WO2015025817A1 - Communication terminal, communication system, communication method, and program - Google Patents


Info

Publication number
WO2015025817A1
Authority
WO
WIPO (PCT)
Prior art keywords
address
communication
destination address
communication data
acquired
Application number
PCT/JP2014/071568
Other languages
English (en)
Japanese (ja)
Inventor
貴裕 飯星
Original Assignee
日本電気株式会社
Application filed by 日本電気株式会社 filed Critical 日本電気株式会社
Priority to JP2015532850A priority Critical patent/JPWO2015025817A1/ja
Publication of WO2015025817A1 publication Critical patent/WO2015025817A1/fr

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L45/00 Routing or path finding of packets in data switching networks
    • H04L45/38 Flow based routing
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L45/00 Routing or path finding of packets in data switching networks
    • H04L45/64 Routing or path finding of packets in data switching networks using an overlay routing layer
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/45 Network directories; Name-to-address mapping
    • H04L61/4505 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols
    • H04L61/4511 Network directories; Name-to-address mapping using standardised directories; using standardised directory access protocols using domain name system [DNS]

Definitions

  • The present invention is based on the priority claim of Japanese Patent Application No. 2013-170013 (filed on Aug. 20, 2013), the entire contents of which are incorporated herein by reference.
  • The present invention relates to a communication terminal, a communication system, a communication method, and a program.
  • NW: local network
  • Patent Document 1 discloses a communication filtering system that filters communication from an external NW to an internal NW.
  • The communication filtering system described in Patent Document 1 includes a communication filtering unit 30 made up of a filtering unit 301, a user authentication unit 302, and a user information storage unit 402.
  • An administrator registers in advance, in the user information storage unit 402, the user information (user identifier and user authentication information) of all users who form a community.
  • When the filtering unit 301 receives a request from the user terminal 21, it requests user authentication from the user authentication unit 302.
  • The user authentication unit 302 receives the user authentication request from the filtering unit 301 and collates the user identifier and user authentication information included in the request with the user information stored in the user information storage unit 402. If user information matching the combination of user identifier and user authentication information in the request exists, the user authentication unit 302 determines that user authentication has succeeded; if no user information matches that combination, it determines that user authentication has failed. It then notifies the filtering unit 301 of the user authentication result.
  • When user authentication by the user authentication unit 302 fails, the filtering unit 301 discards the request from the terminal 21. When user authentication succeeds, the filtering unit 301 transfers the request from the terminal 21 to the requested service.
  • An administrator registers in advance, in the user information storage unit 402, the user information of the users who are allowed to communicate. That is, in this communication filtering system the administrator must know which users form the community and must register their user information beforehand.
  • An object of the present invention is to provide a communication terminal, a communication system, a communication method, and a program that contribute to solving this problem.
  • The communication terminal includes communication means (unit) capable of transmitting communication data generated by an application, and control means (unit) capable of determining whether the communication data may be transmitted based on whether the destination address of the communication data has been acquired from an address resolution system that can search for the destination address using identification information indicating the destination of the communication data.
  • The communication system includes an address resolution system capable of searching for a destination address using identification information representing the destination of communication data, and a communication terminal having communication means (unit) capable of transmitting communication data generated by an application and control means (unit) capable of determining whether the communication data may be transmitted based on whether the destination address of the communication data has been acquired from the address resolution system.
  • The communication method includes a step of transmitting communication data generated by an application, and a step of determining whether to transmit the communication data based on whether its destination address has been acquired from an address resolution system capable of searching for the destination address using identification information indicating the destination of the communication data.
  • The program according to the fourth aspect of the present invention causes a computer to execute a process of transmitting communication data generated by an application, and a process of determining whether to transmit the communication data based on whether its destination address has been acquired from an address resolution system capable of searching for the destination address using identification information indicating the destination of the communication data.
  • The program can also be provided as a program product recorded on a non-transitory computer-readable storage medium.
  • With the communication terminal, the communication system, the communication method, and the program according to the present invention, the management cost of filtering can be suppressed when communication is filtered in the communication terminal.
  • FIG. 1 shows an example of a communication system according to a first embodiment of the present invention.
  • A configuration example of the communication terminal of the first embodiment of the present invention is shown. A sequence diagram shows an operation example of the first embodiment. A flowchart shows an operation example of the control unit 11 of the communication terminal 1 of the first embodiment.
  • A configuration example of the communication terminal of the second embodiment of the present invention is shown.
  • An example of a table stored in the notification information DB (database) 13 of the second embodiment is shown.
  • Another example of a table stored in the notification information DB 13 of the second embodiment is shown.
  • A configuration example of the communication terminal of the fifth embodiment of the present invention is shown.
  • An example of a table stored in the processing rule DB 14 of the fifth embodiment is shown.
  • A configuration example of the sixth embodiment of the present invention is shown.
  • An example of the flow table in the sixth embodiment is shown.
  • An example of the communication system of the sixth embodiment is shown.
  • A configuration example of the communication terminal of the sixth embodiment is shown.
  • A configuration example of the communication server of the sixth embodiment is shown.
  • An example of the processing rule of the sixth embodiment is shown.
  • A configuration example of the virtual switch 15 of the sixth embodiment is shown. A sequence diagram shows an operation example of the sixth embodiment. A sequence diagram shows an operation example of the seventh embodiment of the present invention.
  • The communication system according to the first embodiment of the present invention includes a communication terminal 1, a notification device 2, and a network 3, as shown in FIG. 1.
  • The reference numerals of the drawings attached to this summary are attached to the respective elements for convenience, as an aid to understanding, and are not intended to limit the present invention to the illustrated embodiment.
  • The communication terminal 1 performs communication filtering by using address resolution (an address request) for acquiring the address of a communication destination. Because the communication terminal 1 filters communication using address resolution, it is possible, for example, to suppress the management cost otherwise required for managing the applications installed in the communication terminals owned by each user.
  • The communication terminal 1 is a device having a communication function, such as a mobile phone, a smartphone, a personal computer, a tablet terminal, a mobile router, a switch, or a server.
  • The mobile router is a terminal that relays, for example, a mobile phone 3G (Third Generation) line or a wireless LAN (Local Area Network) network.
  • FIG. 2 shows a configuration example of the communication terminal 1 in the first embodiment of the present invention.
  • The communication terminal 1 includes a plurality of applications 10, a control unit (control means) 11, and a communication unit (communication means) 12.
  • At least one of the plurality of applications 10 communicates using, for example, a destination address (an IP (Internet Protocol) address or the like) acquired from an address resolution system such as a DNS server by a DNS (Domain Name System) resolver included in the control unit 11.
  • IP: Internet Protocol
  • DNS: Domain Name System
  • When the destination address of the communication data of an application 10 is unknown, the control unit 11 performs address resolution using a DNS resolver or the like. For example, the control unit 11 transmits identification information included in a URL (Uniform Resource Locator), or identification information such as an FQDN (Fully Qualified Domain Name), to the notification device 2 (a DNS server or the like). The notification device 2 searches for the destination address using the identification information and notifies the control unit 11 of the destination address. The control unit 11 then notifies the application 10 of the destination address returned in response to the request.
  • URL: Uniform Resource Locator
  • FQDN: Fully Qualified Domain Name
  • The control unit 11 determines whether the communication data may be transmitted based on whether the destination address of the communication data generated by the application 10 has been acquired from the address resolution system.
  • Communication data that the control unit 11 permits to be transmitted is transmitted from the communication unit 12.
  • The communication unit 12 is a means for transferring a packet generated from the communication data from the communication terminal 1 to the connection destination, and is, for example, an antenna.
  • The communication terminal 1 transfers the packet to the network 3 using the communication unit 12.
  • The notification device 2 is a device that notifies the communication terminal 1 of the address of its connection destination in response to an address request from the communication terminal 1.
  • The notification device 2 is, for example, a DNS (Domain Name System) server.
  • In response to an address request from the communication terminal 1, the notification device 2 notifies the communication terminal 1 of the destination address corresponding to the identification information of the connection destination supplied by the communication terminal 1.
  • FIG. 3 is a sequence diagram showing an operation example of the first embodiment of the present invention.
  • The communication terminal 1 requests the notification device 2 to resolve the address of the destination, using identification information (such as the domain name or FQDN included in the URL) that uniquely identifies the connection destination (S001).
  • Upon receiving the address request, the notification device 2 notifies the communication terminal 1 of the destination address corresponding to the connection destination identification information supplied by the communication terminal 1 (S002).
  • The communication terminal 1, having received the address notification, transmits a packet using the notified address (S003).
  • FIG. 4 is a flowchart showing an operation example of the control unit 11 included in the communication terminal 1 in the first embodiment of the present invention.
  • The control unit 11 determines whether the destination address of the communication data related to the communication has been acquired from the notification device 2 (S102).
  • When the destination address has been acquired, the control unit 11 transmits a packet corresponding to the communication data toward the destination address (S103).
  • When the destination address has not been acquired from the address resolution system, the control unit 11 does not transfer the packet corresponding to the communication data and, for example, discards it (S104).
  • The control unit 11 of the communication terminal 1 thus performs communication filtering by determining whether to transmit the communication data based on whether the destination address of the communication data generated by the application 10 has been acquired from the address resolution system.
  • The communication terminal 1 can therefore maintain its security even when an unauthorized application is installed in it.
  • Suppose, for example, that an application in which the address of an illegitimate destination is embedded is installed in the communication terminal 1.
  • In that case address resolution by DNS or the like is not performed, and communication to the illegitimate destination embedded in the application would be executed.
  • The communication terminal 1 can prevent communication to a destination address that has not been acquired by address resolution, and thus the security of the communication terminal 1 can be enhanced.
  • In the second embodiment, the communication terminal 1 has a notification information database (DB) 13 that stores the correspondence between a destination address acquired from the notification device 2 and the application 10 that acquired it. Note that the technique of the first embodiment described above can be applied to the second embodiment.
  • The control unit 11 of the communication terminal 1 functions as a means for determining, by referring to the notification information DB 13, whether the destination address of communication data generated by an application 10 has been acquired from the address resolution system.
  • The communication terminal 1 performs communication filtering based on the result of that determination by the control unit 11.
  • The communication system according to the second embodiment of the present invention is the same as that shown in FIG. 1.
  • FIG. 5 shows a configuration example of the communication terminal 1 in the second embodiment of the present invention.
  • The communication terminal 1 has a notification information database (DB) 13 that stores which application was notified of each address received from the notification device 2.
  • In response to acquiring a destination address from the notification device 2, the control unit 11 notifies the application 10 of the acquired destination address. In response to notifying the application 10 of the destination address, the control unit 11 associates the destination address with an identifier that uniquely identifies the application that was notified of it, and stores the pair in the notification information DB 13.
  • FIG. 6 shows an example of a table stored in the notification information DB 13.
  • The notification information DB 13 stores, in association with each other, the address notified to the application 10 by the control unit 11 and an identifier that uniquely identifies that application 10.
  • The control unit 11 refers to the notification information DB 13 to determine whether the destination address of the communication data generated by the application 10 has been acquired from the notification device 2 (that is, whether address resolution has been performed for it).
  • The notification information DB 13 stores, for example, the destination address “210.147.209.89” and the identifier “S” that uniquely identifies the application 10 that acquired that destination address. It further stores, for example, the destination address “210.147.209.90” and the identifier “T” that uniquely identifies the application 10 that acquired that destination address.
  • The control unit 11 refers to the notification information DB 13 in response to receiving communication data from at least one of the plurality of applications 10.
  • When the notification information DB 13 stores the destination address of the communication data in association with the identifier of the application 10 that transmitted that communication data, the control unit 11 determines that the destination address has been acquired from the notification device 2.
  • The control unit 11 refers to the notification information DB 13 using the identifier of the application 10 included in the communication data and the destination address of the communication data.
  • Alternatively, the control unit 11 requests an application identifier from the application 10 that transmitted the communication data, and refers to the notification information DB 13 using the identifier acquired in response to that request together with the destination address.
  • When the destination address and the identifier are not stored in the notification information DB 13 in association with each other, the control unit 11 determines that the destination address has not been acquired from the notification device 2.
  • For example, the control unit 11 refers to the notification information DB 13 in response to receiving a packet with the destination address “210.147.209.89” from the application 10 having the identifier “S”. Since the destination address “210.147.209.89” and the identifier “S” are stored in the notification information DB 13 in association with each other, the control unit 11 determines that the destination address has been acquired from the notification device 2.
  • Likewise, the control unit 11 refers to the notification information DB 13 in response to receiving a packet with the destination address “210.147.209.89” from the application 10 having the identifier “T”. Since the address “210.147.209.89” and the identifier “T” are not stored in the notification information DB 13 in association with each other, the control unit 11 determines that the destination address has not been acquired from the notification device 2.
  • FIG. 7 shows another example of the table stored in the notification information DB 13.
  • In this example, the notification information DB 13 stores the destination address notified to the application 10 by the control unit 11 in association with the port number corresponding to that application 10. Since the port numbers corresponding to the plurality of applications 10 can be assumed to differ from one another, each application 10 can be identified by its port number. Therefore, when the destination address and the port number are stored in the notification information DB 13 in association with each other, the control unit 11 determines that the destination address of the communication data generated by the application 10 has been acquired from the notification device 2.
  • The control unit 11 determines that the destination address of the communication data has not been acquired from the notification device 2 when the destination address and the port number are not stored in the notification information DB 13 in association with each other.
  • The notification information DB 13 stores, for example, the destination address “210.147.209.89” in association with the port number “15” corresponding to the application 10 that acquired that destination address. It further stores, for example, the destination address “210.147.209.90” in association with the port number “16” corresponding to the application 10 that acquired that address.
  • The control unit 11 receives communication data with the destination address “210.147.209.89” from the application 10 corresponding to the port number “15” and refers to the notification information DB 13. Since the destination address “210.147.209.89” and the port number “15” are stored in the notification information DB 13 in association with each other, the control unit 11 determines that the destination address has been acquired from the notification device 2.
  • The control unit 11 receives communication data with the destination address “210.147.209.89” from the application 10 corresponding to the port number “16” and refers to the notification information DB 13.
  • Since the destination address “210.147.209.89” and the port number “16” are not stored in the notification information DB 13 in association with each other, the control unit 11 determines that the destination address has not been acquired from the notification device 2.
  • The control unit 11 transmits the communication data as a packet from the communication unit 12 in response to determining that the destination address has been acquired from the notification device 2.
  • When it determines that the destination address has not been acquired from the notification device 2, the control unit 11 executes a process that rejects transmission of the communication data (for example, discarding the data).
  • The control unit 11 may instead execute a process that transfers the packet to a quarantine network rather than discarding it.
  • FIG. 8 is a flowchart showing an operation example of the control unit 11 included in the communication terminal 1 in the second embodiment of the present invention.
  • The control unit 11 receives a destination address resolution request from at least one of the plurality of applications 10 (S201).
  • In response to receiving the address resolution request, the control unit 11 requests the address from the notification device 2 using the destination identification information (S202).
  • The control unit 11 notifies the application 10 of the destination address acquired from the notification device 2 (S203).
  • In response to notifying the application 10 of the destination address, the control unit 11 associates the notified address with an identifier that uniquely identifies the application (or with the port number corresponding to the application that requested the address) and stores them in the notification information DB 13.
  • When communication occurs (S205), the control unit 11 refers to the notification information DB 13 and determines whether the destination address of the communication has been acquired from the notification device 2 (S206).
  • If it has, the control unit 11 transmits the communication data as a packet to the destination address (S207).
  • If it has not, the control unit 11 executes a process that rejects transmission of the communication data (for example, discarding it) (S208).
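The resolution-gated egress check of the first and second embodiments, written out as an added example (not code from the patent or from its assignee): the control unit records every (address, application identifier) and (address, port number) pair it hands to an application at resolution time, and later releases a packet only if its destination was obtained that way. The notification device is replaced by a constructed name-to-address table, and the application identifiers, ports and addresses are constructed; the identifier and port tables model FIG. 6 and FIG. 7 respectively, and the quarantine option models the alternative to discarding described above.

```python
"""Resolution-gated egress filter modelled on the first and second embodiments.

Added example, not code from the patent or from NEC. The resolver table, the
application identifiers, the port numbers and the addresses are constructed.
"""
from dataclasses import dataclass, field

# Constructed stand-in for the notification device 2 (a DNS server). A real
# terminal would issue DNS queries; here a fixed name -> address table is used.
FAKE_NOTIFICATION_DEVICE = {
    "service-a.example": "210.147.209.89",
    "service-b.example": "210.147.209.90",
}


@dataclass
class NotificationInfoDB:
    """Notification information DB 13: which application was told which address.

    Two tables are kept, matching FIG. 6 (address, application identifier)
    and FIG. 7 (address, port number); either one is enough on its own.
    """
    by_identifier: set = field(default_factory=set)   # {(address, app_id)}
    by_port: set = field(default_factory=set)         # {(address, port)}

    def record(self, address, app_id, port):
        self.by_identifier.add((address, app_id))
        self.by_port.add((address, port))

    def was_resolved_for(self, address, app_id=None, port=None):
        """True if this address was handed to this application by resolution."""
        if app_id is not None:
            return (address, app_id) in self.by_identifier
        if port is not None:
            return (address, port) in self.by_port
        return False


class ControlUnit:
    """Control unit 11: resolves names for applications and gates their packets."""

    def __init__(self, resolver, quarantine=False):
        self.resolver = resolver          # name -> address lookup
        self.db = NotificationInfoDB()
        self.quarantine = quarantine      # forward rejected packets to quarantine

    def resolve(self, app_id, port, name):
        """S201-S203: look up the name, notify the app and remember the pairing."""
        address = self.resolver.get(name)
        if address is None:
            return None                   # resolution failed: nothing recorded
        self.db.record(address, app_id, port)
        return address

    def handle(self, dst_address, app_id=None, port=None):
        """S205-S208: allow a packet only if its destination came from resolution."""
        if self.db.was_resolved_for(dst_address, app_id=app_id, port=port):
            return "transmit"
        return "quarantine" if self.quarantine else "discard"


def demo():
    """Application S (port 15) resolves a name; T (port 16) never did."""
    cu = ControlUnit(FAKE_NOTIFICATION_DEVICE)
    addr = cu.resolve("S", 15, "service-a.example")
    return {
        "S_resolved": cu.handle(addr, app_id="S"),         # FIG. 6 lookup
        "T_same_addr": cu.handle(addr, app_id="T"),        # T did not resolve it
        "port15": cu.handle(addr, port=15),                # FIG. 7 lookup
        "port16": cu.handle(addr, port=16),
        "S_hardcoded": cu.handle("203.0.113.7", app_id="S"),  # embedded address
    }


if __name__ == "__main__":
    for case, action in demo().items():
        print(f"{case}: {action}")
```

The two lookup tables are populated together so the reader can compare the identifier-based and port-based variants on the same traffic; a real terminal would keep whichever key it can attribute reliably to the sending application.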
  • In the third embodiment, the notification information DB 13 of the communication terminal 1 stores, in association with each other, a destination address, an identifier that uniquely identifies the application that acquired that destination address (or the port number corresponding to the application that requested the address), and the identification information of the communication connection destination.
  • Any of the techniques of the first and second embodiments described above can be applied to the third embodiment.
  • The control unit 11 of the communication terminal 1 refers to the notification information DB 13 and determines, using the destination address and the identifier (or port number) of the application 10, whether a search for the connection destination identification information succeeds.
  • When the destination address of the communication data has been acquired from the notification device 2, the control unit 11 succeeds in finding the connection destination identification information.
  • When it has not, the control unit 11 fails to find the connection destination identification information. Therefore, in the third embodiment, the control unit 11 determines whether the destination address of the communication data has been acquired from the notification device 2 by determining whether the search for the connection destination identification information succeeds, and communication filtering is performed as a result.
  • The communication system of the third embodiment includes a communication terminal 1, a notification device 2, a network 3, and a service providing device 4 (the connection destination).
  • The service providing device 4 is the device to which the communication terminal 1 connects, and provides services to the communication terminal 1.
  • The service providing device 4 is, for example, a Web server.
  • The service providing device 4 is not limited to one; there may be a plurality.
  • The communication terminal 1 according to the third embodiment of the present invention is the same as that of FIG.
  • The application 10 notifies the notification device 2 of the service identification information of the service providing device 4 described above as the connection destination identification information.
  • The service identification information is identification information other than the address that can uniquely identify the service providing device 4, such as the name of the service providing device 4 or the name of the service it provides.
  • At least one of the plurality of applications 10 transmits a packet using the address notified by the notification device 2, and communicates with the service providing device 4.
  • The control unit 11 notifies the destination address acquired from the notification device 2 to the application 10 that requested the address. In response to notifying the application 10 of the destination address, the control unit 11 stores the notified destination address, the identifier that uniquely identifies the application 10 that requested it, and the service identification information of the service providing device 4 in the notification information DB 13 in association with each other.
  • The identifier that uniquely identifies the application 10 that requested the destination address may be the port number corresponding to that application 10.
  • FIG. 10 shows an example of a table stored in the notification information DB 13.
  • The notification information DB 13 stores an identifier that uniquely identifies the application 10.
  • A port number corresponding to the application that requested the address may be used instead of the identifier.
  • The notification information DB 13 stores, in association with each other, the address notified to the application 10 by the control unit 11, the identifier that uniquely identifies the application 10 that requested the address, and the service identification information of the service providing device 4 corresponding to that address.
  • For example, the notification information DB 13 stores the destination address “210.147.209.89”, the identifier “S” that uniquely identifies the application 10 that requested the address, and the service identification information “AAA” of the service providing device 4 corresponding to the address, in association with each other.
  • The control unit 11 receives communication data from at least one of the plurality of applications 10.
  • The control unit 11 refers to the notification information DB 13 and searches for service identification information using the destination address of the received communication data and the identifier of the application 10 that is the transmission source of the communication data.
  • For example, when the control unit 11 receives communication data with the destination address “210.147.209.89” from the application 10 with the identifier “S” and refers to the notification information DB 13 using that identifier and destination address, the search for the service identification information “AAA” succeeds.
  • When the control unit 11 receives communication data with the destination address “210.147.209.89” from the application 10 with the identifier “T” and refers to the notification information DB 13 using that identifier and destination address, the search for the service identification information “AAA” fails.
  • The control unit 11 transmits the communication data as a packet when the service identification information is successfully retrieved.
  • When the search fails, the control unit 11 executes a process (for example, discarding) that rejects transmission of the communication data.
  • The control unit 11 may instead execute a process that transfers the packet to a quarantine network rather than discarding it.
  • In response to receiving an address request from the communication terminal 1, the notification device 2 searches for the address of the service providing device 4 corresponding to the notified service identifier and notifies the communication terminal 1 of the address found.
  • FIG. 11 is a flowchart showing an operation example of the control unit 11 included in the communication terminal 1 in the third embodiment of the present invention.
  • The control unit 11 receives a request for the destination address of a connection destination from at least one of the plurality of applications 10 (S301).
  • In response to receiving the address request, the control unit 11 notifies the notification device 2 of the service identification information and transmits a destination address resolution request (S302).
  • The control unit 11 notifies the application 10 that requested the address of the address notified by the notification device 2 (S303).
  • In response to notifying the application 10 of the destination address, the control unit 11 stores the destination address, an identifier (or the port number corresponding to the application) that uniquely identifies the application that requested the destination address, and the service identification information of the service providing device in the notification information DB 13 in association with each other (S304).
  • When communication occurs (S305), the control unit 11 refers to the notification information DB 13 and searches for the service identification information (S306).
  • If the search succeeds, the control unit 11 transmits the communication data as a packet (S307).
  • If the search fails, the control unit 11 does not transfer the packet and, for example, discards it (S308).
  • The communication terminal 1 includes a processing rule DB 14 that stores rules for processing packets.
  • The control unit 11 of the communication terminal 1 can determine the processing of a packet corresponding to at least one of the plurality of applications by referring to the processing rule DB 14.
  • the communication system according to the fourth embodiment of the present invention is the same as that shown in FIG.
  • FIG. 12 shows a configuration example of the communication terminal 1 in the fourth embodiment of the present invention.
  • the communication terminal 1 has a processing rule DB 14 that stores processing rules for processing packets.
  • In response to acquiring the destination address from the notification device 2, the control unit 11 notifies the destination address to the application 10 that requested it. In response to notifying the application 10 of the destination address, the control unit 11 stores a processing rule for processing the packet in the processing rule DB 14.
  • the processing rule DB 14 stores processing rules for processing packets.
  • The processing rule DB 14 stores an identifier that uniquely identifies the application 10.
  • a port number corresponding to the application that requested the address may be used instead of the identifier.
  • FIG. 13 shows an example of a table stored in the processing rule DB 14.
  • the processing rule DB 14 stores a destination address notified to the application 10 by the control unit 11, an identifier for uniquely identifying the application 10, and processing contents indicating processing for a packet in association with each other.
  • the processing rule DB 14 stores, for example, a destination address “210.147.209.89”, an identifier “S” of the application 10 that requested the address, and “transfer” as processing contents indicating processing for the packet in association with each other.
  • The processing rule DB 14 also stores, for example, the destination address “210.147.209.89”, the identifier “others” (meaning any application other than S), and “discard” as the processing content for the packet, in association with each other.
  • The processing rule DB 14 likewise stores, for example, the destination address “210.147.209.90”, the identifier “others” (meaning any application other than T), and “rewrite the destination address to xxx and transfer (transfer to the quarantine network)” as the processing content, in association with each other.
  • In other words, the processing rule DB 14 stores the processing content “transfer” in association with the identifier of the application 10 that acquired the destination address from the notification device 2.
  • The processing rule DB 14 stores the processing content “discard” or “transfer to the quarantine network” in association with the identifier of any application 10 that did not acquire the destination address from the notification device 2.
  • In response to receiving a packet corresponding to communication data generated by one of the applications 10, the control unit 11 refers to the processing rule DB 14 and extracts the processing content for the received packet based on the destination address included in the packet and the identifier of the application 10.
  • FIG. 14 is a flowchart showing an operation example of the control unit 11 included in the communication terminal 1 in the fourth embodiment of the present invention.
  • control unit 11 receives a request for a destination address of a connection destination from at least one of a plurality of applications (S401).
  • In response to receiving the request for the destination address, the control unit 11 notifies the notification device 2 of, for example, the service identification information and requests the address (S402).
  • the control unit 11 notifies the destination address acquired from the notification device 2 to the application 10 that requested the destination address (S403).
  • the control unit 11 stores the processing rule for processing the packet in the processing rule DB 14 in response to the notification of the destination address to the application 10 (S404).
  • When communication occurs (S405), the control unit 11 refers to the processing rule DB 14 and searches for a processing rule for the packet based on the destination address and the identifier of the application 10 (S406).
  • If a processing rule is found, the control unit 11 processes the received packet according to it (S407).
  • If no processing rule is found, the control unit 11 does not transfer the packet and, for example, discards it (S408).
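The third and fourth embodiments above (S301 to S308 and S401 to S408) amount to a small per-application policy engine: a destination is only usable by the application that resolved it through the notification device. The following Python is an added example, not the patent's code; the notification device stand-in, the class and method names and the quarantine address are assumptions, and the sample identifiers mirror FIG. 13.

```python
"""Destination filtering keyed on (application, resolved address)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

QUARANTINE_ADDRESS = "192.0.2.250"  # constructed placeholder for the quarantine network


@dataclass
class Rule:
    """One row of the processing rule DB 14 (FIG. 13)."""
    action: str                    # "transfer", "discard" or "rewrite"
    rewrite_to: Optional[str] = None


@dataclass
class TerminalControlUnit:
    """Models control unit 11 together with notification information DB 13
    and processing rule DB 14 (assumed names)."""
    # notification information DB 13: (application id, destination) -> service identification
    notification_db: Dict[Tuple[str, str], str] = field(default_factory=dict)
    # processing rule DB 14: (destination, application id or "others") -> Rule
    rule_db: Dict[Tuple[str, str], Rule] = field(default_factory=dict)

    def resolve(self, app_id: str, service_id: str,
                notification_device: Callable[[str], str],
                others: str = "discard") -> str:
        """S402-S404: resolve via the notification device, hand the address to
        the application and record who resolved it plus the rules for it.
        `others` is the treatment of every other application that later sends
        to this destination: "discard" or "quarantine" (rewrite and transfer)."""
        dest = notification_device(service_id)
        self.notification_db[(app_id, dest)] = service_id
        self.rule_db[(dest, app_id)] = Rule("transfer")
        if others == "quarantine":
            self.rule_db[(dest, "others")] = Rule("rewrite", QUARANTINE_ADDRESS)
        else:
            self.rule_db[(dest, "others")] = Rule("discard")
        return dest

    def lookup_service(self, app_id: str, dest: str) -> Optional[str]:
        """S306 (third embodiment): None means this application never resolved dest."""
        return self.notification_db.get((app_id, dest))

    def handle_packet(self, app_id: str, dest: str) -> Tuple[str, str]:
        """S405-S408 (fourth embodiment): returns (action, effective destination)."""
        rule = self.rule_db.get((dest, app_id)) or self.rule_db.get((dest, "others"))
        if rule is None:
            return ("discard", dest)               # S408: no rule for this destination at all
        if rule.action == "rewrite":
            return ("transfer", rule.rewrite_to or dest)   # redirected to the quarantine network
        return (rule.action, dest)


def constructed_notification_device(service_id: str) -> str:
    """Stands in for notification device 2 with a constructed table."""
    return {"AAA": "210.147.209.89", "BBB": "210.147.209.90"}[service_id]


def demo() -> dict:
    """Replays the FIG. 13 situation: S resolved .89 (others discarded),
    T resolved .90 (others sent to quarantine)."""
    cu = TerminalControlUnit()
    cu.resolve("S", "AAA", constructed_notification_device, others="discard")
    cu.resolve("T", "BBB", constructed_notification_device, others="quarantine")
    return {
        "S_to_89": cu.handle_packet("S", "210.147.209.89"),
        "T_to_89": cu.handle_packet("T", "210.147.209.89"),
        "S_to_90": cu.handle_packet("S", "210.147.209.90"),
        "unresolved": cu.handle_packet("U", "203.0.113.7"),
        "S_service": cu.lookup_service("S", "210.147.209.89"),
        "T_service": cu.lookup_service("T", "210.147.209.89"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```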
  • In the fifth embodiment, the communication terminal 1 can select the RAT (Radio Access Technology), that is, the communication method used for communication, according to the service identification information of the connection destination. Note that the techniques of the first to fourth embodiments described above can be applied to the fifth embodiment.
  • The communication terminal 1 includes a notification information DB 13 that stores the correspondence between a destination address acquired from the notification device 2 and an application, and a processing rule DB 14 that stores processing rules for packets.
  • The communication unit 12 includes a communication interface for each of a plurality of communication methods (RATs).
  • The control unit 11 of the communication terminal 1 refers to the notification information DB 13 to determine whether the destination address was acquired from the notification device 2, and then refers to the processing rule DB 14 to determine the process to apply to the received packet.
  • the communication system according to the fifth embodiment of the present invention is the same as that shown in FIG.
  • FIG. 15 shows a configuration example of the communication terminal 1 in the fifth embodiment of the present invention.
  • the communication terminal 1 includes a notification information DB 13 and a processing rule DB 14.
  • The control unit 11 notifies the application 10 of the destination address in response to acquiring it from the notification device 2. When it does so, the control unit 11 stores the destination address, an identifier that uniquely identifies the application 10 (or a port number corresponding to the application), and the service identification information of the service providing device 4 corresponding to the address in the notification information DB 13, in association with one another.
  • the example of the table stored in the notification information DB 13 in the fifth embodiment of the present invention is the same as the example shown in FIG. 6, FIG. 7, or FIG.
  • In the following, the notification information DB 13 is assumed to hold the table shown in FIG. 6.
  • When communication occurs, the control unit 11 determines whether the destination address and the identifier of the application 10 that acquired it are stored in association in the notification information DB 13.
  • If they are, the control unit 11 refers to the processing rule DB 14 and processes the packet accordingly.
  • If the destination address and the identifier of the application 10 are not stored in association in the notification information DB 13, the control unit 11 discards the packet. Note that the control unit 11 may instead transfer the packet to the quarantine network.
  • FIG. 16 shows an example of a table stored in the processing rule DB 14 in the fifth embodiment of the present invention.
  • the processing rule DB 14 stores a communication type and a processing content applied to a packet in association with each other.
  • the communication type is, for example, a type of communication service identified from the packet port number or the like.
  • the communication type is not limited to the port number of the packet, and may be identified based on other information.
  • the processing rule DB 14 of the fifth embodiment defines processing for selecting a communication method (RAT) according to the communication type.
  • the processing rule DB 14 stores, for example, the communication type “A” and “transfer packet from the communication interface corresponding to WiFi” as the processing content corresponding to the communication type in association with each other.
  • The processing rule DB 14 associates, for example, the communication type “B” with “transfer the packet from the communication interface corresponding to 3G (Third Generation) / LTE (Long Term Evolution)” as the processing content for that communication type.
  • When communication occurs, the control unit 11 refers to the processing rule DB 14 based on, for example, the port number of the communication and searches for the communication type corresponding to the port number and the processing content of that communication type.
  • When no processing content is found, the control unit 11 “discards” the packet or “transfers it to the quarantine network”.
  • the sixth embodiment of the present invention shows an example in which the present invention is implemented by improving the technique called OpenFlow, which is a centralized control type network architecture.
  • the sixth embodiment can be applied to any of the above-described embodiments.
  • OpenFlow recognizes communication as an end-to-end flow, and can perform path control and the like on a per-flow basis.
  • FIG. 17 shows an outline of a communication system configured with OpenFlow technology.
  • a flow is a series of communication packets having predetermined attributes (attributes identified based on a communication destination, a transmission source, and the like), for example.
  • the OpenFlow switch (OpenFlow Switch) 51 is a network switch that employs OpenFlow technology.
  • the OpenFlow controller (OpenFlow controller) 50 is an information processing apparatus that controls the OpenFlow switch 51.
  • the OpenFlow switch 51 communicates with the OpenFlow controller 50 via a secure channel 52 that is set up with the OpenFlow controller 50.
  • the OpenFlow controller 50 sets the flow table (Flow Table) 510 of the OpenFlow switch 51 via the secure channel 52.
  • the secure channel 52 is a communication path on which measures for preventing eavesdropping or falsification of communication between the switch and the controller are taken.
  • FIG. 18 shows a configuration example of each entry (flow entry) in the flow table 510.
  • A flow entry is composed of a matching rule (Match Fields) matched against information in the header of a packet received by the switch (for example, the destination IP address or the VLAN ID (Virtual Local Area Network Identifier)), statistical information (Counters) for each packet flow, and instructions (Instructions) that define how a packet matching the rule is processed.
  • When the OpenFlow switch 51 receives a packet, it refers to the flow table 510.
  • The OpenFlow switch 51 searches for a flow entry that matches the header information of the received packet.
  • The OpenFlow switch 51 processes the received packet according to the processing method defined in the instruction field of the found entry.
  • The processing method specifies, for example, “transfer the received packet from a predetermined port”, “discard the received packet”, or “rewrite part of the header of the received packet and transfer it from a predetermined port”.
  • If no matching flow entry is found, the OpenFlow switch 51 transfers the received packet to the OpenFlow controller 50 via the secure channel 52, for example.
  • By transferring the received packet, the OpenFlow switch 51 requests the OpenFlow controller 50 to set a flow entry that defines how the packet is to be processed.
  • The OpenFlow switch 51 may also request the controller to set a flow entry when a packet matches a flow entry whose instruction specifies that a request is to be transmitted to the controller.
  • The OpenFlow controller 50 determines the processing method for the received packet and sets a flow entry including the determined processing method in the flow table 510. After that, the OpenFlow switch 51 processes subsequent packets belonging to the same flow as the received packet according to the set flow entry.
  • FIG. 19 shows an example of a communication system according to the sixth embodiment of the present invention.
  • the sixth embodiment of the present invention includes a communication terminal 1, a notification device 2, a network 3, a service providing device 4, and a control server 6.
  • the control server 6 can communicate with the communication terminal 1 according to the OpenFlow protocol. Note that the function of the notification device 2 and the function of the control server 6 may be implemented in the same device. Further, the function of the communication terminal 1 and the function of the control server 6 may be implemented in the same device.
  • FIG. 20 is a diagram showing an example of the configuration of the communication terminal 1 in the sixth embodiment of the present invention.
  • the communication terminal 1 includes a plurality of applications 10, a virtual switch 15, a plurality of switch ports 16, and at least one communication interface 17.
  • a plurality of communication interfaces 17 are illustrated, but the number of communication interfaces 17 may be one.
  • Each communication interface 17 corresponds to, for example, a predetermined communication method (RAT).
  • the communication terminal 1 has a virtual switch 15 configured by improving the OpenFlow switch.
  • the virtual switch 15 is configured by software (virtual switch), but the present invention may be configured by hardware.
  • the virtual switch 15 has the same function as the control unit 11 illustrated in FIG. Further, the virtual switch 15 has a function of operating according to an instruction transmitted from the control server 6.
  • Each application 10 is connected to the switch port 16.
  • the communication interface 17 is connected to the switch port 16.
  • FIG. 21 shows an example of the configuration of the control server 6.
  • the control server 6 includes a communication unit 60, a processing rule determination unit 61, a management DB 62, a terminal management unit 63, and a notification information DB 64.
  • the communication unit 60 has a function of communicating with the communication terminal 1 based on the OpenFlow protocol.
  • the communication unit 60 receives a request for a packet processing rule (corresponding to the above-mentioned “flow entry”) from the communication terminal 1.
  • the communication unit 60 notifies the communication terminal 1 of the processing rule.
  • the notification information DB 64 is a database that manages information (for example, FIGS. 6, 7, and 10) related to the notification information exemplified in the above-described embodiment.
  • the notification information DB 64 has a database composed of information related to notification information (for example, FIGS. 6, 7, and 10) for each communication terminal 1 managed by the control server 6.
  • The communication terminal 1 notifies the control server 6 of the destination address and of information (for example, a port number) identifying the application corresponding to the destination address.
  • the notification information DB 64 stores, for example, information received from the virtual switch 15 of each communication terminal 1 (for example, information for identifying a destination address and an application).
  • the notification information DB 64 may store the service identification information of the service providing apparatus 4 corresponding to the destination address in association with the destination address and the information for identifying the application.
  • the processing rule determination unit 61 determines a processing rule to be set in the virtual switch 15 of the communication terminal 1.
  • the processing rule determination unit 61 refers to the information included in the notification information DB 64 and the terminal management unit 63 and generates a processing rule to be set in the virtual switch.
  • The terminal management unit 63 manages, for example, the SSID of a wireless LAN access point to which the communication terminal 1 can connect, position information of the communication terminal 1, and information (for example, application identifiers) about the applications installed in the communication terminal 1. For example, the terminal management unit 63 transmits a collection request for such information to the communication terminal 1 and collects the information, for example at a predetermined cycle.
  • the terminal management unit 63 manages, for example, the connection relationship between the switch port 16 and the application for the communication terminal 1. Further, the terminal management unit 63 manages, for example, the connection relationship between the switch port 16 and the communication interface 12 for the communication terminal 1.
  • a communication device such as a network switch compliant with OpenFlow has a function (Port Status) for notifying the controller of the port status of the communication device and a function (Feature Request / Reply) for notifying the controller of the characteristics of the switch.
  • the terminal management unit 63 may collect information from the communication terminal 1 using these functions.
  • the virtual switch 15 of each communication terminal 1 can request the control server 6 for a processing rule for processing a packet.
  • In response to a request from the virtual switch 15, the processing rule determination unit 61 refers to the notification information DB 64 and determines whether the destination address of the packet corresponding to the request and the identifier of the application 10 that transmitted the packet are stored in association with each other. If they are, the processing rule determination unit 61 determines that the destination address was acquired from the notification device 2.
  • In that case, the processing rule determination unit 61 creates a processing rule for transferring the packet.
  • Otherwise, the processing rule determination unit 61 creates a processing rule for discarding the packet. Note that it may instead create a processing rule for transferring the packet to the quarantine network.
  • the processing rule determination unit 61 stores the generated processing rule in the management DB 62.
  • FIG. 22 shows an example of processing rules generated by the processing rule determination unit 61.
  • the processing rule determination unit 61 defines a destination address of a packet corresponding to a request from the virtual switch 15 and a port number of the packet as a matching rule.
  • As the processing method (“Instruction”) corresponding to the matching rule, the processing rule determination unit 61 defines, for example, transferring the packet from the switch port 16 corresponding to the communication method (RAT) selected for that destination address and port number.
  • The matching rule of the processing rule on the first line is “destination address is “A” and port number is “80””.
  • The instruction of the processing rule on the first line indicates that the packet is transferred to the switch port 16 corresponding to WiFi.
  • The matching rule of the processing rule on the third line is “destination address is “A” and port number is “110””.
  • The instruction of the processing rule on the third line indicates that the packet is discarded.
  • FIG. 23 shows an example of the configuration of the virtual switch 15.
  • The virtual switch 15 includes a communication unit 150, a processing rule DB 151, and a processing unit 152.
  • The processing unit 152 includes a process search unit 153 and an action execution unit 154.
  • the communication unit 150 communicates with the control server 6 according to the OpenFlow protocol.
  • the processing rule DB 151 stores the processing rule notified from the control server 6.
  • the processing unit 152 processes the packet according to the processing rule notified from the control server 6.
  • the process search unit 153 searches the process rule DB 151 for a process rule corresponding to the received packet.
  • The process search unit 153 compares the packet with the “Match Fields” of the processing rules stored in the processing rule DB 151 to find the processing rule corresponding to the packet.
  • the action execution unit 154 processes the packet according to the processing method defined in the “Instruction” field of the searched processing rule.
  • the processing search unit 153 requests the control server 6 to set the processing rule.
  • FIG. 24 is a sequence diagram showing an operation example of the sixth embodiment of the present invention.
  • When transmitting a packet, the communication terminal 1 requests, via the control server 6, the destination address of the service providing device 4 that is the transmission destination of the packet from the notification device 2 (S601 and S602). Note that the communication terminal 1 may request the destination address from the notification device 2 without going through the control server 6; in that case the notification device 2 notifies the communication terminal 1 of the destination address directly, and the communication terminal 1 then notifies the control server 6 of the address it acquired.
  • Upon receiving the address request, the notification device 2 notifies the communication terminal 1 of the address via the control server 6 (S603 and S604).
  • Upon receiving the address notification, the communication terminal 1 requests a processing rule for the packet from the control server 6 when it transmits a packet using the notified address (S605).
  • the control server 6 notifies the communication terminal 1 of a processing rule for processing the packet (Flow Mod in S606).
  • the communication terminal 1 transfers the packet based on the processing rule notified from the control server 6 (S607).
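The request, Flow Mod and forwarding steps of FIG. 24 (S605 to S607), together with the rule generation of FIG. 22 and the table-miss behaviour described for OpenFlow, as an added Python example that is not the patent's or OpenFlow's own code; the class names, the RAT-to-switch-port table and the `terminal-1` identifier are assumptions, and the application is identified by its port number as the text allows.

```python
"""Control server 6 and virtual switch 15 exchanging OpenFlow-style flow entries."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Match = Tuple[str, int]          # (destination address, port number), the FIG. 22 matching rule


@dataclass
class FlowEntry:
    """A processing rule in the shape of a flow entry (FIG. 18)."""
    match: Match
    instruction: str             # e.g. "output:<switch port>" or "drop"
    counters: int = 0            # packets that matched this entry (Counters field)


class ControlServer:
    """Control server 6: notification information DB 64 plus processing rule
    determination unit 61 (assumed names)."""

    # constructed mapping from communication type (identified by port) to the
    # switch port 16 of the RAT the server wants used (fifth/sixth embodiments)
    RAT_PORT_BY_SERVICE_PORT = {80: "port-wifi", 443: "port-wifi", 25: "port-3g-lte"}

    def __init__(self) -> None:
        # notification information DB 64: (terminal, destination, application port) -> service id
        self.notification_db: Dict[Tuple[str, str, int], str] = {}
        self.management_db: List[FlowEntry] = []      # management DB 62

    def record_notification(self, terminal: str, dest: str, app_port: int, service: str) -> None:
        """Stores what the terminal reports once notification device 2 answered (S603/S604)."""
        self.notification_db[(terminal, dest, app_port)] = service

    def determine_rule(self, terminal: str, dest: str, port: int) -> FlowEntry:
        """Processing rule determination: forward only if this address was acquired
        through the notification device for this application; otherwise drop."""
        if (terminal, dest, port) in self.notification_db:
            out_port = self.RAT_PORT_BY_SERVICE_PORT.get(port, "port-wifi")
            entry = FlowEntry((dest, port), f"output:{out_port}")
        else:
            entry = FlowEntry((dest, port), "drop")
        self.management_db.append(entry)
        return entry


class VirtualSwitch:
    """Virtual switch 15 with a flow table standing in for processing rule DB 151."""

    def __init__(self, name: str, controller: ControlServer) -> None:
        self.name = name
        self.controller = controller
        self.flow_table: List[FlowEntry] = []
        self.controller_requests = 0          # how often we had to ask the controller

    def search(self, match: Match) -> Optional[FlowEntry]:
        """Process search unit 153: compare the packet with each entry's Match Fields."""
        for entry in self.flow_table:
            if entry.match == match:
                return entry
        return None

    def handle_packet(self, dest: str, port: int) -> str:
        """Returns the instruction applied to the packet (action execution unit 154)."""
        match = (dest, port)
        entry = self.search(match)
        if entry is None:
            # table miss: request a processing rule from the control server (S605)
            self.controller_requests += 1
            entry = self.controller.determine_rule(self.name, dest, port)
            self.flow_table.append(entry)     # Flow Mod installs the entry (S606)
        entry.counters += 1
        return entry.instruction              # S607: transfer (or drop) per the rule


def demo() -> dict:
    """Constructed scenario: the application on port 80 resolved "A" through the
    notification device; nothing on port 110 did (FIG. 22, lines 1 and 3)."""
    server = ControlServer()
    switch = VirtualSwitch("terminal-1", server)
    server.record_notification("terminal-1", "A", 80, "AAA")
    first = switch.handle_packet("A", 80)
    second = switch.handle_packet("A", 80)    # same flow: served from the table, no new request
    rogue = switch.handle_packet("A", 110)    # address not acquired for this application
    return {"first": first, "second": second, "rogue": rogue,
            "requests": switch.controller_requests,
            "counters": switch.search(("A", 80)).counters}


if __name__ == "__main__":
    print(demo())
```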
  • the seventh embodiment of the present invention shows another example in which the present invention is implemented by improving the technique called OpenFlow, which is a centralized network architecture.
  • the seventh embodiment can be applied to any of the above-described embodiments.
  • The processing rule determination unit 61 of the control server 6 notifies the communication terminal 1 in advance of a processing rule for the packet, in response to receiving an address from the notification device 2. Therefore, the communication terminal 1 does not need to request a processing rule when transmitting a packet.
  • the communication system according to the seventh embodiment of the present invention is the same as that shown in FIG.
  • a configuration example of the control server 6 according to the seventh embodiment of the present invention is the same as that shown in FIG.
  • the processing rule determination unit 61 determines a processing rule to be set in the virtual switch 15 of the communication terminal 1.
  • the processing rule determination unit 61 refers to information held by the terminal management unit 63 and generates a processing rule to be set in the virtual switch.
  • The processing rule determination unit 61 sets, in the communication terminal 1 to which the address is notified, a processing rule for processing the packet.
  • For example, the processing rule determination unit 61 sets in advance a processing rule for transferring packets transmitted by the application 10 that requested the address.
  • For example, in response to receiving an address from the notification device 2, the processing rule determination unit 61 also sets in advance, in the communication terminal 1, a processing rule for discarding packets transmitted by applications 10 that did not request the address, or a processing rule for transferring them to the quarantine network.
  • FIG. 25 is a sequence diagram showing an operation example of the seventh embodiment of the present invention.
  • When transmitting a packet, the communication terminal 1 requests, via the control server 6, the address of the service providing device 4 that is the transmission destination of the packet from the notification device 2 (S801 and S802).
  • Upon receiving the address request, the notification device 2 notifies the control server 6 of the address (S803).
  • The control server 6 notifies the communication terminal 1 of the address received from the notification device 2 (S804).
  • The control server 6 sets a processing rule for processing the packet in the communication terminal 1 to which it notified the address (S805).
  • the communication terminal 1 that has received the notification of the address transfers a packet including the notified address based on the processing rule notified from the control server 6 (S806).

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Communication Control (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present invention relates to a communication terminal provided with communication means capable of transmitting communication data generated by an application, and control means capable of determining whether or not transmission of the communication data is permitted, based on whether or not the destination address of the communication data was acquired from an address resolution system capable of retrieving the destination address by means of identification information indicating the destination of the communication data. By filtering communications within the communication terminal, it becomes possible to reduce the management costs of filtering.
PCT/JP2014/071568 2013-08-20 2014-08-18 Terminal de communication, système de communication, procédé de communication, et programme WO2015025817A1 (fr)

Priority Applications (1)

Application Number Priority Date Filing Date Title
JP2015532850A JPWO2015025817A1 (ja) 2013-08-20 2014-08-18 通信端末、通信システム、通信方法およびプログラム

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
JP2013170013 2013-08-20
JP2013-170013 2013-08-20

Publications (1)

Publication Number Publication Date
WO2015025817A1 true WO2015025817A1 (fr) 2015-02-26

Family

ID=52483592

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2014/071568 WO2015025817A1 (fr) 2013-08-20 2014-08-18 Terminal de communication, système de communication, procédé de communication, et programme

Country Status (2)

Country Link
JP (1) JPWO2015025817A1 (fr)
WO (1) WO2015025817A1 (fr)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2007005961A (ja) * 2005-06-22 2007-01-11 Hikari Hiyo 着信者主導による通信方法及び通信システム及び電子決済システム
JP2012509005A (ja) * 2008-11-13 2012-04-12 テレフオンアクチーボラゲット エル エム エリクソン(パブル) 通信サービスを制御するための方法及び装置
JP2014036391A (ja) * 2012-08-10 2014-02-24 Ricoh Co Ltd 通信装置,通信システム,およびプログラム

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
TAKESHI OKAMOTO: "Packet Filtering Using DNS Responses against Worm Propagation", TRANSACTIONS OF INFORMATION PROCESSING SOCIETY OF JAPAN, vol. 45, no. 10, 15 October 2004 (2004-10-15), pages 2407 - 2415 *

Also Published As

Publication number Publication date
JPWO2015025817A1 (ja) 2017-03-02

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 14838166; Country of ref document: EP; Kind code of ref document: A1)
ENP Entry into the national phase (Ref document number: 2015532850; Country of ref document: JP; Kind code of ref document: A)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 14838166; Country of ref document: EP; Kind code of ref document: A1)