WO2020039705A1 - Communication relay device - Google Patents

Info

Publication number
WO2020039705A1
Authority
WO
WIPO (PCT)
Prior art keywords
communication
unit
elements
buffer
bit width
Application number
PCT/JP2019/023219
Other languages
French (fr)
Japanese (ja)
Inventor
寛 岩澤 (Hiroshi Iwasawa)
遠藤 浩通 (Hiromichi Endo)
Original Assignee
株式会社日立製作所 (Hitachi, Ltd.)
Application filed by Hitachi, Ltd. (株式会社日立製作所)
Publication of WO2020039705A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 12/00 Data switching networks
    • H04L 12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L 12/46 Interconnection of networks

Definitions

  • the present invention relates to a communication relay device.
  • a control system that controls facilities such as plants and assembly equipment must maintain safe and stable operation.
  • one such threat is that data with incorrect contents is transmitted over the control system network with the intention of inhibiting the operation of the control device or causing it to perform an erroneous operation.
  • IPS (Intrusion Prevention System)
  • Japanese Patent Application Laid-Open No. H11-163873 (Patent Literature 1) discloses "a determination unit that determines a feature value indicating a feature of a received communication frame and determines whether the feature value satisfies a condition, and a change unit that, when the feature value is determined not to satisfy the condition, changes a part of the plurality of elements that are sequentially received and transmitted".
  • This communication relay device detects unauthorized communication using a buffer, and when an unauthorized communication is received, a part of the plurality of elements of the communication frame is changed before the elements are sequentially transmitted to the external device. Unauthorized communication can thus be detected with a small delay time.
  • the communication relay device described in Patent Literature 1 suppresses the delay caused by relaying the communication frame, but its internal buffer is made to operate at the communication speed of the input communication frame (for example, 100 MHz in the case of a 100 Mbps network). Therefore, as described later, the power consumption of the relay processing is not necessarily optimized.
  • a communication relay device according to the present invention includes a receiving unit that sequentially receives a plurality of elements in a communication frame transmitted from a first communication device,
  • a plurality of buffer units that sequentially store and output the plurality of elements received by the receiving unit, the buffer units having different combinations of the number of elements per operation unit and the operation speed, and a comparison unit provided for each buffer unit that compares the elements corresponding to the number of elements of that buffer unit with the passage condition of that buffer unit,
  • a changing unit that transmits the plurality of elements in order and changes the element corresponding to a first area in the communication frame when any of the comparison units determines that the passage condition is not satisfied,
  • and a transmitting unit that sequentially transmits the plurality of elements output from the changing unit to a second communication device.
  • according to the present invention, power consumption can be reduced while coping with various types of unauthorized communication. Problems, configurations, and effects other than those described above will become apparent from the following description of the embodiments.
  • FIG. 1 is a diagram illustrating a configuration example of an entire control system including a communication relay device according to a first embodiment of the present invention.
  • FIG. 2 is a block diagram illustrating an example of the internal configuration of the communication relay device according to the first embodiment of the present invention.
  • FIG. 3 is a diagram showing an example of the format of a communication frame.
  • FIG. 11 is a block diagram illustrating a schematic configuration example of a communication relay device according to a second embodiment of the present invention.
  • FIG. 4 is a block diagram illustrating a hardware configuration example of a computer included in the communication relay device.
  • FIG. 1 is a diagram illustrating a configuration example of an entire control system including a communication relay device 1 according to the first embodiment.
  • the control system includes, as an example, a firewall 21, a terminal device 22, a production management server 23, an HMI (Human Machine Interface) device 24, a monitoring control server 25, the communication relay device 1, a control device 26, and a control target facility 27. These are communicably connected to each other to form a hierarchical network.
  • HMI (Human Machine Interface)
  • the control target equipment 27 is connected to the control device 26.
  • the control device 26 is further connected to the communication relay device 1.
  • the communication relay device 1 is further connected to the monitoring control server 25 via the control system network 3.
  • the monitoring control server 25 is further connected to the HMI device 24 and the production management server 23 via a control information network 33.
  • the production management server 23 is further connected to the terminal device 22 and the firewall 21 via the information network 32.
  • the firewall 21 is further connected to an external network 31 such as the Internet.
  • the firewall 21 relays communication between the information network 32 and the external network 31 and prevents unauthorized access from the external network 31 to the information network 32.
  • the production management server 23 determines plan values such as a plant production target and a production number instruction, and transmits the plan values to the monitoring control server 25.
  • the terminal device 22 accesses the production management server 23 via the information network 32, inputs information relating to the plan values to the production management server 23, and displays information such as results output from the production management server 23.
  • thereby, the administrator of the terminal device 22 can monitor the performance of the control system.
  • the monitoring control server 25 determines the command values for the control target facility 27 based on the plan values received from the production management server 23, and sends the command values to the control device 26 via the control system network 3 and the communication relay device 1.
  • the HMI device 24 accesses the monitoring control server 25 via the control information network 33, inputs information relating to command values to the monitoring control server 25, and displays information such as the state output from the monitoring control server 25. Thereby, the administrator of the HMI device 24 can monitor the state of the control target facility 27.
  • the control device 26 controls the control target equipment 27 based on the command value received from the monitoring control server 25.
  • the control target equipment 27 is a switch, a valve, a sensor, and the like.
  • the command value is, for example, the opening / closing or opening of a switch or valve.
  • the state is, for example, a pressure, a temperature, a rotation speed, or the like measured by a sensor.
  • the communication relay device 1 not only relays communication, but also has the capability of detecting and blocking unauthorized communication transmitted from the control system network 3.
  • there are various types of unauthorized communication, but from the viewpoint of the appropriate detection method, their contents are roughly divided into two types.
  • the first type has a characteristic pattern in an area delimited by a fixed bit length, such as an octet (8-bit) unit; examples are the destination address and the port number.
  • the second type is a binary format, such as a communication containing malware, which has no fixed bit-string delimiter and whose characteristic pattern may appear at an arbitrary bit position.
  • FIG. 2 is a block diagram illustrating an example of the internal configuration of the communication relay device 1.
  • the communication relay device 1 includes an upstream communication port 11 connected to the first communication device 2 via the control system network 3 and a downstream communication port 16 connected to the second communication device 4 to be protected.
  • the communication relay device 1 may include a plurality of downstream communication ports 16 so that a plurality of second communication devices 4 can be connected to the communication relay device 1.
  • the first communication device 2 is, for example, the monitoring control server 25.
  • the second communication device 4 is, for example, the control device 26.
  • the communication relay device 1 further includes a multi-bit width buffer 121, a multi-bit width feature value comparison unit 131, a single-bit width buffer 122, a single-bit width feature value comparison unit 132, a replacement unit 15, a feature value setting interface 17, and a feature value definition unit 18.
  • the upstream communication port 11 receives a signal representing a communication frame input from the first communication device 2 via the control system network 3, converts the received signal into a data string (relay data string), and outputs it sequentially.
  • this data string consists of a plurality of consecutive elements. An element is, for example, a bit.
  • the data string is input to two types of buffers, namely the multi-bit width buffer 121 and the single-bit width buffer 122.
  • the communication frame on the control system network 3 and the data string output from the upstream communication port 11 are based on the IEEE 802.3 format, but they may be based on any other communication standard.
  • the transmission medium of the control system network 3 may be light, radio waves, or any combination thereof in addition to electricity.
  • the upstream communication port 11 may be a NIC (Network Interface Card).
  • the multi-bit width buffer 121 (an example of a buffer unit) sequentially stores and outputs a plurality of bits in a communication frame received by the upstream communication port 11.
  • the multi-bit width buffer 121 includes a shift register having a bit width of 8 bits (the number of bits of a shift operation unit) and a finite length (the number of shift stages is three in FIG. 2) as the number of elements.
  • the bit width is the number of bits of a shift operation unit of the shift register.
  • the 8-bit wide and 3-stage shift register stores a data string continuously input from the input terminal in 8 bits per stage, and shifts the data sequence to the next stage (right in the figure) in 8-bit units according to the drive clock signal.
  • the output operation is performed from the output terminal to the replacement unit 15 in the order of input.
  • each bit in the data sequence is transmitted at a fixed time after being received by the communication relay device 1.
  • matching of the matching pattern is performed on the communication frame in units of 8 bits.
  • the single bit width buffer 122 (an example of a buffer unit) sequentially stores and outputs a plurality of bits in the communication frame received by the upstream communication port 11.
  • the single bit width buffer 122 includes a shift register having a bit width of 1 bit and a finite length (the number of shift stages is 12 in FIG. 2) as the number of elements.
  • the 1-bit wide and 12-stage shift register stores a data string continuously input from the input terminal at one bit per stage, and shifts the data sequence to the next stage (right in the figure) in 1-bit units according to the drive clock signal. An operation of outputting (discarding) from the output end in the order of input is performed.
  • matching of the matching pattern is performed on the communication frame one bit at a time.
  • the data string received by each buffer is held in that buffer for a fixed period determined by the product of the number of bits per operation unit (bit width) and the operation speed (operation frequency) of the buffer. That is, the multi-bit width buffer 121 and the single-bit width buffer 122 differ in their combination of bit width and operation speed, but are configured so that the product of the two is the same or substantially the same.
  • for example, the shift operation speed of the 8-bit wide multi-bit width buffer 121 is 12.5 MHz,
  • and the shift operation speed of the 1-bit wide single-bit width buffer 122 is 100 MHz.
  • the difference in the speed of the shift operation causes a difference in power consumption described later.
  • these buffers may be configured using a technique such as a dual port memory or a FIFO buffer in addition to the shift register.
  • the multi-bit width feature value comparison unit 131 and the single bit width feature value comparison unit 132 are provided for each buffer, and perform a process of comparing a bit string corresponding to the bit width of the buffer with the passage condition of each buffer unit.
  • the multi-bit width feature value comparison unit 131 has an element for storing the multi-bit width matching pattern 141 therein.
  • the single-bit width feature value comparison unit 132 has an element that stores the single-bit width matching pattern 142 therein.
  • the multi-bit width feature value comparison unit 131 compares, for example, the data string held in the second stage of the multi-bit width buffer 121 with the multi-bit width matching pattern 141, and outputs a match signal to the replacement unit 15 when they match.
  • the multi-bit width feature value comparison unit 131 uses the multi-bit width buffer 121, which shifts the data string by 8 bits, and therefore checks the communication frame against the matching pattern in units of 8 bits.
  • the single-bit width feature value comparison unit 132 compares, for example, the data string held in the third to tenth stages of the single-bit width buffer 122 with the single-bit width matching pattern 142, and outputs a match signal to the replacement unit 15 when they match.
  • the single-bit width feature value comparison unit 132 uses the single-bit width buffer 122, which shifts the data string one bit at a time, and therefore checks the communication frame against the matching pattern one bit at a time.
  • the replacement unit 15 receives the data string output from the multi-bit width buffer 121 and transmits it to the downstream communication port 16, and, according to the comparison results of the feature value comparison units 131 and 132, rewrites some elements of the data string to be transmitted to specified values. Details of the operation of the replacement unit 15 are described later.
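The two buffer paths described above, as an added cycle-level simulation in Python (this is illustrative code written for this page, not code from the patent or from Hitachi). It models an 8-bit wide, 3-stage shift register whose comparison unit reads the second stage, and a 1-bit wide, 12-stage shift register whose comparison unit reads stages 3 to 10. The frame contents, the matching patterns and the LSB-first serialisation are constructed assumptions; the cycle counters are a proxy for the power argument the page makes later, since the octet path is clocked once per eight line-rate bits.

```python
"""Cycle-level model of the 8-bit and 1-bit shift-register paths (added example)."""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

Bits = Tuple[int, ...]


def bytes_to_bits(data: bytes) -> List[int]:
    """Serialise octets least-significant bit first (assumed wire order, as in IEEE 802.3)."""
    return [(octet >> i) & 1 for octet in data for i in range(8)]


@dataclass
class ShiftBuffer:
    """Finite-length shift register: `width` bits move one stage per drive-clock cycle."""
    width: int
    stages: int
    stage: List[Optional[int]] = field(default_factory=list)
    cycles: int = 0  # drive-clock cycles consumed; used as a power-consumption proxy

    def __post_init__(self) -> None:
        self.stage = [None] * self.stages  # stage[0] is the input end, stage[-1] the output end

    def shift_in(self, word: int) -> Optional[int]:
        """Shift one operation unit in at stage 1 and return the word leaving the output end."""
        leaving = self.stage[-1]
        self.stage = [word] + self.stage[:-1]
        self.cycles += 1
        return leaving


def relay_once(frame: bytes, octet_patterns: Set[int], bit_patterns: Set[Bits]) -> dict:
    """Run one frame through both paths and report where each comparison unit fired.

    octet_patterns: 8-bit matching patterns checked by the multi-bit comparison unit
                    against stage 2 of the 8-bit buffer (octet-aligned positions only).
    bit_patterns:   8-bit patterns in wire order, checked by the single-bit comparison unit
                    against stages 3..10 of the 1-bit buffer (any bit offset).
    """
    multi = ShiftBuffer(width=8, stages=3)
    single = ShiftBuffer(width=1, stages=12)
    octet_hits: List[int] = []  # octet index of each match on the 8-bit path
    bit_hits: List[int] = []    # starting bit offset of each match on the 1-bit path

    for i, bit in enumerate(bytes_to_bits(frame)):
        # The 1-bit path is clocked at line rate: one shift per received bit.
        single.shift_in(bit)
        window = tuple(single.stage[2:10][::-1])  # stages 3..10, oldest bit first
        if None not in window and window in bit_patterns:
            bit_hits.append(i - 9)  # stage 10 holds the bit received 9 cycles ago

        # The 8-bit path is clocked once per octet, i.e. at 1/8 of the line rate.
        if i % 8 == 7:
            multi.shift_in(frame[i // 8])
            if multi.stage[1] in octet_patterns:  # comparison unit reads stage 2
                octet_hits.append(i // 8 - 1)

    return {
        "octet_hits": octet_hits,
        "bit_hits": bit_hits,
        "multi_cycles": multi.cycles,
        "single_cycles": single.cycles,
    }


# Constructed frame (not a capture): two MAC addresses, EtherType 0x0800, 4-octet payload.
SAMPLE_FRAME = bytes.fromhex("000000000001" "000000000002" "0800") + bytes([0x01, 0xA5, 0x3C, 0x00])

# 0xA5 sits octet-aligned at index 15, so the 8-bit path can find it. The same wire bits
# read one position later (value 0x52 at bit offset 121) straddle an octet boundary and
# are visible only to the bit-by-bit path, even though 0x52 is also on the octet list.
OCTET_PATTERNS = {0xA5, 0x52}
BIT_PATTERNS = {
    (1, 0, 1, 0, 0, 1, 0, 1),  # 0xA5, LSB first
    (0, 1, 0, 0, 1, 0, 1, 0),  # 0x52, LSB first
}

if __name__ == "__main__":
    print(relay_once(SAMPLE_FRAME, OCTET_PATTERNS, BIT_PATTERNS))
```

On a 100 Mbps link the single-bit path in this model is clocked 144 times for the 18-octet frame and the octet path 18 times, the 1:8 ratio behind the 100 MHz versus 12.5 MHz figures quoted on this page. The price of the slower clock is alignment: an octet signature that starts at a bit offset that is not a multiple of 8 is never presented to the octet comparison unit, which is why the page reserves the 1-bit path for binary signatures.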
  • the downstream communication port 16 (an example of a transmission unit) converts the data string transmitted from the replacement unit 15 into a signal suitable for communication with an external device or a network again, and transmits the signal to the second communication device 4.
  • the data string to be transmitted and the data string output from the upstream communication port 11 are based on the IEEE802.3 format, but any communication standard may be used.
  • the downstream communication port 16 may be a NIC.
  • the communication frame on the control system network 3 is based on the IEEE802.3 format.
  • a communication frame based on the IEEE802.3 format will be described with reference to FIG.
  • FIG. 3 shows an example of the format of a communication frame.
  • a communication frame based on the IEEE802.3 format includes a preamble section, a header section, a payload section, and each field (area) of an FCS (Frame Check Sequence) section.
  • the end of the preamble part is SFD (Start Frame Delimiter), which indicates the start of the header.
  • SFD (Start Frame Delimiter)
  • when the upstream communication port 11 detects the SFD in the received signal, it outputs a frame start signal indicating the reception timing.
  • the frame start signal is a reference for the timing (position in the communication frame) at which the replacement unit 15 changes the information of the FCS unit in the communication frame.
  • the upstream communication port 11 may directly supply the frame start signal to the replacement unit 15 or may supply the frame start signal to the replacement unit 15 via the feature value comparison units 131 and 132.
  • the header section contains the destination address, source address, and type/length subfields, and is used to deliver the frame correctly to its destination.
  • the payload portion is the content (body) of the data to be transmitted.
  • the FCS section (an example of the first area) is an area for error detection in which an error check code for checking whether or not the IEEE 802.3 frame has a transmission error in the receiving device is stored.
  • the FCS value is calculated by CRC (Cyclic Redundancy Check) from the contents of the header and the payload, and is, for example, 32 bits.
  • the upstream communication port 11 recognizes the start timing of the header by detecting the SFD from the communication frame.
  • the replacement unit 15 recognizes the length of the payload by detecting the type / length, and recognizes the timing (the position in the communication frame) of the FCS unit. Note that the upstream communication port 11 or each of the characteristic value comparison units 131 and 132 may perform a process of detecting the type / length.
  • the device receiving the communication frame checks the FCS value included in the communication frame, and discards the communication frame if the value does not match the expected value.
  • the replacement unit 15 sequentially receives the 8-bit data string output from the multi-bit width buffer 121 and, under normal conditions, sequentially transmits it to the downstream communication port 16 unchanged. However, if the data string of the predetermined bit width does not satisfy the passing condition in any of the feature value comparison units 131 and 132, the replacement unit 15 changes the information of the FCS section in the communication frame.
  • specifically, when the replacement unit 15 receives a match signal from either the multi-bit width feature value comparison unit 131 or the single-bit width feature value comparison unit 132 (hereinafter "when the feature value matches"), it inverts the value of the FCS section in the communication frame or rewrites it to an invalid value.
  • the invalid value is, for example, 0.
  • when the feature value does not match, the input values are output as they are.
  • the second communication device 4 receives the communication frame through the downstream communication port 16 of the communication relay device 1 and checks the FCS against the contents of the header and the payload. When the feature value has matched, the value of the FCS section has been rewritten to an invalid value, so the received FCS value differs from the computed FCS value and the communication frame is discarded. With this operation, when the second communication device 4 is the control device 26, the control device 26 is prevented from being infected with malware by an unauthorized communication frame or from operating abnormally because of communication through an unauthorized port. Therefore, even if a communication frame is harmful to the control device 26, the control capability of the control device 26 is not impaired.
  • the target replaced by the replacement unit 15 may be a part other than the FCS section, such as data in a specific area of the payload section. Even when the communication frame format is other than IEEE 802.3, the format can be expected to have a field holding an error detection code or a field that must hold a specific value; by making such a field the rewrite target, the same effect as with the FCS can be expected.
  • the bit string to be rewritten is preferably located after the bit string to be compared with the matching pattern.
  • the bit string to be rewritten can be rewritten after the bit string to be collated has passed through each buffer.
  • the replacement unit 15 may output a predetermined addition value and add the addition value to the FCS unit.
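The FCS rewrite and the receiver-side check, as an added Python example (written for this page; not the patent's or Hitachi's code). It builds IEEE 802.3 frames with a correct CRC-32 FCS, lets a cut-through relay forward every octet unchanged except the FCS of a frame that matched a signature, and shows that the receiving device rejects the result under each of the three rewrite variants the page mentions: inversion, a fixed invalid value (0), and adding a predetermined value. The MAC addresses, EtherType, payloads and the signature are constructed.

```python
"""FCS invalidation by the relay and the receiver's CRC check (added example)."""
import struct
import zlib
from typing import Iterable

FCS_LEN = 4


def frame_with_fcs(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Build an IEEE 802.3 frame (preamble/SFD omitted) with a correct FCS.

    The FCS is the IEEE CRC-32 (reflected, init and final XOR 0xFFFFFFFF), which is
    exactly what zlib.crc32 computes; it is transmitted least-significant octet first.
    """
    body = dst + src + struct.pack("!H", ethertype) + payload
    return body + struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def receiver_accepts(frame: bytes) -> bool:
    """The check the second communication device 4 performs: recompute and compare the FCS."""
    body, fcs = frame[:-FCS_LEN], frame[-FCS_LEN:]
    return struct.unpack("<I", fcs)[0] == (zlib.crc32(body) & 0xFFFFFFFF)


def relay(frame: bytes, signatures: Iterable[bytes], mode: str = "invert", add_value: int = 1) -> bytes:
    """Forward every octet unchanged except the FCS of a frame that matched a signature.

    Signatures are matched only against header and payload, i.e. octets that precede the
    FCS, so the verdict exists before the FCS has to be forwarded (the ordering constraint
    the text places on the rewrite target).
    """
    body, fcs = frame[:-FCS_LEN], frame[-FCS_LEN:]
    if not any(sig in body for sig in signatures):
        return frame  # no match: the input values are output as they are
    old = struct.unpack("<I", fcs)[0]
    if mode == "invert":      # bitwise inversion always differs from the correct value
        new = old ^ 0xFFFFFFFF
    elif mode == "zero":      # fixed invalid value; wrong unless the true CRC happens to be 0
        new = 0
    elif mode == "add":       # predetermined addition value, modulo 2^32
        new = (old + add_value) & 0xFFFFFFFF
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return body + struct.pack("<I", new)


# Constructed frames (not captures). The second carries a hypothetical blocked signature.
SIGNATURES = [b"\xde\xad\xbe\xef"]
DST, SRC = b"\x02\x00\x00\x00\x00\x01", b"\x02\x00\x00\x00\x00\x02"
GOOD_FRAME = frame_with_fcs(DST, SRC, 0x0800, b"\x00" * 46)
BAD_FRAME = frame_with_fcs(DST, SRC, 0x0800, b"\x00" * 20 + SIGNATURES[0] + b"\x00" * 22)

if __name__ == "__main__":
    for name, frame in (("good", GOOD_FRAME), ("bad", BAD_FRAME)):
        for mode in ("invert", "zero", "add"):
            out = relay(frame, SIGNATURES, mode)
            print(name, mode, "accepted" if receiver_accepts(out) else "discarded")
```

Two operational points follow from this. A frame with a corrupted FCS is dropped by the receiving NIC or by any store-and-forward switch in between as a CRC error, so blocked frames appear in interface error counters rather than in any application log; those counters are the place to look for evidence that the relay is firing. And the relay must never regenerate the FCS on egress, as a normal cut-through switch might, because that would undo the block.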
  • the feature value setting interface 17 is configured to receive feature value information related to communication contents to be cut off by communication from an external device such as a personal computer, and write the feature value information to the feature value definition unit 18.
  • the feature value definition unit 18 is configured by a storage element such as a RAM, and has a function of transferring feature value information to the multi-bit width matching pattern 141 and the single bit width matching pattern 142. By this operation, the setting (matching pattern) of the communication content to be cut off by the communication relay device 1 can be updated, and the latest threat can be dealt with.
  • the specific implementation of the feature value setting interface 17 may be an independent interface such as a serial port, or it may be integrated with the upstream communication port 11 so that the feature values are updated via the control system network 3.
  • compared with the case where the buffer and the feature value comparison unit are configured with only a single bit width, the operating speed (operating frequency) of each buffer and feature value comparison unit can be optimized according to the granularity (unit of comparison processing) of its matching pattern.
  • for example, detection of a binary signature (a pattern characteristic of malware) requires bit-by-bit matching, whereas detection of a pattern in a delimited unit such as a word does not, so the appropriate implementation differs between the two. Therefore, the first embodiment can reduce power consumption while coping with various types of unauthorized communication.
  • on a 100 Mbps network, the single-bit width buffer 122 and the single-bit width feature value comparison unit 132 need to operate at 100 MHz,
  • whereas the corresponding multi-bit width buffer 121 and multi-bit width feature value comparison unit 131 need only operate at 12.5 MHz, 1/8 of that frequency.
  • when the bit position of the communication frame to be collated is a multiple of 4 or 8 (that is, aligned to the operation unit),
  • the collation is performed by the multi-bit width buffer 121 and the multi-bit width feature value comparison unit 131.
  • for example, of ten matching patterns, the five 8-bit width matching patterns are compared by the 8-bit wide multi-bit width buffer 121 and multi-bit width feature value comparison unit 131,
  • and the comparison of the remaining five 1-bit width matching patterns is performed by the 1-bit wide single-bit width buffer 122 and the single-bit width feature value comparison unit 132.
  • the single-bit width buffer 122 serves only to let the single-bit width feature value comparison unit 132 notify its comparison result to the replacement unit 15, whereas the multi-bit width buffer 121
  • outputs the data string of the communication frame input from the upstream communication port 11 to the replacement unit 15 in order.
  • when the second communication device 4 is the control device 26,
  • it is difficult to add a function for calculating and judging the feature value of the communication frame to the control device 26 and to realize that function with the limited processing capability of the control device 26.
  • by adding the communication relay device 1 of the present embodiment outside the control device 26, attacks on the control device 26 can be prevented without modifying the control device 26 and without increasing its load.
  • a person intending to attack the control device 26 may continuously search for design or implementation deficiencies (vulnerabilities) in the control device 26 and apply new attack methods that exploit them.
  • in a control system such as infrastructure that is required to operate for a long period, it is desirable that defensive measures against new attack methods can be added continuously during the operation period. Since it is difficult to stop the control device 26 while the control system is operating, it is difficult to modify the program of the control device 26 or to apply a patch (modification program).
  • by setting the feature value extraction rule and the passage condition in the communication relay device 1, a new attack technique can be dealt with without stopping the operation of the control system.
  • a relay device using the store-and-forward scheme receives and stores the whole communication frame, determines whether to pass or discard it, and transmits only frames determined to pass. That is, such a relay device does not start transmitting a communication frame until the determination is complete, so the relay delay time varies with the length of the communication frame and other factors.
  • the communication relay device 1, by contrast, receives each bit of the communication frame, passes it through each buffer, determines whether the communication frame is normal from the partial data passing through, rewrites some bits of the communication frame if necessary, and transmits each bit in the order of reception. That is, the communication relay device 1 relays consecutively received communication frames to the second communication device 4 with a fixed delay time regardless of the length of the communication frame and the determination result. Since communication frames in a control system are transmitted in short cycles, a constant relay delay time is desirable.
  • the case where one set of the multi-bit width buffer and multi-bit width feature value comparison unit and one set of the single-bit width buffer and single-bit width feature value comparison unit are provided has been described, but the present invention is not limited to this. A plurality of circuits for the multi-bit width and for the single-bit width may each be provided.
  • it suffices that the bit width of at least one of the buffers and feature value comparison units is 1 and the bit width of at least one other of the buffers and feature value comparison units is 2 or more.
  • for example, with a 4-bit width buffer, the power consumption is reduced to about 1/4 compared with a single-bit width buffer, and since it is compatible with the 4-bit standard MII (Media Independent Interface), no conversion circuit is required.
  • in that case the operating frequency is 25 MHz.
  • the so-called blacklist method, in which a communication frame containing a feature value is blocked when it matches any of the held feature values, has been described, but the present invention is not limited to this example.
  • the communication relay device 1 may also be implemented with a so-called whitelist method, in which a communication frame is passed only when it matches all of the held feature values and all other frames are blocked.
  • in the blacklist method, the passage condition is a matching pattern (first pattern) that represents an unauthorized communication in terms of the elements corresponding to the number of elements of the buffer (a bit string of the bit width of the buffer).
  • the feature value comparison unit outputs a match signal when a data string matching the first pattern exists in the communication frame. Upon receiving the match signal from any of the feature value comparison units, the replacement unit 15 rewrites the value of the FCS section in the communication frame. With such a configuration, good matching can be performed on communication frames for which the blacklist method is appropriate.
  • in the whitelist method, the passage condition is a matching pattern (second pattern) indicating, in terms of the elements corresponding to the number of elements of the buffer (a bit string of the bit width of the buffer), that the communication is not unauthorized.
  • the feature value comparison unit determines whether all the data strings to be matched in the communication frame match the second pattern, and notifies the replacement unit 15 of the determination result.
  • when the determination result indicates that the data strings do not all match the second pattern, the replacement unit 15 rewrites the value of the FCS section in the communication frame. With such a configuration, good matching can be performed on communication frames for which the whitelist method is appropriate.
  • the control system network 3 is characterized in that communication frames having the same format and the same length are transmitted at a constant period.
  • the communication frame in such a case is, for example, one in which only the value of the fixed length in the payload changes, or one which indicates ON or OFF of the switch.
  • the passage condition may use the reception time of the communication frame.
  • the passing condition is that the frame reception interval is within a predetermined time range.
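The three kinds of passage condition discussed above (blacklist, whitelist over a fixed-format cyclic frame, and the reception-interval check), as one added Python example written for this page rather than taken from the patent. The fixed header, the blocked signature, the 10 ms cycle and the frames themselves are constructed assumptions; the policy returns the list of conditions a frame violates so that a caller can drive the FCS rewrite from it.

```python
"""Passage conditions for a cyclic control network: blacklist, whitelist, reception interval (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Sequence


@dataclass
class PassPolicy:
    """Evaluates the passage conditions for one relay direction.

    blacklist: byte strings whose presence anywhere in the frame marks it as unauthorized.
    whitelist: octet position -> expected value; every entry must match for the frame to pass
               (models fixed-format frames whose header never changes).
    min_gap, max_gap: permitted reception interval (seconds) between consecutive frames.
    """
    blacklist: Sequence[bytes] = ()
    whitelist: Dict[int, int] = field(default_factory=dict)
    min_gap: float = 0.0
    max_gap: float = float("inf")
    last_rx: Optional[float] = None

    def check(self, frame: bytes, rx_time: float) -> List[str]:
        """Return the violated conditions; an empty list means the frame may pass."""
        violations: List[str] = []
        if any(sig in frame for sig in self.blacklist):
            violations.append("blacklist")
        if self.whitelist and not all(
            pos < len(frame) and frame[pos] == val for pos, val in self.whitelist.items()
        ):
            violations.append("whitelist")
        if self.last_rx is not None:
            gap = rx_time - self.last_rx
            if not self.min_gap <= gap <= self.max_gap:
                violations.append("interval")
        # Every frame, passed or not, resets the interval reference: the relay saw it arrive.
        self.last_rx = rx_time
        return violations


FIXED_HEADER = b"\x01\x02\x03\x04"  # hypothetical fixed 4-octet header of the cyclic frame


def cyclic_frame(switch_on: int, header: bytes = FIXED_HEADER, extra: bytes = b"") -> bytes:
    """Constructed 16-octet frame: fixed header, one ON/OFF octet, optional extra, zero padding."""
    body = header + bytes([switch_on]) + extra
    return body + b"\x00" * (16 - len(body))


def run_sample() -> List[List[str]]:
    """Feed a constructed 10 ms cycle through the policy and collect the verdicts."""
    policy = PassPolicy(
        blacklist=[b"\xde\xad"],
        whitelist={i: b for i, b in enumerate(FIXED_HEADER)},
        min_gap=0.009,
        max_gap=0.011,
    )
    arrivals = [
        (0.000, cyclic_frame(0)),                              # normal, switch OFF
        (0.010, cyclic_frame(1)),                              # normal, switch ON
        (0.020, cyclic_frame(1, header=b"\x01\x02\xff\x04")),  # fixed octet altered
        (0.021, cyclic_frame(0)),                              # arrives 1 ms after the previous frame
        (0.031, cyclic_frame(0, extra=b"\xde\xad")),           # carries the blacklisted signature
    ]
    return [policy.check(frame, t) for t, frame in arrivals]


if __name__ == "__main__":
    for verdict in run_sample():
        print("pass" if not verdict else "block: " + ", ".join(verdict))
```

The interval check is deliberately stateful per direction and per link: on the page's hierarchical network the expected period belongs to one controller-to-device pair, so a relay protecting several downstream ports would keep one `PassPolicy` per port rather than one global timer.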
  • the second communication device 4 can be protected from unauthorized communication coming from the control system network 3.
  • a case is considered in which the second communication device 4 is attacked by malware infection or the like on a route other than the control system network 3 and sends out unauthorized communication from the second communication device 4 to the control system network 3.
  • for example, the unauthorized communication may originate from a USB memory attached to the control device 26 and be transmitted to the control system network 3.
  • it is therefore required to extend the direction of communication transmission to both directions so as to prevent illegal communication from propagating in the direction opposite to that of the first embodiment.
  • in the second embodiment, a communication relay device that prevents illegal communication from propagating in the direction opposite to that of the first embodiment is described.
  • FIG. 4 is a block diagram illustrating a schematic configuration example of a communication relay device 1A according to the second embodiment.
  • the communication relay device 1A includes two relay units, a first relay unit 40a and a second relay unit 40b.
  • the first relay unit 40a and the second relay unit 40b are inserted, respectively, into the path of communication frames transmitted from the control system network 3 to the second communication device 4 (referred to as "down" for convenience)
  • and into the path of communication frames transmitted from the second communication device 4 to the control system network 3 (referred to as "up").
  • the first relay unit 40a relays a downstream communication frame
  • the second relay unit 40b relays an upstream communication frame.
  • Each of the first relay unit 40a and the second relay unit 40b has the same configuration as the communication relay device 1 described in the first embodiment.
  • among the communication frames transmitted in the down direction, those whose FCS field value has been replaced with an invalid value by the first relay unit 40a are discarded by the second communication device 4. Similarly, among the communication frames transmitted in the up direction from the second communication device 4, those whose FCS field value has been replaced with an invalid value by the second relay unit 40b are discarded at their destination, for example by the first communication device 2 if that is the destination.
  • the function of protecting the second communication device 4 on the down path, that is, from unauthorized communication coming from the control system network 3, and the function of protecting the devices connected to the control system network 3 on the up path, that is, from unauthorized communication sent from the second communication device 4, can both be realized.
  • the first relay unit 40a and the second relay unit 40b may each be set with different matching patterns. That is, the multi-bit width matching pattern 141 may differ between the first relay unit 40a and the second relay unit 40b. Similarly, the single bit width matching pattern 142 may differ between the first relay unit 40a and the second relay unit 40b. Thereby, different matching patterns (passing conditions) can be defined for the up path and the down path, and measures can be taken flexibly according to the threat tendencies on each path.
  • the upstream communication port 11 of the first relay unit 40a and the downstream communication port 16 of the second relay unit 40b may be a single communication port
  • likewise, the upstream communication port 11 of the second relay unit 40b and the downstream communication port 16 of the first relay unit 40a may be a single communication port
  • the first relay section 40a and the second relay section 40b may be provided in different housings.
  • the feature value setting interface 17 and the feature value definition unit 18 may be shared by the first relay unit 40a and the second relay unit 40b. In that case, the first relay unit 40a and the second relay unit 40b do not each need their own feature value setting interface 17 and feature value definition unit 18.
  • the administrator sets the feature values (multi-bit width matching pattern, single bit width matching pattern) in the first relay unit 40a and the second relay unit 40b, either individually or all at once, via the feature value setting interface 17 and the feature value definition unit 18 of the communication relay device 1A.
  • in the communication relay device 1A, using a common feature value for the down path and the up path reduces the number of steps needed to set the feature values compared with using different feature values for the down path and the up path.
  • FIG. 5 is a block diagram illustrating an example of the hardware configuration of a computer 50 included in the communication relay devices 1 and 1A when the processing is performed by software.
  • the hardware configuration of the computer 50 of the first relay unit 40a and the second relay unit 40b of the communication relay device 1A can be the same as that of the communication relay device 1.
  • the computer 50 includes a CPU (Central Processing Unit) 51, a ROM (Read Only Memory) 52, a RAM (Random Access Memory) 53, a nonvolatile storage 55, a first communication interface 56, and a second communication interface 57.
  • Each unit in the communication relay device 1 is connected to each other via a system bus 54 so as to be able to transmit and receive data to and from each other.
  • the CPU 51, the ROM 52, and the RAM 53 form a control unit.
  • This control unit controls the operation of the entire communication relay device 1 or each unit in the communication relay device 1A.
  • the CPU 51 reads out a program code of software for realizing each function according to each of the above-described embodiments from the ROM 52, executes the program code, and controls each unit and performs various calculations.
  • another arithmetic processing device such as an MPU (Micro Processing Unit) may be used instead of the CPU 51.
  • the ROM 52 is used as an example of a non-volatile memory (recording medium).
  • the ROM 52 stores programs, data, and the like necessary for the operation of the CPU 51.
  • the RAM 53 is used as an example of a volatile memory, and temporarily stores variables, parameters, and the like generated during the arithmetic processing by the CPU 51.
  • the non-volatile storage 55 is an example of a recording medium, and can store information such as programs executed by the CPU 51, programs such as an OS (Operating System), tables, and files.
  • as the non-volatile storage 55, a recording device such as a semiconductor memory, a hard disk, a solid state drive (SSD), or a magnetic or optical recording medium can be used.
  • the program may be provided via a wired or wireless transmission medium such as a local area network (LAN), the Internet, or digital satellite broadcasting.
  • the first communication interface 56 is, for example, a NIC or a modem, and is configured to transmit and receive various data to and from external devices via a network such as a LAN to which terminals are connected, or via a dedicated line.
  • the first communication interface 56 corresponds to the upstream communication port 11.
  • the second communication interface 57 is likewise, for example, a NIC or a modem, and is configured to transmit and receive various data to and from external devices via a network such as a LAN to which terminals are connected, or via a dedicated line.
  • the second communication interface 57 corresponds to the downstream communication port 16.
  • the computer 50 may be provided with a display unit and an operation unit so that the observer can check the content displayed on the display unit and input necessary information through the operation unit.
  • the display unit is, for example, a liquid crystal display monitor, and displays a GUI screen, a result of processing performed by the CPU 51, and the like.
  • the operation unit for example, a pointing device such as a mouse or a touch panel, a keyboard, or the like is used.
  • the observer can perform a predetermined operation on the operation unit and input an instruction.
  • the operation unit generates an input signal according to the observer's operation and supplies the input signal to the CPU 51.
  • the configuration of the communication relay device is described in detail and specifically in order to easily explain the present invention, and is not necessarily limited to a configuration including all the described components. Further, a part of the configuration of one embodiment can be replaced with the component of another embodiment. It is also possible to add components of another embodiment to the configuration of one embodiment. Further, it is also possible to add, delete, or replace other components with respect to a part of the configuration of each embodiment.
  • the components, functions, processing units, and the like described above may be partially or entirely realized by hardware, for example, by designing an integrated circuit. Further, the processing performed by a certain processing unit may be realized by one piece of hardware, or may be realized by distributed processing by a plurality of pieces of hardware.
  • the control lines and information lines shown are those considered necessary for the explanation, and do not necessarily represent all of the control lines and information lines in the product. In practice, almost all of the components may be considered to be connected to one another.
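The bullets above for the second embodiment note that control-system frames of the same format and length arrive at a constant period, so the passing condition may use the reception time: a frame passes only when its reception interval lies within a predetermined range. The following Python model is an added example, not code from the patent or from the applicant. The 10 ms period, the 1 ms tolerance, the 64-octet frame length and the arrival list are constructed values, and measuring the interval from the last frame that passed (rather than the last frame seen) is this example's own choice.

```python
"""Reception-interval passing condition for periodic control-system frames.

Added example, not code from the patent. Models the rule that frames of the
same format and length arrive at a constant period, so a frame passes only
if it has the expected length and its interval from the previous frame that
passed lies within a predetermined range. The period, tolerance, frame
length and arrival list below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class IntervalCondition:
    period_s: float      # nominal transmission period (10 ms in the sample)
    tolerance_s: float   # permitted deviation from the nominal interval
    frame_len: int       # fixed total length of the periodic frame, in octets
    last_pass_s: Optional[float] = None

    def check(self, rx_time_s: float, frame: bytes) -> bool:
        """True when the frame satisfies the passing condition.

        The first frame has no interval to measure and passes on length
        alone. The interval is measured from the last frame that passed,
        not the last frame seen, so an extra frame injected between two
        genuine ones does not move the window for the genuine frame that
        follows it.
        """
        if len(frame) != self.frame_len:
            return False
        if self.last_pass_s is None:
            self.last_pass_s = rx_time_s
            return True
        interval = rx_time_s - self.last_pass_s
        if abs(interval - self.period_s) > self.tolerance_s:
            return False
        self.last_pass_s = rx_time_s
        return True


def _frame(value: int, length: int = 64) -> bytes:
    """Constructed periodic frame: fixed content except for the last octet."""
    return bytes(length - 1) + bytes([value])


# Constructed arrivals as (reception time in seconds, frame).
SAMPLE_ARRIVALS: List[Tuple[float, bytes]] = [
    (0.0000, _frame(1)),
    (0.0100, _frame(2)),
    (0.0130, _frame(9)),       # injected: right length, but only 3 ms after the last one
    (0.0200, _frame(3)),
    (0.0300, _frame(9, 65)),   # injected: wrong length
    (0.0301, _frame(4)),       # genuine, 10.1 ms after the last frame that passed
    (0.0401, _frame(5)),
]


def evaluate(arrivals, period_s: float = 0.010, tolerance_s: float = 0.001,
             frame_len: int = 64) -> List[bool]:
    """Apply the condition to a sequence of arrivals; True means the frame passes."""
    cond = IntervalCondition(period_s, tolerance_s, frame_len)
    return [cond.check(t, f) for t, f in arrivals]


if __name__ == "__main__":
    for (t, f), ok in zip(SAMPLE_ARRIVALS, evaluate(SAMPLE_ARRIVALS)):
        print(f"t={t:.4f}s len={len(f)} -> {'pass' if ok else 'blocked'}")
```

The interval check rejects frames injected between the expected instants and frames of the wrong length; it says nothing about the content of a frame that arrives on time, which is what the matching-pattern conditions are for. Where a relay serves several protected devices, the condition would be kept per source and frame type rather than as one global timer.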

Abstract

A communication relay device according to one aspect of the present invention includes: a plurality of buffer units 121, 122 which sequentially store and output a plurality of elements in a communication frame transmitted from a first communication device 2, and which differ in their combination of the number of elements per operation unit and operation speed; a plurality of comparison units 131, 132 which are respectively provided for the buffer units 121, 122 and compare the elements corresponding to the number of elements of the buffer unit with a passing condition of the buffer unit; a changing unit 15 which sequentially transmits the plurality of elements and, when the elements corresponding to the number of elements in either of the comparison units do not meet the passing condition, changes elements corresponding to a first area in the communication frame; and a transmission unit which sequentially transmits, to a second communication device, the plurality of elements transmitted from the changing unit.

Description

Communication relay device
The present invention relates to a communication relay device.
A control system that controls facilities such as plants and assembly equipment must maintain safe and stable operation. On the other hand, data with unauthorized content may be sent over the control system network with the intent of disrupting the operation of a control device or making it perform an incorrect operation. As a countermeasure, a known method is to connect the device to be protected to the control system network via a firewall, an IPS (Intrusion Prevention System), or the like that is capable of blocking such unauthorized communication.
Patent Document 1 discloses a communication relay device comprising "a determination unit that determines a feature value indicating a characteristic of a received communication frame and determines whether the feature value satisfies a condition, and a change unit that forwards a plurality of received elements in order and, when the feature value is determined not to satisfy the condition, changes some of the plurality of elements being forwarded." This communication relay device is configured to detect unauthorized communication using a buffer; when unauthorized communication is received, it changes some of the plurality of elements of the communication frame and transmits them in order to the external device, and thereby detects unauthorized communication with a small delay time.
Patent Document 1: JP 2015-119386 A
However, while the communication relay device described in Patent Document 1 can suppress the delay caused by relaying communication frames, its internal buffer is built to operate at the communication speed of the incoming communication frames (for example, 100 MHz on a 100 Mbps network). Consequently, as described later, its configuration was not necessarily optimized with respect to the power consumption of the relay processing.
Given this situation, there has been a demand for a communication relay device that can reduce power consumption while handling various kinds of unauthorized communication.
A communication relay device according to one aspect of the present invention includes: a receiving unit that sequentially receives a plurality of elements in a communication frame transmitted from a first communication device; a plurality of buffer units that sequentially store and output the plurality of elements in the communication frame received by the receiving unit and that differ in their combination of the number of elements per operation unit and operating speed; and a plurality of comparison units, one provided for each buffer unit, each of which compares the elements corresponding to the number of elements of its buffer unit with the passing condition of that buffer unit. The communication relay device further includes a changing unit that forwards the plurality of elements in order and, when in any of the comparison units the elements corresponding to the number of elements do not satisfy the passing condition, changes the element corresponding to a first area in the communication frame; and a transmitting unit that sequentially transmits the plurality of elements forwarded from the changing unit to a second communication device.
According to at least one aspect of the present invention, power consumption can be reduced while handling various kinds of unauthorized communication.
Problems, configurations, and effects other than those described above will be made clear by the following description of the embodiments.
FIG. 1 is a diagram illustrating a configuration example of an entire control system including a communication relay device according to a first embodiment of the present invention.
FIG. 2 is a block diagram illustrating an example of the internal configuration of the communication relay device according to the first embodiment of the present invention.
FIG. 3 is a diagram illustrating an example of the format of a communication frame.
FIG. 4 is a block diagram illustrating a schematic configuration example of a communication relay device according to a second embodiment of the present invention.
FIG. 5 is a block diagram illustrating a hardware configuration example of a computer included in the communication relay device.
Hereinafter, examples of modes for carrying out the present invention will be described with reference to the accompanying drawings. In this specification and the accompanying drawings, components having substantially the same function or configuration are denoted by the same reference numerals, and redundant description is omitted.
<First embodiment>
[Overall configuration of the control system]
First, the configuration of the entire control system including the communication relay device according to the first embodiment will be described. FIG. 1 is a diagram illustrating a configuration example of an entire control system including the communication relay device 1 according to the first embodiment.
As illustrated in FIG. 1, the control system includes, as one example, a firewall 21, a terminal device 22, a production management server 23, an HMI (Human Machine Interface) device 24, a monitoring control server 25, the communication relay device 1, a control device 26, and a control target facility 27. These are communicably connected to one another and form a hierarchical network.
The control target facility 27 is connected to the control device 26. The control device 26 is in turn connected to the communication relay device 1. The communication relay device 1 is in turn connected to the monitoring control server 25 via the control system network 3. The monitoring control server 25 is in turn connected to the HMI device 24 and the production management server 23 via the control system information network 33. The production management server 23 is in turn connected to the terminal device 22 and the firewall 21 via the information network 32. The firewall 21 is in turn connected to an external network 31 such as the Internet.
The firewall 21 relays communication between the information network 32 and the external network 31 and prevents unauthorized access from the external network 31 to the information network 32.
The production management server 23 determines plan values such as the plant's production targets and production quantity instructions, and transmits the plan values to the monitoring control server 25. The terminal device 22 accesses the production management server 23 via the information network 32 to input information on plan values into the production management server 23 and to display information such as the results output by the production management server 23. This allows the administrator of the terminal device 22 to monitor the results of the control system.
The monitoring control server 25 determines command values for the control target facility 27 based on the plan values received from the production management server 23, and transmits the command values to the control device 26 via the control system network 3 and the communication relay device 1. The HMI device 24 accesses the monitoring control server 25 via the control system information network 33 to input information on command values into the monitoring control server 25 and to display information such as the state output by the monitoring control server 25. This allows the administrator of the HMI device 24 to monitor the state of the control target facility 27.
The control device 26 controls the control target facility 27 based on the command values received from the monitoring control server 25. The control target facility 27 consists of, for example, switches, valves, and sensors. A command value is, for example, the open/closed state or the degree of opening of a switch or valve. The state is, for example, a pressure, temperature, or rotational speed measured by a sensor.
[Types of unauthorized communication and differences in detection method]
The communication relay device 1 not only relays communication but also has the capability to detect and block unauthorized communication sent from the control system network 3. Unauthorized communication comes in many kinds, but from the viewpoint of the appropriate detection method, its content can be broadly divided into two types. The first has a characteristic pattern in areas delimited at a fixed bit length, such as octet (8-bit) units, for example the destination address or port number of the communication. The second, such as communication containing malware, is in binary form, so it has no fixed bit-string boundaries and has a characteristic pattern in a bit string at an arbitrary position. The difference between the two is that to detect the former it is sufficient to match patterns in units of, for example, 8 bits, whereas to detect the latter it is necessary to match patterns against the content of the communication frame one bit at a time.
[Configuration of the communication relay device]
Next, the details of the communication relay device 1 will be described. FIG. 2 is a block diagram illustrating an example of the internal configuration of the communication relay device 1.
The communication relay device 1 has an upstream communication port 11 connected to the first communication device 2 via the control system network 3, and a downstream communication port 16 connected to the second communication device 4 that is to be protected. The communication relay device 1 may have a plurality of downstream communication ports 16 so that a plurality of second communication devices 4 can be connected to it. The first communication device 2 is, for example, the monitoring control server 25. The second communication device 4 is, for example, the control device 26. The communication relay device 1 further comprises a multi-bit width buffer 121, a multi-bit width feature value comparison unit 131, a single bit width buffer 122, a single bit width feature value comparison unit 132, a replacement unit 15, a feature value setting interface 17, and a feature value definition unit 18.
The upstream communication port 11 (an example of a receiving unit) receives a signal representing a communication frame input from the first communication device 2 via the control system network 3, converts the received signal into a data sequence (relay data sequence), and outputs it sequentially. This data sequence contains a plurality of consecutive elements. An element is, for example, a bit. The data sequence is input to two kinds of buffers, namely the multi-bit width buffer 121 and the single bit width buffer 122.
In the present embodiment, the communication frames on the control system network 3 and the data sequence output from the upstream communication port 11 are based on the IEEE 802.3 format, but they may be based on any other communication standard. The transmission medium of the control system network 3 may be, besides electrical signals, light, radio waves, or any combination of these. The upstream communication port 11 may be a NIC (Network Interface Card).
The multi-bit width buffer 121 (an example of a buffer unit) sequentially stores and outputs the plurality of bits in the communication frame received by the upstream communication port 11. For example, the multi-bit width buffer 121 consists of a shift register whose number of elements is a bit width of 8 bits (the number of bits per shift operation) and which has a finite length (three shift stages in FIG. 2). The bit width is the number of bits moved per shift operation of the shift register. The 8-bit wide, 3-stage shift register stores the data sequence arriving continuously at its input end, 8 bits per stage, shifts it to the next stage (to the right in the figure) in 8-bit units according to the drive clock signal, and outputs it from its output end to the replacement unit 15 in the order in which it was input. By providing such a multi-bit width buffer 121, each bit in the data sequence is transmitted a fixed time after it is received by the communication relay device 1. As described later, the multi-bit width buffer 121 is used to match the matching pattern against the communication frame 8 bits at a time.
The single bit width buffer 122 (an example of a buffer unit) likewise sequentially stores and outputs the plurality of bits in the communication frame received by the upstream communication port 11. For example, the single bit width buffer 122 consists of a shift register whose number of elements is a bit width of 1 bit and which has a finite length (12 shift stages in FIG. 2). The 1-bit wide, 12-stage shift register stores the data sequence arriving continuously at its input end, 1 bit per stage, shifts it to the next stage (to the right in the figure) in 1-bit units according to the drive clock signal, and outputs (discards) it from its output end in the order in which it was input. As described later, the single bit width buffer 122 is used to match the matching pattern against the communication frame one bit at a time.
Through these operations, the data sequence received by each buffer is held in that buffer for a fixed period proportional to the product of the number of bits per operation unit (bit width) and the operating speed (operating frequency) of the buffer. That is, the multi-bit width buffer 121 and the single bit width buffer 122 differ in their combination of bit width and operating speed, but they are configured so that the product of bit width and operating speed is the same, or substantially the same, for both.
For example, when the bandwidth (communication speed) of the signal input to the upstream communication port 11 is 100 Mbps (megabits per second), the shift operation speed of the 8-bit wide multi-bit width buffer 121 is 12.5 MHz, and the shift operation speed of the single bit width buffer 122 is 100 MHz. This difference in shift operation speed produces the difference in power consumption described later. These buffers may be built not only from shift registers but also using techniques such as dual-port memory or FIFO buffers.
[Feature value comparison units]
Next, the operation of the multi-bit width feature value comparison unit 131 and the single bit width feature value comparison unit 132 will be described. The multi-bit width feature value comparison unit 131 and the single bit width feature value comparison unit 132 are provided one per buffer, and each compares the bit string corresponding to the bit width of its buffer with the passing condition of that buffer unit.
The multi-bit width feature value comparison unit 131 internally has an element that stores the multi-bit width matching pattern 141. Likewise, the single bit width feature value comparison unit 132 internally has an element that stores the single bit width matching pattern 142.
The multi-bit width feature value comparison unit 131 compares, for example, the data held in the second stage of the multi-bit width buffer 121 with the multi-bit width matching pattern 141, and outputs a match signal to the replacement unit 15 when the two agree. Using the multi-bit width buffer 121, which shifts the data sequence 8 bits at a time, the multi-bit width feature value comparison unit 131 thus matches the pattern against the communication frame 8 bits at a time.
Similarly, the single bit width feature value comparison unit 132 compares, for example, the data held in the third through tenth stages of the single bit width buffer 122 with the single bit width matching pattern 142, and outputs a match signal to the replacement unit 15 when the two agree. Using the single bit width buffer 122, which shifts the data sequence one bit at a time, the single bit width feature value comparison unit 132 thus matches the pattern against the communication frame one bit at a time.
The replacement unit 15 (an example of a changing unit) receives the data sequence output from the multi-bit width buffer 121 and forwards it to the downstream communication port 16, and, according to the comparison results of the feature value comparison units 131 and 132, rewrites some elements of the forwarded data sequence to the specified values. The operation of the replacement unit 15 is described in detail later.
The downstream communication port 16 (an example of a transmitting unit) converts the data sequence forwarded from the replacement unit 15 back into a signal suitable for communication with an external device or for the network, and transmits it to the second communication device 4. In the present embodiment, as with the upstream communication port 11, the data sequence to be transmitted and the data sequence output from the upstream communication port 11 are based on the IEEE 802.3 format, but any communication standard may be used. The downstream communication port 16 may be a NIC.
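To make the two buffer/comparison-unit pairs of FIG. 2 concrete, here is a software model of them in Python. It is an added example, not the patent's circuit: it models an 8-bit-wide register clocked at 12.5 MHz and a 1-bit-wide register clocked at 100 MHz for a 100 Mbps input, each read by a comparison unit at the stages named above (the second stage, and from the third stage on). It goes beyond the text in allowing a pattern longer than one word, so that a destination address can be matched as a whole, and it assumes that bits leave the upstream port MSB-first within each octet and that the registers keep clocking idle words after the last word of a frame. The sample frame and the 0x23 pattern are constructed. It shows the point made under the types of unauthorized communication: an octet-aligned feature is caught by the multi-bit width matcher using an eighth of the shift operations, while the same 8-bit value straddling an octet boundary is caught only by the single bit width matcher.

```python
"""Model of the multi-bit width and single bit width buffers of FIG. 2.

Added example, not the patent's circuit. Assumptions: bits are fed to the
single bit width buffer MSB-first within each octet, the registers keep
clocking idle (zero) words after the last word of a frame, and a matching
pattern may span more than one word. The sample frame is constructed.
"""
from collections import deque
from typing import Dict, List, Tuple

LINE_RATE_BPS = 100_000_000  # 100 Mbps input, the figure used in the text


class ShiftRegister:
    """Finite shift register with `width` bits per stage and `stages` stages.

    Stage 1 (index 0) holds the newest word; each push moves every word one
    stage toward the output end and drops the oldest one.
    """

    def __init__(self, width: int, stages: int) -> None:
        self.width = width
        self.stages = deque([0] * stages, maxlen=stages)
        self.shifts = 0  # clock edges seen: the proxy used here for switching activity

    def push(self, word: int) -> None:
        self.stages.appendleft(word)
        self.shifts += 1

    @property
    def clock_hz(self) -> float:
        # Consuming the line rate `width` bits per cycle needs line_rate / width:
        # 12.5 MHz for 8-bit words, 100 MHz for single bits.
        return LINE_RATE_BPS / self.width

    @property
    def latency_s(self) -> float:
        # Fixed delay from input end to output end.
        return self.stages.maxlen / self.clock_hz


class Comparator:
    """Feature value comparison unit for one buffer.

    Reads len(pattern) consecutive stages starting at `first_stage` (1-based,
    as in the figure) and latches `matched` once they hold the pattern. The
    pattern is given in transmission order and reversed here, because the
    newest word sits in the lowest stage.
    """

    def __init__(self, reg: ShiftRegister, first_stage: int, pattern: List[int]) -> None:
        self.reg = reg
        self.first_stage = first_stage
        self.expect = list(reversed(pattern))
        self.matched = False

    def evaluate(self) -> None:
        lo = self.first_stage - 1
        if list(self.reg.stages)[lo:lo + len(self.expect)] == self.expect:
            self.matched = True


def bits_msb_first(octet: int) -> List[int]:
    return [(octet >> i) & 1 for i in range(7, -1, -1)]


def relay_frame(frame: bytes, byte_pattern: bytes, bit_pattern: str) -> Dict[str, object]:
    """Clock one frame through both buffer/comparator pairs and report what each saw."""
    byte_words = list(byte_pattern)
    bit_words = [int(c) for c in bit_pattern]
    # Depths from FIG. 2 (3 and 12 stages), widened only if a longer pattern needs it.
    multi = ShiftRegister(width=8, stages=max(3, 1 + len(byte_words)))
    single = ShiftRegister(width=1, stages=max(12, 2 + len(bit_words)))
    cmp_multi = Comparator(multi, first_stage=2, pattern=byte_words)
    cmp_single = Comparator(single, first_stage=3, pattern=bit_words)

    for octet in frame:
        multi.push(octet)
        cmp_multi.evaluate()
        for bit in bits_msb_first(octet):
            single.push(bit)
            cmp_single.evaluate()
    # Idle clocks after the frame, just enough for its tail to reach the stages
    # the comparators read; no idle word ever enters a comparator's window.
    for _ in range(cmp_multi.first_stage - 1):
        multi.push(0)
        cmp_multi.evaluate()
    for _ in range(cmp_single.first_stage - 1):
        single.push(0)
        cmp_single.evaluate()

    return {
        "multi_bit_match": cmp_multi.matched,
        "single_bit_match": cmp_single.matched,
        "multi_bit_shifts": multi.shifts,
        "single_bit_shifts": single.shifts,
        "multi_bit_clock_hz": multi.clock_hz,
        "single_bit_clock_hz": single.clock_hz,
        "multi_bit_latency_s": multi.latency_s,
    }


# Constructed IEEE 802.3 frame body (preamble and FCS omitted): dst, src, type, payload.
SAMPLE_FRAME = bytes.fromhex("001122334455" "66778899aabb" "0800" "1234deadbeef")


def demo() -> Tuple[Dict[str, object], Dict[str, object]]:
    # An octet-aligned feature (the destination address) and the 8-bit value
    # 0x23. 0x23 never occurs as an octet of SAMPLE_FRAME, but the octets
    # 0x12 0x34 contain it straddling their boundary: 0001 0010 | 0011 0100.
    aligned = relay_frame(SAMPLE_FRAME, bytes.fromhex("001122334455"), "00100011")
    straddling = relay_frame(SAMPLE_FRAME, b"\x23", "00100011")
    return aligned, straddling


if __name__ == "__main__":
    for name, result in zip(("aligned", "straddling"), demo()):
        print(name, result)
```

The shift counts are the proxy for the power difference the text refers to: the multi-bit width buffer clocks once per octet, the single bit width buffer eight times. The latency figure for the three-stage register at 12.5 MHz (240 ns) is the fixed delay the multi-bit width buffer adds before data reaches the replacement unit.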
[Details of the communication frame and operation of the replacement unit]
In this embodiment, the communication frame on the control system network 3 is taken to be based on the IEEE 802.3 format as an example. A communication frame based on IEEE 802.3 is described with reference to FIG. 3.
(Communication frame)
FIG. 3 shows an example of the format of a communication frame. A communication frame based on IEEE 802.3 consists of the fields (areas) of a preamble, a header, a payload and an FCS (Frame Check Sequence). The last byte of the preamble is the SFD (Start Frame Delimiter), which marks the start of the header. When the upstream communication port 11 detects the SFD in the received signal, it outputs a frame start signal indicating the reception timing. The frame start signal serves as the reference for the timing (the position within the communication frame) at which the replacement unit 15 changes the contents of the FCS field. The upstream communication port 11 may supply the frame start signal directly to the replacement unit 15, or via the feature value comparison units 131 and 132.
The header contains the destination address, source address and type/length subfields and is used to deliver the frame correctly to its destination. The payload is the content (body) of the data being sent. The FCS field (an example of a first area) is an error-detection area holding an error check code with which the receiving device checks whether the IEEE 802.3 frame suffered a transmission error. The FCS value is computed from the contents of the header and payload by a CRC (Cyclic Redundancy Check) calculation and is, for example, 32 bits long.
The upstream communication port 11 recognizes the start of the header by detecting the SFD in the communication frame. The replacement unit 15 recognizes the payload length by detecting the type/length field and thus recognizes the timing (position within the frame) of the FCS field. The detection of the type/length field may instead be performed by the upstream communication port 11 or by the feature value comparison units 131 and 132.
A device that receives this communication frame recomputes the FCS value and discards the frame if the result does not match the value the frame carries. This mechanism prevents a value altered by unauthorized communication, noise or the like from being used for control.
[Replacement unit]
With the above in mind, the operation of the replacement unit 15 is described. The replacement unit 15 receives the 8-bit data strings output from the multi-bit-width buffer 121 in order and, under normal conditions, passes them unchanged and in order to the downstream communication port 16. However, when a data string of the predetermined bit width fails the pass condition in either of the feature value comparison units 131 and 132, the replacement unit 15 changes the contents of the FCS field of the communication frame. That is, when the replacement unit 15 receives a match signal from either the multi-bit-width feature value comparison unit 131 or the single-bit-width feature value comparison unit 132 (hereinafter "on a feature value match"), it inverts the FCS value of that frame or rewrites it with an invalid value, for example 0. Fields other than the FCS are output exactly as received.
The second communication device 4 receives the frame through the downstream communication port 16 of the communication relay device 1 and recomputes the FCS from the header and payload. On a feature value match the FCS field has been rewritten with an invalid value, so the received FCS differs from the recomputed one and the frame is discarded. When the second communication device 4 is the control device 26, this prevents an unauthorized frame from infecting the control device 26 with malware or from causing abnormal operation through communication via an unauthorized port. Even when a frame is harmful to the control device 26, its control capability is therefore not impaired.
The target rewritten by the replacement unit 15 may be a part of the frame other than the FCS field, such as data in a specific area of the payload. Even when the frame format is not IEEE 802.3, the same effect as with the FCS can be expected by rewriting the field that holds the frame's error detection code, or a field that the format requires to hold a specific value.
In the communication frame, the bit string to be rewritten is preferably located after the bit string that is checked against the matching pattern, so that the rewrite can be applied after the checked bit string has passed through the buffers. As another way of changing the FCS field, the replacement unit 15 may output a predetermined addend that is added to the FCS field.
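As an added illustration, not part of the patent and not Hitachi's implementation, the following Python simulates the replacement unit end to end: it computes the IEEE 802.3 FCS, runs a byte-aligned check (the multi-bit-width buffer) and a check at every bit offset (the single-bit-width buffer) over a frame as it streams through, inverts the FCS when a pattern matched, and shows that the receiver's CRC check then rejects the frame while the header and payload are forwarded byte for byte. The MAC addresses, the EtherType, the 2-byte function code standing in for the text's port-number example, the signature and the sample frames are all constructed for this example; in hardware the FCS position comes from the type/length field or the end of the carrier, whereas here it is taken from the frame length.

```python
import zlib


def fcs32(data: bytes) -> bytes:
    """IEEE 802.3 FCS over destination address .. end of payload: CRC-32
    (polynomial 0x04C11DB7, bit-reflected, init and final XOR 0xFFFFFFFF),
    transmitted least-significant byte first. zlib.crc32 computes exactly
    this CRC, so only the byte order is handled here."""
    return zlib.crc32(data).to_bytes(4, "little")


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """dst + src + type + payload + FCS; preamble and SFD are omitted."""
    body = dst + src + ethertype.to_bytes(2, "big") + payload
    return body + fcs32(body)


def receiver_accepts(frame: bytes) -> bool:
    """What the receiving device does: recompute the FCS and compare."""
    return len(frame) > 4 and fcs32(frame[:-4]) == frame[-4:]


def bits_to_bytes(bits: str) -> bytes:
    """Pack a bit string (MSB first) into bytes, zero-padding the last byte."""
    bits += "0" * (-len(bits) % 8)
    return int(bits, 2).to_bytes(len(bits) // 8, "big")


class CutThroughRelay:
    """Forwards every byte as soon as it arrives (constant delay). If any
    pattern matched before the FCS is reached, the four FCS bytes are sent
    inverted (or zeroed) so the receiver's CRC check fails and it drops the
    frame; header and payload are forwarded unchanged."""

    def __init__(self, byte_patterns, bit_patterns, mode="invert"):
        # byte_patterns: [(byte offset in frame, bytes)] compared only at that
        #   byte-aligned position (multi-bit-width buffer: port/function code).
        # bit_patterns: ["0101..."], up to 32 bits, compared at every bit offset
        #   (single-bit-width buffer: a binary signature).
        self.byte_patterns = list(byte_patterns)
        self.bit_patterns = [(int(p, 2), len(p)) for p in bit_patterns]
        self.mode = mode

    def relay(self, frame: bytes):
        out = bytearray()
        byte_buf = bytearray()      # bytes seen so far (multi-bit-width buffer)
        shift, nbits = 0, 0         # 32-bit shift register (single-bit-width buffer)
        hits = []                   # ("byte" | "bit", pattern index, byte position)
        fcs_start = len(frame) - 4  # hardware: from type/length or end of carrier
        for pos, byte in enumerate(frame):
            if pos < fcs_start:
                byte_buf.append(byte)
                for i, (off, pat) in enumerate(self.byte_patterns):
                    if pos == off + len(pat) - 1 and byte_buf[off:pos + 1] == pat:
                        hits.append(("byte", i, pos))
                # Bits are shifted MSB first to match bits_to_bytes(); a real
                # PHY delivers each octet LSB first and patterns follow that.
                for b in range(7, -1, -1):
                    shift = ((shift << 1) | ((byte >> b) & 1)) & 0xFFFFFFFF
                    nbits += 1
                    for i, (pat, n) in enumerate(self.bit_patterns):
                        if nbits >= n and (shift & ((1 << n) - 1)) == pat:
                            hits.append(("bit", i, pos))
                out.append(byte)
            elif hits:  # verdict is fixed once the FCS starts
                out.append(byte ^ 0xFF if self.mode == "invert" else 0x00)
            else:
                out.append(byte)
        return bytes(out), hits


# Constructed sample traffic: locally administered MACs, the IEEE 802 local
# experimental EtherType 0x88B5 and a hypothetical 2-byte function code at
# the start of the payload.
DST = bytes.fromhex("0200000000aa")
SRC = bytes.fromhex("0200000000bb")
CTRL_TYPE = 0x88B5
SIGNATURE = "1011001110001011"  # constructed 16-bit "malware" signature

relay = CutThroughRelay(byte_patterns=[(14, b"\xff\xff")], bit_patterns=[SIGNATURE])

clean = build_frame(DST, SRC, CTRL_TYPE, b"\x00\x01" + bytes(46))
bad_code = build_frame(DST, SRC, CTRL_TYPE, b"\xff\xff" + bytes(46))
# Signature placed at bit offset 3 of the payload: a byte-aligned search for
# bytes.fromhex("b38b") never sees it, only the bit-wise check does.
bad_sig = build_frame(DST, SRC, CTRL_TYPE,
                      b"\x00\x02" + bits_to_bytes("000" + SIGNATURE) + bytes(43))


def demo():
    """{name: (receiver accepts?, header+payload untouched?, kinds of match)}"""
    results = {}
    for name, frame in (("clean", clean), ("bad_code", bad_code), ("bad_sig", bad_sig)):
        out, hits = relay.relay(frame)
        results[name] = (receiver_accepts(out), out[:-4] == frame[:-4],
                         [kind for kind, _, _ in hits])
    return results


def aligned_search_finds_signature() -> bool:
    return bits_to_bytes(SIGNATURE) in bad_sig[:-4]


if __name__ == "__main__":
    for name, (accepted, intact, kinds) in demo().items():
        print(f"{name:9s} accepted={accepted} body_intact={intact} hits={kinds}")
```

Two points a practitioner should take from the simulation. Rewriting the FCS to zero is invalid only with overwhelming probability (a frame whose true FCS happens to be 0x00000000 would still pass), which is why the example inverts the FCS by default. And the mechanism relies on the receiver enforcing the FCS: a tap, or a NIC configured to accept CRC-errored frames, still sees the complete header and payload, so the relay suppresses delivery to the protected device rather than removing the content from the wire.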
[Setting and updating feature values]
Next, the operation of the feature value setting interface 17 and the feature value definition unit 18 is described.
The feature value setting interface 17 is configured to receive, by communication from an external device such as a personal computer, feature value information describing the communication content to be blocked, and to write that information into the feature value definition unit 18.
The feature value definition unit 18 consists of a storage element such as RAM and has the function of transferring the feature value information into the multi-bit-width matching pattern 141 and the single-bit-width matching pattern 142. This allows the settings (matching patterns) for the communication content that the communication relay device 1 should block to be updated, so that the device can be kept current against the latest threats.
The feature value setting interface 17 may be implemented as an independent interface such as a serial port, or it may be integrated with the upstream communication port 11 so that feature values are updated via the control system network 3.
[Effects of the first embodiment]
Compared with a configuration in which the buffers and feature value comparison units all use a single bit width, the first embodiment configured in this way allows the operating speed (operating frequency) of each buffer and feature value comparison unit to be optimized according to the granularity of the matching pattern (the unit of comparison). For example, detecting a binary signature (a pattern characteristic of malware) requires matching at every bit offset. By contrast, a pattern such as a port number, whose position in the frame can be identified in multi-bit units (for example a word), only needs to be matched at those multi-bit offsets. The implementation best suited to detecting unauthorized communication therefore differs by pattern type, and the first embodiment can handle a variety of unauthorized communications while reducing power consumption.
For example, with a 100 Mbps input signal, a conventional design must run all buffers and feature value comparison units at 100 MHz. In the communication relay device 1 of this embodiment, the single-bit-width buffer 122 and single-bit-width feature value comparison unit 132 must still run at 100 MHz, as described above, but the 8-bit-wide multi-bit-width buffer 121 and multi-bit-width feature value comparison unit 131 need only run at one eighth of that, 12.5 MHz. When the bit position to be checked in the frame is a multiple of 4 or 8, for example, the check is performed by the multi-bit-width buffer 121 and multi-bit-width feature value comparison unit 131.
Since the power consumption of a circuit is generally proportional to its operating frequency, including circuits that run at one eighth of the frequency reduces power consumption compared with running every circuit at 100 MHz. Lower power consumption also simplifies the heat dissipation structure and so contributes to lowering the cost of the communication relay device 1. In other words, providing the multi-bit-width buffer 121 allows a lower operating frequency than the single-bit-width buffer 122, yielding a low-cost communication relay device with low power consumption and small circuit area.
Suppose that ten matching patterns must be evaluated for a given frame, five of them 8-bit-width patterns and five of them 1-bit-width patterns. Conventionally, all ten patterns, 8-bit and 1-bit alike, are evaluated by the single-bit-width buffer 122 and single-bit-width feature value comparison unit 132, which increases power consumption. In this embodiment, the five 8-bit-width patterns are evaluated by the 8-bit multi-bit-width buffer 121 and multi-bit-width feature value comparison unit 131, and the remaining five 1-bit-width patterns by the single-bit-width buffer 122 and single-bit-width feature value comparison unit 132. Choosing the buffer and comparison unit according to the bit width of each matching pattern in this way can reduce power consumption substantially.
In this embodiment, the single-bit-width buffer 122 side only reports its comparison result from the single-bit-width feature value comparison unit 132 to the replacement unit 15; it is the multi-bit-width buffer 121 that outputs the data string of the frame received from the upstream communication port 11 to the replacement unit 15, in order. Using the wider multi-bit-width buffer 121 to relay the bit string of the frame reduces the power consumed by the relaying itself compared with using the single-bit-width buffer 122.
This embodiment also makes it possible to retrofit an existing control system with a security capability that is, at the least, low in power consumption, meeting the demand for security measures that accompanies the life extension and upgrading of existing plants.
When the second communication device 4 is the control device 26, adding to the control device 26 a function that computes and evaluates feature values of communication frames is difficult to achieve with its limited processing capacity. Adding the communication relay device 1 of this embodiment outside the control device 26 prevents attacks on the control device 26 without modifying it and without increasing its load.
An adversary intending to attack the control device 26 may continually search for design or implementation flaws (vulnerabilities) in it and apply new attack techniques that exploit them. A control system such as infrastructure that must operate for a long time should allow defenses against new attack techniques to be added continuously during its service life. Because the control device 26 cannot easily be stopped while the control system is running, modifying its program or applying patches is difficult. According to this embodiment, new attack techniques can be countered by setting feature value extraction rules and pass conditions in the communication relay device 1, without halting the control system.
A relay device using the store-and-forward method receives and stores the whole communication frame, decides whether to pass or discard it, and transmits only frames it has decided to pass; it does not start transmitting a frame until that decision is complete. Its relay delay therefore varies with the frame length and other factors.
The communication relay device 1, by contrast, receives each bit of the frame, feeds it into the buffers, passes it through them, decides from the partial data passing through whether the frame is normal, rewrites some bits of the frame if it is not, and transmits the bits in the order received. The communication relay device 1 thus relays successive frames to the second communication device 4 with a constant delay regardless of frame length or verdict. Since control systems transmit frames at short intervals, a constant relay delay is desirable.
Furthermore, by computing part of the data string while the frame passes through the buffers and comparing it with the predetermined pass condition, the device can decide whether relaying the frame is valid or invalid. If relaying is judged invalid, rewriting the FCS field at the end of the frame causes the second communication device 4 to treat the frame as invalid and discard it, even if the downstream communication port 16 has already begun sending the start of the frame. The frame is thereby blocked without increasing the relay delay.
<Modifications of the first embodiment>
To simplify the description, the first embodiment showed one applied feature value (bit string pattern) for each of the multi-bit and single-bit widths, but several different feature values may be applied at each bit width. The unauthorized patterns that must be blocked are generally becoming ever more diverse, and the device needs to be able to handle many patterns.
This embodiment also showed one pair of a multi-bit-width buffer and multi-bit-width feature value comparison unit and one pair of a single-bit-width buffer and single-bit-width feature value comparison unit, but it is not limited to this. Several multi-bit-width circuits and several single-bit-width circuits may each be provided. In the present invention it suffices that, among the pairs of buffers and feature value comparison units, at least one pair has a bit width of 1 and at least one pair has a bit width of 2 or more. For example, using a 4-bit-width buffer as the multi-bit-width buffer 121 reduces power consumption to roughly one quarter of that of the single-bit-width buffer, and because it is compatible with the standard 4-bit-wide MII (media-independent interface), no conversion circuit is needed. With a 4-bit-width configuration the operating frequency is 25 MHz.
This embodiment described a so-called blacklist method, in which a frame containing a feature value is blocked when it matches any of the held feature values, but this is not limiting. The communication relay device 1 may instead implement a so-called whitelist method, in which a frame is passed only when it matches all of the held feature values and is blocked otherwise.
In the blacklist method, the pass condition is that the elements corresponding to the number of elements in the buffer (the bit string corresponding to the buffer's bit width) do not match a matching pattern (first pattern) made up of that number of elements and representing unauthorized communication. The feature value comparison unit outputs a match signal when a data string matching the first pattern is present in the communication frame, and the replacement unit 15 rewrites the FCS field value of the frame on receiving a match signal from any feature value comparison unit. This configuration provides good matching for frames for which blacklist-style checking is appropriate.
In the whitelist method, the pass condition is that the elements corresponding to the number of elements in the buffer (the bit string corresponding to the buffer's bit width) match a matching pattern (second pattern) made up of that number of elements and representing communication that is not unauthorized. The feature value comparison unit determines whether every data string to be checked in the communication frame matches the second pattern and notifies the replacement unit 15 of the result. If any feature value comparison unit determines that a data string not matching the second pattern exists, the replacement unit 15 rewrites the FCS field value of the frame. This configuration provides good matching for frames for which whitelist-style checking is appropriate.
The control system network 3 has the characteristic that frames of the same format and length are sent at a constant period; such frames are, for example, ones in which only a fixed-length value in the payload changes, or ones indicating whether a switch is on or off. In such cases the pass condition may use the reception time of the frame. When the frame reception interval, the difference between the reception times of two consecutive frames, is used as the feature value, the pass condition is that the interval lies within a predetermined time range. Each of the modifications described above also applies to the second embodiment.
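As an added example, not from the patent, the following Python combines the whitelist pass condition with the reception-interval condition for periodic control traffic: a frame passes only if it has the expected length, every whitelisted field holds its expected value, and it arrived within the tolerated interval after the previous frame. The frame layout, the 10 ms period, the 2 ms tolerance and the arrival sequence are constructed; the FCS is omitted from the sample frames because the check only reads the bit string, and the interval is measured between consecutive received frames exactly as the text defines it.

```python
from typing import List, Optional, Tuple


class PeriodicWhitelist:
    """Whitelist pass condition for a fixed-format, fixed-period control frame.
    A frame passes only if its length, every whitelisted field and its
    reception interval are all as expected; the returned reason string
    lists every condition that failed (empty means pass)."""

    def __init__(self, fields, expected_len: int, period_us: float, tolerance_us: float):
        # fields: [(byte offset, bytes)] that every legitimate frame must carry
        #   (the text's "second pattern"); all of them must match.
        self.fields = list(fields)
        self.expected_len = expected_len
        self.lo = period_us - tolerance_us
        self.hi = period_us + tolerance_us
        self.last_rx_us: Optional[float] = None

    def check(self, frame: bytes, rx_time_us: float) -> Tuple[bool, str]:
        failed = []
        if len(frame) != self.expected_len:
            failed.append("length")
        for off, pat in self.fields:
            if frame[off:off + len(pat)] != pat:
                failed.append(f"field@{off}")
        if self.last_rx_us is not None:
            interval = rx_time_us - self.last_rx_us
            if not (self.lo <= interval <= self.hi):
                failed.append("interval")
        # Interval is taken between consecutive received frames, so an injected
        # frame also shifts the interval seen by the next legitimate one; the
        # tolerance has to be chosen with that in mind.
        self.last_rx_us = rx_time_us
        return (not failed, ",".join(failed))


# Constructed header: locally administered MACs, experimental EtherType 0x88B5.
HEADER = (bytes.fromhex("0200000000aa") + bytes.fromhex("0200000000bb")
          + (0x88B5).to_bytes(2, "big"))


def ctrl_frame(function_code: int, value: int) -> bytes:
    """Constructed 60-byte control frame (FCS omitted): header, 2-byte
    function code, 2-byte value, zero padding."""
    return HEADER + function_code.to_bytes(2, "big") + value.to_bytes(2, "big") + bytes(42)


# Constructed arrival sequence (microseconds): nominal 10 ms period with one
# injected frame, one non-whitelisted function code and one truncated frame.
ARRIVALS = [
    (0, ctrl_frame(0x0001, 10)),
    (10_000, ctrl_frame(0x0001, 11)),
    (11_000, ctrl_frame(0x0001, 9999)),     # injected 1 ms after the real one
    (20_000, ctrl_frame(0x0001, 12)),       # 9 ms after the injected frame
    (30_000, ctrl_frame(0x00FF, 0)),        # unknown function code
    (40_000, ctrl_frame(0x0001, 13)[:50]),  # truncated
    (50_000, ctrl_frame(0x0001, 14)),
]


def run(arrivals=ARRIVALS) -> List[str]:
    """Failure reasons per frame in arrival order ('' where the frame passes)."""
    wl = PeriodicWhitelist(fields=[(12, b"\x88\xb5"), (14, b"\x00\x01")],
                           expected_len=60, period_us=10_000, tolerance_us=2_000)
    return [wl.check(frame, t)[1] for t, frame in arrivals]


if __name__ == "__main__":
    for (t, _), reason in zip(ARRIVALS, run()):
        print(f"t={t / 1000:5.1f} ms  {'pass' if not reason else 'block: ' + reason}")
```

The injected frame is byte-for-byte a valid command and is caught only by its timing, which is the case the reception-interval condition is meant for; the legitimate frame that follows it still passes because the 9 ms gap lies within the 8 to 12 ms window, so the tolerance decides how much collateral blocking an injected frame can cause.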
<第2の実施形態>
 第1の実施形態では、制御システムネットワーク3から到来する不正な通信から第2通信装置4を保護することができる。しかし、実際には、第2通信装置4が制御システムネットワーク3以外の経路でマルウェア感染等の攻撃を受け、第2通信装置4から制御システムネットワーク3に向かって不正な通信を送出するケースも考えられる。例えば、制御システムネットワーク3の内部からの不正な通信として、制御装置26に装着されたUSBメモリを介して制御システムネットワーク3に不正な通信が送信されることも考えられる。このような場合への対策として、通信の伝送方向を双方向に拡張し、第1の実施形態と逆向きに不正な通信が伝搬することを防止することが求められる。第2の実施形態では、第1の実施形態とは逆向きに不正な通信が伝搬することを防止する通信中継装置について説明する。
<Second embodiment>
In the first embodiment, the second communication device 4 can be protected from unauthorized communication coming from the control system network 3. However, actually, a case is considered in which the second communication device 4 is attacked by malware infection or the like on a route other than the control system network 3 and sends out unauthorized communication from the second communication device 4 to the control system network 3. Can be For example, as the unauthorized communication from inside the control system network 3, it is conceivable that the unauthorized communication is transmitted to the control system network 3 via the USB memory attached to the control device 26. As a countermeasure against such a case, it is required to extend the communication transmission direction in both directions so as to prevent illegal communication from propagating in the opposite direction to the first embodiment. In the second embodiment, a communication relay device that prevents illegal communication from propagating in the opposite direction to the first embodiment will be described.
 図4は、第2の実施形態に係る通信中継装置1Aの概略構成例を示すブロック図である。通信中継装置1Aは、第1中継部40a及び第2中継部40bの2つの中継部を含む。制御システムネットワーク3から第2通信装置4へ伝送される通信フレームの経路(便宜的に「下り」という)と、逆に第2通信装置4から制御システムネットワーク3へ伝送される通信フレームの経路(便宜的に「上り」という)とに、それぞれ第1中継部40a及び第2中継部40bが挿入されている。第1中継部40aは下り方向の通信フレームを中継し、第2中継部40bは上り方向の通信フレームを中継する。第1中継部40a及び第2中継部40bのそれぞれは、第1の実施形態で述べた通信中継装置1と同様の構成を有する。 FIG. 4 is a block diagram illustrating a schematic configuration example of a communication relay device 1A according to the second embodiment. The communication relay device 1A includes two relay units, a first relay unit 40a and a second relay unit 40b. The path of the communication frame transmitted from the control system network 3 to the second communication device 4 (referred to as “down” for convenience) and the path of the communication frame transmitted from the second communication device 4 to the control system network 3 ( For convenience, the first relay unit 40a and the second relay unit 40b are inserted into “up”. The first relay unit 40a relays a downstream communication frame, and the second relay unit 40b relays an upstream communication frame. Each of the first relay unit 40a and the second relay unit 40b has the same configuration as the communication relay device 1 described in the first embodiment.
 第1実施形態と同様、第1通信装置2から下り方向に伝送される通信フレームのうち、第1中継部40aによりFCSフィールドの値を無効値に置換された通信フレームは、第2通信装置4により廃棄される。同様に、第2通信装置4から上り方向に伝送される通信フレームのうち、第2中継部40bによりFCSフィールドの値を無効値に置換された通信フレームは、例えば宛先が第1通信装置2であった場合、第1通信装置2により廃棄される。これにより、下り方向、すなわち制御システムネットワーク3から到来する不正な通信から第2通信装置4を保護する機能に加え、上り方向、すなわち第2通信装置4から送出される不正な通信から制御システムネットワーク3に接続された機器を保護する機能を実現することができる。 As in the first embodiment, of the communication frames transmitted in the downstream direction from the first communication device 2, the communication frames in which the value of the FCS field is replaced with an invalid value by the first relay unit 40 a are the second communication devices 4. Discarded by Similarly, among the communication frames transmitted in the upward direction from the second communication device 4, the communication frame in which the value of the FCS field is replaced with an invalid value by the second relay unit 40 b has, for example, a destination of the first communication device 2. If there is, it is discarded by the first communication device 2. Accordingly, in addition to the function of protecting the second communication device 4 from the downlink, that is, the unauthorized communication coming from the control system network 3, the function of protecting the second communication device 4 from the uplink, that is, the unauthorized communication sent from the second communication device 4 A function of protecting the device connected to the third device can be realized.
 このとき、第1中継部40a及び第2中継部40bは、それぞれに異なるマッチングパターンを設定することができる。すなわち、多ビット幅マッチングパターン141を、第1中継部40aと第2中継部40bで異なるパターンにしてもよい。同様に、単ビット幅マッチングパターン142を、第1中継部40aと第2中継部40bで異なるパターンにしてもよい。これにより、上り経路と下り経路で異なるマッチングパターン(通過条件)を定義することができる。この場合、上り経路と下り経路のそれぞれにおける脅威の傾向に応じて柔軟な対策を講じることができる。 At this time, the first relay unit 40a and the second relay unit 40b can set different matching patterns respectively. That is, the multi-bit width matching pattern 141 may be different between the first relay unit 40a and the second relay unit 40b. Similarly, the single bit width matching pattern 142 may be different patterns in the first relay unit 40a and the second relay unit 40b. Thereby, different matching patterns (passing conditions) can be defined for the up route and the down route. In this case, flexible measures can be taken according to the tendency of the threat on each of the up route and the down route.
 なお、第1中継部40a内の上流通信ポート11と第2中継部40b内の下流通信ポート16とが一つの通信ポートであってもよく、第2中継部40b内の上流通信ポート11と第1中継部40a内の下流通信ポート16とが一つの通信ポートであってもよい。また、第1中継部40aと第2中継部40bが互いに異なる筺体に設けられていてもよい。 Note that the upstream communication port 11 in the first relay unit 40a and the downstream communication port 16 in the second relay unit 40b may be one communication port, and the upstream communication port 11 in the second relay unit 40b and the The downstream communication port 16 in one relay section 40a may be one communication port. Further, the first relay section 40a and the second relay section 40b may be provided in different housings.
 また、第1中継部40aと第2中継部40bで、特徴値設定インターフェース17及び特徴値定義部18(それぞれ図2参照)を共通としてもよい。すなわち、第1中継部40aと第2中継部40bは、特徴値設定インターフェース17及び特徴値定義部18を備えない。管理者は、通信中継装置1Aの特徴値設定インターフェース17及び特徴値定義部18を介して特徴値(多ビット幅マッチングパターン、単ビット幅マッチングパターン)を、第1中継部40aと第2中継部40bに個別に又は一斉に設定する。通信中継装置1Aにおいて、下り経路と上り経路とに共通の特徴値を用いることにより、下り経路と上り経路とに異なる特徴値を用いる場合に比べて、特徴値の設定の工数を削減できる。 The feature value setting interface 17 and the feature value definition unit 18 (see FIG. 2) may be shared by the first relay unit 40a and the second relay unit 40b. That is, the first relay unit 40a and the second relay unit 40b do not include the feature value setting interface 17 and the feature value definition unit 18. The administrator transfers the feature values (multi-bit width matching pattern, single bit width matching pattern) via the feature value setting interface 17 and the feature value definition unit 18 of the communication relay device 1A to the first relay unit 40a and the second relay unit. 40b is set individually or all at once. In the communication relay device 1A, by using a common feature value for the downstream route and the upstream route, the number of steps for setting the feature value can be reduced as compared with a case where different feature values are used for the downstream route and the upstream route.
 The operations of the communication relay devices 1 and 1A according to the first and second embodiments described above may be carried out by hardware or by software. FIG. 5 is a block diagram showing an example hardware configuration of a computer 50 included in the communication relay devices 1 and 1A when the operations are carried out by software. The hardware configuration of the computer 50 in the first relay unit 40a and the second relay unit 40b of the communication relay device 1A may be the same as that of the communication relay device 1.
 The computer 50 includes a CPU (Central Processing Unit) 51, a ROM (Read Only Memory) 52, a RAM (Random Access Memory) 53, a non-volatile storage 55, a first communication interface 56, and a second communication interface 57. The units in the communication relay device 1 are connected to one another via a system bus 54 so that they can exchange data.
 The CPU 51, the ROM 52, and the RAM 53 form a control unit. This control unit controls the operation of the communication relay device 1 as a whole, or of each unit in the communication relay device 1A. The CPU 51 reads the program code of the software that realizes the functions of each embodiment described above from the ROM 52 and executes it, controlling each unit and performing various computations. Another processing device such as an MPU (Micro Processing Unit) may be used instead of the CPU 51.
 The ROM 52 is used as an example of a non-volatile memory (recording medium) and stores the programs, data, and the like that the CPU 51 needs in order to operate. The RAM 53 is used as an example of a volatile memory and temporarily stores variables, parameters, and the like that arise during computation by the CPU 51.
 The non-volatile storage 55 is an example of a recording medium and can store information such as the programs executed by the CPU 51, programs such as an OS (Operating System), tables, and files. The non-volatile storage 55 may be, for example, a semiconductor memory, a hard disk, a recording device such as an SSD (Solid State Drive), or a magnetic or optical medium. The programs may also be supplied via a wired or wireless transmission medium such as a local area network (LAN), the Internet, or digital satellite broadcasting.
 The first communication interface 56 is, for example, a NIC or a modem, and is configured to send and receive various data to and from external devices via a network such as a LAN connected to its terminal or via a dedicated line. The first communication interface 56 corresponds, for example, to the upstream communication port 11.
 The second communication interface 57 is, for example, a NIC or a modem, and is configured to send and receive various data to and from external devices via a network such as a LAN connected to its terminal or via a dedicated line. The second communication interface 57 corresponds, for example, to the downstream communication port 16.
 The computer 50 may further be provided with a display unit and an operation unit so that an operator can check the content shown on the display unit and enter required information through the operation unit. The display unit is, for example, a liquid crystal display monitor and shows GUI screens, the results of processing performed by the CPU 51, and the like. The operation unit is, for example, a pointing device such as a mouse or touch panel, or a keyboard. The operator can perform predetermined operations on the operation unit to enter instructions; the operation unit generates input signals corresponding to the operator's actions and supplies them to the CPU 51.
 The present invention is not limited to the embodiments described above, and it goes without saying that various other applications and modifications may be adopted without departing from the gist of the invention set out in the claims.
 For example, the embodiments above describe the configuration of the communication relay device in detail and concretely in order to explain the invention clearly, and the invention is not necessarily limited to configurations having all of the described components. Part of the configuration of one embodiment may be replaced with components of another embodiment, components of another embodiment may be added to the configuration of one embodiment, and components may be added to, deleted from, or substituted for part of the configuration of each embodiment.
 Each of the configurations, functions, processing units, and the like described above may be realized in whole or in part by hardware, for example by designing them as an integrated circuit. The processing carried out by a given processing unit may be realized by a single piece of hardware or by distributed processing across multiple pieces of hardware.
 In the embodiments described above, the control lines and information lines shown are those considered necessary for the explanation; not all control lines and information lines of the product are necessarily shown. In practice, almost all components may be regarded as being interconnected.
 Reference numerals: 1, 1A: communication relay device; 2: first communication device; 3: control system network; 4: second communication device; 11: upstream communication port; 15: replacement unit; 16: downstream communication port; 18: feature value definition unit; 40a: first relay unit; 40b: second relay unit; 121: multi-bit width buffer; 122: single-bit width buffer; 131: multi-bit width feature value comparison unit; 132: single-bit width feature value comparison unit; 141: multi-bit width matching pattern; 142: single-bit width matching pattern

Claims (7)

  1.  A communication relay device comprising:
     a receiving unit that sequentially receives a plurality of elements in a communication frame transmitted from a first communication device;
     a plurality of buffer units that sequentially store and output the plurality of elements in the communication frame received by the receiving unit, the buffer units differing from one another in the combination of the number of elements per operation unit and the operating speed;
     a plurality of comparison units, one provided for each of the buffer units, each comparing the elements corresponding to the number of elements of its buffer unit with a pass condition of that buffer unit;
     a changing unit that transmits the plurality of elements in order and, when in any of the comparison units the elements corresponding to the number of elements do not satisfy the pass condition, changes the element corresponding to a first area in the communication frame; and
     a transmitting unit that sequentially transmits the plurality of elements transmitted from the changing unit to a second communication device.
  2.  The communication relay device according to claim 1, wherein the product of the number of elements per operation unit and the operating speed is the same or substantially the same for each of the plurality of buffer units.
  3.  The communication relay device according to claim 2, wherein, among the plurality of buffer units, at least one buffer unit has a number of elements of 1 and at least one buffer unit has a number of elements of 2 or more.
  4.  The communication relay device according to claim 2, wherein, among the plurality of buffer units, the buffer unit having the larger number of elements sequentially outputs the plurality of elements in the communication frame input from the receiving unit to the changing unit.
  5.  The communication relay device according to claim 2, wherein each of the buffer units is constituted by a shift register.
  6.  The communication relay device according to claim 2, wherein the element corresponding to the first area in the communication frame is an error check code.
  7.  The communication relay device according to any one of claims 1 to 6, wherein the pass condition is that the elements corresponding to the number of elements of the buffer unit match a matching pattern indicating that the communication is not unauthorized communication composed of that number of elements, and when in any of the comparison units the elements corresponding to the number of elements do not match the matching pattern, the changing unit changes the element corresponding to the first area in the communication frame.
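The claims above describe the two-path check, and the second embodiment adds per-direction matching patterns; the following Python model is an added example, not code from the patent or from Hitachi. A multi-bit width path that shifts in four elements per step and a single-bit width path that takes one element per step each apply their own pass condition, and a failed comparison changes the error check code so that the downstream receiver discards the frame while the payload itself is forwarded untouched. The frame layout (payload followed by a CRC-32 trailer), the pass-condition predicates and the sample frames are constructed assumptions.

```python
import zlib

WIDTH = 4  # element count of the multi-bit-width buffer; the single-width buffer has 1

def build_frame(payload: bytes) -> bytes:
    """Constructed frame layout: payload followed by a 4-byte CRC-32 trailer,
    which plays the role of the claims' "first area" (error check code)."""
    return payload + zlib.crc32(payload).to_bytes(4, "big")

def crc_valid(frame: bytes) -> bool:
    """What the downstream receiver checks before it accepts a frame."""
    return zlib.crc32(frame[:-4]) == int.from_bytes(frame[-4:], "big")

def relay(frame: bytes, multi_ok, single_ok) -> tuple[bytes, bool]:
    """Stream `frame` through both buffer paths and return (forwarded frame, passed).
    multi_ok(word: bytes) -> bool is the pass condition of the WIDTH-element path,
    single_ok(b: int) -> bool that of the 1-element path. The 1-element path makes
    WIDTH comparisons per one comparison of the WIDTH-element path, so element
    count x operating speed is the same on both paths (claim 2)."""
    payload, trailer = frame[:-4], frame[-4:]
    passed = True
    for i in range(0, len(payload), WIDTH):
        word = payload[i:i + WIDTH]           # one shift of the multi-width register
        for element in word:                  # single-width path: one element per step
            if not single_ok(element):
                passed = False
        if len(word) == WIDTH and not multi_ok(word):   # multi-width path: whole word
            passed = False
    if passed:
        return frame, True
    # Changing unit: invert the error check code so the receiver discards the frame.
    # The payload elements themselves are forwarded unchanged, as in the claims.
    return payload + bytes(b ^ 0xFF for b in trailer), False

# Constructed pass conditions for the two directions (second embodiment: the
# upstream and downstream paths may use different matching patterns 141/142).
FORBIDDEN_WORD = b"HALT"                      # constructed forbidden 4-element word
up_multi_ok = lambda word: word != FORBIDDEN_WORD
up_single_ok = lambda b: 0x20 <= b <= 0x7E    # printable ASCII elements only
down_multi_ok = lambda word: word[0] == 0xA5  # every word starts with a sync marker
down_single_ok = lambda b: True

if __name__ == "__main__":
    for payload in (b"SET VALVE 3 OPEN", b"HALT VALVE 3    ", b"SET\x00VALVE 3 OPEN"):
        out, ok = relay(build_frame(payload), up_multi_ok, up_single_ok)
        print(payload, "passed" if ok else "CRC changed", "receiver accepts:", crc_valid(out))
```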
PCT/JP2019/023219 (priority date 2018-08-23, filing date 2019-06-12): Communication relay device, WO2020039705A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
JP2018156014A JP2020031342A (en) 2018-08-23 2018-08-23 Communication relay device
JP2018-156014 2018-08-23

Publications (1)

Publication Number Publication Date
WO2020039705A1 true WO2020039705A1 (en) 2020-02-27

Legal Events

Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 19851921; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 19851921; Country of ref document: EP; Kind code of ref document: A1)