
WO2017145526A1 - Communication control apparatus and communication control method - Google Patents

Communication control apparatus and communication control method

Info

Publication number
WO2017145526A1
Authority
WO
WIPO (PCT)
Prior art keywords
ifg
communication
communication frame
allowable
frame
Prior art date
Application number
PCT/JP2017/000363
Other languages
French (fr)
Japanese (ja)
Inventor
淳也 藤田
山田 勉
山田 弘道
Original Assignee
株式会社日立製作所
Priority date
Filing date
Publication date
Application filed by 株式会社日立製作所
Publication of WO2017145526A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/40 Bus networks

Definitions

  • the present invention relates to a communication control device and a communication control method for improving cyber security tolerance in a communication network that requires real-time performance.
  • control systems critical infrastructure control systems
  • control devices that play the core role in the control mechanisms such as the controller for control and the network for control communication are designed in pursuit of high real-time characteristics, and many are configured by embedded systems.
  • Embedded systems include dedicated software and hardware such as RTOS (Real-Time Operating System), microcomputer (microcontroller), ASIC (Application Specific Integrated Circuit), and FPGA (Field Programmable Gate Array).
  • security devices such as FW (Firewall) and AAA (Authentication, Authorization and Accounting) servers are deployed at the boundaries where intrusion from external networks is possible.
  • the security risk of the control system can be further reduced by adopting the technology that directly implements the security function for the existing control device.
  • Patent Document 1 discloses a network relay device that relays communication in a communication network that performs communication between a plurality of clients.
  • the network relay device is a network LSI (Large-Scale Integration).
  • a network relay device is proposed, which includes a transfer engine unit configured as follows and a central control unit that controls the operation state of the network relay device.
  • the network relay device disclosed in Patent Document 1 includes a plurality of functional blocks that realize a function for individually transferring data inside, a load determining unit that determines the load applied to each functional block and the load on the line, and a frequency voltage control unit that, from the functional block or line load determined by the load determining unit, individually switches at least one of the clock supplied to each functional block and the operating voltage.
  • the instantaneous load is measured from the packet communication interval (IFG: Inter-Frame Gap), and from the result the frequency voltage control unit determines the clock supplied to each functional block and the availability of the operating voltage.
  • a countermeasure against a DoS (Denial of Service) attack can be realized.
  • because a DoS attack is normal communication when viewed from the communication data alone, it is difficult to detect with FW and the like, and it is relatively easy to execute the attack.
  • Patent Document 2 proposes a synchronous message processing method that avoids the influence of an attack under a DoS attack in which a large number of messages (synchronization messages) are sent to a certain terminal.
  • a terminal equipped with this synchronization message processing method includes an application unit that holds and transmits synchronization message data and accepts user-side processing, a synchronization processing unit that interprets the meaning of the synchronization message data, and a protocol processing unit that sends and receives synchronization messages to and from the network and executes communication protocol processing.
  • the above-described protocol processing unit measures the IFG (Inter-Frame Gap) with the previously received synchronization message, and discards the synchronization message if the IFG is within a certain time.
  • the network relay device disclosed in Patent Document 1 determines the load on the network by measuring the IFG of the communication data as the load determination process, but it performs statistical processing as the load determination, so it is difficult to determine whether the communication data is instantaneously abnormal.
  • the synchronous message processing method of Patent Document 2 is a mechanism for determining a DoS attack based on the condition whether or not the IFG is below a threshold value.
  • the IFG threshold determination means determines a DoS attack by registering a fixed value in advance, or changing the threshold depending on whether or not a white list of a communication transmission source registered in advance or a black list is described.
  • the terminals that can be connected to the network are often limited, and an RTU (Remote Terminal Unit) or HMI (Human-Machine Interface), which is the transmission source of permitted communication, is likely to be a stepping stone for DoS attacks.
  • the synchronous message processing method disclosed in Patent Document 2 uses the synchronous message as a discarding unit, and buffers the synchronous message in a memory area in the apparatus including the synchronous message processing method disclosed in Patent Document 2. After determining whether or not it is a message, data necessary for determining whether or not a synchronous message is acceptable, such as transmission source information, is acquired.
  • the problem to be solved by the present invention is to easily add a security function to an existing control device, and in particular, to detect or avoid a DoS attack without affecting the real-time property of communication between control devices.
  • the present invention is for solving the above-described problem, relays a communication frame transmitted from the network to the control device, and the communication frame is a communication control device configured by small frames following a predetermined order
  • the communication control device includes: an IFG measurement unit that measures IFG of a communication frame; a communication frame scan unit that scans communication frame data without storing data; and obtains scan data and communication frame array data; and communication frame scan Based on the scan data of the current communication frame acquired by the unit, an allowable IFG determination unit that determines an allowable IFG of a communication frame to be received next, an allowable IFG list that stores the allowable IFG obtained by the allowable IFG determination unit, The IFG measurement value acquired by the IFG measurement unit and the communication frame acquired by the communication frame scan unit.
  • the present invention is a communication control method in a communication control apparatus configured to relay a communication frame transmitted from a network to a control apparatus, and the communication frame is composed of small frames that follow a predetermined order. If the IFG measurement value during the period is less than or equal to the threshold, any data is extracted from the communication frame, checked against one or more rules based on the extracted data, and whether there is an abnormality in the communication data based on the result And an arbitrary item in one or more rule lists related to the next communication frame is updated.
  • the communication control method means a method for realizing the following processing which is performed by the communication control in the present invention.
  • the configuration and effects of the present invention will be described by taking a control system as an example, the present invention is also applied to a system that requires real-time performance comparable to that of the control system.
  • FIG. 2 shows an application example of the communication control apparatus of the present invention to a control system.
  • the communication control device T according to the present invention shown in FIG. 2 is installed between the network NW that performs real-time communication in the control system and the control device E that is a protection target from the DoS attack.
  • the installation mode includes a mode of relaying between networks, a mode of directly connecting to a NIC (Network Interface Card) of the control device E, or a mode of directly mounting inside the control device E. Any of these modes can be applied. In short, it may be installed on the control device entrance side on the communication path including the network.
  • FIG. 1 shows a configuration example of a communication control apparatus T according to the present invention.
  • the communication control apparatus T takes in the communication frame F1 from the network NW from the input interface I / F1, and outputs the communication frame F2 after the security processing from the output interface I / F2.
  • the communication data D of the communication frame F1 is first captured by the IFG measurement unit 201.
  • the IFG measurement unit 201 measures the IFG of the communication frame at the data link level, and sends the IFG measurement value D1 to the abnormal communication frame determination unit 203.
  • the communication data D constituting the communication frame F1 is then taken into the communication frame scanning unit 202, and the communication frame scanning unit 202 scans the data without storing the data of the communication frame F1, and acquires the scan data D3 and the array data D2 of the communication frame F1.
  • the data D2 of the arrangement of the communication frames F1 is sent to the abnormal communication frame determination unit 203, and the scan data D3 is sent to the allowable IFG determination unit 205.
  • the allowable IFG determination unit 205 determines the allowable IFG of the communication frame F1 (t + 1) to be received next based on the scan data D3 of the current communication frame F1 (t) acquired by the communication frame scanning unit 202.
  • the allowable IFG of the communication frame F1 determined by the allowable IFG determination unit 205 is sent to the allowable IFG list 200 as update information D4, and the allowable IFGs set for each header information and reception frequency of the communication frame F1 form a list in the allowable IFG list 200.
  • the list content D5 of the allowable IFG list 200 is sent to the abnormal communication frame determination unit 203.
  • from the IFG measurement value D1 acquired by the IFG measurement unit 201, the communication frame array data D2 acquired by the communication frame scan unit 202, and the allowable IFG list content D5 acquired from the allowable IFG list 200, it is determined whether or not the communication frame F1 is a DoS attack.
  • the network control unit 204 generates security information indicating permission, discard or warning of the communication frame F1 based on the determination result generated by the abnormal communication frame determination unit 203, and reflects it in the communication frame F2 output from the output interface I / F2. As a result, the downstream control device E side can determine whether or not data can be adopted using the security information of the received communication frame F2.
  • the communication frame F1 handled by the communication control device T in FIG. 1 may be various, but here, for example, a description will be given with reference to the structure of the communication frame F1 compliant with IEEE802.3 shown in FIG.
  • An IEEE 802.3-compliant communication frame F1 taken as an example of a communication frame includes, from the top, a preamble F11, SFD (F12), destination address F13, source address F14, Type (F15), payload / upper protocol F16, and FCS (F17).
  • each part of F11 to F17 constituting the communication frame F1 is collectively referred to as a small frame, and will be described separately from the communication frame F1 as a whole.
  • FIG. 5 shows an example of the allowable IFG list 200 handled by the communication control apparatus T in FIG.
  • FIG. 5 shows an allowable IFG (bit time) set for main small frames after the destination address F13 in FIG.
  • the destination address F13, source address F14, Type (F15), and data part (IP source address) are taken up as main small frames after the destination address F13 stored in the allowable IFG list 200.
  • the allowable IFG (bit time) is 500, 400, 300, and 200 (bit time), respectively.
  • the permissible IFG for each small frame described in the permissible IFG list 200 is a set of permissible IFGs that are successively shorter from the small frame closer to the head of the communication frame F1 to the subsequent stage.
  • FIG. 3 shows a flowchart of basic processing of the communication control apparatus T according to the present invention.
  • the communication control device T in FIG. 1 receives the communication data D of the communication frame F1 as information necessary for internal processing at an appropriate timing, and further, with the execution of the flowchart in FIG. Derived from D, IFG measurement value data D1, communication frame data D2, scan data D3, and the like are generated.
  • the communication frame F1 from the network NW received by the input side communication interface I / F1 of the communication control device T is detected.
  • the detection of the communication frame F1 can be performed as reception detection by detecting, for example, a preamble that is the leading portion of the communication frame F1 and an SFD (Start Frame Delimiter).
  • IFG which is a time difference between the previous communication frame reception time and the communication frame reception time received this time is measured.
  • it can be measured by an internal clock of the communication control device T or the like.
  • the case where the measured IFG is 600 (bit time) and the case where the measured IFG is 250 (bit time) will be described as an example.
  • the measured IFG measured in processing step S301 is compared with the largest allowable IFG (hereinafter referred to as the maximum allowable IFG) among the allowable IFGs stored in the allowable IFG list 200 of FIG. If the measurement IFG is larger than the maximum allowable IFG (N in processing step S302), the processing on the processing step S309 side is performed. If the measurement IFG is smaller than the maximum allowable IFG (Y in processing step S302), the processing on the processing step S303 side is performed.
  • the processing step S306 is described.
  • the current communication frame F1 (t) is permitted in step S309.
  • Scan data D3, which is information necessary for updating the allowable IFG list 200 for the communication frame F1 (t + 1) to be received next, is acquired from the communication frame F1 (t).
  • the processing IFG in processing step S303 is performed.
  • the data of the current communication frame F1 (t) after the preamble is acquired from the head, and the data of the communication frame F1 (t) (communication frame data D2) is acquired as needed.
  • the processing in the processing step S303 will be described later with reference to FIG. 4, but in short, for each small frame below the preamble constituting the communication frame F1 (t), the data necessary to identify that small frame is acquired.
  • the process of processing step S304 is executed when enough data to select the corresponding list in the allowable IFG list 200 has been obtained from the communication frame F1 (t), and compares the allowable IFG of that list with the measurement IFG. More specifically, for a small frame below the preamble constituting the communication frame F1 (t), when the small frame can be detected, a list corresponding to the small frame in the allowable IFG list 200 is selected, and the allowable IFG described in the selected list is compared with the measured IFG.
  • the process on the process step S311 side is performed.
  • the process in process step S305 is performed.
  • step S311 when the measured IFG is larger than the allowable IFG of the corresponding list (N in processing step S304), the sequential repeated determination is executed for sequential small frames.
  • the measurement IFG is 250 (bit time), and the allowable IFG determined by the source address F14 which is the first small frame after the destination address F13 is 400 (bit time).
  • the measurement IFG becomes equal to or less than the allowable IFG, and the communication data F1 is discarded and an alert is generated in processing step S305.
  • FCS frame check sequence
  • processing step S307 after the series of communication frame F1 (t) abnormality determination processing is completed, the allowable IFG list is updated based on the acquired communication frame data (scan data D3). This update process needs to be completed before the next communication frame F1 (t + 1) is received. For example, in the case of a protocol conforming to IEEE 802.3, it is determined in the specification that it is 96 bit time, and the update of the allowable IFG list may be completed within this time.
  • the abnormal communication frame determination unit 203 in FIG. 1 that executes the step of the processing step S304 in FIG. 3 is described in the target allowable IFG list based on the small frame data obtained sequentially from the top of the communication frame. A plurality of allowed IFG items can be sequentially compared.
  • the destination address F13 is detected after the reception of the communication frame F1 is detected by detecting the preamble F11 and the SFD (F12) which are the heads of the communication frame F1. Get the data.
  • the allowable IFG corresponding to the destination address F13 is obtained by referring to the allowable IFG list 200 and compared with the measured IFG and the maximum allowable IFG described in the destination address F13.
  • the allowable IFG (bit time) of the destination address F13 is 500 (bit time)
  • the comparison process executed in the processing step S304 specifically proceeds as follows.
  • the premise of the processing here is that the measurement IFG is confirmed to be smaller than the permissible IFG (500) corresponding to the destination address F13 by the processing in the processing step S302, and therefore the comparison processing executed in the processing step S304.
  • the allowable IFG (400) corresponding to the source address F14 is acquired from the allowable IFG list 200.
  • the measurement IFG of the source address F14 is smaller than the allowable IFG (400) corresponding to the source address F14, it corresponds to the type F15 (type) information and the payload part F16 (including higher level protocols such as Internet Protocol).
  • the permissible IFG (200) to be acquired is acquired from the permissible IFG list 200, and the comparison processing with the type F15 (type) information and the measurement IFG of the payload portion F16 is sequentially executed.
  • the processing step S305 replaces the FCS (F17) data at the end of the communication frame F1 with other data. Thereby, the communication frame F1 can be discarded in the NIC of the control device E.
  • since the DoS attack can be determined with high accuracy without storing the communication frame F1, the control device E can be resistant to DoS attacks without affecting its real-time processing.
  • the minimum configuration of the allowable IFG list 200 includes two attributes of “data condition” and “allowable IFG”.
  • the data condition corresponds to data information of a communication frame, for example.
  • the conditions of the destination address F13 and the source address F14 of the communication frame correspond to this.
  • the destination address F13 and the source address F14 which are small frames after the preamble F11 and the SFD (F12), which are used to detect the reception of the communication frame F1 are the head part of the communication frame F1.
  • the data condition corresponds to the “data condition”.
  • the value (bit time) set in the “allowable IFG” should be determined in consideration of the system requirements and the processing performance of the apparatus.
  • the communication control device T scans the communication frame F1 from the head by cut-through, and refers to the allowable IFG corresponding to the data condition attribute of the allowable IFG list 200 as soon as a small frame after the destination address F13 is acquired as necessary information. Then, the measurement IFG is compared. For this reason, the allowable IFG is determined according to the system requirements and the processing performance of the apparatus. This is because the criterion for determining a DoS attack depends on system specifications and device processing performance.
  • the processing performance of the communication frame of the device will also be affected.
  • a communication frame processing platform used in an enterprise server has sufficient performance for processing a communication frame F1 of the order of several hundred Gbps.
  • the control device E constituting the control system has limited resources in many cases, and often cannot process a communication frame F1 of 100 Mbps or more. That is, depending on the processing performance of the communication frame receiving terminal, a certain type of communication may or may not be a DoS attack.
  • the communication control device T of the present invention executes a process of dynamically updating the allowable IFG list according to the communication status and the processing performance of the device. For example, in the control device E, when the time related to processing of a certain communication frame F1 can be evaluated in advance, there is a possibility that a DoS attack can be detected or avoided by setting a value equal to or longer than the processing time as the allowable IFG in the data pattern of the communication frame.
  • the control device E is queued
  • the communication frame F1 is processed, and processing resources are occupied.
  • the communication frame F1 can be regarded as a DoS attack.
  • the above-described countermeasure in the present invention can cope with such a DoS attack.
  • FIG. 6a shows a case where the reception interval of the communication frame F1 is short and the measured average IFG is short.
  • FIG. 6b shows the case where the average IFG is long.
  • control device E in the control system periodically transmits and receives data.
  • communication for real-time control is often periodic.
  • an allowable IFG is set only for the communication frame F1 that may be received next, and the others are disabled.
  • the setting for invalidating the corresponding communication frame F1 can be handled by setting a value equal to or greater than the cycle time (T_freq) in the allowable IFG. An example of this is shown in FIG.
  • the signal processed by the communication control device T according to the third embodiment of the present invention installed between the network NW and the control device E of FIG. 2 is a signal that is periodically repeated every cycle time T_freq.
  • within the cycle time T_freq, for example, communication is known in advance to be received in the order of the communication frame F1a, the communication frame F1b, the communication frame F1c, and the communication frame F1d.
  • the communication frame F1a is next processed one cycle time T_freq later, and the same periodic relationship holds for the other communication frames.
  • the time between successive communication frames is arbitrarily set. Therefore, the IFG to be managed by the communication frame F1a is related to the communication frame F1a after one cycle, and is not the time between successive communication frames.
  • for this reason, in Example 3 the allowable IFG list 200 holds the allowable IFGs for all communication frames handled in the cycle time T_freq (communication frame F1a, communication frame F1b, communication frame F1c, and communication frame F1d).
  • the value of each allowable IFG in the allowable IFG list 200 is appropriately updated every time a communication frame is received.
  • the pattern P1 shows the content of the allowable IFG list 200 after receiving the communication frame F1a, the pattern P2 shows the content of the allowable IFG list 200 after receiving the communication frame F1b, and the pattern P3 shows the content of the allowable IFG list 200 after receiving the communication frame F1c.
  • only the communication frame F1b of the allowable IFG list 200 is set to a numerical value of T_freq or less, for example, 200, and other communication frames are set to T_freq. In this way, after the communication frame F1a has passed, only the communication frame F1b can be set to be permitted.
  • only the communication frame F1d of the allowable IFG list 200 is set to a numerical value of T_freq or less, for example, 500, and other communication frames are set to T_freq. By doing so, after the communication frame F1c passes, only the communication frame F1d can be set to be permitted.
  • for both the communication frame F1b and the communication frame F1c in the allowable IFG list after receiving the communication frame F1a, by setting a numerical value equal to or lower than T_freq to the allowable IFG, it is possible to cope with a case where any one of a plurality of received IFGs is received.
  • FIG. 8 shows an example in which a valid numerical value is set in the allowable IFG for both the communication frame F1b and the communication frame F1c in this case, and it is necessary to set a reception prohibition period of a certain time after receiving the communication frame F1a.
  • the reception prohibition period 400 bit time in the example of FIG. 8 is set as the allowable IFG of the communication frame F1c.
  • FIG. 9 shows an example of the allowable IFG list 200 including information on the reception frequency of the communication frame F1.
  • the allowable IFG list 200 shown in FIG. 9 further includes information on allowable reception frequency as an attribute.
  • the permissible reception frequency is the number of received communication frames that can be determined that the communication frame is not abnormal with respect to a certain number of received communication frames.
  • the current communication frame reception frequency hereinafter referred to as the current reception frequency
  • the allowable reception frequency can be expressed in a format such as the number of communication frames received in 100 frames.
  • the allowable reception frequencies (/ 100 frames) of the communication frames F1A, F1B, F1C, and F1D are set to 5, 10, 10, and 20.
  • the reception frequency is normal up to 5 times per 100 frames, and when the frequency exceeds 6 times, the communication frame F1A is regarded as abnormal.
  • FIG. 10 shows a part of the configuration of the communication control apparatus T having the allowable IFG list 200 having information on the allowable reception frequency.
  • the communication control device T in FIG. 10 counts the reception frequency for each communication frame data D2 received from the communication frame scanning unit 202 in addition to the configuration described in FIG.
  • the communication frame statistics processing unit 206 that notifies the unit 203 is provided.
  • the abnormal communication frame determination unit 203 has a function of determining whether there is an abnormality in the communication frame including the reception frequency information of the communication frame, in addition to the function of the abnormal communication frame determination unit 203 of FIG.
  • FIG. 11 shows a flowchart in which the communication control device T according to the fourth embodiment determines the presence / absence of a communication frame including reception frequency information.
  • the process of the flowchart of FIG. 11 is basically the same as the process of FIG. 3 and is different only in that a reception frequency determination process step S310 is added.
  • both the measurement IFG comparison processing (processing step S304) and the reception frequency processing (processing step S310) are executed in parallel, and if either of them is determined to be abnormal (Y in processing step S304, N in processing step S310), the data discarding and alert generation processing (processing step S305) is executed. If no abnormality is detected in the reception frequency process (Y in process step S310), the process proceeds to process step S307. If no abnormality is detected in the measurement IFG comparison process (N in process step S304), the process proceeds to process step S311 and moves to the iterative processing for small frames.
  • the communication control apparatus T according to the fourth embodiment illustrated in FIG. 10 can detect a DoS attack with higher accuracy than the communication control apparatus T illustrated in FIG.
  • 200: Allowable IFG list; 201: IFG measurement unit; 202: Communication frame scan unit; 203: Abnormal communication frame determination unit; 204: Network control unit; 205: Allowable IFG determination unit; 206: Communication frame statistics processing unit; D: Communication data; D1: IFG measurement value; D2: Array data; D3: Scan data; D4: Update information; F11: Preamble; F12: SFD; F13: Destination address; F14: Source address; F15: Type; F16: Payload / upper protocol; F17: FCS; F1, F2: Communication frame; I / F1: Input interface; I / F2: Output interface; NW: Network; T: Communication control device
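
The basic decision flow described above (steps S302, S304, S305 and S311) with the FIG. 5 values of 500, 400, 300 and 200 bit times, as an added Python example that is not part of the patent text. It assumes that a list entry applies only when the small frame's data matches the entry's data condition; the addresses, EtherType, frame layout offsets and function names are constructed for illustration.

```python
import struct
import zlib

# Allowable IFG list 200 in the shape of FIG. 5: (small frame, data condition,
# allowable IFG in bit times). 500/400/300/200 are the page's values; the data
# conditions (addresses, EtherType) are constructed sample values.
ALLOWABLE_IFG_LIST = [
    ("dst", bytes.fromhex("020000000001"), 500),
    ("src", bytes.fromhex("020000000002"), 400),
    ("type", bytes.fromhex("0800"), 300),
    ("ip_src", bytes([192, 0, 2, 10]), 200),
]

# Small frames after preamble/SFD in arrival order: (name, byte offset, length).
# ip_src assumes an untagged frame carrying IPv4 (14-byte header + offset 12).
SMALL_FRAMES = [("dst", 0, 6), ("src", 6, 6), ("type", 12, 2), ("ip_src", 26, 4)]


def build_frame(dst, src, ethertype, payload):
    """Destination address .. payload followed by a valid FCS (CRC-32, LSB first)."""
    body = dst + src + ethertype + payload
    return body + struct.pack("<I", zlib.crc32(body))


def nic_accepts(frame):
    """Stand-in for the NIC of control device E: drop frames whose FCS is wrong."""
    return frame[-4:] == struct.pack("<I", zlib.crc32(frame[:-4]))


def judge(frame, measured_ifg, ifg_list=ALLOWABLE_IFG_LIST):
    """Return (verdict, small frame that triggered it) for one received frame."""
    # S302: an IFG above the maximum allowable IFG is permitted at once (S309).
    if measured_ifg > max(allowed for _, _, allowed in ifg_list):
        return "permit", None
    # S303/S304/S311: take the small frames in arrival order, starting after the
    # destination address, and compare as soon as each one is available.
    for name, offset, length in SMALL_FRAMES[1:]:
        value = frame[offset:offset + length]
        for cond_name, cond_value, allowed in ifg_list:
            if (cond_name, cond_value) == (name, value) and measured_ifg <= allowed:
                return "discard", name  # S305: discard and raise an alert
    return "permit", None


def relay(frame, measured_ifg):
    """Cut-through relay: only the trailing FCS can still be changed on discard."""
    verdict, where = judge(frame, measured_ifg)
    if verdict == "discard":
        # Everything before the FCS has already left the output interface, so
        # the frame is invalidated by replacing the FCS with other data.
        frame = frame[:-4] + bytes(b ^ 0xFF for b in frame[-4:])
    return verdict, where, frame


def sample_frame(src=bytes.fromhex("020000000002"), ethertype=bytes.fromhex("0800")):
    """Constructed test frame: IPv4 header with source 192.0.2.10, zero padding."""
    ipv4 = bytes.fromhex("450000140000000040110000") + bytes([192, 0, 2, 10, 192, 0, 2, 20])
    return build_frame(bytes.fromhex("020000000001"), src, ethertype, ipv4 + bytes(26))


if __name__ == "__main__":
    # The two measured IFGs the text walks through: 600 and 250 bit times.
    for ifg in (600, 250):
        verdict, where, out = relay(sample_frame(), ifg)
        print(ifg, verdict, where, "NIC accepts:", nic_accepts(out))
```
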
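
The per-frame rewriting of the allowable IFG list for periodic communication (patterns P1 to P3 and the FIG. 8 variant), as an added Python example that is not part of the patent text. The values 200 after F1a, 500 after F1c and 400 for F1c in the FIG. 8 variant are the page's; `T_FREQ`, the remaining allowable IFGs, the class and function names, and the rule that only permitted frames advance the pattern are assumptions.

```python
T_FREQ = 10_000  # cycle time in bit times; constructed, the page gives no figure

# For each frame just received: the frames that may legitimately come next and
# the allowable IFG written for them. 200 after F1a and 500 after F1c are the
# page's values for the fixed order F1a, F1b, F1c, F1d; the rest are constructed.
FIXED_ORDER = {
    "F1a": {"F1b": 200},
    "F1b": {"F1c": 300},
    "F1c": {"F1d": 500},
    "F1d": {"F1a": 300},
}
# FIG. 8 style variant: either F1b or F1c may follow F1a. 400 for F1c is the
# page's reception prohibition period; 200 for F1b is carried over (assumption).
BRANCHING = dict(FIXED_ORDER, F1a={"F1b": 200, "F1c": 400})


class PeriodicIfgList:
    """Allowable IFG list 200 that is rewritten after every accepted frame."""

    def __init__(self, successors):
        self.successors = successors
        # Assumption: nothing is restricted until the first frame has been seen.
        self.allowable = {name: 0 for name in successors}

    def update(self, received):
        """S307: disable every frame with T_freq, then enable the expected ones."""
        self.allowable = {name: T_FREQ for name in self.successors}
        self.allowable.update(self.successors[received])

    def judge(self, name, measured_ifg):
        """Discard when the measured IFG is at or below the frame's allowable IFG."""
        # Frames that are not in the list at all are treated as disabled.
        if name not in self.successors or measured_ifg <= self.allowable[name]:
            return "discard"
        self.update(name)  # assumption: only permitted frames advance the pattern
        return "permit"


def run(successors, trace):
    """Feed (frame name, measured IFG) pairs through a fresh list; return verdicts."""
    ifg_list = PeriodicIfgList(successors)
    return [ifg_list.judge(name, ifg) for name, ifg in trace]


if __name__ == "__main__":
    # Constructed traces: a normal cycle, a too-early F1b, and an out-of-order F1c.
    print(run(FIXED_ORDER, [("F1a", 2500), ("F1b", 2500), ("F1c", 2500), ("F1d", 2500)]))
    print(run(FIXED_ORDER, [("F1a", 2500), ("F1b", 150)]))
    print(run(FIXED_ORDER, [("F1a", 2500), ("F1c", 2500)]))
    print(run(BRANCHING, [("F1a", 2500), ("F1c", 2500)]))
```

Because disabled entries hold `T_FREQ` rather than an unbounded value, a frame that arrives after a gap longer than one cycle is still permitted in this sketch, so the sequence can resynchronise after a lost frame.
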

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Small-Scale Networks (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The purpose of the present invention is to easily add a security function to an existing control apparatus, and especially to detect or avoid DoS attacks without affecting the real-time property of communication between control apparatuses. A communication control apparatus relays a communication frame to be transmitted to a control apparatus from a network, the communication frame being constituted by small frames that follow a predetermined order. The communication control apparatus is provided with: an IFG measurement unit that measures an IFG of the communication frame; a communication frame scan unit that scans data in the communication frame without storing the data and that acquires the scanned data and data relating to the arrangement of the communication frame; an allowable-IFG determination unit that determines an allowable IFG of the communication frame that is to be received next, on the basis of the scanned data of the current communication frame acquired by the communication frame scan unit; an allowable-IFG list that stores the allowable IFG obtained by the allowable-IFG determination unit; an abnormal communication frame determination unit that determines that the communication frame is a DoS attack from an IFG measurement value acquired by the IFG measurement unit, data relating to the arrangement of the small frames of the communication frame acquired by the communication frame scan unit, and the content of the allowable-IFG list stored in the allowable-IFG list; and a network control unit which, in accordance with a determination result from the abnormal communication frame determination unit, adds to the communication frame security information signifying discarding of or a warning about the communication frame and transmits the communication frame to the control apparatus. 
The communication control apparatus is characterized in that the abnormal communication frame determination unit determines that the communication frame is a DoS attack by comparing the allowable IFG stored in the allowable-IFG list with the IFG measurement value.

Description

Communication control device and communication control method
The present invention relates to a communication control device and a communication control method for improving cyber security resilience in communication networks that require real-time performance.
In recent years, cyber security (hereinafter simply "security") threats to control systems for critical infrastructure (hereinafter "control systems") have become serious.
Among the components of a control system, the control devices at the core of the control mechanism, such as controllers and control communication networks, are designed for high real-time performance, and many of them are built as embedded systems.
An embedded system consists of dedicated software and hardware such as an RTOS (Real-Time Operating System), a microcontroller, an ASIC (Application Specific Integrated Circuit), and an FPGA (Field Programmable Gate Array). Because embedded systems implemented with these components pursue high real-time performance, they are designed without redundancy and offer little extensibility.
For this reason, it is difficult to add security functions, particularly to existing embedded systems.
Meanwhile, attacks on control systems have become more sophisticated in recent years, and control devices in particular are easy targets for attackers because in many cases they have no security functions implemented. In addition, control devices execute processing in close coordination with other devices, so there is a high risk that a fault in one place spreads to the entire control system. An attack on a control device can bring down the whole system, with serious damage in terms of both safety and business.
In light of the above, technology is needed for adding security functions even to existing control systems built as embedded systems.
When security functions are added to a control system, in many cases they are implemented by deploying security devices such as a FW (Fire Wall) or an AAA (Authentication, Authorization and Accounting) server at the boundaries that can serve as entry points from external networks.
This approach can defend against intrusion from outside the system, but it may allow attacks by attackers who can bypass these security functions, for example when the system is penetrated through a vulnerability in the security devices themselves, or when the attacker is an insider.
Therefore, adopting technology that implements security functions directly on existing control devices can further reduce the security risk of the control system.
One way to implement security functions directly on an existing control device is to install a device that relays communication between the control device's communication port and the network, thereby securing the device that receives the communication.
As a known example of this method, Patent Document 1 proposes a network relay device that relays communication in a communication network in which a plurality of clients communicate. The network relay device comprises a transfer engine unit implemented as a network LSI (Large-Scale Integration) and a central control unit that controls the operating state of the network relay device.
The network relay device of Patent Document 1 further has a plurality of functional blocks that each implement a function for transferring data internally, a load determination unit that determines the load on each functional block and the load on the line, and a frequency/voltage control unit that, based on the loads determined by the load determination unit, individually switches at least one of the clock and the operating voltage supplied to each functional block. The load determination unit of this network relay device measures the instantaneous load from the packet communication interval (IFG: Inter-Frame Gap), and from the result the frequency/voltage control unit decides whether to supply the clock and the operating voltage to each functional block.
Another means of securing a device that receives communication is to implement countermeasures against DoS (Denial of Service) attacks.
Because a DoS attack looks like normal communication when each piece of communication data is viewed in isolation, it is difficult to detect with a FW or similar device, and because it is relatively easy to carry out, it is a major security threat.
As a known example of a countermeasure against DoS attacks, Patent Document 2 proposes a synchronization message processing method that avoids the effects of a DoS attack in which a large number of messages (synchronization messages) are sent to a terminal.
A terminal equipped with this synchronization message processing method has an application unit that holds synchronization message data and accepts user-side processing, a synchronization processing unit that interprets the meaning of synchronization message data, and a protocol processing unit that executes communication protocol processing in order to send and receive synchronization messages over the network.
The protocol processing unit measures the IFG (Inter Frame Gap) from the previously received synchronization message and discards the synchronization message if the IFG is within a certain time.
Japanese Patent No. 5066007
JP 2009-57190 A
The network relay device of Patent Document 1 determines network load by measuring the IFG of communication data, but it does so by statistical processing, so it is difficult to determine instantly whether a given piece of communication data is abnormal.
The synchronization message processing method of Patent Document 2 is a mechanism that identifies a DoS attack by whether the IFG is at or below a threshold.
The IFG threshold is either a fixed value registered in advance, or it is varied depending on whether the sender appears in a pre-registered whitelist or blacklist of communication sources, and the DoS attack is determined accordingly.
With this method, a DoS attack cannot be detected or avoided when its source is a sender that is on the whitelist or a sender that is not on the blacklist.
In control systems in particular, the terminals that can connect to the network are often restricted, and an RTU (Remote Terminal Unit) or HMI (Human-Machine Interface) that is a permitted communication source is likely to become a stepping stone for a DoS attack.
In addition, setting only a fixed threshold makes it impossible to perform DoS attack determination on the short-IFG communication that the system carries out as needed.
Furthermore, as its means of discarding synchronization messages, the synchronization message processing method of Patent Document 2 buffers the message in a memory area of the device that implements the method, determines whether it is a synchronization message, and then obtains the data needed to decide whether to accept it, such as source information.
If this scheme is applied to an existing control device, buffering the received data in device memory introduces delay, which may impair the real-time processing of the existing control device.
Accordingly, the problem to be solved by the present invention is to easily add a security function to an existing control device, and in particular to detect or avoid DoS attacks without affecting the real-time property of communication between control devices.
To solve the above problem, the present invention is a communication control device that relays communication frames sent from a network to a control device, each communication frame being composed of small frames that follow a predetermined order. The communication control device comprises: an IFG measurement unit that measures the IFG of the communication frame; a communication frame scan unit that scans the data of the communication frame without storing it and obtains scan data and data on the arrangement of the communication frame; an allowable IFG determination unit that determines the allowable IFG of the communication frame to be received next on the basis of the scan data of the current communication frame obtained by the communication frame scan unit; an allowable IFG list that stores the allowable IFG obtained by the allowable IFG determination unit; an abnormal communication frame determination unit that determines that the communication frame is a DoS attack from the IFG measurement value obtained by the IFG measurement unit, the data on the arrangement of the small frames of the communication frame obtained by the communication frame scan unit, and the contents of the allowable IFG list; and a network control unit that, in accordance with the determination result of the abnormal communication frame determination unit, attaches to the communication frame security information signifying discard of or a warning about the communication frame and transmits it to the control device. The abnormal communication frame determination unit determines that the communication frame is a DoS attack by comparing the allowable IFG stored in the allowable IFG list with the IFG measurement value.
The present invention is also a communication control method for a communication control device that relays communication frames sent from a network to a control device, each communication frame being composed of small frames that follow a predetermined order. In this method, when the measured IFG relative to the previously received communication frame is at or below a threshold, arbitrary data is extracted from the communication frame, the extracted data is checked against one or more rule items, the presence or absence of an abnormality in the communication data is determined from the result, and any item in the list of one or more rule items relating to the next communication frame is updated.
According to the present invention, a function for detecting or avoiding DoS attacks can be realized for the devices that make up a control system, and in particular for existing devices.
According to embodiments of the present invention, DoS attacks can be detected with high accuracy and packets can be discarded without affecting real-time performance, so system security can be ensured without affecting the operation of the control system.
A diagram showing a configuration example of the communication control device T according to the present invention.
A diagram showing an example of applying the communication control device of the present invention to a control system.
A diagram showing the basic flowchart of the communication control device T according to the present invention.
A diagram showing the structure of an IEEE 802.3 compliant communication frame as an example of a communication frame.
A diagram showing an example of the allowable IFG list 200 handled by the communication control device T.
A diagram showing the case where the reception interval of communication frame F1 is short and the measured average IFG is short.
A diagram showing the case where the reception interval of communication frame F1 is long and the measured average IFG is long.
A diagram showing an example of the allowable IFG list of the communication control device T when communication that disturbs periodicity is determined to be abnormal.
A diagram showing an example of setting a time shorter than the cycle time as the allowable IFG for a plurality of communication frames.
A diagram showing an example of the allowable IFG list 200 including information on the reception frequency of communication frame F1.
A diagram showing a configuration example of a communication control device that takes reception frequency information into account.
A diagram showing the basic flowchart of the communication control device T of FIG. 10.
The communication control device and communication control method of the present invention are described below with reference to the drawings. The communication control method means a method that realizes the processing, described below, performed by the communication control of the present invention. The configuration and effects of the invention are described here using a control system as an example, but the invention also applies to systems that require real-time performance comparable to that of a control system.
FIG. 2 shows an example of applying the communication control device of the present invention to a control system.
The communication control device T according to the present invention shown in FIG. 2 is installed between the network NW, which carries the real-time communication of the control system, and the control device E, which is to be protected from DoS attacks. The device may be installed as a relay between networks, connected directly to the NIC (Network Interface Card) of the control device E, or implemented directly inside the control device E; the present invention is applicable in any of these forms. In short, it need only be placed on the control device's ingress side of the communication path that includes the network.
FIG. 1 shows a configuration example of the communication control device T according to the present invention.
The communication control device T takes in communication frame F1 from the network NW through the input interface I/F1 and outputs communication frame F2, after security processing, from the output interface I/F2.
The communication data D of communication frame F1 is first taken into the IFG measurement unit 201, which measures the IFG of the communication frame at the data link level and sends the IFG measurement value D1 to the abnormal communication frame determination unit 203.
The communication data D constituting communication frame F1 is next taken into the communication frame scan unit 202, which scans the data of communication frame F1 without storing it and obtains scan data D3 and data D2 on the arrangement of communication frame F1. The arrangement data D2 is sent to the abnormal communication frame determination unit 203, and the scan data D3 is sent to the allowable IFG determination unit 205.
The allowable IFG determination unit 205 determines the allowable IFG of the communication frame F1(t+1) to be received next, based on the scan data D3 of the current communication frame F1(t) obtained by the communication frame scan unit 202. The allowable IFG determined by the allowable IFG determination unit 205 is sent as update information D4 to the allowable IFG list 200, where it forms a list of allowable IFGs set per header information and reception frequency of communication frame F1. The list contents D5 of the allowable IFG list 200 are sent to the abnormal communication frame determination unit 203.
The abnormal communication frame determination unit 203 determines whether communication frame F1 is a DoS attack from the IFG measurement value D1 obtained by the IFG measurement unit 201, the frame arrangement data D2 obtained by the communication frame scan unit 202, and the list contents D5 obtained from the allowable IFG list 200.
Based on the determination result produced by the abnormal communication frame determination unit 203, the network control unit 204 generates security information signifying permission, discard, or a warning for communication frame F1 and reflects it in the communication frame F2 output from the output interface I/F2. The downstream control device E can then use the security information of the received communication frame F2 to decide whether to accept the data.
The communication frame F1 handled by the communication control device T of FIG. 1 may take various forms; here it is described with reference to the structure of the IEEE 802.3 compliant communication frame F1 shown in FIG. 4.
The IEEE 802.3 compliant communication frame F1 taken as an example consists, from the head, of the preamble F11, SFD (F12), destination address F13, source address F14, Type (F15), payload/upper-layer protocol F16, and FCS (F17). In the present invention, the parts F11 to F17 that make up communication frame F1 are collectively called small frames, to distinguish them from communication frame F1 as a whole.
FIG. 5 shows an example of the allowable IFG list 200 handled by the communication control device T of FIG. 1. It sets an allowable IFG (bit times) for the main small frames from the destination address F13 of FIG. 4 onward. In the example of FIG. 5, the main small frames stored in the allowable IFG list 200 are the destination address F13, the source address F14, Type (F15), and the data part (IP source address), and their allowable IFGs are 500, 400, 300, and 200 (bit times) respectively. In short, the allowable IFG for each small frame in the allowable IFG list 200 is set progressively shorter from the small frame nearest the head of communication frame F1 toward the later ones.
FIG. 3 shows the flowchart of the basic processing of the communication control device T according to the present invention. The communication data D of communication frame F1 is input to the communication control device T of FIG. 1 at appropriate timing as the information needed for internal processing, and as the flowchart of FIG. 3 is executed, the IFG measurement value data D1, the communication frame data D2, the scan data D3, and so on are derived from the communication data D.
The first processing step S300 of the flowchart of FIG. 3 detects a communication frame F1 from the network NW arriving at the input-side communication interface I/F1 of the communication control device T. Reception can be detected, for example, by detecting the preamble at the head of communication frame F1 and the SFD (Start Frame Delimiter). In an IEEE 802.3 compliant communication frame the preamble is 56 bits and the SFD is 8 bits, so reception of communication frame F1 can be detected by detecting the preamble and SFD pair.
Next, processing step S301 measures the IFG, which is the time difference between the reception time of the previous communication frame and the reception time of the communication frame received this time. The IFG can be measured, for example, with the internal clock of the communication control device T. The description below uses two example cases: a measured IFG of 600 (bit times) and a measured IFG of 250 (bit times).
Next, processing step S302 compares the IFG measured in step S301 with the largest allowable IFG stored in the allowable IFG list 200 of FIG. 1 (hereinafter, the maximum allowable IFG). If the measured IFG is larger than the maximum allowable IFG (N in step S302), processing continues on the step S309 side; if the measured IFG is smaller than the maximum allowable IFG (Y in step S302), processing continues on the step S303 side.
In terms of the earlier example, if the measured IFG is 600 (bit times) and therefore larger than the maximum allowable IFG of 500 (bit times) in FIG. 5 (N in step S302), the current communication frame F1(t) will be permitted in step S306. Before it is allowed to pass, however, step S309 obtains from communication frame F1(t) the scan data D3, which is the information needed to update the allowable IFG list 200 for the next communication frame F1(t+1).
If the measured IFG is 250 (bit times) and step S302 determines that it is smaller than the maximum allowable IFG of 500 (bit times) (Y in step S302), step S303 obtains the data of the current communication frame F1(t) after the preamble from the head onward, acquiring the frame data (communication frame data D2) as it arrives. The processing of step S303 is described later with reference to FIG. 4; in short, for each small frame after the preamble that makes up communication frame F1(t), it obtains the data needed to identify that small frame.
Processing step S304 is executed once enough data has been obtained from communication frame F1(t) to select the corresponding entry in the allowable IFG list 200, and it compares that entry's allowable IFG with the measured IFG. More specifically, for each small frame after the preamble of communication frame F1(t), at the moment that small frame has been detected, the entry in the allowable IFG list 200 corresponding to it is selected, and the allowable IFG recorded in that entry is compared with the measured IFG.
If the measured IFG is larger than the allowable IFG of the corresponding entry (N in step S304), processing continues on the step S311 side. If the measured IFG is smaller than the allowable IFG of the corresponding entry (Y in step S304), step S305 is performed.
When the measured IFG is larger than the allowable IFG of the corresponding entry (N in step S304), step S311 causes the determination to be repeated for each successive small frame in turn.
In the earlier example, the measured IFG is 250 (bit times), and the allowable IFG determined by the source address F14, the first small frame after the destination address F13, is 400 (bit times). In this case the measured IFG is at or below the allowable IFG, and step S305 discards the communication data F1 and generates an alert. These determinations are made by consulting the allowable IFG list 200 each time a small frame has been identified, but once discard of the communication data F1 and alert generation have been decided, the subsequent frames do not necessarily need to be judged.
One concrete way to discard a communication frame is, for example, to replace the FCS (frame check sequence) appended to the end of the frame with a different value, for instance by bit inversion. The frame is then discarded when the NIC of the control device E, the device receiving the communication frame, performs its frame check. Replacing the FCS with a different value makes it possible not only to acquire the data of the entire frame except the FCS but also to implement communication filtering in cut-through mode.
In processing step S307, after the abnormality determination for the communication frame F1(t) has finished, the allowable IFG list is updated based on the acquired communication frame data (scan data D3). This update must be completed before the next communication frame F1(t+1) is received. For example, for a protocol conforming to IEEE 802.3, the specification stipulates 96 bit times, so the update of the allowable IFG list need only be completed within this time.
In processing step S308, after the update of the allowable IFG list is complete, the device waits for the next communication frame. When the communication frame F1(t+1) is received, processing returns to processing step S300 and the series of processes described above is repeated for the next communication frame F1(t+1).
Note that the abnormal communication frame determination unit 203 in FIG. 1, which executes processing step S304 of FIG. 3, can sequentially compare the multiple allowable IFG items recorded in the applicable allowable IFG list, based on the small-frame data obtained in order from the head of the communication frame.
For such a communication frame F1, in processing step S300 the communication control device T detects reception of the communication frame F1 by detecting its leading preamble F11 and SFD (F12), and then acquires the data of the destination address F13.
In short, in processing step S302 the communication control device T looks up the allowable IFG corresponding to the destination address F13 in the allowable IFG list 200 and compares the measured IFG with the maximum allowable IFG recorded for the destination address F13. Since the allowable IFG for the destination address F13 is 500 (bit times), processing step S302 determines whether the measured IFG is larger or smaller than 500 (bit times).
After the communication frame is acquired in processing step S303, the comparison executed in processing step S304 proceeds as follows. The premise is that processing step S302 has confirmed the measured IFG to be smaller than the allowable IFG (500) corresponding to the destination address F13, so the comparison in processing step S304 next obtains the allowable IFG (400) corresponding to the source address F14 from the allowable IFG list 200. If the measured IFG for the source address F14 is smaller than the allowable IFG (400) corresponding to the source address F14, the allowable IFG (200) corresponding to the type F15 information and the payload part F16 (which includes upper-layer protocols such as Internet Protocol) is obtained from the allowable IFG list 200, and the comparisons with the measured IFG for the type F15 information and the payload part F16 are executed in turn.
If the communication frame F1 is determined to be abnormal in the course of comparing the allowable IFGs in the allowable IFG list 200 with the measured IFG, processing step S305 replaces the data of the FCS (F17) at the end of the communication frame F1 with different data. This allows the NIC of the control device E to discard the communication frame F1.
In this way, by sequentially comparing the allowable IFG list 200 with the data acquired from the communication frame F1 for each small frame making up the communication frame F1, a DoS attack can be determined with high accuracy without storing the communication frame F1. The control device E can therefore be made resistant to DoS attacks without any effect on its own real-time processing.
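The following sketch is an added example, not code from the patent. It models the S302 gate, the S304/S311 per-small-frame comparison, and the S305 FCS inversion on an IEEE 802.3 frame, using the allowable IFGs 500/400/200 quoted above. The addresses, the EtherType, the handling of frames with no matching entry, and the treatment of S302 as a gate that only decides whether scanning happens are assumptions.

```python
import zlib
from dataclasses import dataclass

# Small frames after the preamble/SFD, in arrival order: (name, offset, length).
FIELDS = [("dst", 0, 6), ("src", 6, 6), ("type", 12, 2)]


@dataclass(frozen=True)
class Entry:
    field: str       # small frame the data condition applies to
    value: bytes     # data condition (constructed sample values)
    allow_ifg: int   # allowable IFG in bit times


# The allowable IFGs 500/400/200 are the values quoted in the text; the
# addresses and EtherType used as data conditions are constructed.
DST = bytes.fromhex("02000000000e")
SRC = bytes.fromhex("0200000000a1")
IPV4 = bytes.fromhex("0800")
ALLOW_LIST = [Entry("dst", DST, 500), Entry("src", SRC, 400),
              Entry("type", IPV4, 200)]


def fcs(body: bytes) -> bytes:
    """IEEE 802.3 FCS: CRC-32 over the frame body, least significant byte first."""
    return zlib.crc32(body).to_bytes(4, "little")


def build_frame(dst: bytes, src: bytes, ethertype: bytes, payload: bytes) -> bytes:
    """Build a frame without preamble/SFD, padded to the 46-byte minimum payload."""
    body = dst + src + ethertype + payload.ljust(46, b"\x00")
    return body + fcs(body)


def nic_accepts(frame: bytes) -> bool:
    """Frame check as the receiving NIC performs it."""
    return fcs(frame[:-4]) == frame[-4:]


def lookup(entries, field, value):
    """Return the allowable IFG whose data condition matches, or None."""
    for e in entries:
        if e.field == field and e.value == value:
            return e.allow_ifg
    return None


def filter_frame(frame: bytes, measured_ifg: int, entries=ALLOW_LIST):
    """Return (forwarded_frame, alert); alert is None for a normal frame.

    Every byte before the FCS is forwarded unchanged, as in cut-through
    operation; only the trailing four bytes are touched on a detection.
    """
    body, tail = frame[:-4], frame[-4:]
    alert = None
    # S302: gate on the destination address entry. Assumption: a frame with
    # no matching entry, or with an IFG not below the gate, is not scanned.
    name, off, length = FIELDS[0]
    gate = lookup(entries, name, body[off:off + length])
    if gate is not None and measured_ifg < gate:
        # S304 / S311: compare once per small frame, in arrival order.
        for name, off, length in FIELDS[1:]:
            allow = lookup(entries, name, body[off:off + length])
            if allow is not None and measured_ifg <= allow:
                alert = f"IFG {measured_ifg} <= allowable {allow} at {name}"
                break  # later small frames need no further determination
    if alert is not None:
        # S305: invert the FCS bits so the receiving NIC drops the frame.
        tail = bytes(b ^ 0xFF for b in tail)
    return body + tail, alert
```

With a measured IFG of 250 bit times the frame is flagged at the source address (allowable IFG 400) and fails the NIC's frame check; with 450 or 600 it is forwarded untouched.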
The second embodiment describes several approaches to determining the allowable IFG for each small frame making up the communication frame F1.
First, the detailed specification of the allowable IFG list 200 illustrated in FIG. 5 is described. In its minimum configuration, the allowable IFG list 200 consists of two attributes: "data condition" and "allowable IFG".
Of these, the data condition corresponds, for example, to the data information of a communication frame. In the example of the allowable IFG list 200 shown in FIG. 5, conditions on the destination address F13 and the source address F14 of the communication frame are data conditions. Put another way, the destination address F13 and the source address F14, which are the small frames that follow the preamble F11 and SFD (F12) at the head of the communication frame F1 (used to detect reception of the communication frame F1), correspond to this "data condition".
By contrast, the value (in bit times) set for the "allowable IFG" should be determined with full consideration of the system requirements and the processing performance of the devices. The communication control device T scans the communication frame F1 from its head in cut-through mode and, as soon as it has acquired the small frames from the destination address F13 onward as the necessary information, it refers in turn to the allowable IFG corresponding to the data condition attribute in the allowable IFG list 200 and compares it with the measured IFG. The allowable IFG is therefore determined by the system requirements and the processing performance of the devices, because the criterion for judging traffic to be a DoS attack depends on the system specification and on device processing performance.
For example, under a system specification in which a control device E executes 100 milliseconds of processing whenever it receives a communication frame F1 of a specific pattern, 100 milliseconds of processing occurs every time a communication frame F1 matching that pattern is received. If such communication frames are received at intervals of 100 milliseconds or less, there is a risk that the processing resources of the control device E are monopolized and other processing is blocked.
In addition, the device's performance in processing communication frames and the like also has an effect. For example, the communication frame processing platforms used in enterprise servers have enough performance to handle communication frames F1 on the order of several hundred Gbps. The control devices E that make up a control system, on the other hand, usually have limited resources and in many cases cannot process communication frames F1 at 100 Mbps or more. In other words, depending on the processing performance of the terminal receiving the communication frames, a given kind of traffic may or may not amount to a DoS attack.
In view of the above, the communication control device T of the present invention executes processing that dynamically updates the allowable IFG list according to the communication conditions and the processing performance of the devices. For example, if the time the control device E needs to process a given communication frame F1 can be evaluated in advance, setting a value equal to or longer than that processing time as the allowable IFG for the data pattern of that communication frame may make it possible to detect or avoid a DoS attack.
For example, if communication frames F1 with the same data pattern arrive in succession while the control device E is still processing the target communication frame F1, and those frames are queued, the control device E goes on to process the queued communication frames F1 and its processing resources are monopolized.
In a control system in particular, normal system design does not anticipate that a control device E in the system receives, within a short time, a large number of communication frames F1 that impair its own real-time behavior, so such communication frames F1 can be regarded as a DoS attack. The measure of the present invention described above makes it possible to deal with such DoS attacks.
FIG. 6a shows a case in which the reception interval of the communication frames F1 is short and the measured average IFG is short. FIG. 6b shows the opposite case, in which the average IFG is long. In a case like FIG. 6a, each allowable IFG registered in the allowable IFG list 200 should be set to a value shorter than in FIG. 5 (200, 150 and so on); in a case like FIG. 6b, each allowable IFG registered in the allowable IFG list 200 should be set to a value longer than in FIG. 5 (4000, 2500 and so on).
One advantage of this measure concerns the following case: even a normal network that is not under attack may, depending on its state, temporarily become heavily loaded. In a network that is not under attack, the load in this case usually increases gradually.
Because DoS attacks are man-made, on the other hand, they often produce a large number of communication frames in an instant. The measure of the present invention described above can therefore automatically adjust the baseline of the allowable IFG when the system is temporarily under high load, which reduces the risk of misjudging traffic as a DoS attack while the network is temporarily heavily loaded. In addition, because the optimum allowable IFG values are applied automatically according to the network, the workload at configuration time is also reduced.
Specifically, suppose for example that in the normal network state the allowable IFGs take the values shown in FIG. 5. A temporary high-load state of the network is assumed in advance, and when a gradual load rise of about 20% between these states is judged to be normal, the allowable IFG values of FIG. 5 should be variably adjustable within this range. These adjustments are executed by the allowable IFG determination unit 205 in FIG. 1, or in processing step S307 of FIG. 3.
The third embodiment describes how to handle the case in which a control device E in the control system executes periodic processing.
Control devices E in a control system often transmit and receive data periodically, and communication for real-time control in particular is periodic in most cases.
Such communication often depends on the system specification, and receiving a specific communication frame F1 may occupy the processing resources of the control device E for a certain period. Such packets must always keep to their period; if communication that disturbs the periodicity occurs, the periodicity of control across the whole system is disturbed, and as a result the whole system may go down.
To detect communication that disturbs the periodicity as a DoS attack, the communication control device T according to the third embodiment, after receiving a given communication frame F1, sets an allowable IFG only for the communication frames F1 that may be received next and marks all others as invalid.
A communication frame F1 can be marked invalid by setting its allowable IFG to a value equal to or greater than the cycle time (Tfreq). An example is shown in FIG. 7.
In the case of FIG. 7, the signal processed by the communication control device T according to the third embodiment of the present invention, installed between the network NW and the control device E of FIG. 2, repeats periodically with cycle time Tfreq. The figure shows communication for which it is known in advance that, within the cycle time Tfreq, the frames are received in the order communication frame F1a, communication frame F1b, communication frame F1c, communication frame F1d. Taking the communication frame F1a as an example of an individual frame, the next time this communication frame F1a is processed is one cycle time Tfreq later, and the same periodic relationship holds for the other communication frames. The time between consecutive communication frames, however, is set arbitrarily. The IFG that must be managed for the communication frame F1a is therefore its relationship to the communication frame F1a one cycle later, not the time between consecutive communication frames.
For this reason, in the processing of the third embodiment the allowable IFG list 200 holds allowable IFGs for all the communication frames handled within the cycle time Tfreq (communication frame F1a, communication frame F1b, communication frame F1c, communication frame F1d). The value of each allowable IFG in the allowable IFG list 200 is updated as appropriate each time a communication frame is received.
In FIG. 7, pattern P1 shows the contents of the allowable IFG list 200 after the communication frame F1a is received, pattern P2 the contents after the communication frame F2b is received, and pattern P3 the contents after the communication frame F1c is received. After the communication frame F1a is received, as shown in pattern P1, only the communication frame F1b in the allowable IFG list 200 is set to a value equal to or less than Tfreq, for example 200, and the other communication frames are set to Tfreq. With this setting, only the communication frame F1b is permitted after the communication frame F1a has passed.
After the communication frame F1b is received, as shown in pattern P2, only the communication frame F1c in the allowable IFG list 200 is set to a value equal to or less than Tfreq, for example 300, and the other communication frames are set to Tfreq. With this setting, only the communication frame F1c is permitted after the communication frame F1b has passed.
Similarly, after the communication frame F1c is received, as shown in pattern P3, only the communication frame F1d in the allowable IFG list 200 is set to a value equal to or less than Tfreq, for example 500, and the other communication frames are set to Tfreq. With this setting, only the communication frame F1d is permitted after the communication frame F1c has passed.
However, if the periodic communication is such that, for example, either the communication frame F1b or the communication frame F1c may be received after the communication frame F1a, setting the allowable IFGs of both the communication frame F1b and the communication frame F1c in the allowable IFG list after reception of F1a to values equal to or less than Tfreq also covers the case in which any one of several frames may be received.
FIG. 8 shows an example of this case, in which valid allowable IFG values are set for both the communication frame F1b and the communication frame F1c. If a reception prohibition period of a certain length is required after the communication frame F1a is received, that prohibition period (400 bit times in the example of FIG. 8) is set as the allowable IFG of the communication frame F1c. With this measure the communication control device T can finely control which communication frame F1 is received next, including when it is received, which improves the accuracy of DoS attack detection and defense.
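The pattern switching of FIG. 7 and FIG. 8 can be modelled as a small state machine, shown here as an added example that is not code from the patent. The values 200, 300, 500 and the 400 bit-time prohibition period come from the text; the cycle time of 12000 bit times, the F1d to F1a wrap-around entry, the F1b value in the FIG. 8 variant, and the choice not to advance the pattern on a rejected frame are assumptions.

```python
T_FREQ = 12000  # cycle time in bit times (constructed value)
KINDS = ("F1a", "F1b", "F1c", "F1d")

# Frames that may legitimately come next, with their allowable IFG.
# 200/300/500 are the example values from the text; the F1d -> F1a
# wrap-around entry is an assumption made so the cycle can repeat.
FIG7 = {
    "F1a": {"F1b": 200},
    "F1b": {"F1c": 300},
    "F1c": {"F1d": 500},
    "F1d": {"F1a": 200},
}
# FIG. 8 variant: after F1a either F1b or F1c may arrive, and F1c carries a
# 400 bit-time reception prohibition period. The F1b value is an assumption.
FIG8 = dict(FIG7, F1a={"F1b": 200, "F1c": 400})


def pattern_after(kind, successors):
    """Allowable IFG list to install once a frame of type `kind` has passed.

    Frame types that must not come next are invalidated by giving them an
    allowable IFG of T_FREQ; permitted successors get their own smaller value.
    """
    table = dict.fromkeys(KINDS, T_FREQ)
    table.update(successors[kind])
    return table


class CycleGuard:
    """Tracks the position in the control cycle and judges each arrival."""

    def __init__(self, successors=FIG7, last="F1d"):
        # Assumption: the guard starts as if the previous cycle just ended.
        self.successors = successors
        self.table = pattern_after(last, successors)

    def receive(self, kind, measured_ifg):
        """Return True if the frame is abnormal (to be discarded)."""
        abnormal = measured_ifg <= self.table[kind]
        if not abnormal:
            # Assumption: only an accepted frame advances the pattern.
            self.table = pattern_after(kind, self.successors)
        return abnormal


def run(guard, arrivals):
    """Feed (frame type, measured IFG in bit times) pairs through the guard."""
    return [guard.receive(kind, ifg) for kind, ifg in arrivals]


# Constructed arrival sequence: a replayed F1a, an out-of-order F1d and an
# early F1d are mixed into one otherwise regular cycle.
SAMPLE = [("F1a", 300), ("F1a", 1000), ("F1b", 250), ("F1d", 600),
          ("F1c", 350), ("F1d", 400), ("F1d", 600)]
```

Running `run(CycleGuard(), SAMPLE)` flags the second, fourth and sixth arrivals and accepts the rest.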
The fourth embodiment describes a method in which information on the reception frequency of communication frames is also stored in the allowable IFG list 200 and used to determine whether a communication frame is abnormal.
FIG. 9 shows an example of the allowable IFG list 200 that includes information on the reception frequency of the communication frame F1. The allowable IFG list 200 shown in FIG. 9 has allowable reception frequency as an additional attribute.
The allowable reception frequency is the number of receptions of a communication frame, out of a fixed number of received communication frames, for which that communication frame can be judged not to be abnormal. In other words, when the current reception frequency of a communication frame (hereinafter, the current reception frequency) is greater than the allowable reception frequency, the communication frame is regarded as abnormal. The allowable reception frequency can be expressed in a form such as the number of receptions of the communication frame per 100 frames.
In the example of FIG. 9, the allowable reception frequencies (per 100 frames) of the communication frames F1A, F1B, F1C and F1D are set to 5, 10, 10 and 20. For the communication frame F1A, this means that reception up to 5 times per 100 frames is treated as normal, and the communication frame F1A is regarded as abnormal once the count exceeds 6.
FIG. 10 shows part of the configuration of a communication control device T whose allowable IFG list 200 includes allowable reception frequency information.
In addition to the configuration described with FIG. 1, the communication control device T of FIG. 10 includes a communication frame statistics processing unit 206, which counts the reception frequency for each item of communication frame data D2 received from the communication frame scan unit 202 and reports the reception frequency statistics to the abnormal communication frame determination unit 203.
In addition to the functions of the abnormal communication frame determination unit 203 of FIG. 1, the abnormal communication frame determination unit 203 here has a function that determines whether a communication frame is abnormal using the frame's reception frequency information as well.
FIG. 11 shows a flowchart in which the communication control device T of the fourth embodiment determines whether a communication frame is abnormal using the reception frequency information as well.
The processing in the flowchart of FIG. 11 is basically the same as that of FIG. 3; the only difference is the added reception frequency determination step S310.
In the flow of FIG. 11, the measured IFG comparison (processing step S304) and the reception frequency processing (processing step S310) are both executed in parallel, and if either determines an abnormality (Y in processing step S304 or N in processing step S310), the communication data is discarded and an alert is generated (processing step S305). If the reception frequency processing detects no abnormality (Y in processing step S310), processing moves to processing step S307; if the measured IFG comparison detects no abnormality (N in processing step S304), processing moves to processing step S311 and the loop over the small frames is repeated.
Through the processing described above, the communication control device T of the fourth embodiment shown in FIG. 10 can detect DoS attacks with higher accuracy than the communication control device T shown in FIG. 2.
Although the application of the present invention has been described using communication frames conforming to IEEE 802.3 as an example, the present invention is not limited to IEEE 802.3 communication frames and can also be applied to other communication protocols.
200: Allowable IFG list
201: IFG measurement unit
202: Communication frame scan unit
203: Abnormal communication frame determination unit
204: Network control unit
205: Allowable IFG determination unit
206: Communication frame statistics processing unit
D: Communication data
D1: IFG measurement value
D2: Array data
D3: Scan data
D4: Update information
F11: Preamble
F12: SFD
F13: Destination address
F14: Source address
F15: Type
F16: Payload / upper-layer protocol
F17: FCS
F1, F2: Communication frame
IF/1: Input interface
IF/2: Output interface
NW: Network
T: Communication control device

Claims (20)

  1.  A communication control device that relays communication frames transmitted from a network to a control device, the communication frames being composed of small frames that follow a predetermined order,
     the communication control device comprising:
     an IFG measurement unit that measures the IFG of a communication frame;
     a communication frame scan unit that scans the data of the communication frame without storing it and acquires scan data and array data of the communication frame;
     an allowable IFG determination unit that determines, based on the scan data of the current communication frame acquired by the communication frame scan unit, the allowable IFG of the communication frame to be received next;
     an allowable IFG list that stores the allowable IFG obtained by the allowable IFG determination unit;
     an abnormal communication frame determination unit that determines that a communication frame is a DoS attack from the IFG measurement value acquired by the IFG measurement unit, the array data of the small frames of the communication frame acquired by the communication frame scan unit, and the contents of the allowable IFG list; and
     a network control unit that, according to the determination result of the abnormal communication frame determination unit, discards the communication frame or attaches security information signifying a warning to the communication frame and transmits it to the control device,
     wherein the abnormal communication frame determination unit determines that a communication frame is a DoS attack by comparing the allowable IFG stored in the allowable IFG list with the IFG measurement value.
  2.  The communication control device according to claim 1,
     wherein the abnormal communication frame determination unit determines that a communication frame is a DoS attack by comparing the allowable IFG for each small frame stored in the allowable IFG list with the IFG measurement value.
  3.  The communication control device according to claim 1 or claim 2,
     wherein the allowable IFG determination unit determines, based on the scan data of the current communication frame acquired by the communication frame scan unit, the allowable IFG for each small frame of the communication frame to be received next.
  4.  The communication control device according to any one of claims 1 to 3,
     wherein the communication frame composed of small frames that follow a predetermined order has, at its tail, a small frame for frame checking, and the abnormal communication frame determination unit notifies the downstream control device of a DoS attack by manipulating the data of that small frame.
  5.  The communication control device according to any one of claims 1 to 4, in which a plurality of types of communication frames are transmitted from the network to the control device via the communication control device and the plurality of types of communication frames are transmitted while maintaining a predetermined control cycle,
     wherein the allowable IFG list is prepared for each of the plurality of types of communication frames, and when the Nth communication frame within the predetermined control cycle is received, an allowable IFG is set only in the allowable IFG list of the communication frame scheduled to arrive (N+1)th, so that only the communication frame scheduled to arrive (N+1)th can be processed.
  6.  The communication control device according to claim 5,
    wherein, when a plurality of different types of communication frames are expected as the communication frame scheduled to arrive (N+1)th, an allowable IFG is set in the allowable IFG lists of those different types of communication frames.
  7.  The communication control device according to any one of claims 1 to 6,
    wherein the ratio of the number of receptions of communication frames judged to be a DoS attack to a predetermined number of receptions is obtained, the ratio is compared with a preset allowable reception frequency, and the security information is attached to the communication frame and transmitted to the control device.
  8.  A communication control method in a communication control device that relays communication frames transmitted from a network to a control device, the communication frames being composed of small frames following a predetermined order,
    wherein, when the IFG measurement value relative to the previously received communication frame is equal to or less than a threshold, arbitrary data is extracted from the communication frame, the extracted data is checked against one or more rules, whether the communication frame is abnormal is determined from the result, and an arbitrary item in a rule list of one or more items concerning the next communication frame is updated.
  9.  The communication control method according to claim 8,
    wherein, when arbitrary data is extracted from the communication frame, the data is extracted from the communication frame by a cut-through method.
  10.  The communication control method according to claim 8 or claim 9,
    wherein the rule list of one or more items includes a pair of arbitrary data of a communication frame and an allowable IFG, which corresponds to that arbitrary data and is the IFG value at which the communication frame is judged abnormal.
  11.  The communication control method according to claim 10,
    wherein data is sequentially extracted from the communication frame by a cut-through method, the allowable IFG corresponding to the data obtained from the communication frame is sequentially verified against the rule list of one or more items, and whether the communication frame is abnormal is determined.
  12.  The communication control method according to claim 10 or claim 11,
    wherein, as the method of determining whether a communication frame is abnormal, the measured IFG is compared with the allowable IFG, and the communication frame is judged abnormal when the measured IFG is equal to or less than the allowable IFG.
  13.  The communication control method according to any one of claims 10 to 12,
    wherein the state of the network is determined from the measured IFG or from data extracted from the communication frame, and the contents of the rule list of one or more items are updated according to the state of the network.
  14.  The communication control method according to claim 13,
    wherein, when the average of the measured IFG is high, a high value is set as one or more allowable IFG values registered in the rule list when the contents of the rule list of one or more items are updated, and when the average of the measured IFG is low, a low value is set as one or more allowable IFG values registered in the rule list when those contents are updated.
  15.  The communication control method according to any one of claims 10 to 14,
    wherein, when the processing time that a device receiving a given communication frame needs to process that communication frame can be known in advance, a value equal to or greater than that processing time is set, when the contents of the rule list of one or more items are updated, as the allowable IFG value registered in the rule list for that communication frame.
  16.  The communication control method according to any one of claims 10 to 15,
    wherein, after a periodically received communication frame has been received, when the contents of the rule list of one or more items are updated, a value equal to or greater than one period of the periodic communication is set as one or more allowable IFG values registered in the rule list, except for the data patterns of communication frames that may be received next.
  17.  The communication control method according to any one of claims 10 to 16,
    wherein the rule list of one or more items includes a set of arbitrary data of a communication frame, an IFG value (allowable IFG) that corresponds to that arbitrary data and at which the communication frame is judged abnormal, and a reception frequency value (allowable reception frequency) at which a communication frame with the data pattern corresponding to that communication frame is judged abnormal.
  18.  The communication control method according to claim 17,
    A communication control device comprising means for counting the reception frequency of communication frames for each data pattern of the communication frames, wherein, when the reception frequency of any communication frame exceeds the permitted reception frequency listed in the rule list of one or more items, the communication frame is regarded as abnormal and either a warning is issued externally or the communication frame is discarded.
  19.  The communication control method according to any one of claims 10 to 18,
    wherein the format of the communication frame is a communication frame format conforming to IEEE 802.3, or a communication frame format of the same kind as, or derived from, a communication frame format conforming to IEEE 802.3.
  20.  The communication control method according to any one of claims 10 to 19,
    wherein the communication control device is connected as a relay between the network and a terminal, or processing equivalent to the functions executed by the communication control device is executed within the network interface of the terminal.
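
The comparison in claim 12 and the rule-list update in claims 5 and 16 can be seen working together in the following added sketch, which is not code from the patent. The pattern names, the cycle order, the timing values and the choice to advance the expected pattern only on accepted frames are all assumptions made for the illustration.

```python
# Added illustration, not code from the patent. Pattern names, the cycle
# order and every timing value are constructed assumptions.
NEXT_IFG_US = 10.0     # allowable IFG for the pattern expected next
PERIOD_US = 1000.0     # one period of the periodic communication


class IfgGate:
    """Rule list of (data pattern -> allowable IFG), updated per frame."""

    def __init__(self, cycle):
        self.cycle = list(cycle)               # pattern order within one period
        self.allowable = {p: NEXT_IFG_US for p in self.cycle}
        self.last_end = None                   # end time of the previous frame

    def receive(self, start_us, end_us, pattern):
        """Return True when the frame is judged abnormal."""
        # The first frame has no predecessor, so no IFG can be measured.
        ifg = None if self.last_end is None else start_us - self.last_end
        self.last_end = end_us                 # every frame on the wire counts
        # Patterns missing from the rule list get the strictest limit.
        limit = self.allowable.get(pattern, PERIOD_US)
        abnormal = ifg is not None and ifg <= limit      # claim 12 comparison
        if not abnormal and pattern in self.allowable:
            self._expect_after(pattern)
        return abnormal

    def _expect_after(self, pattern):
        # Claim 16 style update: only the pattern due next keeps a short
        # allowable IFG; every other pattern needs a gap of a full period.
        nxt = self.cycle[(self.cycle.index(pattern) + 1) % len(self.cycle)]
        for p in self.allowable:
            self.allowable[p] = NEXT_IFG_US if p == nxt else PERIOD_US


def judge(cycle, trace):
    """trace: (start_us, end_us, pattern) tuples in arrival order."""
    gate = IfgGate(cycle)
    return [gate.receive(*frame) for frame in trace]


# Constructed trace: cycle A -> B -> C with two injected frames after B
# and one early duplicate of A after C.
TRACE = [(0, 60, "A"), (300, 360, "B"), (365, 425, "B"), (430, 490, "A"),
         (600, 660, "C"), (664, 724, "A"), (1000, 1060, "A")]

if __name__ == "__main__":
    for frame, bad in zip(TRACE, judge(["A", "B", "C"], TRACE)):
        print(frame, "ABNORMAL" if bad else "ok")
```

The out-of-turn frames are rejected even though their gaps would be acceptable for the expected pattern, because their own allowable IFG has been raised to a full period.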
PCT/JP2017/000363 2016-02-22 2017-01-10 Communication control apparatus and communication control method WO2017145526A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
JP2016030919A JP2019083355A (en) 2016-02-22 2016-02-22 Communication control device and communication control method
JP2016-030919 2016-02-22

Publications (1)

Publication Number Publication Date
WO2017145526A1 (en) 2017-08-31

Family

ID=59686090

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2017/000363 WO2017145526A1 (en) 2016-02-22 2017-01-10 Communication control apparatus and communication control method

Country Status (2)

Country Link
JP (1) JP2019083355A (en)
WO (1) WO2017145526A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115917540A (en) * 2020-07-17 2023-04-04 三菱电机株式会社 Communication permission list generation device, communication permission list generation method, and program

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP7403414B2 (en) * 2020-08-18 2023-12-22 株式会社日立製作所 Communication relay device and communication relay method

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2005151289A (en) * 2003-11-18 2005-06-09 Kddi Corp Log analyzing device and log analysis program
JP2008066903A (en) * 2006-09-06 2008-03-21 Nec Corp Intrusion detection system, its method, and communication device using it
JP2014146868A (en) * 2013-01-28 2014-08-14 Hitachi Automotive Systems Ltd Network device and data transmission reception system

Also Published As

Publication number Publication date
JP2019083355A (en) 2019-05-30

Legal Events

Date Code Title Description
NENP Non-entry into the national phase (Ref country code: DE)
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 17755968; Country of ref document: EP; Kind code of ref document: A1)
122 Ep: pct application non-entry in european phase (Ref document number: 17755968; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: JP)