JP2005341364A - Network system - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a network system capable of constantly monitoring all packets transmitted through an internal network and effectively preventing unauthorized access in the internal network.
SOLUTION: An internal network 4 and a plurality of terminal devices 3 are connected via a hub 2, and each hub 2 relays a packet transmitted between the terminal device 3 and the internal network 4. The relay function unit 21, the unauthorized access detection function unit 22 that detects the presence / absence of unauthorized access to a packet, and when the unauthorized access is detected by the unauthorized access detection function unit 22, the relay function unit 21 performs packet relay processing And a shut-off function unit 23 that shuts off over time.
[Selection] Figure 1

Description

  The present invention relates to a network system in which an internal network and a plurality of terminal devices are connected via a hub, and more particularly to a technique for effectively preventing unauthorized access and enhancing network security.

  In general, in a network system, there is a risk that data is destroyed, falsified, or leaked due to malicious access from the outside, such as a DoS attack or a brute force attack. Therefore, it is necessary to take sufficient security measures in the network system.

  By the way, in a conventional network system, a firewall is provided between the Internet and an internal network (intranet) such as an in-house LAN, and unauthorized access to the internal network through the external Internet is blocked by the firewall.

  Also, in the prior art, a dedicated fraud detection server is connected to the Internet, the fraud detection server constantly monitors packets transmitted over the Internet, and fraud avoidance processing is performed when the fraud detection server detects a fraud packet What has been made possible is proposed (for example, see Patent Document 1).

  Furthermore, in the prior art, in a hub that connects between an internal network and a plurality of terminal devices, a unique address is added in advance to the connection port, and a unique address is also added in advance to the terminal device to connect the hub. There has also been proposed a technique that enables access only when the unique addresses of both terminals match when a terminal device is connected to a port, and prevents unauthorized terminal devices from being connected to a hub ( For example, see Patent Documents 2 and 3).

JP 2002-7234 A Japanese Patent Laid-Open No. 11-177597 Japanese Examined Patent Publication No. 7-67109

  However, when a firewall is provided as in the past, it is possible to prevent unauthorized access to the internal network through the external Internet, but this is effective when unauthorized access is made within the internal network. It is difficult to prevent.

  In addition, although the prior art described in Patent Document 1 can prevent unauthorized packets from being transmitted through the Internet, monitoring of unauthorized access in this case is performed by using a network (network) connection point (node). It only monitors and takes countermeasures for passing packets, and it is effective for illegal packets that are transmitted outside the monitored connection point, for example, illegal packets that are transmitted within the internal network. It cannot be prevented.

  Furthermore, in the conventional techniques as described in Patent Documents 2 and 3, an unauthorized terminal device can be prevented from being connected to the hub in advance, but an appropriate terminal device is once connected to the hub. If unauthorized access is made after being performed, this cannot be effectively prevented.

  The present invention has been made to solve the above-described problem, and is capable of constantly monitoring all packets transmitted through the internal network, thereby effectively preventing unauthorized access in the internal network. The purpose is to provide a system.

  In order to achieve the above object, the present invention adopts the following configuration in a network system in which an internal network and a plurality of terminal devices are connected via a hub.

  That is, in the present invention, the hub includes a relay unit that relays a packet transmitted between the terminal device and an internal network, an unauthorized access detection unit that detects whether or not the packet is unauthorized, and the unauthorized access. And a blocking unit that blocks the relay process of the packet by the relay unit for a predetermined time when an unauthorized access is detected by the detection unit.

  According to the present invention, it is possible to monitor whether or not all packets transmitted on the internal network are fraudulent, and the relay of this packet is blocked for packets having an illegal purpose. Unauthorized access in the network can be effectively prevented.

Embodiment 1 FIG.
FIG. 1 is a configuration diagram showing the entire network system according to Embodiment 1 of the present invention.

  In this network system, the Internet 5 and an internal network 4 such as an in-house LAN are connected via a firewall 6. Further, the internal network 4 and a plurality of terminal devices 3 composed of personal computers or the like are connected via the hub 2 respectively. Further, a vulnerability analysis server 1 is connected to one hub 2.

  Each hub 2 includes a relay function unit 21, an unauthorized access detection function unit 22, a blocking function unit 23, a notification function unit 24, a vulnerability determination data file 25, and an update function unit 26.

  The relay function unit 21 relays a packet transmitted between the terminal device 3 and the internal network 4 and, when vulnerability information distributed from the vulnerability analysis server 1 is addressed to the own device, this information Is supposed to receive.

  The unauthorized access detection function unit 22 determines whether there is unauthorized access to a packet transmitted via the internal network and a packet transmitted from the terminal device 3 based on the vulnerability information registered in the vulnerability determination data file 25. Each one is to be detected.

  The blocking function unit 23 blocks packet relay processing by the relay function unit 21 for a predetermined time when the unauthorized access detection function unit 22 detects unauthorized access.

  The notification function unit 24 notifies the vulnerability analysis server 1 of unauthorized access information detected by the unauthorized access detection function unit 22.

  The vulnerability determination data file 25 stores vulnerability information for the unauthorized access detection function unit 22 to perform packet vulnerability determination.

  The update function unit 26 registers the vulnerability information distributed from the vulnerability analysis server 1 in the vulnerability determination data file 25 to update the existing vulnerability information.

  The relay function unit 21 described above is used as a relay unit and a receiving unit in claims, the unauthorized access detection function unit 22 is used as an unauthorized access detection unit in claims, and the blocking function unit 23 is used as a blocker in claims. The notification function unit 24 corresponds to the notification unit of the claims, and the update function unit 26 corresponds to the update unit of the claims.

  On the other hand, the vulnerability analysis server 1 includes a vulnerability analysis memory 11, an unauthorized access analysis function unit 12, a reception / delivery function unit 13, and a screen function unit 14.

  The vulnerability analysis memory 11 includes a hard disk or the like, and includes an unauthorized access detection data file 11a, an unauthorized access history data file 11b, a new vulnerability information data file 11c, and a previous vulnerability information data file 11d.

  In the unauthorized access detection data file 11a, unauthorized access information detected by the unauthorized access detection function unit 22 of each hub 2, that is, unauthorized access detection time, detected unauthorized access item, attack source device information, attack The previous device information, presence / absence of update of vulnerability information, and the like are stored. The unauthorized access history data file 11b stores unauthorized access items detected by the unauthorized access detection function unit 22 of each hub 2 in chronological order from the newest one. The new vulnerability information data file 11c stores vulnerability information newly obtained by the unauthorized access analysis function unit 12, and the previous vulnerability information data file 11d stores vulnerability information before the change. Yes.

  The unauthorized access analysis function unit 12 performs vulnerability analysis based on unauthorized access information stored in the vulnerability analysis memory 11 to create vulnerability information.

  The receiving / delivering function unit 13 receives unauthorized access information notified from the notification function unit 24 of the hub 2 and distributes vulnerability information newly obtained by the unauthorized access analysis function unit 12 to each hub 2. .

  Further, the screen function unit 14 includes a display device (not shown), and the unauthorized access detection time, the detected unauthorized access item, the attack source device information stored in the vulnerability analysis memory 11 by the operation of the operator, Information about the attacking device information and vulnerability information is displayed as log information.

  The vulnerability analysis memory 11 is the information storage means in the claims, the unauthorized access analysis function unit 12 is the vulnerability analysis means in the claims, and the receiving / delivery function unit 13 is in the claims. The screen function unit 14 corresponds to the receiving / distributing means and the display means of the claims.

  Next, the unauthorized access monitoring processing operation in the network system having the above configuration will be described with reference to the flowchart shown in FIG. In addition, the code | symbol S in a figure means each process step.

  For example, assume that the terminal device 3 at the top in FIG. 1 is the attack source and the terminal device 3 at the bottom is the attack destination. When a packet is transmitted from the terminal device 3 at the attack destination, the packet from the terminal device 3 is received by the relay function unit 21 of the hub 2 (step 1). The data is transferred to the access detection function unit 22.

  The unauthorized access detection function unit 22 compares the information in the packet to be relayed with the vulnerability information registered in the vulnerability determination data file 25 to determine whether the access is unauthorized (Steps 12 and 13). ). At this time, if it is determined that the access is not unauthorized, the relay function unit 21 relays this packet and sends it to the internal network 4 (step 14), so this packet is transmitted from the internal network 4 via the hub 2 to a predetermined value. Is transmitted to the terminal device 3. Alternatively, a packet is transmitted from the internal network 4 through the Internet 5.

  On the other hand, when the unauthorized access detection function unit 22 determines that the packet from the terminal device 3 is unauthorized access, the blocking function unit 23 responds to the packet blocking instruction from the terminal device 3 with the relay function unit. 21 (step 15), the relay function unit 21 stops the relay processing of all packets from the attack source terminal device 3 (step 16). The blocking function unit 23 starts monitoring the blocking duration (step 17), and the notification function unit 24 transmits the unauthorized access information detected by the unauthorized access detection function unit 22 to the vulnerability analysis server 1 (step). 18).

  After that, when a predetermined interruption duration time elapses (step 19), the interruption function unit 23 determines that the unauthorized access from the terminal device 3 of the attack source has ended, and the relay function unit 21 from the terminal device 3 An instruction to resume packet relay is given (step 20). As a result, the relay function unit 21 resumes receiving packets from the terminal device 3 (step 21).

  As described above, since all the terminal devices 3 are connected to the internal network 4 via the hub 2, it is possible to monitor whether all the packets transmitted from all the terminal devices 3 are fraudulent. . In addition, since packets transmitted from the internal network 4 to the terminal device 3 always pass through the hub 2, all packets transmitted from the internal network 4 to the terminal device 3 via the hub 2 are fraudulent. Can be monitored. And since the relay of this packet is blocked for a packet having an unauthorized purpose, unauthorized access transmitted via the internal network 4 can be reliably and effectively prevented.

  Next, transmission / reception processing operations of unauthorized access information and vulnerability information between the vulnerability analysis server 1 and the hub 2 will be described with reference to the flowcharts of FIGS. 3 and 4. In addition, the code | symbol S in a figure means each process step.

  When the unauthorized access detection function unit 22 of each hub 2 detects unauthorized access, the notification function unit 24 detects the detected unauthorized access information, that is, the unauthorized access detection time, the detected unauthorized access item, the attack source device information, The device information of the attack destination is transmitted to the vulnerability analysis server 1 via the internal network 4 or directly (step 31).

  Upon receiving this unauthorized access information (step 32), the receiving / delivery function unit 13 of the vulnerability analysis server 1 stores this unauthorized access information in the vulnerability analysis memory 11 (step 33). As a result, the unauthorized access detection data file 11a includes the unauthorized access detection time detected by the unauthorized access detection function unit 22 of each hub 2, the detected unauthorized access item, the attack source device information, and the attack destination device information. Stored. In the unauthorized access history data file 11b, unauthorized access items detected by the unauthorized access detection function unit 22 of each hub 2 are stored in chronological order from the newest one.

  Subsequently, the unauthorized access analysis function unit 12 performs an analysis based on the information stored in each of the databases 11a to 11d of the unauthorized access detection data file 11a so that important items are detected preferentially as unauthorized access. Perform (step 34). Then, new vulnerability information is created from the analysis result (step 35). A specific example of processing for creating new vulnerability information by this analysis will be described in detail later.

  When new vulnerability information is created in this way, the new vulnerability information is stored in the new vulnerability information database 11c, and is received / distributed by the receiving / distributing function unit 13 via the internal network 4 or all hubs 2. Directly distributed (step 36).

  Since the new vulnerability information distributed from the vulnerability analysis server 1 is received by the relay function unit 21 of each hub 2 (step 41), the relay function unit 21 receives the new vulnerability information from the vulnerability analysis server 1. It is determined whether or not it is addressed to the own device (step 42). In this case, if it is not addressed to the own device, the processing is terminated, while if it is addressed to the own device, the relay processing of all ports is temporarily stopped and the new vulnerability information is transferred to the update function unit 26 (step 43). . In response to this, the update function unit 26 registers the new vulnerability information in the vulnerability determination data file 25 to update the existing vulnerability information (step 44). Then, after the update is completed, the update function unit 26 notifies the relay function unit 21 of the restart of the relay process, so that the relay function unit 21 restarts the relay process (step 45). As a result, it is possible to reliably prevent an unauthorized packet from being transmitted from the attack source terminal device 3 to the attack destination terminal device 3.

  Thereafter, the unauthorized access detection function unit 22 of each hub 2 determines whether or not each packet to be relayed is unauthorized access based on the new vulnerability information updated and registered in the vulnerability determination data file 25. It will be.

  As described above, since the vulnerability information registered in the vulnerability determination data file 25 of the hub 2 is always updated based on the vulnerability analysis result obtained by the vulnerability analysis server 1, the unauthorized access detection function unit Therefore, it is possible to preferentially detect unauthorized access with the latest type and high aggression, and to maintain a high security function.

  Further, in response to the operation of the operator, the screen function unit 14 of the vulnerability analysis server 1 detects the unauthorized access detection time, the detected unauthorized access item, the attack source device information stored in the vulnerability analysis memory 11, Information on the attack destination device, information on whether or not vulnerability information is updated, information on unauthorized access history, and lock information such as old and new vulnerability information are displayed on the display device. Thereby, the operator can grasp | ascertain the content of unauthorized access concretely.

  Next, the vulnerability analysis processing operation by the unauthorized access analysis function unit 12 of the vulnerability analysis server 1 will be described with reference to the explanatory diagram shown in FIG. 5 and the flowchart shown in FIG.

  FIG. 5A shows each item of unauthorized access stored in the unauthorized access detection data file 11a. The unauthorized access items are listed in order from the newly detected items from top to bottom. FIG. 5B shows vulnerability information before update stored in the previous vulnerability information data file 11d, and each item of unauthorized access is arranged from top to bottom according to the detection frequency. FIG. 5C shows updated new vulnerability information stored in the new vulnerability information data file 11c, and each item of unauthorized access is arranged from the top to the bottom according to the detection frequency. FIG. 5D shows unauthorized access history information stored in the unauthorized access history data file 11b, and unauthorized access items are arranged in time series from top to bottom according to the order of detection of unauthorized access.

  Of the items listed as unauthorized access in the unauthorized access detection data file 11a of FIG. 5 (a), the unauthorized access analysis function unit 12 first selects items (A and B in this example) included in the range of X1. Set as a priority detection item. For the items A and B included in the range X1, a certain range Y is set as a search area from the unauthorized access history information stored in the unauthorized access history data file 11b. The occurrence frequency of each item A and B is checked. Then, the ranking is given from the item with the highest occurrence frequency (step 61). In this example, since the item A has a frequency 1 and the item B has a frequency 2 in the search area Y, the item B is the detection item with the highest ranking and the item A is the detection item with the next highest ranking. When the occurrence frequency of the items in the range of X1 is the same, the order listed in FIG.

  Next, regarding the unauthorized access detection items (C to G in this case) included in the range of X2, each item C to G is similarly searched in the unauthorized access history information search area Y stored in the unauthorized access history data file 11b. Check the frequency of occurrence. In this example, item C has frequency 3, item D has frequency 2, item E has frequency 0, item F has frequency 2, and item G has frequency 0.

  Here, among the items C to G, the item C has the highest occurrence frequency and therefore the highest ranking. Next, items D and F have the highest occurrence frequency, but both items D and F have the same frequency. At this time, the order of the items listed in FIG. Therefore, item F is set after item D (step 62).

  The remaining items other than the above items are E and G. Since the items E and G have a frequency of 0, in this case, they are arranged according to the order of the previous vulnerability information stored in the previous vulnerability information data file 11d shown in FIG. 5B (step 63). That is, in the case of this example, the item G is ranked higher than the item E in the previous vulnerability information, so the item G is set higher than the item E. Therefore, as shown in FIG. 5C, newly created vulnerability information (detection items in the order of priority of unauthorized access) is finally B → A → C → D → F → G → E. It becomes the priority.

  As described above, the unauthorized access analysis function unit 12 includes the listed unauthorized access detection items (FIG. 5A), unauthorized access history information (FIG. 5D), and previous vulnerability information (FIG. 5B). )) Statistically analyzed the detection frequency of unauthorized access detection items, and newly set the priority of unauthorized access detection items based on the analysis results, and this is used as new vulnerability information (FIG. 5 (c)). Create as. Therefore, it is possible to always prioritize and detect unauthorized access with the latest type and high aggression.

  Note that the content of the unauthorized access information shown in FIG. 5 is merely an example, and it is needless to say that the content is not limited to such content.

It is a block diagram which shows the whole network system in Embodiment 1 of this invention. It is a flowchart with which it uses for description of the unauthorized access monitoring process operation | movement in the network system. 5 is a flowchart for explaining the entire information processing operation of the vulnerability analysis server based on unauthorized access information given from a hub in the network system. 4 is a flowchart for explaining processing operations of a hub when vulnerability information is given from a vulnerability analysis server in the network system. It is explanatory drawing with which it uses for description of the vulnerability analysis processing operation | movement by a vulnerability analysis server. It is a flowchart with which it uses for description of the vulnerability analysis processing operation | movement by a vulnerability analysis server.

Explanation of symbols

1 vulnerability analysis server, 2 hubs, 3 terminal devices, 4 internal network,
11 Vulnerability analysis memory (information storage means),
12 Unauthorized access analysis function (vulnerability analysis means),
13 receiving and delivering function part (receiving and delivering means), 14 screen function part (display means),
21 Relay function unit (relay means, receiving means),
22 Unauthorized access detection function part (unauthorized access detection means),
23 blocking function part (blocking means), 24 notification function part (notifying means),
25 Vulnerability determination data file, 26 Update function part (update means).

Claims (5)

In a network system in which an internal network and a plurality of terminal devices are connected via a hub, the hub includes a relay unit that relays a packet transmitted between the terminal device and the internal network, and the packet Unauthorized access detection means for detecting the presence or absence of unauthorized access, and blocking means for blocking the relay processing of packets by the relay means for a predetermined time when unauthorized access is detected by the unauthorized access detection means. A characteristic network system. The vulnerability analysis server includes an information storage unit that stores unauthorized access information detected by the unauthorized access detection unit of each hub, and the unauthorized access information stored in the information storage unit. Vulnerability analysis means for analyzing vulnerability and creating vulnerability information, and receiving the unauthorized access information from the hub and receiving the vulnerability information analyzed by the vulnerability analysis means to each hub. The network system according to claim 1, further comprising a distribution unit. The vulnerability analysis means statistically analyzes the frequency of occurrence of unauthorized access detection items based on the unauthorized access information stored in the information storage means, and re-determines the priority order of unauthorized access detection items based on the analysis result. 3. The network system according to claim 2, wherein new vulnerability information is created. The hub includes notifying means for notifying the vulnerability analysis server of unauthorized access information, receiving means for receiving vulnerability information distributed from the vulnerability analysis server, and vulnerability received by the receiving means. 4. The network system according to claim 2, further comprising an update unit configured to update existing vulnerability information for detecting unauthorized access by the unauthorized access detection unit based on the information. The vulnerability analysis server stores the unauthorized access detection time, detected unauthorized access item, attack source device information, attack destination device information, presence / absence of update of vulnerability information, etc. as log information in the information storage means. The network system according to any one of claims 2 to 4, further comprising display means for displaying an image of the log information stored in the information storage means.

Images