication terminal 1 using these functions.
  • the virtual switch 15 of each communication terminal 1 can request the control server 6 for a processing rule for processing a packet.
  • In response to a request from the virtual switch 15, the processing rule determination unit 61 refers to the notification information DB 64 and determines whether or not the destination address of the packet corresponding to the request and the identifier of the application 10 that is the transmission source of the packet are stored in association with each other. If they are stored in association with each other in the notification information DB 64, the processing rule determination unit 61 determines that the destination address was acquired from the notification device 2.
  • the processing rule determination unit 61 creates a processing rule for transferring the packet.
  • the processing rule determination unit 61 creates a processing rule for discarding the packet. Note that the processing rule determination unit 61 may create a processing rule for transferring to the quarantine network instead of the processing rule for discarding the packet.
  • the processing rule determination unit 61 stores the generated processing rule in the management DB 62.
  • FIG. 22 shows an example of processing rules generated by the processing rule determination unit 61.
  • the processing rule determination unit 61 defines a destination address of a packet corresponding to a request from the virtual switch 15 and a port number of the packet as a matching rule.
  • For example, as the processing method (“Instruction”) corresponding to the matching rule, the processing rule determination unit 61 defines a processing method for transferring the packet from the switch port 16 corresponding to the communication method (RAT) that corresponds to the destination address and the port number.
  • The matching rule of the processing rule on the first line is “destination address is ‘A’ and port number is ‘80’”.
  • the instruction of the processing rule on the first line indicates that the packet is transferred to the switch port 16 corresponding to WiFi.
  • The matching rule of the processing rule on the third line is “destination address is ‘A’ and port number is ‘110’”.
  • the instruction of the processing rule on the third line indicates that the packet is discarded.
  • FIG. 23 shows an example of the configuration of the virtual switch 15.
  • the virtual switch 15 includes a communication unit 150, a processing rule DB 151, and a processing unit 153.
  • the processing unit 153 includes a process search unit 153 and an action execution unit 154.
  • the communication unit 150 communicates with the control server 6 according to the OpenFlow protocol.
  • the processing rule DB 151 stores the processing rule notified from the control server 6.
  • the processing unit 152 processes the packet according to the processing rule notified from the control server 6.
  • the process search unit 153 searches the process rule DB 151 for a process rule corresponding to the received packet.
  • The process search unit 153 compares the packet with the “Match Fields” of the processing rules stored in the process rule DB 142 to search for a processing rule corresponding to the packet.
  • the action execution unit 154 processes the packet according to the processing method defined in the “Instruction” field of the searched processing rule.
  • the processing search unit 153 requests the control server 6 to set the processing rule.
  • FIG. 24 is a sequence diagram showing an operation example of the sixth embodiment of the present invention.
  • When transmitting a packet, the communication terminal 1 requests the notification device 2, via the control server 6, for the destination address of the service providing device 4 that is the transmission destination of the packet (S601 and S602). Note that the communication terminal 1 may request the destination address from the notification device 2 without going through the control server 6; the notification device 2 then notifies the communication terminal 1 of the destination address, and the communication terminal 1 notifies the control server 6 of the destination address acquired from the notification device 2.
  • Upon receiving the address request, the notification device 2 notifies the address to the communication terminal 1 via the control server 6 (S603 and S604).
  • Upon receiving the address notification, the communication terminal 1 requests a processing rule for processing the packet from the control server 6 when transmitting the packet using the notified address (S605).
  • the control server 6 notifies the communication terminal 1 of a processing rule for processing the packet (Flow Mod in S606).
  • the communication terminal 1 transfers the packet based on the processing rule notified from the control server 6 (S607).
  • the seventh embodiment of the present invention shows another example in which the present invention is implemented by improving the technique called OpenFlow, which is a centralized network architecture.
  • the seventh embodiment can be applied to any of the above-described embodiments.
  • The processing rule determination unit 61 of the control server 6 notifies the communication terminal 1 in advance of a processing rule for processing a packet, in response to receiving an address from the notification device 2. Therefore, the communication terminal 1 does not need to request a processing rule when transmitting a packet.
  • the communication system according to the seventh embodiment of the present invention is the same as that shown in FIG.
  • a configuration example of the control server 6 according to the seventh embodiment of the present invention is the same as that shown in FIG.
  • the processing rule determination unit 61 determines a processing rule to be set in the virtual switch 15 of the communication terminal 1.
  • the processing rule determination unit 61 refers to information held by the terminal management unit 63 and generates a processing rule to be set in the virtual switch.
  • The processing rule determination unit 61 sets a processing rule for processing a packet in the communication terminal 1 to which the address was notified.
  • The processing rule determination unit 61 sets in advance a processing rule for transferring a packet transmitted by the application 10 that requested the address.
  • For example, in response to receiving an address from the notification device 2, the processing rule determination unit 61 sets in advance, in the communication terminal 1, a processing rule for discarding a packet transmitted by an application 10 that did not request the address, or a processing rule for transferring it to the quarantine network.
  • FIG. 25 is a sequence diagram showing an operation example of the seventh embodiment of the present invention.
  • When transmitting a packet, the communication terminal 1 requests the notification device 2, via the control server 6, for the address of the service providing device 4 that is the transmission destination of the packet (S801 and S802).
  • Upon receiving the address request, the notification device 2 notifies the control server 6 of the address (S803).
  • the control server 6 notifies the communication terminal 1 of the address received from the notification device 2 (S804).
  • The control server 6 sets a processing rule for processing the packet in the communication terminal 1 to which the address was notified (S805).
  • the communication terminal 1 that has received the notification of the address transfers a packet including the notified address based on the processing rule notified from the control server 6 (S806).
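The sixth and seventh embodiments move the same decision into the control server, which expresses it as OpenFlow-style processing rules. The following Python model, added here and not the patent's code, shows a processing rule determination unit that, as soon as an address is notified, installs a forwarding rule for the requesting application plus a lower-priority catch-all rule for any other application (seventh embodiment), answers table-miss requests from the virtual switch (sixth embodiment), and the virtual switch's process search by priority. Destination “A” and ports 80/110 follow FIG. 22; the assumption that the port number identifies the application, the port-to-RAT mapping, the quarantine address and all names are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class FlowEntry:
    """Processing rule modelled on an OpenFlow flow entry (FIG. 18 / FIG. 22)."""
    dst_addr: str          # match field: destination address
    port: Optional[int]    # match field: port number identifying the application; None = wildcard
    instruction: str       # e.g. "output:wifi", "drop", "set_dst:<addr>,output:quarantine"
    priority: int = 0      # highest matching priority wins


class ProcessingRuleDeterminationUnit:
    """Stand-in for processing rule determination unit 61 of control server 6."""

    def __init__(self, rat_by_port: Dict[int, str], unauthorized: str = "drop"):
        # Notification information DB 64: (destination address, port) -> service id.
        self.notification_db: Dict[Tuple[str, int], str] = {}
        self.rat_by_port = rat_by_port          # assumed port -> RAT mapping
        self.unauthorized = unauthorized        # instruction for non-authorized packets

    def _forward(self, dst_addr: str, port: int) -> FlowEntry:
        rat = self.rat_by_port.get(port, "wifi")   # assumed default RAT
        return FlowEntry(dst_addr, port, f"output:{rat}", priority=10)

    def on_address_notified(self, dst_addr: str, port: int, service_id: str) -> List[FlowEntry]:
        """Seventh embodiment (S803-S805): record the notification and return the
        rules to push in advance. The wildcard entry has a lower priority, so only
        packets from other applications fall through to it."""
        self.notification_db[(dst_addr, port)] = service_id
        return [self._forward(dst_addr, port),
                FlowEntry(dst_addr, None, self.unauthorized, priority=1)]

    def on_rule_request(self, dst_addr: str, port: int) -> FlowEntry:
        """Sixth embodiment (S605-S606): reactive decision for a packet the switch
        could not match. Forward only if this application obtained the address
        through the notification device."""
        if (dst_addr, port) in self.notification_db:
            return self._forward(dst_addr, port)
        return FlowEntry(dst_addr, port, self.unauthorized, priority=10)


class VirtualSwitch:
    """Stand-in for virtual switch 15: processing rule DB 151 plus process search."""

    def __init__(self, controller: ProcessingRuleDeterminationUnit):
        self.controller = controller
        self.table: List[FlowEntry] = []

    def install(self, entries: List[FlowEntry]) -> None:
        self.table.extend(entries)

    def lookup(self, dst_addr: str, port: int) -> Optional[FlowEntry]:
        """Process search unit: compare the packet with the match fields."""
        matches = [e for e in self.table
                   if e.dst_addr == dst_addr and e.port in (None, port)]
        return max(matches, key=lambda e: e.priority) if matches else None

    def handle(self, dst_addr: str, port: int) -> str:
        """Action execution: return the instruction applied to the packet,
        asking the controller on a table miss and caching its answer."""
        entry = self.lookup(dst_addr, port)
        if entry is None:
            entry = self.controller.on_rule_request(dst_addr, port)
            self.install([entry])
        return entry.instruction
```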

Abstract

A communication terminal is provided with a communication means capable of transmitting communication data generated by an application, and a control means capable of determining, on the basis of whether or not a destination address of the communication data has been acquired from an address solution system capable of retrieving the destination address using identification information indicating the destination of the communication data, whether or not the transmission of communication data is permitted. In filtering of communication in the communication terminal, it becomes possible to reduce management costs for the filtering.

Description

Communication terminal, communication system, communication method, and program
(Description of related applications)
The present invention is based on the priority claim of Japanese Patent Application No. 2013-170013 (filed on August 20, 2013), the entire contents of which are incorporated herein by reference.
The present invention relates to a communication terminal, a communication system, a communication method, and a program.
In recent years, companies and the like have provided services to employees and members of a department over an internal NW such as an intranet or a local network (NW: Network) within a department. Because such an internal NW contains confidential information of the company and various systems may be running on it, unauthorized access by third parties from an external NW must be suppressed to ensure safety.
Patent Document 1 discloses a communication filtering system and the like that filter communication from an external NW to an internal NW. The communication filtering described in Patent Document 1 includes a communication filtering unit 30 having a filtering unit 301 and a user authentication unit 302, and a user information storage unit 402. In Patent Document 1, an administrator registers in advance, in the user information storage unit 402, the user information (user identifier and user authentication information) of all users who form a community.
When the filtering unit 301 receives a request from the user terminal 21, it requests user authentication from the user authentication unit 302.
On receiving the user authentication request from the filtering unit 301, the user authentication unit 302 collates the user identifier and user authentication information included in the request with the user information stored in the user information storage unit 402. The user authentication unit 302 then determines that user authentication succeeded if user information matching the combination of user identifier and user authentication information in the request exists, determines that user authentication failed if no such user information exists, and notifies the filtering unit 301 of the user authentication result.
If user authentication fails in the user authentication unit 302, the filtering unit 301 discards the request from the terminal 21. On the other hand, if user authentication succeeds in the user authentication unit 302, the filtering unit 301 transfers the request from the terminal 21 to the requested service.
特開2008-46875号公報JP 2008-46875 A
 In the communication filtering system described in Patent Document 1, an administrator registers in advance, in the user information storage unit 402, the user information of the users who are permitted to communicate. That is, in this communication filtering system, the administrator must identify the users who form a community and register those users' information beforehand.
 In recent years, communication terminals such as smartphones and tablet terminals have become widespread, and the need to filter communication from these terminals is growing. Such terminals may download and run applications, and as the number of applications in use increases, the amount of communication that has to be filtered is expected to increase as well.
 If the communication of such terminals is filtered using the technique of Patent Document 1, in which an administrator manages user information for the purpose of filtering, the management cost of filtering (for example, the burden on the administrator of managing the applications on every user terminal) becomes a problem.
 Accordingly, the problem is how to reduce the management cost of filtering when filtering communication in a communication terminal. An object of the present invention is to provide a communication terminal, communication system, communication method and program that contribute to solving this problem.
 A communication terminal according to a first aspect of the present invention comprises communication means (unit) capable of transmitting communication data generated by an application, and control means (unit) capable of determining whether the communication data may be transmitted, based on whether the destination address of the communication data was acquired from an address resolution system that can look up the destination address using identification information representing the destination of the communication data.
 A communication system according to a second aspect of the present invention comprises an address resolution system capable of looking up a destination address using identification information representing the destination of communication data, and a communication terminal having communication means (unit) capable of transmitting communication data generated by an application and control means (unit) capable of determining whether the communication data may be transmitted, based on whether the destination address of the communication data was acquired from the address resolution system.
 A communication method according to a third aspect of the present invention includes a step of transmitting communication data generated by an application, and a step of determining whether the communication data may be transmitted, based on whether the destination address of the communication data was acquired from an address resolution system that can look up the destination address using identification information representing the destination of the communication data.
 A program according to a fourth aspect of the present invention causes a computer to execute a process of transmitting communication data generated by an application, and a process of determining whether the communication data may be transmitted, based on whether the destination address of the communication data was acquired from an address resolution system that can look up the destination address using identification information representing the destination of the communication data. The program may also be provided as a program product recorded on a non-transitory computer-readable storage medium.
 According to the communication terminal, communication system, communication method and program of the present invention, the management cost of filtering can be reduced when filtering communication in a communication terminal.
FIG. 1 shows an example of a communication system according to a first embodiment of the present invention.
FIG. 2 shows an example of the configuration of the communication terminal of the first embodiment.
FIG. 3 is a sequence diagram showing an operation example of the first embodiment.
FIG. 4 is a flowchart showing an operation example of the control unit 11 of the communication terminal 1 of the first embodiment.
FIG. 5 shows an example of the configuration of the communication terminal of a second embodiment.
FIG. 6 shows an example of a table stored in the notification information DB (Database) 13 of the second embodiment.
FIG. 7 shows another example of a table stored in the notification information DB 13 of the second embodiment.
FIG. 8 is a flowchart showing an operation example of the control unit 11 of the communication terminal 1 of the second embodiment.
FIG. 9 shows an example of a communication system according to a third embodiment.
FIG. 10 shows an example of a table stored in the notification information DB 13 of the third embodiment.
FIG. 11 is a flowchart showing an operation example of the control unit 11 of the communication terminal 1 of the third embodiment.
FIG. 12 shows an example of the configuration of the communication terminal of a fourth embodiment.
FIG. 13 shows an example of a table stored in the processing rule DB 14 of the fourth embodiment.
FIG. 14 is a flowchart showing an operation example of the control unit 11 included in the communication terminal 1 of the fourth embodiment.
FIG. 15 shows an example of the configuration of the communication terminal of a fifth embodiment.
FIG. 16 shows an example of a table stored in the processing rule DB 14 of the fifth embodiment.
FIG. 17 shows an example of the configuration of a sixth embodiment.
FIG. 18 shows an example of a flow table in the sixth embodiment.
FIG. 19 shows an example of a communication system according to the sixth embodiment.
FIG. 20 shows an example of the configuration of the communication terminal of the sixth embodiment.
FIG. 21 shows an example of the configuration of the communication server of the sixth embodiment.
FIG. 22 shows an example of a processing rule of the sixth embodiment.
FIG. 23 shows an example of the configuration of the virtual switch 15 of the sixth embodiment.
FIG. 24 is a sequence diagram showing an operation example of the sixth embodiment.
FIG. 25 is a sequence diagram showing an operation example of a seventh embodiment.
 <Embodiment 1>
 A first embodiment of the present invention will be described with reference to the drawings. As shown in FIG. 1, the communication system according to the first embodiment includes a communication terminal 1, a notification device 2 and a network 3. The drawing reference signs added in this overview are attached to the elements merely as an example to aid understanding, and are not intended to limit the present invention to the illustrated modes.
 In the first embodiment, the communication terminal 1 filters communication by making use of address resolution (address requests), the process by which it acquires the destination address of a communication. Because the communication terminal 1 filters communication by relying on address resolution, the management cost of, for example, managing the applications installed on each user's terminal can be reduced.
 In the first embodiment, the communication terminal 1 is a device with a communication function, such as a mobile phone, smartphone, personal computer, tablet terminal, mobile router, switch or server. A mobile router is, for example, a terminal that relays a mobile phone 3G (Third Generation) line or a wireless LAN (Local Area Network) network.
 FIG. 2 shows a configuration example of the communication terminal 1 in the first embodiment.
 The communication terminal 1 includes a plurality of applications 10, a control unit (control means) 11 and a communication unit (communication means) 12.
 At least one of the applications 10 communicates using a destination address (for example an IP (Internet Protocol) address) that a DNS (Domain Name System) resolver or the like in the control unit 11 has acquired from an address resolution system such as a DNS server.
 When, for example, the destination address of an application 10's communication data is unknown, the control unit 11 performs address resolution using a DNS resolver or the like. For example, the control unit 11 sends identification information contained in a URL (Uniform Resource Locator), or identification information such as an FQDN (Fully Qualified Domain Name), to the notification device 2 (a DNS server or the like). The notification device 2, for example, looks up the destination address using the identification information and notifies the control unit 11 of it. The control unit 11 passes the destination address notified in response to the request on to the application 10.
 The control unit 11 determines whether the communication data generated by the application 10 may be transmitted, based on whether its destination address was acquired from the address resolution system. Communication data whose transmission the control unit 11 permits is transmitted by the communication unit 12.
 The communication unit 12 is a means for forwarding packets generated from communication data from the communication terminal 1 toward the connection destination; it is, for example, an antenna. The communication terminal 1 forwards packets to the network 3 using the communication unit 12.
 The notification device 2 is a device that, in response to an address request from the communication terminal 1, notifies the communication terminal 1 of the address of its connection destination. The notification device 2 is, for example, a DNS (Domain Name Service) server.
 When the communication terminal 1 requests an address, the notification device 2 notifies the communication terminal 1 of the destination address corresponding to the connection destination identification information sent by the communication terminal 1.
 FIG. 3 is a sequence diagram showing an operation example of the first embodiment.
 In the first embodiment, the communication terminal 1 requests address resolution of the destination from the notification device 2, using identification information that uniquely identifies the connection destination (such as the domain name contained in a URL, or an FQDN) (S001).
 On receiving the address request, the notification device 2 notifies the communication terminal 1 of the destination address corresponding to the connection destination identification information sent by the communication terminal 1 (S002).
 On receiving the address notification, the communication terminal 1 transmits a packet using the notified address (S003).
 FIG. 4 is a flowchart showing an operation example of the control unit 11 included in the communication terminal 1 in the first embodiment.
 In the first embodiment, when a communication occurs (S101), the control unit 11 determines whether the destination address of the communication data for that communication was acquired from the notification device 2 (S102).
 If the destination address was acquired from the address resolution system, the control unit 11 transmits the packet corresponding to the communication data toward the destination address (S103).
 On the other hand, if the destination address was not acquired from the address resolution system, the control unit 11 does not forward the packet corresponding to the communication data and, for example, discards it (S104).
 In the first embodiment, the control unit 11 of the communication terminal 1 filters communication by determining whether communication data generated by the application 10 may be transmitted, based on whether its destination address was acquired from the address resolution system.
 Consequently, in the communication filtering of the communication terminal 1, the management cost of, for example, managing the applications installed on each user's terminal is reduced.
 The first embodiment also makes it possible to maintain the security of the communication terminal 1 even when an unauthorized application is installed on it. Consider, for example, the case where an application with the address of an illegitimate destination embedded in it is installed on the communication terminal 1. When this application communicates, no address resolution by DNS or the like takes place, because the address of the illegitimate destination is already embedded in the application, and the communication goes directly to that embedded illegitimate destination. With the technique of the first embodiment, the communication terminal 1 can prevent communication to any destination address that was not acquired through address resolution, and the security of the communication terminal 1 is therefore strengthened.
 <Embodiment 2>
 A second embodiment of the present invention will be described with reference to the drawings. In the second embodiment, the communication terminal 1 has a notification information database (DB: Database) 13 that stores the correspondence between destination addresses acquired from the notification device 2 and the applications 10. The technique of the first embodiment described above can also be applied to the second embodiment.
 In the second embodiment, the control unit 11 of the communication terminal 1 also functions as a means that refers to the notification information DB 13 to determine whether the destination address of communication data generated by an application 10 was acquired from the address resolution system. The communication terminal 1 filters communication based on the result of that determination by the control unit 11.
 The communication system according to the second embodiment is the same as that of FIG. 1.
 FIG. 5 shows a configuration example of the communication terminal 1 in the second embodiment.
 In the second embodiment, the communication terminal 1 has a notification information database (DB) 13 that records to which application each address notified by the notification device 2 was passed.
 On acquiring a destination address from the notification device 2, the control unit 11 notifies the application 10 of the acquired destination address. When it notifies the application 10 of the destination address, the control unit 11 stores that destination address in the notification information DB 13 in association with an identifier that uniquely identifies the application to which the address was notified.
 FIG. 6 shows an example of a table stored in the notification information DB 13.
 As shown in FIG. 6, the notification information DB 13 stores each address that the control unit 11 notified to an application 10 in association with an identifier that uniquely identifies that application 10. In the second embodiment, the control unit 11 refers to the notification information DB 13 to determine whether the destination address of communication data generated by an application 10 was acquired from the notification device 2 (that is, whether address resolution was performed).
 For example, the notification information DB 13 stores the destination address "210.147.209.89" in association with the identifier "S", which uniquely identifies the application 10 that acquired that address, and the destination address "210.147.209.90" in association with the identifier "T", which uniquely identifies the application 10 that acquired that address.
 On receiving communication data from at least one of the applications 10, the control unit 11 refers to the notification information DB 13. If the notification information DB 13 stores the destination address of the communication data in association with the identifier of the application 10 that sent it, the control unit 11 determines that the destination address was acquired from the notification device 2. The control unit 11 looks up the notification information DB 13 using, for example, the identifier of the application 10 contained in the communication data together with the destination address of that data. Alternatively, for example, on receiving communication data the control unit 11 requests the application identifier from the application 10 that sent it, and looks up the notification information DB 13 using the identifier obtained in response together with the destination address.
 On the other hand, if the notification information DB 13 does not store the destination address of the communication data in association with the identifier of the application 10 that sent it, the control unit 11 determines that the destination address was not acquired from the notification device 2.
 For example, on receiving a packet with destination address "210.147.209.89" from the application 10 whose identifier is "S", the control unit 11 refers to the notification information DB 13. Because the destination address "210.147.209.89" is stored in the notification information DB 13 in association with the identifier "S", the control unit 11 determines that the destination address was acquired from the notification device 2.
 On the other hand, on receiving a packet with destination address "210.147.209.89" from the application 10 whose identifier is "T", the control unit 11 refers to the notification information DB 13. Because the address "210.147.209.89" is not stored in the notification information DB 13 in association with the identifier "T", the control unit 11 determines that the destination address was not acquired from the notification device 2.
 FIG. 7 shows another example of a table stored in the notification information DB 13.
 As shown in FIG. 7, the notification information DB 13 stores each destination address that the control unit 11 notified to an application 10 in association with the port number corresponding to that application 10. Since the port numbers corresponding to different applications 10 can be presumed to differ from one another, each application 10 can be identified by its port number. Accordingly, if the notification information DB 13 stores the destination address in association with the port number, the control unit 11 determines that the destination address of the communication data generated by the application 10 was acquired from the notification device 2.
 On the other hand, if the notification information DB 13 does not store the destination address in association with the port number, the control unit 11 determines that the destination address of the communication data was not acquired from the notification device 2.
 For example, the notification information DB 13 stores the destination address "210.147.209.89" in association with the port number "15" corresponding to the application 10 that acquired that address, and the destination address "210.147.209.90" in association with the port number "16" corresponding to the application 10 that acquired that address.
 For example, the control unit 11 receives communication data with destination address "210.147.209.89" from the application 10 corresponding to port number "15" and refers to the notification information DB 13. Because the destination address "210.147.209.89" is stored in the notification information DB 13 in association with the port number "15", the control unit 11 determines that the destination address was acquired from the notification device 2.
 On the other hand, for example, the control unit 11 receives communication data with destination address "210.147.209.89" from the application 10 corresponding to port number "16" and refers to the notification information DB 13. Because the destination address "210.147.209.89" is not stored in the notification information DB 13 in association with the port number "16", the control unit 11 determines that the destination address was not acquired from the notification device 2.
 When it determines that the destination address was acquired from the notification device 2, the control unit 11 transmits the communication data as a packet from the communication unit 12.
 On the other hand, when it determines that the destination address was not acquired from the notification device 2, the control unit 11 performs processing to refuse transmission of the communication data (for example, discarding the data). Instead of discarding the packet, the control unit 11 may forward it to a quarantine network.
 FIG. 8 is a flowchart showing an operation example of the control unit 11 included in the communication terminal 1 in the second embodiment.
 In the second embodiment, the control unit 11 receives a destination address resolution request from at least one of the applications (S201).
 On receiving the address resolution request, the control unit 11 requests the address from the notification device 2 using the destination identification information (S202).
 The control unit 11 notifies the application 10 of the destination address acquired from the notification device 2 (S203).
 Having notified the application 10 of the destination address, the control unit 11 stores the notified address in the notification information DB 13 in association with an identifier that uniquely identifies the application (or the port number corresponding to the application that requested the address) (S204).
 When a communication occurs (S205), the control unit 11 refers to the notification information DB 13 and determines whether the destination address of the communication was acquired from the notification device 2 (S206).
 If the determination shows that the destination address was acquired from the notification device 2, the control unit 11 transmits the communication data as a packet to the destination address (S207).
 On the other hand, if the determination shows that the destination address was not acquired from the notification device 2, the control unit 11 performs processing to refuse transmission of the communication data (for example, discarding it) (S208).
 <Embodiment 3>
 A third embodiment of the present invention will be described with reference to the drawings. In the third embodiment, the notification information DB 13 of the communication terminal 1 stores, in addition to the destination address and the identifier that uniquely identifies the application that acquired it (or the port number corresponding to the application that requested the address), the identification information of the communication's connection destination, all in association with one another. Any of the techniques of the first and second embodiments described above can be applied to the third embodiment.
 In the third embodiment, the control unit 11 of the communication terminal 1 refers to the notification information DB 13 and determines whether a lookup of the connection destination identification information, keyed by the destination address and the identifier (or port number) of the application 10, succeeds. In the third embodiment, the lookup of the connection destination identification information succeeds when the destination address of the communication data was acquired from the notification device 2, and fails when it was not.
 Therefore, in the third embodiment, by determining whether the lookup of the connection destination identification information succeeds, the control unit 11 can determine whether the destination address of the communication data was acquired from the notification device 2, and can filter communication accordingly.
As shown in FIG. 9, the communication system of the third embodiment includes a communication terminal 1, a notification device 2, a network 3, and a service providing device 4 (the connection destination).
The service providing device 4 is the device to which the communication terminal 1 connects and which provides a service to the communication terminal 1; it is, for example, a Web server. There may be more than one service providing device 4.
The communication terminal 1 of the third embodiment is the same as that of FIG. 5.
In the third embodiment, when at least one of the plurality of applications 10 communicates with the service providing device 4, it notifies the notification device 2 of service identification information that uniquely identifies that service providing device 4 and requests the address of that service providing device 4.
In the third embodiment, the application 10 notifies the notification device 2 of the service identification information of the service providing device 4 described above as the identification information of the connection destination. The service identification information is information other than an address that uniquely identifies the service providing device 4, for example the name of the service providing device 4 or the name of the service it provides.
At least one of the plurality of applications 10 transmits packets using the address notified by the notification device 2 and thereby communicates with the service providing device 4.
The control unit 11 notifies the destination address acquired from the notification device 2 to the application 10 that requested it. Upon notifying the application 10 of the destination address, the control unit 11 stores the notified destination address, an identifier that uniquely identifies the application 10 that requested it, and the service identification information of the service providing device 4 in the notification information DB 13, associated with one another. The identifier that uniquely identifies the application 10 that requested the destination address may be the port number corresponding to that application 10.
FIG. 10 shows an example of the table stored in the notification information DB 13.
In the following, an example in which the notification information DB 13 stores an identifier that uniquely identifies the application 10 is described; the port number corresponding to the application that requested the address may be used instead of the identifier.
As shown in FIG. 10, the notification information DB 13 stores the address that the control unit 11 notified to the application 10, an identifier that uniquely identifies the application 10 that requested that address, and the service identification information of the service providing device 4 corresponding to that address, associated with one another.
For example, the notification information DB 13 stores the destination address "210.147.209.89", the identifier "S" of the application 10 that requested that address, and the service identification information "AAA" of the corresponding service providing device 4, in association.
The control unit 11 receives communication data from at least one of the plurality of applications 10. The control unit 11 refers to the notification information DB 13 and searches for service identification information using the destination address of the received communication data and the identifier of the application 10 that sent the communication data.
For example, when the control unit 11 receives communication data with the destination address "210.147.209.89" from the application 10 with identifier "S" and refers to the notification information DB 13 using that identifier and destination address, the search for the service identification information "AAA" of the service providing device 4 succeeds.
When the control unit 11 receives communication data with the destination address "210.147.209.89" from the application 10 with identifier "T" and refers to the notification information DB 13 using that identifier and destination address, the search for the service identification information "AAA" of the service providing device 4 fails.
When the search for service identification information succeeds, the control unit 11 transmits the communication data as packets.
When the search for service identification information fails, the control unit 11 executes a process that refuses transmission of the communication data (for example, discarding it). Instead of discarding the packet, the control unit 11 may forward it to a quarantine network.
Upon receiving an address request from the communication terminal 1, the notification device 2 searches for the address of the service providing device 4 corresponding to the notified service identification information and notifies the communication terminal 1 of the address found.
FIG. 11 is a flowchart showing an example of the operation of the control unit 11 of the communication terminal 1 in the third embodiment.
In the third embodiment, the control unit 11 receives a request for the destination address of a connection destination from at least one of the plurality of applications (S301).
In response to the address request, the control unit 11 notifies the notification device 2 of the service identification information and transmits a destination address resolution request (S302).
The control unit 11 notifies the address notified by the notification device 2 to the application 10 that requested it (S303).
Upon notifying the application 10 of the destination address, the control unit 11 stores the notified destination address, an identifier that uniquely identifies the application that requested it (or the port number corresponding to the application), and the service identification information of the service providing device in the notification information DB 13, associated with one another (S304).
When communication occurs (S305), the control unit 11 refers to the notification information DB 13 and searches for the service identification information (S306).
If the search for the service identification information succeeds, the control unit 11 transmits the communication data as packets (S307).
If the search for the service identification information fails, the control unit 11 does not forward the received packet and, for example, discards it (S308).
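The following Python is an added example, not code from the patent, modelling the procedure of S301 to S308: a notification device that resolves a service identifier to an address, a notification information DB keyed by (destination address, application identifier) as in FIG. 10, and a control unit that forwards communication data only when that lookup succeeds and otherwise drops or quarantines it. The class names, the directory contents and the addresses 210.147.209.89, 210.147.209.90 and 198.51.100.7 are constructed for illustration.

```python
# Added example (not from the patent): a minimal model of the third
# embodiment's notification device 2, notification information DB 13 and
# control unit 11. The directory and addresses are constructed sample data.
import ipaddress
from typing import Optional


class NotificationDevice:
    """Stand-in for notification device 2: resolves a service identifier
    (a name, not an address) to the address of service providing device 4."""

    def __init__(self, directory: dict[str, str]):
        self._directory = dict(directory)  # constructed sample directory

    def resolve(self, service_id: str) -> Optional[str]:
        return self._directory.get(service_id)


class NotificationDB:
    """Notification information DB 13: (destination address, application
    identifier) -> service identification information, as in FIG. 10."""

    def __init__(self) -> None:
        self._entries: dict[tuple[str, str], str] = {}

    def record(self, dst_addr: str, app_id: str, service_id: str) -> None:
        self._entries[(dst_addr, app_id)] = service_id

    def lookup(self, dst_addr: str, app_id: str) -> Optional[str]:
        # Both keys must match: another application reusing the same
        # address is not found, which is the point of the scheme.
        return self._entries.get((dst_addr, app_id))


class ControlUnit:
    """Control unit 11: records address notifications (S301-S304) and
    filters outgoing communication data by lookup success (S305-S308)."""

    def __init__(self, notifier: NotificationDevice, unknown_action: str = "drop"):
        if unknown_action not in ("drop", "quarantine"):
            raise ValueError("unknown_action must be 'drop' or 'quarantine'")
        self.notifier = notifier
        self.db = NotificationDB()
        self.unknown_action = unknown_action
        self.rejected: list[tuple[str, str]] = []  # (app_id, dst_addr) audit trail

    def request_address(self, app_id: str, service_id: str) -> Optional[str]:
        """Resolve the service name through the notification device, hand the
        address to the requesting application and record the association."""
        addr = self.notifier.resolve(service_id)
        if addr is None:
            return None
        ipaddress.ip_address(addr)  # reject a malformed answer before recording it
        self.db.record(addr, app_id, service_id)
        return addr

    def handle_packet(self, app_id: str, dst_addr: str) -> str:
        """'forward' when (dst_addr, app_id) was recorded; otherwise the
        configured action for addresses not obtained via the notification device."""
        if self.db.lookup(dst_addr, app_id) is None:
            self.rejected.append((app_id, dst_addr))
            return self.unknown_action
        return "forward"


if __name__ == "__main__":
    ctrl = ControlUnit(NotificationDevice({"AAA": "210.147.209.89", "BBB": "210.147.209.90"}))
    ctrl.request_address("S", "AAA")
    ctrl.request_address("T", "BBB")
    for app, dst in [("S", "210.147.209.89"), ("T", "210.147.209.89"), ("S", "198.51.100.7")]:
        print(app, dst, ctrl.handle_packet(app, dst))
    print("rejected:", ctrl.rejected)
```

Application "T" sending to the address that "S" obtained is refused even though the address itself is legitimate, and an application sending to an address it never requested through the notification device (for instance one embedded in its binary) is refused as well; the rejected list is where a detection hook would go. The check only binds addresses to the application that resolved them: it does not restrict which names an application may resolve, and it trusts the notification device, so the channel to that device needs its own integrity protection.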
<Embodiment 4>
A fourth embodiment of the present invention will be described with reference to the drawings. In the fourth embodiment, the communication terminal 1 includes a processing rule DB 14 that stores rules for processing packets. Any of the techniques of the first to third embodiments described above can also be applied in the fourth embodiment.
In the fourth embodiment, the control unit 11 of the communication terminal 1 can refer to the processing rule DB 14 to decide how to process packets corresponding to at least one of the plurality of applications.
The communication system of the fourth embodiment is the same as that of FIG. 1.
FIG. 12 shows an example configuration of the communication terminal 1 in the fourth embodiment. In the fourth embodiment, the communication terminal 1 has a processing rule DB 14 that stores processing rules for packets.
Upon acquiring a destination address from the notification device 2, the control unit 11 notifies it to the application 10 that requested it. Upon notifying the application 10 of the destination address, the control unit 11 stores a processing rule for packets in the processing rule DB 14.
The processing rule DB 14 stores processing rules for packets.
In the following, an example in which the processing rule DB 14 stores an identifier that uniquely identifies the application 10 is described; the port number corresponding to the application that requested the address may be used instead of the identifier.
FIG. 13 shows an example of the table stored in the processing rule DB 14. As shown in FIG. 13, the processing rule DB 14 stores the destination address that the control unit 11 notified to the application 10, an identifier that uniquely identifies the application 10, and processing content indicating the processing to apply to the packet, associated with one another.
For example, the processing rule DB 14 stores the destination address "210.147.209.89", the identifier "S" of the application 10 that requested that address, and "forward" as the processing content for the packet, in association.
The processing rule DB 14 also stores, for example, the destination address "210.147.209.89", the application identifier "other" (meaning any application other than S), and "discard" as the processing content, in association.
The processing rule DB 14 also stores, for example, the destination address "210.147.209.90", the application identifier "other" (meaning any application other than T), and "rewrite the destination address to ××× and forward (forward to the quarantine network)" as the processing content, in association.
In the fourth embodiment, the processing rule DB 14 stores the processing content "forward" for the identifier of an application 10 that acquired the destination address from the notification device 2, and the processing content "discard" or "forward to the quarantine network" for the identifier of an application 10 that did not acquire the destination address from the notification device 2.
Upon receiving a packet corresponding to communication data generated by at least one of the plurality of applications 10, the control unit 11 refers to the processing rule DB 14 and extracts the processing content for the received packet based on the destination address contained in the packet and the identifier of the application 10 that acquired that address.
FIG. 14 is a flowchart showing an example of the operation of the control unit 11 of the communication terminal 1 in the fourth embodiment.
In the fourth embodiment, the control unit 11 receives a request for the destination address of a connection destination from at least one of the plurality of applications (S401).
In response to the destination address request, the control unit 11 requests the address from the notification device 2, for example by notifying it of the service identification information (S402).
The control unit 11 notifies the destination address acquired from the notification device 2 to the application 10 that requested it (S403).
Upon notifying the application 10 of the destination address, the control unit 11 stores a processing rule for packets in the processing rule DB 14 (S404).
When communication occurs (S405), the control unit 11 refers to the processing rule DB 14 and searches for the processing rule for the packet using the destination address and the identifier of the application 10 (S406).
If the search for a processing rule succeeds, the control unit 11 processes the received packet according to that rule (S407).
If the search for a processing rule fails, the control unit 11 does not forward the received packet and, for example, discards it (S408).
<Embodiment 5>
A fifth embodiment of the present invention will be described with reference to the drawings. In the fifth embodiment, the communication terminal 1 can select the RAT (Radio Access Technology), that is, the communication method used for the communication, according to the service identification information of the connection destination. The techniques of the first to fourth embodiments described above can also be applied in the fifth embodiment.
In the fifth embodiment, the communication terminal 1 includes a notification information DB 13 that stores the correspondence between destination addresses acquired from the notification device 2 and applications, and a processing rule DB 14 that stores processing rules for packets. In the fifth embodiment, the communication unit 12 has a communication interface for each of a plurality of communication methods (RATs).
In the fifth embodiment, the control unit 11 of the communication terminal 1 refers to the notification information DB 13 to determine whether the destination address was acquired from the notification device 2, and then refers to the processing rule DB 14 to decide the processing to apply to the received packet.
The communication system of the fifth embodiment is the same as that of FIG. 9.
FIG. 15 shows an example configuration of the communication terminal 1 in the fifth embodiment. In the fifth embodiment, the communication terminal 1 has a notification information DB 13 and a processing rule DB 14.
Upon acquiring a destination address from the notification device 2, the control unit 11 notifies it to the application 10. For example, upon notifying the application 10 of the destination address, the control unit 11 stores that destination address, an identifier that uniquely identifies the application 10 (or the port number corresponding to the application), and the service identification information of the service providing device 4 corresponding to that address in the notification information DB 13, associated with one another.
The table stored in the notification information DB 13 in the fifth embodiment is the same as the examples shown in FIG. 6, FIG. 7 or FIG. 10, and a detailed description is omitted.
In the following, the case in which the notification information DB 13 is the table shown in FIG. 6 is described as an example.
When communication occurs, the control unit 11 determines whether the destination address of the communication and the identifier of the application 10 that acquired that destination address are stored in association in the notification information DB 13.
If the destination address of the communication and the identifier of the application 10 that acquired it are stored in association in the notification information DB 13, the control unit 11 refers to the processing rule DB 14 to process the packet.
If they are not stored in association in the notification information DB 13, the control unit 11 discards the packet. Instead of discarding the packet, the control unit 11 may forward it to a quarantine network.
FIG. 16 shows an example of the table stored in the processing rule DB 14 in the fifth embodiment. As shown in FIG. 16, the processing rule DB 14 stores a communication type and the processing content to apply to packets of that type, in association. The communication type is, for example, the type of communication service identified from the packet's port number or the like; it is not limited to the port number and may be identified from other information.
The processing rule DB 14 of the fifth embodiment defines the process of selecting a communication method (RAT) according to the communication type.
For example, the processing rule DB 14 stores the communication type "A" and, as the processing content for that type, "forward the packet from the communication interface corresponding to WiFi", in association.
The processing rule DB 14 also stores, for example, the communication type "B" and, as the processing content for that type, "forward from the communication interface corresponding to 3G (Third Generation)/LTE (Long Term Evolution)", in association.
The control unit 11 refers to the processing rule DB 14 based on, for example, the port number of the communication, and searches for the communication type corresponding to that port number and the processing content for that type.
If the communication type corresponding to the port number cannot be found in the processing rule DB 14, the control unit 11 "discards" the received packet or "forwards it to the quarantine network".
<Embodiment 6>
The sixth embodiment shows an example in which the present invention is implemented by extending OpenFlow, a centrally controlled network architecture.
The sixth embodiment can be applied to any of the embodiments described above.
OpenFlow recognizes communication as end-to-end flows and can perform path control and the like per flow.
OpenFlow is described with reference to FIG. 17 and FIG. 18.
FIG. 17 shows an overview of a communication system built with OpenFlow. A flow is, for example, a series of communication packets having predetermined attributes (attributes identified from the communication destination, source and so on). The OpenFlow switch 51 is a network switch that adopts OpenFlow. The OpenFlow controller 50 is an information processing device that controls the OpenFlow switch 51.
The OpenFlow switch 51 communicates with the OpenFlow controller 50 over a secure channel 52 established between them. The OpenFlow controller 50 configures the flow table 510 of the OpenFlow switch 51 over the secure channel 52. The secure channel 52 is a communication path on which measures have been taken to prevent eavesdropping on, and tampering with, communication between the switch and the controller.
FIG. 18 shows an example configuration of each entry (flow entry) of the flow table 510. A flow entry consists of match fields (matching rules checked against information in the header of a packet received by the switch, for example the destination IP address or the VLAN ID (Virtual Local Area Network Identifier)), counters (per-flow statistics), and instructions that define how packets matching the rule are processed.
On receiving a packet, the OpenFlow switch 51 refers to the flow table 510 and searches for a flow entry matching the header information of the received packet. If a matching entry is found, the OpenFlow switch 51 processes the packet according to the processing method defined in the instruction field of that entry. Processing methods include, for example, "forward the received packet from a given port", "discard the received packet", and "rewrite part of the header of the received packet and forward it from a given port".
If no entry matching the header information of the received packet is found, the OpenFlow switch 51 forwards the received packet to the OpenFlow controller 50, for example over the secure channel 52. By forwarding the packet, the OpenFlow switch 51 requests the OpenFlow controller 50 to set a flow entry defining how the packet is to be processed. When a packet matches a flow entry whose processing method specifies sending a request to the controller, the OpenFlow switch 51 may likewise request the controller to set a flow entry according to that processing method.
The OpenFlow controller 50 decides how the received packet is to be processed and sets a flow entry containing that processing method in the flow table 510. The OpenFlow switch 51 then processes subsequent packets belonging to the same flow as the received packet according to the flow entry that was set.
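As an added example (not code from the patent, nor from any OpenFlow implementation), the following Python models the flow table of FIG. 18 and the table-miss handling just described, with a controller that decides entries the way the fourth and fifth embodiments do: forward when the (destination address, application port) pair is present in the notification information, choosing the radio interface by the communication type derived from the destination port, and otherwise rewrite the destination to a quarantine address and forward. It goes beyond the text in combining these behaviours in one table; the switch port numbers, the address 210.147.209.89, the port-to-RAT mapping and the quarantine address 10.99.0.1 are constructed assumptions.

```python
# Added example (not from the patent): a minimal flow table in the style of
# FIG. 18 driven by a controller that decides rules as the fourth and fifth
# embodiments describe. Ports, addresses, the RAT table and the quarantine
# address are constructed assumptions.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Match:
    """Match fields; None acts as a wildcard ("other" in FIG. 13)."""
    in_port: Optional[int] = None   # switch port 16 the application is attached to
    dst_ip: Optional[str] = None
    dst_port: Optional[int] = None  # used to derive the communication type (FIG. 16)

    def matches(self, pkt: dict) -> bool:
        return all(v is None or pkt[k] == v for k, v in vars(self).items())


@dataclass
class FlowEntry:
    match: Match
    priority: int
    instructions: list   # e.g. [("set_dst_ip", "10.99.0.1"), ("output", "wifi")]
    packets: int = 0     # counters
    bytes: int = 0


class FlowTable:
    def __init__(self) -> None:
        self.entries: list[FlowEntry] = []

    def add(self, entry: FlowEntry) -> None:
        self.entries.append(entry)
        self.entries.sort(key=lambda e: -e.priority)  # highest priority first

    def lookup(self, pkt: dict) -> Optional[FlowEntry]:
        return next((e for e in self.entries if e.match.matches(pkt)), None)


def apply_instructions(pkt: dict, instructions: list) -> tuple[str, dict]:
    """Return (action, possibly rewritten packet). An entry with no output
    instruction drops the packet, as in OpenFlow."""
    pkt = dict(pkt)
    for op, arg in instructions:
        if op == "drop":
            return "drop", pkt
        if op == "set_dst_ip":
            pkt["dst_ip"] = arg
        elif op == "output":
            return f"output:{arg}", pkt
    return "drop", pkt


class Controller:
    """Stand-in for control server 6: answers table misses from the
    notification information (address, application port) pairs and a
    communication-type -> RAT policy."""

    def __init__(self, notification_db: set, rat_by_port: dict, quarantine_ip: str):
        self.notification_db = notification_db  # {(dst_ip, in_port), ...}
        self.rat_by_port = rat_by_port          # {dst_port: "wifi" | "lte"}
        self.quarantine_ip = quarantine_ip

    def packet_in(self, pkt: dict) -> FlowEntry:
        in_port, dst_ip, dst_port = pkt["in_port"], pkt["dst_ip"], pkt["dst_port"]
        if (dst_ip, in_port) in self.notification_db:
            # Address was obtained via the notification device: choose the RAT
            # for this communication type, or drop if the type is unknown.
            rat = self.rat_by_port.get(dst_port)
            instr = [("output", rat)] if rat else [("drop", None)]
            return FlowEntry(Match(in_port, dst_ip, dst_port), 100, instr)
        # Any other application talking to this address: rewrite the
        # destination and forward to the quarantine network.
        return FlowEntry(Match(in_port=in_port, dst_ip=dst_ip), 50,
                         [("set_dst_ip", self.quarantine_ip), ("output", "wifi")])


class VirtualSwitch:
    """Virtual switch 15: table lookup, packet-in on a miss, counters."""

    def __init__(self, controller: Controller):
        self.table = FlowTable()
        self.controller = controller

    def process(self, pkt: dict) -> tuple[str, dict]:
        entry = self.table.lookup(pkt)
        if entry is None:  # table miss -> packet-in, controller installs an entry
            entry = self.controller.packet_in(pkt)
            self.table.add(entry)
        entry.packets += 1
        entry.bytes += pkt["len"]
        return apply_instructions(pkt, entry.instructions)


if __name__ == "__main__":
    sw = VirtualSwitch(Controller({("210.147.209.89", 1)}, {443: "wifi", 5060: "lte"}, "10.99.0.1"))
    for pkt in [{"in_port": 1, "dst_ip": "210.147.209.89", "dst_port": 443, "len": 120},
                {"in_port": 2, "dst_ip": "210.147.209.89", "dst_port": 443, "len": 80},
                {"in_port": 1, "dst_ip": "210.147.209.89", "dst_port": 8080, "len": 40}]:
        print(pkt["in_port"], sw.process(pkt))
```

Only the first packet of each flow reaches the controller; later packets hit the installed entry and only bump its counters, which is why the decision logic can live off the data path. The quarantine entry deliberately wildcards the destination port so that every port an unauthorised application tries on that address lands in the same entry, while the forwarding entry is exact on all three fields.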
 図19は、本発明の第6の実施形態の通信システムの例を示す。本発明の第6の実施形態は、図19に示すように、通信端末1、通知装置2、ネットワーク3、サービス提供装置4、制御サーバ6とを含む。制御サーバ6は、通信端末1と、OpenFlowプロトコルに従って通信することが可能である。なお、通知装置2の機能と制御サーバ6の機能は、同一の装置に実装されてもよい。また、通信端末1の機能と制御サーバ6の機能は、同一の装置に実装されてもよい。 FIG. 19 shows an example of a communication system according to the sixth embodiment of the present invention. As shown in FIG. 19, the sixth embodiment of the present invention includes a communication terminal 1, a notification device 2, a network 3, a service providing device 4, and a control server 6. The control server 6 can communicate with the communication terminal 1 according to the OpenFlow protocol. Note that the function of the notification device 2 and the function of the control server 6 may be implemented in the same device. Further, the function of the communication terminal 1 and the function of the control server 6 may be implemented in the same device.
 図20は、本発明の第6の実施形態における、通信端末1の構成の例を示す図である。通信端末1は、複数のアプリケーション10、仮想スイッチ15、複数のスイッチポート16および少なくとも1つの通信インターフェース17を有する。なお、図21では、複数の通信インターフェース17を図示しているが、通信インターフェース17は1つであってもよい。各々の通信インターフェース17は、例えば、所定の通信方式(RAT)に対応している。 FIG. 20 is a diagram showing an example of the configuration of the communication terminal 1 in the sixth embodiment of the present invention. The communication terminal 1 includes a plurality of applications 10, a virtual switch 15, a plurality of switch ports 16, and at least one communication interface 17. In FIG. 21, a plurality of communication interfaces 17 are illustrated, but the number of communication interfaces 17 may be one. Each communication interface 17 corresponds to, for example, a predetermined communication method (RAT).
 通信端末1は、OpenFlowスイッチを改良して構成される仮想スイッチ15を有する。仮想スイッチ15は、ソフトウェア(仮想スイッチ)により構成されるが、本発明はハードウェアにより構成されてもよい。 The communication terminal 1 has a virtual switch 15 configured by improving the OpenFlow switch. The virtual switch 15 is configured by software (virtual switch), but the present invention may be configured by hardware.
 仮想スイッチ15は、図2に例示された制御部11と同様の機能を有する。また、仮想スイッチ15は、制御サーバ6から送信された指示に応じて動作する機能を有する。 The virtual switch 15 has the same function as the control unit 11 illustrated in FIG. Further, the virtual switch 15 has a function of operating according to an instruction transmitted from the control server 6.
 各アプリケーション10は、スイッチポート16に接続している。また、通信インターフェース17は、スイッチポート16に接続している。 Each application 10 is connected to the switch port 16. The communication interface 17 is connected to the switch port 16.
FIG. 21 shows an example of the configuration of the control server 6.
The control server 6 includes a communication unit 60, a processing rule determination unit 61, a management DB 62, a terminal management unit 63, and a notification information DB 64.
The communication unit 60 communicates with the communication terminal 1 based on the OpenFlow protocol. It receives from the communication terminal 1 requests for packet processing rules (corresponding to the "flow entries" described above), and it notifies the communication terminal 1 of processing rules.
The notification information DB 64 is a database that manages the notification information described in the preceding embodiments (for example, FIGS. 6, 7 and 10). The notification information DB 64 holds such a database for each communication terminal 1 managed by the control server 6. When the virtual switch 15 of a communication terminal 1 acquires a destination address from the notification device 2, it notifies the control server 6 of that destination address together with information identifying the application that corresponds to it (for example, a port number).
The notification information DB 64 stores, for example, the information received from the virtual switch 15 of each communication terminal 1 (the destination address and the information identifying the application). In addition to the destination address and the application identifier, the notification information DB 64 may also store, in association with them, the service identification information of the service providing device 4 that corresponds to the destination address.
The processing rule determination unit 61 determines the processing rules to be set in the virtual switch 15 of the communication terminal 1. It generates those rules by referring to the information held in the notification information DB 64 and in the terminal management unit 63.
The terminal management unit 63 manages, for example, the SSIDs of the wireless LAN access points to which the communication terminal 1 can connect, the location information of the communication terminal 1, and information about the applications installed on the communication terminal 1 (for example, application identifiers). The terminal management unit 63 collects this information by, for example, sending a collection request to the communication terminal 1, and may do so at a predetermined interval.
The terminal management unit 63 also manages, for each communication terminal 1, the connection relationship between the switch ports 16 and the applications, and the connection relationship between the switch ports 16 and the communication interfaces 17.
Communication devices that comply with OpenFlow (network switches and the like) have a function for notifying the controller of the status of the device's ports (Port Status) and a function for notifying the controller of the characteristics of the switch (Features Request/Reply). The terminal management unit 63 may use these functions to collect information from the communication terminal 1.
The virtual switch 15 of each communication terminal 1 can request processing rules for handling packets from the control server 6. In response to such a request, the processing rule determination unit 61 refers to the notification information DB 64 and determines whether the destination address of the packet to which the request relates is stored in association with the identifier of the application 10 that sent the packet. If the destination address and the identifier of the sending application are stored in association with each other in the notification information DB 64, the processing rule determination unit 61 determines that the destination address was acquired from the notification device 2.
If the destination address of the packet to which the rule generation request relates was acquired from the notification device 2, the processing rule determination unit 61 creates a processing rule for forwarding the packet.
If it was not acquired from the notification device 2, the processing rule determination unit 61 creates a processing rule for discarding the packet. Instead of a rule to discard the packet, the processing rule determination unit 61 may create a rule for forwarding it to a quarantine network.
The processing rule determination unit 61 stores the generated processing rules in the management DB 62.
FIG. 22 shows examples of processing rules generated by the processing rule determination unit 61. The processing rule determination unit 61 specifies, as the matching rule, the destination address of the packet to which the request from the virtual switch 15 relates and the port number of that packet. As the processing method ("Instruction") corresponding to the matching rule, it specifies, for example, forwarding the packet from the switch port 16 that corresponds to the communication method (RAT) associated with that destination address and port number.
In the example of FIG. 22, the matching rule of the processing rule in the first row is "destination address "A" and port number "80"", and its instruction is to forward the packet to the switch port 16 corresponding to WiFi.
In the example of FIG. 22, the matching rule of the processing rule in the third row is "destination address "A" and port number "110"", and its instruction is to discard the packet.
FIG. 23 shows an example of the configuration of the virtual switch 15. As shown in FIG. 23, the virtual switch 15 has a communication unit 150, a processing rule DB 151, and a processing unit 152. The processing unit 152 has a processing search unit 153 and an action execution unit 154.
The communication unit 150 communicates with the control server 6 in accordance with the OpenFlow protocol.
The processing rule DB 151 stores the processing rules notified by the control server 6.
The processing unit 152 processes packets in accordance with the processing rules notified by the control server 6.
The processing search unit 153 searches the processing rule DB 151 for the processing rule that corresponds to a received packet, by comparing the packet against the "Match Field" of each processing rule stored in the processing rule DB 151.
The action execution unit 154 processes the packet in accordance with the processing method specified in the "Instruction" field of the processing rule that was found.
If no processing rule corresponding to the received packet exists in the processing rule DB 151, the processing search unit 153 requests the control server 6 to set a processing rule.
FIG. 24 is a sequence diagram showing an example of the operation of the sixth embodiment.
In the sixth embodiment, when the communication terminal 1 is to transmit a packet, it requests the destination address of the service providing device 4 to which the packet is to be sent from the notification device 2 via the control server 6 (S601 and S602). The communication terminal 1 may instead request the destination address from the notification device 2 directly, without going through the control server 6. In that case the notification device 2 notifies the communication terminal 1 of the destination address, and the communication terminal 1 in turn notifies the control server 6 of the destination address it acquired from the notification device 2.
On receiving the address request, the notification device 2 notifies the communication terminal 1 of the address via the control server 6 (S603 and S604).
When the communication terminal 1, having been notified of the address, is to transmit a packet using that address, it requests a processing rule for the packet from the control server 6 (S605).
The control server 6 notifies the communication terminal 1 of the processing rule for the packet (Flow Mod in S606).
The communication terminal 1 forwards the packet in accordance with the processing rule notified by the control server 6 (S607).
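As an added illustration (not code from the patent or from its assignee), the following Python sketch models the sixth embodiment end to end: the virtual switch 15 resolves a name through the notification device 2 and reports the resulting (address, port) pair to the control server 6 (S601 to S604); on a flow-table miss it requests a rule (S605); the processing rule determination unit 61 consults the notification information DB 64 and answers with a forward rule for an address that came from the notification device and with a drop rule, or a quarantine-port rule, otherwise (S606, the rows of FIG. 22); the switch then acts on the installed rule (S607). The class names, the name-to-address map standing in for the notification device, the switch port numbers and the addresses "A" and "B" are assumptions of this example, and an application is identified by the port number of its traffic, as in FIG. 22.

```python
"""Reactive processing rules in the style of the sixth embodiment (FIG. 22, FIG. 24).

Added example, not code from the patent. Assumed: an application 10 is
identified by the port number of its traffic, as in FIG. 22; the RAT choice
made by terminal management unit 63 is reduced to a fixed WiFi port; names,
addresses and port numbers are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

OUTPUT, DROP, QUARANTINE = "output", "drop", "quarantine"
WIFI_PORT, QUARANTINE_PORT = 1, 99      # assumed switch port 16 numbers


@dataclass(frozen=True)
class Packet:
    dst_addr: str
    port: int                            # identifies the sending application 10


@dataclass(frozen=True)
class FlowEntry:
    """Processing rule: match field (dst address, port) plus an instruction."""
    dst_addr: str
    port: int
    action: str                          # OUTPUT or DROP
    out_port: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        return (pkt.dst_addr, pkt.port) == (self.dst_addr, self.port)


class NotificationInfoDB:
    """DB 64: per terminal, the (address, port) pairs the terminal reported
    as acquired from the notification device 2."""
    def __init__(self) -> None:
        self._acquired: Dict[str, Set[Tuple[str, int]]] = {}

    def record(self, terminal_id: str, dst_addr: str, port: int) -> None:
        self._acquired.setdefault(terminal_id, set()).add((dst_addr, port))

    def was_acquired(self, terminal_id: str, pkt: Packet) -> bool:
        return (pkt.dst_addr, pkt.port) in self._acquired.get(terminal_id, set())


class ControlServer:
    """Processing rule determination unit 61 with management DB 62."""
    def __init__(self, db: NotificationInfoDB, unverified: str = DROP) -> None:
        self.db = db
        self.unverified = unverified     # DROP or QUARANTINE for unverified addresses
        self.management_db: List[Tuple[str, FlowEntry]] = []

    def decide_rule(self, terminal_id: str, pkt: Packet) -> FlowEntry:
        if self.db.was_acquired(terminal_id, pkt):
            rule = FlowEntry(pkt.dst_addr, pkt.port, OUTPUT, WIFI_PORT)
        elif self.unverified == QUARANTINE:
            rule = FlowEntry(pkt.dst_addr, pkt.port, OUTPUT, QUARANTINE_PORT)
        else:
            rule = FlowEntry(pkt.dst_addr, pkt.port, DROP)
        self.management_db.append((terminal_id, rule))
        return rule


class VirtualSwitch:
    """Virtual switch 15: flow table (rule DB 151), lookup, rule request on miss."""
    def __init__(self, terminal_id: str, controller: ControlServer,
                 notifier: Dict[str, str]) -> None:
        self.terminal_id = terminal_id
        self.controller = controller
        self.notifier = notifier         # notification device 2 as a name -> address map
        self.flow_table: List[FlowEntry] = []
        self.rule_requests = 0

    def resolve(self, name: str, port: int) -> str:
        """S601-S604: obtain the address and report (address, port) to the controller."""
        addr = self.notifier[name]
        self.controller.db.record(self.terminal_id, addr, port)
        return addr

    def send(self, pkt: Packet) -> Tuple[str, Optional[int]]:
        rule = next((r for r in self.flow_table if r.matches(pkt)), None)
        if rule is None:                 # table miss: S605 request, S606 Flow Mod
            self.rule_requests += 1
            rule = self.controller.decide_rule(self.terminal_id, pkt)
            self.flow_table.append(rule)
        return rule.action, rule.out_port   # S607: act on the installed rule


def demo(unverified: str = DROP) -> Dict[str, object]:
    """Constructed scenario: one app resolves its server through the notification
    device; a second app sends to a hard-coded address that was never resolved."""
    server = ControlServer(NotificationInfoDB(), unverified)
    vswitch = VirtualSwitch("terminal-1", server, {"web.example": "A"})
    addr = vswitch.resolve("web.example", 80)
    resolved = vswitch.send(Packet(addr, 80))
    vswitch.send(Packet(addr, 80))       # second packet hits the installed rule, no request
    hardcoded = vswitch.send(Packet("B", 110))
    return {"resolved": resolved, "hardcoded": hardcoded,
            "rule_requests": vswitch.rule_requests, "rules": len(server.management_db)}
```

The point worth noting is where the decision is taken: the controller forwards only (address, port) pairs that the terminal itself reported as resolved, so an application that embeds a hard-coded or attacker-supplied address never receives a forward rule, whatever the packet claims. The scheme does rely on the resolution path being trustworthy; nothing in it authenticates the notification device's answer or the channel over which the terminal reports it.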
<Embodiment 7>
The seventh embodiment of the present invention is another example in which the present invention is implemented by extending OpenFlow, a centrally controlled network architecture.
The seventh embodiment can be applied to any of the embodiments described above.
In the seventh embodiment, the processing rule determination unit 61 of the control server 6 notifies the communication terminal 1 of the processing rules for a packet in advance, in response to receiving an address from the notification device 2. The communication terminal 1 therefore does not need to request a processing rule when it transmits the packet.
The communication system of the seventh embodiment is the same as that of FIG. 19.
The configuration of the control server 6 in the seventh embodiment is the same as that of FIG. 21.
The processing rule determination unit 61 determines the processing rules to be set in the virtual switch 15 of the communication terminal 1, and generates them by referring to the information held by the terminal management unit 63.
For example, in response to receiving an address from the notification device 2, the processing rule determination unit 61 sets processing rules for handling packets in the communication terminal 1 to which that address is to be notified.
For example, in response to receiving an address from the notification device 2, the processing rule determination unit 61 sets in advance, in the communication terminal 1, a processing rule for forwarding the packets transmitted by the application 10 that requested the address.
Conversely, in response to receiving an address from the notification device 2, the processing rule determination unit 61 sets in advance, in the communication terminal 1, a processing rule for discarding the packets that an application 10 which did not request that address transmits to it, or a processing rule for forwarding those packets to a quarantine network.
FIG. 25 is a sequence diagram showing an example of the operation of the seventh embodiment.
In the seventh embodiment, when the communication terminal 1 is to transmit a packet, it requests the address of the service providing device 4 to which the packet is to be sent from the notification device 2 via the control server 6 (S801 and S802).
On receiving the address request, the notification device 2 notifies the control server 6 of the address (S803).
The control server 6 notifies the communication terminal 1 of the address received from the notification device 2 (S804).
In response to receiving the address from the notification device 2, the control server 6 sets processing rules for handling packets in the communication terminal 1 to which it notifies the address (S805).
Having been notified of the address, the communication terminal 1 forwards packets carrying the notified address in accordance with the processing rules notified by the control server 6 (S806).
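For the seventh embodiment, the following Python sketch (again an added example, not the patent's code) shows the proactive variant: as soon as the control server 6 relays an address from the notification device 2 (S803, S804) it installs two rules in the terminal (S805), a specific forward rule for the application that requested the address and a lower-priority catch-all that drops, or diverts to a quarantine port, any other application's traffic to that address. The use of OpenFlow-style rule priorities and a wildcarded port in the catch-all is this example's design choice; the patent text only says that such rules are set in advance. The table-miss behaviour for an address the controller never relayed is likewise an assumption (drop). Class names, ports and addresses are constructed.

```python
"""Proactive rule installation in the style of the seventh embodiment (FIG. 25).

Added example, not code from the patent. Assumed: an application is identified
by the port number of its traffic; the controller installs a specific forward
rule for the requesting application and a lower-priority catch-all for every
other application's traffic to the same address; a table miss drops.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ANY = None                          # wildcard port in a match field
WIFI_PORT, QUARANTINE_PORT = 1, 99  # assumed switch port 16 numbers


@dataclass(frozen=True)
class Rule:
    priority: int
    dst_addr: str
    app_port: Optional[int]         # ANY matches every port
    action: str                     # "output" or "drop"
    out_port: Optional[int] = None

    def matches(self, dst_addr: str, app_port: int) -> bool:
        return dst_addr == self.dst_addr and self.app_port in (ANY, app_port)


class Terminal:
    """Communication terminal 1 whose flow table only ever receives pushed rules."""
    def __init__(self) -> None:
        self.flow_table: List[Rule] = []
        self.misses = 0

    def install(self, rule: Rule) -> None:      # Flow Mod, S805
        self.flow_table.append(rule)
        self.flow_table.sort(key=lambda r: -r.priority)

    def send(self, dst_addr: str, app_port: int) -> Tuple[str, Optional[int]]:
        for rule in self.flow_table:            # highest priority first
            if rule.matches(dst_addr, app_port):
                return rule.action, rule.out_port
        self.misses += 1
        return "drop", None                     # assumed table-miss behaviour


class ControlServer:
    """Control server 6: provisions rules at the moment it relays an address."""
    def __init__(self, notifier: Dict[str, str], quarantine: bool = False) -> None:
        self.notifier = notifier                # notification device 2 as name -> address
        self.quarantine = quarantine

    def resolve_and_provision(self, terminal: Terminal, name: str, app_port: int) -> str:
        addr = self.notifier[name]              # S802/S803
        terminal.install(Rule(10, addr, app_port, "output", WIFI_PORT))
        if self.quarantine:
            terminal.install(Rule(1, addr, ANY, "output", QUARANTINE_PORT))
        else:
            terminal.install(Rule(1, addr, ANY, "drop"))
        return addr                             # S804


def demo(quarantine: bool = False) -> Dict[str, object]:
    """Constructed scenario: the app on port 80 requests the address of
    web.example; the app on port 110 reuses that address without asking."""
    terminal = Terminal()
    server = ControlServer({"web.example": "A"}, quarantine)
    addr = server.resolve_and_provision(terminal, "web.example", 80)
    return {"requester": terminal.send(addr, 80),
            "other_app": terminal.send(addr, 110),
            "unnotified": terminal.send("B", 80),
            "misses": terminal.misses,
            "rules": len(terminal.flow_table)}
```

Because both rules are present before the first packet, the requesting application's traffic never triggers a rule request, which is the whole point of the seventh embodiment; the catch-all is what stops a second application from riding on an address that was resolved for someone else, the same outcome as the "A"/"110" drop row of FIG. 22 but decided ahead of time.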
The entire disclosure of the above patent documents is incorporated herein by reference. Within the scope of the entire disclosure of the present invention (including the claims), and based on its basic technical concept, the embodiments may be modified and adjusted. Various combinations and selections of the disclosed elements (including the elements of each claim, each embodiment and each drawing) are possible within the scope of the entire disclosure. That is, the present invention naturally includes the various variations and modifications that a person skilled in the art could make in accordance with the entire disclosure, including the claims, and its technical concept. In particular, for any numerical range stated herein, any value or sub-range within that range is to be regarded as specifically described, even where not explicitly stated.
1 Communication terminal
2 Notification device
3 Network
4 Service providing device
6 Control server
10 Application
11 Control unit
12 Communication unit
13 Notification information database (DB)
14 Processing rule database (DB)
15 Virtual switch
16 Switch port
17 Communication interface
50 OpenFlow Controller
51 OpenFlow Switch
52 Secure Channel
510 Flow Table
60 Communication unit
61 Processing rule determination unit
62 Management database (DB)
63 Terminal management unit
64 Notification information database (DB)
150 Communication unit
151 Processing rule database (DB)
152 Processing unit
153 Processing search unit
154 Action execution unit

Claims (40)

  1.  A communication terminal comprising:
     communication means capable of transmitting communication data generated by an application; and
     control means capable of determining whether the communication data may be transmitted, based on whether the destination address of the communication data was acquired from an address resolution system that can look up the destination address using identification information representing the destination of the communication data.
  2.  The communication terminal according to claim 1, wherein the control means permits transmission of the communication data when the destination address is an address acquired from the address resolution system.
  3.  The communication terminal according to claim 1 or 2, wherein the control means rejects transmission of the communication data when the destination address is not an address acquired from the address resolution system.
  4.  The communication terminal according to any one of claims 1 to 3, wherein the control means discards the communication data when the destination address is not an address acquired from the address resolution system.
  5.  The communication terminal according to any one of claims 1 to 3, wherein the control means verifies whether the destination address is valid when the destination address is not an address acquired from the address resolution system.
  6.  The communication terminal according to any one of claims 1 to 5, further comprising storage means for storing the destination address acquired from the address resolution system in association with an identifier for identifying the application,
     wherein the control means refers to the storage means to determine whether the destination address of the communication data was acquired from the address resolution system.
  7.  The communication terminal according to claim 6, wherein the storage means stores, as the identifier for identifying the application, a port number corresponding to the application.
  8.  The communication terminal according to claim 6 or 7, wherein the storage means stores the destination address acquired from the address resolution system, a first identifier for identifying the address, and a second identifier for identifying the service provided by the destination of the communication data, in association with one another.
  9.  The communication terminal according to any one of claims 1 to 8, wherein the control means transmits, from the communication means, communication data identified by a condition, in accordance with a processing rule that includes the condition for identifying communication data to be transmitted to a destination address acquired from the address resolution system.
  10.  The communication terminal according to any one of claims 1 to 9, wherein the control means executes processing for rejecting transmission of communication data identified by a condition, in accordance with a processing rule that includes the condition for identifying communication data to be transmitted to a destination address that was not acquired from the address resolution system.
  11.  A communication system comprising:
     an address resolution system capable of looking up a destination address using identification information representing the destination of communication data; and
     a communication terminal having communication means capable of transmitting communication data generated by an application, and control means capable of determining whether the communication data may be transmitted, based on whether the destination address of the communication data was acquired from the address resolution system.
  12.  The communication system according to claim 11, wherein the control means permits transmission of the communication data when the destination address is an address acquired from the address resolution system.
  13.  The communication system according to claim 11 or 12, wherein the control means rejects transmission of the communication data when the destination address is not an address acquired from the address resolution system.
  14.  The communication system according to any one of claims 11 to 13, wherein the control means discards the communication data when the destination address is not an address acquired from the address resolution system.
  15.  The communication system according to any one of claims 11 to 13, wherein the control means verifies whether the destination address is valid when the destination address is not an address acquired from the address resolution system.
  16.  The communication system according to any one of claims 11 to 15, wherein the communication terminal further has storage means for storing the destination address acquired from the address resolution system in association with an identifier for identifying the application, and the control means refers to the storage means to determine whether the destination address of the communication data was acquired from the address resolution system.
  17.  The communication system according to claim 16, wherein the storage means stores, as the identifier for identifying the application, a port number corresponding to the application.
  18.  The communication system according to claim 16 or 17, wherein the storage means stores the destination address acquired from the address resolution system, a first identifier for identifying the address, and a second identifier for identifying the service provided by the destination of the communication data, in association with one another.
  19.  The communication system according to any one of claims 11 to 18, wherein the control means transmits, from the communication means, communication data identified by a condition, in accordance with a processing rule that includes the condition for identifying communication data to be transmitted to a destination address acquired from the address resolution system.
  20.  The communication system according to any one of claims 11 to 19, wherein the control means executes processing for rejecting transmission of communication data identified by a condition, in accordance with a processing rule that includes the condition for identifying communication data to be transmitted to a destination address that was not acquired from the address resolution system.
  21.  A communication method comprising:
     transmitting communication data generated by an application; and
     determining whether the communication data may be transmitted, based on whether the destination address of the communication data was acquired from an address resolution system that can look up the destination address using identification information representing the destination of the communication data.
  22.  The communication method according to claim 21, wherein transmission of the communication data is permitted when the destination address is an address acquired from the address resolution system.
  23.  The communication method according to claim 21 or 22, wherein transmission of the communication data is rejected when the destination address is not an address acquired from the address resolution system.
  24.  The communication method according to any one of claims 21 to 23, wherein the communication data is discarded when the destination address is not an address acquired from the address resolution system.
  25.  The communication method according to any one of claims 21 to 23, wherein whether the destination address is valid is verified when the destination address is not an address acquired from the address resolution system.
  26.  The communication method according to any one of claims 21 to 25, comprising storing the destination address acquired from the address resolution system in association with an identifier for identifying the application,
     wherein whether the destination address of the communication data was acquired from the address resolution system is determined by referring to the stored association between the destination address and the identifier.
  27.  The communication method according to claim 26, wherein a port number corresponding to the application is stored as the identifier for identifying the application.
  28.  The communication method according to claim 26 or 27, wherein the destination address acquired from the address resolution system, a first identifier for identifying the address, and a second identifier for identifying the service provided by the destination of the communication data are stored in association with one another.
  29.  The communication method according to any one of claims 21 to 28, wherein communication data identified by a condition is transmitted in accordance with a processing rule that includes the condition for identifying communication data to be transmitted to a destination address acquired from the address resolution system.
  30.  The communication method according to any one of claims 21 to 29, wherein processing for rejecting transmission of communication data identified by a condition is executed in accordance with a processing rule that includes the condition for identifying communication data to be transmitted to a destination address that was not acquired from the address resolution system.
  31.  A program causing a computer to execute:
     processing for transmitting communication data generated by an application; and
     processing for determining whether the communication data may be transmitted, based on whether the destination address of the communication data was acquired from an address resolution system in which the destination address can be looked up using identification information representing the destination of the communication data.
  32.  The program according to claim 31, causing the computer to execute processing for permitting transmission of the communication data when the destination address is an address acquired from the address resolution system.
  33.  The program according to claim 31 or 32, causing the computer to execute processing for rejecting transmission of the communication data when the destination address is not an address acquired from the address resolution system.
  34.  The program according to any one of claims 31 to 33, causing the computer to execute processing for discarding the communication data when the destination address is not an address acquired from the address resolution system.
  35.  The program according to any one of claims 31 to 33, causing the computer to execute processing for verifying whether the destination address is valid when the destination address is not an address acquired from the address resolution system.
  36.  The program according to any one of claims 31 to 35, causing the computer to execute:
     processing for storing the destination address acquired from the address resolution system in association with an identifier for identifying the application; and
     processing for determining whether the destination address of the communication data was acquired from the address resolution system by referring to the stored association between the destination address and the identifier.
  37.  The program according to claim 36, causing the computer to execute processing for storing, as the identifier for identifying the application, a port number corresponding to the application.
  38.  The program according to claim 36 or 37, causing the computer to execute processing for storing the destination address acquired from the address resolution system, a first identifier for identifying the address, and a second identifier for identifying a service provided by the destination of the communication data in association with each other.
  39.  The program according to any one of claims 31 to 38, causing the computer to execute processing for transmitting the communication data identified by a condition, in accordance with a processing rule including the condition for identifying communication data to be transmitted to a destination address acquired from the address resolution system.
  40.  The program according to any one of claims 31 to 39, causing the computer to execute processing for rejecting transmission of the communication data identified by a condition, in accordance with a processing rule including the condition for identifying communication data to be transmitted to a destination address that was not acquired from the address resolution system.
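The permit/drop logic of claims 31 to 40 in working form, as an added example that is not the patent's own code: addresses returned by the address resolution system are stored with the requesting application's port (claim 37) and the destination service port (claim 38), and an outgoing packet is permitted only when it matches a stored entry. The filter class, the optional verifier callback for claim 35, and all addresses and ports are assumptions constructed for illustration.

```python
"""Egress filter keyed on address-resolution results (added example, not the
patent's code). Addresses returned by the address resolution system are stored
with the requesting application's port (claim 37) and destination service port
(claim 38); outgoing data is permitted only when it matches a stored entry
(claim 32), else dropped (claims 33-34) unless a verifier accepts it (claim 35).
All addresses and ports below are constructed sample data."""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Callable, Optional


@dataclass(frozen=True)
class Packet:
    src_port: int  # identifies the sending application (claim 37)
    dst_ip: str
    dst_port: int  # identifies the destination service (claim 38)


class ResolutionAwareFilter:
    def __init__(self, verify: Optional[Callable[[str], bool]] = None):
        # (dst_ip, src_port, dst_port) -> name that resolved to it (claim 36)
        self._resolved: dict[tuple[str, int, int], str] = {}
        self._verify = verify  # hypothetical fallback check (claim 35)

    def record_resolution(self, name: str, ip: str, src_port: int, dst_port: int) -> None:
        """Store an address returned by the address resolution system."""
        ip = str(ip_address(ip))  # normalise; raises on a malformed answer
        self._resolved[(ip, src_port, dst_port)] = name

    def decide(self, pkt: Packet) -> str:
        """Return 'PERMIT' or 'DROP' for one outgoing packet (claims 32-35)."""
        key = (str(ip_address(pkt.dst_ip)), pkt.src_port, pkt.dst_port)
        if key in self._resolved:
            return "PERMIT"
        if self._verify is not None and self._verify(pkt.dst_ip):
            return "PERMIT"
        return "DROP"


def run_sample() -> list[str]:
    """Constructed scenario: one resolved destination, several that were not."""
    flt = ResolutionAwareFilter(verify=lambda ip: ip.startswith("192.0.2."))
    flt.record_resolution("host.example", "203.0.113.5", 40000, 443)
    packets = [
        Packet(40000, "203.0.113.5", 443),   # matches the recorded answer
        Packet(40000, "203.0.113.5", 80),    # same host, service never looked up
        Packet(40001, "203.0.113.5", 443),   # another application, no lookup
        Packet(40000, "198.51.100.7", 443),  # never resolved, verifier rejects
        Packet(40000, "192.0.2.10", 443),    # never resolved, verifier accepts
    ]
    return [flt.decide(p) for p in packets]
```

Because the table is keyed on the application port as well as the address, a second application reusing an address the first one resolved is still dropped, which is the per-application binding claims 36 and 37 describe.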
PCT/JP2014/071568 2013-08-20 2014-08-18 Communication terminal, communication system, communication method, and program WO2015025817A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
JP2015532850A JPWO2015025817A1 (en) 2013-08-20 2014-08-18 Communication terminal, communication system, communication method, and program

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
JP2013170013 2013-08-20
JP2013-170013 2013-08-20

Publications (1)

Publication Number Publication Date
WO2015025817A1 true WO2015025817A1 (en) 2015-02-26

Family

ID=52483592

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2014/071568 WO2015025817A1 (en) 2013-08-20 2014-08-18 Communication terminal, communication system, communication method, and program

Country Status (2)

Country Link
JP (1) JPWO2015025817A1 (en)
WO (1) WO2015025817A1 (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2007005961A (en) * 2005-06-22 2007-01-11 Hikari Hiyo Communication method, communication system, and electronic settlement system led by receiver
JP2012509005A (en) * 2008-11-13 2012-04-12 テレフオンアクチーボラゲット エル エム エリクソン(パブル) Method and apparatus for controlling communication services
JP2014036391A (en) * 2012-08-10 2014-02-24 Ricoh Co Ltd Communication device, communication system, and program

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
TAKESHI OKAMOTO: "Packet Filtering Using DNS Responses against Worm Propagation", TRANSACTIONS OF INFORMATION PROCESSING SOCIETY OF JAPAN, vol. 45, no. 10, 15 October 2004 (2004-10-15), pages 2407 - 2415 *

Also Published As

Publication number Publication date
JPWO2015025817A1 (en) 2017-03-02

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application
    Ref document number: 14838166; Country of ref document: EP; Kind code of ref document: A1
ENP Entry into the national phase
    Ref document number: 2015532850; Country of ref document: JP; Kind code of ref document: A
NENP Non-entry into the national phase
    Ref country code: DE
122 Ep: pct application non-entry in european phase
    Ref document number: 14838166; Country of ref document: EP; Kind code of ref document: A1