WO2022180691A1 - Communication system, communication device, fraud determination method, and program - Google Patents

Info

Publication number
WO2022180691A1
Authority
WO
WIPO (PCT)
Prior art keywords
node
data
sub
received data
pub
Prior art date
Application number
PCT/JP2021/006880
Other languages
French (fr)
Japanese (ja)
Inventor
弘樹 長山
将浩 白石
知暁 鷲尾
麻美 宮島
Original Assignee
日本電信電話株式会社
Priority date
Filing date
Publication date
Application filed by 日本電信電話株式会社
Priority to PCT/JP2021/006880
Publication of WO2022180691A1

Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F13/00: Interconnection of, or transfer of information or other signals between, memories, input/output devices or central processing units
    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55: Detecting local intrusion or implementing counter-measures

Definitions

  • the present invention relates to technology for detecting fraud such as falsification of data sent and received on a network.
  • pub/sub communication Publish/subscribe communication
  • in pub/sub communication, there are a publisher, which is a client on the sending side that creates and sends a message called an event, and a subscriber, which is a client on the receiving side of the message.
  • Pub/Sub communication has three characteristics: "spatial separation", "temporal separation", and "asynchronous processing". With "spatial separation", Publishers and Subscribers do not need to know of each other's existence. "Temporal separation" allows data to be sent and received without the Publisher and Subscriber being on the network at the same time. Also, by "asynchronous processing", transmission and reception of events can be processed asynchronously with other processing of the Publisher or Subscriber.
  • a broker-type configuration is a configuration in which a function called a broker, which is responsible for spatial separation, temporal separation, and asynchronous processing properties, is placed between Pub and Sub.
  • a brokerless configuration is a distributed configuration in which all nodes (Pub and Sub) have the ability to assume spatial separation, temporal separation, and asynchronous processing properties.
  • DDS Data Distribution Service
  • the present invention has been made in view of the above points, and an object thereof is to provide a technique that makes it possible to detect fraud such as data falsification in a communication system that performs Pub/Sub communication.
  • a communication system comprising a distributor node and a subscriber node, when the subscribing side node detects an order abnormality based on the sequence number of the received data, sending an audit request including information on the received data to the distributing side node;
  • the delivery node determines whether there is an abnormality based on the information about the received data, and transmits the determination result to the subscriber node;
  • a communication system is provided in which the subscribing node determines whether or not fraud has occurred based on the result of communication monitoring and the determination result received from the distributing node.
  • a technique that enables detection of fraud such as data falsification in a communication system that performs Pub/Sub communication.
  • FIG. 3 is a diagram for explaining Pub/Sub communication using DDS. A further figure shows a system configuration example in which DDS is incorporated.
  • 1 is a diagram illustrating a configuration example of a system having multiple nodes;
  • FIG. 2 is a diagram for explaining the outline of Example 1;
  • 1 is a diagram illustrating a system configuration example in Example 1;
  • FIG. 4 is a diagram showing a processing flow in Example 1.
  • FIG. 1 is a diagram illustrating a configuration example of a system having multiple nodes;
  • FIG. 11 is a diagram showing a configuration example of an APP-DDS functional unit in Example 2;
  • FIG. 4 is a diagram showing a configuration example of a DDS operation function unit;
  • FIG. 4 is a diagram showing a configuration example of a DDS operation function unit
  • FIG. 10 is a diagram showing a processing flow in Example 2-1. Three further figures explain the inspection processing example.
  • FIG. 13 is a diagram showing a processing flow in Example 2-2. A further figure shows a hardware configuration example of an apparatus.
  • the above-described brokerless configuration is adopted, and the brokerless type is realized by the DDS having a function corresponding to the broker.
  • DDS adds a NW for delivery to the NW I/F owned by the node.
  • the delivery range set by the user is operated by this delivery NW and the filters inside the DDS, enabling the appropriate data transmission/reception for applications functioning as Pub or Sub.
  • the DDS assigns a multicast address to the NW I/F that can be used within the node and prepares the delivery NW.
  • for the distribution range, it is possible to set whether to distribute by unicast using the existing IP address of the node or to use a newly assigned multicast address, making it possible to determine the physical data distribution range.
  • An example of the delivery range is shown in FIG. 1.
  • domain A and domain B are set as the delivery range.
  • a delivery range for topic [i] and a delivery range for topic [ro] are set.
  • the delivery range of key [II] is set within the delivery range of topic [I].
  • a DDS is a program that functions as middleware in a node (which may also be called a computer or communication device).
  • a processing program that is the basis for communication in DDS is prepared as a library.
  • a DDS program can be generated from a communication program generation data definition file that has parameters for data definitions (type, size, name, QoS, etc.) to be sent by an application (described as "APP").
  • APP application
  • FIG. 2 is a diagram showing a system configuration example in which the DDS is incorporated.
  • FIG. 2 physically shows a configuration in which a plurality of nodes (computers) to which sensors and control valves are connected are connected to a bus-type network.
  • a sensor is connected to each of nodes 1 and 2, and an APP that generates data to be published and a DDS are installed.
  • Control valves are connected to nodes 2 and 3, respectively, and APP and DDS for utilizing subscribed data are installed.
  • the example in FIG. 2 shows an example in which a Pub/Sub configuration with redundant QoS settings is realized using DDS.
  • the DDS of node 1 constitutes a primary Pub and a sub 1 Pub
  • the DDS of node 2 constitutes a sub 2 Pub.
  • the DDS of the node 3 constitutes the first Sub and the second Sub
  • the DDS of the node 4 constitutes the third Sub.
  • although FIG. 2 shows an example in which the APP is written in Python and the DDS is written in C++, these are just examples, and any programming language may be used. Also, when changing the Pub/Sub configuration, some settings, such as QoS, can be changed dynamically in part, while others require a process restart (including program modification).
  • Examples 1 and 2 will be described below as examples of the technology according to the present embodiment. In addition, Example 1 and Example 2 can be implemented in combination.
  • one node may have both Pub/Sub, and one node may have Pub/Sub across multiple domains.
  • one APP may have multiple Pubs or multiple Subs.
  • each Pub and each Sub in the same APP can be identified.
  • in the communication system that is the base of the first embodiment, the communication is in plain text.
  • FIG. 3 shows a configuration example of a communication system that serves as a base in the first embodiment. As shown in FIG. 3, this communication system has nodes 10 to 18, L2SW (Layer 2 switches) 20 and 21, L3SW (Layer 3 switch) 30, a packet analyzer 40, and a detector 50.
  • L2SW Layer 2 switches
  • L3SW Layer 3 switch
  • nodes 10, 11, 12, 15, 16, and 17 belong to domain D1
  • nodes 12, 13, 14, 17, and 18 belong to domain D2.
  • D1 of "DDS_D1" of node 10 indicates the domain to which the node belongs.
  • Nodes 12 and 17 belong to both domain D1 and domain D2.
  • Pub1 (APP I) is an application that publishes data on topic [I], and functions as Pub1 (Publisher1) in Pub/Sub communication.
  • Pub1 (APP) Pub1
  • Pub2 (APP) Pub2
  • node 11 has both Pub and Sub as Pub3 and Sub4.
  • Nodes 12 and 14 have multiple APPs functioning as multiple Pubs, and nodes 17 and 18 have multiple APPs functioning as multiple Subs.
  • the Internet 55 is connected to the end of the L3SW 30, and each node can communicate with the Internet 400.
  • a packet analysis device 40 is connected to each L2SW, and for example, the detection unit 50 can perform anomaly detection based on packet analysis results.
  • Embodiment 1 provides a mechanism for solving the above problems. A configuration and operation example of the first embodiment will be described with reference to FIG.
  • FIG. 4 shows a configuration in which a node on the Pub side and a node on the Sub side are connected by a NW.
  • a node on the Pub side is connected with a sensor that is a source of data to be published, and a node on the Sub side is connected with a control valve that is a destination of the subscribed data.
  • Three Pubs are configured by the DDS function of the Pub-side node, and three Subs are configured by the DDS function of the Sub-side node.
  • an APP-DDS function unit 100 is provided between the APP and the DDS.
  • an APP-DDS functional unit 200 is provided between APP and DDS.
  • the APP-DDS function unit 100 in the Pub side node has a route control unit 110, a route condition recording unit 120, and a route condition arbitration unit 130.
  • the APP-DDS functional unit 200 in the Sub-side node has a route control unit 210, a route condition recording unit 220, and a route condition arbitration unit 230. The operation of each unit will be explained in the sequence to be described later.
  • in Example 1, when distributing data from nodes on the Pub side, the same data (sensor values, etc.) is distributed as multiple different topics.
  • a node on the Pub side stores and distributes the same data to topic A, topic B, and topic C.
  • the data (payload) of a topic has the identification information of the topic (eg topic A) and a value.
  • the path control unit 210 in the Sub-side node that subscribes to the data compares the received data of the three topics to determine whether or not there is fraud, and determines which topic's data is actually processed (that is, passed to the APP).
  • Pub1 is set as the Pub for Topic B
  • Pub2 is set as the Pub for Topic B
  • Pub3 is set as the Pub for Topic C.
  • two of the three Pubs are set as dummies.
  • the routing control unit 210 sets Sub1 as the Sub for Topic A, Sub2 as the Sub for Topic B, and Sub3 as the Sub for Topic C by controlling the DDS. However, two of the three Subs are set as dummies.
  • Pub1 distributes topic A data, and Sub1 receives (subscribes to) topic A data.
  • Pub2 distributes topic B data and Sub2 receives topic B data.
  • Pub3 distributes topic C data, and Sub3 receives topic C data.
  • a Pub-Sub pair that publishes/subscribes to the same topic may be called a "path".
  • the node on the Sub side (specifically, the route control unit 210) compares the distribution data between the routes. By doing so, it is possible to detect and defend against attacks other than when the multiple routes are hijacked at the same time. For example, if at least one data among the plurality of data is different from other data, it may be determined that fraud has been committed.
  • when the path control unit 210 detects that any two of topic A, topic B, and topic C have the same value and the remaining one is different from the other two, it judges the two data having the same value to be normal and passes the data to the APP. It also determines that an abnormality (fraud) has occurred on the path of the one differing data.
  • when the path control unit 210 detects that the values of the data of Topic A, Topic B, and Topic C all differ from one another, it determines all three data to be abnormal and does not pass any data to the APP. It also determines that an abnormality has occurred in all three routes.
  • FIG. 5 shows a configuration example of a communication system according to the first embodiment. As shown in FIG. 5, each node is provided with an APP-to-DDS function for the base communication system shown in FIG. The internal configuration of each APP-DDS functional unit is as shown in FIG.
  • route conditions are stored in each of the route condition recording unit 120 and the route condition recording unit 220.
  • the route condition is a condition for using routes, for example "use N routes from time X to time Y" or "use M routes when the value of the data output from the APP is K or more".
  • the route condition arbitration unit 130 of the Pub-side node searches the route condition recording unit 120 and acquires the current route conditions as search results.
  • the route condition arbitration unit 230 of the Sub-side node searches the route condition recording unit 220 and acquires the current route conditions as search results.
  • the route condition arbitration units 130 and 230 hash the current route conditions obtained by searching (S105, S106). In S107, arbitration is performed by transmitting and receiving hashed route conditions between the route condition arbitration unit 130 and the route condition arbitration unit 230.
  • Specifically, each of the route condition arbitration unit 130 and the route condition arbitration unit 230 compares the route condition on its own side with the route condition on the other party's side and checks whether they match. If they match, it decides to use that route condition, and registers it in the route condition recording unit 120/220 as an arbitration result (S108/S109).
  • the Pub-side route condition arbitration unit 130 registers its own route conditions in the route condition recording unit 120 as the arbitration result (S108).
  • the route condition arbitration unit 230 on the Sub side acquires the route condition on the Pub side from the Pub side and registers it in the route condition recording unit 220 as the arbitration result (S109).
  • the route control units 110/210 acquire the latest arbitrated route conditions from the route condition recording units 120/220 (S110 to S113). Further, the route control units 110/210 construct routes according to the route conditions. Specifically, for example, as shown in FIG. 4, when the route condition is to use three routes, the route control unit 110 controls the DDS 270 so that three routes are available, for example by adding two dummy Pubs. Also, the path control unit 210 on the Sub side adds, for example, two dummy Subs so as to create three paths by controlling the DDS 270. Note that this process is unnecessary if there are already three routes (three Pubs and three Subs).
  • the route control unit 110 receives data from the APP150.
  • the route control unit 110 duplicates the data received from the APP 150 by the number of routes.
  • the route control unit 110 notifies the DDS 270 of the duplicated data. For example, when using 3 paths, the same 3 data are posted to the DDS 270.
  • the DDS 270 notifies the route control unit 210 on the Sub side of each data received through a plurality of routes.
  • the route control unit 210 compares the data between the routes as described above, determines whether or not the data is illegal, and determines whether or not to send the data to the APP 250 and which data to send to the APP 250. If it is determined to send certain data to APP 250, the routing control unit 210 sends the data to APP 250 in S119.
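The Example 1 flow above (hashed route-condition check, duplication over several topics, comparison on the Sub side), as an added Python sketch that is not code from the patent. The function and class names, the SHA-256/JSON encoding of the route condition, the strict-majority generalization beyond three paths, and the treatment of a missing path as a differing one are all assumptions of this example.

```python
from __future__ import annotations

import hashlib
import json
from collections import Counter
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Verdict:
    fraud: bool                # True if any path disagreed
    deliver: Optional[bytes]   # value to pass to the APP, or None
    suspect_topics: tuple      # topics (paths) judged abnormal


def condition_digest(condition: dict) -> str:
    """Hash a route condition for the arbitration exchange (S105 to S107).

    Canonical JSON (sorted keys, fixed separators) makes both sides hash
    identical bytes for identical conditions. Encoding is an assumption.
    """
    blob = json.dumps(condition, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(blob.encode("utf-8")).hexdigest()


def duplicate_for_paths(value: bytes, topics: list) -> dict:
    """Pub side: copy one APP value onto every topic (one copy per path)."""
    return {topic: value for topic in topics}


def compare_paths(received: dict, expected_topics: list) -> Verdict:
    """Sub side: compare the copies that arrived over each path.

    All equal            -> normal, deliver.
    Strict majority      -> deliver the majority value, flag the rest.
    No strict majority   -> deliver nothing, flag every path.
    """
    present = [received[t] for t in expected_topics if t in received]
    if not present:
        return Verdict(True, None, tuple(sorted(expected_topics)))
    value, votes = Counter(present).most_common(1)[0]
    total = len(expected_topics)
    if votes == total:
        return Verdict(False, value, ())
    if votes * 2 > total:
        suspects = tuple(sorted(
            t for t in expected_topics if received.get(t) != value))
        return Verdict(True, value, suspects)
    return Verdict(True, None, tuple(sorted(expected_topics)))


if __name__ == "__main__":
    topics = ["A", "B", "C"]                       # constructed sample
    pub_cond = {"routes": 3, "from": "X", "to": "Y"}
    sub_cond = {"to": "Y", "from": "X", "routes": 3}
    assert condition_digest(pub_cond) == condition_digest(sub_cond)
    copies = duplicate_for_paths(b"42.0", topics)
    copies["B"] = b"99.9"                          # one path tampered
    print(compare_paths(copies, topics))
```

With three paths this reproduces the two cases the text walks through: two matching copies are delivered and the third path is flagged, and three mutually different copies deliver nothing.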
  • Example 2 (Communication system that is the basis of the second embodiment, problems) Next, Example 2 will be described. Example 2 can also be implemented independently and can also be implemented in combination with Example 1.
  • FIG. 7 shows a communication system on which the second embodiment is based. As shown in FIG. 7, the communication system on which the second embodiment is based has the same configuration as the communication system on which the first embodiment is based shown in FIG.
  • an attacker analyzes data of a certain topic on a communication channel, and transmits malicious data generated by rewriting QoS guarantee information (sequence No. related to Reliability in this embodiment). It is conceivable that this induces a malfunction of the assurance function (in this case, Reliability QoS Policy).
  • attacking sequence No. > normal sequence No.
  • SN a number indicating the order of data
  • an attacker intercepts topic data distributed by multicast on the network and confirms the current latest SN of Pub. Then, based on the confirmed SN, incorrect data is inserted so as not to cause sequence anomaly.
  • the DDS on the Sub side only discards the data corresponding to the SN that has been received once, and does not cause an order abnormality, so it is impossible to detect that there has been unauthorized data insertion.
  • each node is provided with an APP-DDS function unit 100/200 and a DDS operation function unit 300/400.
  • the Pub-side APP-DDS functional unit 100 may not be provided.
  • FIG. 9 shows a configuration example of the APP-DDS function unit 200 on the Sub side.
  • the APP-DDS functional unit 200 has a notification control unit 240.
  • FIG. 10 shows a configuration example of the DDS operation function unit 300 on the Pub side.
  • the DDS operation function unit 300 has a pub-side audit unit 310.
  • FIG. 11 shows a configuration example of the DDS operation function unit 400 on the Sub side.
  • the DDS operation function section 400 has a monitoring management section 410 and a Sub-side auditing section 420. The operation of each unit will be explained in the sequence to be described later.
  • Example 2-1 an example of an anomaly determination method for attacks that cause sequence anomalies
  • Example 2-2 an example of an anomaly determination method for attacks that will not cause sequence anomalies
  • Example 2-1 and Example 2-2 will be described separately below, in actual operation, both Example 2-1 and Example 2-2 are performed. However, only the operation of Example 2-1 or only the operation of Example 2-2 may be executed.
  • starting from a detection by the sequence assurance function that the DDS has as its basic function, the DDS internal data and traffic of Pub and Sub are checked to determine whether the data loss that occurred was an attack by a malicious Pub. In addition, data is not passed to the APP when it is determined to be an attack.
  • Each DDS is equipped with a queue that records the transmitted/received data and its sequence (SN), which makes it possible to determine whether or not there is a sequence abnormality.
  • when the DDS 340 on the Sub side detects the occurrence of a sequence abnormality, it transmits a sequence abnormality notification to the audit management unit 410 in S201.
  • the audit management unit 410 that has received the sequence abnormality notification transmits an audit request to each of the pub-side audit unit 310 and the sub-side audit unit 420 (S202, S203).
  • the audit request contains information about the data received on the Sub side.
  • the information about the received data is, for example, the SN of the latest data received by the Sub and the data.
  • Upon receiving the audit request, the pub-side auditing unit 310 confirms the presence of the latest SN data received from the sub-side with respect to the DDS 330 (S204), and based on the confirmation result, determines whether or not there is an abnormality (S205). In S207, the pub-side auditing unit 310 transmits the determination result to the sub-side audit management unit 410.
  • the Sub side auditing unit 420 performs communication monitoring based on the latest SN received in S203 to determine whether there is an abnormality (S206), and notifies the audit management unit 410 of the result.
  • the audit management unit 410 that has received the determination results from the pub-side audit unit 310 and the sub-side audit unit 420 makes a final determination of the presence or absence of an abnormality (fraud), and transmits the audit result to the notification control unit 240 in S209.
  • the communication control unit 240 determines whether or not to transmit data to the APP 350 based on the inspection result. When it is determined to transmit data to APP 350, the data is transmitted to APP 350 in S211.
  • An example of inspection processing will be described with reference to FIGS. 13, 14, and 15.
  • In the examples of FIGS. 13, 14, and 15, it is assumed that there are Pub (publisher) and Sub (subscriber) that transmit and receive data, and there is an attacker (attacker). However, in the case of FIG. 13, it is assumed that the attacker has not attacked.
  • queues in which SNs and data are recorded are provided as functions of the DDS 330/340 on the pub side and the sub side, respectively.
  • the publisher queue stores data A to D of SN1 to 4, and the Pub-side DDS 330 puts a check mark on the data for which Ack or NACK has been received after transmission. Also, the DDS 340 on the Sub side records the received data and puts a checkmark in the subscriber queue.
  • the DDS 340 on the Sub side detects that an order abnormality has occurred, and notifies the audit management unit 410 of the order abnormality.
  • the Sub side monitoring unit 420 determines that there is no abnormality, and notifies the audit management unit 410 on the Sub side of the determination result that there is no abnormality.
  • the audit management unit 410 notifies the notification control unit 240 that there is no abnormality (no fraud) as the audit result, and the data is passed to the APP 350.
  • the DDS 340 on the Sub side detects that an order abnormality has occurred and notifies the audit management unit 410 of the order abnormality.
  • Example 2-2 Next, Example 2-2 will be described. Embodiment 2-2 will explain a mechanism capable of detecting fraud even when fraudulent data is inserted so as not to cause sequence anomaly.
  • Example 2-2 The system configuration in Example 2-2 is the same as in Example 2-1. The operation on the Sub side in embodiment 2-2 will be described with reference to the sequence diagram of FIG. In the example of FIG. 16, the DDS 340, the audit management unit 410, the Sub-side audit unit 420, the notification control unit 240, and the APP 350 in the Sub-side node are shown. Also, the DDS 340 is shown connected to the network.
  • the DDS 340 receives data with SNs.
  • the DDS 340 causes the Sub-side audit section 420 to store the set of the received data and its SN.
  • S601 and S602 are executed each time data is received, and the Sub-side auditing unit 420 stores a set of data and its SN for all received data. However, data and SN pairs received earlier than a certain time may be deleted.
  • the Sub-side auditing unit 420 compares the SN of the newly received data with the SN of the stored received data, and judges whether data with the same SN as already received data has been newly received.
  • the audit management unit 410 requests the Sub-side audit unit 420 to audit. Specifically, it confirms whether or not the data value corresponding to the received SN and the data value of the same SN received again match, and if they do not match, it is requested to determine that there is an abnormality.
  • the notification control unit 240 is notified.
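The two checks of Example 2, as an added Python sketch that is not code from the patent: the Pub-side audit triggered by an order abnormality (Example 2-1) and the Sub-side comparison of re-received SNs (Example 2-2). Class names, the direct method call standing in for the audit request sent over the network, the retention size, and the rule that either abnormal result means fraud are assumptions of this example; the sample traffic is constructed.

```python
from __future__ import annotations

from collections import OrderedDict


class PubSideAuditor:
    """Stand-in for the pub-side auditing unit 310 and the publisher queue."""

    def __init__(self) -> None:
        self.sent = {}  # SN -> data actually transmitted by this Pub

    def record_sent(self, sn: int, data: bytes) -> None:
        self.sent[sn] = data

    def audit(self, sn: int, data: bytes) -> bool:
        """True (abnormal) if the Sub holds data this Pub never sent."""
        return self.sent.get(sn) != data


class SubSideAuditor:
    """Stand-in for the Sub-side auditing unit 420 (Example 2-2)."""

    def __init__(self, retain: int = 1024) -> None:
        self.retain = retain
        self.seen = OrderedDict()  # SN -> first data received for that SN

    def record(self, sn: int, data: bytes) -> bool:
        """Store the pair; True if this SN already arrived with other data."""
        if sn in self.seen:
            return self.seen[sn] != data
        self.seen[sn] = data
        while len(self.seen) > self.retain:  # old pairs may be deleted
            self.seen.popitem(last=False)
        return False


class SubscriberNode:
    """Combines both audits in front of the APP."""

    def __init__(self, pub_auditor: PubSideAuditor, retain: int = 1024) -> None:
        self.pub_auditor = pub_auditor
        self.sub_auditor = SubSideAuditor(retain)
        self.last_sn = 0
        self.delivered = []

    def receive(self, sn: int, data: bytes) -> str:
        # Example 2-2: same SN, different data. Plain duplicate discarding
        # would hide this, so it is checked before anything else.
        if self.sub_auditor.record(sn, data):
            return "fraud"
        if sn <= self.last_sn:
            return "discard"  # harmless retransmission of known data
        # Example 2-1: an SN gap is an order abnormality, so ask the Pub
        # side whether it really transmitted this (SN, data) pair.
        if sn != self.last_sn + 1 and self.pub_auditor.audit(sn, data):
            return "fraud"
        self.last_sn = sn
        self.delivered.append(data)
        return "deliver"


def run_constructed_scenario():
    pub = PubSideAuditor()
    for sn, data in enumerate([b"A", b"B", b"C", b"D", b"E"], start=1):
        pub.record_sent(sn, data)
    sub = SubscriberNode(pub)
    traffic = [
        (1, b"A"), (2, b"B"),
        (9, b"X"),      # injected with an SN above the normal one
        (4, b"D"),      # SN 3 genuinely lost; Pub confirms SN 4
        (4, b"D"),      # retransmission
        (5, b"EVIL"),   # injected in order, no abnormality raised yet
        (5, b"E"),      # genuine SN 5 exposes the earlier insertion
    ]
    return [sub.receive(sn, d) for sn, d in traffic], sub.delivered


if __name__ == "__main__":
    print(run_constructed_scenario())
```

The in-order insertion is only exposed when the genuine copy of that SN arrives, by which time the inserted value has already reached the APP; the retention window also bounds how late a conflicting copy can still be caught.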
  • Each node (communication device) according to the present embodiment can be realized, for example, by causing a computer to execute a program describing the processing content described in the present embodiment.
  • the above program can be recorded on a computer-readable recording medium (portable memory, etc.), saved, or distributed. It is also possible to provide the above program through a network such as the Internet or e-mail.
  • FIG. 17 is a diagram showing a hardware configuration example of the computer.
  • the computer of FIG. 17 has a drive device 1000, an auxiliary storage device 1002, a memory device 1003, a CPU 1004, an interface device 1005, a display device 1006, an input device 1007, an output device 1008, etc., which are interconnected by a bus BS.
  • a program that implements the processing in the computer is provided by a recording medium 1001 such as a CD-ROM or memory card, for example.
  • a recording medium 1001 such as a CD-ROM or memory card
  • the program is installed from the recording medium 1001 to the auxiliary storage device 1002 via the drive device 1000.
  • the program does not necessarily need to be installed from the recording medium 1001, and may be downloaded from another computer via the network.
  • the auxiliary storage device 1002 stores installed programs, as well as necessary files and data.
  • the memory device 1003 reads and stores the program from the auxiliary storage device 1002 when a program activation instruction is received.
  • the CPU 1004 implements functions related to nodes according to programs stored in the memory device 1003.
  • the interface device 1005 is used as an interface for connecting to the network.
  • a display device 1006 displays a GUI (Graphical User Interface) or the like by a program.
  • An input device 1007 is composed of a keyboard, a mouse, buttons, a touch panel, or the like, and is used to input various operational instructions.
  • the output device 1008 outputs the calculation result. Note that at the node, either or both of the display device 1006 and the input device 1007 may be omitted.
  • a communication system comprising a distributor node and a subscriber node, wherein the delivery side node transmits a plurality of data obtained by duplicating one piece of data to the subscriber node through a plurality of routes, and the subscribing node determines whether fraud has occurred by comparing the plurality of data received from the plurality of paths.
  • the communication system according to item 1, wherein the plurality of routes are three or more routes, and the subscribing side node deems fraud to have occurred when at least one data among the plurality of data received from the plurality of routes is different from other data.
  • (Section 3) The communication system according to item 1 or 2, wherein the subscribing node passes the data received from the plurality of paths to an application in the subscribing node when it is determined that fraud has not occurred.
  • (Section 4) The communication system according to any one of items 1 to 3, wherein route conditions are arbitrated between the distributor node and the subscriber node, and the plurality of routes are determined based on the arbitration result.
  • (Section 5) A communication device used as the distributor node in a communication system comprising a distributor node and a subscriber node, the communication device comprising: a route condition arbitration unit that arbitrates route conditions with the subscribing node; and a route control unit that transmits a plurality of data obtained by duplicating one piece of data to the subscribing node through a plurality of routes based on the route conditions arbitrated by the route condition arbitration unit.
  • (Section 6) A communication device used as the subscriber node in a communication system comprising a distributor node and a subscriber node, the communication device comprising: a route control unit that determines whether or not fraudulent activity has occurred by receiving a plurality of data obtained by duplicating one piece of data at the delivery side node from a plurality of routes and comparing the plurality of data.
  • (Section 7) A data distribution method in a communication system comprising a distributor node and a subscriber node, the method comprising: a step in which the delivery side node transmits a plurality of data obtained by duplicating one piece of data to the subscribing side node through a plurality of routes; and a step in which the subscribing node determines whether or not fraud has occurred by comparing the plurality of data received from the plurality of paths.
  • (Section 8) A program for causing a computer to function as each unit in the communication device according to item 5 or 6.
  • a communication system comprising a distributor node and a subscriber node, when the subscribing side node detects an order abnormality based on the sequence number of the received data, sending an audit request including information on the received data to the distributing side node;
  • the delivery node determines whether there is an abnormality based on the information about the received data, and transmits the determination result to the subscriber node;
  • the communication system wherein the subscribing side node determines whether or not fraudulent activity has occurred, based on a communication monitoring result and the determination result received from the delivery side node.
  • the communication system according to item 1, wherein the distributing node determines that there is an abnormality when detecting, based on the information about the received data, that the subscribing node has received data that has not been transmitted by the distributing node.
  • (Section 3) The communication system according to Clause 1 or 2, wherein the subscribing node determines that fraud has been committed if it detects, based on the communication monitoring result and the judgment result received from the distributing node, that data not transmitted by the distributing node has been received.
  • (Section 4) The communication system as described, wherein the subscribing side node passes the data received from the distributing side node to an application in the subscribing side node if it is determined that no fraud has been committed.
  • a communication device used as the distributor node in a communication system comprising a distributor node and a subscriber node, the communication device comprising: an auditing unit that, when the subscribing node detects a sequence abnormality based on the sequence number of the received data, receives an audit request including information on the received data from the subscribing node, determines the presence or absence of an abnormality based on the information, and transmits a determination result to the subscriber node.
  • a communication device used as the subscriber node in a communication system comprising a distributor node and a subscriber node, the communication device comprising: an audit management unit that transmits an audit request including information about the received data to the delivery side node when an order abnormality is detected based on the sequence number of the received data; and an audit unit that receives, from the delivery side node, a determination result as to whether or not there is an abnormality based on information relating to the received data at the delivery side node, and determines, based on the determination result and the result of communication monitoring, whether fraud has been committed.
  • (Section 8) A fraud determination method in a communication system comprising a distributor node and a subscriber node, the method comprising: a step of sending an audit request including information on the received data to the delivery node when the subscriber node detects an order abnormality based on the sequence number of the received data; a step in which the delivery node determines whether there is an abnormality based on the information about the received data, and transmits the determination result to

Abstract

In a communication system having a publish-side node and a subscription-side node, the subscription-side node, on detecting an abnormality in order on the basis of the sequence number of received data, transmits to the publish-side node an inspection request including information regarding the received data. The publish-side node determines whether or not there is an abnormality on the basis of the information regarding the received data and transmits the determination result to the subscription-side node. The subscription-side node determines whether or not fraud has been committed on the basis of a communication monitoring result and the determination result received from the publish-side node.

Description

Communication system, communication device, fraud determination method, and program
The present invention relates to technology for detecting fraud, such as falsification of data sent and received over a network.
In recent years, work toward realizing smart factories has started from connecting devices on the information NW (network) to devices on the control NW. Communication models that handle device interconnection and one-to-many and many-to-one communication in a lightweight and flexible manner are expected to spread.
Publish/Subscribe communication (hereinafter, Pub/Sub communication) has been proposed as such a lightweight and flexible communication model. In Pub/Sub communication there is a Publisher, the sending-side client that creates and sends a message called an event, and a Subscriber, the client that receives the message.
Pub/Sub communication has three properties: "spatial separation", "temporal separation", and "asynchronous processing". With spatial separation, the Publisher and the Subscriber do not need to know of each other's existence. With temporal separation, data can be sent and received even if the Publisher and the Subscriber are not on the network at the same time. With asynchronous processing, sending and receiving events can be handled asynchronously with the other processing of the Publisher or the Subscriber.
There are two models of Pub/Sub communication: broker type and brokerless type. In the broker-type configuration, a function called a broker, which is responsible for spatial separation, temporal separation, and asynchronous processing, is placed between Pub and Sub. The brokerless configuration is a distributed configuration in which every node (Pub and Sub) has the functions responsible for spatial separation, temporal separation, and asynchronous processing. The brokerless configuration can be realized by deploying a function called DDS (Data Distribution Service) in each node.
JP 2007-129482 A
In a communication system that performs Pub/Sub communication using DDS, fraud such as data falsification through spoofing may occur.
However, conventional communication systems that perform Pub/Sub communication using DDS had no mechanism for detecting fraud such as data falsification.
The present invention has been made in view of the above points, and its object is to provide a technique that makes it possible to detect fraud such as data falsification in a communication system that performs Pub/Sub communication.
According to the disclosed technology, there is provided a communication system comprising a distributing node and a subscribing node, wherein:
when the subscribing node detects an order abnormality based on the sequence number of received data, it sends an audit request including information on the received data to the distributing node;
the distributing node determines whether there is an abnormality based on the information on the received data, and transmits the determination result to the subscribing node; and
the subscribing node determines whether fraud has been committed, based on a communication monitoring result and the determination result received from the distributing node.
According to the disclosed technology, a technique is provided that makes it possible to detect fraud such as data falsification in a communication system that performs Pub/Sub communication.
  • A diagram for explaining Pub/Sub communication using DDS.
  • A diagram showing an example of a system configuration in which DDS is incorporated.
  • A diagram showing a configuration example of a system having multiple nodes.
  • A diagram for explaining the outline of Example 1.
  • A diagram showing a system configuration example in Example 1.
  • A diagram showing a processing flow in Example 1.
  • A diagram showing a configuration example of a system having multiple nodes.
  • A diagram showing a system configuration example in Example 2.
  • A diagram showing a configuration example of the APP-DDS functional unit in Example 2.
  • A diagram showing a configuration example of the DDS operation function unit.
  • A diagram showing a configuration example of the DDS operation function unit.
  • A diagram showing a processing flow in Example 2-1.
  • A diagram for explaining an audit processing example.
  • A diagram for explaining an audit processing example.
  • A diagram for explaining an audit processing example.
  • A diagram showing a processing flow in Example 2-2.
  • A diagram showing a hardware configuration example of a device.
An embodiment of the present invention (the present embodiment) is described below with reference to the drawings. The embodiment described below is only an example, and embodiments to which the present invention is applied are not limited to it.
The embodiment described below applies the present invention to a communication system that performs Pub/Sub communication using DDS, but the present invention is applicable not only to Pub/Sub communication using DDS.
(Pub/Sub communication using DDS)
First, DDS and Pub/Sub communication using DDS, which are the premise of the present embodiment, are described.
The present embodiment adopts the brokerless configuration described above, and realizes it by having the DDS take on the function that corresponds to the broker.
Here, delivery range management in DDS is described. DDS adds a delivery NW to the NW I/F of a node. The delivery range set by the user is enforced by this delivery NW and by filters inside the DDS, so that applications functioning as Pub or Sub can send and receive the appropriate data.
Specifically, based on the data bus and the delivery range set by the user, DDS assigns multicast addresses to the NW I/Fs available in the node and sets up the delivery NW. When the delivery range is specified, it can also be set whether data is delivered by unicast using the node's existing IP address or by using the newly assigned multicast address, which makes it possible to define the physical range over which data is distributed.
FIG. 1 shows an example of delivery ranges. In the example of FIG. 1, domain A and domain B are set as delivery ranges. Within domain A, a delivery range for topic [i] and a delivery range for topic [ro] are set. Within the delivery range of topic [i], a delivery range for key [II] is set.
(System configuration example in which DDS is incorporated)
A DDS is a program that functions as middleware in a node (which may also be called a computer or a communication device). The core processing program needed for communication in DDS is provided as a library. By using this library, a DDS program can be generated from a data definition file for communication program generation, which holds as parameters the definitions (type, size, name, QoS, etc.) of the data sent by an application (written as "APP"). DDS generation itself is existing technology.
FIG. 2 is a diagram showing a system configuration example in which DDS is incorporated. Physically, FIG. 2 shows a configuration in which multiple nodes (computers), to which sensors and control valves are connected, are connected to a bus-type network.
A sensor is connected to each of nodes 1 and 2, and each carries an APP that generates data to be published and a DDS. A control valve is connected to each of nodes 2 and 3, and each carries an APP that uses subscribed data and a DDS.
The example of FIG. 2 shows a Pub/Sub configuration with a redundancy QoS setting realized by DDS. Specifically, the DDS of node 1 constitutes a primary Pub and a secondary-1 Pub, and the DDS of node 2 constitutes a secondary-2 Pub. The DDS of node 3 constitutes a first Sub and a second Sub, and the DDS of node 4 constitutes a third Sub.
In the example of FIG. 2 the APP is written in Python and the DDS in C++, but these are only examples and any programming language may be used. When the Pub/Sub configuration is changed, some settings, such as QoS, can be changed dynamically, while others require a process restart (including program modification).
Example 1 and Example 2 are described below as examples of the technology according to the present embodiment. Example 1 and Example 2 can be implemented in combination.
(System configuration serving as the base in Example 1)
Next, an example of the communication system that serves as the base in Example 1 is described. The same base communication system is used in Example 2. In this base communication system, one node may belong to multiple domains, and multiple Pubs/Subs may exist in one node. Here, a Pub is an application that generates data to be published, and a Sub is an application that uses subscribed data. The functions related to Pub/Sub communication are handled by the DDS.
One node may contain both a Pub and a Sub, and one node may contain Pubs/Subs that span multiple domains. One APP may contain multiple Pubs or multiple Subs, and each Pub and each Sub in the same APP can be identified. In the base communication system of Example 1, communication is in plaintext.
FIG. 3 shows a configuration example of the communication system that serves as the base in Example 1. As shown in FIG. 3, this communication system has nodes 10 to 18, L2SWs (Layer 2 switches) 20 and 21, an L3SW (Layer 3 switch) 30, a packet analysis device 40, and a detection unit 50.
In the example of FIG. 3, nodes 10, 11, 12, 15, 16, and 17 belong to domain D1, and nodes 12, 13, 14, 17, and 18 belong to domain D2. The domain to which a node belongs is indicated in the figure, as with the D1 in "DDS_D1" of node 10. Nodes 12 and 17 belong to both domain D1 and domain D2.
For example, in node 10, "Pub1 (APP i)" is an application that publishes data on topic [i], and functions as Pub1 (Publisher 1) in Pub/Sub communication. Node 10 contains two Pubs, Pub1 (APP i) and Pub2 (APP i). This indicates that although there is a single APP, it functions as two Pubs through the function of the DDS. The same applies to Subs, as shown at node 15.
Node 11 has both a Pub and a Sub, as Pub3 and Sub4. Nodes 12 and 14 contain multiple APPs functioning as multiple Pubs, and nodes 17 and 18 contain multiple APPs functioning as multiple Subs.
The Internet 55 is connected beyond the L3SW 30, and each node can communicate with the Internet 400. The packet analysis device 40 is connected to each L2SW, and the detection unit 50 can, for example, detect anomalies based on the packet analysis results.
(Problem addressed in Example 1)
For example, if an attacker is present in node 10 and distributes tampered data by spoofing, a Sub receives the tampered data, which leads to abnormal operation of the system.
In the conventional technology, however, the DDS in a node has no mechanism for verifying whether things are normal beyond checking that the APP side is running. In other words, as long as the APP was distributing data, the DDS judged the communication to be normal and could not detect falsification of the data.
(Configuration and operation example of Example 1)
Example 1 provides a mechanism for solving the above problem. The configuration and an operation example of Example 1 are described with reference to FIG. 4.
FIG. 4 shows a configuration in which a Pub-side node and a Sub-side node are connected by a NW. A sensor, the source of the data to be published, is connected to the Pub-side node, and a control valve, the consumer of the subscribed data, is connected to the Sub-side node.
Three Pubs are configured by the DDS function in the Pub-side node, and three Subs are configured by the DDS function in the Sub-side node.
In the Pub-side node, an APP-DDS functional unit 100 is provided between the APP and the DDS. In the Sub-side node, an APP-DDS functional unit 200 is provided between the APP and the DDS.
The APP-DDS functional unit 100 in the Pub-side node has a route control unit 110, a route condition recording unit 120, and a route condition arbitration unit 130. The APP-DDS functional unit 200 in the Sub-side node has a route control unit 210, a route condition recording unit 220, and a route condition arbitration unit 230. The operation of each unit is explained in the sequence described later.
In Example 1, when data is distributed from the Pub-side node, the same data (a sensor value, for example) is distributed as multiple different topics.
For example, the Pub-side node stores the same data in three topics, topic A, topic B, and topic C, and distributes them. Specifically, the data (payload) of a topic consists of the identification information of the topic (e.g. topic A) and a value, so if the value to be distributed is Value_1, the Pub-side node transmits "Topic A, Value_1", "Topic B, Value_1", and "Topic C, Value_1".
The route control unit 210 in the Sub-side node that subscribes to the data compares the received data of the three topics to determine whether fraud has occurred, and decides which topic's data is actually processed (that is, passed to the APP).
In this example using the three routes of topic A, topic B, and topic C, in the configuration of FIG. 4 the route control unit 110 in the Pub-side node controls the DDS to set Pub1 as the Pub for topic A, Pub2 as the Pub for topic B, and Pub3 as the Pub for topic C. Two of the three Pubs are set as dummies.
In the Sub-side node, the route control unit 210 controls the DDS to set Sub1 as the Sub for topic A, Sub2 as the Sub for topic B, and Sub3 as the Sub for topic C. Two of the three Subs are set as dummies.
In the configuration example of FIG. 4, Pub1 distributes topic A data and Sub1 receives (subscribes to) topic A data. Pub2 distributes topic B data and Sub2 receives topic B data. Pub3 distributes topic C data and Sub3 receives topic C data. A pair of Pub and Sub that publishes and subscribes to the same topic may be called a "route". In the configuration example of FIG. 4 there are therefore three routes that distribute the same data. Using three routes per item of data is only an example; three or more routes may be used for the same data.
That is, in Example 1, three (or more) routes are prepared for distributing the same data, and the Sub-side node (specifically, the route control unit 210) compares the distributed data across the routes. This makes it possible to detect and defend against attacks, except when those multiple routes are taken over at the same time. For example, it may be determined that fraud has been committed if at least one of the multiple data items differs from the others.
As an example, the determination made by the Sub-side route control unit 210 when three routes corresponding to topic A, topic B, and topic C are used is described. When the route control unit 210 detects that the three data values of topic A, topic B, and topic C are the same, it treats the data as normal and passes it to the APP.
When the route control unit 210 detects that any two of topic A, topic B, and topic C have the same data value and the remaining one differs from those two, it judges the two matching data items to be normal and passes that data to the APP. It also determines that an abnormality (fraud) has occurred on the route of the one differing data item.
When the route control unit 210 detects that the data values of topic A, topic B, and topic C all differ from one another, it judges all three data items to be abnormal and passes none of them to the APP. It also determines that an abnormality has occurred on all three routes.
Distributing the same data as, for example, three topics in this way reduces the risk that a tampered value is used on the Sub side when one of the three topics has been tampered with. In addition, by confirming on the Sub side that the values of the three subscribed topics differ, the possibility that fraud has occurred can be detected.
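The comparison performed by the Sub-side route control unit 210, written out as an added example (not code from the patent). It generalizes the three-route case to N routes using a strict-majority rule; the names, the handling of a route that delivers nothing, and the sample payloads are assumptions.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class RouteVerdict:
    deliver: bool                     # True when a value may be handed to the APP
    value: Optional[bytes]            # the agreed value, or None when withheld
    suspect_routes: Tuple[str, ...]   # topics judged abnormal, sorted by name


def compare_routes(samples: Dict[str, Optional[bytes]]) -> RouteVerdict:
    """Compare one sample per route (topic) for a single published datum.

    samples maps topic name -> payload value, or None when that route
    delivered nothing in the comparison window (assumption: a silent
    route is treated like a route that disagrees).
    """
    if len(samples) < 2:
        raise ValueError("at least two routes are needed for a comparison")

    counts = Counter(v for v in samples.values() if v is not None)
    if counts:
        value, votes = counts.most_common(1)[0]
    else:
        value, votes = None, 0

    # Strict majority: 3 of 3 or 2 of 3 in the three-route case described
    # above. A tie (2 of 4) has no winner, so nothing is delivered.
    if votes * 2 > len(samples):
        suspects = tuple(sorted(t for t, v in samples.items() if v != value))
        return RouteVerdict(True, value, suspects)

    # No agreement: withhold the data and treat every route as abnormal.
    return RouteVerdict(False, None, tuple(sorted(samples)))


if __name__ == "__main__":
    # Constructed samples for the three cases in the text.
    cases = {
        "all equal": {"TopicA": b"Value_1", "TopicB": b"Value_1", "TopicC": b"Value_1"},
        "one differs": {"TopicA": b"Value_1", "TopicB": b"Value_9", "TopicC": b"Value_1"},
        "all differ": {"TopicA": b"Value_1", "TopicB": b"Value_2", "TopicC": b"Value_3"},
    }
    for label, samples in cases.items():
        print(label, compare_routes(samples))
```

When two of three routes carry the same altered value, that value forms the majority and is delivered; this is the simultaneous-takeover case the text excludes.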
(Specific configuration example of Example 1)
FIG. 5 shows a configuration example of the communication system in Example 1. As shown in FIG. 5, an APP-DDS functional unit is added to each node of the base communication system shown in FIG. 3. The internal configuration of each APP-DDS functional unit is as shown in FIG. 4.
(Sequence example of Example 1)
Next, an operation example of the communication system in Example 1 is described with reference to the sequence diagram shown in FIG. 6. FIG. 6 shows the APP 150, route control unit 110, route condition recording unit 120, and route condition arbitration unit 130 in the Pub-side node, and the APP 250, route control unit 210, route condition recording unit 220, and route condition arbitration unit 230 in the Sub-side node. A DDS exists in each of the Pub-side node and the Sub-side node, but FIG. 6 shows them as a single DDS 270, as the function that performs Pub/Sub communication over multiple routes.
As a premise of FIG. 6, route conditions are stored in each of the route condition recording unit 120 and the route condition recording unit 220. A route condition is a condition for using multiple routes, such as "use N routes from X o'clock to Y o'clock" or "use M routes when the value of the data output from the APP is K or more".
In S101 and S103, the route condition arbitration unit 130 of the Pub-side node searches the route condition recording unit 120 and obtains the current route condition as the search result. Similarly, in S102 and S104, the route condition arbitration unit 230 of the Sub-side node searches the route condition recording unit 220 and obtains the current route condition as the search result.
On the Pub side and the Sub side respectively, the route condition arbitration units 130 and 230 hash the current route condition obtained by the search (S105, S106). In S107, arbitration is performed by sending and receiving the hashed route conditions between the route condition arbitration unit 130 and the route condition arbitration unit 230. Specifically, each of the route condition arbitration units 130 and 230 compares its own side's route condition with the other side's route condition and checks whether they match. If they match, it decides to use that route condition and registers it in the route condition recording unit 120/220 as the arbitration result (S108/S109).
If they do not match, it is decided, for example, to use the route condition of a predetermined side. For example, if it has been determined that the Pub-side route condition is to be used, the Pub-side route condition arbitration unit 130 registers its own side's route condition in the route condition recording unit 120 as the arbitration result (S108), and the Sub-side route condition arbitration unit 230 obtains the Pub-side route condition from the Pub side and registers it in the route condition recording unit 220 as the arbitration result (S109).
On each of the Pub side and the Sub side, the route control unit 110/210 obtains the latest arbitrated route condition from the route condition recording unit 120/220 (S110 to S113). Each of the route control units 110/220 then constructs routes according to the route condition. Specifically, when the route condition is to use three routes, as shown in FIG. 4, the route control unit 110 controls the DDS 270 to add, for example, two dummy Pubs so that three routes are available. The Sub-side route control unit 210 likewise controls the DDS 270 to add, for example, two dummy Subs so that three routes are available. This processing is unnecessary if three routes (three Pubs and three Subs) already exist.
In S114, the route control unit 110 receives data from the APP 150. In S115, the route control unit 110 duplicates the data received from the APP 150 as many times as there are routes. In S116, the route control unit 110 passes the duplicated data to the DDS 270. For example, when three routes are used, three copies of the same data are passed to the DDS 270.
In S117, the DDS 270 passes each data item received over the multiple routes to the Sub-side route control unit 210. In S118, the route control unit 210 compares the data across the routes as described above, determines whether fraud has occurred, and decides whether to send data to the APP 250 and which data to send. If it decides to send certain data to the APP 250, the route control unit 210 sends that data to the APP 250 in S119.
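Steps S105 to S113 of the sequence above (hashing, arbitration and route construction), as an added example that is not code from the patent. The hash algorithm (SHA-256 over canonical JSON), the rule format for route conditions and all names are assumptions; the page specifies none of them.

```python
import copy
import hashlib
import json
from dataclasses import dataclass
from typing import Any, Dict, Optional

Condition = Dict[str, Any]


def condition_digest(condition: Condition) -> str:
    """Hash a route condition (S105/S106).

    Assumption: SHA-256 over canonical JSON (sorted keys, fixed separators),
    so two nodes holding the same condition always produce the same digest
    regardless of key order.
    """
    canonical = json.dumps(condition, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


@dataclass
class Arbiter:
    """Route condition arbitration unit plus its recording unit, for one node."""
    current: Condition                      # condition found by the search (S101-S104)
    arbitrated: Optional[Condition] = None  # arbitration result (S108/S109)


def arbitrate(pub: Arbiter, sub: Arbiter) -> bool:
    """Compare the exchanged digests (S107) and register the result on both sides.

    Returns True when the digests matched. On a mismatch the Pub-side
    condition is used, the predetermined side in the text's example.
    """
    matched = condition_digest(pub.current) == condition_digest(sub.current)
    pub.arbitrated = copy.deepcopy(pub.current)
    # On a match Sub keeps its own (identical) condition; otherwise it
    # obtains the Pub-side condition and registers that instead.
    sub.arbitrated = copy.deepcopy(sub.current if matched else pub.current)
    return matched


def required_routes(condition: Condition, hour: int, value: float) -> int:
    """Number of routes the arbitrated condition calls for right now.

    Assumed rule format: a time-window rule ("from_hour"/"to_hour") or a
    threshold rule ("min_value"); the largest matching "routes" wins.
    """
    routes = condition["default_routes"]
    for rule in condition["rules"]:
        in_window = "from_hour" in rule and rule["from_hour"] <= hour < rule["to_hour"]
        over_limit = "min_value" in rule and value >= rule["min_value"]
        if in_window or over_limit:
            routes = max(routes, rule["routes"])
    return routes


def dummies_to_add(condition: Condition, existing: int, hour: int, value: float) -> int:
    """How many dummy Pubs (or Subs) a route control unit must add (S110-S113)."""
    return max(0, required_routes(condition, hour, value) - existing)


# Constructed route conditions: 3 routes from 9 to 17 o'clock, 5 routes when
# the APP value is 100 or more. The Sub-side copy is deliberately out of date.
PUB_CONDITION: Condition = {
    "default_routes": 1,
    "rules": [
        {"from_hour": 9, "to_hour": 17, "routes": 3},
        {"min_value": 100, "routes": 5},
    ],
}
SUB_STALE_CONDITION: Condition = {
    "default_routes": 1,
    "rules": [{"from_hour": 9, "to_hour": 17, "routes": 2}],
}

if __name__ == "__main__":
    pub, sub = Arbiter(PUB_CONDITION), Arbiter(SUB_STALE_CONDITION)
    print("digests matched:", arbitrate(pub, sub))
    print("dummy Subs to add at 10:00:", dummies_to_add(sub.arbitrated, 1, 10, 0.0))
```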
(Communication system on which Example 2 is based, and the problem)
Next, Example 2 will be described. Example 2 can be implemented on its own or in combination with Example 1. FIG. 7 shows the communication system on which Example 2 is based. As shown in FIG. 7, it has the same configuration as the communication system on which Example 1 is based, shown in FIG. 3.
For example, if an attacker is present on the Pub/Sub communication path and distributes tampered data by spoofing, the Sub receives the tampered data, which can lead to abnormal system operation.
For example, an attacker may analyze the data of a certain topic on the communication path and transmit malicious data generated by rewriting the QoS guarantee information (in this example, the sequence No. used for Reliability), thereby causing the QoS guarantee function on the Sub side (in this case, the Reliability QoS Policy) to malfunction. Specifically, by creating and transmitting fraudulent data in which attack sequence No. > normal sequence No., the attacker may mislead the Sub into concluding that data was lost between the normal sequence No. and the attack sequence No. The sequence No. is a number indicating the order of data and is hereinafter written as SN.
However, as described above, the conventional technology has the problem that the DDS in a node has no mechanism for verifying whether things are normal beyond the fact that the APP side is operating. In other words, as long as the APP is distributing data, the DDS judges the communication to be normal and cannot detect data tampering.
An attack that does not cause a sequence anomaly is also conceivable, using the following procedure. First, the attacker intercepts topic data distributed by multicast on the network and identifies the Pub's current latest SN. Then, based on that SN, the attacker inserts fraudulent data in a way that does not cause a sequence anomaly.
For example, on confirming that the latest sequence number transmitted by the legitimate Pub is SN=1, the attacker inserts (SN=2, data X) ahead of the legitimate Pub. In this case, no sequence anomaly occurs in the DDS on the Sub side, the fraudulent data X is processed without any problem, and only afterwards does the correct (SN=2, data B) arrive at the DDS.
However, the DDS on the Sub side merely discards data whose SN has already been received, and no sequence anomaly has occurred, so it cannot detect that fraudulent data was inserted.
(Configuration example of Example 2)
Example 2 provides a mechanism that solves the above problems. A configuration example of Example 2 will be described with reference to FIG. 8.
As shown in FIG. 8, in Example 2 each node is provided with an APP-DDS function unit 100/200 and a DDS operation function unit 300/400. The APP-DDS function unit 100 on the Pub side may be omitted.
FIG. 9 shows a configuration example of the APP-DDS function unit 200 on the Sub side. As shown in FIG. 9, the APP-DDS function unit 200 has a notification control unit 240. FIG. 10 shows a configuration example of the DDS operation function unit 300 on the Pub side. As shown in FIG. 10, the DDS operation function unit 300 has a Pub-side auditing unit 310. FIG. 11 shows a configuration example of the DDS operation function unit 400 on the Sub side. As shown in FIG. 11, the DDS operation function unit 400 has an audit management unit 410 and a Sub-side auditing unit 420. The operation of each unit is explained in the sequences described later.
In the following, an example of an anomaly determination method for attacks that cause a sequence anomaly is described as Example 2-1, and an example for attacks that do not cause a sequence anomaly is described as Example 2-2. Examples 2-1 and 2-2 are described separately, but in actual operation both are executed. Alternatively, only the operation of Example 2-1 or only that of Example 2-2 may be executed.
(Overview of Example 2-1)
In Example 2-1, when the DDS detects data loss from the SN of data (packets) by means of the ordering guarantee function it has as a basic function, the DDS internal data and the traffic of the Pub and the Sub are audited to determine whether the data loss was an attack by a malicious Pub. In addition, if it is determined to be an attack, the data is not passed to the APP.
In other words, audit processing is run simultaneously on the Pub side and the Sub side, and fraud is checked from both sides. If fraud is confirmed, the Sub side is protected by not passing the data to the APP.
(Sequence example of Example 2-1)
Next, an operation example of the communication system in Example 2-1 will be described with reference to the sequence diagram shown in FIG. 12. In the example of FIG. 12, the DDS 330 and the Pub-side auditing unit 310 are shown in the node on the Pub side. The DDS 340, the audit management unit 410, the Sub-side auditing unit 420, the notification control unit 240, and the APP 350 are shown in the node on the Sub side.
Each DDS has a queue that records the data transmitted or received together with its order (SN), which allows it to determine whether a sequence anomaly has occurred.
In FIG. 12, when the DDS 340 on the Sub side detects a sequence anomaly, it sends a sequence anomaly notification to the audit management unit 410 in S201. On receiving the notification, the audit management unit 410 sends an audit request to each of the Pub-side auditing unit 310 and the Sub-side auditing unit 420 (S202, S203). The audit request contains information about the data received on the Sub side, for example the SN of the latest data received by the Sub and the data itself.
On receiving the audit request, the Pub-side auditing unit 310 checks with the DDS 330 whether the data with the latest SN reported by the Sub side exists (S204) and, based on the result, determines whether there is an anomaly (S205). In S207, the Pub-side auditing unit 310 sends the determination result to the audit management unit 410 on the Sub side.
Meanwhile, on the Sub side, the Sub-side auditing unit 420 monitors communication based on the latest SN received in S203 to determine whether there is an anomaly (S206), and in S208 notifies the audit management unit 410 of the determination result.
Having received the determination results from the Pub-side auditing unit 310 and the Sub-side auditing unit 420, the audit management unit 410 makes the final determination of whether there is an anomaly (fraud) and, in S209, sends the audit result to the notification control unit 240.
In S210, the notification control unit 240 decides, based on the audit result, whether to send data to the APP 350. If it decides to do so, it sends the data to the APP 350 in S211.
(Specific example of audit processing in Example 2-1)
An example of the audit processing will be described with reference to FIGS. 13, 14, and 15. The examples of FIGS. 13, 14, and 15 assume a situation in which there are a Pub (publisher) and a Sub (subscriber) that exchange data, together with an attacker. In the case of FIG. 13, however, the attacker does not mount an attack.
Queues that record SNs and data (the publisher queue on the Pub side and the subscriber queue on the Sub side) are provided on the Pub side and the Sub side, respectively, as functions of the DDS 330/340.
As shown in the upper left of FIG. 13, the publisher queue stores data A to D with SN=1 to 4, and the DDS 330 on the Pub side puts a check mark on data for which an ACK or NACK has been received after transmission. The DDS 340 on the Sub side records received data in the subscriber queue and puts a check mark on it.
In S301, the Sub receives data A with SN=1 from the Pub, and in S302 returns an ACK for data A to the Pub. As a result, the queues on the Pub side and the Sub side each record that data A was transmitted and received normally.
After that, data B, C, and D with SN=2, 3, and 4 are transmitted from the Pub, but data B and C with SN=2 and 3 do not reach the Sub, and only data D with SN=4 does. The DDS 340 on the Sub side therefore records only data D with SN=4 in the subscriber queue.
Because data D with SN=4 arrived before data B and C with SN=2 and 3, the DDS 340 on the Sub side detects that a sequence anomaly has occurred and notifies the audit management unit 410 of it.
The audit management unit 410 sends an audit request (SN=4, data D) to each of the Pub-side auditing unit 310 and the Sub-side auditing unit 420. Both the Pub side and the Sub side thereby enter the monitoring state.
As shown in S306 of FIG. 13, an ACK/NACK for each of the data with SN=2 to 4 is returned from the Sub to the Pub. On receiving the NACKs, the Pub retransmits data B with SN=2 and data C with SN=3 in S307 and S308.
The Pub-side auditing unit 310, which is auditing on the basis of SN=4, confirms that data D with SN=4 exists on the Pub side (is recorded in the queue), determines that there is no anomaly, and notifies the audit management unit 410 on the Sub side of that result.
Meanwhile, because the Sub side receives data B with SN=2 and data C with SN=3, the Sub-side auditing unit 420 determines that there is no anomaly and notifies the audit management unit 410 on the Sub side of that result.
The audit management unit 410 notifies the notification control unit 240 of the audit result, no anomaly (no fraud), and the notification control unit 240 sends data B, C, and D with SN=2 to 4, which the Sub received during the audit processing, to the APP 350.
Next, the case of FIG. 14 will be described. In S401, the Sub receives data A with SN=1 from the Pub, and in S402 returns an ACK for data A to the Pub. As a result, the queues on the Pub side and the Sub side each record that data A was transmitted and received normally.
After that, in S403, data X with SN=4, which is fraudulent data, is transmitted by the attacker and reaches the Sub. The DDS 340 on the Sub side therefore records data X with SN=4 in the subscriber queue.
Because data X with SN=4 arrived before the data with SN=2 and 3, the DDS 340 on the Sub side detects that a sequence anomaly has occurred and notifies the audit management unit 410 of it.
The audit management unit 410 sends an audit request (SN=4, data X) to each of the Pub-side auditing unit 310 and the Sub-side auditing unit 420. Both the Pub side and the Sub side thereby enter the monitoring state.
As shown in S404 of FIG. 14, an ACK/NACK for each of the data with SN=2 to 4 is returned from the Sub to the Pub. Because the data with SN=2 to 4 have not yet been transmitted by the Pub, the Pub ignores the ACK/NACK and transmits data B with SN=2 and data C with SN=3 in S405 and S406. Here, the data with SN=4 is assumed not to have been transmitted yet. As a result, as shown in the lower left of FIG. 14, the transmission of each piece of data is recorded in the queue. The Pub-side auditing unit 310, for its part, performs anomaly determination as follows.
Here, it is assumed that at the time the Pub receives the ACK for the data with SN=4, the queue on the Pub side has no record of having transmitted data with SN=4.
In this case, the Pub-side auditing unit 310, which is auditing on the basis of SN=4, determines that there is an anomaly as soon as it detects that the queue on the Pub side has no record of having transmitted data with SN=4, and notifies the audit management unit 410 on the Sub side of that result (that data with SN=4 has not been transmitted). This is a case in which the anomaly is detected before the data assigned SN=4 is stored in the DDS queue on the Pub side through the normal operation of the Pub-side APP. Consequently, no comparison of the data values at SN=4 (legitimate data D versus fraudulent data X) is needed to determine the anomaly.
On the Sub side, data B with SN=2 and data C with SN=3 are received, and their receipt is recorded in the subscriber queue. The Sub-side auditing unit 420, which is monitoring communication, detects from the subscriber queue that data X was received as the data with SN=4 and notifies the audit management unit 410 on the Sub side of that fact.
Based on the determination results from the Pub-side auditing unit 310 and the Sub-side auditing unit 420, the audit management unit 410 determines that data X with SN=4 was not transmitted from the Pub side and is anomalous. That is, it determines that fraud has occurred and instructs the notification control unit 240 not to send data X with SN=4 to the APP 350. Accordingly, of the data B, C, and X received by the Sub, the notification control unit 240 sends data B and C to the APP 350.
Next, the case of FIG. 15 will be described. In S501, the Sub receives data A with SN=1 from the Pub, and in S502 returns an ACK for data A to the Pub. As a result, the queues on the Pub side and the Sub side each record that data A was transmitted and received normally.
After that, in S503, data X with SN=4, which is fraudulent data, is transmitted by the attacker and reaches the Sub. The DDS 340 on the Sub side therefore records data X with SN=4 in the subscriber queue.
Because data X with SN=4 arrived before the data with SN=2 and 3, the DDS 340 on the Sub side detects that a sequence anomaly has occurred and notifies the audit management unit 410 of it.
The audit management unit 410 sends an audit request (SN=4, data X) to each of the Pub-side auditing unit 310 and the Sub-side auditing unit 420. Both the Pub side and the Sub side thereby enter the monitoring state.
As shown in S504 of FIG. 15, an ACK/NACK for each of the data with SN=2 to 4 is returned from the Sub to the Pub. Because the data with SN=2 to 4 have not yet been transmitted by the Pub, the Pub ignores the ACK/NACK and transmits data B with SN=2, data C with SN=3, and data D with SN=4 in S505, S506, and S507. As a result, as shown in the lower left of FIG. 15, the transmission of each piece of data is recorded in the queue. The Pub-side auditing unit 310, for its part, performs anomaly determination as follows.
Here, it is assumed that the queue on the Pub side has a record of having transmitted data D with SN=4. The Pub-side auditing unit 310, which is auditing on the basis of (SN=4, data X), compares data X with data D recorded in the queue for SN=4 and, on detecting that they do not match, determines that there is an anomaly and notifies the audit management unit 410 on the Sub side of that result (that data X with SN=4 has not been transmitted).
On the Sub side, data B with SN=2, data C with SN=3, and data D with SN=4 are received, and their receipt is recorded in the subscriber queue. The Sub-side auditing unit 420, which is monitoring communication, detects from the subscriber queue that both data X and data D were received as the data with SN=4, so it determines that there is an anomaly and notifies the audit management unit 410 on the Sub side of that result (that data X and data D were both received with SN=4).
Based on the determination results from the Pub-side auditing unit 310 and the Sub-side auditing unit 420, the audit management unit 410 determines that data X with SN=4 is anomalous. That is, it determines that fraud has occurred and instructs the notification control unit 240 not to send data X with SN=4 to the APP 350. Accordingly, of the data B, C, D, and X received by the Sub, the notification control unit 240 sends data B, C, and D to the APP 350.
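The three cases of FIGS. 13 to 15 can be replayed with the following added Python sketch, which is not code from the patent. The function names, the dict and list used for the publisher and subscriber queues, and the rule that an anomaly from either auditor means fraud are assumptions made for illustration; the traffic is constructed from the descriptions above.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Sample:
    sn: int     # sequence number (SN)
    data: str   # payload


def detect_sequence_anomaly(received):
    """Index of the first sample that arrives ahead of the expected SN, else None."""
    expected = 1
    for i, sample in enumerate(received):
        if sample.sn > expected:
            return i            # gap detected: this sample triggers the audit (S201)
        if sample.sn == expected:
            expected += 1
    return None


def pub_side_audit(publisher_queue, suspect):
    """Pub-side check: does the publisher queue show that (SN, data) was sent?"""
    if suspect.sn not in publisher_queue:
        return True, f"Pub has no record of sending SN={suspect.sn}"
    sent = publisher_queue[suspect.sn]
    if sent != suspect.data:
        return True, f"Pub sent {sent!r} for SN={suspect.sn}, not {suspect.data!r}"
    return False, "Pub queue matches"


def sub_side_audit(received, suspect):
    """Sub-side check: were conflicting payloads received for the suspect SN?"""
    payloads = sorted({s.data for s in received if s.sn == suspect.sn})
    return len(payloads) > 1, f"Sub received SN={suspect.sn} as {payloads}"


def audit(publisher_queue, received):
    """Audit manager decision plus what the notification control unit releases."""
    idx = detect_sequence_anomaly(received)
    if idx is None:
        return {"fraud": False, "suspect": None,
                "deliver": [s.data for s in received], "reasons": []}
    suspect = received[idx]
    held = received[idx:]                       # data received while the audit runs
    pub_bad, pub_reason = pub_side_audit(publisher_queue, suspect)
    sub_bad, sub_reason = sub_side_audit(received, suspect)
    fraud = pub_bad or sub_bad                  # assumed combination rule
    if fraud:
        held = [s for s in held if s != suspect]    # withhold only the audited sample
    deliver = [s.data for s in sorted(held, key=lambda s: s.sn)]
    return {"fraud": fraud, "suspect": suspect,
            "deliver": deliver, "reasons": [pub_reason, sub_reason]}


# Constructed traffic: publisher queue contents at audit time, and arrival order at the Sub.
A, B, C, D = (Sample(i + 1, d) for i, d in enumerate("ABCD"))
X = Sample(4, "X")                              # attacker's sample

FIG13 = audit({1: "A", 2: "B", 3: "C", 4: "D"}, [A, D, B, C])      # loss, no attack
FIG14 = audit({1: "A", 2: "B", 3: "C"}, [A, X, B, C])              # SN=4 not yet sent
FIG15 = audit({1: "A", 2: "B", 3: "C", 4: "D"}, [A, X, B, C, D])   # SN=4 sent as D

if __name__ == "__main__":
    for name, result in (("FIG. 13", FIG13), ("FIG. 14", FIG14), ("FIG. 15", FIG15)):
        print(name, "fraud" if result["fraud"] else "no fraud",
              "deliver:", result["deliver"], "|", "; ".join(result["reasons"]))
```

Only the audited (SN, data) pair is withheld, so in the FIG. 15 case the legitimate data D with the same SN still reaches the application.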
(Example 2-2)
Next, Example 2-2 will be described. Example 2-2 describes a mechanism that can detect fraud even when fraudulent data is inserted in a way that does not cause a sequence anomaly.
The system configuration in Example 2-2 is the same as in Example 2-1. The operation on the Sub side in Example 2-2 will be described with reference to the sequence diagram of FIG. 16. The example of FIG. 16 shows the DDS 340, the audit management unit 410, the Sub-side auditing unit 420, the notification control unit 240, and the APP 350 in the node on the Sub side. The DDS 340 is also shown connected to the network.
In S601, the DDS 340 receives data to which an SN is assigned. In S602, the DDS 340 has the Sub-side auditing unit 420 store the pair of the received data and its SN.
S601 and S602 are executed each time data is received, so the Sub-side auditing unit 420 holds the pair of data and SN for all data received so far. Pairs received earlier than a certain time may, however, be deleted.
In S603, the Sub-side auditing unit 420 compares the SN of the newly received data with the SNs of the stored received data and determines whether data with the same SN as an already received SN has newly been received.
If the Sub-side auditing unit 420 determines that data with the same SN as an already received SN (for example, SN=2) has been received, it notifies the audit management unit 410 of that fact together with the SN in S604.
In S605, the audit management unit 410 requests an audit from the Sub-side auditing unit 420. Specifically, it asks the unit to check whether the data value stored for the already received SN matches the data value received again with the same SN, and to determine an anomaly if they do not match.
In S606, the Sub-side auditing unit 420 performs this determination. For example, if the data value already received for SN=2 is "X" and the data value newly received for SN=2 is "B", the Sub-side auditing unit 420 determines that there is an anomaly. The Sub-side auditing unit 420 may also perform this anomaly determination without sending the notification of S604 or receiving the request of S605.
In S607, the Sub-side auditing unit 420 notifies the audit management unit 410 of the determination result (for example, a result indicating that fraudulent data was inserted at SN=2), and in S608 the audit management unit 410 notifies the notification control unit 240 of the audit result.
For example, when the notification control unit 240 receives from the audit management unit 410 an audit result indicating that fraudulent data was inserted at SN=2, it can notify the APP 350 of that fact (S609). This allows the APP 350, for example, to treat the already received data X with SN=2 as fraudulent data.
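The Sub-side check of S601 to S606, including the optional deletion of old (SN, data) pairs, is shown in the following added Python sketch, which is not code from the patent. The class name, the verdict strings, the timestamps, and the retention parameter are assumptions made for illustration; the event list is constructed.

```python
from collections import OrderedDict


class SubSideAuditStore:
    """Keeps (SN, data) pairs for received samples and flags same-SN mismatches."""

    def __init__(self, retention_seconds):
        self.retention = retention_seconds
        self._seen = OrderedDict()      # SN -> (data, receive time), oldest first

    def _expire(self, now):
        # Drop pairs older than the retention window (the optional deletion in S602).
        while self._seen:
            sn, (_, received_at) = next(iter(self._seen.items()))
            if now - received_at <= self.retention:
                break
            self._seen.popitem(last=False)

    def on_receive(self, sn, data, now):
        """Store the pair (S602) and compare against earlier pairs (S603, S606)."""
        self._expire(now)
        if sn not in self._seen:
            self._seen[sn] = (data, now)
            return {"sn": sn, "verdict": "new"}
        first_data, _ = self._seen[sn]
        if first_data == data:
            # Same SN and same value: an ordinary retransmission.
            return {"sn": sn, "verdict": "duplicate"}
        # Same SN, different value: one of the two samples was inserted.
        return {"sn": sn, "verdict": "mismatch", "first": first_data, "later": data}


def replay(events, retention_seconds):
    """Run a list of (time, SN, data) events through a fresh store."""
    store = SubSideAuditStore(retention_seconds)
    return [store.on_receive(sn, data, now) for now, sn, data in events]


# Constructed events: the attacker's (SN=2, X) arrives before the Pub's (SN=2, B).
EVENTS = [
    (0.0, 1, "A"),
    (0.5, 2, "X"),   # inserted sample, in sequence, so no sequence anomaly
    (1.0, 2, "B"),   # legitimate sample with the same SN
    (1.5, 3, "C"),
    (2.0, 3, "C"),   # harmless retransmission
]

if __name__ == "__main__":
    for verdict in replay(EVENTS, retention_seconds=60.0):
        print(verdict)
    # With a window shorter than the attacker's lead time, the pair for SN=2 is
    # already deleted when B arrives and the insertion is not flagged.
    print([v["verdict"] for v in replay(EVENTS, retention_seconds=0.3)])
```

The second replay shows the cost of the optional deletion: the retention period has to exceed the time by which an inserted sample can precede the legitimate one, otherwise the comparison in S606 has nothing to compare against.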
(Hardware configuration example)
Each node (communication device) in the present embodiment can be realized, for example, by causing a computer to execute a program that describes the processing described in the present embodiment.
The program can be recorded on a computer-readable recording medium (such as a portable memory) and stored or distributed. The program can also be provided over a network, for example via the Internet or e-mail.
FIG. 17 is a diagram showing a hardware configuration example of the computer. The computer of FIG. 17 has a drive device 1000, an auxiliary storage device 1002, a memory device 1003, a CPU 1004, an interface device 1005, a display device 1006, an input device 1007, an output device 1008, and the like, which are interconnected by a bus BS.
A program that implements the processing on the computer is provided by a recording medium 1001 such as a CD-ROM or a memory card. When the recording medium 1001 storing the program is set in the drive device 1000, the program is installed from the recording medium 1001 into the auxiliary storage device 1002 via the drive device 1000. The program does not necessarily have to be installed from the recording medium 1001, however, and may be downloaded from another computer over a network. The auxiliary storage device 1002 stores the installed program as well as necessary files, data, and the like.
When an instruction to start the program is given, the memory device 1003 reads the program from the auxiliary storage device 1002 and stores it. The CPU 1004 implements the functions of the node according to the program stored in the memory device 1003. The interface device 1005 is used as an interface for connecting to the network. The display device 1006 displays a GUI (Graphical User Interface) or the like provided by the program. The input device 1007 consists of a keyboard and mouse, buttons, a touch panel, or the like, and is used to enter various operating instructions. The output device 1008 outputs calculation results. A node may lack either or both of the display device 1006 and the input device 1007.
(Effects of the embodiment)
The technology according to the present embodiment makes it possible to detect fraud such as data tampering in a communication system that performs Pub/Sub communication using DDS.
(Summary of embodiment)
<Summary of Example 1>
This specification discloses at least the communication system, communication device, data distribution method, and program described in the following sections.
(Section 1)
A communication system comprising a distributor node and a subscriber node, wherein
the distributor node transmits a plurality of data obtained by duplicating one piece of data to the subscriber node through a plurality of routes, and
the subscriber node determines whether fraud has occurred by comparing the plurality of data received from the plurality of routes.
(Section 2)
The communication system according to Section 1, wherein the plurality of routes are three or more routes, and the subscriber node determines that fraud has occurred when at least one of the plurality of data received from the plurality of routes differs from the other data.
(Section 3)
The communication system according to Section 1 or 2, wherein the subscriber node passes the data received from the plurality of routes to an application in the subscriber node when it determines that no fraud has occurred.
(Section 4)
The communication system according to any one of Sections 1 to 3, wherein route conditions are arbitrated between the distributor node and the subscriber node, and the plurality of routes are determined based on the arbitration result.
(Section 5)
A communication device used as the distributor node in a communication system comprising a distributor node and a subscriber node, the communication device comprising:
a route condition arbitration unit that arbitrates route conditions with the subscriber node; and
a route control unit that transmits a plurality of data obtained by duplicating one piece of data to the subscriber node through a plurality of routes based on the route conditions arbitrated by the route condition arbitration unit.
(Section 6)
A communication device used as the subscriber node in a communication system comprising a distributor node and a subscriber node, the communication device comprising:
a route control unit that receives, from a plurality of routes, a plurality of data obtained by duplicating one piece of data at the distributor node, and determines whether fraud has occurred by comparing the plurality of data.
(Section 7)
A data distribution method in a communication system comprising a distributor node and a subscriber node, the method comprising:
a step in which the distributor node transmits a plurality of data obtained by duplicating one piece of data to the subscriber node through a plurality of routes; and
a step in which the subscriber node determines whether fraud has occurred by comparing the plurality of data received from the plurality of routes.
(Section 8)
A program for causing a computer to function as each unit of the communication device according to Section 5 or 6.
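The subscriber-side comparison of Sections 1 to 3, as an added Python sketch that is not taken from the patent. The names `MultipathSubscriber`, `msg_id` (a key for matching copies of the same sample), the SHA-256 comparison and the `expire` timeout hook are assumptions; pointing at suspect routes by majority goes beyond the text, which only requires detecting a mismatch.

```python
import hashlib
from collections import defaultdict


class MultipathSubscriber:
    """Subscriber-side judge for copies of one sample sent over several routes."""

    def __init__(self, routes):
        if len(routes) < 2:
            raise ValueError("comparison needs at least two routes")
        self.routes = tuple(routes)
        self.pending = {}      # msg_id -> {route: payload}; msg_id is an assumed correlation key
        self.delivered = []    # payloads handed to the application
        self.alerts = []       # (msg_id, suspect routes) for samples judged fraudulent

    def on_receive(self, route, msg_id, payload):
        """Record one copy. Returns None while copies are outstanding,
        True if the sample was delivered, False if fraud was determined."""
        if route not in self.routes:
            raise ValueError(f"unknown route {route!r}")
        copies = self.pending.setdefault(msg_id, {})
        copies.setdefault(route, payload)          # keep the first copy seen on each route
        if len(copies) < len(self.routes):
            return None
        del self.pending[msg_id]
        return self._judge(msg_id, copies)

    def _judge(self, msg_id, copies):
        groups = defaultdict(list)                 # digest -> routes that carried that content
        for route, payload in copies.items():
            groups[hashlib.sha256(payload).digest()].append(route)
        if len(groups) == 1:                       # every route agrees: no fraud, deliver
            self.delivered.append(copies[self.routes[0]])
            return True
        # Any disagreement is fraud. Beyond the text: a strict majority
        # (possible with three or more routes) narrows down the suspect routes.
        majority = max(groups.values(), key=len)
        if 2 * len(majority) > len(copies):
            suspects = sorted(r for rs in groups.values() if rs is not majority for r in rs)
        else:
            suspects = sorted(copies)
        self.alerts.append((msg_id, suspects))
        return False

    def expire(self, msg_id):
        """Timeout hook (assumption): drop an incomplete set undelivered and
        return the routes that never produced a copy."""
        copies = self.pending.pop(msg_id, {})
        return sorted(set(self.routes) - set(copies))
```

With only two routes a mismatch still counts as fraud, but both routes are reported as suspects because no majority exists.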
<Summary of Example 2>
This specification discloses at least the communication system, communication device, fraud determination method, and program described in the following sections.
(Section 1)
A communication system comprising a distributor node and a subscriber node, wherein
when the subscriber node detects an ordering anomaly based on the sequence number of received data, the subscriber node transmits an audit request including information about the received data to the distributor node,
the distributor node determines whether there is an anomaly based on the information about the received data, and transmits the determination result to the subscriber node, and
the subscriber node determines whether fraud has occurred based on a communication monitoring result and the determination result received from the distributor node.
(Section 2)
The communication system according to Section 1, wherein the distributor node determines that there is an anomaly when it detects, based on the information about the received data, that the subscriber node has received data that the distributor node did not transmit.
(Section 3)
The communication system according to Section 1 or 2, wherein the subscriber node determines that fraud has occurred when it detects, based on the communication monitoring result and the determination result received from the distributor node, that it has received data that the distributor node did not transmit.
(Section 4)
The communication system according to any one of Sections 1 to 3, wherein the subscriber node passes the data received from the distributor node to an application in the subscriber node when it determines that no fraud has occurred.
(Section 5)
The communication system according to any one of Sections 1 to 4, wherein the subscriber node stores the received data and its sequence number each time it receives data, and determines that there is an anomaly when it newly receives data having the same sequence number as data already received.
(Section 6)
A communication device used as the distributor node in a communication system comprising a distributor node and a subscriber node, the communication device comprising:
an audit unit that, when an ordering anomaly is detected at the subscriber node based on the sequence number of received data, receives from the subscriber node an audit request including information about the received data, determines whether there is an anomaly based on the information about the received data, and transmits the determination result to the subscriber node.
(Section 7)
A communication device used as the subscriber node in a communication system comprising a distributor node and a subscriber node, the communication device comprising:
an audit management unit that transmits an audit request including information about the received data to the distributor node when an ordering anomaly is detected based on the sequence number of the received data; and
an audit unit that receives, from the distributor node, the result of the determination of whether there is an anomaly made at the distributor node based on the information about the received data, and determines whether fraud has occurred based on that determination result and a communication monitoring result.
(Section 8)
A fraud determination method in a communication system comprising a distributor node and a subscriber node, the method comprising:
a step in which the subscriber node transmits an audit request including information about the received data to the distributor node when it detects an ordering anomaly based on the sequence number of the received data;
a step in which the distributor node determines whether there is an anomaly based on the information about the received data, and transmits the determination result to the subscriber node; and
a step in which the subscriber node determines whether fraud has occurred based on a communication monitoring result and the determination result received from the distributor node.
(Section 9)
A program for causing a computer to function as each unit of the communication device according to Section 5 or 6.
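The audit exchange of Example 2 (duplicate sequence number, audit request, publisher-side check, subscriber-side decision), as an added Python sketch that is not taken from the patent. The class and method names, the use of SHA-256 digests as the "information about the received data", the in-process callable standing in for the audit channel, and the use of the subscriber's own receive record as the "communication monitoring result" are all assumptions.

```python
import hashlib


def digest(payload: bytes) -> str:
    return hashlib.sha256(payload).hexdigest()


class Publisher:
    def __init__(self):
        self.sent = {}          # sequence number -> digest of the payload actually published
        self.next_seq = 1

    def publish(self, payload: bytes):
        seq, self.next_seq = self.next_seq, self.next_seq + 1
        self.sent[seq] = digest(payload)
        return seq, payload

    def audit(self, request):
        """Pub-side audit: report the (seq, digest) pairs this node never sent."""
        unsent = [(s, d) for s, d in request if self.sent.get(s) != d]
        return {"abnormal": bool(unsent), "unsent": unsent}


class Subscriber:
    def __init__(self, audit_channel):
        self.audit_channel = audit_channel   # callable standing in for the audit request/response
        self.received = {}                   # sequence number -> digests in arrival order
        self.fraud = []                      # (seq, digest) pairs judged not to come from the publisher

    def on_receive(self, seq: int, payload: bytes) -> str:
        seen = self.received.setdefault(seq, [])
        seen.append(digest(payload))
        if len(seen) == 1:
            return "ok"                      # first data with this sequence number
        # Ordering anomaly: this sequence number was already received.
        result = self.audit_channel([(seq, d) for d in seen])
        # Combine the publisher's result with the local record: count only
        # pairs that this node really observed.
        forged = [(s, d) for s, d in result["unsent"] if d in self.received.get(s, [])]
        if not (result["abnormal"] and forged):
            return "audited_ok"              # duplicate of data the publisher did send
        self.fraud.extend(p for p in forged if p not in self.fraud)
        return "fraud"
```

In this sketch the first data to arrive under a sequence number returns "ok" whether or not it is genuine; the anomaly surfaces only when a second item with that number arrives.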
Although the present embodiment has been described above, the present invention is not limited to this specific embodiment, and various modifications and changes are possible within the scope of the gist of the present invention described in the claims.
10 to 18 Node
20, 21 L2SW
30 L3SW
40 Packet analysis device
50 Detection unit
55 Internet
100, 200 APP-DDS function unit
110, 210 Route control unit
120, 220 Route condition recording unit
130, 230 Route condition arbitration unit
240 Notification control unit
300, 400 DDS operation function unit
310 Pub-side audit unit
410 Audit management unit
420 Sub-side audit unit
1000 Drive device
1001 Recording medium
1002 Auxiliary storage device
1003 Memory device
1004 CPU
1005 Interface device
1006 Display device
1007 Input device
1008 Output device

Claims (8)

  1.  A communication system comprising a distributor node and a subscriber node, wherein
     when the subscriber node detects an ordering anomaly based on the sequence number of received data, the subscriber node transmits an audit request including information about the received data to the distributor node,
     the distributor node determines whether there is an anomaly based on the information about the received data, and transmits the determination result to the subscriber node, and
     the subscriber node determines whether fraud has occurred based on a communication monitoring result and the determination result received from the distributor node.
  2.  The communication system according to claim 1, wherein the distributor node determines that there is an anomaly when it detects, based on the information about the received data, that the subscriber node has received data that the distributor node did not transmit.
  3.  The communication system according to claim 1 or 2, wherein the subscriber node determines that fraud has occurred when it detects, based on the communication monitoring result and the determination result received from the distributor node, that it has received data that the distributor node did not transmit.
  4.  The communication system according to any one of claims 1 to 3, wherein the subscriber node stores the received data and its sequence number each time it receives data, and determines that there is an anomaly when it newly receives data having the same sequence number as data already received.
  5.  A communication device used as the distributor node in a communication system comprising a distributor node and a subscriber node, the communication device comprising:
     an audit unit that, when an ordering anomaly is detected at the subscriber node based on the sequence number of received data, receives from the subscriber node an audit request including information about the received data, determines whether there is an anomaly based on the information about the received data, and transmits the determination result to the subscriber node.
  6.  A communication device used as the subscriber node in a communication system comprising a distributor node and a subscriber node, the communication device comprising:
     an audit management unit that transmits an audit request including information about the received data to the distributor node when an ordering anomaly is detected based on the sequence number of the received data; and
     an audit unit that receives, from the distributor node, the result of the determination of whether there is an anomaly made at the distributor node based on the information about the received data, and determines whether fraud has occurred based on that determination result and a communication monitoring result.
  7.  A fraud determination method in a communication system comprising a distributor node and a subscriber node, the method comprising:
     a step in which the subscriber node transmits an audit request including information about the received data to the distributor node when it detects an ordering anomaly based on the sequence number of the received data;
     a step in which the distributor node determines whether there is an anomaly based on the information about the received data, and transmits the determination result to the subscriber node; and
     a step in which the subscriber node determines whether fraud has occurred based on a communication monitoring result and the determination result received from the distributor node.
  8.  A program for causing a computer to function as each unit of the communication device according to claim 5 or 6.
PCT/JP2021/006880 2021-02-24 2021-02-24 Communication system, communication device, fraud determination method, and program WO2022180691A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/JP2021/006880 WO2022180691A1 (en) 2021-02-24 2021-02-24 Communication system, communication device, fraud determination method, and program

Publications (1)

Publication Number Publication Date
WO2022180691A1 true WO2022180691A1 (en) 2022-09-01

Family

ID=83047853

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2021/006880 WO2022180691A1 (en) 2021-02-24 2021-02-24 Communication system, communication device, fraud determination method, and program

Country Status (1)

Country Link
WO (1) WO2022180691A1 (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2003509970A (en) * 1999-09-16 2003-03-11 ブリティッシュ・テレコミュニケーションズ・パブリック・リミテッド・カンパニー Packet authentication
JP2020092318A (en) * 2018-12-04 2020-06-11 株式会社東芝 Relay device, relay method, and computer program

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 21927794

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 21927794

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: JP