WO2014181452A1 - Packet filter device and communication control system - Google Patents

Info

Publication number: WO2014181452A1
Authority: WO, WIPO (PCT)
Prior art keywords: packet, filter device, packet filter, processing load, transmission path
Application number: PCT/JP2013/063105
Other languages: French (fr), Japanese (ja)
Inventors: 大倉 敬規, 祥慈 柚木, 山田 勉, 良 藤田
Original Assignee: 株式会社 日立製作所 (Hitachi, Ltd.)
Application filed by 株式会社 日立製作所
Priority to PCT/JP2013/063105 (WO2014181452A1) and JP2015515720A (JPWO2014181452A1)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 12/00 Data switching networks
    • H04L 12/64 Hybrid switching systems
    • H04L 12/6418 Hybrid transport

Definitions

  • The present invention relates to a packet filter device and a communication control system for transmitting data used in an industrial plant or the like.
  • An "illegal packet" means a packet that carries fake control data injected into the communication network by an attacker, or a packet that was never meant to be transmitted on the communication network and appears because of a failure of a connected device.
  • In other words, an illegal packet is a packet containing data whose transmission is not allowed, and a "regular packet" is any packet flowing through the communication network that is not an illegal packet.
  • As a technique for protecting a communication network from cyber attacks, the packet filter distribution method and distributed packet filter system described in Patent Document 1, for example, are known.
  • In Patent Document 1, a filter management server manages the filter load of each packet filter so as to distribute the processing load among the filters; its characteristic is that filter rules with a heavy processing load are assigned to filters that handle a small amount of traffic.
  • An object of the present invention is therefore to provide a packet filter device and a communication control system that can filter out illegal packets while reducing the loss of regular packets, even when the number of illegal packets increases rapidly.
  • To this end, the present invention provides a packet filter device that is connected to a transmission path to which a plurality of terminal apparatuses are connected, receives the packets transmitted through the transmission path, and performs a filtering process that restricts the passage of packets according to a specific rule.
  • The device comprises a storage unit that stores the specific rule, and a control unit that changes the specific rule stored in the storage unit and performs the filtering process.
  • According to the present invention, it is possible to provide a packet filter device and a communication control system that filter illegal packets while reducing the loss of regular packets even under a sudden increase in illegal packets.
  • The first embodiment will be described.
  • FIG. 1 shows a configuration example of a communication network system according to the first embodiment.
  • The system comprises a transmission path 9 that transmits packets, a plurality of terminal devices 3 that transmit and receive the packets, a plurality of network nodes 2 that relay packets between the transmission path 9 and the terminal devices 3, and a packet filter device 1 connected in the transmission path 9 that transmits the packets received from one transmission path 9 to the other transmission path 9.
  • As the communication network system, for example, an industrial network defined by the IEEE 802.3 standard, the IEC 61158 standard, or the IEC 61375 standard may be used.
  • The terminal devices 3 include, for example, a programmable logic controller and a monitoring computer used in an industrial plant, a control computer that sends control commands to the controller, and a gateway device used for connecting the communication network to an external network.
  • The packet filter device 1 performs a filtering process that restricts the passage of packets according to a specific filter rule. It receives all packets that are subject to the filtering process among the packets transmitted through the connected transmission path 9, and then transmits the packets, after some processing inside the packet filter device 1, to the connected transmission path 9.
  • When the processing load inside the device exceeds a threshold value, the packet filter device 1 transmits a part of the packets received from the transmission path 9 onward to the transmission path 9 without performing the filtering process.
  • In this way the processing load of the packet filter device 1 does not exceed the threshold.
  • The packets transmitted to the transmission path 9 without the filtering process include not only regular packets but also illegal packets.
  • Accordingly, terminal devices 3 are installed in order of increasing importance from the upstream side (left side in FIG. 1) to the downstream side (right side in FIG. 1) in the direction of packet flow.
  • The packet filter devices are provided in multiple stages, and the load is distributed so that the processing load of each filter device does not exceed the threshold. Filtering can therefore be completed before illegal packets arrive at a terminal device 3 of high importance, and regular packets are not lost when the number of illegal packets increases rapidly, providing a system that maintains its real-time characteristics.
  • FIG. 2 illustrates a configuration example of the inside of the packet filter device 1 that performs the operation described above.
  • The packet filter device 1 includes a reception interface unit 191 that receives a packet from the transmission path 9 and converts it into a bit string that can be processed inside the device, a control unit 100 that performs various filtering processes on the received packet, a storage unit 200 that stores a filter rule 11 used for the processing, and a transmission interface unit 192 that converts the bit string of a packet to be transmitted into a code suitable for transmission on the transmission path.
  • The filter rule 11 is a rule set in advance for distinguishing illegal packets from regular packets.
  • It defines judgment criteria such as the packet's source address, destination address, protocol, source port number, destination port number, and payload.
  • The control unit 100 comprises: a reception protocol processing unit 13 that performs reception processing on the converted received packet according to the communication protocol; an illegal packet determination unit 12 that receives the filter rule 11, which serves as the reference for determining an illegal packet, together with the received packet, and determines whether the packet is an illegal packet or a regular packet; a transmission protocol processing unit 14 that performs transmission processing according to the communication protocol for the packets that the illegal packet determination unit 12 determines to be regular; a processing load measurement unit 17 that, based on the received packet information notified from the reception protocol processing unit, measures the processing load, such as the amount of packets to be filtered per unit time and the amount of packets received per unit time, and notifies the result as own-device processing load information; a device processing load determination unit 10 that, based on this information, notifies an instruction to transmit received packets without the filtering process (a short-circuit relay instruction); and a short-circuit relay switching unit 15 that, when the short-circuit relay instruction is notified from the device processing load determination unit 10, selects a part of the received packets output from the reception interface unit 191 according to a predetermined rule (short-circuit relay packets) and outputs them to the transmission interface unit 192.
  • The control unit 100 is configured by, for example, a CPU, and the processing performed by the control unit 100 has been described as being implemented by various programs.
  • Each function and process can also be realized in hardware, for example by designing an integrated circuit.
  • The processing load measurement unit 17 may also receive its information from the reception interface unit 191 or from the illegal packet determination unit 12. Further, the device processing load determination unit 10 may also serve as the processing load measurement unit 17.
  • The threshold value may be, for example, a reference value for the upper limit of the amount of packets to be filtered per unit time or of the number of packets received per unit time, chosen so that the packets received by the packet filter device can be filtered without causing packet loss.
  • FIG. 3 illustrates the operation when the amount of packets transmitted through the transmission path 9 is small.
  • In this case the packet filter device 1a, which is upstream on the path through which the packets are transmitted, can perform the filtering process on all received packets.
  • As a result, the regular packets A and B are relayed to the downstream transmission path 9, and the illegal packets X and Y are excluded.
  • FIG. 4 shows the operation when the amount of packets transmitted through the transmission path 9 increases.
  • As the amount of packets transmitted through the transmission path 9 increases, the processing load measured by the processing load measurement unit 17 exceeds the threshold, that is, it exceeds the processing capability of the illegal packet determination unit 12 of the packet filter device 1a.
  • The device processing load determination unit 10 therefore issues a short-circuit relay instruction, and the short-circuit relay switching unit 15 selects a part of the received packets output from the reception interface unit 191 according to a predetermined rule and transmits them, via the transmission interface unit 192, to the transmission path 9.
  • The predetermined rule followed by the short-circuit relay switching unit 15 is stored in the storage unit 200. It may be a fixed percentage of the received packet amount (for example, 50% of the total received packet amount), or it may select packets having specific information drawn from the information described in the received packet or obtained from its identifiers, such as the destination terminal device, the source terminal device, or the type of data contained in the packet.
  • In FIG. 4, the regular packet A and the illegal packets X1, X2 and X3 are filtered: the regular packet A is relayed to the downstream transmission path 9 and the illegal packets X1, X2 and X3 are excluded. The regular packet B and the illegal packets Y1 and Y2, however, are transmitted to the transmission path 9 under the short-circuit relay instruction without being filtered, and are relayed directly to the downstream transmission path 9.
  • A packet filter device 1b is connected downstream on the transmission path 9. By receiving and filtering the regular packets A and B and the illegal packets Y1 and Y2 transmitted to the transmission path 9 by the upstream packet filter device 1a, the packet filter device 1b relays the regular packets A and B to the downstream transmission path 9 and excludes the illegal packets Y1 and Y2.
  • Even when the upstream device passes an illegal packet unfiltered, the downstream packet filter device can therefore filter it out and remove it.
  • And even if the downstream packet filter device 1b also transmits illegal packets to the transmission path without filtering because its own processing load exceeds the threshold, a further downstream packet filter device (not shown in FIG. 4) can filter out the illegal packets.
  • FIG. 5 is a processing flowchart showing the operation of the packet filter device 1 in this embodiment.
  • The packet filter device receives a packet from the transmission path 9 (S101). The processing load measurement unit 17 measures the filtering processing load, that is, the processing load applied to the packet filter device, and the device processing load determination unit 10 determines whether the processing load exceeds the threshold (S102). When the threshold is not exceeded (NO in S102), the illegal packet determination unit 12 performs the filtering process on all packets (S103), and the filtered packets are transmitted to the transmission path 9 (S104).
  • When the threshold is exceeded (YES in S102), the device processing load determination unit 10 outputs a short-circuit relay instruction to the short-circuit relay switching unit 15, which, according to the predetermined rule, outputs a part of the received packets to the filtering process and outputs the other received packets to the transmission interface without the filtering process (S105). The packets are then output to the transmission path according to the rule (S104).
  • The first embodiment has been described above.
  • According to this embodiment, even if the processing load of an upstream packet filter device exceeds the threshold and packets are relayed downstream without the filtering process, the filtering process is performed in the plurality of packet filter devices connected downstream, so illegal packets can be prevented from reaching the destination terminal device.
  • Also, when a packet filter device receives a large number of illegal packets as described above, packet loss in the packet filter device is prevented by the short-circuit relay instruction, so that regular packets can be prevented from being lost.
  • In the first embodiment, the device processing load determination unit 10 of each packet filter device 1 decides solely from the processing load measured by the processing load measurement unit 17 of its own device and issues the short-circuit relay instruction.
  • However, packets are transmitted in all directions on the transmission path 9, and the processing load of a downstream packet filter device 1 is not necessarily small.
  • In the second embodiment, therefore, information regarding the processing load of each device (hereinafter "own-device processing load information") is periodically exchanged among the plurality of packet filter devices 1.
  • A method is described in which the amount of packets transmitted downstream by short-circuit relaying without the filtering process is adjusted according to the magnitude of the processing load of the downstream packet filter device 1.
  • A configuration example of the information network system according to the second embodiment is the same as that shown in FIG.
  • FIG. 6 shows an example of the internal configuration of the packet filter device 1.
  • The packet filter device 1 includes a reception interface unit 191 that receives a packet from the transmission path 9 and converts it into a bit string that can be processed inside the device, a control unit 100 that performs various filtering processes on the received packet, a storage unit 200 that stores a filter rule 11 used for the processing, and a transmission interface unit 192 that converts the bit string of a packet to be transmitted into a code suitable for transmission on the transmission path.
  • The filter rule 11 is a rule set in advance for distinguishing illegal packets from regular packets.
  • It defines judgment criteria such as the packet's source address, destination address, protocol, source port number, destination port number, and payload.
  • The control unit 100 comprises: a reception protocol processing unit 131 that performs reception processing on the received packet according to the communication protocol and outputs received processing load information packets to the device processing load determination unit 101; an illegal packet determination unit 12 that, using the filter rule 11 as the criterion for determining an illegal packet, determines whether the received packet is an illegal packet or a regular packet; a transmission protocol processing unit 141 that performs transmission processing according to the communication protocol for the packets determined by the illegal packet determination unit 12 to be regular and for the own-device processing load information packets, output by the device processing load determination unit 101, which report the own-device processing load information; a transmission interface unit 192 that converts the bit string of a packet to be transmitted into a code suitable for transmission on the transmission path; a processing load measurement unit 17 that, based on the received packet information notified from the reception protocol processing unit, measures the processing load, such as the amount of packets to be filtered per unit time and the amount of packets received per unit time, and notifies the result as own-device processing load information; a device processing load determination unit 101 that generates the own-device processing load information packet to be notified to the other packet filter devices 1, determines a rule such as the amount of packets to be transmitted to the transmission path 9 without the filtering process (that is, without processing by the illegal packet determination unit 12), and notifies an instruction with the determined content (short-circuit relay instruction); and a short-circuit relay switching unit 151 that, when the short-circuit relay instruction is notified from the device processing load determination unit 101, selects a part of the received packets output from the reception interface unit 191 according to the instructed rule (short-circuit relay packets) and outputs them to the transmission interface unit 192.
  • The control unit 100 is configured by, for example, a CPU, and the processing performed by the control unit 100 has been described as being implemented by various programs.
  • Each function and process can also be realized in hardware, for example by designing an integrated circuit.
  • The processing load measurement unit 17 may also receive its information from the reception interface unit 191 or from the illegal packet determination unit 12. Further, the device processing load determination unit 10 may also serve as the processing load measurement unit 17.
  • The own-device processing load information packet may be notified as a UDP/IP packet or a TCP/IP packet, or by using a protocol agreed in advance among all the packet filter devices 1. Further, it may be notified only to the adjacent packet filter device 1, or to all other packet filter devices 1.
  • FIG. 7 shows the data flow when notifying all other packet filter devices 1.
  • Each packet filter device 1 forwards a processing load information packet received from another packet filter device 1 on one transmission path 9 to the other transmission path 9 unchanged, so that every device can obtain the processing load information of all other packet filter devices 1. For example, the processing load information of 1a transmitted by the packet filter device 1a is relayed to the packet filter devices 1b and 1c via the transmission path 9, and in this way all packet filter devices 1 acquire the processing load information of the other devices.
  • FIG. 8 illustrates an example of the rule that the device processing load determination unit 101 instructs to the short-circuit relay switching unit 151, namely a rule such as the amount of packets to be transmitted to the transmission path 9 without the filtering process.
  • Three packet filter devices 1a, 1b and 1c are connected in series on the transmission path 9.
  • Assume that packets enter from the left side of the transmission path 9 in the communication network (for the sake of explanation, the network nodes 2 and terminal devices 3 are not shown), and that the processing loads of the packet filter devices 1a, 1b and 1c are 30%, 90% and 30% of the threshold value, respectively.
  • The processing capabilities of all the packet filter devices are assumed to be equal.
  • Now suppose the processing load of the packet filter device 1a increases, exceeds the threshold (100%), and reaches 150% of the threshold.
  • The processing loads of the downstream packet filter devices 1b and 1c are 90% and 30% of the threshold, so their combined remaining processing capability is 80%. The packet filter device 1a therefore suppresses the processing load of its own device to 90% (the remaining 10% is reserved to absorb fluctuations of the processing load) and has the remaining packet amount (60% ≤ 80%) processed by the downstream packet filter devices 1b or 1c.
  • That is, the device processing load determination unit 101 of the packet filter device 1a issues a short-circuit relay instruction so that 60% of the received packet amount is transmitted as it is to the downstream transmission path 9 without the filtering process.
  • The packet filter device 1b now receives 60% more from the packet filter device 1a than when its processing load was 90%, so its processing load exceeds the threshold (100%) and reaches 150%. At this point the processing load of the downstream packet filter device 1c is 30% of the threshold and its remaining processing capacity is 70%, so the packet filter device 1b decides to suppress its own processing load to 90% (again keeping the remaining 10% as margin) and to have the remaining packet amount (60% ≤ 70%) processed by the downstream packet filter device 1c. The device processing load determination unit 101 of the packet filter device 1b therefore issues a short-circuit relay instruction so that 60% of the received packet amount is transmitted as it is to the downstream transmission path 9 without the filtering process.
  • The device processing load determination unit 101 of the packet filter device 1c does not issue a short-circuit relay instruction.
  • A rule for deciding how much of the packet amount the own device filters, depending on the processing load of the downstream packet filter devices, is stored in advance in the storage unit 200, and the device processing load determination unit 101 and the short-circuit relay switching unit 151 determine the amount of packets to be filtered according to that rule.
  • FIG. 8 shows an example in which the three packet filter devices 1a, 1b and 1c cooperate to filter a large amount of received packets.
  • When the packet filter device 1a receives an excessively large amount of packets (for example, 500% of the threshold value) and determines that not all of the received packets can be processed even when the processing capabilities of the packet filter devices 1b and 1c are combined, intentionally discarding the received packets that cannot be processed is one conceivable measure.
  • The reason such packets may be discarded is that a received packet that cannot be processed may itself be an illegal packet.
  • FIG. 9 is a processing flowchart showing the operation of the packet filter device 1 in the present embodiment.
  • The packet filter device 1 receives a packet from the transmission path 9 (S201). The processing load measurement unit 17 measures the filtering processing load, that is, the processing load applied to the packet filter device, and the device processing load determination unit 10 determines whether the processing load exceeds the threshold (S202). When the threshold is not exceeded (NO in S202), the illegal packet determination unit 12 performs the filtering process on all packets (S203), and the filtered packets are transmitted to the transmission path 9 (S204).
  • When the processing load exceeds the threshold (YES in S202), the device determines, from the processing load information of the downstream packet filter devices, whether transmitting the packets downstream from the own device without the filtering process would exceed the amount of data the downstream packet filter devices can process (S205). If the amount that can be processed downstream is not exceeded (NO in S205), a part of the received packets is output to the filtering process according to the predetermined rule and the other received packets are output to the transmission interface without the filtering process (S206), after which the packets are transmitted to the transmission path (S204).
  • If the amount that can be processed downstream would be exceeded (YES in S205), the packet filter device 1 discards the received packets that are not subjected to the filtering process (S207), and only the packets determined to be regular packets are transmitted to the transmission path (S204).
  • Here the received packets not subjected to the filtering process are discarded in S207, but the discarding of packets that cannot be processed may instead be performed by a downstream packet filter device.
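As an added example (not code from the patent or from Hitachi), the following Python simulation walks the FIG. 8 numbers through the FIG. 9 decision for a chain of devices, including the 500% overload case in which the excess cannot be absorbed downstream. It assumes a threshold of 100, the 90% target with 10% headroom from the worked figure, and that a device facing YES in S205 short-circuits what the downstream devices can still absorb and discards only the remainder; the names `decide`, `simulate` and `Decision` are this example's own.

```python
from dataclasses import dataclass

THRESHOLD = 100.0   # processing capacity; 100 == the threshold used in the figures
TARGET = 90.0       # load a device keeps for itself when shedding (10% margin, as in FIG. 8)


@dataclass
class Decision:
    """What one device did with the packet amount offered to it (all values in % of threshold)."""
    name: str
    received: float         # own traffic plus packets short-circuited to it from upstream
    filtered: float         # amount passed through the illegal packet determination unit
    short_circuited: float  # amount relayed downstream unfiltered (S206)
    discarded: float        # amount intentionally dropped (S207)

    def short_circuit_ratio(self) -> float:
        """Fraction of the received amount the switching unit is instructed to bypass."""
        return self.short_circuited / self.received if self.received else 0.0


def decide(received: float, downstream_remaining: float):
    """Decision of one device processing load determination unit, following FIG. 9.

    received: packet amount offered to the device, in % of its threshold.
    downstream_remaining: summed spare capacity of the downstream devices, taken
        from their last advertised processing load information.
    Returns (filtered, short_circuited, discarded).
    """
    if received <= THRESHOLD:               # S202 NO: filter everything (S203)
        return received, 0.0, 0.0
    excess = received - TARGET              # what must leave this device unfiltered
    if excess <= downstream_remaining:      # S205 NO: downstream can absorb all of it (S206)
        return TARGET, excess, 0.0
    # S205 YES: relay what downstream can still process, discard the rest (S207).
    # Splitting the excess this way is an assumption of this example; the text
    # only says that received packets which cannot be processed are discarded.
    return TARGET, downstream_remaining, excess - downstream_remaining


def simulate(names, loads):
    """Propagate a surge along a chain of devices ordered upstream -> downstream.

    loads[i] is the load device i carries from its own traffic before any
    short-circuited packets reach it; a surge is modelled by raising loads[0].
    Downstream loads are read from the advertised snapshot (loads), since a
    device only learns of the extra traffic once it actually arrives.
    """
    decisions = []
    carried = 0.0                           # amount short-circuited by the device upstream
    for i, (name, own) in enumerate(zip(names, loads)):
        received = own + carried
        downstream_remaining = sum(max(0.0, THRESHOLD - l) for l in loads[i + 1:])
        filtered, relayed, dropped = decide(received, downstream_remaining)
        decisions.append(Decision(name, received, filtered, relayed, dropped))
        carried = relayed
    return decisions


def conserved(decisions) -> bool:
    """Every packet amount offered to a device is either filtered, relayed or discarded."""
    return all(abs(d.received - (d.filtered + d.short_circuited + d.discarded)) < 1e-9
               for d in decisions)


if __name__ == "__main__":
    # FIG. 8: loads 30/90/30 of threshold, then 1a's offered load jumps to 150%.
    for d in simulate(["1a", "1b", "1c"], [150.0, 90.0, 30.0]):
        print(d, f"bypass ratio={d.short_circuit_ratio():.2f}")
    # Overload case of the text: 1a is offered 500%; 1b and 1c together cannot absorb it.
    for d in simulate(["1a", "1b", "1c"], [500.0, 90.0, 30.0]):
        print(d)
```

In the FIG. 8 run 1a and 1b each short-circuit 60 (40% of what 1a receives) and 1c filters 90 with no bypass; in the 500% run 1a discards 330 and 1b a further 10, which is the S207 branch.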
  • According to the second embodiment, the plurality of packet filter devices 1 regularly exchange their own processing load information with each other, so that each packet filter device 1 knows the processing load of the other packet filter devices 1. When the processing load of the own device exceeds the threshold, the amount of packets transmitted downstream by short-circuit relaying without the filtering process is adjusted according to the processing load of the downstream packet filter devices 1, and the processing load can thus be shared optimally in cooperation with the plurality of downstream packet filter devices 1.
  • In the configurations described so far, the packet filter device 1 is connected inline to the transmission path 9.
  • This connection method is characterized in that the packet filter device 1 can target all packets transmitted through the transmission path 9 for the filtering process.
  • However, in the connection method shown in FIG. the packet filter device 1 also performs reception processing and transmission processing on packets specified as not subject to the filtering process, so a wasteful processing load arises.
  • A configuration in which the packet filter device 1 transmits and receives only the packets defined as filtering targets, while packets defined as not subject to the filtering process are transmitted through the transmission path 9 without passing through the packet filter device 1, is therefore described with reference to FIG. 10.
  • FIG. 10 focuses only on the portion where the packet filter device 1 is connected to the transmission path 9; the network nodes 2 and terminal devices 3 are omitted.
  • A packet relay device 200 is connected inline to the transmission path 9, and the packet relay device 200 and the packet filter device 1 are connected via a transmission path 900.
  • Among the packets transmitted through the transmission path 9, the packet relay device 200 relays those defined as filtering targets to the transmission path 900, and relays those defined as not subject to the filtering process onward on the transmission path 9 (in the direction opposite to the one they were received from) without relaying them to the transmission path 900.
  • The packet filter device 1 processes the packet received from the transmission path 900 internally and then transmits the resulting packet to the transmission path 900.
  • The packet relay device 200, having received the packet from the transmission path 900, relays it to the transmission path 9.
  • The basis on which the packet relay device 200 decides whether a packet is subject to the filtering process may be information on the destination terminal device or the source terminal device contained in the packet, or a specific bit string contained in the data carried in the packet.
  • Note that, among the packets defined as filtering targets, a packet received from the left direction of the transmission path 9 is relayed by the packet relay device 200 to the transmission path 900 and, after the packet filter device 1 has filtered it, must be relayed in the right direction when it is relayed to the transmission path 9 again; conversely, a packet received from the right direction of the transmission path 9 is relayed to the transmission path 900 and, after filtering by the packet filter device 1, must be relayed to the left of the transmission path 9 when it is relayed to the transmission path 9 again.
  • For this purpose, VLAN 1 and VLAN 2 are configured between the packet relay device 200 and the packet filter device 1. Among the packets defined as filtering targets, the packet relay device 200 attaches the VLAN tag of VLAN 1 to a packet received from the left side of the transmission path 9 and relays it to the transmission path 900, and attaches the VLAN tag of VLAN 2 to a packet received from the right side of the transmission path 9 and relays it to the transmission path 900.
  • When the packet filter device 1 internally processes a packet received from the transmission path 900 and transmits it again to the transmission path 900, a packet carrying the VLAN tag of VLAN 1 is transmitted with the VLAN tag of VLAN 2 attached, and a packet carrying the VLAN tag of VLAN 2 is transmitted with the VLAN tag of VLAN 1 attached.
  • The packet relay device 200 removes the VLAN tag from the packets received from the transmission path 900: a packet carrying the VLAN tag of VLAN 2 is transmitted to the left side of the transmission path 9 with its tag removed, and a packet carrying the VLAN tag of VLAN 1 is transmitted to the right side of the transmission path 9 with its tag removed.
  • Alternatively, a transmission path 901 and a transmission path 902 may be provided between the packet relay device 200 and the packet filter device 1, as shown in FIG.
  • Among the packets defined as filtering targets, the packet relay device 200 relays a packet received from the left direction of the transmission path 9 to the transmission path 901, and relays a packet received from the right direction of the transmission path 9 to the transmission path 902.
  • The packet filter device 1 processes a packet received from the transmission path 901 internally and, when transmitting it to the transmission path again, transmits it to the transmission path 902; a packet received from the transmission path 902 is processed internally and transmitted again to the transmission path 901.
  • The packet relay device 200 transmits a packet received from the transmission path 901 to the left of the transmission path 9, and a packet received from the transmission path 902 to the right of the transmission path 9.
  • As the packet relay device 200, a switching hub or a layer 3 switch used in a LAN compliant with the IEEE 802.3 standard may be used, provided it has a function for configuring that packets having specific destination information or source information are relayed to a specified relay destination port. Such a function can be realized, for example, with the Static MAC Address setting function implemented in the Cisco Catalyst 2950 and in the Allied Telesis CenterCOM IA810M and CenterCOM x610 Series.
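As an added example (not the patent's own code), the following Python model traces packets through the FIG. 10 arrangement in its two-link form (transmission paths 901 and 902), showing how the relay device 200 keeps a packet's direction of travel on the transmission path 9 while only filter targets reach the packet filter device 1. The packet representation, the `subject_to_filtering` predicate and the allow-list standing in for filter rule 11 are constructed for this example.

```python
LEFT, RIGHT = "left", "right"          # the two directions on transmission path 9
PATH_901, PATH_902 = "901", "902"      # links between relay device 200 and filter device 1

# Constructed stand-in for filter rule 11: (source, destination) pairs that are regular.
FILTER_RULE_11 = {("hmi-1", "plc-1"), ("eng-ws", "plc-1")}


def subject_to_filtering(pkt) -> bool:
    """Relay device's filter-target decision. The text allows destination/source
    terminal information or a payload bit string; here (constructed) only traffic
    addressed to the controller plc-1 is a filtering target."""
    return pkt["dst"] == "plc-1"


def relay_ingress(pkt, came_from):
    """Relay device 200, transmission path 9 side. Returns (egress, packet), where
    egress is PATH_901/PATH_902 for filter targets and otherwise the opposite side
    of path 9 (bypass: the filter device never sees the packet)."""
    if not subject_to_filtering(pkt):
        return (RIGHT if came_from == LEFT else LEFT), pkt
    return (PATH_901 if came_from == LEFT else PATH_902), pkt


def filter_device(pkt, came_from_path):
    """Packet filter device 1: exclude illegal packets; return regular ones on the
    other link, so the relay device can tell which way they were travelling."""
    if (pkt["src"], pkt["dst"]) not in FILTER_RULE_11:
        return None, pkt                                        # illegal packet excluded
    return (PATH_902 if came_from_path == PATH_901 else PATH_901), pkt


def relay_egress(came_from_path):
    """Relay device 200, link side: 901 -> left of path 9, 902 -> right of path 9."""
    return LEFT if came_from_path == PATH_901 else RIGHT


def traverse(pkt, came_from):
    """Carry one packet through the whole arrangement.
    Returns (side of path 9 it leaves on, or None if excluded, whether it was filtered)."""
    egress, pkt = relay_ingress(pkt, came_from)
    if egress in (LEFT, RIGHT):
        return egress, False                                    # bypassed the filter
    back_path, pkt = filter_device(pkt, egress)
    if back_path is None:
        return None, True                                       # dropped by filter
    return relay_egress(back_path), True


if __name__ == "__main__":
    # Constructed sample traffic: regular, illegal, and not-subject-to-filtering.
    print(traverse({"src": "hmi-1", "dst": "plc-1"}, LEFT))     # ('right', True)
    print(traverse({"src": "hmi-1", "dst": "plc-1"}, RIGHT))    # ('left', True)
    print(traverse({"src": "rogue", "dst": "plc-1"}, LEFT))     # (None, True)
    print(traverse({"src": "plc-1", "dst": "hmi-1"}, LEFT))     # ('right', False)
```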
  • The third embodiment has been described above.
  • The packet filter device 1 only needs to perform the filtering process for the packets prescribed for filtering.
  • A more robust communication control system can be constructed against cyber attacks.
  • The present invention provides a packet filter device that performs a filtering process restricting the passage of packets according to a specific filter rule, in a communication network in which a plurality of terminal devices are connected to a transmission path and transmit and receive packets.
  • A plurality of packet filter devices are arranged on the transmission path along the route through which a packet is transmitted from the source terminal device to the destination terminal device.
  • The packet filter device receives all the packets subject to the filtering process among the packets transmitted on the connected transmission path, and sends the packets that have undergone some processing inside the packet filter device to the connected transmission path.
  • When the filtering processing load, the packet reception processing load, or the like (hereinafter referred to as the "processing load") exceeds a threshold value, each packet filter device transmits a part of the packets received from the transmission path to the transmission path without performing the filtering process, so that the processing load of the packet filter device does not exceed the threshold value.
  • The packets transmitted to the transmission path without the filtering process include not only regular packets but also illegal packets.
  • The packet filter apparatus has the following processing functions:
  • a reception interface unit that receives a packet from the transmission path and converts it into a bit string that can be processed inside the apparatus;
  • a reception protocol processing unit that performs reception processing on the converted received packet according to a communication protocol;
  • an illegal packet determination unit that determines whether a received packet is an illegal packet or a regular packet;
  • a filter rule storage unit that stores the filter rule used by the illegal packet determination unit to determine an illegal packet;
  • a transmission protocol processing unit that performs transmission processing, according to a communication protocol, on a packet that the illegal packet determination unit has determined to be a regular packet;
  • a transmission interface unit that converts the bit string of the packet to be transmitted into a code suitable for transmission on the transmission path;
  • a processing load measuring unit that measures a processing load, for example the amount of packets filtered per unit time or the amount of packets received and processed per unit time;
  • a device processing load determination unit that compares the processing load measured by the processing load measuring unit with a threshold value and, when the measured processing load becomes larger than the threshold value, issues an instruction to transmit to the transmission path without performing the filtering process (hereinafter referred to as a "short-circuit relay instruction"); and
  • a short-circuit relay switching unit that, when a short-circuit relay instruction is issued by the device processing load determination unit, selects a part of the received packets output from the reception interface unit according to a predetermined rule (the selected packets are referred to as "short-circuit relay packets") and outputs them to the transmission interface unit.
  • The threshold value may be, for example, a reference value for the upper limit of the amount of packets filtered per unit time or the amount of packets received and processed per unit time, chosen so that all packets received by the packet filter device can be filtered without causing packet loss.
  • A packet transmitted to the transmission path without the filtering process is subjected to the filtering process in a packet filter device connected downstream on the transmission path.
  • Thus the downstream packet filter device filters and removes the illegal packet. Even if the downstream packet filter device also sends an illegal packet to the transmission path without the filtering process because its processing load exceeds the threshold, a packet filter device further downstream can filter and remove the illegal packet.
  • If the packet filter device of the present invention is connected in multiple stages to the transmission path on the packet route, then even when the processing load exceeds the threshold in an upstream packet filter device and packets are relayed downstream without the filtering process, the filtering process is performed in the plurality of packet filter devices connected downstream, so an illegal packet can be prevented from reaching the destination terminal device.
  • Even when the packet filter device receives a large number of illegal packets as described above, packet loss is prevented by the short-circuit relay instruction within the packet filter device, so the loss of regular packets can be prevented.
  • The multiple packet filter devices connected in multiple stages cooperate to share the filtering processing load.
  • A large amount of attack packets can be filtered, and a secure industrial system can be constructed.
  • Reception buffer overflow in each packet filter device can be prevented, so regular packets are not lost and the system is prevented from stopping.
  • The present invention is not limited to the above-described examples, and various modifications are included.
  • The above-described embodiments have been described in detail for easy understanding of the present invention, and the invention is not necessarily limited to those having all the configurations described.
  • a part of the configuration of one embodiment can be replaced with the configuration of another embodiment, and the configuration of another embodiment can be added to the configuration of one embodiment.
  • Each of the above-described configurations, functions, processing units, processing means, and the like may be realized in hardware by designing a part or all of them as, for example, an integrated circuit.
  • Each of the above-described configurations, functions, and the like may be realized in software by a processor interpreting and executing a program that implements each function.
  • Information such as programs, tables, and files for realizing each function can be stored in a recording device such as a memory, a hard disk, an SSD (Solid State Drive), or a recording medium such as an IC card, an SD card, or a DVD.
  • The control lines and information lines shown are those considered necessary for the explanation; not all the control lines and information lines of the product are necessarily shown. In practice, almost all the components may be considered to be connected to each other.
  • Reference signs: 1 Packet filter device; 100 Control unit; 200 Storage unit; 10, 101 Device processing load determination unit; 11 Filter rule storage unit; 12 Illegal packet determination unit; 13, 131 Reception protocol processing unit; 14, 141 Transmission protocol processing unit; 15, 151 Short-circuit relay switching unit; 17 Processing load measuring unit; 191 Reception interface unit; 192 Transmission interface unit; 2 Network node; 200 Packet relay device; 3 Terminal device; 9, 900, 901, 902 Transmission path

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The purpose of the present invention is to provide a packet filter device and a communication control system capable of filtering illegal packets while reducing a loss of normal packets for even a rapid increase in illegal packets. To this end, the present invention is characterized by having, in a packet filter device connected to a plurality of terminal devices via a transmission path and used for receiving a packet transmitted via the transmission path and performing a filtering process for limiting the passage of the packet according to a specific rule, a storage unit for storing the specific rule, and a control unit for changing, while performing the filtering process, the specific rule stored in the storage unit when a processing load imposed on packet processing reaches a prescribed value.

Description

Packet filter device and communication control system
The present invention relates to a packet filter device and a communication control system for transmitting data used in an industrial plant or the like.
In recent years, in industrial systems such as plants and factory automation systems, it has been pointed out that the threat of cyber attacks is increasing, in which an attacker who has intruded into the system with the aim of stopping or destroying it injects fake control data into the communication network to which control devices such as programmable logic controllers (PLCs) are connected and over which control data is transmitted. Various methods and devices for protecting communication networks from cyber attacks have accordingly been developed.
In the following description, the terms "illegal packet" and "regular packet" are used.
That is, an "illegal packet" is a packet containing data that is not originally permitted to be transmitted on the communication network, such as a packet carrying fake control data injected into the communication network by an attacker, or a packet not anticipated by the design that is sent to the communication network because of a failure of a connected device; a "regular packet" is any packet flowing through the communication network other than an illegal packet.
As a technique for protecting a communication network from cyber attacks, the packet filter distribution method and distributed packet filter system described in Patent Document 1, for example, are known.
In the distributed packet filter system described in Patent Document 1, a filter management server manages the filter load of each packet filter, thereby distributing the processing load among the filters, and filter rules with a heavy processing load are assigned to filters with a small amount of traffic.
Patent Document 1: JP 2003-244247 A
In the technique described in Patent Document 1, since the filter management server manages the filter rules of each packet filter and instructs changes to them, a filter rule change cannot respond immediately to a rapid increase in illegal packets, and there is the problem that regular packets may be lost.
Also, because packets received by a packet filter are always relayed through the filtering process, when illegal packets increase and the amount of received packets exceeds the processing speed of the filtering process, the reception buffer of the packet filter overflows and not only illegal packets but also regular packets are lost.
An object of the present invention is therefore to provide a packet filter device and a communication control system that can filter illegal packets while reducing the loss of regular packets even against a rapid increase in illegal packets.
To solve the above problems, the present invention is characterized in that a packet filter device, connected to a plurality of terminal devices via a transmission path, which receives packets transmitted over the transmission path and performs a filtering process that restricts the passage of packets according to a specific rule, has a storage unit that stores the specific rule, and a control unit that, when the processing load of packet processing reaches a prescribed value, changes the specific rule stored in the storage unit and performs the filtering process.
The present invention can provide a packet filter device and a communication control system that filter illegal packets while reducing the loss of regular packets even against a rapid increase in illegal packets.
FIG. 1 is a diagram showing the configuration of a communication control system according to one embodiment of the present invention.
FIG. 2 is a diagram showing the configuration of a packet filter device according to one embodiment of the present invention.
FIG. 3 is a diagram showing the operation of a packet filter device according to one embodiment of the present invention.
FIG. 4 is a diagram showing the operation of a packet filter device according to one embodiment of the present invention.
FIG. 5 is a diagram showing the processing flow of a packet filter device according to one embodiment of the present invention.
FIG. 6 is a diagram showing the configuration of a packet filter device according to one embodiment of the present invention.
FIG. 7 is a diagram showing the operation of a packet filter device according to one embodiment of the present invention.
FIG. 8 is a diagram showing the operation of a packet filter device according to one embodiment of the present invention.
FIG. 9 is a diagram showing the processing flow of a packet filter device according to one embodiment of the present invention.
FIG. 10 is a diagram showing the configuration of a communication control system according to one embodiment of the present invention.
FIG. 11 is a diagram showing the configuration of a communication control system according to one embodiment of the present invention.
FIG. 12 is a diagram showing the configuration of a communication control system according to one embodiment of the present invention.
Hereinafter, embodiments of the present invention will be described with reference to the drawings.
First embodiment
The first embodiment will be described.
First, FIG. 1 shows a configuration example of a communication network system according to the first embodiment.
The communication network system in FIG. 1 is composed of a transmission path 9 that carries packets, a plurality of terminal devices 3 that transmit and receive packets, and a plurality of network nodes 2 that relay packets between the transmission path 9 and the terminal devices 3; as shown in FIG. 1, a packet filter device 1 that transmits a packet received from one side of the transmission path 9 to the other side of the transmission path 9 is connected into the transmission path 9.
As the communication network system, for example, an industrial network defined by the IEEE 802.3 standard, the IEC 61158 standard, or the IEC 61375 standard may be used.
As the terminal devices 3, for example, programmable logic controllers and monitoring computers used in an industrial plant, control computers that send control commands to the controllers, and gateway devices used to connect the communication network to an external network may be used.
The packet filter device 1 performs a filtering process that restricts the passage of packets according to a specific filter rule; it receives all packets subject to the filtering process among the packets transmitted on the connected transmission path 9, and transmits those packets, after some processing inside the packet filter device 1, to the connected transmission path 9.
When the processing load within the device exceeds a threshold, the packet filter device 1 transmits a part of the packets received from the transmission path 9 to the transmission path 9 without performing the filtering process, so that the processing load of the packet filter device 1 does not exceed the threshold.
The packets transmitted to the transmission path 9 without the filtering process include not only regular packets but also illegal packets.
In this embodiment, it is assumed that terminal devices 3 of higher importance are installed further downstream (right side in FIG. 1) along the direction in which packets flow, from upstream (left side in FIG. 1). When packets flow toward a terminal device 3 of high importance, packet filter devices are provided in multiple stages and the filtering process is performed with the load distributed so that the processing load of each filter device does not exceed the threshold. The filtering process can therefore be performed without letting illegal packets reach the terminal device 3 of high importance and without losing regular packets during a rapid increase in illegal packets, and a system that maintains real-time performance can be provided.
FIG. 2 shows a configuration example of the inside of the packet filter device 1 that performs the above operation.
That is, the packet filter device 1 is composed of a reception interface unit 191 that receives packets from the transmission path 9 and converts them into bit strings that can be processed inside the device, a control unit 100 that performs various filtering processes on the received packets, a storage unit 200 that stores the filter rule 11 used in the filtering process, and a transmission interface unit 192 that converts the bit string of a packet into a code suitable for transmission over the transmission path. Here, the filter rule 11 is a rule set in advance to separate illegal packets from regular packets, defining criteria such as the packet's source address, destination address, protocol, source port number, destination port number, and payload. The programs executed by the control unit 100 comprise: a reception protocol processing unit 13 that performs reception processing on the converted received packet according to the communication protocol; an illegal packet determination unit 12 that obtains the filter rule 11 serving as the criterion for determining illegal packets and determines whether a received packet is an illegal packet or a regular packet; a transmission protocol processing unit 14 that performs transmission processing, according to the communication protocol, on packets the illegal packet determination unit 12 has determined to be regular; a processing load measuring unit 17 that, based on the received packet information notified from the reception protocol processing unit, measures the processing load, such as the amount of packets filtered per unit time or the amount of packets received per unit time, and reports the result as own-device processing load information; a device processing load determination unit 10 that compares the processing load reported in the own-device processing load information with a threshold and, when the measured processing load becomes larger than the threshold, issues an instruction (short-circuit relay instruction) to transmit packets to the transmission path without the filtering process (that is, without processing by the illegal packet determination unit 12); and a short-circuit relay switching unit 15 that, when the short-circuit relay instruction is received from the device processing load determination unit 10, selects a part of the received packets output from the reception interface unit 191 according to a predetermined rule (short-circuit relay packets) and outputs them to the transmission interface unit 192.
Here, in this embodiment, the control unit 100 is configured by, for example, a CPU, and has been described as having various programs as the processing performed by the control unit 100; however, each function or process can also be realized in hardware, for example by designing it as an integrated circuit. The processing load measuring unit 17 can also obtain information from the reception interface unit 191 or the illegal packet determination unit 12. The device processing load determination unit 10 can also serve as the processing load measuring unit 17.
The threshold may be, for example, a reference value for the upper limit of the amount of packets filtered per unit time or the amount of packets received per unit time at which the packets received by the packet filter device can be filtered without causing packet loss.
Next, the operation of the packet filter device 1 will be described.
FIG. 3 shows the operation when the amount of packets transmitted on the transmission path 9 is small. In that case, as shown in FIG. 3, the packet filter device 1a, located upstream on the path along which packets are transmitted, can perform the filtering process on all received packets, relaying the regular packets A and B to the downstream transmission path 9 and eliminating the illegal packets X and Y.
FIG. 4 shows the operation when the amount of packets transmitted on the transmission path 9 has increased. As shown in FIG. 4, when the amount of packets on the transmission path 9 increases so that the processing load measured by the processing load measuring unit 17 exceeds the threshold and exceeds the processing capacity of the illegal packet determination unit 12 of the packet filter device 1a, the device processing load determination unit 10 issues a short-circuit relay instruction, and the short-circuit relay switching unit 15 selects a part of the received packets output from the reception interface unit 191 according to a predetermined rule, outputs them to the transmission interface unit 192, and transmits them to the transmission path 9.
Here, the predetermined rule followed by the short-circuit relay switching unit 15 is stored in the storage unit 200. It may be a fixed proportion of the received packet amount (for example, 50% of all received packets), or it may select packets having specific information obtained from the information and identifiers recorded in the received packet, such as the destination terminal device, the source terminal device, or the type of data contained in the packet (for example, all packets whose destination terminal device is A, or packets carrying voice data).
Through the above operation of the packet filter device 1a, as shown in FIG. 4, the regular packet A and the illegal packets X1, X2, and X3 undergo the filtering process: the regular packet A is relayed to the downstream transmission path 9 and the illegal packets X1, X2, and X3 are eliminated. The regular packet B and the illegal packets Y1 and Y2, which were sent to the transmission path 9 by the short-circuit relay instruction without the filtering process, are relayed unfiltered to the downstream transmission path 9.
Meanwhile, a packet filter device 1b is connected downstream on the transmission path 9. The regular packets A and B and the illegal packets Y1 and Y2 sent to the transmission path 9 by the upstream packet filter device 1a are received and filtered by the packet filter device 1b, which relays the regular packets A and B to the downstream transmission path 9 and eliminates the illegal packets Y1 and Y2.
In this way, even when the processing load of an upstream packet filter device exceeds the threshold and illegal packets are sent to the transmission path without the filtering process, the downstream packet filter device can filter out and remove those illegal packets.
Furthermore, even if that downstream packet filter device also exceeds its threshold and sends illegal packets to the transmission path without the filtering process, a packet filter device still further downstream (not shown in FIG. 4) can filter out and remove those illegal packets.
FIG. 5 is a flowchart showing the operation of the packet filter device 1 in this embodiment. The packet filter device receives a packet from the transmission path 9 (S101). The processing load measuring unit 17 measures the filtering processing load, that is, the processing load on the packet filter device, and the device processing load determination unit 10 judges whether the processing load exceeds the threshold (S102). If it does not (NO in S102), the illegal packet determination unit 12 performs the filtering process on all packets (S103), and the filtered packets are transmitted to the transmission path 9 (S104). If the processing load exceeds the threshold (YES in S102), the device processing load determination unit 10 outputs a short-circuit instruction to the short-circuit relay switching unit 15, which, according to the predetermined rule, passes a part of the received packets to the filtering process and outputs the remaining received packets to the transmission interface without the filtering process (S105). The packets filtered according to the rule are then output to the transmission path (S104).
The first embodiment has been described above.
As described above, in this embodiment, if the packet filter devices of the present invention are connected in multiple stages on the transmission path along the packet route, then even when packets are relayed downstream without the filtering process because the processing load of an upstream packet filter device exceeds the threshold, the filtering process is performed by the plurality of packet filter devices connected downstream, so illegal packets can be prevented from reaching the destination terminal device.
Moreover, even when a packet filter device receives a large number of illegal packets as above, packet loss is prevented within the packet filter device by the short-circuit relay instruction, so the loss of regular packets can be prevented.
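The first-embodiment procedure (S101 to S105) and the two-stage behaviour of FIG. 4, as an added Python simulation that is not part of the patent or of Hitachi's implementation; the whitelist standing in for filter rule 11, the addresses, the packet labels and the threshold of four packets per window are assumptions. For contrast it also reproduces the background's conventional-filter failure, where a regular packet is lost to receive-buffer overflow.

```python
"""Multi-stage packet filter with short-circuit relay (added simulation, not
the patent's or Hitachi's code). One process() call is one unit-time window;
load = packets received in it. Names, addresses and rule 11 are constructed."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple

@dataclass(frozen=True)
class Packet:
    name: str    # label as in FIG. 3 / FIG. 4: A, B regular; X*, Y* illegal
    src: str
    dst: str
    proto: str
    dport: int

# Filter rule 11 (constructed): the only flows the plant network is meant to
# carry, keyed on source, destination, protocol and destination port.
ALLOWED_FLOWS: Set[Tuple[str, str, str, int]] = {
    ("scada-1", "plc-1", "tcp", 502),   # Modbus/TCP to PLC 1
    ("scada-1", "plc-2", "tcp", 502),   # Modbus/TCP to PLC 2
}

def is_regular(p: Packet) -> bool:
    """Illegal packet determination unit 12: True only for a regular packet."""
    return (p.src, p.dst, p.proto, p.dport) in ALLOWED_FLOWS

# Predetermined rules for the short-circuit relay switching unit 15; each
# takes (packet, position in window) and says whether the packet bypasses.
def bypass_by_destination(dst: str) -> Callable[[Packet, int], bool]:
    """Short-circuit every packet addressed to terminal device `dst`."""
    return lambda p, i: p.dst == dst

def bypass_every_nth(n: int) -> Callable[[Packet, int], bool]:
    """Short-circuit a fixed proportion (1/n) of the received packets."""
    return lambda p, i: i % n == n - 1

@dataclass
class PacketFilterDevice:
    name: str
    threshold: int                        # packets per window filterable without loss
    bypass: Callable[[Packet, int], bool]
    short_circuit: bool = True            # False models a conventional filter
    stats: Dict[str, int] = field(default_factory=lambda: {
        "inspected": 0, "dropped": 0, "bypassed": 0, "lost": 0})

    def process(self, received: List[Packet]) -> List[Packet]:
        """Steps S101-S105; returns the packets sent to the downstream path."""
        load = len(received)               # processing load measuring unit 17
        out: List[Packet] = []
        to_filter: List[Packet] = []
        if self.short_circuit and load > self.threshold:   # S102: YES
            for i, p in enumerate(received):
                if self.bypass(p, i):      # S105: relayed without filtering
                    out.append(p)
                    self.stats["bypassed"] += 1
                else:
                    to_filter.append(p)
        else:                              # S102: NO, filter everything
            to_filter = list(received)
        # Whatever still exceeds the threshold overflows the receive buffer
        # and is lost, regular packets included (the problem the patent targets).
        if len(to_filter) > self.threshold:
            self.stats["lost"] += len(to_filter) - self.threshold
            to_filter = to_filter[: self.threshold]
        for p in to_filter:                # S103: filtering process
            self.stats["inspected"] += 1
            if is_regular(p):
                out.append(p)
            else:
                self.stats["dropped"] += 1
        return out                         # S104: sent to the transmission path

def run_chain(devices, window):
    """Relays one window through filters connected in series on the path."""
    for dev in devices:
        window = dev.process(window)
    return sorted(p.name for p in window)  # labels reaching the destination

# Constructed traffic for the FIG. 4 situation: a burst of illegal packets
# (unknown source 10.0.9.9) arrives in the same window as regular A and B.
ATTACK_WINDOW = [
    Packet("A", "scada-1", "plc-1", "tcp", 502),
    Packet("X1", "10.0.9.9", "plc-1", "tcp", 502),
    Packet("X2", "10.0.9.9", "plc-1", "tcp", 23),
    Packet("X3", "10.0.9.9", "plc-1", "udp", 161),
    Packet("Y1", "10.0.9.9", "plc-2", "tcp", 502),
    Packet("B", "scada-1", "plc-2", "tcp", 502),
    Packet("Y2", "10.0.9.9", "plc-2", "tcp", 22),
]

def fig4_two_stage():
    """1a overloads and short-circuits PLC-2 traffic; 1b filters what it let through."""
    dev_1a = PacketFilterDevice("1a", 4, bypass_by_destination("plc-2"))
    dev_1b = PacketFilterDevice("1b", 4, bypass_by_destination("plc-2"))
    return run_chain([dev_1a, dev_1b], ATTACK_WINDOW), dev_1a.stats, dev_1b.stats

def single_conventional_filter():
    """Same burst through one filter without unit 15: regular packet B is lost."""
    dev = PacketFilterDevice("conv", 4, bypass_every_nth(2), short_circuit=False)
    return run_chain([dev], ATTACK_WINDOW), dev.stats
```

The per-device `stats` counters are the values a defender would export for monitoring: a rising `bypassed` count means the upstream stage is shedding unfiltered traffic, and a non-zero `lost` count means the chosen short-circuit rule diverts too little to keep the inspected share under the threshold.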
Second embodiment
In the first embodiment described above, the device processing load determination unit 10 of each packet filter device 1 issued the short-circuit relay instruction based solely on the processing load measured by its own processing load measuring unit 17. However, since various packets are exchanged between the terminal devices connected to the communication network, packets travel in every direction on the transmission path 9, and the processing load of the downstream packet filter device 1 is not necessarily small.
Therefore, the second embodiment describes a method in which the plurality of packet filter devices 1 periodically exchange information on their own processing load (hereinafter "own-device processing load information") with one another, so that each packet filter device 1 knows the processing load of the other packet filter devices 1 (hereinafter "other-device processing load information"), and, when its own processing load exceeds the threshold, adjusts the amount of packets that it short-circuit relays downstream without filtering according to the magnitude of the processing load of the downstream packet filter devices 1.
A configuration example of the information network system according to the second embodiment is the same as that shown in FIG. 1.
FIG. 6 shows an example of the internal configuration of the packet filter device 1.
That is, the packet filter device 1 comprises a reception interface unit 191 that receives packets from the transmission path 9 and converts them into bit strings that can be processed inside the device; a control unit 100 that performs various filtering processes on the received packets; a storage unit 200 that stores the filter rule 11 used for the filtering process; and a transmission interface unit 192 that converts packet bit strings into a code suitable for transmission on the transmission path. Here, the filter rule 11 is a rule set in advance for distinguishing illegal packets from regular packets, and defines criteria such as the packet's source address, destination address, protocol, source port number, destination port number, and payload.
In addition, as programs executed by the control unit 10, the device comprises: a reception protocol processing unit 131 that performs reception processing on the converted received packets in accordance with the communication protocol and outputs the other-device processing load information packets, which carry the other-device processing load information received from other packet filter devices 1, to the device processing load determination unit 101; an illegal packet determination unit 12 that obtains the filter rule 11, the criterion for identifying illegal packets, and determines whether a received packet is an illegal packet or a regular packet; a transmission protocol processing unit 141 that performs transmission processing, in accordance with the communication protocol, on packets that the illegal packet determination unit 12 has determined to be regular and on the own-device processing load information packets, which carry the own-device processing load information output by the device processing load determination unit 101; a transmission interface unit 192 that converts the bit string of a packet to be transmitted into a code suitable for transmission on the transmission path; a processing load measuring unit 17 that measures the processing load, such as the amount of packets filtered per unit time and the amount of packets received and processed per unit time, from the received packet information notified by the reception protocol processing unit, and reports the result as own-device processing load information; a device processing load determination unit 101 that periodically outputs the own-device processing load information packet containing the own-device processing load information to be notified to the other packet filter devices 1, compares the processing load reported in the own-device processing load information with a threshold and, when the measured processing load exceeds the threshold, decides, on the basis of the other-device processing load information received from the other packet filter devices 1, a rule such as the amount of packets to be transmitted onto the transmission path 9 without filtering (that is, without processing by the illegal packet determination unit 12) and notifies an instruction with that decision (a short-circuit relay instruction); and a short-circuit relay switching unit 151 that, when notified of the short-circuit relay instruction by the device processing load determination unit 101, selects part of the received packets output from the reception interface unit 191 in accordance with the instructed rule (short-circuit relay packets) and outputs them to the transmission interface unit 192.
Here, in this embodiment, the control unit 100 has been described as being composed of, for example, a CPU and as holding various programs for the processing that the control unit 100 performs, but each function or process may also be implemented in hardware, for example by designing an integrated circuit. The processing load measuring unit 10 may also obtain information from the reception interface unit 191 or the illegal packet determination unit 12. The device processing load determination unit 10 may also serve the function of the processing load measuring unit 17.
The own-device processing load information packet may be sent as a UDP/IP packet or a TCP/IP packet, or using a protocol agreed in advance among all packet filter devices 1. The own-device processing load information packet may be sent only to the adjacent packet filter devices 1, or to all other packet filter devices 1.
FIG. 7 shows the data flow when notifying all other packet filter devices 1. As shown in FIG. 7, an own-device processing load information packet received on one transmission path 9 from another packet filter device 1 is transmitted unchanged onto the other transmission path 9, so that every packet filter device 1 can obtain the processing load information of all other packet filter devices 1. For example, the processing load information that packet filter device 1a transmits about itself is relayed over the transmission path 9 through packet filter devices 1b and 1c, so that all packet filter devices 1 obtain the processing load information of the other devices.
FIG. 8 shows an example of the rule that the device processing load determination unit 101 instructs to the short-circuit relay switching unit 151. As an example of a rule such as the amount of packets transmitted onto the transmission path 9 without filtering, consider, as shown in FIG. 8, a communication network in which three packet filter devices 1a, 1b, and 1c are connected in sequence to the transmission path 9 (the network nodes 2, terminal devices 3, and so on are omitted for convenience of explanation), with packets arriving from the left of the transmission path 9, and suppose that at some point the processing loads of the packet filter devices 1a, 1b, and 1c are 30%, 90%, and 30% of the threshold, respectively. For simplicity of explanation, all packet filter devices are assumed to have equal processing capacity.
Next, suppose that the amount of packets arriving from the left of the transmission path 9 increases and the processing load of the packet filter device 1a exceeds the threshold (100%) and reaches 150% of the threshold. At this point, the processing loads of the downstream packet filter devices 1b and 1c are 90% and 30% of the threshold, respectively, so their combined remaining processing capacity is 80%. The packet filter device 1a therefore holds its own processing load to 90% (the remaining 10% is regarded as a margin for absorbing fluctuations in processing load), judges that the remaining packet amount (60% < 80%) can be processed by the downstream packet filter devices 1b or 1c, and the device processing load determination unit 101 of the packet filter device 1a issues a short-circuit relay instruction so that 60% of the received packet amount is transmitted unchanged, without filtering, onto the downstream transmission path 9.
On the other hand, packet filter device 1b, whose processing load was originally 90%, now additionally receives 60% more from packet filter device 1a, so its processing load exceeds the threshold (100%) and reaches 150%. At this point, the processing load of the downstream packet filter device 1c is 30% of the threshold and its remaining processing capacity is 70%, so the packet filter device 1b holds its own processing load to 90% (the remaining 10% again being a margin for absorbing load fluctuations), judges that the remaining packet amount (60% < 70%) can be processed by the downstream packet filter device 1c, and its device processing load determination unit 101 issues a short-circuit relay instruction so that 60% of the received packet amount is transmitted unchanged, without filtering, onto the downstream transmission path 9.
Furthermore, packet filter device 1c, whose processing load was originally 30%, now additionally receives 60% more from packet filter device 1b, so its processing load reaches 90% of the threshold; since this does not exceed the threshold (100%), the load can be processed and the device processing load determination unit 101 of the packet filter device 1c does not issue a short-circuit relay instruction. Here, the rule describing how much of the packet amount a device filters itself for a given processing load of the downstream packet filter device, as described above, is stored in advance in the storage unit 200, and the device processing load determination unit 101 and the short-circuit relay switching unit 151 decide the amount of packets to be filtered in accordance with that rule.
Thus, FIG. 8 showed an example in which the three packet filter devices 1a, 1b, and 1c cooperate to filter a large volume of received packets. Suppose, however, that packet filter device 1a receives an excessively large volume of packets (for example 500% of the threshold) and determines that not all received packets can be processed even with the combined processing capacity of the downstream packet filter devices 1b and 1c. In this case, for example, the received packets that cannot be processed may be discarded at the most downstream packet filter device 1c, or they may be discarded at the upstream packet filter device 1a that determined they cannot be processed.
The reason such discarding is permissible is that the received packets that cannot be processed may include illegal packets; so, in order to keep the destination terminal from receiving illegal packets, when the packet filter device 1a determines that not all received packets can be processed even with the combined capacity of the downstream packet filter devices 1b and 1c, deliberately discarding the packets that cannot be processed is one conceivable measure.
FIG. 9 is a processing flowchart showing the operation of the packet filter device 1 in this embodiment. The packet filter device 1 receives a packet from the transmission path 9 (S201); the processing load measuring unit 17 measures the load of the filtering process, that is, the processing load placed on the packet filter device, and the device processing load determination unit 10 determines whether the processing load exceeds the threshold (S202). If the threshold is not exceeded (NO in S202), the illegal packet determination unit 12 performs the filtering process on all packets (S203) and the filtered packets are transmitted onto the transmission path 9 (S204). On the other hand, if the processing load exceeds the threshold (YES in S202), the device determines, from the processing load information of the downstream packet filter devices, whether transmitting packets downstream without filtering would exceed the amount of data the downstream packet filter devices can process (S205). If the amount of data the downstream packet filter devices can process would not be exceeded (NO in S205), part of the received packets are output to the filtering process in accordance with a predetermined rule and the remaining received packets are output to the transmission interface without filtering (S206), after which the packets are transmitted onto the transmission path (S204). If it is determined that the amount of data the downstream packet filter devices can process would be exceeded (YES in S205), the packet filter device 1 discards the received packets that are not filtered (S207) and transmits only the packets determined to be regular onto the transmission path (S204).
Here, the packets that are not filtered are discarded in S207, but the discarding of packets that cannot be processed may instead be performed by a downstream packet filter device.
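The following is an added example, not code from the patent, that models the decision of FIG. 9 (S202, S205, S206, S207) along the three-device chain of FIG. 8. It assumes the 10% margin from the description, that each device's advertised load is its load before the surge, and it computes the downstream remaining capacity directly instead of looking it up in a rule stored in the storage unit 200.

```python
"""Added example (not from the patent): cooperative short-circuit relay
decisions along a chain of packet filter devices. All loads are expressed
in percent of the threshold (100%)."""
from dataclasses import dataclass

THRESHOLD = 100   # processing load at which a device starts short-circuit relaying
MARGIN = 10       # headroom a relaying device keeps to absorb load fluctuation (assumption)


@dataclass
class Decision:
    filtered: int   # load the device handles itself with the illegal packet determination unit
    bypassed: int   # load sent downstream without filtering (short-circuit relay packets)
    dropped: int    # load discarded because no downstream capacity remains (S207)


def decide(total_load, downstream_loads):
    """Steps S202, S205, S206 and S207 for a single device.

    total_load: the device's measured processing load (own traffic plus
        anything an upstream device bypassed to it).
    downstream_loads: the other-device processing load information last
        received from each downstream device, nearest first.
    """
    if total_load <= THRESHOLD:                              # S202: NO
        return Decision(total_load, 0, 0)
    remaining = sum(max(0, THRESHOLD - load) for load in downstream_loads)
    keep = THRESHOLD - MARGIN                                # hold own load to 90%
    excess = total_load - keep
    if excess <= remaining:                                  # S205: NO -> S206
        return Decision(keep, excess, 0)
    return Decision(keep, remaining, excess - remaining)     # S205: YES -> S207


def simulate(base_loads, surge):
    """Run the chain. base_loads[i] is device i's load before the surge (the
    value it advertised to its peers); surge is the total load seen at the
    most upstream device once the packet rate rises. Returns one Decision
    per device, in chain order."""
    decisions = []
    carried = 0   # load bypassed to the current device by its upstream neighbour
    for i, base in enumerate(base_loads):
        total = surge if i == 0 else base + carried
        d = decide(total, base_loads[i + 1:])
        decisions.append(d)
        carried = d.bypassed
    return decisions


def total_dropped(decisions):
    return sum(d.dropped for d in decisions)


if __name__ == "__main__":
    # The FIG. 8 scenario: loads 30%, 90%, 30%; device 1a surges to 150%.
    for name, d in zip(("1a", "1b", "1c"), simulate([30, 90, 30], 150)):
        print(name, d)
    # An overload the chain cannot absorb: device 1a surges to 500%.
    for name, d in zip(("1a", "1b", "1c"), simulate([30, 90, 30], 500)):
        print(name, d)
```

In the 150% case the model reproduces the description (60% bypassed at 1a and 1b, nothing at 1c, every device held at 90%); in the 500% case the excess is dropped at the upstream device that judged it unprocessable, which is one of the two placements the description allows.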
The second embodiment has been described above.
As described above, in this embodiment the plurality of packet filter devices 1 periodically exchange own-device processing load information with one another, each packet filter device 1 knows the processing load of the other packet filter devices 1, and, when its own processing load exceeds the threshold, it adjusts the amount of packets that it short-circuit relays downstream without filtering according to the magnitude of the processing load of the downstream packet filter devices 1; as a result, even when an upstream packet filter device 1 receives a large volume of packets, the processing load can be shared optimally in cooperation with the plurality of downstream packet filter devices 1. Illegal packets can therefore be prevented from reaching the destination terminal device, and even when the packet filter device receives a large number of illegal packets, packet loss inside the packet filter device is prevented by the short-circuit relay instruction, so loss of regular packets can be prevented.
Third embodiment
As shown in FIG. 1, in the first and second embodiments described above, the packet filter device 1 is connected inline to the transmission path 9. This connection method has the feature that the packet filter device 1 can subject every packet transmitted on the transmission path 9 to the filtering process.
On the other hand, when the packets transmitted on the transmission path 9 include packets specified as outside the scope of the filtering process, with the connection method of FIG. 1 the packet filter device 1 performs reception and transmission processing even on those packets, which generates unnecessary processing load.
Therefore, the third embodiment describes, with reference to FIG. 10, a configuration in which only packets specified as subject to the filtering process are received and transmitted by the packet filter device 1, while packets specified as outside its scope travel on the transmission path 9 without passing through the packet filter device 1.
Note that FIG. 10 focuses only on the portion where the packet filter device 1 is connected to the transmission path 9; the network nodes 2, terminal devices 3, and so on are omitted.
In FIG. 10, a packet relay device 200 is connected inline to the transmission path 9, and the packet relay device 200 and the packet filter device 1 are connected via a transmission path 900.
The packet relay device 200 relays, among the packets transmitted on the transmission path 9, those specified as subject to the filtering process onto the transmission path 900, and relays packets specified as outside its scope not onto the transmission path 900 but onto the transmission path 9 (the transmission path 9 in the direction opposite to that from which they were received).
The packet filter device 1 processes the packets received from the transmission path 900 internally and then transmits the outgoing packets onto the transmission path 900. The packet relay device 200, on receiving a packet from the transmission path 900, relays it onto the transmission path 9.
The basis on which the packet relay device 200 decides whether a packet is specified as subject to or outside the scope of the filtering process may be the destination or source terminal device information contained in the packet, the upper-layer protocol used, or a specific bit string contained in the data carried by the packet.
Here, among the packets specified as subject to the filtering process, the packet relay device 200 relays packets received from the left side of the transmission path 9 onto the transmission path 900, and when it relays them back onto the transmission path 9 after they have been filtered by the packet filter device 1, it must relay them to the right side of the transmission path 9; likewise, it relays packets received from the right side of the transmission path 9 onto the transmission path 900, and when it relays them back onto the transmission path 9 after filtering by the packet filter device 1, it must relay them to the left side of the transmission path 9.
One way to realize the above relay method in the packet relay device 200 is to configure a plurality of VLANs (Virtual LANs) between the packet relay device 200 and the packet filter device 1, as shown in FIG. 11.
That is, in FIG. 11, VLAN1 and VLAN2 are configured between the packet relay device 200 and the packet filter device 1, and among the packets specified as subject to the filtering process, the packet relay device 200 attaches the VLAN tag of VLAN1 to packets received from the left side of the transmission path 9 and relays them onto the transmission path 900, and attaches the VLAN tag of VLAN2 to packets received from the right side of the transmission path 9 and relays them onto the transmission path 900.
Meanwhile, when the packet filter device 1 processes a packet received from the transmission path 900 internally and then transmits it back onto the transmission path 900, it replaces the VLAN tag of VLAN1 with the VLAN tag of VLAN2 before transmitting, and replaces the VLAN tag of VLAN2 with the VLAN tag of VLAN1 before transmitting.
Furthermore, among the packets received from the transmission path 900, the packet relay device 200 removes the VLAN tag from packets tagged with VLAN1 and transmits them to the left side of the transmission path 9, and removes the VLAN tag from packets tagged with VLAN2 and transmits them to the right side of the transmission path 9.
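The following is an added example, not code from the patent, that carries a raw Ethernet frame through the FIG. 11 round trip: the packet relay device 200 tags it with VLAN1 or VLAN2 according to the side of the transmission path 9 it arrived from, the packet filter device 1 swaps VLAN1 and VLAN2 on the packets it returns, and the relay strips the tag and picks the outgoing side. The sample frame is constructed here, and the filter rule 11 is stood in for by an injected predicate, since the patent does not specify its contents.

```python
"""Added example (not from the patent): 802.1Q tag handling between the
packet relay device 200 and the packet filter device 1 of FIG. 11."""
import struct

TPID_8021Q = 0x8100
VLAN_LEFT, VLAN_RIGHT = 1, 2      # VLAN1: arrived from the left, VLAN2: from the right
SWAP = {VLAN_LEFT: VLAN_RIGHT, VLAN_RIGHT: VLAN_LEFT}


def vlan_id(frame):
    """Return the VLAN ID of an 802.1Q-tagged frame, or None if it is untagged."""
    if len(frame) < 16 or struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return None
    tci = struct.unpack("!H", frame[14:16])[0]
    return tci & 0x0FFF


def push_tag(frame, vid, pcp=0):
    """Insert an 802.1Q tag right after the destination and source MAC addresses."""
    if vlan_id(frame) is not None:
        raise ValueError("frame is already tagged")
    tci = (pcp << 13) | (vid & 0x0FFF)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def pop_tag(frame):
    """Remove the 802.1Q tag and return (vid, untagged_frame)."""
    vid = vlan_id(frame)
    if vid is None:
        raise ValueError("frame is not tagged")
    return vid, frame[:12] + frame[16:]


def relay_to_filter(frame, came_from):
    """Packet relay device 200: tag a filtering-target frame with the VLAN that
    records the side of transmission path 9 it arrived from, for path 900."""
    return push_tag(frame, VLAN_LEFT if came_from == "left" else VLAN_RIGHT)


def filter_device(frame, is_regular):
    """Packet filter device 1: apply the filter rule (is_regular stands in for
    filter rule 11) and, for regular packets, swap VLAN1 <-> VLAN2 so the relay
    knows which side to forward them to. Illegal packets are not returned."""
    vid, untagged = pop_tag(frame)
    if vid not in SWAP:
        raise ValueError(f"unexpected VLAN {vid} on transmission path 900")
    if not is_regular(untagged):
        return None
    return push_tag(untagged, SWAP[vid])


def relay_to_path9(frame):
    """Packet relay device 200: strip the tag and choose the outgoing side of
    transmission path 9. Returns (direction, untagged_frame)."""
    vid, untagged = pop_tag(frame)
    return ("left" if vid == VLAN_LEFT else "right"), untagged


def transit(frame, came_from, is_regular):
    """Full round trip relay -> filter -> relay. Returns (direction, frame),
    or None if the filter device dropped the packet as illegal."""
    filtered = filter_device(relay_to_filter(frame, came_from), is_regular)
    if filtered is None:
        return None
    return relay_to_path9(filtered)


# Constructed sample frame: destination MAC, source MAC, EtherType IPv4, dummy payload.
SAMPLE_FRAME = (bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
                + b"\x08\x00" + b"\x45" + b"\x00" * 19)

if __name__ == "__main__":
    print(transit(SAMPLE_FRAME, "left", lambda f: True))
```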
If, however, the packet filter device 1 cannot handle packets carrying VLAN tags as described above, then, as shown in FIG. 12, a transmission path 901 and a transmission path 902 are configured between the packet relay device 200 and the packet filter device 1, and among the packets specified as subject to the filtering process, the packet relay device 200 relays packets received from the left side of the transmission path 9 onto the transmission path 901 and packets received from the right side of the transmission path 9 onto the transmission path 902.
Meanwhile, when the packet filter device 1 processes a packet received from the transmission path 901 internally and then transmits it back, it transmits it onto the transmission path 902, and when it processes a packet received from the transmission path 902 internally and then transmits it back, it transmits it onto the transmission path 901.
Furthermore, the packet relay device 200 transmits packets received from the transmission path 901 to the left side of the transmission path 9 and packets received from the transmission path 902 to the right side of the transmission path 9.
As the packet relay device 200, for example, a switching hub or a layer 3 switch used in an IEEE 802.3 compliant LAN may be used, or a device having a function that can be configured to relay packets with specific destination or source information to a specific relay destination port. Such a function can be realized, for example, using the static MAC address setting function implemented in Cisco's Catalyst 2950 and in Allied Telesis's CentreCOM IA810M and CentreCOM x610 Series.
The third embodiment has been described above.
As described above, with this embodiment the packet filter device 1 need only filter the packets specified as subject to the filtering process, so the processing load of the packet filter device 1 is reduced and a communication control system that is more robust against cyber attacks using large numbers of illegal packets can be built.
As described in the embodiments above, in the present invention, in a communication network in which a plurality of terminal devices are connected to a transmission path and exchange packets, packet filter devices that perform a filtering process restricting the passage of packets according to a specific filter rule are connected to the transmission path, and a plurality of packet filter devices are arranged on the route of the transmission path over which packets travel from the source terminal device to the destination terminal device.
Furthermore, the packet filter device receives, among the packets transmitted on the transmission path to which it is connected, all packets that are subject to the filtering process, and transmits those packets, after applying some processing inside the packet filter device, onto the connected transmission path.
Furthermore, when the filtering processing load, packet reception processing load, or the like (hereinafter "processing load") exceeds a threshold, each packet filter device transmits part of the packets received from the transmission path onto the transmission path without filtering, so that the processing load of the packet filter device does not exceed the threshold.
Here, the packets transmitted onto the transmission path without filtering include not only regular packets but also illegal packets.
Furthermore, in order for the packet filter device to transmit part of the packets received from the transmission path onto the transmission path without filtering when the processing load exceeds the threshold, the packet filter device is provided with the following processing functions.
That is, it comprises: a reception interface unit that receives packets from the transmission path and converts them into bit strings that can be processed inside the device; a reception protocol processing unit that performs reception processing on the converted received packets in accordance with the communication protocol; an illegal packet determination unit that determines whether a received packet is an illegal packet or a regular packet; a filter rule storage unit that stores the filter rule by which the illegal packet determination unit identifies illegal packets; a transmission protocol processing unit that performs transmission processing, in accordance with the communication protocol, on packets that the illegal packet determination unit has determined to be regular; a transmission interface unit that converts the bit string of a packet to be transmitted into a code suitable for transmission on the transmission path; a processing load measuring unit that measures the processing load, for example the amount of packets filtered per unit time and the amount of packets received and processed per unit time; a device processing load determination unit that compares the processing load measured by the processing load measuring unit with a threshold and, when the measured processing load exceeds the threshold, issues an instruction to transmit onto the transmission path without filtering (hereinafter "short-circuit relay instruction"); and a short-circuit relay switching unit that, when the device processing load determination unit issues the short-circuit relay instruction, selects part of the received packets output from the reception interface unit in accordance with a predetermined rule (the selected packets are called "short-circuit relay packets") and outputs them to the transmission interface unit.
The threshold may be, for example, a guide value for the upper limit of the amount of packets filtered per unit time, or of the amount of packets receive-processed per unit time, up to which the packet filter device can filter all received packets without causing packet loss.
Here, a packet transmitted onto the transmission path without filtering is filtered by a packet filter device connected downstream on the transmission path.
Therefore, even if the processing load of an upstream packet filter device exceeds the threshold and it transmits an illegal packet onto the transmission path without filtering it, the downstream packet filter device can filter and remove that illegal packet; and even if the processing load of that downstream packet filter device also exceeds the threshold and it too transmits the illegal packet onto the transmission path without filtering it, a packet filter device further downstream can filter and remove it.
From the above, if packet filter devices according to the present invention are connected in multiple stages along the transmission path on a packet's route, then even when the processing load of an upstream packet filter device exceeds the threshold and packets are relayed downstream without filtering, those packets are filtered by the plurality of packet filter devices connected downstream, so illegal packets can be prevented from reaching the destination terminal device.
Further, even when the packet filter device receives a large number of illegal packets as described above, packet loss inside the packet filter device is prevented by the short-circuit relay instruction, so regular packets can be prevented from being lost.
Further, against attacks from someone who has intruded into an industrial system, even if the filtering capacity of an individual packet filter device is not high, the plurality of packet filter devices connected in multiple stages cooperate to share the filtering load, so a large volume of attack packets can be filtered and a secure industrial system can be built.
Further, even when a large volume of attack packets occurs, receive buffer overflow in each packet filter device can be prevented, so regular packets are not lost and a halt of the system can be prevented.
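The multi-stage arrangement described above, simulated in Python as an added example (not code from the patent or from Hitachi). The packet fields, the illegal-packet marker used as the filter rule, the per-device thresholds, the destination-based bypass rules, the device names PF-1 to PF-3 and the sample traffic are all constructed for illustration. Three devices in series receive one unit-time batch in which injected control frames exceed a single device's capacity; a lone device of the same capacity with no short-circuit relay path is run on the same batch for comparison.

```python
"""Multi-stage packet filter with a short-circuit relay path.

Added example, not code from the patent or from Hitachi. The packet
fields, the illegal-packet marker, the thresholds and the sample
traffic are constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass, field
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    payload: bytes


@dataclass
class FilterDevice:
    """One packet filter device.

    threshold  : packets per unit time the device can filter without
                 losing any (the guide value the description mentions).
    bypass_rule: predetermined rule choosing the short-circuit relay
                 packets once the load exceeds the threshold; claim 8
                 allows bit string, source, destination or protocol.
    """
    name: str
    threshold: int
    bypass_rule: Callable[[Packet], bool]
    stats: Counter = field(default_factory=Counter)

    @staticmethod
    def is_illegal(pkt: Packet) -> bool:
        # Filter rule (constructed): control frames whose payload starts
        # with 0xFFFF carry fake control data and must not pass.
        return pkt.proto == "ctrl" and pkt.payload.startswith(b"\xff\xff")

    def process(self, batch: List[Packet]) -> List[Packet]:
        """Handle one unit-time batch and return what goes downstream."""
        load = len(batch)                      # processing load measurement
        self.stats["received"] += load
        short_circuit = load > self.threshold  # short-circuit relay instruction
        out, filtered = [], 0
        for pkt in batch:
            if short_circuit and self.bypass_rule(pkt):
                self.stats["bypassed"] += 1    # relayed unfiltered; a device
                out.append(pkt)                # further downstream filters it
                continue
            if filtered >= self.threshold:
                self.stats["lost"] += 1        # receive buffer overflow
                continue
            filtered += 1
            if self.is_illegal(pkt):
                self.stats["dropped_illegal"] += 1
            else:
                out.append(pkt)
        return out


def relay_chain(devices: List[FilterDevice], batch: List[Packet]) -> List[Packet]:
    """Pass one batch through the devices in transmission-path order."""
    for dev in devices:
        batch = dev.process(batch)
    return batch


def sample_batch() -> List[Packet]:
    """Constructed unit-time batch: 24 injected control frames, then 6 regular packets."""
    attack = [Packet("10.0.0.99", dst, "ctrl", b"\xff\xff\x00\x01")
              for dst in ("10.0.0.5",) * 12 + ("10.0.0.6",) * 12]
    regular = [Packet("10.0.0.1", "10.0.0.5", "ctrl", b"\x01\x00") for _ in range(3)]
    regular += [Packet("10.0.0.2", "10.0.0.9", "log", b"ok") for _ in range(3)]
    return attack + regular


def build_chain() -> List[FilterDevice]:
    """Three devices in series; each stage's bypass rule selects by destination."""
    return [
        FilterDevice("PF-1", 18, lambda p: p.dst == "10.0.0.6"),
        FilterDevice("PF-2", 18, lambda p: p.dst == "10.0.0.5"),
        FilterDevice("PF-3", 18, lambda p: False),
    ]


def run(devices: List[FilterDevice]) -> Dict[str, int]:
    """Send the sample batch through the devices and summarise the outcome."""
    delivered = relay_chain(devices, sample_batch())
    return {
        "delivered": len(delivered),
        "delivered_illegal": sum(FilterDevice.is_illegal(p) for p in delivered),
        "lost": sum(d.stats["lost"] for d in devices),
        "dropped_illegal": sum(d.stats["dropped_illegal"] for d in devices),
    }


if __name__ == "__main__":
    print("multi-stage with short-circuit relay:", run(build_chain()))
    print("single device, no short-circuit relay:",
          run([FilterDevice("PF-solo", 18, lambda p: False)]))
```

Running the module prints both outcomes: the chain delivers all six regular packets with no loss and removes all 24 injected frames across its stages, while the single device overflows its filtering capacity and loses the six regular packets queued behind the attack traffic. The bypass rules here partition traffic by destination so that each stage filters a different segment; the rule (claim 8) has to be chosen so that what one stage skips is within the capacity of the stages behind it.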
The present invention is not limited to the embodiments described above and includes various modifications. For example, the above embodiments have been described in detail to explain the present invention clearly, and the invention is not necessarily limited to one having all of the configurations described. Part of the configuration of one embodiment can be replaced with the configuration of another embodiment, and the configuration of another embodiment can be added to the configuration of one embodiment. Further, other configurations can be added to, deleted from or substituted for part of the configuration of each embodiment.
The configurations, functions, processing units, processing means and the like described above may be realized partly or wholly in hardware, for example by designing them as integrated circuits. They may also be realized in software by a processor interpreting and executing programs that implement the respective functions. Information such as the programs, tables and files that implement each function can be placed in memory, in a recording device such as a hard disk or SSD (Solid State Drive), or on a recording medium such as an IC card, SD card or DVD.
The control lines and information lines shown are those considered necessary for the explanation; not all control lines and information lines of a product are necessarily shown. In practice, almost all of the configurations may be considered to be connected to one another.
1, 1a, 1b, 1c Packet filter device
100 Control unit
200 Storage unit
10, 101 Device processing load determination unit
11 Filter rule storage unit
12 Illegal packet determination unit
13, 131 Reception protocol processing unit
14, 141 Transmission protocol processing unit
15, 151 Short-circuit relay switching unit
17 Processing load measuring unit
191 Reception interface unit
192 Transmission interface unit
2 Network node
200 Packet relay device
3 Terminal device
9, 900, 901, 902 Transmission path

Claims (12)

  1.  A packet filter device connected to a plurality of terminal devices via a transmission path, which receives packets transmitted over the transmission path and performs filtering processing that restricts the passage of packets according to a specific rule, the packet filter device comprising:
     a storage unit that stores the specific rule; and
     a control unit that, when the processing load of packet processing reaches a specified value, changes the specific rule stored in the storage unit and performs the filtering processing.
  2.  The packet filter device according to claim 1,
     wherein the control unit collects, from another packet filter device connected via the transmission path, information on the packet processing load in that other packet filter device, and changes the specific rule based on the processing load of packet processing in its own device and the information on the processing load collected from the other packet filter device.
  3.  A packet filter device connected to a plurality of terminal devices via a transmission path, which receives packets transmitted over the transmission path and performs filtering processing that restricts the passage of packets according to a specific rule, the packet filter device comprising:
     a storage unit that stores the specific rule; and
     a control unit that exchanges information on packet processing load with other packet filter devices connected via the transmission path, changes the specific rule according to the information on the processing load received from the other packet filter devices, and performs the filtering processing.
  4.  The packet filter device according to claim 2 or 3,
     wherein changing the specific rule means changing it so that the filtering processing is omitted for some or all of the plurality of packets received from the transmission path.
  5.  The packet filter device according to claim 4,
     wherein the control unit determines, based on the information on the processing load collected from the other packet filter device, the amount of packets for which the filtering processing is omitted such that the processing load on the other packet filter device stays within a predetermined threshold.
  6.  The packet filter device according to claim 4,
     wherein, if the control unit determines that omitting the filtering processing for some of the plurality of received packets would cause the processing load on the other packet filter device to exceed a predetermined threshold, it discards those of the received packets for which the filtering processing was omitted.
  7.  The packet filter device according to claim 4,
     wherein a plurality of the other packet filter devices are connected to the transmission path in multiple stages, and
     the control unit obtains, based on the information on the processing load collected from the plurality of other packet filter devices, the amount of packets that the plurality of other packet filter devices can process, and determines the amount of packets for which the filtering processing is omitted.
  8.  The packet filter device according to claim 4,
     wherein the control unit selects the packets for which the filtering processing is omitted based on any one of: a specific bit string contained in the packet, information on the source terminal device of the packet, information on the destination terminal device of the packet, and information on the protocol used by the data of the packet.
  9.  The packet filter device according to claim 2 or 3,
     wherein the processing load is obtained from the amount of packets the packet filter device receives per unit time.
  10.  A communication control system comprising:
     a plurality of terminal devices connected to one another via a transmission path and transmitting and receiving packets; and
     a plurality of packet filter devices that receive packets transmitted over the transmission path and perform filtering processing that restricts the passage of packets according to a specific rule,
     wherein each packet filter device comprises:
     a storage unit that stores the specific rule; and
     a control unit that, when the processing load of packet processing reaches a specified value, changes the specific rule stored in the storage unit and performs the filtering processing.
  11.  The communication control system according to claim 10,
     wherein at least one packet filter device collects, from another packet filter device, information on the packet processing load of that other packet filter device, and
     the at least one packet filter device changes the specific rule so as to omit the filtering processing for some or all of the plurality of packets, based on the processing load of packet processing in its own device and the information on the processing load collected from the other packet filter device, such that the processing load on the other packet filter device stays within a predetermined threshold.
  12.  The communication control system according to claim 10,
     wherein at least one of the packet filter devices has a relay device connected between that packet filter device and the transmission path, and
     the relay device selects, from the packets flowing on the transmission path, the packets that are to be subjected to the filtering processing and transmits them to the at least one packet filter device.
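Claims 5 to 7 (and claim 11) have the upstream device decide, from the load information the downstream devices report, how many packets may skip filtering and what to do with the rest. The following is an added example of that decision in Python, not code from the patent or from Hitachi; LoadReport, plan_bypass, allocate, the report fields, the device names and the numeric scenarios are constructed. It assumes that a packet which skips filtering upstream is filtered once by a downstream device with spare capacity, so the chain's spare capacity is the sum of the reported headroom; the claims do not fix this model, and the selection of which packets skip filtering (claim 8) is left to the data plane.

```python
"""Deciding how much filtering to skip from exchanged load reports.

Added example, not code from the patent or from Hitachi; the report
format, the threshold figures and the scenarios are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class LoadReport:
    """Processing-load information a downstream filter device sends upstream
    (claims 2 and 3): its current load and its threshold, both in packets
    per unit time (claim 9 measures load as packets received per unit time)."""
    name: str
    load: int
    threshold: int

    @property
    def headroom(self) -> int:
        """Packets this device can still filter this unit time without loss."""
        return max(0, self.threshold - self.load)


def plan_bypass(own_load: int, own_threshold: int,
                downstream: List[LoadReport]) -> Tuple[int, int, int]:
    """Return (filter_here, bypass, discard) for the current unit time.

    filter_here: packets this device filters itself (up to its threshold).
    bypass     : packets relayed without filtering; claims 5 and 7 size this
                 from what the downstream devices can absorb within their
                 thresholds (assumption: one downstream device filters each
                 bypassed packet, so capacities add up).
    discard    : claim 6; packets that would push a downstream device over
                 its threshold are dropped here instead of relayed unfiltered.
    """
    filter_here = min(own_load, own_threshold)
    excess = own_load - filter_here
    if excess == 0:
        return filter_here, 0, 0
    capacity = sum(r.headroom for r in downstream)
    bypass = min(excess, capacity)
    return filter_here, bypass, excess - bypass


def allocate(bypass: int, downstream: List[LoadReport]) -> Dict[str, int]:
    """Spread the bypassed amount over the downstream devices in path order,
    each taking no more than its headroom, so none exceeds its threshold."""
    plan: Dict[str, int] = {}
    for r in downstream:
        take = min(bypass, r.headroom)
        plan[r.name] = take
        bypass -= take
    return plan


if __name__ == "__main__":
    # Constructed scenario: 30 packets arrive at a device that can filter 18.
    idle = [LoadReport("PF-2", 4, 18), LoadReport("PF-3", 10, 18)]
    busy = [LoadReport("PF-2", 16, 18), LoadReport("PF-3", 17, 18)]
    for reports in (idle, busy):
        here, skip, drop = plan_bypass(30, 18, reports)
        print(f"filter {here}, bypass {skip}, discard {drop}, "
              f"downstream share {allocate(skip, reports)}")
```

With idle downstream devices the 12 packets beyond the upstream device's capacity are all relayed unfiltered and PF-2 alone absorbs them; when the downstream devices report only three packets of headroom between them, three are relayed and the other nine are discarded rather than sent on, which keeps every device in the chain within its threshold at the cost of those nine packets.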

Priority Applications (2)

Application Number Priority Date Filing Date Title
PCT/JP2013/063105 WO2014181452A1 (en) 2013-05-10 2013-05-10 Packet filter device and communication control system
JP2015515720A JPWO2014181452A1 (en) 2013-05-10 2013-05-10 Packet filter device and communication control system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/JP2013/063105 WO2014181452A1 (en) 2013-05-10 2013-05-10 Packet filter device and communication control system

Publications (1)

Publication Number Publication Date
WO2014181452A1 true WO2014181452A1 (en) 2014-11-13

Family

ID=51866953

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2013/063105 WO2014181452A1 (en) 2013-05-10 2013-05-10 Packet filter device and communication control system

Country Status (2)

Country Link
JP (1) JPWO2014181452A1 (en)
WO (1) WO2014181452A1 (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2001211204A (en) * 2000-01-26 2001-08-03 Hitachi Ltd Load balancing method and apparatus
JP2001249866A (en) * 2000-03-06 2001-09-14 Fujitsu Ltd Network in which firewall function is distributed, firewall server having firewall distribution function, and edge node having firewall function
JP2009504022A (en) * 2005-07-28 2009-01-29 リバーベッド テクノロジー インコーポレイティッド Serial clustering
JP2011172126A (en) * 2010-02-22 2011-09-01 Mitsubishi Electric Corp Packet filtering system, packet filtering apparatus, and program


Also Published As

Publication number Publication date
JPWO2014181452A1 (en) 2017-02-23


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 13884266

Country of ref document: EP

Kind code of ref document: A1

ENP Entry into the national phase

Ref document number: 2015515720

Country of ref document: JP

Kind code of ref document: A

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 13884266

Country of ref document: EP

Kind code of ref document: A1